From b0ed31e468fff55b722c1d2e6f7858fea60cb548 Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Thu, 7 Dec 2023 14:13:33 +0100 Subject: [PATCH 01/12] Coq proof lib --- proof-libs/coq/.gitignore | 7 + proof-libs/coq/README.md | 22 + proof-libs/coq/_CoqProject | 27 + proof-libs/coq/_vc/Hacspec_Aes.v | 720 +++ proof-libs/coq/_vc/Hacspec_Aes128_Gcm.v | 126 + proof-libs/coq/_vc/Hacspec_Bip_340.v | 530 ++ proof-libs/coq/_vc/Hacspec_Bls12_381.v | 772 +++ proof-libs/coq/_vc/Hacspec_Bls12_381_Hash.v | 1754 ++++++ proof-libs/coq/_vc/Hacspec_Chacha20.v | 223 + proof-libs/coq/_vc/Hacspec_Chacha20poly1305.v | 98 + proof-libs/coq/_vc/Hacspec_Coverage_Test.v | 163 + proof-libs/coq/_vc/Hacspec_Curve25519.v | 170 + .../coq/_vc/Hacspec_Ecdsa_P256_Sha256.v | 128 + proof-libs/coq/_vc/Hacspec_Ed25519.v | 690 +++ proof-libs/coq/_vc/Hacspec_Edwards25519.v | 597 ++ .../coq/_vc/Hacspec_Edwards25519_Ecvrf.v | 349 ++ .../coq/_vc/Hacspec_Edwards25519_Hash.v | 504 ++ proof-libs/coq/_vc/Hacspec_Gf128.v | 113 + proof-libs/coq/_vc/Hacspec_Gimli.v | 406 ++ proof-libs/coq/_vc/Hacspec_Hkdf.v | 93 + proof-libs/coq/_vc/Hacspec_Hmac.v | 178 + proof-libs/coq/_vc/Hacspec_Linalg.v | 296 + proof-libs/coq/_vc/Hacspec_Merlin.v | 88 + proof-libs/coq/_vc/Hacspec_Ntru_Prime.v | 138 + proof-libs/coq/_vc/Hacspec_P256.v | 494 ++ proof-libs/coq/_vc/Hacspec_Poly1305.v | 147 + proof-libs/coq/_vc/Hacspec_Riot_Bootloader.v | 184 + proof-libs/coq/_vc/Hacspec_Riot_Runqueue.v | 224 + proof-libs/coq/_vc/Hacspec_Ristretto.v | 700 +++ proof-libs/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v | 70 + proof-libs/coq/_vc/Hacspec_Rsa_Pkcs1.v | 121 + proof-libs/coq/_vc/Hacspec_Sha1.v | 205 + proof-libs/coq/_vc/Hacspec_Sha256.v | 305 + proof-libs/coq/_vc/Hacspec_Sha3.v | 357 ++ proof-libs/coq/_vc/Hacspec_Sha512.v | 321 ++ proof-libs/coq/_vc/Pearlite_Example.v | 19 + proof-libs/coq/_vc/Strobe.v | 305 + proof-libs/coq/_vc/Tls_Cryptolib.v | 673 +++ proof-libs/coq/docker_build/Dockerfile | 12 + proof-libs/coq/src/Hacspec_Aes.v | 720 +++ proof-libs/coq/src/Hacspec_Aes128_Gcm.v | 126 + proof-libs/coq/src/Hacspec_Bip_340.v | 530 ++ proof-libs/coq/src/Hacspec_Bls12_381.v | 772 +++ proof-libs/coq/src/Hacspec_Bls12_381_Hash.v | 1754 ++++++ proof-libs/coq/src/Hacspec_Chacha20.v | 223 + proof-libs/coq/src/Hacspec_Chacha20poly1305.v | 98 + proof-libs/coq/src/Hacspec_Coverage_Test.v | 163 + proof-libs/coq/src/Hacspec_Curve25519.v | 170 + .../coq/src/Hacspec_Ecdsa_P256_Sha256.v | 128 + proof-libs/coq/src/Hacspec_Ed25519.v | 690 +++ proof-libs/coq/src/Hacspec_Edwards25519.v | 597 ++ .../coq/src/Hacspec_Edwards25519_Ecvrf.v | 349 ++ .../coq/src/Hacspec_Edwards25519_Hash.v | 504 ++ proof-libs/coq/src/Hacspec_Gf128.v | 113 + proof-libs/coq/src/Hacspec_Gimli.v | 406 ++ proof-libs/coq/src/Hacspec_Hkdf.v | 93 + proof-libs/coq/src/Hacspec_Hmac.v | 178 + proof-libs/coq/src/Hacspec_Lib.v | 1783 ++++++ proof-libs/coq/src/Hacspec_Linalg.v | 296 + proof-libs/coq/src/Hacspec_Merlin.v | 88 + proof-libs/coq/src/Hacspec_Ntru_Prime.v | 138 + proof-libs/coq/src/Hacspec_P256.v | 494 ++ proof-libs/coq/src/Hacspec_Poly1305.v | 147 + proof-libs/coq/src/Hacspec_Riot_Bootloader.v | 184 + proof-libs/coq/src/Hacspec_Riot_Runqueue.v | 224 + proof-libs/coq/src/Hacspec_Ristretto.v | 700 +++ proof-libs/coq/src/Hacspec_Rsa_Fdh_Vrf.v | 70 + proof-libs/coq/src/Hacspec_Rsa_Pkcs1.v | 121 + proof-libs/coq/src/Hacspec_Sha1.v | 205 + proof-libs/coq/src/Hacspec_Sha256.v | 305 + proof-libs/coq/src/Hacspec_Sha3.v | 357 ++ proof-libs/coq/src/Hacspec_Sha512.v | 321 ++ proof-libs/coq/src/MachineIntegers.v | 4886 +++++++++++++++++ proof-libs/coq/src/Pearlite_Example.v | 19 + proof-libs/coq/src/QuickChickLib.v | 100 + proof-libs/coq/src/Strobe.v | 305 + proof-libs/coq/src/Tls_Cryptolib.v | 673 +++ proof-libs/coq/src/_vc/Hacspec_Aes.v | 714 +++ proof-libs/coq/src/_vc/Hacspec_Aes128_Gcm.v | 124 + proof-libs/coq/src/_vc/Hacspec_Bls12_381.v | 763 +++ .../coq/src/_vc/Hacspec_Bls12_381_Hash.v | 1752 ++++++ proof-libs/coq/src/_vc/Hacspec_Chacha20.v | 222 + .../coq/src/_vc/Hacspec_Chacha20poly1305.v | 97 + proof-libs/coq/src/_vc/Hacspec_Curve25519.v | 169 + .../coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v | 127 + proof-libs/coq/src/_vc/Hacspec_Ed25519.v | 619 +++ proof-libs/coq/src/_vc/Hacspec_Gf128.v | 112 + proof-libs/coq/src/_vc/Hacspec_Gimli.v | 395 ++ proof-libs/coq/src/_vc/Hacspec_Hkdf.v | 91 + proof-libs/coq/src/_vc/Hacspec_Hmac.v | 177 + proof-libs/coq/src/_vc/Hacspec_Linalg.v | 64 + proof-libs/coq/src/_vc/Hacspec_Ntru_Prime.v | 136 + proof-libs/coq/src/_vc/Hacspec_P256.v | 486 ++ proof-libs/coq/src/_vc/Hacspec_Poly1305.v | 143 + .../coq/src/_vc/Hacspec_Riot_Bootloader.v | 180 + .../coq/src/_vc/Hacspec_Riot_Runqueue.v | 223 + proof-libs/coq/src/_vc/Hacspec_Rsa_Pkcs1.v | 112 + proof-libs/coq/src/_vc/Hacspec_Sha256.v | 304 + proof-libs/coq/src/_vc/Hacspec_Sha3.v | 350 ++ proof-libs/coq/src/_vc/Hacspec_Sha512.v | 320 ++ proof-libs/coq/src/_vc/Tls_Cryptolib.v | 670 +++ 101 files changed, 39709 insertions(+) create mode 100644 proof-libs/coq/.gitignore create mode 100644 proof-libs/coq/README.md create mode 100644 proof-libs/coq/_CoqProject create mode 100644 proof-libs/coq/_vc/Hacspec_Aes.v create mode 100644 proof-libs/coq/_vc/Hacspec_Aes128_Gcm.v create mode 100644 proof-libs/coq/_vc/Hacspec_Bip_340.v create mode 100644 proof-libs/coq/_vc/Hacspec_Bls12_381.v create mode 100644 proof-libs/coq/_vc/Hacspec_Bls12_381_Hash.v create mode 100644 proof-libs/coq/_vc/Hacspec_Chacha20.v create mode 100644 proof-libs/coq/_vc/Hacspec_Chacha20poly1305.v create mode 100644 proof-libs/coq/_vc/Hacspec_Coverage_Test.v create mode 100644 proof-libs/coq/_vc/Hacspec_Curve25519.v create mode 100644 proof-libs/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v create mode 100644 proof-libs/coq/_vc/Hacspec_Ed25519.v create mode 100644 proof-libs/coq/_vc/Hacspec_Edwards25519.v create mode 100644 proof-libs/coq/_vc/Hacspec_Edwards25519_Ecvrf.v create mode 100644 proof-libs/coq/_vc/Hacspec_Edwards25519_Hash.v create mode 100644 proof-libs/coq/_vc/Hacspec_Gf128.v create mode 100644 proof-libs/coq/_vc/Hacspec_Gimli.v create mode 100644 proof-libs/coq/_vc/Hacspec_Hkdf.v create mode 100644 proof-libs/coq/_vc/Hacspec_Hmac.v create mode 100644 proof-libs/coq/_vc/Hacspec_Linalg.v create mode 100644 proof-libs/coq/_vc/Hacspec_Merlin.v create mode 100644 proof-libs/coq/_vc/Hacspec_Ntru_Prime.v create mode 100644 proof-libs/coq/_vc/Hacspec_P256.v create mode 100644 proof-libs/coq/_vc/Hacspec_Poly1305.v create mode 100644 proof-libs/coq/_vc/Hacspec_Riot_Bootloader.v create mode 100644 proof-libs/coq/_vc/Hacspec_Riot_Runqueue.v create mode 100644 proof-libs/coq/_vc/Hacspec_Ristretto.v create mode 100644 proof-libs/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v create mode 100644 proof-libs/coq/_vc/Hacspec_Rsa_Pkcs1.v create mode 100644 proof-libs/coq/_vc/Hacspec_Sha1.v create mode 100644 proof-libs/coq/_vc/Hacspec_Sha256.v create mode 100644 proof-libs/coq/_vc/Hacspec_Sha3.v create mode 100644 proof-libs/coq/_vc/Hacspec_Sha512.v create mode 100644 proof-libs/coq/_vc/Pearlite_Example.v create mode 100644 proof-libs/coq/_vc/Strobe.v create mode 100644 proof-libs/coq/_vc/Tls_Cryptolib.v create mode 100644 proof-libs/coq/docker_build/Dockerfile create mode 100644 proof-libs/coq/src/Hacspec_Aes.v create mode 100644 proof-libs/coq/src/Hacspec_Aes128_Gcm.v create mode 100644 proof-libs/coq/src/Hacspec_Bip_340.v create mode 100644 proof-libs/coq/src/Hacspec_Bls12_381.v create mode 100644 proof-libs/coq/src/Hacspec_Bls12_381_Hash.v create mode 100644 proof-libs/coq/src/Hacspec_Chacha20.v create mode 100644 proof-libs/coq/src/Hacspec_Chacha20poly1305.v create mode 100644 proof-libs/coq/src/Hacspec_Coverage_Test.v create mode 100644 proof-libs/coq/src/Hacspec_Curve25519.v create mode 100644 proof-libs/coq/src/Hacspec_Ecdsa_P256_Sha256.v create mode 100644 proof-libs/coq/src/Hacspec_Ed25519.v create mode 100644 proof-libs/coq/src/Hacspec_Edwards25519.v create mode 100644 proof-libs/coq/src/Hacspec_Edwards25519_Ecvrf.v create mode 100644 proof-libs/coq/src/Hacspec_Edwards25519_Hash.v create mode 100644 proof-libs/coq/src/Hacspec_Gf128.v create mode 100644 proof-libs/coq/src/Hacspec_Gimli.v create mode 100644 proof-libs/coq/src/Hacspec_Hkdf.v create mode 100644 proof-libs/coq/src/Hacspec_Hmac.v create mode 100644 proof-libs/coq/src/Hacspec_Lib.v create mode 100644 proof-libs/coq/src/Hacspec_Linalg.v create mode 100644 proof-libs/coq/src/Hacspec_Merlin.v create mode 100644 proof-libs/coq/src/Hacspec_Ntru_Prime.v create mode 100644 proof-libs/coq/src/Hacspec_P256.v create mode 100644 proof-libs/coq/src/Hacspec_Poly1305.v create mode 100644 proof-libs/coq/src/Hacspec_Riot_Bootloader.v create mode 100644 proof-libs/coq/src/Hacspec_Riot_Runqueue.v create mode 100644 proof-libs/coq/src/Hacspec_Ristretto.v create mode 100644 proof-libs/coq/src/Hacspec_Rsa_Fdh_Vrf.v create mode 100644 proof-libs/coq/src/Hacspec_Rsa_Pkcs1.v create mode 100644 proof-libs/coq/src/Hacspec_Sha1.v create mode 100644 proof-libs/coq/src/Hacspec_Sha256.v create mode 100644 proof-libs/coq/src/Hacspec_Sha3.v create mode 100644 proof-libs/coq/src/Hacspec_Sha512.v create mode 100644 proof-libs/coq/src/MachineIntegers.v create mode 100644 proof-libs/coq/src/Pearlite_Example.v create mode 100644 proof-libs/coq/src/QuickChickLib.v create mode 100644 proof-libs/coq/src/Strobe.v create mode 100644 proof-libs/coq/src/Tls_Cryptolib.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Aes.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Aes128_Gcm.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Bls12_381.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Bls12_381_Hash.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Chacha20.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Chacha20poly1305.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Curve25519.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Ed25519.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Gf128.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Gimli.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Hkdf.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Hmac.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Linalg.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Ntru_Prime.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_P256.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Poly1305.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Riot_Bootloader.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Riot_Runqueue.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Rsa_Pkcs1.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Sha256.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Sha3.v create mode 100644 proof-libs/coq/src/_vc/Hacspec_Sha512.v create mode 100644 proof-libs/coq/src/_vc/Tls_Cryptolib.v diff --git a/proof-libs/coq/.gitignore b/proof-libs/coq/.gitignore new file mode 100644 index 000000000..0b7287c5c --- /dev/null +++ b/proof-libs/coq/.gitignore @@ -0,0 +1,7 @@ +*.vo* +*.aux +*.glob +*.cache +.Makefile.d +Makefile +Makefile.conf diff --git a/proof-libs/coq/README.md b/proof-libs/coq/README.md new file mode 100644 index 000000000..725ca4607 --- /dev/null +++ b/proof-libs/coq/README.md @@ -0,0 +1,22 @@ +## Dependencies + +The coq libraries uses `compcert` for machine signed and unsigned integer modulo arithmetic, and `coqprime` for finite field arithmetic on prime modulus (to support hacspec's `nat_mod p` type). +These requires the following repository: + +``` +opam repo add coq-released https://coq.inria.fr/opam/released --all-switches +``` + +Then one can install the dependencies through `opam`: + +``` +opam install coq-compcert coq-coqprime +``` +(assuming you have coq installed through opam). + +## Compiling the coq files + +In folder `/coq`, type `make`. This compiles the coq libraries and the compiled examples, as defined in `_CoqProject`. +This requires the coq compiler to be installed (only tested on coq 8.13.1) + +If you want to add a new example to `_CoqProject`, such that it is compiled through `make`, you should run `coq_makefile -f _CoqProject -o Makefile` in `/coq` to update the makefile. diff --git a/proof-libs/coq/_CoqProject b/proof-libs/coq/_CoqProject new file mode 100644 index 000000000..9b71d810b --- /dev/null +++ b/proof-libs/coq/_CoqProject @@ -0,0 +1,27 @@ +-R src/ Hacspec +# -Q src/_vc "" # Folder should be ignored! +-arg -w +-arg all + +src/MachineIntegers.v +src/Hacspec_Lib.v +src/QuickChickLib.v + +# # src/Hacspec_Coverage_Test.v +# # src/Hacspec_Aes.v # TODO: not currently working ? +# # src/Hacspec_Aes128_Gcm.v # requires Aes +# src/Hacspec_Bls12_381.v +# # src/Hacspec_Bls12_381_Hash.v +# src/Hacspec_Chacha20.v +# src/Hacspec_Poly1305.v +# # src/Hacspec_Chacha20poly1305.v +# src/Hacspec_Curve25519.v +# # src/Hacspec_Ecdsa_P256_Sha256.v +# src/Hacspec_Gf128.v +# # src/Hacspec_Gimli.v # ArrayName::length() impl missing +# # src/Hacspec_Hkdf.v # Cannot infer M for bind (should use result_monad) +# # src/Hacspec_Hmac.v +# # src/Hacspec_Ntru_Prime.v # missing mul_poly_irr /// Polynomial multiplication of two size fixed polynomials in R_modulo \ irr +# # src/Hacspec_P256.v +# # src/Hacspec_Sha3.v # Issues with operations with different types eg ".*" vs "*" +# src/Hacspec_Sha256.v diff --git a/proof-libs/coq/_vc/Hacspec_Aes.v b/proof-libs/coq/_vc/Hacspec_Aes.v new file mode 100644 index 000000000..b87f94a3d --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Aes.v @@ -0,0 +1,720 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition blocksize_v : uint_size := + usize 16. + +Definition ivsize_v : uint_size := + usize 12. + +Definition key_length_v : uint_size := + usize 4. + +Definition rounds_v : uint_size := + usize 10. + +Definition key_schedule_length_v : uint_size := + usize 176. + +Definition iterations_v : uint_size := + usize 40. + +Definition invalid_key_expansion_index_v : int8 := + @repr WORDSIZE8 1. + +Definition block_t := nseq (uint8) (blocksize_v). + +Definition word_t := nseq (uint8) (key_length_v). + +Definition round_key_t := nseq (uint8) (blocksize_v). + +Definition aes_nonce_t := nseq (uint8) (ivsize_v). + +Definition s_box_t := nseq (uint8) (usize 256). + +Definition r_con_t := nseq (uint8) (usize 15). + +Definition bytes144_t := nseq (uint8) (usize 144). + +Definition bytes176_t := nseq (uint8) (key_schedule_length_v). + +Definition key128_t := nseq (uint8) (blocksize_v). + +Notation "'byte_seq_result_t'" := ((result byte_seq int8)) : hacspec_scope. + +Notation "'block_result_t'" := ((result block_t int8)) : hacspec_scope. + +Notation "'word_result_t'" := ((result word_t int8)) : hacspec_scope. + +Definition sbox_v : s_box_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 123) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 197) : int8; + secret (@repr WORDSIZE8 48) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 103) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 215) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 202) : int8; + secret (@repr WORDSIZE8 130) : int8; + secret (@repr WORDSIZE8 201) : int8; + secret (@repr WORDSIZE8 125) : int8; + secret (@repr WORDSIZE8 250) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 71) : int8; + secret (@repr WORDSIZE8 240) : int8; + secret (@repr WORDSIZE8 173) : int8; + secret (@repr WORDSIZE8 212) : int8; + secret (@repr WORDSIZE8 162) : int8; + secret (@repr WORDSIZE8 175) : int8; + secret (@repr WORDSIZE8 156) : int8; + secret (@repr WORDSIZE8 164) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 192) : int8; + secret (@repr WORDSIZE8 183) : int8; + secret (@repr WORDSIZE8 253) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 38) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 63) : int8; + secret (@repr WORDSIZE8 247) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 52) : int8; + secret (@repr WORDSIZE8 165) : int8; + secret (@repr WORDSIZE8 229) : int8; + secret (@repr WORDSIZE8 241) : int8; + secret (@repr WORDSIZE8 113) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 21) : int8; + secret (@repr WORDSIZE8 4) : int8; + secret (@repr WORDSIZE8 199) : int8; + secret (@repr WORDSIZE8 35) : int8; + secret (@repr WORDSIZE8 195) : int8; + secret (@repr WORDSIZE8 24) : int8; + secret (@repr WORDSIZE8 150) : int8; + secret (@repr WORDSIZE8 5) : int8; + secret (@repr WORDSIZE8 154) : int8; + secret (@repr WORDSIZE8 7) : int8; + secret (@repr WORDSIZE8 18) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 178) : int8; + secret (@repr WORDSIZE8 117) : int8; + secret (@repr WORDSIZE8 9) : int8; + secret (@repr WORDSIZE8 131) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 110) : int8; + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 214) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 41) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 132) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 252) : int8; + secret (@repr WORDSIZE8 177) : int8; + secret (@repr WORDSIZE8 91) : int8; + secret (@repr WORDSIZE8 106) : int8; + secret (@repr WORDSIZE8 203) : int8; + secret (@repr WORDSIZE8 190) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 207) : int8; + secret (@repr WORDSIZE8 208) : int8; + secret (@repr WORDSIZE8 239) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 251) : int8; + secret (@repr WORDSIZE8 67) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 133) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 249) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 80) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 159) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 163) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 143) : int8; + secret (@repr WORDSIZE8 146) : int8; + secret (@repr WORDSIZE8 157) : int8; + secret (@repr WORDSIZE8 56) : int8; + secret (@repr WORDSIZE8 245) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 218) : int8; + secret (@repr WORDSIZE8 33) : int8; + secret (@repr WORDSIZE8 16) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 243) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 205) : int8; + secret (@repr WORDSIZE8 12) : int8; + secret (@repr WORDSIZE8 19) : int8; + secret (@repr WORDSIZE8 236) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 151) : int8; + secret (@repr WORDSIZE8 68) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 196) : int8; + secret (@repr WORDSIZE8 167) : int8; + secret (@repr WORDSIZE8 126) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 93) : int8; + secret (@repr WORDSIZE8 25) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 220) : int8; + secret (@repr WORDSIZE8 34) : int8; + secret (@repr WORDSIZE8 42) : int8; + secret (@repr WORDSIZE8 144) : int8; + secret (@repr WORDSIZE8 136) : int8; + secret (@repr WORDSIZE8 70) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 184) : int8; + secret (@repr WORDSIZE8 20) : int8; + secret (@repr WORDSIZE8 222) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 11) : int8; + secret (@repr WORDSIZE8 219) : int8; + secret (@repr WORDSIZE8 224) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 73) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 36) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 211) : int8; + secret (@repr WORDSIZE8 172) : int8; + secret (@repr WORDSIZE8 98) : int8; + secret (@repr WORDSIZE8 145) : int8; + secret (@repr WORDSIZE8 149) : int8; + secret (@repr WORDSIZE8 228) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 200) : int8; + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 109) : int8; + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 213) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 169) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 86) : int8; + secret (@repr WORDSIZE8 244) : int8; + secret (@repr WORDSIZE8 234) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 122) : int8; + secret (@repr WORDSIZE8 174) : int8; + secret (@repr WORDSIZE8 8) : int8; + secret (@repr WORDSIZE8 186) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 37) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 28) : int8; + secret (@repr WORDSIZE8 166) : int8; + secret (@repr WORDSIZE8 180) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 232) : int8; + secret (@repr WORDSIZE8 221) : int8; + secret (@repr WORDSIZE8 116) : int8; + secret (@repr WORDSIZE8 31) : int8; + secret (@repr WORDSIZE8 75) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 139) : int8; + secret (@repr WORDSIZE8 138) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 181) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 14) : int8; + secret (@repr WORDSIZE8 97) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 87) : int8; + secret (@repr WORDSIZE8 185) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 225) : int8; + secret (@repr WORDSIZE8 248) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 17) : int8; + secret (@repr WORDSIZE8 105) : int8; + secret (@repr WORDSIZE8 217) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 148) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 30) : int8; + secret (@repr WORDSIZE8 135) : int8; + secret (@repr WORDSIZE8 233) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 40) : int8; + secret (@repr WORDSIZE8 223) : int8; + secret (@repr WORDSIZE8 140) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 137) : int8; + secret (@repr WORDSIZE8 13) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 230) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 84) : int8; + secret (@repr WORDSIZE8 187) : int8; + secret (@repr WORDSIZE8 22) : int8 + ] in l). + +Definition rcon_v : r_con_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 4) : int8; + secret (@repr WORDSIZE8 8) : int8; + secret (@repr WORDSIZE8 16) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 77) : int8 + ] in l). + +Definition sub_bytes (state_150 : block_t) : block_t := + let st_151 : block_t := + state_150 in + let st_151 := + foldi (usize 0) (blocksize_v) (fun i_152 st_151 => + let st_151 := + array_upd st_151 (i_152) (array_index (sbox_v) (uint8_declassify ( + array_index (state_150) (i_152)))) in + (st_151)) + st_151 in + st_151. + +Definition shift_row + (i_153 : uint_size) + (shift_154 : uint_size) + (state_155 : block_t) + : block_t := + let out_156 : block_t := + state_155 in + let out_156 := + array_upd out_156 (i_153) (array_index (state_155) ((i_153) + ((usize 4) * ( + (shift_154) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 4)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 1)) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 8)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 2)) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 12)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 3)) %% (usize 4))))) in + out_156. + +Definition shift_rows (state_157 : block_t) : block_t := + let state_158 : block_t := + shift_row (usize 1) (usize 1) (state_157) in + let state_159 : block_t := + shift_row (usize 2) (usize 2) (state_158) in + shift_row (usize 3) (usize 3) (state_159). + +Definition xtime (x_160 : uint8) : uint8 := + let x1_161 : uint8 := + (x_160) shift_left (usize 1) in + let x7_162 : uint8 := + (x_160) shift_right (usize 7) in + let x71_163 : uint8 := + (x7_162) .& (secret (@repr WORDSIZE8 1) : int8) in + let x711b_164 : uint8 := + (x71_163) .* (secret (@repr WORDSIZE8 27) : int8) in + (x1_161) .^ (x711b_164). + +Definition mix_column (c_165 : uint_size) (state_166 : block_t) : block_t := + let i0_167 : uint_size := + (usize 4) * (c_165) in + let s0_168 : uint8 := + array_index (state_166) (i0_167) in + let s1_169 : uint8 := + array_index (state_166) ((i0_167) + (usize 1)) in + let s2_170 : uint8 := + array_index (state_166) ((i0_167) + (usize 2)) in + let s3_171 : uint8 := + array_index (state_166) ((i0_167) + (usize 3)) in + let st_172 : block_t := + state_166 in + let tmp_173 : uint8 := + (((s0_168) .^ (s1_169)) .^ (s2_170)) .^ (s3_171) in + let st_172 := + array_upd st_172 (i0_167) (((s0_168) .^ (tmp_173)) .^ (xtime ((s0_168) .^ ( + s1_169)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 1)) (((s1_169) .^ (tmp_173)) .^ (xtime ( + (s1_169) .^ (s2_170)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 2)) (((s2_170) .^ (tmp_173)) .^ (xtime ( + (s2_170) .^ (s3_171)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 3)) (((s3_171) .^ (tmp_173)) .^ (xtime ( + (s3_171) .^ (s0_168)))) in + st_172. + +Definition mix_columns (state_174 : block_t) : block_t := + let state_175 : block_t := + mix_column (usize 0) (state_174) in + let state_176 : block_t := + mix_column (usize 1) (state_175) in + let state_177 : block_t := + mix_column (usize 2) (state_176) in + mix_column (usize 3) (state_177). + +Definition add_round_key + (state_178 : block_t) + (key_179 : round_key_t) + : block_t := + let out_180 : block_t := + state_178 in + let out_180 := + foldi (usize 0) (blocksize_v) (fun i_181 out_180 => + let out_180 := + array_upd out_180 (i_181) ((array_index (out_180) (i_181)) .^ ( + array_index (key_179) (i_181))) in + (out_180)) + out_180 in + out_180. + +Definition aes_enc + (state_182 : block_t) + (round_key_183 : round_key_t) + : block_t := + let state_184 : block_t := + sub_bytes (state_182) in + let state_185 : block_t := + shift_rows (state_184) in + let state_186 : block_t := + mix_columns (state_185) in + add_round_key (state_186) (round_key_183). + +Definition aes_enc_last + (state_187 : block_t) + (round_key_188 : round_key_t) + : block_t := + let state_189 : block_t := + sub_bytes (state_187) in + let state_190 : block_t := + shift_rows (state_189) in + add_round_key (state_190) (round_key_188). + +Definition rounds_aes (state_191 : block_t) (key_192 : byte_seq) : block_t := + let out_193 : block_t := + state_191 in + let out_193 := + foldi (usize 0) (seq_num_chunks (key_192) ( + blocksize_v)) (fun i_194 out_193 => + let '(_, key_block_195) := + seq_get_chunk (key_192) (blocksize_v) (i_194) in + let out_193 := + aes_enc (out_193) (array_from_seq (blocksize_v) (key_block_195)) in + (out_193)) + out_193 in + out_193. + +Definition block_cipher_aes + (input_196 : block_t) + (key_197 : byte_seq) + (nr_198 : uint_size) + : block_t := + let k0_199 : round_key_t := + array_from_slice_range (default : uint8) (blocksize_v) (key_197) (( + usize 0, + usize 16 + )) in + let k_200 : seq uint8 := + seq_from_slice_range (key_197) ((usize 16, (nr_198) * (usize 16))) in + let kn_201 : round_key_t := + array_from_slice (default : uint8) (blocksize_v) (key_197) ((nr_198) * ( + usize 16)) (usize 16) in + let state_202 : block_t := + add_round_key (input_196) (k0_199) in + let state_203 : block_t := + rounds_aes (state_202) (k_200) in + aes_enc_last (state_203) (kn_201). + +Definition rotate_word (w_204 : word_t) : word_t := + array_from_list uint8 (let l := + [ + array_index (w_204) (usize 1); + array_index (w_204) (usize 2); + array_index (w_204) (usize 3); + array_index (w_204) (usize 0) + ] in l). + +Definition slice_word (w_205 : word_t) : word_t := + array_from_list uint8 (let l := + [ + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 0))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 1))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 2))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 3))) + ] in l). + +Definition aes_keygen_assist (w_206 : word_t) (rcon_207 : uint8) : word_t := + let k_208 : word_t := + rotate_word (w_206) in + let k_208 := + slice_word (k_208) in + let k_208 := + array_upd k_208 (usize 0) ((array_index (k_208) (usize 0)) .^ ( + rcon_207)) in + k_208. + +Definition key_expansion_word + (w0_209 : word_t) + (w1_210 : word_t) + (i_211 : uint_size) + (nk_212 : uint_size) + (nr_213 : uint_size) + : word_result_t := + let k_214 : word_t := + w1_210 in + let result_215 : (result word_t int8) := + @Err word_t int8 (invalid_key_expansion_index_v) in + let '(k_214, result_215) := + if (i_211) <.? ((usize 4) * ((nr_213) + (usize 1))):bool then (let '(k_214 + ) := + if ((i_211) %% (nk_212)) =.? (usize 0):bool then (let k_214 := + aes_keygen_assist (k_214) (array_index (rcon_v) ((i_211) / ( + nk_212))) in + (k_214)) else (let '(k_214) := + if ((nk_212) >.? (usize 6)) && (((i_211) %% (nk_212)) =.? ( + usize 4)):bool then (let k_214 := + slice_word (k_214) in + (k_214)) else ((k_214)) in + (k_214)) in + let k_214 := + foldi (usize 0) (usize 4) (fun i_216 k_214 => + let k_214 := + array_upd k_214 (i_216) ((array_index (k_214) (i_216)) .^ ( + array_index (w0_209) (i_216))) in + (k_214)) + k_214 in + let result_215 := + @Ok word_t int8 (k_214) in + (k_214, result_215)) else ((k_214, result_215)) in + result_215. + +Definition key_expansion_aes + (key_217 : byte_seq) + (nk_218 : uint_size) + (nr_219 : uint_size) + (key_schedule_length_220 : uint_size) + (key_length_221 : uint_size) + (iterations_222 : uint_size) + : byte_seq_result_t := + let key_ex_223 : seq uint8 := + seq_new_ (default : uint8) (key_schedule_length_220) in + let key_ex_223 := + seq_update_start (key_ex_223) (key_217) in + let word_size_224 : uint_size := + key_length_221 in + bind (foldibnd (usize 0) to ( + iterations_222) for key_ex_223 >> (fun j_225 key_ex_223 => + let i_226 : uint_size := + (j_225) + (word_size_224) in + bind (key_expansion_word (array_from_slice (default : uint8) ( + key_length_v) (key_ex_223) ((usize 4) * ((i_226) - (word_size_224))) ( + usize 4)) (array_from_slice (default : uint8) (key_length_v) ( + key_ex_223) (((usize 4) * (i_226)) - (usize 4)) (usize 4)) (i_226) ( + nk_218) (nr_219)) (fun word_227 => let key_ex_223 := + seq_update (key_ex_223) ((usize 4) * (i_226)) ( + array_to_seq (word_227)) in + @Ok (seq uint8) int8 ((key_ex_223))))) (fun key_ex_223 => + @Ok byte_seq int8 (key_ex_223)). + +Definition aes_encrypt_block + (k_228 : byte_seq) + (input_229 : block_t) + (nk_230 : uint_size) + (nr_231 : uint_size) + (key_schedule_length_232 : uint_size) + (key_length_233 : uint_size) + (iterations_234 : uint_size) + : block_result_t := + bind (key_expansion_aes (k_228) (nk_230) (nr_231) (key_schedule_length_232) ( + key_length_233) (iterations_234)) (fun key_ex_235 => @Ok block_t int8 ( + block_cipher_aes (input_229) (key_ex_235) (nr_231))). + +Definition aes128_encrypt_block + (k_236 : key128_t) + (input_237 : block_t) + : block_t := + result_unwrap (aes_encrypt_block (seq_from_seq (array_to_seq (k_236))) ( + input_237) (key_length_v) (rounds_v) (key_schedule_length_v) ( + key_length_v) (iterations_v)). + +Definition aes_ctr_key_block + (k_238 : byte_seq) + (n_239 : aes_nonce_t) + (c_240 : uint32) + (nk_241 : uint_size) + (nr_242 : uint_size) + (key_schedule_length_243 : uint_size) + (key_length_244 : uint_size) + (iterations_245 : uint_size) + : block_result_t := + let input_246 : block_t := + array_new_ (default : uint8) (blocksize_v) in + let input_246 := + array_update (input_246) (usize 0) (array_to_seq (n_239)) in + let input_246 := + array_update (input_246) (usize 12) (array_to_seq (uint32_to_be_bytes ( + c_240))) in + aes_encrypt_block (k_238) (input_246) (nk_241) (nr_242) ( + key_schedule_length_243) (key_length_244) (iterations_245). + +Definition xor_block + (block_247 : block_t) + (key_block_248 : block_t) + : block_t := + let out_249 : block_t := + block_247 in + let out_249 := + foldi (usize 0) (blocksize_v) (fun i_250 out_249 => + let out_249 := + array_upd out_249 (i_250) ((array_index (out_249) (i_250)) .^ ( + array_index (key_block_248) (i_250))) in + (out_249)) + out_249 in + out_249. + +Definition aes_counter_mode + (key_251 : byte_seq) + (nonce_252 : aes_nonce_t) + (counter_253 : uint32) + (msg_254 : byte_seq) + (nk_255 : uint_size) + (nr_256 : uint_size) + (key_schedule_length_257 : uint_size) + (key_length_258 : uint_size) + (iterations_259 : uint_size) + : byte_seq_result_t := + let ctr_260 : uint32 := + counter_253 in + let blocks_out_261 : seq uint8 := + seq_new_ (default : uint8) (seq_len (msg_254)) in + let n_blocks_262 : uint_size := + seq_num_exact_chunks (msg_254) (blocksize_v) in + bind (foldibnd (usize 0) to (n_blocks_262) for (ctr_260, blocks_out_261 + ) >> (fun i_263 '(ctr_260, blocks_out_261) => + let msg_block_264 : seq uint8 := + seq_get_exact_chunk (msg_254) (blocksize_v) (i_263) in + bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) (nr_256) ( + key_schedule_length_257) (key_length_258) (iterations_259)) ( + fun key_block_265 => let blocks_out_261 := + seq_set_chunk (blocks_out_261) (blocksize_v) (i_263) ( + array_to_seq (xor_block (array_from_seq (blocksize_v) ( + msg_block_264)) (key_block_265))) in + let ctr_260 := + (ctr_260) .+ (secret (@repr WORDSIZE32 1) : int32) in + @Ok (uint32 '× seq uint8) int8 ((ctr_260, blocks_out_261))))) (fun '( + ctr_260, + blocks_out_261 + ) => let last_block_266 : seq uint8 := + seq_get_remainder_chunk (msg_254) (blocksize_v) in + let last_block_len_267 : uint_size := + seq_len (last_block_266) in + ifbnd (last_block_len_267) !=.? (usize 0) : bool + thenbnd (let last_block_268 : block_t := + array_update_start (array_new_ (default : uint8) (blocksize_v)) ( + last_block_266) in + bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) ( + nr_256) (key_schedule_length_257) (key_length_258) (iterations_259)) ( + fun key_block_269 => let blocks_out_261 := + seq_set_chunk (blocks_out_261) (blocksize_v) (n_blocks_262) ( + array_slice_range (xor_block (last_block_268) (key_block_269)) (( + usize 0, + last_block_len_267 + ))) in + @Ok (seq uint8) int8 ((blocks_out_261)))) + else ((blocks_out_261)) >> (fun '(blocks_out_261) => + @Ok byte_seq int8 (blocks_out_261))). + +Definition aes128_encrypt + (key_270 : key128_t) + (nonce_271 : aes_nonce_t) + (counter_272 : uint32) + (msg_273 : byte_seq) + : byte_seq := + result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_270))) ( + nonce_271) (counter_272) (msg_273) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)). + +Definition aes128_decrypt + (key_274 : key128_t) + (nonce_275 : aes_nonce_t) + (counter_276 : uint32) + (ctxt_277 : byte_seq) + : byte_seq := + result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_274))) ( + nonce_275) (counter_276) (ctxt_277) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)). + diff --git a/proof-libs/coq/_vc/Hacspec_Aes128_Gcm.v b/proof-libs/coq/_vc/Hacspec_Aes128_Gcm.v new file mode 100644 index 000000000..0d6395bc6 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Aes128_Gcm.v @@ -0,0 +1,126 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Aes. + +Require Import Hacspec_Gf128. + +Notation "'aes_gcm_byte_seq_result_t'" := (( + result byte_seq int8)) : hacspec_scope. + +Definition invalid_tag_v : int8 := + @repr WORDSIZE8 1. + +Definition pad_aad_msg (aad_278 : byte_seq) (msg_279 : byte_seq) : byte_seq := + let laad_280 : uint_size := + seq_len (aad_278) in + let lmsg_281 : uint_size := + seq_len (msg_279) in + let pad_aad_282 : uint_size := + (if (((laad_280) %% (usize 16)) =.? (usize 0)):bool then (laad_280) else (( + laad_280) + ((usize 16) - ((laad_280) %% (usize 16))))) in + let pad_msg_283 : uint_size := + (if (((lmsg_281) %% (usize 16)) =.? (usize 0)):bool then (lmsg_281) else (( + lmsg_281) + ((usize 16) - ((lmsg_281) %% (usize 16))))) in + let padded_msg_284 : seq uint8 := + seq_new_ (default : uint8) (((pad_aad_282) + (pad_msg_283)) + ( + usize 16)) in + let padded_msg_284 := + seq_update (padded_msg_284) (usize 0) (aad_278) in + let padded_msg_284 := + seq_update (padded_msg_284) (pad_aad_282) (msg_279) in + let padded_msg_284 := + seq_update (padded_msg_284) ((pad_aad_282) + (pad_msg_283)) ( + array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( + laad_280)) : int64) .* (secret ( + @repr WORDSIZE64 8) : int64)))) in + let padded_msg_284 := + seq_update (padded_msg_284) (((pad_aad_282) + (pad_msg_283)) + (usize 8)) ( + array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( + lmsg_281)) : int64) .* (secret ( + @repr WORDSIZE64 8) : int64)))) in + padded_msg_284. + +Definition encrypt_aes + (key_285 : byte_seq) + (iv_286 : aes_nonce_t) + (aad_287 : byte_seq) + (msg_288 : byte_seq) + : (byte_seq '× gf128_tag_t) := + let iv0_289 : aes_nonce_t := + array_new_ (default : uint8) (_) in + let mac_key_290 : block_t := + result_unwrap (aes_ctr_key_block (key_285) (iv0_289) (secret ( + @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) in + let tag_mix_291 : block_t := + result_unwrap (aes_ctr_key_block (key_285) ((iv_286)) (secret ( + @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) in + let cipher_text_292 : seq uint8 := + aes128_encrypt (array_from_seq (_) (key_285)) (iv_286) (secret ( + @repr WORDSIZE32 2) : int32) (msg_288) in + let padded_msg_293 : seq uint8 := + pad_aad_msg (aad_287) (cipher_text_292) in + let tag_294 : gf128_tag_t := + gmac (padded_msg_293) (array_from_seq (_) (array_to_seq (mac_key_290))) in + let tag_295 : block_t := + xor_block (array_from_seq (_) (array_to_seq (tag_294))) (tag_mix_291) in + (cipher_text_292, array_from_seq (_) (array_to_seq (tag_295))). + +Definition encrypt_aes128 + (key_296 : key128_t) + (iv_297 : aes_nonce_t) + (aad_298 : byte_seq) + (msg_299 : byte_seq) + : (byte_seq '× gf128_tag_t) := + encrypt_aes (seq_from_seq (array_to_seq (key_296))) (iv_297) (aad_298) ( + msg_299). + +Definition decrypt_aes + (key_300 : byte_seq) + (iv_301 : aes_nonce_t) + (aad_302 : byte_seq) + (cipher_text_303 : byte_seq) + (tag_304 : gf128_tag_t) + : aes_gcm_byte_seq_result_t := + let iv0_305 : aes_nonce_t := + array_new_ (default : uint8) (_) in + bind (aes_ctr_key_block (key_300) (iv0_305) (secret ( + @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) (fun mac_key_306 => + bind (aes_ctr_key_block (key_300) ((iv_301)) (secret ( + @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) ( + fun tag_mix_307 => let padded_msg_308 : seq uint8 := + pad_aad_msg (aad_302) (cipher_text_303) in + let my_tag_309 : gf128_tag_t := + gmac (padded_msg_308) (array_from_seq (_) ( + array_to_seq (mac_key_306))) in + let my_tag_310 : block_t := + xor_block (array_from_seq (_) (array_to_seq (my_tag_309))) ( + tag_mix_307) in + let ptxt_311 : seq uint8 := + aes128_decrypt (array_from_seq (_) (key_300)) (iv_301) (secret ( + @repr WORDSIZE32 2) : int32) (cipher_text_303) in + (if (array_declassify_eq (my_tag_310) (array_from_seq (_) ( + array_to_seq (tag_304)))):bool then (@Ok byte_seq int8 ( + ptxt_311)) else (@Err byte_seq int8 (invalid_tag_v))))). + +Definition decrypt_aes128 + (key_312 : key128_t) + (iv_313 : aes_nonce_t) + (aad_314 : byte_seq) + (cipher_text_315 : byte_seq) + (tag_316 : gf128_tag_t) + : aes_gcm_byte_seq_result_t := + decrypt_aes (seq_from_seq (array_to_seq (key_312))) (iv_313) (aad_314) ( + cipher_text_315) (tag_316). + diff --git a/proof-libs/coq/_vc/Hacspec_Bip_340.v b/proof-libs/coq/_vc/Hacspec_Bip_340.v new file mode 100644 index 000000000..461143d44 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Bip_340.v @@ -0,0 +1,530 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Inductive error_t := +| InvalidSecretKey : error_t +| InvalidNonceGenerated : error_t +| InvalidPublicKey : error_t +| InvalidXCoordinate : error_t +| InvalidSignature : error_t. + +Definition eqb_error_t (x y : error_t) : bool := +match x with + | InvalidSecretKey => match y with | InvalidSecretKey=> true | _ => false end + | InvalidNonceGenerated => + match y with + | InvalidNonceGenerated=> true + | _ => false + end + | InvalidPublicKey => match y with | InvalidPublicKey=> true | _ => false end + | InvalidXCoordinate => + match y with + | InvalidXCoordinate=> true + | _ => false + end + | InvalidSignature => match y with | InvalidSignature=> true | _ => false end + end. + +Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_error_t : EqDec (error_t) := +Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). + + +Definition field_canvas_t := nseq (int8) (32). +Definition field_element_t := + nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141. + +Definition big_integer_t := nat_mod pow2 256. + +Notation "'affine_point_t'" := ((field_element_t '× field_element_t +)) : hacspec_scope. + +Definition p_bytes32_t := nseq (int8) (usize 32). + +Inductive point_t := +| Affine : affine_point_t -> point_t +| AtInfinity : point_t. + +Definition finite (p_2555 : point_t) : (option affine_point_t) := + match p_2555 with + | Affine (p_2556) => some (p_2556) + | AtInfinity => @None affine_point_t + end. + +Definition x (p_2557 : affine_point_t) : field_element_t := + let '(x_2558, _) := + p_2557 in + x_2558. + +Definition y (p_2559 : affine_point_t) : field_element_t := + let '(_, y_2560) := + p_2559 in + y_2560. + +Definition has_even_y (p_2561 : affine_point_t) : bool := + ((y (p_2561)) rem (nat_mod_two )) =.? (nat_mod_zero ). + +Definition sqrt (y_2562 : field_element_t) : (option field_element_t) := + let p1_4_2563 : field_element_t := + nat_mod_from_public_byte_seq_be (array_from_list int8 (let l := + [ + @repr WORDSIZE8 63; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 191; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 12 + ] in l)) in + let x_2564 : field_element_t := + nat_mod_pow_self (y_2562) (p1_4_2563) in + (if ((nat_mod_pow_self (x_2564) (nat_mod_two )) =.? (y_2562)):bool then ( + some (x_2564)) else (@None field_element_t)). + +Definition lift_x + (x_2565 : field_element_t) + : (result affine_point_t error_t) := + let one_2566 : field_element_t := + nat_mod_one in + let two_2567 : field_element_t := + nat_mod_two in + let three_2568 : field_element_t := + nat_mod_from_literal ( + 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( + @repr WORDSIZE128 3) : field_element_t in + let seven_2569 : field_element_t := + nat_mod_from_literal ( + 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( + @repr WORDSIZE128 7) : field_element_t in + let y_sq_2570 : field_element_t := + (nat_mod_pow_self (x_2565) (three_2568)) +% (seven_2569) in + bind (option_ok_or (sqrt (y_sq_2570)) (InvalidXCoordinate)) (fun y_2571 => + let '(y_2571) := + if ((y_2571) rem (two_2567)) =.? (one_2566):bool then (let y_2571 := + (nat_mod_zero ) -% (y_2571) in + (y_2571)) else ((y_2571)) in + @Ok affine_point_t error_t ((x_2565, y_2571))). + +Definition compute_lam + (p1_2572 : affine_point_t) + (p2_2573 : affine_point_t) + : field_element_t := + let three_2574 : field_element_t := + nat_mod_from_literal ( + 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( + @repr WORDSIZE128 3) : field_element_t in + (if ((p1_2572) !=.? (p2_2573)):bool then (((y (p2_2573)) -% (y ( + p1_2572))) *% (nat_mod_pow_self ((x (p2_2573)) -% (x (p1_2572))) (( + nat_mod_zero ) -% (nat_mod_two )))) else ((((three_2574) *% (x ( + p1_2572))) *% (x (p1_2572))) *% (nat_mod_pow_self (( + nat_mod_two ) *% (y (p1_2572))) ((nat_mod_zero ) -% ( + nat_mod_two ))))). + +Definition point_add (p1_2575 : point_t) (p2_2576 : point_t) : point_t := + let result_2577 : point_t := + AtInfinity in + let '(result_2577) := + if option_is_none (finite (p1_2575)):bool then (let result_2577 := + p2_2576 in + (result_2577)) else (let '(result_2577) := + if option_is_none (finite (p2_2576)):bool then (let result_2577 := + p1_2575 in + (result_2577)) else (let p1_2578 : ( + field_element_t '× + field_element_t + ) := + option_unwrap (finite (p1_2575)) in + let p2_2579 : (field_element_t '× field_element_t) := + option_unwrap (finite (p2_2576)) in + let '(result_2577) := + if negb (((x (p1_2578)) =.? (x (p2_2579))) && ((y (p1_2578)) !=.? ( + y (p2_2579)))):bool then (let lam_2580 : field_element_t := + compute_lam (p1_2578) (p2_2579) in + let x3_2581 : field_element_t := + (((lam_2580) *% (lam_2580)) -% (x (p1_2578))) -% (x ( + p2_2579)) in + let result_2577 := + Affine (( + x3_2581, + ((lam_2580) *% ((x (p1_2578)) -% (x3_2581))) -% (y ( + p1_2578)) + )) in + (result_2577)) else ((result_2577)) in + (result_2577)) in + (result_2577)) in + result_2577. + +Definition point_mul (s_2582 : scalar_t) (p_2583 : point_t) : point_t := + let p_2584 : point_t := + p_2583 in + let q_2585 : point_t := + AtInfinity in + let '(p_2584, q_2585) := + foldi (usize 0) (usize 256) (fun i_2586 '(p_2584, q_2585) => + let '(q_2585) := + if nat_mod_bit (s_2582) (i_2586):bool then (let q_2585 := + point_add (q_2585) (p_2584) in + (q_2585)) else ((q_2585)) in + let p_2584 := + point_add (p_2584) (p_2584) in + (p_2584, q_2585)) + (p_2584, q_2585) in + q_2585. + +Definition point_mul_base (s_2587 : scalar_t) : point_t := + let gx_2588 : p_bytes32_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 121; + @repr WORDSIZE8 190; + @repr WORDSIZE8 102; + @repr WORDSIZE8 126; + @repr WORDSIZE8 249; + @repr WORDSIZE8 220; + @repr WORDSIZE8 187; + @repr WORDSIZE8 172; + @repr WORDSIZE8 85; + @repr WORDSIZE8 160; + @repr WORDSIZE8 98; + @repr WORDSIZE8 149; + @repr WORDSIZE8 206; + @repr WORDSIZE8 135; + @repr WORDSIZE8 11; + @repr WORDSIZE8 7; + @repr WORDSIZE8 2; + @repr WORDSIZE8 155; + @repr WORDSIZE8 252; + @repr WORDSIZE8 219; + @repr WORDSIZE8 45; + @repr WORDSIZE8 206; + @repr WORDSIZE8 40; + @repr WORDSIZE8 217; + @repr WORDSIZE8 89; + @repr WORDSIZE8 242; + @repr WORDSIZE8 129; + @repr WORDSIZE8 91; + @repr WORDSIZE8 22; + @repr WORDSIZE8 248; + @repr WORDSIZE8 23; + @repr WORDSIZE8 152 + ] in l) in + let gy_2589 : p_bytes32_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 72; + @repr WORDSIZE8 58; + @repr WORDSIZE8 218; + @repr WORDSIZE8 119; + @repr WORDSIZE8 38; + @repr WORDSIZE8 163; + @repr WORDSIZE8 196; + @repr WORDSIZE8 101; + @repr WORDSIZE8 93; + @repr WORDSIZE8 164; + @repr WORDSIZE8 251; + @repr WORDSIZE8 252; + @repr WORDSIZE8 14; + @repr WORDSIZE8 17; + @repr WORDSIZE8 8; + @repr WORDSIZE8 168; + @repr WORDSIZE8 253; + @repr WORDSIZE8 23; + @repr WORDSIZE8 180; + @repr WORDSIZE8 72; + @repr WORDSIZE8 166; + @repr WORDSIZE8 133; + @repr WORDSIZE8 84; + @repr WORDSIZE8 25; + @repr WORDSIZE8 156; + @repr WORDSIZE8 71; + @repr WORDSIZE8 208; + @repr WORDSIZE8 143; + @repr WORDSIZE8 251; + @repr WORDSIZE8 16; + @repr WORDSIZE8 212; + @repr WORDSIZE8 184 + ] in l) in + let g_2590 : point_t := + Affine (( + nat_mod_from_public_byte_seq_be (gx_2588), + nat_mod_from_public_byte_seq_be (gy_2589) + )) in + point_mul (s_2587) (g_2590). + +Definition bytes32_t := nseq (uint8) (usize 32). + +Notation "'secret_key_t'" := (bytes32_t) : hacspec_scope. + +Notation "'public_key_t'" := (bytes32_t) : hacspec_scope. + +Notation "'message_t'" := (bytes32_t) : hacspec_scope. + +Notation "'aux_rand_t'" := (bytes32_t) : hacspec_scope. + +Definition signature_t := nseq (uint8) (usize 64). + +Definition tagged_hash + (tag_2591 : public_byte_seq) + (msg_2592 : byte_seq) + : bytes32_t := + let tag_hash_2593 : seq uint8 := + array_to_be_bytes (sha256 (seq_from_public_seq (tag_2591))) in + let hash_2594 : sha256_digest_t := + sha256 (seq_concat (seq_concat (tag_hash_2593) (tag_hash_2593)) ( + msg_2592)) in + array_from_seq (32) (array_to_seq (hash_2594)). + +Definition tagged_hash_aux_prefix_t := nseq (int8) (usize 11). + +Definition bip0340_aux_v : tagged_hash_aux_prefix_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 66; + @repr WORDSIZE8 73; + @repr WORDSIZE8 80; + @repr WORDSIZE8 48; + @repr WORDSIZE8 51; + @repr WORDSIZE8 52; + @repr WORDSIZE8 48; + @repr WORDSIZE8 47; + @repr WORDSIZE8 97; + @repr WORDSIZE8 117; + @repr WORDSIZE8 120 + ] in l). + +Definition hash_aux (aux_rand_2595 : aux_rand_t) : bytes32_t := + tagged_hash (seq_from_seq (array_to_seq (bip0340_aux_v))) (seq_from_seq ( + aux_rand_2595)). + +Definition tagged_hash_nonce_prefix_t := nseq (int8) (usize 13). + +Definition bip0340_nonce_v : tagged_hash_nonce_prefix_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 66; + @repr WORDSIZE8 73; + @repr WORDSIZE8 80; + @repr WORDSIZE8 48; + @repr WORDSIZE8 51; + @repr WORDSIZE8 52; + @repr WORDSIZE8 48; + @repr WORDSIZE8 47; + @repr WORDSIZE8 110; + @repr WORDSIZE8 111; + @repr WORDSIZE8 110; + @repr WORDSIZE8 99; + @repr WORDSIZE8 101 + ] in l). + +Definition hash_nonce + (rand_2596 : bytes32_t) + (pubkey_2597 : bytes32_t) + (msg_2598 : message_t) + : bytes32_t := + let c_2599 : byte_seq := + seq_concat (seq_concat (seq_from_seq (array_to_seq (rand_2596))) ( + array_to_seq (pubkey_2597))) (msg_2598) in + tagged_hash (seq_from_seq (array_to_seq (bip0340_nonce_v))) (c_2599). + +Definition tagged_hash_challenge_prefix_t := nseq (int8) (usize 17). + +Definition bip0340_challenge_v : tagged_hash_challenge_prefix_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 66; + @repr WORDSIZE8 73; + @repr WORDSIZE8 80; + @repr WORDSIZE8 48; + @repr WORDSIZE8 51; + @repr WORDSIZE8 52; + @repr WORDSIZE8 48; + @repr WORDSIZE8 47; + @repr WORDSIZE8 99; + @repr WORDSIZE8 104; + @repr WORDSIZE8 97; + @repr WORDSIZE8 108; + @repr WORDSIZE8 108; + @repr WORDSIZE8 101; + @repr WORDSIZE8 110; + @repr WORDSIZE8 103; + @repr WORDSIZE8 101 + ] in l). + +Definition hash_challenge + (rx_2600 : bytes32_t) + (pubkey_2601 : bytes32_t) + (msg_2602 : bytes32_t) + : bytes32_t := + let c_2603 : byte_seq := + seq_concat (seq_concat (seq_from_seq (array_to_seq (rx_2600))) ( + array_to_seq (pubkey_2601))) (array_to_seq (msg_2602)) in + tagged_hash (seq_from_seq (array_to_seq (bip0340_challenge_v))) (c_2603). + +Definition bytes_from_point (p_2604 : affine_point_t) : bytes32_t := + let '(x_2605, _) := + p_2604 in + array_from_seq (32) (nat_mod_to_byte_seq_be (x_2605)). + +Definition bytes_from_scalar (x_2606 : scalar_t) : bytes32_t := + array_from_seq (32) (nat_mod_to_byte_seq_be (x_2606)). + +Definition scalar_from_bytes (b_2607 : bytes32_t) : scalar_t := + nat_mod_from_byte_seq_be (array_to_seq (b_2607)) : scalar_t. + +Definition scalar_from_bytes_strict (b_2608 : bytes32_t) : (option scalar_t) := + let s_2609 : big_integer_t := + nat_mod_from_byte_seq_be (array_to_seq (b_2608)) : big_integer_t in + let max_scalar_2610 : big_integer_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + nat_mod_max_val )) : big_integer_t in + (if ((s_2609) >.? (max_scalar_2610)):bool then (@None scalar_t) else ( + @Some scalar_t (nat_mod_from_byte_seq_be ( + array_to_seq (b_2608)) : scalar_t))). + +Definition seckey_scalar_from_bytes (b_2611 : bytes32_t) : (option scalar_t) := + bind (scalar_from_bytes_strict (b_2611)) (fun s_2612 => (if ((s_2612) =.? ( + nat_mod_zero )):bool then (@None scalar_t) else (@Some scalar_t ( + s_2612)))). + +Definition fieldelem_from_bytes + (b_2613 : public_key_t) + : (option field_element_t) := + let s_2614 : big_integer_t := + nat_mod_from_byte_seq_be (b_2613) : big_integer_t in + let max_fe_2615 : big_integer_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + nat_mod_max_val )) : big_integer_t in + (if ((s_2614) >.? (max_fe_2615)):bool then (@None field_element_t) else ( + @Some field_element_t (nat_mod_from_byte_seq_be ( + b_2613) : field_element_t))). + +Definition xor_bytes (b0_2616 : bytes32_t) (b1_2617 : bytes32_t) : bytes32_t := + let b_2618 : seq uint8 := + seq_new_ (default : uint8) (array_len (b0_2616)) in + let b_2618 := + foldi (usize 0) (array_len (b0_2616)) (fun i_2619 b_2618 => + let b_2618 := + seq_upd b_2618 (i_2619) ((array_index (b0_2616) (i_2619)) .^ ( + array_index (b1_2617) (i_2619))) in + (b_2618)) + b_2618 in + array_from_seq (32) (b_2618). + +Notation "'pubkey_gen_result_t'" := (( + result public_key_t error_t)) : hacspec_scope. + +Definition pubkey_gen (seckey_2620 : secret_key_t) : pubkey_gen_result_t := + bind (option_ok_or (seckey_scalar_from_bytes (seckey_2620)) ( + InvalidSecretKey)) (fun d0_2621 => let p_2622 : ( + field_element_t '× + field_element_t + ) := + option_unwrap (finite (point_mul_base (d0_2621))) in + @Ok public_key_t error_t (bytes_from_point (p_2622))). + +Notation "'sign_result_t'" := ((result signature_t error_t)) : hacspec_scope. + +Definition sign + (msg_2623 : message_t) + (seckey_2624 : secret_key_t) + (aux_rand_2625 : aux_rand_t) + : sign_result_t := + bind (option_ok_or (seckey_scalar_from_bytes (seckey_2624)) ( + InvalidSecretKey)) (fun d0_2626 => let p_2627 : ( + field_element_t '× + field_element_t + ) := + option_unwrap (finite (point_mul_base (d0_2626))) in + let d_2628 : scalar_t := + (if (has_even_y (p_2627)):bool then (d0_2626) else ((nat_mod_zero ) -% ( + d0_2626))) in + let t_2629 : bytes32_t := + xor_bytes (bytes_from_scalar (d_2628)) (hash_aux (aux_rand_2625)) in + let k0_2630 : scalar_t := + scalar_from_bytes (hash_nonce (t_2629) (bytes_from_point (p_2627)) ( + msg_2623)) in + ifbnd (k0_2630) =.? (nat_mod_zero ) : bool + thenbnd (bind (@Err signature_t error_t (InvalidNonceGenerated)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let r_2631 : (field_element_t '× field_element_t) := + option_unwrap (finite (point_mul_base (k0_2630))) in + let k_2632 : scalar_t := + (if (has_even_y (r_2631)):bool then (k0_2630) else ((nat_mod_zero ) -% ( + k0_2630))) in + let e_2633 : scalar_t := + scalar_from_bytes (hash_challenge (bytes_from_point (r_2631)) ( + bytes_from_point (p_2627)) (msg_2623)) in + let sig_2634 : signature_t := + array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( + array_to_seq (bytes_from_point (r_2631)))) (usize 32) ( + array_to_seq (bytes_from_scalar ((k_2632) +% ((e_2633) *% ( + d_2628))))) in + bind (verify (msg_2623) (bytes_from_point (p_2627)) (sig_2634)) (fun _ => + @Ok signature_t error_t (sig_2634)))). + +Notation "'verification_result_t'" := ((result unit error_t)) : hacspec_scope. + +Definition verify + (msg_2635 : message_t) + (pubkey_2636 : public_key_t) + (sig_2637 : signature_t) + : verification_result_t := + bind (option_ok_or (fieldelem_from_bytes (pubkey_2636)) (InvalidPublicKey)) ( + fun p_x_2638 => bind (lift_x (p_x_2638)) (fun p_2639 => bind (option_ok_or ( + fieldelem_from_bytes (array_from_slice (default : uint8) (32) ( + array_to_seq (sig_2637)) (usize 0) (usize 32))) ( + InvalidSignature)) (fun r_2640 => bind (option_ok_or ( + scalar_from_bytes_strict (array_from_slice (default : uint8) (32) ( + array_to_seq (sig_2637)) (usize 32) (usize 32))) ( + InvalidSignature)) (fun s_2641 => let e_2642 : scalar_t := + scalar_from_bytes (hash_challenge (array_from_slice ( + default : uint8) (32) (array_to_seq (sig_2637)) (usize 0) ( + usize 32)) (bytes_from_point (p_2639)) (msg_2635)) in + bind (option_ok_or (finite (point_add (point_mul_base (s_2641)) ( + point_mul ((nat_mod_zero ) -% (e_2642)) (Affine (p_2639))))) ( + InvalidSignature)) (fun r_p_2643 => (if ((negb (has_even_y ( + r_p_2643))) || ((x (r_p_2643)) !=.? (r_2640))):bool then ( + @Err unit error_t (InvalidSignature)) else (@Ok unit error_t ( + tt)))))))). + diff --git a/proof-libs/coq/_vc/Hacspec_Bls12_381.v b/proof-libs/coq/_vc/Hacspec_Bls12_381.v new file mode 100644 index 000000000..93170a691 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Bls12_381.v @@ -0,0 +1,772 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +From QuickChick Require Import QuickChick. +Require Import QuickChickLib. +Require Import Hacspec_Lib. + +Definition fp_canvas_t := nseq (int8) (48). +Definition fp_t := + nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. +Instance show_fp_t : Show (fp_t) := Build_Show (fp_t) (fun x => show (GZnZ.val _ x)). +Definition g_fp_t : G (fp_t) := @bindGen Z (fp_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). +Instance gen_fp_t : Gen (fp_t) := Build_Gen fp_t g_fp_t. + + +Definition serialized_fp_t := nseq (uint8) (usize 48). + +Definition array_fp_t := nseq (uint64) (usize 6). + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. +Instance show_scalar_t : Show (scalar_t) := Build_Show (scalar_t) (fun x => show (GZnZ.val _ x)). +Definition g_scalar_t : G (scalar_t) := @bindGen Z (scalar_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). +Instance gen_scalar_t : Gen (scalar_t) := Build_Gen scalar_t g_scalar_t. + + +Notation "'g1_t'" := ((fp_t '× fp_t '× bool)) : hacspec_scope. +Instance show_g1_t : Show (g1_t) := +Build_Show g1_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_g1_t : G (g1_t) := +bindGen arbitrary (fun x0 : fp_t => + bindGen arbitrary (fun x1 : fp_t => + bindGen arbitrary (fun x2 : bool => + returnGen (x0,x1,x2)))). +Instance gen_g1_t : Gen (g1_t) := Build_Gen g1_t g_g1_t. + + +Notation "'fp2_t'" := ((fp_t '× fp_t)) : hacspec_scope. +Instance show_fp2_t : Show (fp2_t) := +Build_Show fp2_t (fun x => + let (x, x0) := x in + (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. +Definition g_fp2_t : G (fp2_t) := +bindGen arbitrary (fun x0 : fp_t => + bindGen arbitrary (fun x1 : fp_t => + returnGen (x0,x1))). +Instance gen_fp2_t : Gen (fp2_t) := Build_Gen fp2_t g_fp2_t. + + +Notation "'g2_t'" := ((fp2_t '× fp2_t '× bool)) : hacspec_scope. +Instance show_g2_t : Show (g2_t) := +Build_Show g2_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_g2_t : G (g2_t) := +bindGen arbitrary (fun x0 : fp2_t => + bindGen arbitrary (fun x1 : fp2_t => + bindGen arbitrary (fun x2 : bool => + returnGen (x0,x1,x2)))). +Instance gen_g2_t : Gen (g2_t) := Build_Gen g2_t g_g2_t. + + +Notation "'fp6_t'" := ((fp2_t '× fp2_t '× fp2_t)) : hacspec_scope. +Instance show_fp6_t : Show (fp6_t) := +Build_Show fp6_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_fp6_t : G (fp6_t) := +bindGen arbitrary (fun x0 : fp2_t => + bindGen arbitrary (fun x1 : fp2_t => + bindGen arbitrary (fun x2 : fp2_t => + returnGen (x0,x1,x2)))). +Instance gen_fp6_t : Gen (fp6_t) := Build_Gen fp6_t g_fp6_t. + + +Notation "'fp12_t'" := ((fp6_t '× fp6_t)) : hacspec_scope. +Instance show_fp12_t : Show (fp12_t) := +Build_Show fp12_t (fun x => + let (x, x0) := x in + (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. +Definition g_fp12_t : G (fp12_t) := +bindGen arbitrary (fun x0 : fp6_t => + bindGen arbitrary (fun x1 : fp6_t => + returnGen (x0,x1))). +Instance gen_fp12_t : Gen (fp12_t) := Build_Gen fp12_t g_fp12_t. + + +Definition fp2fromfp (n_1405 : fp_t) : fp2_t := + (n_1405, nat_mod_zero ). + +Definition fp2zero : fp2_t := + fp2fromfp (nat_mod_zero ). + +Definition fp2neg (n_1406 : fp2_t) : fp2_t := + let '(n1_1407, n2_1408) := + n_1406 in + ((nat_mod_zero ) -% (n1_1407), (nat_mod_zero ) -% (n2_1408)). + +Definition fp2add (n_1409 : fp2_t) (m_1410 : fp2_t) : fp2_t := + let '(n1_1411, n2_1412) := + n_1409 in + let '(m1_1413, m2_1414) := + m_1410 in + ((n1_1411) +% (m1_1413), (n2_1412) +% (m2_1414)). + +Definition fp2sub (n_1415 : fp2_t) (m_1416 : fp2_t) : fp2_t := + fp2add (n_1415) (fp2neg (m_1416)). + +Definition fp2mul (n_1417 : fp2_t) (m_1418 : fp2_t) : fp2_t := + let '(n1_1419, n2_1420) := + n_1417 in + let '(m1_1421, m2_1422) := + m_1418 in + let x1_1423 : fp_t := + ((n1_1419) *% (m1_1421)) -% ((n2_1420) *% (m2_1422)) in + let x2_1424 : fp_t := + ((n1_1419) *% (m2_1422)) +% ((n2_1420) *% (m1_1421)) in + (x1_1423, x2_1424). + +Definition fp2inv (n_1425 : fp2_t) : fp2_t := + let '(n1_1426, n2_1427) := + n_1425 in + let t0_1428 : fp_t := + ((n1_1426) *% (n1_1426)) +% ((n2_1427) *% (n2_1427)) in + let t1_1429 : fp_t := + nat_mod_inv (t0_1428) in + let x1_1430 : fp_t := + (n1_1426) *% (t1_1429) in + let x2_1431 : fp_t := + (nat_mod_zero ) -% ((n2_1427) *% (t1_1429)) in + (x1_1430, x2_1431). + +Definition fp2conjugate (n_1432 : fp2_t) : fp2_t := + let '(n1_1433, n2_1434) := + n_1432 in + (n1_1433, (nat_mod_zero ) -% (n2_1434)). + +Definition fp6fromfp2 (n_1435 : fp2_t) : fp6_t := + (n_1435, fp2zero , fp2zero ). + +Definition fp6zero : fp6_t := + fp6fromfp2 (fp2zero ). + +Definition fp6neg (n_1436 : fp6_t) : fp6_t := + let '(n1_1437, n2_1438, n3_1439) := + n_1436 in + ( + fp2sub (fp2zero ) (n1_1437), + fp2sub (fp2zero ) (n2_1438), + fp2sub (fp2zero ) (n3_1439) + ). + +Definition fp6add (n_1440 : fp6_t) (m_1441 : fp6_t) : fp6_t := + let '(n1_1442, n2_1443, n3_1444) := + n_1440 in + let '(m1_1445, m2_1446, m3_1447) := + m_1441 in + ( + fp2add (n1_1442) (m1_1445), + fp2add (n2_1443) (m2_1446), + fp2add (n3_1444) (m3_1447) + ). + +Definition fp6sub (n_1448 : fp6_t) (m_1449 : fp6_t) : fp6_t := + fp6add (n_1448) (fp6neg (m_1449)). + +Definition fp6mul (n_1450 : fp6_t) (m_1451 : fp6_t) : fp6_t := + let '(n1_1452, n2_1453, n3_1454) := + n_1450 in + let '(m1_1455, m2_1456, m3_1457) := + m_1451 in + let eps_1458 : (fp_t '× fp_t) := + (nat_mod_one , nat_mod_one ) in + let t1_1459 : (fp_t '× fp_t) := + fp2mul (n1_1452) (m1_1455) in + let t2_1460 : (fp_t '× fp_t) := + fp2mul (n2_1453) (m2_1456) in + let t3_1461 : (fp_t '× fp_t) := + fp2mul (n3_1454) (m3_1457) in + let t4_1462 : (fp_t '× fp_t) := + fp2mul (fp2add (n2_1453) (n3_1454)) (fp2add (m2_1456) (m3_1457)) in + let t5_1463 : (fp_t '× fp_t) := + fp2sub (fp2sub (t4_1462) (t2_1460)) (t3_1461) in + let x_1464 : (fp_t '× fp_t) := + fp2add (fp2mul (t5_1463) (eps_1458)) (t1_1459) in + let t4_1465 : (fp_t '× fp_t) := + fp2mul (fp2add (n1_1452) (n2_1453)) (fp2add (m1_1455) (m2_1456)) in + let t5_1466 : (fp_t '× fp_t) := + fp2sub (fp2sub (t4_1465) (t1_1459)) (t2_1460) in + let y_1467 : (fp_t '× fp_t) := + fp2add (t5_1466) (fp2mul (eps_1458) (t3_1461)) in + let t4_1468 : (fp_t '× fp_t) := + fp2mul (fp2add (n1_1452) (n3_1454)) (fp2add (m1_1455) (m3_1457)) in + let t5_1469 : (fp_t '× fp_t) := + fp2sub (fp2sub (t4_1468) (t1_1459)) (t3_1461) in + let z_1470 : (fp_t '× fp_t) := + fp2add (t5_1469) (t2_1460) in + (x_1464, y_1467, z_1470). + +Definition fp6inv (n_1471 : fp6_t) : fp6_t := + let '(n1_1472, n2_1473, n3_1474) := + n_1471 in + let eps_1475 : (fp_t '× fp_t) := + (nat_mod_one , nat_mod_one ) in + let t1_1476 : (fp_t '× fp_t) := + fp2mul (n1_1472) (n1_1472) in + let t2_1477 : (fp_t '× fp_t) := + fp2mul (n2_1473) (n2_1473) in + let t3_1478 : (fp_t '× fp_t) := + fp2mul (n3_1474) (n3_1474) in + let t4_1479 : (fp_t '× fp_t) := + fp2mul (n1_1472) (n2_1473) in + let t5_1480 : (fp_t '× fp_t) := + fp2mul (n1_1472) (n3_1474) in + let t6_1481 : (fp_t '× fp_t) := + fp2mul (n2_1473) (n3_1474) in + let x0_1482 : (fp_t '× fp_t) := + fp2sub (t1_1476) (fp2mul (eps_1475) (t6_1481)) in + let y0_1483 : (fp_t '× fp_t) := + fp2sub (fp2mul (eps_1475) (t3_1478)) (t4_1479) in + let z0_1484 : (fp_t '× fp_t) := + fp2sub (t2_1477) (t5_1480) in + let t0_1485 : (fp_t '× fp_t) := + fp2mul (n1_1472) (x0_1482) in + let t0_1486 : (fp_t '× fp_t) := + fp2add (t0_1485) (fp2mul (eps_1475) (fp2mul (n3_1474) (y0_1483))) in + let t0_1487 : (fp_t '× fp_t) := + fp2add (t0_1486) (fp2mul (eps_1475) (fp2mul (n2_1473) (z0_1484))) in + let t0_1488 : (fp_t '× fp_t) := + fp2inv (t0_1487) in + let x_1489 : (fp_t '× fp_t) := + fp2mul (x0_1482) (t0_1488) in + let y_1490 : (fp_t '× fp_t) := + fp2mul (y0_1483) (t0_1488) in + let z_1491 : (fp_t '× fp_t) := + fp2mul (z0_1484) (t0_1488) in + (x_1489, y_1490, z_1491). + +Definition fp12fromfp6 (n_1492 : fp6_t) : fp12_t := + (n_1492, fp6zero ). + +Definition fp12neg (n_1493 : fp12_t) : fp12_t := + let '(n1_1494, n2_1495) := + n_1493 in + (fp6sub (fp6zero ) (n1_1494), fp6sub (fp6zero ) (n2_1495)). + +Definition fp12add (n_1496 : fp12_t) (m_1497 : fp12_t) : fp12_t := + let '(n1_1498, n2_1499) := + n_1496 in + let '(m1_1500, m2_1501) := + m_1497 in + (fp6add (n1_1498) (m1_1500), fp6add (n2_1499) (m2_1501)). + +Definition fp12sub (n_1502 : fp12_t) (m_1503 : fp12_t) : fp12_t := + fp12add (n_1502) (fp12neg (m_1503)). + +Definition fp12mul (n_1504 : fp12_t) (m_1505 : fp12_t) : fp12_t := + let '(n1_1506, n2_1507) := + n_1504 in + let '(m1_1508, m2_1509) := + m_1505 in + let gamma_1510 : (fp2_t '× fp2_t '× fp2_t) := + (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in + let t1_1511 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n1_1506) (m1_1508) in + let t2_1512 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n2_1507) (m2_1509) in + let x_1513 : (fp2_t '× fp2_t '× fp2_t) := + fp6add (t1_1511) (fp6mul (t2_1512) (gamma_1510)) in + let y_1514 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (fp6add (n1_1506) (n2_1507)) (fp6add (m1_1508) (m2_1509)) in + let y_1515 : (fp2_t '× fp2_t '× fp2_t) := + fp6sub (fp6sub (y_1514) (t1_1511)) (t2_1512) in + (x_1513, y_1515). + +Definition fp12inv (n_1516 : fp12_t) : fp12_t := + let '(n1_1517, n2_1518) := + n_1516 in + let gamma_1519 : (fp2_t '× fp2_t '× fp2_t) := + (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in + let t1_1520 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n1_1517) (n1_1517) in + let t2_1521 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n2_1518) (n2_1518) in + let t1_1522 : (fp2_t '× fp2_t '× fp2_t) := + fp6sub (t1_1520) (fp6mul (gamma_1519) (t2_1521)) in + let t2_1523 : (fp2_t '× fp2_t '× fp2_t) := + fp6inv (t1_1522) in + let x_1524 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n1_1517) (t2_1523) in + let y_1525 : (fp2_t '× fp2_t '× fp2_t) := + fp6neg (fp6mul (n2_1518) (t2_1523)) in + (x_1524, y_1525). + +Definition fp12exp (n_1526 : fp12_t) (k_1527 : scalar_t) : fp12_t := + let c_1528 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in + let c_1528 := + foldi (usize 0) (usize 256) (fun i_1529 c_1528 => + let c_1528 := + fp12mul (c_1528) (c_1528) in + let '(c_1528) := + if nat_mod_bit (k_1527) ((usize 255) - (i_1529)):bool then ( + let c_1528 := + fp12mul (c_1528) (n_1526) in + (c_1528)) else ((c_1528)) in + (c_1528)) + c_1528 in + c_1528. + +Definition fp12conjugate (n_1530 : fp12_t) : fp12_t := + let '(n1_1531, n2_1532) := + n_1530 in + (n1_1531, fp6neg (n2_1532)). + +Definition fp12zero : fp12_t := + fp12fromfp6 (fp6zero ). + +Definition g1add_a (p_1533 : g1_t) (q_1534 : g1_t) : g1_t := + let '(x1_1535, y1_1536, _) := + p_1533 in + let '(x2_1537, y2_1538, _) := + q_1534 in + let x_diff_1539 : fp_t := + (x2_1537) -% (x1_1535) in + let y_diff_1540 : fp_t := + (y2_1538) -% (y1_1536) in + let xovery_1541 : fp_t := + (y_diff_1540) *% (nat_mod_inv (x_diff_1539)) in + let x3_1542 : fp_t := + ((nat_mod_exp (xovery_1541) (@repr WORDSIZE32 2)) -% (x1_1535)) -% ( + x2_1537) in + let y3_1543 : fp_t := + ((xovery_1541) *% ((x1_1535) -% (x3_1542))) -% (y1_1536) in + (x3_1542, y3_1543, false). + +Definition g1double_a (p_1544 : g1_t) : g1_t := + let '(x1_1545, y1_1546, _) := + p_1544 in + let x12_1547 : fp_t := + nat_mod_exp (x1_1545) (@repr WORDSIZE32 2) in + let xovery_1548 : fp_t := + ((nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t) *% (x12_1547)) *% (nat_mod_inv (( + nat_mod_two ) *% (y1_1546))) in + let x3_1549 : fp_t := + (nat_mod_exp (xovery_1548) (@repr WORDSIZE32 2)) -% ((nat_mod_two ) *% ( + x1_1545)) in + let y3_1550 : fp_t := + ((xovery_1548) *% ((x1_1545) -% (x3_1549))) -% (y1_1546) in + (x3_1549, y3_1550, false). + +Definition g1double (p_1551 : g1_t) : g1_t := + let '(x1_1552, y1_1553, inf1_1554) := + p_1551 in + (if (((y1_1553) !=.? (nat_mod_zero )) && (negb (inf1_1554))):bool then ( + g1double_a (p_1551)) else ((nat_mod_zero , nat_mod_zero , true))). + +Definition g1add (p_1555 : g1_t) (q_1556 : g1_t) : g1_t := + let '(x1_1557, y1_1558, inf1_1559) := + p_1555 in + let '(x2_1560, y2_1561, inf2_1562) := + q_1556 in + (if (inf1_1559):bool then (q_1556) else ((if (inf2_1562):bool then ( + p_1555) else ((if ((p_1555) =.? (q_1556)):bool then (g1double ( + p_1555)) else ((if (negb (((x1_1557) =.? (x2_1560)) && (( + y1_1558) =.? ((nat_mod_zero ) -% ( + y2_1561))))):bool then (g1add_a (p_1555) ( + q_1556)) else ((nat_mod_zero , nat_mod_zero , true))))))))). + +Definition g1mul (m_1563 : scalar_t) (p_1564 : g1_t) : g1_t := + let t_1565 : (fp_t '× fp_t '× bool) := + (nat_mod_zero , nat_mod_zero , true) in + let t_1565 := + foldi (usize 0) (usize 256) (fun i_1566 t_1565 => + let t_1565 := + g1double (t_1565) in + let '(t_1565) := + if nat_mod_bit (m_1563) ((usize 255) - (i_1566)):bool then ( + let t_1565 := + g1add (t_1565) (p_1564) in + (t_1565)) else ((t_1565)) in + (t_1565)) + t_1565 in + t_1565. + +Definition g1neg (p_1567 : g1_t) : g1_t := + let '(x_1568, y_1569, inf_1570) := + p_1567 in + (x_1568, (nat_mod_zero ) -% (y_1569), inf_1570). + +Definition g2add_a (p_1571 : g2_t) (q_1572 : g2_t) : g2_t := + let '(x1_1573, y1_1574, _) := + p_1571 in + let '(x2_1575, y2_1576, _) := + q_1572 in + let x_diff_1577 : (fp_t '× fp_t) := + fp2sub (x2_1575) (x1_1573) in + let y_diff_1578 : (fp_t '× fp_t) := + fp2sub (y2_1576) (y1_1574) in + let xovery_1579 : (fp_t '× fp_t) := + fp2mul (y_diff_1578) (fp2inv (x_diff_1577)) in + let t1_1580 : (fp_t '× fp_t) := + fp2mul (xovery_1579) (xovery_1579) in + let t2_1581 : (fp_t '× fp_t) := + fp2sub (t1_1580) (x1_1573) in + let x3_1582 : (fp_t '× fp_t) := + fp2sub (t2_1581) (x2_1575) in + let t1_1583 : (fp_t '× fp_t) := + fp2sub (x1_1573) (x3_1582) in + let t2_1584 : (fp_t '× fp_t) := + fp2mul (xovery_1579) (t1_1583) in + let y3_1585 : (fp_t '× fp_t) := + fp2sub (t2_1584) (y1_1574) in + (x3_1582, y3_1585, false). + +Definition g2double_a (p_1586 : g2_t) : g2_t := + let '(x1_1587, y1_1588, _) := + p_1586 in + let x12_1589 : (fp_t '× fp_t) := + fp2mul (x1_1587) (x1_1587) in + let t1_1590 : (fp_t '× fp_t) := + fp2mul (fp2fromfp (nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t)) (x12_1589) in + let t2_1591 : (fp_t '× fp_t) := + fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (y1_1588)) in + let xovery_1592 : (fp_t '× fp_t) := + fp2mul (t1_1590) (t2_1591) in + let t1_1593 : (fp_t '× fp_t) := + fp2mul (xovery_1592) (xovery_1592) in + let t2_1594 : (fp_t '× fp_t) := + fp2mul (fp2fromfp (nat_mod_two )) (x1_1587) in + let x3_1595 : (fp_t '× fp_t) := + fp2sub (t1_1593) (t2_1594) in + let t1_1596 : (fp_t '× fp_t) := + fp2sub (x1_1587) (x3_1595) in + let t2_1597 : (fp_t '× fp_t) := + fp2mul (xovery_1592) (t1_1596) in + let y3_1598 : (fp_t '× fp_t) := + fp2sub (t2_1597) (y1_1588) in + (x3_1595, y3_1598, false). + +Definition g2double (p_1599 : g2_t) : g2_t := + let '(x1_1600, y1_1601, inf1_1602) := + p_1599 in + (if (((y1_1601) !=.? (fp2zero )) && (negb (inf1_1602))):bool then ( + g2double_a (p_1599)) else ((fp2zero , fp2zero , true))). + +Definition g2add (p_1603 : g2_t) (q_1604 : g2_t) : g2_t := + let '(x1_1605, y1_1606, inf1_1607) := + p_1603 in + let '(x2_1608, y2_1609, inf2_1610) := + q_1604 in + (if (inf1_1607):bool then (q_1604) else ((if (inf2_1610):bool then ( + p_1603) else ((if ((p_1603) =.? (q_1604)):bool then (g2double ( + p_1603)) else ((if (negb (((x1_1605) =.? (x2_1608)) && (( + y1_1606) =.? (fp2neg (y2_1609))))):bool then (g2add_a ( + p_1603) (q_1604)) else ((fp2zero , fp2zero , true))))))))). + +Definition g2mul (m_1611 : scalar_t) (p_1612 : g2_t) : g2_t := + let t_1613 : (fp2_t '× fp2_t '× bool) := + (fp2zero , fp2zero , true) in + let t_1613 := + foldi (usize 0) (usize 256) (fun i_1614 t_1613 => + let t_1613 := + g2double (t_1613) in + let '(t_1613) := + if nat_mod_bit (m_1611) ((usize 255) - (i_1614)):bool then ( + let t_1613 := + g2add (t_1613) (p_1612) in + (t_1613)) else ((t_1613)) in + (t_1613)) + t_1613 in + t_1613. + +Definition g2neg (p_1615 : g2_t) : g2_t := + let '(x_1616, y_1617, inf_1618) := + p_1615 in + (x_1616, fp2neg (y_1617), inf_1618). + +Definition twist (p_1619 : g1_t) : (fp12_t '× fp12_t) := + let '(p0_1620, p1_1621, _) := + p_1619 in + let x_1622 : ((fp2_t '× fp2_t '× fp2_t) '× fp6_t) := + ((fp2zero , fp2fromfp (p0_1620), fp2zero ), fp6zero ) in + let y_1623 : (fp6_t '× (fp2_t '× fp2_t '× fp2_t)) := + (fp6zero , (fp2zero , fp2fromfp (p1_1621), fp2zero )) in + (x_1622, y_1623). + +Definition line_double_p (r_1624 : g2_t) (p_1625 : g1_t) : fp12_t := + let '(r0_1626, r1_1627, _) := + r_1624 in + let a_1628 : (fp_t '× fp_t) := + fp2mul (fp2fromfp (nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t)) (fp2mul (r0_1626) (r0_1626)) in + let a_1629 : (fp_t '× fp_t) := + fp2mul (a_1628) (fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (r1_1627))) in + let b_1630 : (fp_t '× fp_t) := + fp2sub (r1_1627) (fp2mul (a_1629) (r0_1626)) in + let a_1631 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (a_1629)) in + let b_1632 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (b_1630)) in + let '(x_1633, y_1634) := + twist (p_1625) in + fp12neg (fp12sub (fp12sub (y_1634) (fp12mul (a_1631) (x_1633))) (b_1632)). + +Definition line_add_p + (r_1635 : g2_t) + (q_1636 : g2_t) + (p_1637 : g1_t) + : fp12_t := + let '(r0_1638, r1_1639, _) := + r_1635 in + let '(q0_1640, q1_1641, _) := + q_1636 in + let a_1642 : (fp_t '× fp_t) := + fp2mul (fp2sub (q1_1641) (r1_1639)) (fp2inv (fp2sub (q0_1640) ( + r0_1638))) in + let b_1643 : (fp_t '× fp_t) := + fp2sub (r1_1639) (fp2mul (a_1642) (r0_1638)) in + let a_1644 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (a_1642)) in + let b_1645 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (b_1643)) in + let '(x_1646, y_1647) := + twist (p_1637) in + fp12neg (fp12sub (fp12sub (y_1647) (fp12mul (a_1644) (x_1646))) (b_1645)). + +Definition frobenius (f_1648 : fp12_t) : fp12_t := + let '((g0_1649, g1_1650, g2_1651), (h0_1652, h1_1653, h2_1654)) := + f_1648 in + let t1_1655 : (fp_t '× fp_t) := + fp2conjugate (g0_1649) in + let t2_1656 : (fp_t '× fp_t) := + fp2conjugate (h0_1652) in + let t3_1657 : (fp_t '× fp_t) := + fp2conjugate (g1_1650) in + let t4_1658 : (fp_t '× fp_t) := + fp2conjugate (h1_1653) in + let t5_1659 : (fp_t '× fp_t) := + fp2conjugate (g2_1651) in + let t6_1660 : (fp_t '× fp_t) := + fp2conjugate (h2_1654) in + let c1_1661 : array_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 10162220747404304312) : int64; + secret (@repr WORDSIZE64 17761815663483519293) : int64; + secret (@repr WORDSIZE64 8873291758750579140) : int64; + secret (@repr WORDSIZE64 1141103941765652303) : int64; + secret (@repr WORDSIZE64 13993175198059990303) : int64; + secret (@repr WORDSIZE64 1802798568193066599) : int64 + ] in l) in + let c1_1662 : seq uint8 := + array_to_le_bytes (c1_1661) in + let c1_1663 : fp_t := + nat_mod_from_byte_seq_le (c1_1662) : fp_t in + let c2_1664 : array_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 3240210268673559283) : int64; + secret (@repr WORDSIZE64 2895069921743240898) : int64; + secret (@repr WORDSIZE64 17009126888523054175) : int64; + secret (@repr WORDSIZE64 6098234018649060207) : int64; + secret (@repr WORDSIZE64 9865672654120263608) : int64; + secret (@repr WORDSIZE64 71000049454473266) : int64 + ] in l) in + let c2_1665 : seq uint8 := + array_to_le_bytes (c2_1664) in + let c2_1666 : fp_t := + nat_mod_from_byte_seq_le (c2_1665) : fp_t in + let gamma11_1667 : (fp_t '× fp_t) := + (c1_1663, c2_1666) in + let gamma12_1668 : (fp_t '× fp_t) := + fp2mul (gamma11_1667) (gamma11_1667) in + let gamma13_1669 : (fp_t '× fp_t) := + fp2mul (gamma12_1668) (gamma11_1667) in + let gamma14_1670 : (fp_t '× fp_t) := + fp2mul (gamma13_1669) (gamma11_1667) in + let gamma15_1671 : (fp_t '× fp_t) := + fp2mul (gamma14_1670) (gamma11_1667) in + let t2_1672 : (fp_t '× fp_t) := + fp2mul (t2_1656) (gamma11_1667) in + let t3_1673 : (fp_t '× fp_t) := + fp2mul (t3_1657) (gamma12_1668) in + let t4_1674 : (fp_t '× fp_t) := + fp2mul (t4_1658) (gamma13_1669) in + let t5_1675 : (fp_t '× fp_t) := + fp2mul (t5_1659) (gamma14_1670) in + let t6_1676 : (fp_t '× fp_t) := + fp2mul (t6_1660) (gamma15_1671) in + ((t1_1655, t3_1673, t5_1675), (t2_1672, t4_1674, t6_1676)). + +Definition final_exponentiation (f_1677 : fp12_t) : fp12_t := + let fp6_1678 : (fp6_t '× fp6_t) := + fp12conjugate (f_1677) in + let finv_1679 : (fp6_t '× fp6_t) := + fp12inv (f_1677) in + let fp6_1_1680 : (fp6_t '× fp6_t) := + fp12mul (fp6_1678) (finv_1679) in + let fp8_1681 : (fp6_t '× fp6_t) := + frobenius (frobenius (fp6_1_1680)) in + let f_1682 : (fp6_t '× fp6_t) := + fp12mul (fp8_1681) (fp6_1_1680) in + let u_1683 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let u_half_1684 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 7566188111470821376) : scalar_t in + let t0_1685 : (fp6_t '× fp6_t) := + fp12mul (f_1682) (f_1682) in + let t1_1686 : (fp6_t '× fp6_t) := + fp12exp (t0_1685) (u_1683) in + let t1_1687 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1686) in + let t2_1688 : (fp6_t '× fp6_t) := + fp12exp (t1_1687) (u_half_1684) in + let t2_1689 : (fp6_t '× fp6_t) := + fp12conjugate (t2_1688) in + let t3_1690 : (fp6_t '× fp6_t) := + fp12conjugate (f_1682) in + let t1_1691 : (fp6_t '× fp6_t) := + fp12mul (t3_1690) (t1_1687) in + let t1_1692 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1691) in + let t1_1693 : (fp6_t '× fp6_t) := + fp12mul (t1_1692) (t2_1689) in + let t2_1694 : (fp6_t '× fp6_t) := + fp12exp (t1_1693) (u_1683) in + let t2_1695 : (fp6_t '× fp6_t) := + fp12conjugate (t2_1694) in + let t3_1696 : (fp6_t '× fp6_t) := + fp12exp (t2_1695) (u_1683) in + let t3_1697 : (fp6_t '× fp6_t) := + fp12conjugate (t3_1696) in + let t1_1698 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1693) in + let t3_1699 : (fp6_t '× fp6_t) := + fp12mul (t1_1698) (t3_1697) in + let t1_1700 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1698) in + let t1_1701 : (fp6_t '× fp6_t) := + frobenius (frobenius (frobenius (t1_1700))) in + let t2_1702 : (fp6_t '× fp6_t) := + frobenius (frobenius (t2_1695)) in + let t1_1703 : (fp6_t '× fp6_t) := + fp12mul (t1_1701) (t2_1702) in + let t2_1704 : (fp6_t '× fp6_t) := + fp12exp (t3_1699) (u_1683) in + let t2_1705 : (fp6_t '× fp6_t) := + fp12conjugate (t2_1704) in + let t2_1706 : (fp6_t '× fp6_t) := + fp12mul (t2_1705) (t0_1685) in + let t2_1707 : (fp6_t '× fp6_t) := + fp12mul (t2_1706) (f_1682) in + let t1_1708 : (fp6_t '× fp6_t) := + fp12mul (t1_1703) (t2_1707) in + let t2_1709 : (fp6_t '× fp6_t) := + frobenius (t3_1699) in + let t1_1710 : (fp6_t '× fp6_t) := + fp12mul (t1_1708) (t2_1709) in + t1_1710. + +Definition pairing (p_1711 : g1_t) (q_1712 : g2_t) : fp12_t := + let t_1713 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let r_1714 : (fp2_t '× fp2_t '× bool) := + q_1712 in + let f_1715 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in + let '(r_1714, f_1715) := + foldi (usize 1) (usize 64) (fun i_1716 '(r_1714, f_1715) => + let lrr_1717 : (fp6_t '× fp6_t) := + line_double_p (r_1714) (p_1711) in + let r_1714 := + g2double (r_1714) in + let f_1715 := + fp12mul (fp12mul (f_1715) (f_1715)) (lrr_1717) in + let '(r_1714, f_1715) := + if nat_mod_bit (t_1713) (((usize 64) - (i_1716)) - ( + usize 1)):bool then (let lrq_1718 : (fp6_t '× fp6_t) := + line_add_p (r_1714) (q_1712) (p_1711) in + let r_1714 := + g2add (r_1714) (q_1712) in + let f_1715 := + fp12mul (f_1715) (lrq_1718) in + (r_1714, f_1715)) else ((r_1714, f_1715)) in + (r_1714, f_1715)) + (r_1714, f_1715) in + final_exponentiation (fp12conjugate (f_1715)). + +Definition test_fp2_prop_add_neg (a_1719 : fp2_t) : bool := + let b_1720 : (fp_t '× fp_t) := + fp2neg (a_1719) in + (fp2fromfp (nat_mod_zero )) =.? (fp2add (a_1719) (b_1720)). +(*QuickChick ( + forAll g_fp2_t (fun a_1719 : fp2_t =>test_fp2_prop_add_neg a_1719)).*) + + +Definition test_fp2_prop_mul_inv (a_1721 : fp2_t) : bool := + let b_1722 : (fp_t '× fp_t) := + fp2inv (a_1721) in + (fp2fromfp (nat_mod_one )) =.? (fp2mul (a_1721) (b_1722)). +(*QuickChick ( + forAll g_fp2_t (fun a_1721 : fp2_t =>test_fp2_prop_mul_inv a_1721)).*) + + +Definition test_extraction_issue : bool := + let b_1723 : (fp_t '× fp_t) := + fp2inv ((nat_mod_one , nat_mod_one )) in + (fp2fromfp (nat_mod_one )) =.? (fp2mul ((nat_mod_one , nat_mod_one )) ( + b_1723)). +(*QuickChick (test_extraction_issue).*) + + +Definition test_fp6_prop_mul_inv (a_1724 : fp6_t) : bool := + let b_1725 : (fp2_t '× fp2_t '× fp2_t) := + fp6inv (a_1724) in + (fp6fromfp2 (fp2fromfp (nat_mod_one ))) =.? (fp6mul (a_1724) (b_1725)). +(*QuickChick ( + forAll g_fp6_t (fun a_1724 : fp6_t =>test_fp6_prop_mul_inv a_1724)).*) + + +Definition test_fp6_prop_add_neg (a_1726 : fp6_t) : bool := + let b_1727 : (fp2_t '× fp2_t '× fp2_t) := + fp6neg (a_1726) in + (fp6fromfp2 (fp2fromfp (nat_mod_zero ))) =.? (fp6add (a_1726) (b_1727)). +(*QuickChick ( + forAll g_fp6_t (fun a_1726 : fp6_t =>test_fp6_prop_add_neg a_1726)).*) + + +Definition test_fp12_prop_add_neg (a_1728 : fp12_t) : bool := + let b_1729 : (fp6_t '× fp6_t) := + fp12neg (a_1728) in + (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_zero )))) =.? (fp12add (a_1728) ( + b_1729)). +(*QuickChick ( + forAll g_fp12_t (fun a_1728 : fp12_t =>test_fp12_prop_add_neg a_1728)).*) + + +Definition test_fp12_prop_mul_inv (a_1730 : fp12_t) : bool := + let b_1731 : (fp6_t '× fp6_t) := + fp12inv (a_1730) in + (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one )))) =.? (fp12mul (a_1730) ( + b_1731)). +(*QuickChick ( + forAll g_fp12_t (fun a_1730 : fp12_t =>test_fp12_prop_mul_inv a_1730)).*) + + diff --git a/proof-libs/coq/_vc/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/_vc/Hacspec_Bls12_381_Hash.v new file mode 100644 index 000000000..de305328b --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Bls12_381_Hash.v @@ -0,0 +1,1754 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Bls12_381. + +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition fp_hash_canvas_t := nseq (int8) (64). +Definition fp_hash_t := + nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. + +Definition arr_fp_t := nseq (uint64) (usize 6). + +Definition b_in_bytes_v : uint_size := + usize 32. + +Definition s_in_bytes_v : uint_size := + usize 64. + +Definition l_v : uint_size := + usize 64. + +Definition p_1_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 936899308823769933) : int64; + secret (@repr WORDSIZE64 2706051889235351147) : int64; + secret (@repr WORDSIZE64 12843041017062132063) : int64; + secret (@repr WORDSIZE64 12941209323636816658) : int64; + secret (@repr WORDSIZE64 1105070755758604287) : int64; + secret (@repr WORDSIZE64 15924587544893707605) : int64 + ] in l). + +Definition p_1_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 468449654411884966) : int64; + secret (@repr WORDSIZE64 10576397981472451381) : int64; + secret (@repr WORDSIZE64 15644892545385841839) : int64; + secret (@repr WORDSIZE64 15693976698673184137) : int64; + secret (@repr WORDSIZE64 552535377879302143) : int64; + secret (@repr WORDSIZE64 17185665809301629611) : int64 + ] in l). + +Definition p_3_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 468449654411884966) : int64; + secret (@repr WORDSIZE64 10576397981472451381) : int64; + secret (@repr WORDSIZE64 15644892545385841839) : int64; + secret (@repr WORDSIZE64 15693976698673184137) : int64; + secret (@repr WORDSIZE64 552535377879302143) : int64; + secret (@repr WORDSIZE64 17185665809301629610) : int64 + ] in l). + +Definition expand_message_xmd + (msg_1732 : byte_seq) + (dst_1733 : byte_seq) + (len_in_bytes_1734 : uint_size) + : byte_seq := + let ell_1735 : uint_size := + (((len_in_bytes_1734) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in + let dst_prime_1736 : seq uint8 := + seq_push (dst_1733) (uint8_from_usize (seq_len (dst_1733))) in + let z_pad_1737 : seq uint8 := + seq_new_ (default : uint8) (s_in_bytes_v) in + let l_i_b_str_1738 : seq uint8 := + seq_new_ (default : uint8) (usize 2) in + let l_i_b_str_1738 := + seq_upd l_i_b_str_1738 (usize 0) (uint8_from_usize ((len_in_bytes_1734) / ( + usize 256))) in + let l_i_b_str_1738 := + seq_upd l_i_b_str_1738 (usize 1) (uint8_from_usize (len_in_bytes_1734)) in + let msg_prime_1739 : seq uint8 := + seq_concat (seq_concat (seq_concat (seq_concat (z_pad_1737) (msg_1732)) ( + l_i_b_str_1738)) (seq_new_ (default : uint8) (usize 1))) ( + dst_prime_1736) in + let b_0_1740 : seq uint8 := + seq_from_seq (array_to_seq (hash (msg_prime_1739))) in + let b_i_1741 : seq uint8 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_1740) (secret ( + @repr WORDSIZE8 1) : int8)) (dst_prime_1736)))) in + let uniform_bytes_1742 : seq uint8 := + seq_from_seq (b_i_1741) in + let '(b_i_1741, uniform_bytes_1742) := + foldi (usize 2) ((ell_1735) + (usize 1)) (fun i_1743 '( + b_i_1741, + uniform_bytes_1742 + ) => + let t_1744 : seq uint8 := + seq_from_seq (b_0_1740) in + let b_i_1741 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( + t_1744) seq_xor (b_i_1741)) (uint8_from_usize (i_1743))) ( + dst_prime_1736)))) in + let uniform_bytes_1742 := + seq_concat (uniform_bytes_1742) (b_i_1741) in + (b_i_1741, uniform_bytes_1742)) + (b_i_1741, uniform_bytes_1742) in + seq_truncate (uniform_bytes_1742) (len_in_bytes_1734). + +Definition fp_hash_to_field + (msg_1745 : byte_seq) + (dst_1746 : byte_seq) + (count_1747 : uint_size) + : seq fp_t := + let len_in_bytes_1748 : uint_size := + (count_1747) * (l_v) in + let uniform_bytes_1749 : seq uint8 := + expand_message_xmd (msg_1745) (dst_1746) (len_in_bytes_1748) in + let output_1750 : seq fp_t := + seq_new_ (default : fp_t) (count_1747) in + let output_1750 := + foldi (usize 0) (count_1747) (fun i_1751 output_1750 => + let elm_offset_1752 : uint_size := + (l_v) * (i_1751) in + let tv_1753 : seq uint8 := + seq_slice (uniform_bytes_1749) (elm_offset_1752) (l_v) in + let u_i_1754 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1753) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let output_1750 := + seq_upd output_1750 (i_1751) (u_i_1754) in + (output_1750)) + output_1750 in + output_1750. + +Definition fp_sgn0 (x_1755 : fp_t) : bool := + ((x_1755) rem (nat_mod_two )) =.? (nat_mod_one ). + +Definition fp_is_square (x_1756 : fp_t) : bool := + let c1_1757 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let tv_1758 : fp_t := + nat_mod_pow_self (x_1756) (c1_1757) in + ((tv_1758) =.? (nat_mod_zero )) || ((tv_1758) =.? (nat_mod_one )). + +Definition fp_sqrt (x_1759 : fp_t) : fp_t := + let c1_1760 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_4_v)) : fp_t in + nat_mod_pow_self (x_1759) (c1_1760). + +Definition g1_curve_func (x_1761 : fp_t) : fp_t := + (((x_1761) *% (x_1761)) *% (x_1761)) +% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t). + +Definition g1_map_to_curve_svdw (u_1762 : fp_t) : g1_t := + let z_1763 : fp_t := + (nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t) in + let gz_1764 : fp_t := + g1_curve_func (z_1763) in + let tv1_1765 : fp_t := + ((u_1762) *% (u_1762)) *% (gz_1764) in + let tv2_1766 : fp_t := + (nat_mod_one ) +% (tv1_1765) in + let tv1_1767 : fp_t := + (nat_mod_one ) -% (tv1_1765) in + let tv3_1768 : fp_t := + nat_mod_inv ((tv1_1767) *% (tv2_1766)) in + let tv4_1769 : fp_t := + fp_sqrt (((nat_mod_zero ) -% (gz_1764)) *% (((nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t) *% (z_1763)) *% (z_1763))) in + let '(tv4_1769) := + if fp_sgn0 (tv4_1769):bool then (let tv4_1769 := + (nat_mod_zero ) -% (tv4_1769) in + (tv4_1769)) else ((tv4_1769)) in + let tv5_1770 : fp_t := + (((u_1762) *% (tv1_1767)) *% (tv3_1768)) *% (tv4_1769) in + let tv6_1771 : fp_t := + (((nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t)) *% (gz_1764)) *% (nat_mod_inv ((( + nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t) *% ( + z_1763)) *% (z_1763))) in + let x1_1772 : fp_t := + (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) -% ( + tv5_1770) in + let x2_1773 : fp_t := + (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) +% ( + tv5_1770) in + let x3_1774 : fp_t := + (z_1763) +% (((tv6_1771) *% (((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) *% ( + ((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) in + let x_1775 : fp_t := + (if (fp_is_square (g1_curve_func (x1_1772))):bool then (x1_1772) else ((if ( + fp_is_square (g1_curve_func (x2_1773))):bool then (x2_1773) else ( + x3_1774)))) in + let y_1776 : fp_t := + fp_sqrt (g1_curve_func (x_1775)) in + let '(y_1776) := + if (fp_sgn0 (u_1762)) !=.? (fp_sgn0 (y_1776)):bool then (let y_1776 := + (nat_mod_zero ) -% (y_1776) in + (y_1776)) else ((y_1776)) in + (x_1775, y_1776, false). + +Definition g1_clear_cofactor (x_1777 : g1_t) : g1_t := + let h_eff_1778 : scalar_t := + nat_mod_from_literal (_) ( + @repr WORDSIZE128 15132376222941642753) : scalar_t in + g1mul (h_eff_1778) (x_1777). + +Definition g1_hash_to_curve_svdw + (msg_1779 : byte_seq) + (dst_1780 : byte_seq) + : g1_t := + let u_1781 : seq fp_t := + fp_hash_to_field (msg_1779) (dst_1780) (usize 2) in + let q0_1782 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_svdw (seq_index (u_1781) (usize 0)) in + let q1_1783 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_svdw (seq_index (u_1781) (usize 1)) in + let r_1784 : (fp_t '× fp_t '× bool) := + g1add (q0_1782) (q1_1783) in + let p_1785 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (r_1784) in + p_1785. + +Definition g1_encode_to_curve_svdw + (msg_1786 : byte_seq) + (dst_1787 : byte_seq) + : g1_t := + let u_1788 : seq fp_t := + fp_hash_to_field (msg_1786) (dst_1787) (usize 1) in + let q_1789 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_svdw (seq_index (u_1788) (usize 0)) in + let p_1790 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (q_1789) in + p_1790. + +Definition fp2_hash_to_field + (msg_1791 : byte_seq) + (dst_1792 : byte_seq) + (count_1793 : uint_size) + : seq fp2_t := + let len_in_bytes_1794 : uint_size := + ((count_1793) * (usize 2)) * (l_v) in + let uniform_bytes_1795 : seq uint8 := + expand_message_xmd (msg_1791) (dst_1792) (len_in_bytes_1794) in + let output_1796 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (count_1793) in + let output_1796 := + foldi (usize 0) (count_1793) (fun i_1797 output_1796 => + let elm_offset_1798 : uint_size := + ((l_v) * (i_1797)) * (usize 2) in + let tv_1799 : seq uint8 := + seq_slice (uniform_bytes_1795) (elm_offset_1798) (l_v) in + let e_1_1800 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1799) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let elm_offset_1801 : uint_size := + (l_v) * ((usize 1) + ((i_1797) * (usize 2))) in + let tv_1802 : seq uint8 := + seq_slice (uniform_bytes_1795) (elm_offset_1801) (l_v) in + let e_2_1803 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1802) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let output_1796 := + seq_upd output_1796 (i_1797) ((e_1_1800, e_2_1803)) in + (output_1796)) + output_1796 in + output_1796. + +Definition fp2_sgn0 (x_1804 : fp2_t) : bool := + let '(x0_1805, x1_1806) := + x_1804 in + let sign_0_1807 : bool := + fp_sgn0 (x0_1805) in + let zero_0_1808 : bool := + (x0_1805) =.? (nat_mod_zero ) in + let sign_1_1809 : bool := + fp_sgn0 (x1_1806) in + (sign_0_1807) || ((zero_0_1808) && (sign_1_1809)). + +Definition fp2_is_square (x_1810 : fp2_t) : bool := + let c1_1811 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let '(x1_1812, x2_1813) := + x_1810 in + let tv1_1814 : fp_t := + (x1_1812) *% (x1_1812) in + let tv2_1815 : fp_t := + (x2_1813) *% (x2_1813) in + let tv1_1816 : fp_t := + (tv1_1814) +% (tv2_1815) in + let tv1_1817 : fp_t := + nat_mod_pow_self (tv1_1816) (c1_1811) in + let neg1_1818 : fp_t := + (nat_mod_zero ) -% (nat_mod_one ) in + (tv1_1817) !=.? (neg1_1818). + +Definition fp2exp (n_1819 : fp2_t) (k_1820 : fp_t) : fp2_t := + let c_1821 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let c_1821 := + foldi (usize 0) (usize 381) (fun i_1822 c_1821 => + let c_1821 := + fp2mul (c_1821) (c_1821) in + let '(c_1821) := + if nat_mod_bit (k_1820) ((usize 380) - (i_1822)):bool then ( + let c_1821 := + fp2mul (c_1821) (n_1819) in + (c_1821)) else ((c_1821)) in + (c_1821)) + c_1821 in + c_1821. + +Definition fp2_sqrt (a_1823 : fp2_t) : fp2_t := + let c1_1824 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_3_4_v)) : fp_t in + let c2_1825 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let a1_1826 : (fp_t '× fp_t) := + fp2exp (a_1823) (c1_1824) in + let alpha_1827 : (fp_t '× fp_t) := + fp2mul (a1_1826) (fp2mul (a1_1826) (a_1823)) in + let x0_1828 : (fp_t '× fp_t) := + fp2mul (a1_1826) (a_1823) in + let neg1_1829 : (fp_t '× fp_t) := + ((nat_mod_zero ) -% (nat_mod_one ), nat_mod_zero ) in + let b_1830 : (fp_t '× fp_t) := + fp2exp (fp2add (fp2fromfp (nat_mod_one )) (alpha_1827)) (c2_1825) in + (if ((alpha_1827) =.? (neg1_1829)):bool then (fp2mul (( + nat_mod_zero , + nat_mod_one + )) (x0_1828)) else (fp2mul (b_1830) (x0_1828))). + +Definition g2_curve_func (x_1831 : fp2_t) : fp2_t := + fp2add (fp2mul (x_1831) (fp2mul (x_1831) (x_1831))) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t, + nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t + )). + +Definition g2_map_to_curve_svdw (u_1832 : fp2_t) : g2_t := + let z_1833 : (fp_t '× fp_t) := + fp2neg (fp2fromfp (nat_mod_one )) in + let gz_1834 : (fp_t '× fp_t) := + g2_curve_func (z_1833) in + let tv1_1835 : (fp_t '× fp_t) := + fp2mul (fp2mul (u_1832) (u_1832)) (gz_1834) in + let tv2_1836 : (fp_t '× fp_t) := + fp2add (fp2fromfp (nat_mod_one )) (tv1_1835) in + let tv1_1837 : (fp_t '× fp_t) := + fp2sub (fp2fromfp (nat_mod_one )) (tv1_1835) in + let tv3_1838 : (fp_t '× fp_t) := + fp2inv (fp2mul (tv1_1837) (tv2_1836)) in + let tv4_1839 : (fp_t '× fp_t) := + fp2_sqrt (fp2mul (fp2neg (gz_1834)) (fp2mul (fp2fromfp ( + nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) (fp2mul ( + z_1833) (z_1833)))) in + let '(tv4_1839) := + if fp2_sgn0 (tv4_1839):bool then (let tv4_1839 := + fp2neg (tv4_1839) in + (tv4_1839)) else ((tv4_1839)) in + let tv5_1840 : (fp_t '× fp_t) := + fp2mul (fp2mul (fp2mul (u_1832) (tv1_1837)) (tv3_1838)) (tv4_1839) in + let tv6_1841 : (fp_t '× fp_t) := + fp2mul (fp2mul (fp2neg (fp2fromfp (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t))) (gz_1834)) (fp2inv (fp2mul ( + fp2fromfp (nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) ( + fp2mul (z_1833) (z_1833)))) in + let x1_1842 : (fp_t '× fp_t) := + fp2sub (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( + tv5_1840) in + let x2_1843 : (fp_t '× fp_t) := + fp2add (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( + tv5_1840) in + let tv7_1844 : (fp_t '× fp_t) := + fp2mul (fp2mul (tv2_1836) (tv2_1836)) (tv3_1838) in + let x3_1845 : (fp_t '× fp_t) := + fp2add (z_1833) (fp2mul (tv6_1841) (fp2mul (tv7_1844) (tv7_1844))) in + let x_1846 : (fp_t '× fp_t) := + (if (fp2_is_square (g2_curve_func (x1_1842))):bool then (x1_1842) else (( + if (fp2_is_square (g2_curve_func (x2_1843))):bool then ( + x2_1843) else (x3_1845)))) in + let y_1847 : (fp_t '× fp_t) := + fp2_sqrt (g2_curve_func (x_1846)) in + let '(y_1847) := + if (fp2_sgn0 (u_1832)) !=.? (fp2_sgn0 (y_1847)):bool then (let y_1847 := + fp2neg (y_1847) in + (y_1847)) else ((y_1847)) in + (x_1846, y_1847, false). + +Definition psi (p_1848 : g2_t) : g2_t := + let c1_1849 : (fp_t '× fp_t) := + fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( + nat_mod_one )) *% (nat_mod_inv (nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t)))) in + let c2_1850 : (fp_t '× fp_t) := + fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( + nat_mod_one )) *% (nat_mod_inv (nat_mod_two )))) in + let '(x_1851, y_1852, inf_1853) := + p_1848 in + let qx_1854 : (fp_t '× fp_t) := + fp2mul (c1_1849) (fp2conjugate (x_1851)) in + let qy_1855 : (fp_t '× fp_t) := + fp2mul (c2_1850) (fp2conjugate (y_1852)) in + (qx_1854, qy_1855, inf_1853). + +Definition g2_clear_cofactor (p_1856 : g2_t) : g2_t := + let c1_1857 : scalar_t := + nat_mod_from_literal (_) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let t1_1858 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2mul (c1_1857) (p_1856) in + let t1_1859 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2neg (t1_1858) in + let t2_1860 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + psi (p_1856) in + let t3_1861 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2double (p_1856) in + let t3_1862 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + psi (psi (t3_1861)) in + let t3_1863 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1862) (g2neg (t2_1860)) in + let t2_1864 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t1_1859) (t2_1860) in + let t2_1865 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2mul (c1_1857) (t2_1864) in + let t2_1866 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2neg (t2_1865) in + let t3_1867 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1863) (t2_1866) in + let t3_1868 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1867) (g2neg (t1_1859)) in + let q_1869 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1868) (g2neg (p_1856)) in + q_1869. + +Definition g2_hash_to_curve_svdw + (msg_1870 : byte_seq) + (dst_1871 : byte_seq) + : g2_t := + let u_1872 : seq fp2_t := + fp2_hash_to_field (msg_1870) (dst_1871) (usize 2) in + let q0_1873 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_svdw (seq_index (u_1872) (usize 0)) in + let q1_1874 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_svdw (seq_index (u_1872) (usize 1)) in + let r_1875 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (q0_1873) (q1_1874) in + let p_1876 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (r_1875) in + p_1876. + +Definition g2_encode_to_curve_svdw + (msg_1877 : byte_seq) + (dst_1878 : byte_seq) + : g2_t := + let u_1879 : seq fp2_t := + fp2_hash_to_field (msg_1877) (dst_1878) (usize 1) in + let q_1880 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_svdw (seq_index (u_1879) (usize 0)) in + let p_1881 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (q_1880) in + p_1881. + +Definition g1_iso_a_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 5707120929990979) : int64; + secret (@repr WORDSIZE64 4425131892511951234) : int64; + secret (@repr WORDSIZE64 12748169179688756904) : int64; + secret (@repr WORDSIZE64 15629909748249821612) : int64; + secret (@repr WORDSIZE64 10994253769421683071) : int64; + secret (@repr WORDSIZE64 6698022561392380957) : int64 + ] in l). + +Definition g1_iso_b_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1360808972976160816) : int64; + secret (@repr WORDSIZE64 111203405409480251) : int64; + secret (@repr WORDSIZE64 2312248699302920304) : int64; + secret (@repr WORDSIZE64 11581500465278574325) : int64; + secret (@repr WORDSIZE64 6495071758858381989) : int64; + secret (@repr WORDSIZE64 15117538217124375520) : int64 + ] in l). + +Definition g1_xnum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1270119733718627136) : int64; + secret (@repr WORDSIZE64 13261148298159854981) : int64; + secret (@repr WORDSIZE64 7723742117508874335) : int64; + secret (@repr WORDSIZE64 17465657917644792520) : int64; + secret (@repr WORDSIZE64 6201670911048166766) : int64; + secret (@repr WORDSIZE64 12586459670690286007) : int64 + ] in l). + +Definition g1_xnum_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1668951808976071471) : int64; + secret (@repr WORDSIZE64 398773841247578140) : int64; + secret (@repr WORDSIZE64 8941869963990959127) : int64; + secret (@repr WORDSIZE64 17682789360670468203) : int64; + secret (@repr WORDSIZE64 5204176168283587414) : int64; + secret (@repr WORDSIZE64 16732261237459223483) : int64 + ] in l). + +Definition g1_xnum_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 960393023080265964) : int64; + secret (@repr WORDSIZE64 2094253841180170779) : int64; + secret (@repr WORDSIZE64 14844748873776858085) : int64; + secret (@repr WORDSIZE64 7528018573573808732) : int64; + secret (@repr WORDSIZE64 10776056440809943711) : int64; + secret (@repr WORDSIZE64 16147550488514976944) : int64 + ] in l). + +Definition g1_xnum_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1691355743628586423) : int64; + secret (@repr WORDSIZE64 5622191986793862162) : int64; + secret (@repr WORDSIZE64 15561595211679121189) : int64; + secret (@repr WORDSIZE64 17416319752018800771) : int64; + secret (@repr WORDSIZE64 5996228842464768403) : int64; + secret (@repr WORDSIZE64 14245880009877842017) : int64 + ] in l). + +Definition g1_xnum_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1051997788391994435) : int64; + secret (@repr WORDSIZE64 7368650625050054228) : int64; + secret (@repr WORDSIZE64 11086623519836470079) : int64; + secret (@repr WORDSIZE64 607681821319080984) : int64; + secret (@repr WORDSIZE64 10978131499682789316) : int64; + secret (@repr WORDSIZE64 5842660658088809945) : int64 + ] in l). + +Definition g1_xnum_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1598992431623377919) : int64; + secret (@repr WORDSIZE64 130921168661596853) : int64; + secret (@repr WORDSIZE64 15797696746983946651) : int64; + secret (@repr WORDSIZE64 11444679715590672272) : int64; + secret (@repr WORDSIZE64 11567228658253249817) : int64; + secret (@repr WORDSIZE64 14777367860349315459) : int64 + ] in l). + +Definition g1_xnum_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 967946631563726121) : int64; + secret (@repr WORDSIZE64 7653628713030275775) : int64; + secret (@repr WORDSIZE64 12760252618317466849) : int64; + secret (@repr WORDSIZE64 10378793938173061930) : int64; + secret (@repr WORDSIZE64 10205808941053849290) : int64; + secret (@repr WORDSIZE64 15985511645807504772) : int64 + ] in l). + +Definition g1_xnum_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1709149555065084898) : int64; + secret (@repr WORDSIZE64 16750075057192140371) : int64; + secret (@repr WORDSIZE64 3849985779734105521) : int64; + secret (@repr WORDSIZE64 11998370262181639475) : int64; + secret (@repr WORDSIZE64 4159013751748851119) : int64; + secret (@repr WORDSIZE64 11298218755092433038) : int64 + ] in l). + +Definition g1_xnum_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 580186936973955012) : int64; + secret (@repr WORDSIZE64 8903813505199544589) : int64; + secret (@repr WORDSIZE64 14140024565662700916) : int64; + secret (@repr WORDSIZE64 11728946595272970718) : int64; + secret (@repr WORDSIZE64 5738313744366653077) : int64; + secret (@repr WORDSIZE64 7886252005760951063) : int64 + ] in l). + +Definition g1_xnum_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1628930385436977092) : int64; + secret (@repr WORDSIZE64 3318087848058654498) : int64; + secret (@repr WORDSIZE64 15937899882900905113) : int64; + secret (@repr WORDSIZE64 7449821001803307903) : int64; + secret (@repr WORDSIZE64 11752436998487615353) : int64; + secret (@repr WORDSIZE64 9161465579737517214) : int64 + ] in l). + +Definition g1_xnum_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1167027828517898210) : int64; + secret (@repr WORDSIZE64 8275623842221021965) : int64; + secret (@repr WORDSIZE64 18049808134997311382) : int64; + secret (@repr WORDSIZE64 15351349873550116966) : int64; + secret (@repr WORDSIZE64 17769927732099571180) : int64; + secret (@repr WORDSIZE64 14584871380308065147) : int64 + ] in l). + +Definition g1_xnum_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 495550047642324592) : int64; + secret (@repr WORDSIZE64 13627494601717575229) : int64; + secret (@repr WORDSIZE64 3591512392926246844) : int64; + secret (@repr WORDSIZE64 2576269112800734056) : int64; + secret (@repr WORDSIZE64 14000314106239596831) : int64; + secret (@repr WORDSIZE64 12234233096825917993) : int64 + ] in l). + +Definition g1_xden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 633474091881273774) : int64; + secret (@repr WORDSIZE64 1779737893574802031) : int64; + secret (@repr WORDSIZE64 132274872219551930) : int64; + secret (@repr WORDSIZE64 11283074393783708770) : int64; + secret (@repr WORDSIZE64 13067430171545714168) : int64; + secret (@repr WORDSIZE64 11041975239630265116) : int64 + ] in l). + +Definition g1_xden_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1321272531362356291) : int64; + secret (@repr WORDSIZE64 5238936591227237942) : int64; + secret (@repr WORDSIZE64 8089002360232247308) : int64; + secret (@repr WORDSIZE64 82967328719421271) : int64; + secret (@repr WORDSIZE64 1430641118356186857) : int64; + secret (@repr WORDSIZE64 16557527386785790975) : int64 + ] in l). + +Definition g1_xden_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 804282852993868382) : int64; + secret (@repr WORDSIZE64 9311163821600184607) : int64; + secret (@repr WORDSIZE64 8037026956533927121) : int64; + secret (@repr WORDSIZE64 18205324308570099372) : int64; + secret (@repr WORDSIZE64 15466434890074226396) : int64; + secret (@repr WORDSIZE64 18213183315621985817) : int64 + ] in l). + +Definition g1_xden_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 234844145893171966) : int64; + secret (@repr WORDSIZE64 14428037799351479124) : int64; + secret (@repr WORDSIZE64 6559532710647391569) : int64; + secret (@repr WORDSIZE64 6110444250091843536) : int64; + secret (@repr WORDSIZE64 5293652763671852484) : int64; + secret (@repr WORDSIZE64 1373009181854280920) : int64 + ] in l). + +Definition g1_xden_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1416629893867312296) : int64; + secret (@repr WORDSIZE64 751851957792514173) : int64; + secret (@repr WORDSIZE64 18437674587247370939) : int64; + secret (@repr WORDSIZE64 10190314345946351322) : int64; + secret (@repr WORDSIZE64 11228207967368476701) : int64; + secret (@repr WORDSIZE64 6025034940388909598) : int64 + ] in l). + +Definition g1_xden_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1041270466333271993) : int64; + secret (@repr WORDSIZE64 6140956605115975401) : int64; + secret (@repr WORDSIZE64 4131830461445745997) : int64; + secret (@repr WORDSIZE64 739642499118176303) : int64; + secret (@repr WORDSIZE64 8358912131254619921) : int64; + secret (@repr WORDSIZE64 13847998906088228005) : int64 + ] in l). + +Definition g1_xden_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 536714149743900185) : int64; + secret (@repr WORDSIZE64 1098328982230230817) : int64; + secret (@repr WORDSIZE64 6273329123533496713) : int64; + secret (@repr WORDSIZE64 5633448088282521244) : int64; + secret (@repr WORDSIZE64 16894043798660571244) : int64; + secret (@repr WORDSIZE64 17016134625831438906) : int64 + ] in l). + +Definition g1_xden_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1488347500898461874) : int64; + secret (@repr WORDSIZE64 3509418672874520985) : int64; + secret (@repr WORDSIZE64 7962192351555381416) : int64; + secret (@repr WORDSIZE64 1843909372225399896) : int64; + secret (@repr WORDSIZE64 1127511003250156243) : int64; + secret (@repr WORDSIZE64 1294742680819751518) : int64 + ] in l). + +Definition g1_xden_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 725340084226051970) : int64; + secret (@repr WORDSIZE64 6814521545734988748) : int64; + secret (@repr WORDSIZE64 16176803544133875307) : int64; + secret (@repr WORDSIZE64 8363199516777220149) : int64; + secret (@repr WORDSIZE64 252877309218538352) : int64; + secret (@repr WORDSIZE64 5149562959837648449) : int64 + ] in l). + +Definition g1_xden_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 675470927100193492) : int64; + secret (@repr WORDSIZE64 5146891164735334016) : int64; + secret (@repr WORDSIZE64 17762958817130696759) : int64; + secret (@repr WORDSIZE64 8565656522589412373) : int64; + secret (@repr WORDSIZE64 10599026333335446784) : int64; + secret (@repr WORDSIZE64 3270603789344496906) : int64 + ] in l). + +Definition g1_ynum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 652344406751465184) : int64; + secret (@repr WORDSIZE64 2710356675495255290) : int64; + secret (@repr WORDSIZE64 1273695771440998738) : int64; + secret (@repr WORDSIZE64 3121750372618945491) : int64; + secret (@repr WORDSIZE64 14775319642720936898) : int64; + secret (@repr WORDSIZE64 13733803417833814835) : int64 + ] in l). + +Definition g1_ynum_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1389807578337138705) : int64; + secret (@repr WORDSIZE64 15352831428748068483) : int64; + secret (@repr WORDSIZE64 1307144967559264317) : int64; + secret (@repr WORDSIZE64 1121505450578652468) : int64; + secret (@repr WORDSIZE64 15475889019760388287) : int64; + secret (@repr WORDSIZE64 16183658160488302230) : int64 + ] in l). + +Definition g1_ynum_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 57553299067792998) : int64; + secret (@repr WORDSIZE64 17628079362768849300) : int64; + secret (@repr WORDSIZE64 2689461337731570914) : int64; + secret (@repr WORDSIZE64 14070580367580990887) : int64; + secret (@repr WORDSIZE64 15162865775551710499) : int64; + secret (@repr WORDSIZE64 13321614990632673782) : int64 + ] in l). + +Definition g1_ynum_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 141972750621744161) : int64; + secret (@repr WORDSIZE64 8689824239172478807) : int64; + secret (@repr WORDSIZE64 15288216298323671324) : int64; + secret (@repr WORDSIZE64 712874875091754233) : int64; + secret (@repr WORDSIZE64 16014900032503684588) : int64; + secret (@repr WORDSIZE64 11976580453200426187) : int64 + ] in l). + +Definition g1_ynum_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 633886036738506515) : int64; + secret (@repr WORDSIZE64 6678644607214234052) : int64; + secret (@repr WORDSIZE64 1825425679455244472) : int64; + secret (@repr WORDSIZE64 8755912272271186652) : int64; + secret (@repr WORDSIZE64 3379943669301788840) : int64; + secret (@repr WORDSIZE64 4735212769449148123) : int64 + ] in l). + +Definition g1_ynum_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1612358804494830442) : int64; + secret (@repr WORDSIZE64 2454990789666711200) : int64; + secret (@repr WORDSIZE64 8405916841409361853) : int64; + secret (@repr WORDSIZE64 8525415512662168654) : int64; + secret (@repr WORDSIZE64 2323684950984523890) : int64; + secret (@repr WORDSIZE64 11074978966450447856) : int64 + ] in l). + +Definition g1_ynum_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 336375361001233340) : int64; + secret (@repr WORDSIZE64 12882959944969186108) : int64; + secret (@repr WORDSIZE64 16671121624101127371) : int64; + secret (@repr WORDSIZE64 5922586712221110071) : int64; + secret (@repr WORDSIZE64 5163511947597922654) : int64; + secret (@repr WORDSIZE64 14511152726087948018) : int64 + ] in l). + +Definition g1_ynum_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 686738286210365551) : int64; + secret (@repr WORDSIZE64 16039894141796533876) : int64; + secret (@repr WORDSIZE64 1660145734357211167) : int64; + secret (@repr WORDSIZE64 18231571463891878950) : int64; + secret (@repr WORDSIZE64 4825120264949852469) : int64; + secret (@repr WORDSIZE64 11627815551290637097) : int64 + ] in l). + +Definition g1_ynum_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 719520515476580427) : int64; + secret (@repr WORDSIZE64 16756942182913253819) : int64; + secret (@repr WORDSIZE64 10320769399998235244) : int64; + secret (@repr WORDSIZE64 2200974244968450750) : int64; + secret (@repr WORDSIZE64 7626373186594408355) : int64; + secret (@repr WORDSIZE64 6933025920263103879) : int64 + ] in l). + +Definition g1_ynum_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1016611174344998325) : int64; + secret (@repr WORDSIZE64 2466492548686891555) : int64; + secret (@repr WORDSIZE64 14135124294293452542) : int64; + secret (@repr WORDSIZE64 475233659467912251) : int64; + secret (@repr WORDSIZE64 11186783513499056751) : int64; + secret (@repr WORDSIZE64 3147922594245844016) : int64 + ] in l). + +Definition g1_ynum_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1833315000454533566) : int64; + secret (@repr WORDSIZE64 1007974600900082579) : int64; + secret (@repr WORDSIZE64 14785260176242854207) : int64; + secret (@repr WORDSIZE64 15066861003931772432) : int64; + secret (@repr WORDSIZE64 3584647998681889532) : int64; + secret (@repr WORDSIZE64 16722834201330696498) : int64 + ] in l). + +Definition g1_ynum_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1780164921828767454) : int64; + secret (@repr WORDSIZE64 13337622794239929804) : int64; + secret (@repr WORDSIZE64 5923739534552515142) : int64; + secret (@repr WORDSIZE64 3345046972101780530) : int64; + secret (@repr WORDSIZE64 5321510883028162054) : int64; + secret (@repr WORDSIZE64 14846055306840460686) : int64 + ] in l). + +Definition g1_ynum_k_12_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 799438051374502809) : int64; + secret (@repr WORDSIZE64 15083972834952036164) : int64; + secret (@repr WORDSIZE64 8838227588559581326) : int64; + secret (@repr WORDSIZE64 13846054168121598783) : int64; + secret (@repr WORDSIZE64 488730451382505970) : int64; + secret (@repr WORDSIZE64 958146249756188408) : int64 + ] in l). + +Definition g1_ynum_k_13_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 163716820423854747) : int64; + secret (@repr WORDSIZE64 8285498163857659356) : int64; + secret (@repr WORDSIZE64 8465424830341846400) : int64; + secret (@repr WORDSIZE64 1433942577299613084) : int64; + secret (@repr WORDSIZE64 14325828012864645732) : int64; + secret (@repr WORDSIZE64 4817114329354076467) : int64 + ] in l). + +Definition g1_ynum_k_14_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 414658151749832465) : int64; + secret (@repr WORDSIZE64 189531577938912252) : int64; + secret (@repr WORDSIZE64 6802473390048830824) : int64; + secret (@repr WORDSIZE64 15684647020317539556) : int64; + secret (@repr WORDSIZE64 7755485098777620407) : int64; + secret (@repr WORDSIZE64 9685868895687483979) : int64 + ] in l). + +Definition g1_ynum_k_15_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1578157964224562126) : int64; + secret (@repr WORDSIZE64 5666948055268535989) : int64; + secret (@repr WORDSIZE64 14634479491382401593) : int64; + secret (@repr WORDSIZE64 6317940024988860850) : int64; + secret (@repr WORDSIZE64 13142913832013798519) : int64; + secret (@repr WORDSIZE64 338991247778166276) : int64 + ] in l). + +Definition g1_yden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1590100849350973618) : int64; + secret (@repr WORDSIZE64 5915497081334721257) : int64; + secret (@repr WORDSIZE64 6924968209373727718) : int64; + secret (@repr WORDSIZE64 17204633670617869946) : int64; + secret (@repr WORDSIZE64 572916540828819565) : int64; + secret (@repr WORDSIZE64 92203205520679873) : int64 + ] in l). + +Definition g1_yden_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1829261189398470686) : int64; + secret (@repr WORDSIZE64 1877083417397643448) : int64; + secret (@repr WORDSIZE64 9640042925497046428) : int64; + secret (@repr WORDSIZE64 11862766565471805471) : int64; + secret (@repr WORDSIZE64 8693114993904885301) : int64; + secret (@repr WORDSIZE64 3672140328108400701) : int64 + ] in l). + +Definition g1_yden_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 400243331105348135) : int64; + secret (@repr WORDSIZE64 8046435537999802711) : int64; + secret (@repr WORDSIZE64 8702226981475745585) : int64; + secret (@repr WORDSIZE64 879791671491744492) : int64; + secret (@repr WORDSIZE64 11994630442058346377) : int64; + secret (@repr WORDSIZE64 2172204746352322546) : int64 + ] in l). + +Definition g1_yden_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1637008473169220501) : int64; + secret (@repr WORDSIZE64 17441636237435581649) : int64; + secret (@repr WORDSIZE64 15066165676546511630) : int64; + secret (@repr WORDSIZE64 1314387578457599809) : int64; + secret (@repr WORDSIZE64 8247046336453711789) : int64; + secret (@repr WORDSIZE64 12164906044230685718) : int64 + ] in l). + +Definition g1_yden_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 855930740911588324) : int64; + secret (@repr WORDSIZE64 12685735333705453020) : int64; + secret (@repr WORDSIZE64 14326404096614579120) : int64; + secret (@repr WORDSIZE64 6066025509460822294) : int64; + secret (@repr WORDSIZE64 11676450493790612973) : int64; + secret (@repr WORDSIZE64 15724621714793234461) : int64 + ] in l). + +Definition g1_yden_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 637792788410719021) : int64; + secret (@repr WORDSIZE64 11507373155986977154) : int64; + secret (@repr WORDSIZE64 13186912195705886849) : int64; + secret (@repr WORDSIZE64 14262012144631372388) : int64; + secret (@repr WORDSIZE64 5328758613570342114) : int64; + secret (@repr WORDSIZE64 199925847119476652) : int64 + ] in l). + +Definition g1_yden_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1612297190139091759) : int64; + secret (@repr WORDSIZE64 14103733843373163083) : int64; + secret (@repr WORDSIZE64 6840121186619029743) : int64; + secret (@repr WORDSIZE64 6760859324815900753) : int64; + secret (@repr WORDSIZE64 15418807805142572985) : int64; + secret (@repr WORDSIZE64 4402853133867972444) : int64 + ] in l). + +Definition g1_yden_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1631410310868805610) : int64; + secret (@repr WORDSIZE64 269334146695233390) : int64; + secret (@repr WORDSIZE64 16547411811928854487) : int64; + secret (@repr WORDSIZE64 18353100669930795314) : int64; + secret (@repr WORDSIZE64 13339932232668798692) : int64; + secret (@repr WORDSIZE64 6984591927261867737) : int64 + ] in l). + +Definition g1_yden_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1758313625630302499) : int64; + secret (@repr WORDSIZE64 1881349400343039172) : int64; + secret (@repr WORDSIZE64 18013005311323887904) : int64; + secret (@repr WORDSIZE64 12377427846571989832) : int64; + secret (@repr WORDSIZE64 5967237584920922243) : int64; + secret (@repr WORDSIZE64 7720081932193848650) : int64 + ] in l). + +Definition g1_yden_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1619701357752249884) : int64; + secret (@repr WORDSIZE64 16898074901591262352) : int64; + secret (@repr WORDSIZE64 3609344159736760251) : int64; + secret (@repr WORDSIZE64 5983130161189999867) : int64; + secret (@repr WORDSIZE64 14355327869992416094) : int64; + secret (@repr WORDSIZE64 3778226018344582997) : int64 + ] in l). + +Definition g1_yden_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 347606589330687421) : int64; + secret (@repr WORDSIZE64 5255719044972187933) : int64; + secret (@repr WORDSIZE64 11271894388753671721) : int64; + secret (@repr WORDSIZE64 1033887512062764488) : int64; + secret (@repr WORDSIZE64 8189165486932690436) : int64; + secret (@repr WORDSIZE64 70004379462101672) : int64 + ] in l). + +Definition g1_yden_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 778202887894139711) : int64; + secret (@repr WORDSIZE64 17691595219776375879) : int64; + secret (@repr WORDSIZE64 9193253711563866834) : int64; + secret (@repr WORDSIZE64 10092455202333888821) : int64; + secret (@repr WORDSIZE64 1655469341950262250) : int64; + secret (@repr WORDSIZE64 10845992994110574738) : int64 + ] in l). + +Definition g1_yden_k_12_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 781015344221683683) : int64; + secret (@repr WORDSIZE64 14078588081290548374) : int64; + secret (@repr WORDSIZE64 6067271023149908518) : int64; + secret (@repr WORDSIZE64 9033357708497886086) : int64; + secret (@repr WORDSIZE64 10592474449179118273) : int64; + secret (@repr WORDSIZE64 2204988348113831372) : int64 + ] in l). + +Definition g1_yden_k_13_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 172830037692534587) : int64; + secret (@repr WORDSIZE64 7101012286790006514) : int64; + secret (@repr WORDSIZE64 13787308004332873665) : int64; + secret (@repr WORDSIZE64 14660498759553796110) : int64; + secret (@repr WORDSIZE64 4757234684169342080) : int64; + secret (@repr WORDSIZE64 15130647872920159991) : int64 + ] in l). + +Definition g1_yden_k_14_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1013206390650290238) : int64; + secret (@repr WORDSIZE64 7720336747103001025) : int64; + secret (@repr WORDSIZE64 8197694151986493523) : int64; + secret (@repr WORDSIZE64 3625112747029342752) : int64; + secret (@repr WORDSIZE64 6675167463148394368) : int64; + secret (@repr WORDSIZE64 4905905684016745359) : int64 + ] in l). + +Definition g1_simple_swu_iso (u_1882 : fp_t) : (fp_t '× fp_t) := + let z_1883 : fp_t := + nat_mod_from_literal (_) (@repr WORDSIZE128 11) : fp_t in + let a_1884 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_a_v)) : fp_t in + let b_1885 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_b_v)) : fp_t in + let tv1_1886 : fp_t := + nat_mod_inv ((((z_1883) *% (z_1883)) *% (nat_mod_exp (u_1882) ( + @repr WORDSIZE32 4))) +% (((z_1883) *% (u_1882)) *% (u_1882))) in + let x1_1887 : fp_t := + (((nat_mod_zero ) -% (b_1885)) *% (nat_mod_inv (a_1884))) *% (( + nat_mod_one ) +% (tv1_1886)) in + let '(x1_1887) := + if (tv1_1886) =.? (nat_mod_zero ):bool then (let x1_1887 := + (b_1885) *% (nat_mod_inv ((z_1883) *% (a_1884))) in + (x1_1887)) else ((x1_1887)) in + let gx1_1888 : fp_t := + ((nat_mod_exp (x1_1887) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( + x1_1887))) +% (b_1885) in + let x2_1889 : fp_t := + (((z_1883) *% (u_1882)) *% (u_1882)) *% (x1_1887) in + let gx2_1890 : fp_t := + ((nat_mod_exp (x2_1889) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( + x2_1889))) +% (b_1885) in + let '(x_1891, y_1892) := + (if (fp_is_square (gx1_1888)):bool then ((x1_1887, fp_sqrt (gx1_1888) + )) else ((x2_1889, fp_sqrt (gx2_1890)))) in + let '(y_1892) := + if (fp_sgn0 (u_1882)) !=.? (fp_sgn0 (y_1892)):bool then (let y_1892 := + (nat_mod_zero ) -% (y_1892) in + (y_1892)) else ((y_1892)) in + (x_1891, y_1892). + +Definition g1_isogeny_map (x_1893 : fp_t) (y_1894 : fp_t) : g1_t := + let xnum_k_1895 : seq fp_t := + seq_new_ (default : fp_t) (usize 12) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_0_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_1_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_2_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_3_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_4_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_5_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_6_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_7_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_8_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_9_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_xnum_k_10_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_xnum_k_11_v)) : fp_t) in + let xden_k_1896 : seq fp_t := + seq_new_ (default : fp_t) (usize 10) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_0_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_1_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_2_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_3_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_4_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_5_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_6_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_7_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_8_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_9_v)) : fp_t) in + let ynum_k_1897 : seq fp_t := + seq_new_ (default : fp_t) (usize 16) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_0_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_1_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_2_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_3_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_4_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_5_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_6_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_7_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_8_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_9_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_10_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_11_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 12) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_12_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 13) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_13_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 14) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_14_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 15) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_15_v)) : fp_t) in + let yden_k_1898 : seq fp_t := + seq_new_ (default : fp_t) (usize 15) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_0_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_1_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_2_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_3_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_4_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_5_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_6_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_7_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_8_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_9_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_10_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_11_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 12) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_12_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 13) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_13_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 14) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_14_v)) : fp_t) in + let xnum_1899 : fp_t := + nat_mod_zero in + let xx_1900 : fp_t := + nat_mod_one in + let '(xnum_1899, xx_1900) := + foldi (usize 0) (seq_len (xnum_k_1895)) (fun i_1901 '(xnum_1899, xx_1900) => + let xnum_1899 := + (xnum_1899) +% ((xx_1900) *% (seq_index (xnum_k_1895) (i_1901))) in + let xx_1900 := + (xx_1900) *% (x_1893) in + (xnum_1899, xx_1900)) + (xnum_1899, xx_1900) in + let xden_1902 : fp_t := + nat_mod_zero in + let xx_1903 : fp_t := + nat_mod_one in + let '(xden_1902, xx_1903) := + foldi (usize 0) (seq_len (xden_k_1896)) (fun i_1904 '(xden_1902, xx_1903) => + let xden_1902 := + (xden_1902) +% ((xx_1903) *% (seq_index (xden_k_1896) (i_1904))) in + let xx_1903 := + (xx_1903) *% (x_1893) in + (xden_1902, xx_1903)) + (xden_1902, xx_1903) in + let xden_1902 := + (xden_1902) +% (xx_1903) in + let ynum_1905 : fp_t := + nat_mod_zero in + let xx_1906 : fp_t := + nat_mod_one in + let '(ynum_1905, xx_1906) := + foldi (usize 0) (seq_len (ynum_k_1897)) (fun i_1907 '(ynum_1905, xx_1906) => + let ynum_1905 := + (ynum_1905) +% ((xx_1906) *% (seq_index (ynum_k_1897) (i_1907))) in + let xx_1906 := + (xx_1906) *% (x_1893) in + (ynum_1905, xx_1906)) + (ynum_1905, xx_1906) in + let yden_1908 : fp_t := + nat_mod_zero in + let xx_1909 : fp_t := + nat_mod_one in + let '(yden_1908, xx_1909) := + foldi (usize 0) (seq_len (yden_k_1898)) (fun i_1910 '(yden_1908, xx_1909) => + let yden_1908 := + (yden_1908) +% ((xx_1909) *% (seq_index (yden_k_1898) (i_1910))) in + let xx_1909 := + (xx_1909) *% (x_1893) in + (yden_1908, xx_1909)) + (yden_1908, xx_1909) in + let yden_1908 := + (yden_1908) +% (xx_1909) in + let xr_1911 : fp_t := + (xnum_1899) *% (nat_mod_inv (xden_1902)) in + let yr_1912 : fp_t := + ((y_1894) *% (ynum_1905)) *% (nat_mod_inv (yden_1908)) in + let inf_1913 : bool := + false in + let '(inf_1913) := + if ((xden_1902) =.? (nat_mod_zero )) || ((yden_1908) =.? ( + nat_mod_zero )):bool then (let inf_1913 := + true in + (inf_1913)) else ((inf_1913)) in + (xr_1911, yr_1912, inf_1913). + +Definition g1_map_to_curve_sswu (u_1914 : fp_t) : g1_t := + let '(xp_1915, yp_1916) := + g1_simple_swu_iso (u_1914) in + let p_1917 : (fp_t '× fp_t '× bool) := + g1_isogeny_map (xp_1915) (yp_1916) in + p_1917. + +Definition g1_hash_to_curve_sswu + (msg_1918 : byte_seq) + (dst_1919 : byte_seq) + : g1_t := + let u_1920 : seq fp_t := + fp_hash_to_field (msg_1918) (dst_1919) (usize 2) in + let q0_1921 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_sswu (seq_index (u_1920) (usize 0)) in + let q1_1922 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_sswu (seq_index (u_1920) (usize 1)) in + let r_1923 : (fp_t '× fp_t '× bool) := + g1add (q0_1921) (q1_1922) in + let p_1924 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (r_1923) in + p_1924. + +Definition g1_encode_to_curve_sswu + (msg_1925 : byte_seq) + (dst_1926 : byte_seq) + : g1_t := + let u_1927 : seq fp_t := + fp_hash_to_field (msg_1925) (dst_1926) (usize 1) in + let q_1928 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_sswu (seq_index (u_1927) (usize 0)) in + let p_1929 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (q_1928) in + p_1929. + +Definition g2_xnum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 416399692810564414) : int64; + secret (@repr WORDSIZE64 13500519111022079365) : int64; + secret (@repr WORDSIZE64 3658379999393219626) : int64; + secret (@repr WORDSIZE64 9850925049107374429) : int64; + secret (@repr WORDSIZE64 6640057249351452444) : int64; + secret (@repr WORDSIZE64 7077594464397203414) : int64 + ] in l). + +Definition g2_xnum_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058522) : int64 + ] in l). + +Definition g2_xnum_k_2_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058526) : int64 + ] in l). + +Definition g2_xnum_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 624599539215846622) : int64; + secret (@repr WORDSIZE64 1804034592823567431) : int64; + secret (@repr WORDSIZE64 14710942035944605247) : int64; + secret (@repr WORDSIZE64 14776387573661061644) : int64; + secret (@repr WORDSIZE64 736713837172402858) : int64; + secret (@repr WORDSIZE64 10616391696595805069) : int64 + ] in l). + +Definition g2_xnum_k_3_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1665598771242257658) : int64; + secret (@repr WORDSIZE64 17108588296669214228) : int64; + secret (@repr WORDSIZE64 14633519997572878506) : int64; + secret (@repr WORDSIZE64 2510212049010394485) : int64; + secret (@repr WORDSIZE64 8113484923696258161) : int64; + secret (@repr WORDSIZE64 9863633783879261905) : int64 + ] in l). + +Definition g2_xden_k_0_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863523) : int64 + ] in l). + +Definition g2_xden_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863583) : int64 + ] in l). + +Definition g2_ynum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1526798873638736187) : int64; + secret (@repr WORDSIZE64 6459500568425337235) : int64; + secret (@repr WORDSIZE64 1116230615302104219) : int64; + secret (@repr WORDSIZE64 17673314439684154624) : int64; + secret (@repr WORDSIZE64 18197961889718808424) : int64; + secret (@repr WORDSIZE64 1355520937843676934) : int64 + ] in l). + +Definition g2_ynum_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 416399692810564414) : int64; + secret (@repr WORDSIZE64 13500519111022079365) : int64; + secret (@repr WORDSIZE64 3658379999393219626) : int64; + secret (@repr WORDSIZE64 9850925049107374429) : int64; + secret (@repr WORDSIZE64 6640057249351452444) : int64; + secret (@repr WORDSIZE64 7077594464397203390) : int64 + ] in l). + +Definition g2_ynum_k_2_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058524) : int64 + ] in l). + +Definition g2_ynum_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 624599539215846622) : int64; + secret (@repr WORDSIZE64 1804034592823567431) : int64; + secret (@repr WORDSIZE64 14710942035944605247) : int64; + secret (@repr WORDSIZE64 14776387573661061644) : int64; + secret (@repr WORDSIZE64 736713837172402858) : int64; + secret (@repr WORDSIZE64 10616391696595805071) : int64 + ] in l). + +Definition g2_ynum_k_3_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1318599027233453979) : int64; + secret (@repr WORDSIZE64 18155985086623849168) : int64; + secret (@repr WORDSIZE64 8510412652460270214) : int64; + secret (@repr WORDSIZE64 12747851915130467410) : int64; + secret (@repr WORDSIZE64 5654561228188306393) : int64; + secret (@repr WORDSIZE64 16263467779354626832) : int64 + ] in l). + +Definition g2_yden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863163) : int64 + ] in l). + +Definition g2_yden_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863379) : int64 + ] in l). + +Definition g2_yden_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863577) : int64 + ] in l). + +Definition g2_simple_swu_iso (u_1930 : fp2_t) : (fp2_t '× fp2_t) := + let z_1931 : (fp_t '× fp_t) := + fp2neg ((nat_mod_two , nat_mod_one )) in + let a_1932 : (fp_t '× fp_t) := + (nat_mod_zero , nat_mod_from_literal (_) (@repr WORDSIZE128 240) : fp_t) in + let b_1933 : (fp_t '× fp_t) := + ( + nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t, + nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t + ) in + let tv1_1934 : (fp_t '× fp_t) := + fp2inv (fp2add (fp2mul (fp2mul (z_1931) (z_1931)) (fp2mul (fp2mul (u_1930) ( + u_1930)) (fp2mul (u_1930) (u_1930)))) (fp2mul (z_1931) (fp2mul ( + u_1930) (u_1930)))) in + let x1_1935 : (fp_t '× fp_t) := + fp2mul (fp2mul (fp2neg (b_1933)) (fp2inv (a_1932))) (fp2add (fp2fromfp ( + nat_mod_one )) (tv1_1934)) in + let '(x1_1935) := + if (tv1_1934) =.? (fp2zero ):bool then (let x1_1935 := + fp2mul (b_1933) (fp2inv (fp2mul (z_1931) (a_1932))) in + (x1_1935)) else ((x1_1935)) in + let gx1_1936 : (fp_t '× fp_t) := + fp2add (fp2add (fp2mul (fp2mul (x1_1935) (x1_1935)) (x1_1935)) (fp2mul ( + a_1932) (x1_1935))) (b_1933) in + let x2_1937 : (fp_t '× fp_t) := + fp2mul (fp2mul (z_1931) (fp2mul (u_1930) (u_1930))) (x1_1935) in + let gx2_1938 : (fp_t '× fp_t) := + fp2add (fp2add (fp2mul (fp2mul (x2_1937) (x2_1937)) (x2_1937)) (fp2mul ( + a_1932) (x2_1937))) (b_1933) in + let '(x_1939, y_1940) := + (if (fp2_is_square (gx1_1936)):bool then ((x1_1935, fp2_sqrt (gx1_1936) + )) else ((x2_1937, fp2_sqrt (gx2_1938)))) in + let '(y_1940) := + if (fp2_sgn0 (u_1930)) !=.? (fp2_sgn0 (y_1940)):bool then (let y_1940 := + fp2neg (y_1940) in + (y_1940)) else ((y_1940)) in + (x_1939, y_1940). + +Definition g2_isogeny_map (x_1941 : fp2_t) (y_1942 : fp2_t) : g2_t := + let xnum_k_1943 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 4) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t + )) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_1_i_v)) : fp_t + )) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 2) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_r_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_i_v)) : fp_t + )) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 3) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_3_r_v)) : fp_t, + nat_mod_zero + )) in + let xden_k_1944 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 2) in + let xden_k_1944 := + seq_upd xden_k_1944 (usize 0) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_0_i_v)) : fp_t + )) in + let xden_k_1944 := + seq_upd xden_k_1944 (usize 1) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 12) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_1_i_v)) : fp_t + )) in + let ynum_k_1945 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 4) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t + )) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_1_i_v)) : fp_t + )) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 2) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_r_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_i_v)) : fp_t + )) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 3) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_3_r_v)) : fp_t, + nat_mod_zero + )) in + let yden_k_1946 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 3) in + let yden_k_1946 := + seq_upd yden_k_1946 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t + )) in + let yden_k_1946 := + seq_upd yden_k_1946 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_1_i_v)) : fp_t + )) in + let yden_k_1946 := + seq_upd yden_k_1946 (usize 2) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 18) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_2_i_v)) : fp_t + )) in + let xnum_1947 : (fp_t '× fp_t) := + fp2zero in + let xx_1948 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(xnum_1947, xx_1948) := + foldi (usize 0) (seq_len (xnum_k_1943)) (fun i_1949 '(xnum_1947, xx_1948) => + let xnum_1947 := + fp2add (xnum_1947) (fp2mul (xx_1948) (seq_index (xnum_k_1943) ( + i_1949))) in + let xx_1948 := + fp2mul (xx_1948) (x_1941) in + (xnum_1947, xx_1948)) + (xnum_1947, xx_1948) in + let xden_1950 : (fp_t '× fp_t) := + fp2zero in + let xx_1951 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(xden_1950, xx_1951) := + foldi (usize 0) (seq_len (xden_k_1944)) (fun i_1952 '(xden_1950, xx_1951) => + let xden_1950 := + fp2add (xden_1950) (fp2mul (xx_1951) (seq_index (xden_k_1944) ( + i_1952))) in + let xx_1951 := + fp2mul (xx_1951) (x_1941) in + (xden_1950, xx_1951)) + (xden_1950, xx_1951) in + let xden_1950 := + fp2add (xden_1950) (xx_1951) in + let ynum_1953 : (fp_t '× fp_t) := + fp2zero in + let xx_1954 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(ynum_1953, xx_1954) := + foldi (usize 0) (seq_len (ynum_k_1945)) (fun i_1955 '(ynum_1953, xx_1954) => + let ynum_1953 := + fp2add (ynum_1953) (fp2mul (xx_1954) (seq_index (ynum_k_1945) ( + i_1955))) in + let xx_1954 := + fp2mul (xx_1954) (x_1941) in + (ynum_1953, xx_1954)) + (ynum_1953, xx_1954) in + let yden_1956 : (fp_t '× fp_t) := + fp2zero in + let xx_1957 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(yden_1956, xx_1957) := + foldi (usize 0) (seq_len (yden_k_1946)) (fun i_1958 '(yden_1956, xx_1957) => + let yden_1956 := + fp2add (yden_1956) (fp2mul (xx_1957) (seq_index (yden_k_1946) ( + i_1958))) in + let xx_1957 := + fp2mul (xx_1957) (x_1941) in + (yden_1956, xx_1957)) + (yden_1956, xx_1957) in + let yden_1956 := + fp2add (yden_1956) (xx_1957) in + let xr_1959 : (fp_t '× fp_t) := + fp2mul (xnum_1947) (fp2inv (xden_1950)) in + let yr_1960 : (fp_t '× fp_t) := + fp2mul (y_1942) (fp2mul (ynum_1953) (fp2inv (yden_1956))) in + let inf_1961 : bool := + false in + let '(inf_1961) := + if ((xden_1950) =.? (fp2zero )) || ((yden_1956) =.? (fp2zero )):bool then ( + let inf_1961 := + true in + (inf_1961)) else ((inf_1961)) in + (xr_1959, yr_1960, inf_1961). + +Definition g2_map_to_curve_sswu (u_1962 : fp2_t) : g2_t := + let '(xp_1963, yp_1964) := + g2_simple_swu_iso (u_1962) in + let p_1965 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_isogeny_map (xp_1963) (yp_1964) in + p_1965. + +Definition g2_hash_to_curve_sswu + (msg_1966 : byte_seq) + (dst_1967 : byte_seq) + : g2_t := + let u_1968 : seq fp2_t := + fp2_hash_to_field (msg_1966) (dst_1967) (usize 2) in + let q0_1969 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_sswu (seq_index (u_1968) (usize 0)) in + let q1_1970 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_sswu (seq_index (u_1968) (usize 1)) in + let r_1971 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (q0_1969) (q1_1970) in + let p_1972 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (r_1971) in + p_1972. + +Definition g2_encode_to_curve_sswu + (msg_1973 : byte_seq) + (dst_1974 : byte_seq) + : g2_t := + let u_1975 : seq fp2_t := + fp2_hash_to_field (msg_1973) (dst_1974) (usize 1) in + let q_1976 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_sswu (seq_index (u_1975) (usize 0)) in + let p_1977 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (q_1976) in + p_1977. + diff --git a/proof-libs/coq/_vc/Hacspec_Chacha20.v b/proof-libs/coq/_vc/Hacspec_Chacha20.v new file mode 100644 index 000000000..a44b16a43 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Chacha20.v @@ -0,0 +1,223 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition state_t := nseq (uint32) (usize 16). + +Definition state_idx_t := + nat_mod (usize 16). +Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. +Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. + +Definition constants_t := nseq (uint32) (usize 4). + +Definition constants_idx_t := + nat_mod (usize 4). +Definition uint_size_in_constants_idx_t(n : uint_size) : constants_idx_t := int_in_nat_mod n. +Coercion uint_size_in_constants_idx_t : uint_size >-> constants_idx_t. + +Definition block_t := nseq (uint8) (usize 64). + +Definition cha_cha_iv_t := nseq (uint8) (usize 12). + +Definition cha_cha_key_t := nseq (uint8) (usize 32). + +Definition chacha20_line + (a_345 : state_idx_t) + (b_346 : state_idx_t) + (d_347 : state_idx_t) + (s_348 : uint_size) + (m_349 : state_t) + : state_t := + let state_350 : state_t := + m_349 in + let state_350 := + array_upd state_350 (a_345) ((array_index (state_350) (a_345)) .+ ( + array_index (state_350) (b_346))) in + let state_350 := + array_upd state_350 (d_347) ((array_index (state_350) (d_347)) .^ ( + array_index (state_350) (a_345))) in + let state_350 := + array_upd state_350 (d_347) (uint32_rotate_left (array_index (state_350) ( + d_347)) (s_348)) in + state_350. + +Definition chacha20_quarter_round + (a_351 : state_idx_t) + (b_352 : state_idx_t) + (c_353 : state_idx_t) + (d_354 : state_idx_t) + (state_355 : state_t) + : state_t := + let state_356 : state_t := + chacha20_line (a_351) (b_352) (d_354) (usize 16) (state_355) in + let state_357 : state_t := + chacha20_line (c_353) (d_354) (b_352) (usize 12) (state_356) in + let state_358 : state_t := + chacha20_line (a_351) (b_352) (d_354) (usize 8) (state_357) in + chacha20_line (c_353) (d_354) (b_352) (usize 7) (state_358). + +Definition chacha20_double_round (state_359 : state_t) : state_t := + let state_360 : state_t := + chacha20_quarter_round (usize 0) (usize 4) (usize 8) (usize 12) ( + state_359) in + let state_361 : state_t := + chacha20_quarter_round (usize 1) (usize 5) (usize 9) (usize 13) ( + state_360) in + let state_362 : state_t := + chacha20_quarter_round (usize 2) (usize 6) (usize 10) (usize 14) ( + state_361) in + let state_363 : state_t := + chacha20_quarter_round (usize 3) (usize 7) (usize 11) (usize 15) ( + state_362) in + let state_364 : state_t := + chacha20_quarter_round (usize 0) (usize 5) (usize 10) (usize 15) ( + state_363) in + let state_365 : state_t := + chacha20_quarter_round (usize 1) (usize 6) (usize 11) (usize 12) ( + state_364) in + let state_366 : state_t := + chacha20_quarter_round (usize 2) (usize 7) (usize 8) (usize 13) ( + state_365) in + chacha20_quarter_round (usize 3) (usize 4) (usize 9) (usize 14) (state_366). + +Definition chacha20_rounds (state_367 : state_t) : state_t := + let st_368 : state_t := + state_367 in + let st_368 := + foldi (usize 0) (usize 10) (fun i_369 st_368 => + let st_368 := + chacha20_double_round (st_368) in + (st_368)) + st_368 in + st_368. + +Definition chacha20_core (ctr_370 : uint32) (st0_371 : state_t) : state_t := + let state_372 : state_t := + st0_371 in + let state_372 := + array_upd state_372 (usize 12) ((array_index (state_372) (usize 12)) .+ ( + ctr_370)) in + let k_373 : state_t := + chacha20_rounds (state_372) in + (k_373) array_add (state_372). + +Definition chacha20_constants_init : constants_t := + let constants_374 : constants_t := + array_new_ (default : uint32) (4) in + let constants_374 := + array_upd constants_374 (usize 0) (secret ( + @repr WORDSIZE32 1634760805) : int32) in + let constants_374 := + array_upd constants_374 (usize 1) (secret ( + @repr WORDSIZE32 857760878) : int32) in + let constants_374 := + array_upd constants_374 (usize 2) (secret ( + @repr WORDSIZE32 2036477234) : int32) in + let constants_374 := + array_upd constants_374 (usize 3) (secret ( + @repr WORDSIZE32 1797285236) : int32) in + constants_374. + +Definition chacha20_init + (key_375 : cha_cha_key_t) + (iv_376 : cha_cha_iv_t) + (ctr_377 : uint32) + : state_t := + let st_378 : state_t := + array_new_ (default : uint32) (16) in + let st_378 := + array_update (st_378) (usize 0) ( + array_to_seq (chacha20_constants_init )) in + let st_378 := + array_update (st_378) (usize 4) (array_to_le_uint32s (key_375)) in + let st_378 := + array_upd st_378 (usize 12) (ctr_377) in + let st_378 := + array_update (st_378) (usize 13) (array_to_le_uint32s (iv_376)) in + st_378. + +Definition chacha20_key_block (state_379 : state_t) : block_t := + let state_380 : state_t := + chacha20_core (secret (@repr WORDSIZE32 0) : int32) (state_379) in + array_from_seq (64) (array_to_le_bytes (state_380)). + +Definition chacha20_key_block0 + (key_381 : cha_cha_key_t) + (iv_382 : cha_cha_iv_t) + : block_t := + let state_383 : state_t := + chacha20_init (key_381) (iv_382) (secret (@repr WORDSIZE32 0) : int32) in + chacha20_key_block (state_383). + +Definition chacha20_encrypt_block + (st0_384 : state_t) + (ctr_385 : uint32) + (plain_386 : block_t) + : block_t := + let st_387 : state_t := + chacha20_core (ctr_385) (st0_384) in + let pl_388 : state_t := + array_from_seq (16) (array_to_le_uint32s (plain_386)) in + let st_389 : state_t := + (pl_388) array_xor (st_387) in + array_from_seq (64) (array_to_le_bytes (st_389)). + +Definition chacha20_encrypt_last + (st0_390 : state_t) + (ctr_391 : uint32) + (plain_392 : byte_seq) + : byte_seq := + let b_393 : block_t := + array_new_ (default : uint8) (64) in + let b_393 := + array_update (b_393) (usize 0) (plain_392) in + let b_393 := + chacha20_encrypt_block (st0_390) (ctr_391) (b_393) in + array_slice (b_393) (usize 0) (seq_len (plain_392)). + +Definition chacha20_update (st0_394 : state_t) (m_395 : byte_seq) : byte_seq := + let blocks_out_396 : seq uint8 := + seq_new_ (default : uint8) (seq_len (m_395)) in + let n_blocks_397 : uint_size := + seq_num_exact_chunks (m_395) (usize 64) in + let blocks_out_396 := + foldi (usize 0) (n_blocks_397) (fun i_398 blocks_out_396 => + let msg_block_399 : seq uint8 := + seq_get_exact_chunk (m_395) (usize 64) (i_398) in + let b_400 : block_t := + chacha20_encrypt_block (st0_394) (secret (pub_u32 (i_398)) : int32) ( + array_from_seq (64) (msg_block_399)) in + let blocks_out_396 := + seq_set_exact_chunk (blocks_out_396) (usize 64) (i_398) ( + array_to_seq (b_400)) in + (blocks_out_396)) + blocks_out_396 in + let last_block_401 : seq uint8 := + seq_get_remainder_chunk (m_395) (usize 64) in + let '(blocks_out_396) := + if (seq_len (last_block_401)) !=.? (usize 0):bool then ( + let b_402 : seq uint8 := + chacha20_encrypt_last (st0_394) (secret (pub_u32 ( + n_blocks_397)) : int32) (last_block_401) in + let blocks_out_396 := + seq_set_chunk (blocks_out_396) (usize 64) (n_blocks_397) (b_402) in + (blocks_out_396)) else ((blocks_out_396)) in + blocks_out_396. + +Definition chacha20 + (key_403 : cha_cha_key_t) + (iv_404 : cha_cha_iv_t) + (ctr_405 : int32) + (m_406 : byte_seq) + : byte_seq := + let state_407 : state_t := + chacha20_init (key_403) (iv_404) (secret (ctr_405) : int32) in + chacha20_update (state_407) (m_406). + diff --git a/proof-libs/coq/_vc/Hacspec_Chacha20poly1305.v b/proof-libs/coq/_vc/Hacspec_Chacha20poly1305.v new file mode 100644 index 000000000..206ae34b9 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Chacha20poly1305.v @@ -0,0 +1,98 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Chacha20. + +Require Import Hacspec_Poly1305. + +Inductive error_t := +| InvalidTag : error_t. + +Notation "'cha_cha_poly_key_t'" := (cha_cha_key_t) : hacspec_scope. + +Notation "'cha_cha_poly_iv_t'" := (cha_cha_iv_t) : hacspec_scope. + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Definition init + (key_408 : cha_cha_poly_key_t) + (iv_409 : cha_cha_poly_iv_t) + : poly_state_t := + let key_block0_410 : block_t := + chacha20_key_block0 (key_408) (iv_409) in + let poly_key_411 : poly_key_t := + array_from_slice (default : uint8) (32) (array_to_seq (key_block0_410)) ( + usize 0) (usize 32) in + poly1305_init (poly_key_411). + +Definition poly1305_update_padded + (m_412 : byte_seq) + (st_413 : poly_state_t) + : poly_state_t := + let st_414 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_update_blocks (m_412) (st_413) in + let last_415 : seq uint8 := + seq_get_remainder_chunk (m_412) (usize 16) in + poly1305_update_last (usize 16) (last_415) (st_414). + +Definition finish + (aad_len_416 : uint_size) + (cipher_len_417 : uint_size) + (st_418 : poly_state_t) + : poly1305_tag_t := + let last_block_419 : poly_block_t := + array_new_ (default : uint8) (16) in + let last_block_419 := + array_update (last_block_419) (usize 0) (array_to_seq (uint64_to_le_bytes ( + secret (pub_u64 (aad_len_416)) : int64))) in + let last_block_419 := + array_update (last_block_419) (usize 8) (array_to_seq (uint64_to_le_bytes ( + secret (pub_u64 (cipher_len_417)) : int64))) in + let st_420 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_update_block (last_block_419) (st_418) in + poly1305_finish (st_420). + +Definition chacha20_poly1305_encrypt + (key_421 : cha_cha_poly_key_t) + (iv_422 : cha_cha_poly_iv_t) + (aad_423 : byte_seq) + (msg_424 : byte_seq) + : (byte_seq '× poly1305_tag_t) := + let cipher_text_425 : seq uint8 := + chacha20 (key_421) (iv_422) (@repr WORDSIZE32 1) (msg_424) in + let poly_st_426 : (field_element_t '× field_element_t '× poly_key_t) := + init (key_421) (iv_422) in + let poly_st_426 := + poly1305_update_padded (aad_423) (poly_st_426) in + let poly_st_426 := + poly1305_update_padded (cipher_text_425) (poly_st_426) in + let tag_427 : poly1305_tag_t := + finish (seq_len (aad_423)) (seq_len (cipher_text_425)) (poly_st_426) in + (cipher_text_425, tag_427). + +Definition chacha20_poly1305_decrypt + (key_428 : cha_cha_poly_key_t) + (iv_429 : cha_cha_poly_iv_t) + (aad_430 : byte_seq) + (cipher_text_431 : byte_seq) + (tag_432 : poly1305_tag_t) + : byte_seq_result_t := + let poly_st_433 : (field_element_t '× field_element_t '× poly_key_t) := + init (key_428) (iv_429) in + let poly_st_433 := + poly1305_update_padded (aad_430) (poly_st_433) in + let poly_st_433 := + poly1305_update_padded (cipher_text_431) (poly_st_433) in + let my_tag_434 : poly1305_tag_t := + finish (seq_len (aad_430)) (seq_len (cipher_text_431)) (poly_st_433) in + (if (array_declassify_eq (my_tag_434) (tag_432)):bool then ( + @Ok byte_seq error_t (chacha20 (key_428) (iv_429) (@repr WORDSIZE32 1) ( + cipher_text_431))) else (@Err byte_seq error_t (InvalidTag))). + diff --git a/proof-libs/coq/_vc/Hacspec_Coverage_Test.v b/proof-libs/coq/_vc/Hacspec_Coverage_Test.v new file mode 100644 index 000000000..5b3b169f5 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Coverage_Test.v @@ -0,0 +1,163 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition big_integer_test : unit := + let _ : big_int_t := + big_int_zero in + let _ : big_int_t := + big_int_one in + let _ : big_int_t := + big_int_two in + let bi_2669 : big_int_t := + big_int_from_literal (@repr WORDSIZE128 1238) in + let bi_2669 := + big_int_get_bit (bi_2669) (usize 3) in + let bi_2669 := + big_int_set_bit (bi_2669) (big_int_one ) (usize 3) in + let bi_2669 := + big_int_set (bi_2669) (usize 4) (big_int_two ) (usize 2) in + let bi_2669 := + big_int_wrap_add (bi_2669) (big_int_two ) in + let bi_2669 := + big_int_wrap_sub (bi_2669) (big_int_two ) in + let bi_2669 := + big_int_wrap_mul (bi_2669) (big_int_two ) in + let _ : bool := + big_int_equal (big_int_one ) (big_int_two ) in + let bi_2669 := + big_int_sub_mod (bi_2669) (big_int_two ) (big_int_from_literal ( + @repr WORDSIZE128 4)) in + let bi_2669 := + big_int_add_mod (bi_2669) (big_int_two ) (big_int_from_literal ( + @repr WORDSIZE128 4)) in + let bi_2669 := + big_int_mul_mod (bi_2669) (big_int_two ) (big_int_from_literal ( + @repr WORDSIZE128 4)) in + let bi_2669 := + big_int_absolute (bi_2669) in + tt. + +Definition machine_integer_test : unit := + let _ : int32 := + pub_uint32_zero in + let _ : int8 := + pub_uint8_one in + let _ : int128 := + pub_uint128_two in + let mi_2670 : int16 := + pub_uint16_from_literal (@repr WORDSIZE128 1238) in + let mi_2670 := + pub_uint16_get_bit (mi_2670) (usize 3) in + let mi_2670 := + pub_uint16_set_bit (mi_2670) (pub_uint16_one ) (usize 3) in + let mi_2670 := + pub_uint16_set (mi_2670) (usize 4) (pub_uint16_two ) (usize 2) in + let mi_2670 := + pub_uint16_rotate_left (mi_2670) (@repr WORDSIZE32 4) in + let mi_2670 := + pub_uint16_rotate_right (mi_2670) (@repr WORDSIZE32 4) in + let _ : int16 := + pub_uint16_max_val in + let mi_2670 := + pub_uint16_wrap_add (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_wrap_sub (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_wrap_mul (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_exp (mi_2670) (@repr WORDSIZE32 2) in + let mi_2670 := + pub_uint16_divide (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_inv (pub_uint16_from_literal (@repr WORDSIZE128 79)) ( + pub_uint16_two ) in + let _ : bool := + pub_uint16_equal (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_greater_than (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_greater_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_less_than (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_less_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_not_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_greater_than_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_greater_than_or_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_less_than_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_less_than_or_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_sub_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( + @repr WORDSIZE128 4)) in + let mi_2670 := + pub_uint16_add_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( + @repr WORDSIZE128 4)) in + let mi_2670 := + pub_uint16_mul_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( + @repr WORDSIZE128 4)) in + let mi_2670 := + pub_uint16_absolute (mi_2670) in + let _ : uint64 := + secret (@repr WORDSIZE64 12) : int64 in + tt. + +Definition seq_test : unit := + let ns_2671 : seq int8 := + seq_with_capacity (usize 5) in + let ns_2671 := + seq_new_ (default : int8) (usize 5) in + let ns_2671 := + seq_reserve (ns_2671) (usize 10) in + let _ : uint_size := + seq_len (ns_2671) in + let ns_2671 := + seq_slice (ns_2671) (usize 0) (usize 5) in + let ns_2671 := + seq_into_slice (ns_2671) (usize 1) (usize 3) in + let ns_2671 := + seq_slice_range (ns_2671) ((usize 0, usize 2)) in + let ns_2671 := + seq_into_slice_range (ns_2671) ((usize 0, usize 1)) in + let '(ns1_2672, ns2_2673) := + seq_split_off (ns_2671) (usize 1) in + let ns1_2672 := + seq_truncate (ns1_2672) (usize 2) in + let ns2_2673 := + seq_from_slice (ns1_2672) (usize 0) (usize 1) in + let ns_2674 : seq int8 := + seq_concat (ns1_2672) (ns2_2673) in + let ns_2674 := + seq_concat_owned (ns1_2672) (ns2_2673) in + let ns_2674 := + seq_push (ns_2674) (@repr WORDSIZE8 2) in + let ns_2674 := + seq_push_owned (ns_2674) (@repr WORDSIZE8 4) in + let ns_2674 := + seq_from_slice_range (ns_2674) ((usize 0, usize 4)) in + let _ : uint_size := + seq_num_chunks (ns_2674) (usize 2) in + let _ : uint_size := + seq_num_exact_chunks (ns_2674) (usize 2) in + tt. + +Definition arr_name_t := nseq (uint64) (usize 8). + +Definition byte_arr_name_t := nseq (uint8) (usize 128). + +Definition array_test : unit := + tt. + diff --git a/proof-libs/coq/_vc/Hacspec_Curve25519.v b/proof-libs/coq/_vc/Hacspec_Curve25519.v new file mode 100644 index 000000000..4d340a361 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Curve25519.v @@ -0,0 +1,170 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition field_canvas_t := nseq (int8) (32). +Definition x25519_field_element_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. + +Notation "'point_t'" := ((x25519_field_element_t '× x25519_field_element_t +)) : hacspec_scope. + +Definition x25519_serialized_point_t := nseq (uint8) (usize 32). + +Definition x25519_serialized_scalar_t := nseq (uint8) (usize 32). + +Definition mask_scalar + (s_477 : x25519_serialized_scalar_t) + : x25519_serialized_scalar_t := + let k_478 : x25519_serialized_scalar_t := + s_477 in + let k_478 := + array_upd k_478 (usize 0) ((array_index (k_478) (usize 0)) .& (secret ( + @repr WORDSIZE8 248) : int8)) in + let k_478 := + array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + let k_478 := + array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .| (secret ( + @repr WORDSIZE8 64) : int8)) in + k_478. + +Definition decode_scalar (s_479 : x25519_serialized_scalar_t) : scalar_t := + let k_480 : x25519_serialized_scalar_t := + mask_scalar (s_479) in + nat_mod_from_byte_seq_le (array_to_seq (k_480)) : scalar_t. + +Definition decode_point (u_481 : x25519_serialized_point_t) : point_t := + let u_482 : x25519_serialized_point_t := + u_481 in + let u_482 := + array_upd u_482 (usize 31) ((array_index (u_482) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + ( + nat_mod_from_byte_seq_le (array_to_seq (u_482)) : x25519_field_element_t, + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 1) : x25519_field_element_t + ). + +Definition encode_point (p_483 : point_t) : x25519_serialized_point_t := + let '(x_484, y_485) := + p_483 in + let b_486 : x25519_field_element_t := + (x_484) *% (nat_mod_inv (y_485)) in + array_update_start (array_new_ (default : uint8) (32)) ( + nat_mod_to_byte_seq_le (b_486)). + +Definition point_add_and_double + (q_487 : point_t) + (np_488 : (point_t '× point_t)) + : (point_t '× point_t) := + let '(nq_489, nqp1_490) := + np_488 in + let '(x_1_491, z_1_492) := + q_487 in + let '(x_2_493, z_2_494) := + nq_489 in + let '(x_3_495, z_3_496) := + nqp1_490 in + let a_497 : x25519_field_element_t := + (x_2_493) +% (z_2_494) in + let aa_498 : x25519_field_element_t := + nat_mod_pow (a_497) (@repr WORDSIZE128 2) in + let b_499 : x25519_field_element_t := + (x_2_493) -% (z_2_494) in + let bb_500 : x25519_field_element_t := + (b_499) *% (b_499) in + let e_501 : x25519_field_element_t := + (aa_498) -% (bb_500) in + let c_502 : x25519_field_element_t := + (x_3_495) +% (z_3_496) in + let d_503 : x25519_field_element_t := + (x_3_495) -% (z_3_496) in + let da_504 : x25519_field_element_t := + (d_503) *% (a_497) in + let cb_505 : x25519_field_element_t := + (c_502) *% (b_499) in + let x_3_506 : x25519_field_element_t := + nat_mod_pow ((da_504) +% (cb_505)) (@repr WORDSIZE128 2) in + let z_3_507 : x25519_field_element_t := + (x_1_491) *% (nat_mod_pow ((da_504) -% (cb_505)) (@repr WORDSIZE128 2)) in + let x_2_508 : x25519_field_element_t := + (aa_498) *% (bb_500) in + let e121665_509 : x25519_field_element_t := + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 121665) : x25519_field_element_t in + let z_2_510 : x25519_field_element_t := + (e_501) *% ((aa_498) +% ((e121665_509) *% (e_501))) in + ((x_2_508, z_2_510), (x_3_506, z_3_507)). + +Definition swap (x_511 : (point_t '× point_t)) : (point_t '× point_t) := + let '(x0_512, x1_513) := + x_511 in + (x1_513, x0_512). + +Definition montgomery_ladder + (k_514 : scalar_t) + (init_515 : point_t) + : point_t := + let inf_516 : (x25519_field_element_t '× x25519_field_element_t) := + ( + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 1) : x25519_field_element_t, + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 0) : x25519_field_element_t + ) in + let acc_517 : (point_t '× point_t) := + (inf_516, init_515) in + let acc_517 := + foldi (usize 0) (usize 256) (fun i_518 acc_517 => + let '(acc_517) := + if nat_mod_bit (k_514) ((usize 255) - (i_518)):bool then (let acc_517 := + swap (acc_517) in + let acc_517 := + point_add_and_double (init_515) (acc_517) in + let acc_517 := + swap (acc_517) in + (acc_517)) else (let acc_517 := + point_add_and_double (init_515) (acc_517) in + (acc_517)) in + (acc_517)) + acc_517 in + let '(out_519, _) := + acc_517 in + out_519. + +Definition x25519_scalarmult + (s_520 : x25519_serialized_scalar_t) + (p_521 : x25519_serialized_point_t) + : x25519_serialized_point_t := + let s_522 : scalar_t := + decode_scalar (s_520) in + let p_523 : (x25519_field_element_t '× x25519_field_element_t) := + decode_point (p_521) in + let r_524 : (x25519_field_element_t '× x25519_field_element_t) := + montgomery_ladder (s_522) (p_523) in + encode_point (r_524). + +Definition x25519_secret_to_public + (s_525 : x25519_serialized_scalar_t) + : x25519_serialized_point_t := + let base_526 : x25519_serialized_point_t := + array_new_ (default : uint8) (32) in + let base_526 := + array_upd base_526 (usize 0) (secret (@repr WORDSIZE8 9) : int8) in + x25519_scalarmult (s_525) (base_526). + diff --git a/proof-libs/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v new file mode 100644 index 000000000..875bc79a9 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v @@ -0,0 +1,128 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_P256. + +Require Import Hacspec_Sha256. + +Inductive error_t := +| InvalidScalar : error_t +| InvalidSignature : error_t. + +Notation "'p256_public_key_t'" := (affine_t) : hacspec_scope. + +Notation "'p256_secret_key_t'" := (p256_scalar_t) : hacspec_scope. + +Notation "'p256_signature_t'" := ((p256_scalar_t '× p256_scalar_t +)) : hacspec_scope. + +Notation "'p256_signature_result_t'" := (( + result p256_signature_t error_t)) : hacspec_scope. + +Notation "'p256_verify_result_t'" := ((result unit error_t)) : hacspec_scope. + +Notation "'check_result_t'" := ((result unit error_t)) : hacspec_scope. + +Notation "'arithmetic_result_t'" := ((result affine_t error_t)) : hacspec_scope. + +Definition check_scalar_zero (r_527 : p256_scalar_t) : check_result_t := + (if (nat_mod_equal (r_527) (nat_mod_zero )):bool then (@Err unit error_t ( + InvalidScalar)) else (@Ok unit error_t (tt))). + +Definition ecdsa_point_mul_base (x_528 : p256_scalar_t) : arithmetic_result_t := + match p256_point_mul_base (x_528) with + | Ok (s_529) => @Ok affine_t error_t (s_529) + | Err (_) => @Err affine_t error_t (InvalidScalar) + end. + +Definition ecdsa_point_mul + (k_530 : p256_scalar_t) + (p_531 : affine_t) + : arithmetic_result_t := + match p256_point_mul (k_530) (p_531) with + | Ok (s_532) => @Ok affine_t error_t (s_532) + | Err (_) => @Err affine_t error_t (InvalidScalar) + end. + +Definition ecdsa_point_add + (p_533 : affine_t) + (q_534 : affine_t) + : arithmetic_result_t := + match point_add (p_533) (q_534) with + | Ok (s_535) => @Ok affine_t error_t (s_535) + | Err (_) => @Err affine_t error_t (InvalidScalar) + end. + +Definition sign + (payload_536 : byte_seq) + (sk_537 : p256_secret_key_t) + (nonce_538 : p256_scalar_t) + : p256_signature_result_t := + bind (check_scalar_zero (nonce_538)) (fun _ => bind (ecdsa_point_mul_base ( + nonce_538)) (fun '(k_x_539, k_y_540) => let r_541 : p256_scalar_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + k_x_539)) : p256_scalar_t in + bind (check_scalar_zero (r_541)) (fun _ => + let payload_hash_542 : sha256_digest_t := + hash (payload_536) in + let payload_hash_543 : p256_scalar_t := + nat_mod_from_byte_seq_be ( + array_to_seq (payload_hash_542)) : p256_scalar_t in + let rsk_544 : p256_scalar_t := + (r_541) *% (sk_537) in + let hash_rsk_545 : p256_scalar_t := + (payload_hash_543) +% (rsk_544) in + let nonce_inv_546 : p256_scalar_t := + nat_mod_inv (nonce_538) in + let s_547 : p256_scalar_t := + (nonce_inv_546) *% (hash_rsk_545) in + @Ok p256_signature_t error_t ((r_541, s_547))))). + +Definition ecdsa_p256_sha256_sign + (payload_548 : byte_seq) + (sk_549 : p256_secret_key_t) + (nonce_550 : p256_scalar_t) + : p256_signature_result_t := + sign (payload_548) (sk_549) (nonce_550). + +Definition verify + (payload_551 : byte_seq) + (pk_552 : p256_public_key_t) + (signature_553 : p256_signature_t) + : p256_verify_result_t := + let '(r_554, s_555) := + signature_553 in + let payload_hash_556 : sha256_digest_t := + hash (payload_551) in + let payload_hash_557 : p256_scalar_t := + nat_mod_from_byte_seq_be ( + array_to_seq (payload_hash_556)) : p256_scalar_t in + let s_inv_558 : p256_scalar_t := + nat_mod_inv (s_555) in + let u1_559 : p256_scalar_t := + (payload_hash_557) *% (s_inv_558) in + bind (ecdsa_point_mul_base (u1_559)) (fun u1_560 => + let u2_561 : p256_scalar_t := + (r_554) *% (s_inv_558) in + bind (ecdsa_point_mul (u2_561) (pk_552)) (fun u2_562 => bind ( + ecdsa_point_add (u1_560) (u2_562)) (fun '(x_563, y_564) => + let x_565 : p256_scalar_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + x_563)) : p256_scalar_t in + (if ((x_565) =.? (r_554)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature)))))). + +Definition ecdsa_p256_sha256_verify + (payload_566 : byte_seq) + (pk_567 : p256_public_key_t) + (signature_568 : p256_signature_t) + : p256_verify_result_t := + verify (payload_566) (pk_567) (signature_568). + diff --git a/proof-libs/coq/_vc/Hacspec_Ed25519.v b/proof-libs/coq/_vc/Hacspec_Ed25519.v new file mode 100644 index 000000000..2f9c9ffb8 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Ed25519.v @@ -0,0 +1,690 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha512. + +Require Import Hacspec_Edwards25519. + +Definition scalar_from_hash (h_1978 : sha512_digest_t) : scalar_t := + let s_1979 : big_scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (h_1978)) : big_scalar_t in + nat_mod_from_byte_seq_le (seq_slice (nat_mod_to_byte_seq_le (s_1979)) ( + usize 0) (usize 32)) : scalar_t. + +Definition sign (sk_1980 : secret_key_t) (msg_1981 : byte_seq) : signature_t := + let '(a_1982, prefix_1983) := + secret_expand (sk_1980) in + let a_1984 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (a_1982)) : scalar_t in + let b_1985 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let a_p_1986 : compressed_ed_point_t := + compress (point_mul (a_1984) (b_1985)) in + let r_1987 : scalar_t := + scalar_from_hash (sha512 (array_concat (prefix_1983) (msg_1981))) in + let r_p_1988 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (r_1987) (b_1985) in + let r_s_1989 : compressed_ed_point_t := + compress (r_p_1988) in + let h_1990 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_s_1989) ( + array_to_seq (a_p_1986))) (msg_1981))) in + let s_1991 : scalar_t := + (r_1987) +% ((h_1990) *% (a_1984)) in + let s_bytes_1992 : seq uint8 := + seq_slice (nat_mod_to_byte_seq_le (s_1991)) (usize 0) (usize 32) in + array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( + array_to_seq (r_s_1989))) (usize 32) (s_bytes_1992). + +Definition zcash_verify + (pk_1993 : public_key_t) + (signature_1994 : signature_t) + (msg_1995 : byte_seq) + : verify_result_t := + let b_1996 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress_non_canonical (base_v)) in + bind (option_ok_or (decompress_non_canonical (pk_1993)) (InvalidPublickey)) ( + fun a_1997 => let r_bytes_1998 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( + usize 0) (usize 32) in + let s_bytes_1999 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1999)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress_non_canonical (r_bytes_1998)) (InvalidR)) ( + fun r_2000 => let s_2001 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1999)) : scalar_t in + let k_2002 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1998) ( + pk_1993)) (msg_1995))) in + let sb_2003 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_2001) (b_1996)) in + let rc_2004 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_2000) in + let ka_2005 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_2002) (a_1997)) in + (if (point_eq (sb_2003) (point_add (rc_2004) (ka_2005))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition ietf_cofactored_verify + (pk_2006 : public_key_t) + (signature_2007 : signature_t) + (msg_2008 : byte_seq) + : verify_result_t := + let b_2009 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_2006)) (InvalidPublickey)) (fun a_2010 => + let r_bytes_2011 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( + usize 0) (usize 32) in + let s_bytes_2012 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2012)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2011)) (InvalidR)) (fun r_2013 => + let s_2014 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2012)) : scalar_t in + let k_2015 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2011) ( + pk_2006)) (msg_2008))) in + let sb_2016 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_2014) (b_2009)) in + let rc_2017 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_2013) in + let ka_2018 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_2015) (a_2010)) in + (if (point_eq (sb_2016) (point_add (rc_2017) (ka_2018))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition ietf_cofactorless_verify + (pk_2019 : public_key_t) + (signature_2020 : signature_t) + (msg_2021 : byte_seq) + : verify_result_t := + let b_2022 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_2019)) (InvalidPublickey)) (fun a_2023 => + let r_bytes_2024 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( + usize 0) (usize 32) in + let s_bytes_2025 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2025)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2024)) (InvalidR)) (fun r_2026 => + let s_2027 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2025)) : scalar_t in + let k_2028 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2024) ( + pk_2019)) (msg_2021))) in + let sb_2029 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_2027) (b_2022) in + let ka_2030 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (k_2028) (a_2023) in + (if (point_eq (sb_2029) (point_add (r_2026) (ka_2030))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition is_identity (p_2031 : ed_point_t) : bool := + point_eq (p_2031) (point_identity ). + +Definition alg2_verify + (pk_2032 : public_key_t) + (signature_2033 : signature_t) + (msg_2034 : byte_seq) + : verify_result_t := + let b_2035 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_2032)) (InvalidPublickey)) (fun a_2036 => + ifbnd is_identity (point_mul_by_cofactor (a_2036)) : bool + thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let r_bytes_2037 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( + usize 0) (usize 32) in + let s_bytes_2038 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2038)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2037)) (InvalidR)) (fun r_2039 => + let s_2040 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2038)) : scalar_t in + let k_2041 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2037) ( + pk_2032)) (msg_2034))) in + let sb_2042 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_2040) (b_2035)) in + let rc_2043 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_2039) in + let ka_2044 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_2041) (a_2036)) in + (if (point_eq (sb_2042) (point_add (rc_2043) (ka_2044))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature))))))). + +Inductive batch_entry_t := +| BatchEntry : (public_key_t '× byte_seq '× signature_t) -> batch_entry_t. + +Definition zcash_batch_verify + (entries_2045 : seq batch_entry_t) + (entropy_2046 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2046)) <.? ((usize 16) * (seq_len ( + entries_2045))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2047 : scalar_t := + nat_mod_zero in + let r_sum_2048 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2049 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2045)) for ( + s_sum_2047, + r_sum_2048, + a_sum_2049 + ) >> (fun i_2050 '(s_sum_2047, r_sum_2048, a_sum_2049) => + let 'BatchEntry ((pk_2051, msg_2052, signature_2053)) := + (seq_index (entries_2045) (i_2050)) in + bind (option_ok_or (decompress_non_canonical (pk_2051)) ( + InvalidPublickey)) (fun a_2054 => + let r_bytes_2055 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2053)) (usize 0) (usize 32) in + let s_bytes_2056 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2053)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2056)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress_non_canonical (r_bytes_2055)) (InvalidR)) ( + fun r_2057 => let s_2058 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2056)) : scalar_t in + let c_2059 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2055) ( + array_to_seq (pk_2051))) (msg_2052))) in + let z_2060 : seq uint8 := + seq_slice (entropy_2046) ((usize 16) * (i_2050)) (usize 16) in + let z_2061 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2060) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2047 := + (s_sum_2047) +% ((s_2058) *% (z_2061)) in + let r_sum_2048 := + point_add (r_sum_2048) (point_mul (z_2061) (r_2057)) in + let a_sum_2049 := + point_add (a_sum_2049) (point_mul ((z_2061) *% (c_2059)) (a_2054)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2047, r_sum_2048, a_sum_2049))))))) (fun '( + s_sum_2047, + r_sum_2048, + a_sum_2049 + ) => let b_2062 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2063 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2047) (b_2062) in + let check_2064 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_2063)) (point_add ( + r_sum_2048) (a_sum_2049))) in + (if (is_identity (check_2064)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition ietf_cofactored_batch_verify + (entries_2065 : seq batch_entry_t) + (entropy_2066 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2066)) <.? ((usize 16) * (seq_len ( + entries_2065))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2067 : scalar_t := + nat_mod_zero in + let r_sum_2068 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2069 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2065)) for ( + s_sum_2067, + r_sum_2068, + a_sum_2069 + ) >> (fun i_2070 '(s_sum_2067, r_sum_2068, a_sum_2069) => + let 'BatchEntry ((pk_2071, msg_2072, signature_2073)) := + (seq_index (entries_2065) (i_2070)) in + bind (option_ok_or (decompress (pk_2071)) (InvalidPublickey)) (fun a_2074 => + let r_bytes_2075 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2073)) (usize 0) (usize 32) in + let s_bytes_2076 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2073)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2076)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2075)) (InvalidR)) (fun r_2077 => + let s_2078 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2076)) : scalar_t in + let c_2079 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2075) ( + array_to_seq (pk_2071))) (msg_2072))) in + let z_2080 : seq uint8 := + seq_slice (entropy_2066) ((usize 16) * (i_2070)) (usize 16) in + let z_2081 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2080) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2067 := + (s_sum_2067) +% ((s_2078) *% (z_2081)) in + let r_sum_2068 := + point_add (r_sum_2068) (point_mul (z_2081) (r_2077)) in + let a_sum_2069 := + point_add (a_sum_2069) (point_mul ((z_2081) *% (c_2079)) (a_2074)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2067, r_sum_2068, a_sum_2069))))))) (fun '( + s_sum_2067, + r_sum_2068, + a_sum_2069 + ) => let b_2082 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2083 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2067) (b_2082) in + let check_2084 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_2083)) (point_add ( + r_sum_2068) (a_sum_2069))) in + (if (is_identity (check_2084)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition ietf_cofactorless_batch_verify + (entries_2085 : seq batch_entry_t) + (entropy_2086 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2086)) <.? ((usize 16) * (seq_len ( + entries_2085))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2087 : scalar_t := + nat_mod_zero in + let r_sum_2088 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2089 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2085)) for ( + s_sum_2087, + r_sum_2088, + a_sum_2089 + ) >> (fun i_2090 '(s_sum_2087, r_sum_2088, a_sum_2089) => + let 'BatchEntry ((pk_2091, msg_2092, signature_2093)) := + (seq_index (entries_2085) (i_2090)) in + bind (option_ok_or (decompress (pk_2091)) (InvalidPublickey)) (fun a_2094 => + let r_bytes_2095 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2093)) (usize 0) (usize 32) in + let s_bytes_2096 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2093)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2096)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2095)) (InvalidR)) (fun r_2097 => + let s_2098 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2096)) : scalar_t in + let c_2099 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2095) ( + array_to_seq (pk_2091))) (msg_2092))) in + let z_2100 : seq uint8 := + seq_slice (entropy_2086) ((usize 16) * (i_2090)) (usize 16) in + let z_2101 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2100) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2087 := + (s_sum_2087) +% ((s_2098) *% (z_2101)) in + let r_sum_2088 := + point_add (r_sum_2088) (point_mul (z_2101) (r_2097)) in + let a_sum_2089 := + point_add (a_sum_2089) (point_mul ((z_2101) *% (c_2099)) (a_2094)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2087, r_sum_2088, a_sum_2089))))))) (fun '( + s_sum_2087, + r_sum_2088, + a_sum_2089 + ) => let b_2102 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2103 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2087) (b_2102) in + let check_2104 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (point_neg (sb_2103)) (point_add (r_sum_2088) (a_sum_2089)) in + (if (is_identity (check_2104)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition alg3_batch_verify + (entries_2105 : seq batch_entry_t) + (entropy_2106 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2106)) <.? ((usize 16) * (seq_len ( + entries_2105))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2107 : scalar_t := + nat_mod_zero in + let r_sum_2108 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2109 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2105)) for ( + s_sum_2107, + r_sum_2108, + a_sum_2109 + ) >> (fun i_2110 '(s_sum_2107, r_sum_2108, a_sum_2109) => + let 'BatchEntry ((pk_2111, msg_2112, signature_2113)) := + (seq_index (entries_2105) (i_2110)) in + bind (option_ok_or (decompress (pk_2111)) (InvalidPublickey)) (fun a_2114 => + ifbnd is_identity (point_mul_by_cofactor (a_2114)) : bool + thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let r_bytes_2115 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2113)) (usize 0) (usize 32) in + let s_bytes_2116 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2113)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2116)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2115)) (InvalidR)) (fun r_2117 => + let s_2118 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2116)) : scalar_t in + let c_2119 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2115) ( + array_to_seq (pk_2111))) (msg_2112))) in + let z_2120 : seq uint8 := + seq_slice (entropy_2106) ((usize 16) * (i_2110)) (usize 16) in + let z_2121 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2120) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2107 := + (s_sum_2107) +% ((s_2118) *% (z_2121)) in + let r_sum_2108 := + point_add (r_sum_2108) (point_mul (z_2121) (r_2117)) in + let a_sum_2109 := + point_add (a_sum_2109) (point_mul ((z_2121) *% (c_2119)) (a_2114)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2107, r_sum_2108, a_sum_2109)))))))) (fun '( + s_sum_2107, + r_sum_2108, + a_sum_2109 + ) => let b_2122 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2123 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2107) (b_2122) in + let check_2124 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_2123)) (point_add ( + r_sum_2108) (a_sum_2109))) in + (if (is_identity (check_2124)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + diff --git a/proof-libs/coq/_vc/Hacspec_Edwards25519.v b/proof-libs/coq/_vc/Hacspec_Edwards25519.v new file mode 100644 index 000000000..155089746 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Edwards25519.v @@ -0,0 +1,597 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha512. + +Definition field_canvas_t := nseq (int8) (32). +Definition ed25519_field_element_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. + +Definition big_scalar_canvas_t := nseq (int8) (64). +Definition big_scalar_t := + nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. + +Definition big_integer_canvas_t := nseq (int8) (32). +Definition big_integer_t := + nat_mod 0x8000000000000000000000000000000080000000000000000000000000000000. + +Notation "'ed_point_t'" := (( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t +)) : hacspec_scope. + +Definition compressed_ed_point_t := nseq (uint8) (usize 32). + +Definition serialized_scalar_t := nseq (uint8) (usize 32). + +Definition signature_t := nseq (uint8) (usize 64). + +Notation "'public_key_t'" := (compressed_ed_point_t) : hacspec_scope. + +Notation "'secret_key_t'" := (serialized_scalar_t) : hacspec_scope. + +Inductive error_t := +| InvalidPublickey : error_t +| InvalidSignature : error_t +| InvalidS : error_t +| InvalidR : error_t +| SmallOrderPoint : error_t +| NotEnoughRandomness : error_t. + +Notation "'verify_result_t'" := ((result unit error_t)) : hacspec_scope. + +Definition base_v : compressed_ed_point_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8 + ] in l). + +Definition constant_p_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 127) : int8 + ] in l). + +Definition constant_l_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 211) : int8; + secret (@repr WORDSIZE8 245) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 18) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 214) : int8; + secret (@repr WORDSIZE8 156) : int8; + secret (@repr WORDSIZE8 247) : int8; + secret (@repr WORDSIZE8 162) : int8; + secret (@repr WORDSIZE8 222) : int8; + secret (@repr WORDSIZE8 249) : int8; + secret (@repr WORDSIZE8 222) : int8; + secret (@repr WORDSIZE8 20) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 16) : int8 + ] in l). + +Definition constant_p3_8_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 15) : int8 + ] in l). + +Definition constant_p1_4_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 251) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 31) : int8 + ] in l). + +Definition constant_d_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 163) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 19) : int8; + secret (@repr WORDSIZE8 202) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 117) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 232) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 199) : int8; + secret (@repr WORDSIZE8 140) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 82) : int8 + ] in l). + +Definition is_negative (x_2125 : ed25519_field_element_t) : uint8 := + (if (nat_mod_bit (x_2125) (usize 0)):bool then (secret ( + @repr WORDSIZE8 1) : int8) else (secret (@repr WORDSIZE8 0) : int8)). + +Definition compress (p_2126 : ed_point_t) : compressed_ed_point_t := + let '(x_2127, y_2128, z_2129, _) := + p_2126 in + let z_inv_2130 : ed25519_field_element_t := + nat_mod_inv (z_2129) in + let x_2131 : ed25519_field_element_t := + (x_2127) *% (z_inv_2130) in + let y_2132 : ed25519_field_element_t := + (y_2128) *% (z_inv_2130) in + let s_2133 : byte_seq := + nat_mod_to_byte_seq_le (y_2132) in + let s_2133 := + seq_upd s_2133 (usize 31) ((seq_index (s_2133) (usize 31)) .^ (( + is_negative (x_2131)) shift_left (usize 7))) in + array_from_slice (default : uint8) (32) (s_2133) (usize 0) (usize 32). + +Definition sqrt + (a_2134 : ed25519_field_element_t) + : (option ed25519_field_element_t) := + let p3_8_2135 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_p3_8_v)) : ed25519_field_element_t in + let p1_4_2136 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_p1_4_v)) : ed25519_field_element_t in + let x_c_2137 : ed25519_field_element_t := + nat_mod_pow_self (a_2134) (p3_8_2135) in + let result_2138 : (option ed25519_field_element_t) := + @None ed25519_field_element_t in + let '(result_2138) := + if ((x_c_2137) *% (x_c_2137)) =.? (a_2134):bool then (let result_2138 := + some (x_c_2137) in + (result_2138)) else ((result_2138)) in + let '(result_2138) := + if ((x_c_2137) *% (x_c_2137)) =.? ((nat_mod_zero ) -% (a_2134)):bool then ( + let x_2139 : ed25519_field_element_t := + (nat_mod_pow_self (nat_mod_two ) (p1_4_2136)) *% (x_c_2137) in + let result_2138 := + some (x_2139) in + (result_2138)) else ((result_2138)) in + result_2138. + +Definition check_canonical_point (x_2140 : compressed_ed_point_t) : bool := + let x_2140 := + array_upd x_2140 (usize 31) ((array_index (x_2140) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + let x_2141 : big_integer_t := + nat_mod_from_byte_seq_le (array_to_seq (x_2140)) : big_integer_t in + (x_2141) <.? (nat_mod_from_byte_seq_le ( + array_to_seq (constant_p_v)) : big_integer_t). + +Definition decompress (q_2142 : compressed_ed_point_t) : (option ed_point_t) := + let d_2143 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_d_v)) : ed25519_field_element_t in + let x_s_2144 : uint8 := + ((array_index (q_2142) (usize 31)) .& (secret ( + @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in + let y_s_2145 : compressed_ed_point_t := + q_2142 in + let y_s_2145 := + array_upd y_s_2145 (usize 31) ((array_index (y_s_2145) (usize 31)) .& ( + secret (@repr WORDSIZE8 127) : int8)) in + ifbnd negb (check_canonical_point (y_s_2145)) : bool + thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) + else (tt) >> (fun 'tt => + let y_2146 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (y_s_2145)) : ed25519_field_element_t in + let z_2147 : ed25519_field_element_t := + nat_mod_one in + let yy_2148 : ed25519_field_element_t := + (y_2146) *% (y_2146) in + let u_2149 : ed25519_field_element_t := + (yy_2148) -% (z_2147) in + let v_2150 : ed25519_field_element_t := + ((d_2143) *% (yy_2148)) +% (z_2147) in + let xx_2151 : ed25519_field_element_t := + (u_2149) *% (nat_mod_inv (v_2150)) in + bind (sqrt (xx_2151)) (fun x_2152 => let x_r_2153 : uint8 := + is_negative (x_2152) in + ifbnd ((x_2152) =.? (nat_mod_zero )) && ((uint8_declassify (x_s_2144)) =.? ( + @repr WORDSIZE8 1)) : bool + thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) + else (tt) >> (fun 'tt => + let '(x_2152) := + if (uint8_declassify (x_r_2153)) !=.? (uint8_declassify ( + x_s_2144)):bool then (let x_2152 := + (nat_mod_zero ) -% (x_2152) in + (x_2152)) else ((x_2152)) in + some ((x_2152, y_2146, z_2147, (x_2152) *% (y_2146)))))). + +Definition decompress_non_canonical + (p_2154 : compressed_ed_point_t) + : (option ed_point_t) := + let d_2155 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_d_v)) : ed25519_field_element_t in + let x_s_2156 : uint8 := + ((array_index (p_2154) (usize 31)) .& (secret ( + @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in + let y_s_2157 : compressed_ed_point_t := + p_2154 in + let y_s_2157 := + array_upd y_s_2157 (usize 31) ((array_index (y_s_2157) (usize 31)) .& ( + secret (@repr WORDSIZE8 127) : int8)) in + let y_2158 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (y_s_2157)) : ed25519_field_element_t in + let z_2159 : ed25519_field_element_t := + nat_mod_one in + let yy_2160 : ed25519_field_element_t := + (y_2158) *% (y_2158) in + let u_2161 : ed25519_field_element_t := + (yy_2160) -% (z_2159) in + let v_2162 : ed25519_field_element_t := + ((d_2155) *% (yy_2160)) +% (z_2159) in + let xx_2163 : ed25519_field_element_t := + (u_2161) *% (nat_mod_inv (v_2162)) in + bind (sqrt (xx_2163)) (fun x_2164 => let x_r_2165 : uint8 := + is_negative (x_2164) in + let '(x_2164) := + if (uint8_declassify (x_r_2165)) !=.? (uint8_declassify ( + x_s_2156)):bool then (let x_2164 := + (nat_mod_zero ) -% (x_2164) in + (x_2164)) else ((x_2164)) in + some ((x_2164, y_2158, z_2159, (x_2164) *% (y_2158)))). + +Definition encode (p_2166 : ed_point_t) : byte_seq := + let '(x_2167, y_2168, z_2169, _) := + p_2166 in + let z_inv_2170 : ed25519_field_element_t := + nat_mod_inv (z_2169) in + let x_2171 : ed25519_field_element_t := + (x_2167) *% (z_inv_2170) in + let y_2172 : ed25519_field_element_t := + (y_2168) *% (z_inv_2170) in + let s_2173 : byte_seq := + nat_mod_to_byte_seq_le (y_2172) in + let s_2173 := + seq_upd s_2173 (usize 31) ((seq_index (s_2173) (usize 31)) .^ (( + is_negative (x_2171)) shift_left (usize 7))) in + s_2173. + +Definition decode (q_s_2174 : byte_seq) : (option ed_point_t) := + let q_2175 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (q_s_2174) (usize 0) (usize 32) in + decompress (q_2175). + +Definition point_add (p_2176 : ed_point_t) (q_2177 : ed_point_t) : ed_point_t := + let d_c_2178 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_d_v)) : ed25519_field_element_t in + let two_2179 : ed25519_field_element_t := + nat_mod_two in + let '(x1_2180, y1_2181, z1_2182, t1_2183) := + p_2176 in + let '(x2_2184, y2_2185, z2_2186, t2_2187) := + q_2177 in + let a_2188 : ed25519_field_element_t := + ((y1_2181) -% (x1_2180)) *% ((y2_2185) -% (x2_2184)) in + let b_2189 : ed25519_field_element_t := + ((y1_2181) +% (x1_2180)) *% ((y2_2185) +% (x2_2184)) in + let c_2190 : ed25519_field_element_t := + (((t1_2183) *% (two_2179)) *% (d_c_2178)) *% (t2_2187) in + let d_2191 : ed25519_field_element_t := + ((z1_2182) *% (two_2179)) *% (z2_2186) in + let e_2192 : ed25519_field_element_t := + (b_2189) -% (a_2188) in + let f_2193 : ed25519_field_element_t := + (d_2191) -% (c_2190) in + let g_2194 : ed25519_field_element_t := + (d_2191) +% (c_2190) in + let h_2195 : ed25519_field_element_t := + (b_2189) +% (a_2188) in + let x3_2196 : ed25519_field_element_t := + (e_2192) *% (f_2193) in + let y3_2197 : ed25519_field_element_t := + (g_2194) *% (h_2195) in + let t3_2198 : ed25519_field_element_t := + (e_2192) *% (h_2195) in + let z3_2199 : ed25519_field_element_t := + (f_2193) *% (g_2194) in + (x3_2196, y3_2197, z3_2199, t3_2198). + +Definition point_identity : ed_point_t := + (nat_mod_zero , nat_mod_one , nat_mod_one , nat_mod_zero ). + +Definition point_mul (s_2200 : scalar_t) (p_2201 : ed_point_t) : ed_point_t := + let p_2202 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + p_2201 in + let q_2203 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let '(p_2202, q_2203) := + foldi (usize 0) (usize 256) (fun i_2204 '(p_2202, q_2203) => + let '(q_2203) := + if nat_mod_bit (s_2200) (i_2204):bool then (let q_2203 := + point_add (q_2203) (p_2202) in + (q_2203)) else ((q_2203)) in + let p_2202 := + point_add (p_2202) (p_2202) in + (p_2202, q_2203)) + (p_2202, q_2203) in + q_2203. + +Definition point_mul_by_cofactor (p_2205 : ed_point_t) : ed_point_t := + let p2_2206 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (p_2205) (p_2205) in + let p4_2207 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (p2_2206) (p2_2206) in + let p8_2208 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (p4_2207) (p4_2207) in + p8_2208. + +Definition point_neg (p_2209 : ed_point_t) : ed_point_t := + let '(x_2210, y_2211, z_2212, t_2213) := + p_2209 in + ((nat_mod_zero ) -% (x_2210), y_2211, z_2212, (nat_mod_zero ) -% (t_2213)). + +Definition point_eq (p_2214 : ed_point_t) (q_2215 : ed_point_t) : bool := + let '(x1_2216, y1_2217, z1_2218, _) := + p_2214 in + let '(x2_2219, y2_2220, z2_2221, _) := + q_2215 in + (((x1_2216) *% (z2_2221)) =.? ((x2_2219) *% (z1_2218))) && (((y1_2217) *% ( + z2_2221)) =.? ((y2_2220) *% (z1_2218))). + +Definition point_normalize (q_2222 : ed_point_t) : ed_point_t := + let '(qx_2223, qy_2224, qz_2225, _) := + q_2222 in + let px_2226 : ed25519_field_element_t := + (qx_2223) *% (nat_mod_inv (qz_2225)) in + let py_2227 : ed25519_field_element_t := + (qy_2224) *% (nat_mod_inv (qz_2225)) in + let pz_2228 : ed25519_field_element_t := + nat_mod_one in + let pt_2229 : ed25519_field_element_t := + (px_2226) *% (py_2227) in + (px_2226, py_2227, pz_2228, pt_2229). + +Definition secret_expand + (sk_2230 : secret_key_t) + : (serialized_scalar_t '× serialized_scalar_t) := + let h_2231 : sha512_digest_t := + sha512 (seq_from_slice (sk_2230) (usize 0) (usize 32)) in + let h_d_2232 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 32) ( + usize 32) in + let s_2233 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 0) ( + usize 32) in + let s_2233 := + array_upd s_2233 (usize 0) ((array_index (s_2233) (usize 0)) .& (secret ( + @repr WORDSIZE8 248) : int8)) in + let s_2233 := + array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + let s_2233 := + array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .| (secret ( + @repr WORDSIZE8 64) : int8)) in + (s_2233, h_d_2232). + +Definition secret_to_public (sk_2234 : secret_key_t) : public_key_t := + let '(s_2235, _) := + secret_expand (sk_2234) in + let base_2236 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let ss_2237 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_2235)) : scalar_t in + let a_2238 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (ss_2237) (base_2236) in + compress (a_2238). + +Definition check_canonical_scalar (s_2239 : serialized_scalar_t) : bool := + (if ((uint8_declassify ((array_index (s_2239) (usize 31)) .& (secret ( + @repr WORDSIZE8 224) : int8))) !=.? ( + @repr WORDSIZE8 0)):bool then (false) else ((nat_mod_from_byte_seq_le ( + array_to_seq (s_2239)) : big_integer_t) <.? ( + nat_mod_from_byte_seq_le ( + array_to_seq (constant_l_v)) : big_integer_t))). + diff --git a/proof-libs/coq/_vc/Hacspec_Edwards25519_Ecvrf.v b/proof-libs/coq/_vc/Hacspec_Edwards25519_Ecvrf.v new file mode 100644 index 000000000..7a3f9305a --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Edwards25519_Ecvrf.v @@ -0,0 +1,349 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Edwards25519. + +Require Import Hacspec_Sha512. + +Require Import Hacspec_Edwards25519_Hash. + +Inductive errorec_t := +| FailedVerify : errorec_t +| MessageTooLarge : errorec_t +| InvalidProof : errorec_t +| InvalidPublicKey : errorec_t +| FailedDecompression : errorec_t +| FailedE2C : errorec_t. + +Notation "'byte_seq_result_t'" := ((result byte_seq errorec_t)) : hacspec_scope. + +Notation "'proof_result_t'" := ((result (ed_point_t '× scalar_t '× scalar_t + ) errorec_t)) : hacspec_scope. + +Notation "'ed_point_result_t'" := (( + result ed_point_t errorec_t)) : hacspec_scope. + +Definition large_mod_canvas_t := nseq (int8) (32). +Definition large_mod_t := + nat_mod 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. + +Definition arr_large_mod_t := nseq (uint64) (usize 4). + +Definition q_v : arr_large_mod_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 9223372036854775807) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551597) : int64 + ] in l). + +Definition c_len_v : uint_size := + usize 16. + +Definition pt_len_v : uint_size := + usize 32. + +Definition q_len_v : uint_size := + usize 32. + +Definition int_byte_t := nseq (uint8) (usize 1). + +Definition zero_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 0) : int8] in l). + +Definition one_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). + +Definition two_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). + +Definition three_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 3) : int8] in l). + +Definition four_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 4) : int8] in l). + +Definition suite_string_v : int_byte_t := + four_v. + +Definition dst_t := nseq (uint8) (usize 39). + +Definition h2c_suite_id_string_v : dst_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 67) : int8; + secret (@repr WORDSIZE8 86) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 70) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 97) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 68) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 95) : int8 + ] in l). + +Definition ecvrf_encode_to_curve_try_and_increment + (encode_to_curve_salt_2457 : byte_seq) + (alpha_2458 : byte_seq) + : ed_point_result_t := + let h_2459 : (option ed_point_t) := + @None ed_point_t in + let x_2460 : ed25519_field_element_t := + nat_mod_zero in + let '(h_2459, x_2460) := + foldi (usize 1) (usize 256) (fun ctr_2461 '(h_2459, x_2460) => + let '(h_2459, x_2460) := + if ((h_2459)) =.? (@None ed_point_t):bool then ( + let ctr_string_2462 : seq uint8 := + seq_slice (nat_mod_to_byte_seq_be (x_2460)) (usize 31) (usize 1) in + let hash_string_2463 : sha512_digest_t := + sha512 (seq_concat (seq_concat (seq_concat (seq_concat ( + array_concat (suite_string_v) (array_to_seq (one_v))) ( + encode_to_curve_salt_2457)) (alpha_2458)) ( + ctr_string_2462)) (array_to_seq (zero_v))) in + let h_2459 := + decompress (array_from_slice (default : uint8) (32) ( + array_to_seq (hash_string_2463)) (usize 0) (usize 32)) in + let x_2460 := + (x_2460) +% (nat_mod_one ) in + (h_2459, x_2460)) else ((h_2459, x_2460)) in + (h_2459, x_2460)) + (h_2459, x_2460) in + bind (option_ok_or (h_2459) (FailedE2C)) (fun h_2464 => + @Ok ed_point_t errorec_t (point_mul_by_cofactor (h_2464))). + +Definition ecvrf_encode_to_curve_h2c_suite + (encode_to_curve_salt_2465 : byte_seq) + (alpha_2466 : byte_seq) + : ed_point_result_t := + let string_to_be_hashed_2467 : seq uint8 := + seq_concat (encode_to_curve_salt_2465) (alpha_2466) in + let dst_2468 : seq uint8 := + array_concat (h2c_suite_id_string_v) (array_to_seq (suite_string_v)) in + let h_2469 : (result ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) error_t) := + ed_encode_to_curve (string_to_be_hashed_2467) (dst_2468) in + bind (option_ok_or (result_ok (h_2469)) (FailedE2C)) (fun h_2470 => + @Ok ed_point_t errorec_t (h_2470)). + +Definition ecvrf_nonce_generation + (sk_2471 : secret_key_t) + (h_string_2472 : byte_seq) + : scalar_t := + let hashed_sk_string_2473 : sha512_digest_t := + sha512 (array_to_le_bytes (sk_2471)) in + let truncated_hashed_sk_string_2474 : seq uint8 := + array_slice (hashed_sk_string_2473) (usize 32) (usize 32) in + let k_string_2475 : sha512_digest_t := + sha512 (seq_concat (truncated_hashed_sk_string_2474) (h_string_2472)) in + let nonce_2476 : big_scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (k_string_2475)) : big_scalar_t in + let nonceseq_2477 : seq uint8 := + seq_slice (nat_mod_to_byte_seq_le (nonce_2476)) (usize 0) (usize 32) in + nat_mod_from_byte_seq_le (nonceseq_2477) : scalar_t. + +Definition ecvrf_challenge_generation + (p1_2478 : ed_point_t) + (p2_2479 : ed_point_t) + (p3_2480 : ed_point_t) + (p4_2481 : ed_point_t) + (p5_2482 : ed_point_t) + : scalar_t := + let string_2483 : seq uint8 := + seq_concat (seq_concat (seq_concat (seq_concat (seq_concat (seq_concat ( + array_concat (suite_string_v) (array_to_seq (two_v))) (encode ( + p1_2478))) (encode (p2_2479))) (encode (p3_2480))) (encode ( + p4_2481))) (encode (p5_2482))) (array_to_seq (zero_v)) in + let c_string_2484 : sha512_digest_t := + sha512 (string_2483) in + let truncated_c_string_2485 : seq uint8 := + seq_concat (array_slice (c_string_2484) (usize 0) (c_len_v)) (seq_new_ ( + default : uint8) (usize 16)) in + nat_mod_from_byte_seq_le (truncated_c_string_2485) : scalar_t. + +Definition ecvrf_decode_proof (pi_2486 : byte_seq) : proof_result_t := + let gamma_string_2487 : seq uint8 := + seq_slice (pi_2486) (usize 0) (pt_len_v) in + let c_string_2488 : seq uint8 := + seq_slice (pi_2486) (pt_len_v) (c_len_v) in + let s_string_2489 : seq uint8 := + seq_slice (pi_2486) ((pt_len_v) + (c_len_v)) (q_len_v) in + bind (option_ok_or (decompress (array_from_slice (default : uint8) (32) ( + gamma_string_2487) (usize 0) (usize 32))) (InvalidProof)) ( + fun gamma_2490 => let c_2491 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (c_string_2488) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_2492 : scalar_t := + nat_mod_from_byte_seq_le ((s_string_2489)) : scalar_t in + let s_test_2493 : large_mod_t := + nat_mod_from_byte_seq_le (s_string_2489) : large_mod_t in + let q_2494 : large_mod_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (q_v)) : large_mod_t in + (if ((s_test_2493) >=.? (q_2494)):bool then (@Err ( + ed_point_t '× + scalar_t '× + scalar_t + ) errorec_t (InvalidProof)) else (@Ok ( + ed_point_t '× + scalar_t '× + scalar_t + ) errorec_t ((gamma_2490, c_2491, s_2492))))). + +Definition ecvrf_validate_key + (y_2495 : public_key_t) + : (result unit errorec_t) := + bind (option_ok_or (decompress (y_2495)) (InvalidPublicKey)) (fun y_2496 => + let y_prime_2497 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (y_2496) in + (if ((y_prime_2497) =.? (point_identity )):bool then (@Err unit errorec_t ( + InvalidPublicKey)) else (@Ok unit errorec_t (tt)))). + +Definition ecvrf_prove + (sk_2498 : secret_key_t) + (alpha_2499 : byte_seq) + : byte_seq_result_t := + bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2500 => + let '(x_2501, _) := + secret_expand (sk_2498) in + let x_2502 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (x_2501)) : scalar_t in + let y_2503 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (x_2502) (b_2500) in + let pk_2504 : compressed_ed_point_t := + compress (y_2503) in + let encode_to_curve_salt_2505 : seq uint8 := + array_slice (pk_2504) (usize 0) (usize 32) in + bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2505) ( + alpha_2499)) (fun h_2506 => let h_string_2507 : seq uint8 := + encode (h_2506) in + let gamma_2508 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (x_2502) (h_2506) in + let k_2509 : scalar_t := + ecvrf_nonce_generation (sk_2498) (h_string_2507) in + let u_2510 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (k_2509) (b_2500) in + let v_2511 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (k_2509) (h_2506) in + let c_2512 : scalar_t := + ecvrf_challenge_generation (y_2503) (h_2506) (gamma_2508) (u_2510) ( + v_2511) in + let s_2513 : scalar_t := + (k_2509) +% ((c_2512) *% (x_2502)) in + @Ok byte_seq errorec_t (seq_slice (seq_concat (seq_concat (encode ( + gamma_2508)) (seq_slice (nat_mod_to_byte_seq_le (c_2512)) ( + usize 0) (c_len_v))) (seq_slice (nat_mod_to_byte_seq_le ( + s_2513)) (usize 0) (q_len_v))) (usize 0) (((c_len_v) + ( + q_len_v)) + (pt_len_v))))). + +Definition ecvrf_proof_to_hash (pi_2514 : byte_seq) : byte_seq_result_t := + bind (ecvrf_decode_proof (pi_2514)) (fun '(gamma_2515, _, _) => + @Ok byte_seq errorec_t (array_slice (sha512 (seq_concat (seq_concat ( + array_concat (suite_string_v) (array_to_seq (three_v))) (encode ( + point_mul_by_cofactor (gamma_2515)))) ( + array_to_seq (zero_v)))) (usize 0) (usize 64))). + +Definition ecvrf_verify + (pk_2516 : public_key_t) + (alpha_2517 : byte_seq) + (pi_2518 : byte_seq) + (validate_key_2519 : bool) + : byte_seq_result_t := + bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2520 => + bind (option_ok_or (decompress (pk_2516)) (InvalidPublicKey)) (fun y_2521 => + ifbnd validate_key_2519 : bool + thenbnd (bind (ecvrf_validate_key (pk_2516)) (fun _ => + @Ok unit errorec_t (tt))) + else (tt) >> (fun 'tt => + bind (ecvrf_decode_proof (pi_2518)) (fun '(gamma_2522, c_2523, s_2524) => + let encode_to_curve_salt_2525 : seq uint8 := + array_slice (pk_2516) (usize 0) (usize 32) in + bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2525) ( + alpha_2517)) (fun h_2526 => let u_2527 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (point_mul (s_2524) (b_2520)) (point_neg (point_mul ( + c_2523) (y_2521))) in + let v_2528 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (point_mul (s_2524) (h_2526)) (point_neg (point_mul ( + c_2523) (gamma_2522))) in + let c_prime_2529 : scalar_t := + ecvrf_challenge_generation (y_2521) (h_2526) (gamma_2522) (u_2527) ( + v_2528) in + (if ((c_2523) =.? (c_prime_2529)):bool then (ecvrf_proof_to_hash ( + pi_2518)) else (@Err byte_seq errorec_t (FailedVerify)))))))). + diff --git a/proof-libs/coq/_vc/Hacspec_Edwards25519_Hash.v b/proof-libs/coq/_vc/Hacspec_Edwards25519_Hash.v new file mode 100644 index 000000000..0017ba372 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Edwards25519_Hash.v @@ -0,0 +1,504 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Edwards25519. + +Require Import Hacspec_Sha512. + +Definition b_in_bytes_v : uint_size := + usize 64. + +Definition s_in_bytes_v : uint_size := + usize 128. + +Definition l_v : uint_size := + usize 48. + +Definition j_v : int128 := + @repr WORDSIZE128 486662. + +Definition z_v : int128 := + @repr WORDSIZE128 2. + +Definition arr_ed25519_field_element_t := nseq (uint64) (usize 4). + +Definition ed_field_hash_canvas_t := nseq (int8) (64). +Definition ed_field_hash_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Inductive error_t := +| ExpandMessageAbort : error_t. + +Definition eqb_error_t (x y : error_t) : bool := +match x with + | ExpandMessageAbort => match y with | ExpandMessageAbort=> true end + end. + +Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_error_t : EqDec (error_t) := +Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). + + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Notation "'seq_ed_result_t'" := (( + result seq ed25519_field_element_t error_t)) : hacspec_scope. + +Notation "'ed_point_result_t'" := ((result ed_point_t error_t)) : hacspec_scope. + +Definition p_1_2_v : arr_ed25519_field_element_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 4611686018427387903) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551606) : int64 + ] in l). + +Definition p_3_8_v : arr_ed25519_field_element_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1152921504606846975) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551614) : int64 + ] in l). + +Definition p_5_8_v : arr_ed25519_field_element_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1152921504606846975) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551613) : int64 + ] in l). + +Definition expand_message_xmd + (msg_2290 : byte_seq) + (dst_2291 : byte_seq) + (len_in_bytes_2292 : uint_size) + : byte_seq_result_t := + let ell_2293 : uint_size := + (((len_in_bytes_2292) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in + let result_2294 : (result byte_seq error_t) := + @Err byte_seq error_t (ExpandMessageAbort) in + let '(result_2294) := + if negb ((((ell_2293) >.? (usize 255)) || ((len_in_bytes_2292) >.? ( + usize 65535))) || ((seq_len (dst_2291)) >.? ( + usize 255))):bool then (let dst_prime_2295 : seq uint8 := + seq_push (dst_2291) (uint8_from_usize (seq_len (dst_2291))) in + let z_pad_2296 : seq uint8 := + seq_new_ (default : uint8) (s_in_bytes_v) in + let l_i_b_str_2297 : seq uint8 := + seq_new_ (default : uint8) (usize 2) in + let l_i_b_str_2297 := + seq_upd l_i_b_str_2297 (usize 0) (uint8_from_usize (( + len_in_bytes_2292) / (usize 256))) in + let l_i_b_str_2297 := + seq_upd l_i_b_str_2297 (usize 1) (uint8_from_usize ( + len_in_bytes_2292)) in + let msg_prime_2298 : seq uint8 := + seq_concat (seq_concat (seq_concat (seq_concat (z_pad_2296) ( + msg_2290)) (l_i_b_str_2297)) (seq_new_ (default : uint8) ( + usize 1))) (dst_prime_2295) in + let b_0_2299 : seq uint8 := + seq_from_seq (array_to_seq (hash (msg_prime_2298))) in + let b_i_2300 : seq uint8 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_2299) ( + secret (@repr WORDSIZE8 1) : int8)) (dst_prime_2295)))) in + let uniform_bytes_2301 : seq uint8 := + seq_from_seq (b_i_2300) in + let '(b_i_2300, uniform_bytes_2301) := + foldi (usize 2) ((ell_2293) + (usize 1)) (fun i_2302 '( + b_i_2300, + uniform_bytes_2301 + ) => + let t_2303 : seq uint8 := + seq_from_seq (b_0_2299) in + let b_i_2300 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( + t_2303) seq_xor (b_i_2300)) (uint8_from_usize (i_2302))) ( + dst_prime_2295)))) in + let uniform_bytes_2301 := + seq_concat (uniform_bytes_2301) (b_i_2300) in + (b_i_2300, uniform_bytes_2301)) + (b_i_2300, uniform_bytes_2301) in + let result_2294 := + @Ok byte_seq error_t (seq_truncate (uniform_bytes_2301) ( + len_in_bytes_2292)) in + (result_2294)) else ((result_2294)) in + result_2294. + +Definition ed_hash_to_field + (msg_2304 : byte_seq) + (dst_2305 : byte_seq) + (count_2306 : uint_size) + : seq_ed_result_t := + let len_in_bytes_2307 : uint_size := + (count_2306) * (l_v) in + bind (expand_message_xmd (msg_2304) (dst_2305) (len_in_bytes_2307)) ( + fun uniform_bytes_2308 => let output_2309 : seq ed25519_field_element_t := + seq_new_ (default : ed25519_field_element_t) (count_2306) in + let output_2309 := + foldi (usize 0) (count_2306) (fun i_2310 output_2309 => + let elm_offset_2311 : uint_size := + (l_v) * (i_2310) in + let tv_2312 : seq uint8 := + seq_slice (uniform_bytes_2308) (elm_offset_2311) (l_v) in + let u_i_2313 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_2312) : ed_field_hash_t)) ( + usize 32) (usize 32)) : ed25519_field_element_t in + let output_2309 := + seq_upd output_2309 (i_2310) (u_i_2313) in + (output_2309)) + output_2309 in + @Ok seq ed25519_field_element_t error_t (output_2309)). + +Definition ed_is_square (x_2314 : ed25519_field_element_t) : bool := + let c1_2315 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (array_to_be_bytes ( + p_1_2_v)) : ed25519_field_element_t in + let tv_2316 : ed25519_field_element_t := + nat_mod_pow_self (x_2314) (c1_2315) in + ((tv_2316) =.? (nat_mod_zero )) || ((tv_2316) =.? (nat_mod_one )). + +Definition sgn0_m_eq_1 (x_2317 : ed25519_field_element_t) : bool := + ((x_2317) rem (nat_mod_two )) =.? (nat_mod_one ). + +Definition ed_clear_cofactor (x_2318 : ed_point_t) : ed_point_t := + point_mul_by_cofactor (x_2318). + +Definition cmov + (a_2319 : ed25519_field_element_t) + (b_2320 : ed25519_field_element_t) + (c_2321 : bool) + : ed25519_field_element_t := + (if (c_2321):bool then (b_2320) else (a_2319)). + +Definition xor (a_2322 : bool) (b_2323 : bool) : bool := + (if (a_2322):bool then ((if (b_2323):bool then (false) else (true))) else (( + if (b_2323):bool then (true) else (false)))). + +Definition curve25519_to_edwards25519 (p_2324 : ed_point_t) : ed_point_t := + let '(s_2325, t_2326, _, _) := + point_normalize (p_2324) in + let one_2327 : ed25519_field_element_t := + nat_mod_one in + let zero_2328 : ed25519_field_element_t := + nat_mod_zero in + let tv1_2329 : ed25519_field_element_t := + (s_2325) +% (one_2327) in + let tv2_2330 : ed25519_field_element_t := + (tv1_2329) *% (t_2326) in + let tv2_2331 : ed25519_field_element_t := + nat_mod_inv (tv2_2330) in + let v_2332 : ed25519_field_element_t := + (tv2_2331) *% (tv1_2329) in + let v_2333 : ed25519_field_element_t := + (v_2332) *% (s_2325) in + let w_2334 : ed25519_field_element_t := + (tv2_2331) *% (t_2326) in + let tv1_2335 : ed25519_field_element_t := + (s_2325) -% (one_2327) in + let w_2336 : ed25519_field_element_t := + (w_2334) *% (tv1_2335) in + let e_2337 : bool := + (tv2_2331) =.? (zero_2328) in + let w_2338 : ed25519_field_element_t := + cmov (w_2336) (one_2327) (e_2337) in + let c_2339 : ed25519_field_element_t := + (nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 486664) : ed25519_field_element_t) in + let sq_2340 : (option ed25519_field_element_t) := + sqrt (c_2339) in + let v_2341 : ed25519_field_element_t := + (v_2333) *% (option_unwrap (sq_2340)) in + (v_2341, w_2338, one_2327, (v_2341) *% (w_2338)). + +Definition map_to_curve_elligator2 + (u_2342 : ed25519_field_element_t) + : ed_point_t := + let j_2343 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let z_2344 : ed25519_field_element_t := + nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in + let one_2345 : ed25519_field_element_t := + nat_mod_one in + let zero_2346 : ed25519_field_element_t := + nat_mod_zero in + let x1_2347 : ed25519_field_element_t := + ((zero_2346) -% (j_2343)) *% (nat_mod_inv ((one_2345) +% (((z_2344) *% ( + u_2342)) *% (u_2342)))) in + let '(x1_2347) := + if (x1_2347) =.? (zero_2346):bool then (let x1_2347 := + (zero_2346) -% (j_2343) in + (x1_2347)) else ((x1_2347)) in + let gx1_2348 : ed25519_field_element_t := + ((((x1_2347) *% (x1_2347)) *% (x1_2347)) +% (((j_2343) *% (x1_2347)) *% ( + x1_2347))) +% (x1_2347) in + let x2_2349 : ed25519_field_element_t := + ((zero_2346) -% (x1_2347)) -% (j_2343) in + let gx2_2350 : ed25519_field_element_t := + ((((x2_2349) *% (x2_2349)) *% (x2_2349)) +% ((j_2343) *% ((x2_2349) *% ( + x2_2349)))) +% (x2_2349) in + let x_2351 : ed25519_field_element_t := + zero_2346 in + let y_2352 : ed25519_field_element_t := + zero_2346 in + let '(x_2351, y_2352) := + if ed_is_square (gx1_2348):bool then (let x_2351 := + x1_2347 in + let y_2352 := + option_unwrap (sqrt (gx1_2348)) in + let '(y_2352) := + if negb (sgn0_m_eq_1 (y_2352)):bool then (let y_2352 := + (zero_2346) -% (y_2352) in + (y_2352)) else ((y_2352)) in + (x_2351, y_2352)) else (let x_2351 := + x2_2349 in + let y_2352 := + option_unwrap (sqrt (gx2_2350)) in + let '(y_2352) := + if sgn0_m_eq_1 (y_2352):bool then (let y_2352 := + (zero_2346) -% (y_2352) in + (y_2352)) else ((y_2352)) in + (x_2351, y_2352)) in + let s_2353 : ed25519_field_element_t := + x_2351 in + let t_2354 : ed25519_field_element_t := + y_2352 in + (s_2353, t_2354, one_2345, (s_2353) *% (t_2354)). + +Definition map_to_curve_elligator2_straight + (u_2355 : ed25519_field_element_t) + : ed_point_t := + let j_2356 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let z_2357 : ed25519_field_element_t := + nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in + let one_2358 : ed25519_field_element_t := + nat_mod_one in + let zero_2359 : ed25519_field_element_t := + nat_mod_zero in + let tv1_2360 : ed25519_field_element_t := + (u_2355) *% (u_2355) in + let tv1_2361 : ed25519_field_element_t := + (z_2357) *% (tv1_2360) in + let e1_2362 : bool := + (tv1_2361) =.? ((zero_2359) -% (one_2358)) in + let tv1_2363 : ed25519_field_element_t := + cmov (tv1_2361) (zero_2359) (e1_2362) in + let x1_2364 : ed25519_field_element_t := + (tv1_2363) +% (one_2358) in + let x1_2365 : ed25519_field_element_t := + nat_mod_inv (x1_2364) in + let x1_2366 : ed25519_field_element_t := + ((zero_2359) -% (j_2356)) *% (x1_2365) in + let gx1_2367 : ed25519_field_element_t := + (x1_2366) +% (j_2356) in + let gx1_2368 : ed25519_field_element_t := + (gx1_2367) *% (x1_2366) in + let gx1_2369 : ed25519_field_element_t := + (gx1_2368) +% (one_2358) in + let gx1_2370 : ed25519_field_element_t := + (gx1_2369) *% (x1_2366) in + let x2_2371 : ed25519_field_element_t := + ((zero_2359) -% (x1_2366)) -% (j_2356) in + let gx2_2372 : ed25519_field_element_t := + (tv1_2363) *% (gx1_2370) in + let e2_2373 : bool := + ed_is_square (gx1_2370) in + let x_2374 : ed25519_field_element_t := + cmov (x2_2371) (x1_2366) (e2_2373) in + let y2_2375 : ed25519_field_element_t := + cmov (gx2_2372) (gx1_2370) (e2_2373) in + let y_2376 : ed25519_field_element_t := + option_unwrap (sqrt (y2_2375)) in + let e3_2377 : bool := + sgn0_m_eq_1 (y_2376) in + let y_2378 : ed25519_field_element_t := + cmov (y_2376) ((zero_2359) -% (y_2376)) (xor (e2_2373) (e3_2377)) in + let s_2379 : ed25519_field_element_t := + x_2374 in + let t_2380 : ed25519_field_element_t := + y_2378 in + (s_2379, t_2380, one_2358, (s_2379) *% (t_2380)). + +Definition map_to_curve_elligator2_curve25519 + (u_2381 : ed25519_field_element_t) + : ed_point_t := + let j_2382 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let zero_2383 : ed25519_field_element_t := + nat_mod_zero in + let one_2384 : ed25519_field_element_t := + nat_mod_one in + let two_2385 : ed25519_field_element_t := + nat_mod_two in + let c1_2386 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (array_to_be_bytes ( + p_3_8_v)) : ed25519_field_element_t in + let c2_2387 : ed25519_field_element_t := + nat_mod_pow_self (two_2385) (c1_2386) in + let c3_2388 : ed25519_field_element_t := + option_unwrap (sqrt ((zero_2383) -% (one_2384))) in + let c4_2389 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (array_to_be_bytes ( + p_5_8_v)) : ed25519_field_element_t in + let tv1_2390 : ed25519_field_element_t := + (u_2381) *% (u_2381) in + let tv1_2391 : ed25519_field_element_t := + (two_2385) *% (tv1_2390) in + let xd_2392 : ed25519_field_element_t := + (tv1_2391) +% (one_2384) in + let x1n_2393 : ed25519_field_element_t := + (zero_2383) -% (j_2382) in + let tv2_2394 : ed25519_field_element_t := + (xd_2392) *% (xd_2392) in + let gxd_2395 : ed25519_field_element_t := + (tv2_2394) *% (xd_2392) in + let gx1_2396 : ed25519_field_element_t := + (j_2382) *% (tv1_2391) in + let gx1_2397 : ed25519_field_element_t := + (gx1_2396) *% (x1n_2393) in + let gx1_2398 : ed25519_field_element_t := + (gx1_2397) +% (tv2_2394) in + let gx1_2399 : ed25519_field_element_t := + (gx1_2398) *% (x1n_2393) in + let tv3_2400 : ed25519_field_element_t := + (gxd_2395) *% (gxd_2395) in + let tv2_2401 : ed25519_field_element_t := + (tv3_2400) *% (tv3_2400) in + let tv3_2402 : ed25519_field_element_t := + (tv3_2400) *% (gxd_2395) in + let tv3_2403 : ed25519_field_element_t := + (tv3_2402) *% (gx1_2399) in + let tv2_2404 : ed25519_field_element_t := + (tv2_2401) *% (tv3_2403) in + let y11_2405 : ed25519_field_element_t := + nat_mod_pow_self (tv2_2404) (c4_2389) in + let y11_2406 : ed25519_field_element_t := + (y11_2405) *% (tv3_2403) in + let y12_2407 : ed25519_field_element_t := + (y11_2406) *% (c3_2388) in + let tv2_2408 : ed25519_field_element_t := + (y11_2406) *% (y11_2406) in + let tv2_2409 : ed25519_field_element_t := + (tv2_2408) *% (gxd_2395) in + let e1_2410 : bool := + (tv2_2409) =.? (gx1_2399) in + let y1_2411 : ed25519_field_element_t := + cmov (y12_2407) (y11_2406) (e1_2410) in + let x2n_2412 : ed25519_field_element_t := + (x1n_2393) *% (tv1_2391) in + let y21_2413 : ed25519_field_element_t := + (y11_2406) *% (u_2381) in + let y21_2414 : ed25519_field_element_t := + (y21_2413) *% (c2_2387) in + let y22_2415 : ed25519_field_element_t := + (y21_2414) *% (c3_2388) in + let gx2_2416 : ed25519_field_element_t := + (gx1_2399) *% (tv1_2391) in + let tv2_2417 : ed25519_field_element_t := + (y21_2414) *% (y21_2414) in + let tv2_2418 : ed25519_field_element_t := + (tv2_2417) *% (gxd_2395) in + let e2_2419 : bool := + (tv2_2418) =.? (gx2_2416) in + let y2_2420 : ed25519_field_element_t := + cmov (y22_2415) (y21_2414) (e2_2419) in + let tv2_2421 : ed25519_field_element_t := + (y1_2411) *% (y1_2411) in + let tv2_2422 : ed25519_field_element_t := + (tv2_2421) *% (gxd_2395) in + let e3_2423 : bool := + (tv2_2422) =.? (gx1_2399) in + let xn_2424 : ed25519_field_element_t := + cmov (x2n_2412) (x1n_2393) (e3_2423) in + let y_2425 : ed25519_field_element_t := + cmov (y2_2420) (y1_2411) (e3_2423) in + let e4_2426 : bool := + sgn0_m_eq_1 (y_2425) in + let y_2427 : ed25519_field_element_t := + cmov (y_2425) ((zero_2383) -% (y_2425)) (xor (e3_2423) (e4_2426)) in + (xn_2424, xd_2392, y_2427, one_2384). + +Definition map_to_curve_elligator2_edwards25519 + (u_2428 : ed25519_field_element_t) + : ed_point_t := + let j_2429 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let zero_2430 : ed25519_field_element_t := + nat_mod_zero in + let one_2431 : ed25519_field_element_t := + nat_mod_one in + let two_2432 : ed25519_field_element_t := + nat_mod_two in + let c1_2433 : ed25519_field_element_t := + option_unwrap (sqrt ((zero_2430) -% ((j_2429) +% (two_2432)))) in + let '(xmn_2434, xmd_2435, ymn_2436, ymd_2437) := + map_to_curve_elligator2_curve25519 (u_2428) in + let xn_2438 : ed25519_field_element_t := + (xmn_2434) *% (ymd_2437) in + let xn_2439 : ed25519_field_element_t := + (xn_2438) *% (c1_2433) in + let xd_2440 : ed25519_field_element_t := + (xmd_2435) *% (ymn_2436) in + let yn_2441 : ed25519_field_element_t := + (xmn_2434) -% (xmd_2435) in + let yd_2442 : ed25519_field_element_t := + (xmn_2434) +% (xmd_2435) in + let tv1_2443 : ed25519_field_element_t := + (xd_2440) *% (yd_2442) in + let e_2444 : bool := + (tv1_2443) =.? (zero_2430) in + let xn_2445 : ed25519_field_element_t := + cmov (xn_2439) (zero_2430) (e_2444) in + let xd_2446 : ed25519_field_element_t := + cmov (xd_2440) (one_2431) (e_2444) in + let yn_2447 : ed25519_field_element_t := + cmov (yn_2441) (one_2431) (e_2444) in + let yd_2448 : ed25519_field_element_t := + cmov (yd_2442) (one_2431) (e_2444) in + let x_2449 : ed25519_field_element_t := + (xn_2445) *% (nat_mod_inv (xd_2446)) in + let y_2450 : ed25519_field_element_t := + (yn_2447) *% (nat_mod_inv (yd_2448)) in + (x_2449, y_2450, one_2431, (x_2449) *% (y_2450)). + +Definition map_to_curve_elligator2_edwards + (u_2451 : ed25519_field_element_t) + : ed_point_t := + let st_2452 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + map_to_curve_elligator2 (u_2451) in + curve25519_to_edwards25519 (st_2452). + +Definition ed_encode_to_curve + (msg_2453 : byte_seq) + (dst_2454 : byte_seq) + : ed_point_result_t := + bind (ed_hash_to_field (msg_2453) (dst_2454) (usize 1)) (fun u_2455 => + let q_2456 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + map_to_curve_elligator2_edwards (seq_index (u_2455) (usize 0)) in + @Ok ed_point_t error_t (ed_clear_cofactor (q_2456))). + diff --git a/proof-libs/coq/_vc/Hacspec_Gf128.v b/proof-libs/coq/_vc/Hacspec_Gf128.v new file mode 100644 index 000000000..c606e1b76 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Gf128.v @@ -0,0 +1,113 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition blocksize_v : uint_size := + usize 16. + +Definition gf128_block_t := nseq (uint8) (blocksize_v). + +Definition gf128_key_t := nseq (uint8) (blocksize_v). + +Definition gf128_tag_t := nseq (uint8) (blocksize_v). + +Notation "'element_t'" := (uint128) : hacspec_scope. + +Definition irred_v : element_t := + secret (@repr WORDSIZE128 299076299051606071403356588563077529600) : int128. + +Definition fadd (x_317 : element_t) (y_318 : element_t) : element_t := + (x_317) .^ (y_318). + +Definition fmul (x_319 : element_t) (y_320 : element_t) : element_t := + let res_321 : element_t := + secret (@repr WORDSIZE128 0) : int128 in + let sh_322 : uint128 := + x_319 in + let '(res_321, sh_322) := + foldi (usize 0) (usize 128) (fun i_323 '(res_321, sh_322) => + let '(res_321) := + if (uint128_declassify ((y_320) .& ((secret ( + @repr WORDSIZE128 1) : int128) shift_left ((usize 127) - ( + i_323))))) !=.? (uint128_declassify (secret ( + @repr WORDSIZE128 0) : int128)):bool then (let res_321 := + (res_321) .^ (sh_322) in + (res_321)) else ((res_321)) in + let '(sh_322) := + if (uint128_declassify ((sh_322) .& (secret ( + @repr WORDSIZE128 1) : int128))) !=.? (uint128_declassify ( + secret (@repr WORDSIZE128 0) : int128)):bool then (let sh_322 := + ((sh_322) shift_right (usize 1)) .^ (irred_v) in + (sh_322)) else (let sh_322 := + (sh_322) shift_right (usize 1) in + (sh_322)) in + (res_321, sh_322)) + (res_321, sh_322) in + res_321. + +Definition encode (block_324 : gf128_block_t) : element_t := + uint128_from_be_bytes (array_from_seq (16) (array_to_seq (block_324))). + +Definition decode (e_325 : element_t) : gf128_block_t := + array_from_seq (blocksize_v) (array_to_seq (uint128_to_be_bytes (e_325))). + +Definition update + (r_326 : element_t) + (block_327 : gf128_block_t) + (acc_328 : element_t) + : element_t := + fmul (fadd (encode (block_327)) (acc_328)) (r_326). + +Definition poly (msg_329 : byte_seq) (r_330 : element_t) : element_t := + let l_331 : uint_size := + seq_len (msg_329) in + let n_blocks_332 : uint_size := + (l_331) / (blocksize_v) in + let rem_333 : uint_size := + (l_331) %% (blocksize_v) in + let acc_334 : uint128 := + secret (@repr WORDSIZE128 0) : int128 in + let acc_334 := + foldi (usize 0) (n_blocks_332) (fun i_335 acc_334 => + let k_336 : uint_size := + (i_335) * (blocksize_v) in + let block_337 : gf128_block_t := + array_new_ (default : uint8) (blocksize_v) in + let block_337 := + array_update_start (block_337) (seq_slice_range (msg_329) (( + k_336, + (k_336) + (blocksize_v) + ))) in + let acc_334 := + update (r_330) (block_337) (acc_334) in + (acc_334)) + acc_334 in + let '(acc_334) := + if (rem_333) !=.? (usize 0):bool then (let k_338 : uint_size := + (n_blocks_332) * (blocksize_v) in + let last_block_339 : gf128_block_t := + array_new_ (default : uint8) (blocksize_v) in + let last_block_339 := + array_update_slice (last_block_339) (usize 0) (msg_329) (k_338) ( + rem_333) in + let acc_334 := + update (r_330) (last_block_339) (acc_334) in + (acc_334)) else ((acc_334)) in + acc_334. + +Definition gmac (text_340 : byte_seq) (k_341 : gf128_key_t) : gf128_tag_t := + let s_342 : gf128_block_t := + array_new_ (default : uint8) (blocksize_v) in + let r_343 : uint128 := + encode (array_from_seq (blocksize_v) (array_to_seq (k_341))) in + let a_344 : uint128 := + poly (text_340) (r_343) in + array_from_seq (blocksize_v) (array_to_seq (decode (fadd (a_344) (encode ( + s_342))))). + diff --git a/proof-libs/coq/_vc/Hacspec_Gimli.v b/proof-libs/coq/_vc/Hacspec_Gimli.v new file mode 100644 index 000000000..9ab5c8d93 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Gimli.v @@ -0,0 +1,406 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition state_t := nseq (uint32) (usize 12). + +Definition state_idx_t := + nat_mod (usize 12). +Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. +Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. + +Definition swap + (s_1127 : state_t) + (i_1128 : state_idx_t) + (j_1129 : state_idx_t) + : state_t := + let tmp_1130 : uint32 := + array_index (s_1127) (i_1128) in + let s_1127 := + array_upd s_1127 (i_1128) (array_index (s_1127) (j_1129)) in + let s_1127 := + array_upd s_1127 (j_1129) (tmp_1130) in + s_1127. + +Definition gimli_round (s_1131 : state_t) (r_1132 : int32) : state_t := + let s_1131 := + foldi (usize 0) (usize 4) (fun col_1133 s_1131 => + let x_1134 : uint32 := + uint32_rotate_left (array_index (s_1131) (col_1133)) (usize 24) in + let y_1135 : uint32 := + uint32_rotate_left (array_index (s_1131) ((col_1133) + (usize 4))) ( + usize 9) in + let z_1136 : uint32 := + array_index (s_1131) ((col_1133) + (usize 8)) in + let s_1131 := + array_upd s_1131 ((col_1133) + (usize 8)) (((x_1134) .^ (( + z_1136) shift_left (usize 1))) .^ (((y_1135) .& ( + z_1136)) shift_left (usize 2))) in + let s_1131 := + array_upd s_1131 ((col_1133) + (usize 4)) (((y_1135) .^ (x_1134)) .^ ((( + x_1134) .| (z_1136)) shift_left (usize 1))) in + let s_1131 := + array_upd s_1131 (col_1133) (((z_1136) .^ (y_1135)) .^ (((x_1134) .& ( + y_1135)) shift_left (usize 3))) in + (s_1131)) + s_1131 in + let '(s_1131) := + if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( + let s_1131 := + swap (s_1131) (usize 0) (usize 1) in + let s_1131 := + swap (s_1131) (usize 2) (usize 3) in + (s_1131)) else ((s_1131)) in + let '(s_1131) := + if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 2):bool then ( + let s_1131 := + swap (s_1131) (usize 0) (usize 2) in + let s_1131 := + swap (s_1131) (usize 1) (usize 3) in + (s_1131)) else ((s_1131)) in + let '(s_1131) := + if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( + let s_1131 := + array_upd s_1131 (usize 0) ((array_index (s_1131) (usize 0)) .^ (( + secret (@repr WORDSIZE32 2654435584) : int32) .| (secret ( + r_1132) : int32))) in + (s_1131)) else ((s_1131)) in + s_1131. + +Definition gimli (s_1137 : state_t) : state_t := + let s_1137 := + foldi (usize 0) (usize 24) (fun rnd_1138 s_1137 => + let rnd_1139 : int32 := + pub_u32 ((usize 24) - (rnd_1138)) in + let s_1137 := + gimli_round (s_1137) (rnd_1139) in + (s_1137)) + s_1137 in + s_1137. + +Definition block_t := nseq (uint8) (usize 16). + +Definition digest_t := nseq (uint8) (usize 32). + +Definition absorb_block + (input_block_1140 : block_t) + (s_1141 : state_t) + : state_t := + let input_bytes_1142 : seq uint32 := + array_to_le_uint32s (input_block_1140) in + let s_1141 := + array_upd s_1141 (usize 0) ((array_index (s_1141) (usize 0)) .^ (seq_index ( + input_bytes_1142) (usize 0))) in + let s_1141 := + array_upd s_1141 (usize 1) ((array_index (s_1141) (usize 1)) .^ (seq_index ( + input_bytes_1142) (usize 1))) in + let s_1141 := + array_upd s_1141 (usize 2) ((array_index (s_1141) (usize 2)) .^ (seq_index ( + input_bytes_1142) (usize 2))) in + let s_1141 := + array_upd s_1141 (usize 3) ((array_index (s_1141) (usize 3)) .^ (seq_index ( + input_bytes_1142) (usize 3))) in + gimli (s_1141). + +Definition squeeze_block (s_1143 : state_t) : block_t := + let block_1144 : block_t := + array_new_ (default : uint8) (16) in + let block_1144 := + foldi (usize 0) (usize 4) (fun i_1145 block_1144 => + let s_i_1146 : uint32 := + array_index (s_1143) (i_1145) in + let s_i_bytes_1147 : seq uint8 := + uint32_to_le_bytes (s_i_1146) in + let block_1144 := + array_upd block_1144 ((usize 4) * (i_1145)) (seq_index ( + s_i_bytes_1147) (usize 0)) in + let block_1144 := + array_upd block_1144 (((usize 4) * (i_1145)) + (usize 1)) (seq_index ( + s_i_bytes_1147) (usize 1)) in + let block_1144 := + array_upd block_1144 (((usize 4) * (i_1145)) + (usize 2)) (seq_index ( + s_i_bytes_1147) (usize 2)) in + let block_1144 := + array_upd block_1144 (((usize 4) * (i_1145)) + (usize 3)) (seq_index ( + s_i_bytes_1147) (usize 3)) in + (block_1144)) + block_1144 in + block_1144. + +Definition gimli_hash_state + (input_1148 : byte_seq) + (s_1149 : state_t) + : state_t := + let rate_1150 : uint_size := + array_length in + let chunks_1151 : uint_size := + seq_num_exact_chunks (input_1148) (rate_1150) in + let s_1149 := + foldi (usize 0) (chunks_1151) (fun i_1152 s_1149 => + let input_block_1153 : seq uint8 := + seq_get_exact_chunk (input_1148) (rate_1150) (i_1152) in + let full_block_1154 : block_t := + array_from_seq (16) (input_block_1153) in + let s_1149 := + absorb_block (full_block_1154) (s_1149) in + (s_1149)) + s_1149 in + let input_block_1155 : seq uint8 := + seq_get_remainder_chunk (input_1148) (rate_1150) in + let input_block_padded_1156 : block_t := + array_new_ (default : uint8) (16) in + let input_block_padded_1157 : block_t := + array_update_start (input_block_padded_1156) (input_block_1155) in + let input_block_padded_1157 := + array_upd input_block_padded_1157 (seq_len (input_block_1155)) (secret ( + @repr WORDSIZE8 1) : int8) in + let s_1149 := + array_upd s_1149 (usize 11) ((array_index (s_1149) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_1149 := + absorb_block (input_block_padded_1157) (s_1149) in + s_1149. + +Definition gimli_hash (input_bytes_1158 : byte_seq) : digest_t := + let s_1159 : state_t := + array_new_ (default : uint32) (12) in + let s_1160 : state_t := + gimli_hash_state (input_bytes_1158) (s_1159) in + let output_1161 : digest_t := + array_new_ (default : uint8) (32) in + let output_1162 : digest_t := + array_update_start (output_1161) (array_to_seq (squeeze_block (s_1160))) in + let s_1163 : state_t := + gimli (s_1160) in + array_update (output_1162) (array_length ) (array_to_seq (squeeze_block ( + s_1163))). + +Definition nonce_t := nseq (uint8) (usize 16). + +Definition key_t := nseq (uint8) (usize 32). + +Definition tag_t := nseq (uint8) (usize 16). + +Definition process_ad (ad_1164 : byte_seq) (s_1165 : state_t) : state_t := + gimli_hash_state (ad_1164) (s_1165). + +Definition process_msg + (message_1166 : byte_seq) + (s_1167 : state_t) + : (state_t '× byte_seq) := + let ciphertext_1168 : seq uint8 := + seq_new_ (default : uint8) (seq_len (message_1166)) in + let rate_1169 : uint_size := + array_length in + let num_chunks_1170 : uint_size := + seq_num_exact_chunks (message_1166) (rate_1169) in + let '(s_1167, ciphertext_1168) := + foldi (usize 0) (num_chunks_1170) (fun i_1171 '(s_1167, ciphertext_1168) => + let key_block_1172 : block_t := + squeeze_block (s_1167) in + let msg_block_1173 : seq uint8 := + seq_get_exact_chunk (message_1166) (rate_1169) (i_1171) in + let msg_block_1174 : block_t := + array_from_seq (16) (msg_block_1173) in + let ciphertext_1168 := + seq_set_exact_chunk (ciphertext_1168) (rate_1169) (i_1171) ( + array_to_seq ((msg_block_1174) array_xor (key_block_1172))) in + let s_1167 := + absorb_block (msg_block_1174) (s_1167) in + (s_1167, ciphertext_1168)) + (s_1167, ciphertext_1168) in + let key_block_1175 : block_t := + squeeze_block (s_1167) in + let last_block_1176 : seq uint8 := + seq_get_remainder_chunk (message_1166) (rate_1169) in + let block_len_1177 : uint_size := + seq_len (last_block_1176) in + let msg_block_padded_1178 : block_t := + array_new_ (default : uint8) (16) in + let msg_block_padded_1179 : block_t := + array_update_start (msg_block_padded_1178) (last_block_1176) in + let ciphertext_1168 := + seq_set_chunk (ciphertext_1168) (rate_1169) (num_chunks_1170) ( + array_slice_range ((msg_block_padded_1179) array_xor (key_block_1175)) (( + usize 0, + block_len_1177 + ))) in + let msg_block_padded_1179 := + array_upd msg_block_padded_1179 (block_len_1177) ((array_index ( + msg_block_padded_1179) (block_len_1177)) .^ (secret ( + @repr WORDSIZE8 1) : int8)) in + let s_1167 := + array_upd s_1167 (usize 11) ((array_index (s_1167) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_1167 := + absorb_block (msg_block_padded_1179) (s_1167) in + (s_1167, ciphertext_1168). + +Definition process_ct + (ciphertext_1180 : byte_seq) + (s_1181 : state_t) + : (state_t '× byte_seq) := + let message_1182 : seq uint8 := + seq_new_ (default : uint8) (seq_len (ciphertext_1180)) in + let rate_1183 : uint_size := + array_length in + let num_chunks_1184 : uint_size := + seq_num_exact_chunks (ciphertext_1180) (rate_1183) in + let '(s_1181, message_1182) := + foldi (usize 0) (num_chunks_1184) (fun i_1185 '(s_1181, message_1182) => + let key_block_1186 : block_t := + squeeze_block (s_1181) in + let ct_block_1187 : seq uint8 := + seq_get_exact_chunk (ciphertext_1180) (rate_1183) (i_1185) in + let ct_block_1188 : block_t := + array_from_seq (16) (ct_block_1187) in + let msg_block_1189 : block_t := + (ct_block_1188) array_xor (key_block_1186) in + let message_1182 := + seq_set_exact_chunk (message_1182) (rate_1183) (i_1185) (array_to_seq (( + ct_block_1188) array_xor (key_block_1186))) in + let s_1181 := + absorb_block (msg_block_1189) (s_1181) in + (s_1181, message_1182)) + (s_1181, message_1182) in + let key_block_1190 : block_t := + squeeze_block (s_1181) in + let ct_final_1191 : seq uint8 := + seq_get_remainder_chunk (ciphertext_1180) (rate_1183) in + let block_len_1192 : uint_size := + seq_len (ct_final_1191) in + let ct_block_padded_1193 : block_t := + array_new_ (default : uint8) (16) in + let ct_block_padded_1194 : block_t := + array_update_start (ct_block_padded_1193) (ct_final_1191) in + let msg_block_1195 : block_t := + (ct_block_padded_1194) array_xor (key_block_1190) in + let message_1182 := + seq_set_chunk (message_1182) (rate_1183) (num_chunks_1184) ( + array_slice_range (msg_block_1195) ((usize 0, block_len_1192))) in + let msg_block_1196 : block_t := + array_from_slice_range (default : uint8) (16) ( + array_to_seq (msg_block_1195)) ((usize 0, block_len_1192)) in + let msg_block_1196 := + array_upd msg_block_1196 (block_len_1192) ((array_index (msg_block_1196) ( + block_len_1192)) .^ (secret (@repr WORDSIZE8 1) : int8)) in + let s_1181 := + array_upd s_1181 (usize 11) ((array_index (s_1181) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_1181 := + absorb_block (msg_block_1196) (s_1181) in + (s_1181, message_1182). + +Definition nonce_to_u32s (nonce_1197 : nonce_t) : seq uint32 := + let uints_1198 : seq uint32 := + seq_new_ (default : uint32) (usize 4) in + let uints_1198 := + seq_upd uints_1198 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 0, usize 4 + )))) in + let uints_1198 := + seq_upd uints_1198 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 4, usize 8 + )))) in + let uints_1198 := + seq_upd uints_1198 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 8, usize 12 + )))) in + let uints_1198 := + seq_upd uints_1198 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 12, usize 16 + )))) in + uints_1198. + +Definition key_to_u32s (key_1199 : key_t) : seq uint32 := + let uints_1200 : seq uint32 := + seq_new_ (default : uint32) (usize 8) in + let uints_1200 := + seq_upd uints_1200 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 0, usize 4 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 4, usize 8 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 8, usize 12 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 12, usize 16 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 4) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 16, usize 20 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 5) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 20, usize 24 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 6) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 24, usize 28 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 7) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 28, usize 32 + )))) in + uints_1200. + +Definition gimli_aead_encrypt + (message_1201 : byte_seq) + (ad_1202 : byte_seq) + (nonce_1203 : nonce_t) + (key_1204 : key_t) + : (byte_seq '× tag_t) := + let s_1205 : state_t := + array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1203)) (key_to_u32s ( + key_1204))) in + let s_1206 : state_t := + gimli (s_1205) in + let s_1207 : state_t := + process_ad (ad_1202) (s_1206) in + let '(s_1208, ciphertext_1209) := + process_msg (message_1201) (s_1207) in + let tag_1210 : block_t := + squeeze_block (s_1208) in + let tag_1211 : tag_t := + array_from_seq (16) (array_to_seq (tag_1210)) in + (ciphertext_1209, tag_1211). + +Definition gimli_aead_decrypt + (ciphertext_1212 : byte_seq) + (ad_1213 : byte_seq) + (tag_1214 : tag_t) + (nonce_1215 : nonce_t) + (key_1216 : key_t) + : byte_seq := + let s_1217 : state_t := + array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1215)) (key_to_u32s ( + key_1216))) in + let s_1218 : state_t := + gimli (s_1217) in + let s_1219 : state_t := + process_ad (ad_1213) (s_1218) in + let '(s_1220, message_1221) := + process_ct (ciphertext_1212) (s_1219) in + let my_tag_1222 : block_t := + squeeze_block (s_1220) in + let my_tag_1223 : tag_t := + array_from_seq (16) (array_to_seq (my_tag_1222)) in + let out_1224 : seq uint8 := + seq_new_ (default : uint8) (usize 0) in + let '(out_1224) := + if array_equal (my_tag_1223) (tag_1214):bool then (let out_1224 := + message_1221 in + (out_1224)) else ((out_1224)) in + out_1224. + diff --git a/proof-libs/coq/_vc/Hacspec_Hkdf.v b/proof-libs/coq/_vc/Hacspec_Hkdf.v new file mode 100644 index 000000000..c92018f05 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Hkdf.v @@ -0,0 +1,93 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Hmac. + +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition hash_len_v : uint_size := + (usize 256) / (usize 8). + +Inductive hkdf_error_t := +| InvalidOutputLength : hkdf_error_t. + +Notation "'hkdf_byte_seq_result_t'" := (( + result byte_seq hkdf_error_t)) : hacspec_scope. + +Definition extract (salt_713 : byte_seq) (ikm_714 : byte_seq) : prk_t := + let salt_or_zero_715 : seq uint8 := + seq_new_ (default : uint8) (hash_len_v) in + let '(salt_or_zero_715) := + if (seq_len (salt_713)) >.? (usize 0):bool then (let salt_or_zero_715 := + seq_from_seq (salt_713) in + (salt_or_zero_715)) else ((salt_or_zero_715)) in + array_from_seq (_) (array_to_seq (hmac (salt_or_zero_715) (ikm_714))). + +Definition build_hmac_txt + (t_716 : byte_seq) + (info_717 : byte_seq) + (iteration_718 : uint8) + : byte_seq := + let out_719 : seq uint8 := + seq_new_ (default : uint8) (((seq_len (t_716)) + (seq_len (info_717))) + ( + usize 1)) in + let out_719 := + seq_update (out_719) (usize 0) (t_716) in + let out_719 := + seq_update (out_719) (seq_len (t_716)) (info_717) in + let out_719 := + seq_upd out_719 ((seq_len (t_716)) + (seq_len (info_717))) ( + iteration_718) in + out_719. + +Definition div_ceil (a_720 : uint_size) (b_721 : uint_size) : uint_size := + let q_722 : uint_size := + (a_720) / (b_721) in + let '(q_722) := + if ((a_720) %% (b_721)) !=.? (usize 0):bool then (let q_722 := + (q_722) + (usize 1) in + (q_722)) else ((q_722)) in + q_722. + +Definition check_output_limit + (l_723 : uint_size) + : (result uint_size hkdf_error_t) := + let n_724 : uint_size := + div_ceil (l_723) (hash_len_v) in + (if ((n_724) <=.? (usize 255)):bool then (@Ok uint_size hkdf_error_t ( + n_724)) else (@Err uint_size hkdf_error_t (InvalidOutputLength))). + +Definition expand + (prk_725 : byte_seq) + (info_726 : byte_seq) + (l_727 : uint_size) + : hkdf_byte_seq_result_t := + bind (check_output_limit (l_727)) (fun n_728 => let t_i_729 : prk_t := + array_new_ (default : uint8) (_) in + let t_730 : seq uint8 := + seq_new_ (default : uint8) ((n_728) * (hash_size_v)) in + let '(t_i_729, t_730) := + foldi (usize 0) (n_728) (fun i_731 '(t_i_729, t_730) => + let hmac_txt_in_732 : seq uint8 := + (if ((i_731) =.? (usize 0)):bool then (build_hmac_txt (seq_new_ ( + default : uint8) (usize 0)) (info_726) (secret ((pub_u8 ( + i_731)) .+ (@repr WORDSIZE8 1)) : int8)) else ( + build_hmac_txt (seq_from_seq (array_to_seq (t_i_729))) ( + info_726) (secret ((pub_u8 (i_731)) .+ ( + @repr WORDSIZE8 1)) : int8))) in + let t_i_729 := + hmac (prk_725) (hmac_txt_in_732) in + let t_730 := + seq_update (t_730) ((i_731) * (array_len (t_i_729))) ( + array_to_seq (t_i_729)) in + (t_i_729, t_730)) + (t_i_729, t_730) in + @Ok byte_seq hkdf_error_t (seq_slice (t_730) (usize 0) (l_727))). + diff --git a/proof-libs/coq/_vc/Hacspec_Hmac.v b/proof-libs/coq/_vc/Hacspec_Hmac.v new file mode 100644 index 000000000..3c50a5a70 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Hmac.v @@ -0,0 +1,178 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition block_len_v : uint_size := + k_size_v. + +Definition prk_t := nseq (uint8) (hash_size_v). + +Definition block_t := nseq (uint8) (block_len_v). + +Definition i_pad_v : block_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8 + ] in l). + +Definition o_pad_v : block_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8 + ] in l). + +Definition k_block (k_733 : byte_seq) : block_t := + (if ((seq_len (k_733)) >.? (block_len_v)):bool then (array_update_start ( + array_new_ (default : uint8) (block_len_v)) (array_to_seq (hash ( + k_733)))) else (array_update_start (array_new_ (default : uint8) ( + block_len_v)) (k_733))). + +Definition hmac (k_734 : byte_seq) (txt_735 : byte_seq) : prk_t := + let k_block_736 : block_t := + k_block (k_734) in + let h_in_737 : seq uint8 := + seq_from_seq (array_to_seq ((k_block_736) array_xor (i_pad_v))) in + let h_in_737 := + seq_concat (h_in_737) (txt_735) in + let h_inner_738 : sha256_digest_t := + hash (h_in_737) in + let h_in_739 : seq uint8 := + seq_from_seq (array_to_seq ((k_block_736) array_xor (o_pad_v))) in + let h_in_739 := + seq_concat (h_in_739) (array_to_seq (h_inner_738)) in + array_from_seq (hash_size_v) (array_to_seq (hash (h_in_739))). + diff --git a/proof-libs/coq/_vc/Hacspec_Linalg.v b/proof-libs/coq/_vc/Hacspec_Linalg.v new file mode 100644 index 000000000..0dcee9a83 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Linalg.v @@ -0,0 +1,296 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Notation "'dim_type_t'" := (uint_size) : hacspec_scope. + +Notation "'scalar_t'" := (int128) : hacspec_scope. + +Notation "'dims_t'" := ((dim_type_t '× dim_type_t)) : hacspec_scope. + +Notation "'matrix_t'" := ((dims_t '× seq scalar_t)) : hacspec_scope. + +Notation "'mat_res_t'" := ((result matrix_t int8)) : hacspec_scope. + +Notation "'scal_res_t'" := ((result scalar_t int8)) : hacspec_scope. + +Definition dimension_sequence_length_mismatch_v : int8 := + @repr WORDSIZE8 10. + +Definition index_out_of_bounds_v : int8 := + @repr WORDSIZE8 11. + +Definition slice_out_of_bounds_v : int8 := + @repr WORDSIZE8 12. + +Definition dimension_mismatch_v : int8 := + @repr WORDSIZE8 13. + +Definition new_ + (rows_881 : dim_type_t) + (cols_882 : dim_type_t) + (seq_883 : seq scalar_t) + : mat_res_t := + (if (((seq_len (seq_883)) >.? (usize 0)) && (((rows_881) * (cols_882)) =.? ( + seq_len (seq_883)))):bool then (@Ok matrix_t int8 (( + (rows_881, cols_882), + seq_883 + ))) else (@Err matrix_t int8 (dimension_sequence_length_mismatch_v))). + +Definition repeat + (n_884 : dim_type_t) + (m_885 : dim_type_t) + (scalar_886 : scalar_t) + : matrix_t := + let ret_887 : seq int128 := + seq_new_ (default : scalar_t) ((n_884) * (m_885)) in + let ret_887 := + foldi (usize 0) ((n_884) * (m_885)) (fun i_888 ret_887 => + let ret_887 := + seq_upd ret_887 (i_888) (scalar_886) in + (ret_887)) + ret_887 in + ((n_884, m_885), ret_887). + +Definition zeros (n_889 : dim_type_t) (m_890 : dim_type_t) : matrix_t := + repeat (n_889) (m_890) (pub_int128_zero ). + +Definition ones (n_891 : dim_type_t) (m_892 : dim_type_t) : matrix_t := + repeat (n_891) (m_892) (pub_int128_one ). + +Definition identity (n_893 : dim_type_t) (m_894 : dim_type_t) : matrix_t := + let ret_895 : seq int128 := + seq_new_ (default : scalar_t) ((n_893) * (m_894)) in + let ret_895 := + foldi (usize 0) (min (n_893) (m_894)) (fun i_896 ret_895 => + let index_897 : uint_size := + ((i_896) * (min (n_893) (m_894))) + (i_896) in + let ret_895 := + seq_upd ret_895 (index_897) (pub_int128_one ) in + (ret_895)) + ret_895 in + ((n_893, m_894), ret_895). + +Definition index + (m_898 : matrix_t) + (i_899 : dim_type_t) + (j_900 : dim_type_t) + : scal_res_t := + let '(dim_901, seq_902) := + m_898 in + let '(rows_903, cols_904) := + dim_901 in + let index_905 : uint_size := + ((i_899) * (cols_904)) + (j_900) in + (if ((index_905) >=.? ((rows_903) * (cols_904))):bool then ( + @Err scalar_t int8 (index_out_of_bounds_v)) else (@Ok scalar_t int8 ( + seq_index (seq_902) (index_905)))). + +Definition transpose (matrix_906 : matrix_t) : matrix_t := + let '(dim_907, seq_908) := + matrix_906 in + let '(rows_909, cols_910) := + dim_907 in + let ret_911 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (seq_908)) in + let ret_911 := + foldi (usize 0) (rows_909) (fun i_912 ret_911 => + let ret_911 := + foldi (usize 0) (cols_910) (fun j_913 ret_911 => + let seq_index_914 : uint_size := + ((i_912) * (cols_910)) + (j_913) in + let ret_index_915 : uint_size := + ((j_913) * (rows_909)) + (i_912) in + let ret_911 := + seq_upd ret_911 (ret_index_915) (seq_index (seq_908) ( + seq_index_914)) in + (ret_911)) + ret_911 in + (ret_911)) + ret_911 in + ((cols_910, rows_909), ret_911). + +Definition slice + (matrix_916 : matrix_t) + (start_917 : dims_t) + (len_918 : dims_t) + : mat_res_t := + let '(dim_919, seq_920) := + matrix_916 in + let '(rows_921, cols_922) := + dim_919 in + let '(start_row_923, start_col_924) := + start_917 in + let '(len_rows_925, len_cols_926) := + len_918 in + let start_index_927 : uint_size := + ((start_row_923) * (cols_922)) + (start_col_924) in + let ret_928 : seq int128 := + seq_new_ (default : scalar_t) ((len_rows_925) * (len_cols_926)) in + let res_929 : (result matrix_t int8) := + @Err matrix_t int8 (slice_out_of_bounds_v) in + let '(ret_928, res_929) := + if ((start_index_927) + ((len_rows_925) * (len_cols_926))) <=.? (( + rows_921) * (cols_922)):bool then (let ret_928 := + foldi (usize 0) (len_rows_925) (fun i_930 ret_928 => + let ret_928 := + foldi (usize 0) (len_cols_926) (fun j_931 ret_928 => + let ret_index_932 : uint_size := + ((i_930) * (len_cols_926)) + (j_931) in + let seq_index_933 : uint_size := + (((start_row_923) + (i_930)) * (cols_922)) + (( + start_col_924) + (j_931)) in + let ret_928 := + seq_upd ret_928 (ret_index_932) (seq_index (seq_920) ( + seq_index_933)) in + (ret_928)) + ret_928 in + (ret_928)) + ret_928 in + let res_929 := + new_ (len_rows_925) (len_cols_926) (ret_928) in + (ret_928, res_929)) else ((ret_928, res_929)) in + res_929. + +Definition scale (matrix_934 : matrix_t) (scalar_935 : scalar_t) : matrix_t := + let '(dim_936, seq_937) := + matrix_934 in + let ret_938 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (seq_937)) in + let ret_938 := + foldi (usize 0) (seq_len (seq_937)) (fun i_939 ret_938 => + let ret_938 := + seq_upd ret_938 (i_939) ((scalar_935) .* (seq_index (seq_937) ( + i_939))) in + (ret_938)) + ret_938 in + (dim_936, ret_938). + +Definition add + (matrix_1_940 : matrix_t) + (matrix_2_941 : matrix_t) + : mat_res_t := + let '(m1_dim_942, m1_s_943) := + matrix_1_940 in + let '(m2_dim_944, m2_s_945) := + matrix_2_941 in + let ret_946 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (m1_s_943)) in + let res_947 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_946, res_947) := + if (m1_dim_942) =.? (m2_dim_944):bool then (let ret_946 := + foldi (usize 0) (seq_len (m1_s_943)) (fun i_948 ret_946 => + let ret_946 := + seq_upd ret_946 (i_948) ((seq_index (m1_s_943) (i_948)) .+ ( + seq_index (m2_s_945) (i_948))) in + (ret_946)) + ret_946 in + let res_947 := + @Ok matrix_t int8 ((m1_dim_942, ret_946)) in + (ret_946, res_947)) else ((ret_946, res_947)) in + res_947. + +Definition sub + (matrix_1_949 : matrix_t) + (matrix_2_950 : matrix_t) + : mat_res_t := + let '(m1_dim_951, m1_s_952) := + matrix_1_949 in + let '(m2_dim_953, m2_s_954) := + matrix_2_950 in + let ret_955 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (m1_s_952)) in + let res_956 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_955, res_956) := + if (m1_dim_951) =.? (m2_dim_953):bool then (let ret_955 := + foldi (usize 0) (seq_len (m1_s_952)) (fun i_957 ret_955 => + let ret_955 := + seq_upd ret_955 (i_957) ((seq_index (m1_s_952) (i_957)) .- ( + seq_index (m2_s_954) (i_957))) in + (ret_955)) + ret_955 in + let res_956 := + @Ok matrix_t int8 ((m1_dim_951, ret_955)) in + (ret_955, res_956)) else ((ret_955, res_956)) in + res_956. + +Definition component_mul + (matrix_1_958 : matrix_t) + (matrix_2_959 : matrix_t) + : mat_res_t := + let '(m1_dim_960, m1_s_961) := + matrix_1_958 in + let '(m2_dim_962, m2_s_963) := + matrix_2_959 in + let ret_964 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (m1_s_961)) in + let res_965 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_964, res_965) := + if (m1_dim_960) =.? (m2_dim_962):bool then (let ret_964 := + foldi (usize 0) (seq_len (m1_s_961)) (fun i_966 ret_964 => + let ret_964 := + seq_upd ret_964 (i_966) ((seq_index (m1_s_961) (i_966)) .* ( + seq_index (m2_s_963) (i_966))) in + (ret_964)) + ret_964 in + let res_965 := + @Ok matrix_t int8 ((m1_dim_960, ret_964)) in + (ret_964, res_965)) else ((ret_964, res_965)) in + res_965. + +Definition mul + (matrix_1_967 : matrix_t) + (matrix_2_968 : matrix_t) + : mat_res_t := + let '(dim_1_969, seq_1_970) := + matrix_1_967 in + let '(dim_2_971, seq_2_972) := + matrix_2_968 in + let '(l_973, m_974) := + dim_1_969 in + let '(m_975, n_976) := + dim_2_971 in + let ret_977 : seq int128 := + seq_new_ (default : scalar_t) ((l_973) * (n_976)) in + let res_978 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_977, res_978) := + if (m_974) =.? (m_975):bool then (let ret_977 := + foldi (usize 0) (l_973) (fun i_979 ret_977 => + let ret_977 := + foldi (usize 0) (n_976) (fun j_980 ret_977 => + let acc_981 : int128 := + pub_int128_zero in + let index_982 : uint_size := + ((i_979) * (n_976)) + (j_980) in + let acc_981 := + foldi (usize 0) (m_974) (fun k_983 acc_981 => + let index_1_984 : uint_size := + ((i_979) * (m_974)) + (k_983) in + let index_2_985 : uint_size := + ((k_983) * (n_976)) + (j_980) in + let acc_981 := + (acc_981) .+ ((seq_index (seq_1_970) (index_1_984)) .* ( + seq_index (seq_2_972) (index_2_985))) in + (acc_981)) + acc_981 in + let ret_977 := + seq_upd ret_977 (index_982) (acc_981) in + (ret_977)) + ret_977 in + (ret_977)) + ret_977 in + let res_978 := + new_ (l_973) (n_976) (ret_977) in + (ret_977, res_978)) else ((ret_977, res_978)) in + res_978. + diff --git a/proof-libs/coq/_vc/Hacspec_Merlin.v b/proof-libs/coq/_vc/Hacspec_Merlin.v new file mode 100644 index 000000000..15f1316b7 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Merlin.v @@ -0,0 +1,88 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Strobe. + +Notation "'transcript_t'" := (strobe_t) : hacspec_scope. + +Definition merlin_protocol_label : seq uint8 := + [ + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 105) : int8; + secret (@repr WORDSIZE8 110) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 48) : int8 + ]. + +Definition encode_uint64 (x_1051 : uint64) : seq uint8 := + array_to_le_bytes (uint64_to_le_bytes (x_1051)). + +Definition encode_usize_as_u32 (x_1052 : uint_size) : seq uint8 := + let x_uint32_1053 : uint32 := + uint32_classify (pub_u32 (x_1052)) in + array_to_le_bytes (uint32_to_le_bytes (x_uint32_1053)). + +Definition new_ (label_1054 : seq uint8) : transcript_t := + let transcript_1055 : (state_uint8_t '× int8 '× int8 '× int8) := + new_strobe (merlin_protocol_label ) in + let dom_sep_1056 : seq uint8 := + [ + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 109) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 112) : int8 + ] in + append_message (transcript_1055) (dom_sep_1056) (label_1054). + +Definition append_message + (transcript_1057 : transcript_t) + (label_1058 : seq uint8) + (message_1059 : seq uint8) + : transcript_t := + let data_len_1060 : seq uint8 := + array_to_be_bytes (uint32_to_le_bytes (uint32_classify (pub_u32 (seq_len ( + message_1059))))) in + let transcript_1057 := + meta_ad (transcript_1057) (label_1058) (false) in + let transcript_1057 := + meta_ad (transcript_1057) (data_len_1060) (true) in + let transcript_1057 := + ad (transcript_1057) (message_1059) (false) in + transcript_1057. + +Definition challenge_bytes + (transcript_1061 : transcript_t) + (label_1062 : seq uint8) + (dest_1063 : seq uint8) + : (transcript_t '× seq uint8) := + let data_len_1064 : seq uint8 := + encode_usize_as_u32 (seq_len (dest_1063)) in + let transcript_1061 := + meta_ad (transcript_1061) (label_1062) (false) in + let transcript_1061 := + meta_ad (transcript_1061) (data_len_1064) (true) in + prf (transcript_1061) (dest_1063) (false). + +Definition append_uint64 + (transcript_1065 : transcript_t) + (label_1066 : seq uint8) + (x_1067 : uint64) + : transcript_t := + append_message (transcript_1065) (label_1066) (encode_uint64 (x_1067)). + diff --git a/proof-libs/coq/_vc/Hacspec_Ntru_Prime.v b/proof-libs/coq/_vc/Hacspec_Ntru_Prime.v new file mode 100644 index 000000000..b40600184 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Ntru_Prime.v @@ -0,0 +1,138 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition build_irreducible (p_1256 : uint_size) : seq int128 := + let irr_1257 : seq int128 := + seq_new_ (default : int128) ((p_1256) + (usize 1)) in + let irr_1257 := + seq_upd irr_1257 (usize 0) (- (@repr WORDSIZE128 1)) in + let irr_1257 := + seq_upd irr_1257 (usize 1) (- (@repr WORDSIZE128 1)) in + let irr_1257 := + seq_upd irr_1257 (p_1256) (@repr WORDSIZE128 1) in + irr_1257. + +Definition round_to_3 (poly_1258 : seq int128) (q_1259 : int128) : seq int128 := + let result_1260 : seq int128 := + (poly_1258) in + let q_12_1261 : int128 := + ((q_1259) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in + let result_1260 := + foldi (usize 0) (seq_len (poly_1258)) (fun i_1262 result_1260 => + let '(result_1260) := + if (seq_index (poly_1258) (i_1262)) >.? (q_12_1261):bool then ( + let result_1260 := + seq_upd result_1260 (i_1262) ((seq_index (poly_1258) (i_1262)) .- ( + q_1259)) in + (result_1260)) else ((result_1260)) in + (result_1260)) + result_1260 in + let result_1260 := + foldi (usize 0) (seq_len (result_1260)) (fun i_1263 result_1260 => + let '(result_1260) := + if ((seq_index (result_1260) (i_1263)) .% (@repr WORDSIZE128 3)) !=.? ( + @repr WORDSIZE128 0):bool then (let result_1260 := + seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( + i_1263)) .- (@repr WORDSIZE128 1)) in + let '(result_1260) := + if ((seq_index (result_1260) (i_1263)) .% ( + @repr WORDSIZE128 3)) !=.? (@repr WORDSIZE128 0):bool then ( + let result_1260 := + seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( + i_1263)) .+ (@repr WORDSIZE128 2)) in + (result_1260)) else ((result_1260)) in + (result_1260)) else ((result_1260)) in + (result_1260)) + result_1260 in + result_1260. + +Definition encrypt + (r_1264 : seq int128) + (h_1265 : seq int128) + (q_1266 : int128) + (irreducible_1267 : seq int128) + : seq int128 := + let pre_1268 : seq int128 := + mul_poly_irr (r_1264) (h_1265) (irreducible_1267) (q_1266) in + round_to_3 (pre_1268) (q_1266). + +Definition ntru_prime_653_encrypt + (r_1269 : seq int128) + (h_1270 : seq int128) + : seq int128 := + let p_1271 : uint_size := + usize 653 in + let q_1272 : int128 := + @repr WORDSIZE128 4621 in + let w_1273 : uint_size := + usize 288 in + let irreducible_1274 : seq int128 := + build_irreducible (p_1271) in + encrypt (r_1269) (h_1270) (q_1272) (irreducible_1274). + +Definition ntru_prime_653_decrypt + (c_1275 : seq int128) + (key_f_1276 : seq int128) + (key_v_1277 : seq int128) + : (seq int128 '× bool) := + let p_1278 : uint_size := + usize 653 in + let q_1279 : int128 := + @repr WORDSIZE128 4621 in + let w_1280 : uint_size := + usize 288 in + let irreducible_1281 : seq int128 := + build_irreducible (p_1278) in + let f_c_1282 : seq int128 := + mul_poly_irr (key_f_1276) (c_1275) (irreducible_1281) (q_1279) in + let f_3_c_and_decryption_ok_1283 : (seq int128 '× bool) := + poly_to_ring (irreducible_1281) (add_poly (f_c_1282) (add_poly (f_c_1282) ( + f_c_1282) (q_1279)) (q_1279)) (q_1279) in + let '(f_3_c_1284, ok_decrypt_1285) := + f_3_c_and_decryption_ok_1283 in + let f_3_c_1286 : seq int128 := + f_3_c_1284 in + let q_12_1287 : int128 := + ((q_1279) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in + let f_3_c_1286 := + foldi (usize 0) (seq_len (f_3_c_1286)) (fun i_1288 f_3_c_1286 => + let '(f_3_c_1286) := + if (seq_index (f_3_c_1286) (i_1288)) >.? (q_12_1287):bool then ( + let f_3_c_1286 := + seq_upd f_3_c_1286 (i_1288) ((seq_index (f_3_c_1286) (i_1288)) .- ( + q_1279)) in + (f_3_c_1286)) else ((f_3_c_1286)) in + (f_3_c_1286)) + f_3_c_1286 in + let e_1289 : seq int128 := + seq_new_ (default : int128) (seq_len (f_3_c_1286)) in + let e_1289 := + foldi (usize 0) (seq_len (e_1289)) (fun i_1290 e_1289 => + let e_1289 := + seq_upd e_1289 (i_1290) ((seq_index (f_3_c_1286) (i_1290)) .% ( + @repr WORDSIZE128 3)) in + (e_1289)) + e_1289 in + let e_1289 := + make_positive (e_1289) (@repr WORDSIZE128 3) in + let r_1291 : seq int128 := + mul_poly_irr (e_1289) (key_v_1277) (irreducible_1281) ( + @repr WORDSIZE128 3) in + let r_1291 := + foldi (usize 0) (seq_len (r_1291)) (fun i_1292 r_1291 => + let '(r_1291) := + if (seq_index (r_1291) (i_1292)) =.? (@repr WORDSIZE128 2):bool then ( + let r_1291 := + seq_upd r_1291 (i_1292) (- (@repr WORDSIZE128 1)) in + (r_1291)) else ((r_1291)) in + (r_1291)) + r_1291 in + (r_1291, ok_decrypt_1285). + diff --git a/proof-libs/coq/_vc/Hacspec_P256.v b/proof-libs/coq/_vc/Hacspec_P256.v new file mode 100644 index 000000000..676c262d4 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_P256.v @@ -0,0 +1,494 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Inductive error_t := +| InvalidAddition : error_t. + +Definition bits_v : uint_size := + usize 256. + +Definition field_canvas_t := nseq (int8) (32). +Definition p256_field_element_t := + nat_mod 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition p256_scalar_t := + nat_mod 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551. + +Notation "'affine_t'" := ((p256_field_element_t '× p256_field_element_t +)) : hacspec_scope. + +Notation "'affine_result_t'" := ((result affine_t error_t)) : hacspec_scope. + +Notation "'p256_jacobian_t'" := (( + p256_field_element_t '× + p256_field_element_t '× + p256_field_element_t +)) : hacspec_scope. + +Notation "'jacobian_result_t'" := (( + result p256_jacobian_t error_t)) : hacspec_scope. + +Definition element_t := nseq (uint8) (usize 32). + +Definition jacobian_to_affine (p_569 : p256_jacobian_t) : affine_t := + let '(x_570, y_571, z_572) := + p_569 in + let z2_573 : p256_field_element_t := + nat_mod_exp (z_572) (@repr WORDSIZE32 2) in + let z2i_574 : p256_field_element_t := + nat_mod_inv (z2_573) in + let z3_575 : p256_field_element_t := + (z_572) *% (z2_573) in + let z3i_576 : p256_field_element_t := + nat_mod_inv (z3_575) in + let x_577 : p256_field_element_t := + (x_570) *% (z2i_574) in + let y_578 : p256_field_element_t := + (y_571) *% (z3i_576) in + (x_577, y_578). + +Definition affine_to_jacobian (p_579 : affine_t) : p256_jacobian_t := + let '(x_580, y_581) := + p_579 in + ( + x_580, + y_581, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t + ). + +Definition point_double (p_582 : p256_jacobian_t) : p256_jacobian_t := + let '(x1_583, y1_584, z1_585) := + p_582 in + let delta_586 : p256_field_element_t := + nat_mod_exp (z1_585) (@repr WORDSIZE32 2) in + let gamma_587 : p256_field_element_t := + nat_mod_exp (y1_584) (@repr WORDSIZE32 2) in + let beta_588 : p256_field_element_t := + (x1_583) *% (gamma_587) in + let alpha_1_589 : p256_field_element_t := + (x1_583) -% (delta_586) in + let alpha_2_590 : p256_field_element_t := + (x1_583) +% (delta_586) in + let alpha_591 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% ((alpha_1_589) *% ( + alpha_2_590)) in + let x3_592 : p256_field_element_t := + (nat_mod_exp (alpha_591) (@repr WORDSIZE32 2)) -% ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 8) : p256_field_element_t) *% (beta_588)) in + let z3_593 : p256_field_element_t := + nat_mod_exp ((y1_584) +% (z1_585)) (@repr WORDSIZE32 2) in + let z3_594 : p256_field_element_t := + (z3_593) -% ((gamma_587) +% (delta_586)) in + let y3_1_595 : p256_field_element_t := + ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 4) : p256_field_element_t) *% (beta_588)) -% ( + x3_592) in + let y3_2_596 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 8) : p256_field_element_t) *% ((gamma_587) *% ( + gamma_587)) in + let y3_597 : p256_field_element_t := + ((alpha_591) *% (y3_1_595)) -% (y3_2_596) in + (x3_592, y3_597, z3_594). + +Definition is_point_at_infinity (p_598 : p256_jacobian_t) : bool := + let '(x_599, y_600, z_601) := + p_598 in + nat_mod_equal (z_601) (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t). + +Definition s1_equal_s2 + (s1_602 : p256_field_element_t) + (s2_603 : p256_field_element_t) + : jacobian_result_t := + (if (nat_mod_equal (s1_602) (s2_603)):bool then ( + @Err p256_jacobian_t error_t (InvalidAddition)) else ( + @Ok p256_jacobian_t error_t (( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t + )))). + +Definition point_add_jacob + (p_604 : p256_jacobian_t) + (q_605 : p256_jacobian_t) + : jacobian_result_t := + let result_606 : (result p256_jacobian_t error_t) := + @Ok p256_jacobian_t error_t (q_605) in + let '(result_606) := + if negb (is_point_at_infinity (p_604)):bool then (let '(result_606) := + if is_point_at_infinity (q_605):bool then (let result_606 := + @Ok p256_jacobian_t error_t (p_604) in + (result_606)) else (let '(x1_607, y1_608, z1_609) := + p_604 in + let '(x2_610, y2_611, z2_612) := + q_605 in + let z1z1_613 : p256_field_element_t := + nat_mod_exp (z1_609) (@repr WORDSIZE32 2) in + let z2z2_614 : p256_field_element_t := + nat_mod_exp (z2_612) (@repr WORDSIZE32 2) in + let u1_615 : p256_field_element_t := + (x1_607) *% (z2z2_614) in + let u2_616 : p256_field_element_t := + (x2_610) *% (z1z1_613) in + let s1_617 : p256_field_element_t := + ((y1_608) *% (z2_612)) *% (z2z2_614) in + let s2_618 : p256_field_element_t := + ((y2_611) *% (z1_609)) *% (z1z1_613) in + let '(result_606) := + if nat_mod_equal (u1_615) (u2_616):bool then (let result_606 := + s1_equal_s2 (s1_617) (s2_618) in + (result_606)) else (let h_619 : p256_field_element_t := + (u2_616) -% (u1_615) in + let i_620 : p256_field_element_t := + nat_mod_exp ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (h_619)) ( + @repr WORDSIZE32 2) in + let j_621 : p256_field_element_t := + (h_619) *% (i_620) in + let r_622 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (( + s2_618) -% (s1_617)) in + let v_623 : p256_field_element_t := + (u1_615) *% (i_620) in + let x3_1_624 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (v_623) in + let x3_2_625 : p256_field_element_t := + (nat_mod_exp (r_622) (@repr WORDSIZE32 2)) -% (j_621) in + let x3_626 : p256_field_element_t := + (x3_2_625) -% (x3_1_624) in + let y3_1_627 : p256_field_element_t := + ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% ( + s1_617)) *% (j_621) in + let y3_2_628 : p256_field_element_t := + (r_622) *% ((v_623) -% (x3_626)) in + let y3_629 : p256_field_element_t := + (y3_2_628) -% (y3_1_627) in + let z3_630 : p256_field_element_t := + nat_mod_exp ((z1_609) +% (z2_612)) (@repr WORDSIZE32 2) in + let z3_631 : p256_field_element_t := + ((z3_630) -% ((z1z1_613) +% (z2z2_614))) *% (h_619) in + let result_606 := + @Ok p256_jacobian_t error_t ((x3_626, y3_629, z3_631)) in + (result_606)) in + (result_606)) in + (result_606)) else ((result_606)) in + result_606. + +Definition ltr_mul + (k_632 : p256_scalar_t) + (p_633 : p256_jacobian_t) + : jacobian_result_t := + let q_634 : ( + p256_field_element_t '× + p256_field_element_t '× + p256_field_element_t + ) := + ( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t + ) in + bind (foldibnd (usize 0) to (bits_v) for q_634 >> (fun i_635 q_634 => + let q_634 := + point_double (q_634) in + ifbnd nat_mod_equal (nat_mod_get_bit (k_632) (((bits_v) - (usize 1)) - ( + i_635))) (nat_mod_one ) : bool + thenbnd (bind (point_add_jacob (q_634) (p_633)) (fun q_634 => @Ok ( + ( + p256_field_element_t '× + p256_field_element_t '× + p256_field_element_t + ) + ) error_t ((q_634)))) + else ((q_634)) >> (fun '(q_634) => + @Ok ( + (p256_field_element_t '× p256_field_element_t '× p256_field_element_t) + ) error_t ((q_634))))) (fun q_634 => @Ok p256_jacobian_t error_t (q_634)). + +Definition p256_point_mul + (k_636 : p256_scalar_t) + (p_637 : affine_t) + : affine_result_t := + bind (ltr_mul (k_636) (affine_to_jacobian (p_637))) (fun jac_638 => + @Ok affine_t error_t (jacobian_to_affine (jac_638))). + +Definition p256_point_mul_base (k_639 : p256_scalar_t) : affine_result_t := + let base_point_640 : (p256_field_element_t '× p256_field_element_t) := + ( + nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 225) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 71) : int8; + secret (@repr WORDSIZE8 248) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 230) : int8; + secret (@repr WORDSIZE8 229) : int8; + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 164) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 125) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 244) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 150) : int8 + ] in l))) : p256_field_element_t, + nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 22) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 87) : int8; + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 203) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 245) : int8 + ] in l))) : p256_field_element_t + ) in + p256_point_mul (k_639) (base_point_640). + +Definition point_add_distinct + (p_641 : affine_t) + (q_642 : affine_t) + : affine_result_t := + bind (point_add_jacob (affine_to_jacobian (p_641)) (affine_to_jacobian ( + q_642))) (fun r_643 => @Ok affine_t error_t (jacobian_to_affine ( + r_643))). + +Definition point_add (p_644 : affine_t) (q_645 : affine_t) : affine_result_t := + (if ((p_644) !=.? (q_645)):bool then (point_add_distinct (p_644) ( + q_645)) else (@Ok affine_t error_t (jacobian_to_affine (point_double ( + affine_to_jacobian (p_644)))))). + +Definition p256_validate_private_key (k_646 : byte_seq) : bool := + let valid_647 : bool := + true in + let k_element_648 : p256_scalar_t := + nat_mod_from_byte_seq_be (k_646) : p256_scalar_t in + let k_element_bytes_649 : seq uint8 := + nat_mod_to_byte_seq_be (k_element_648) in + let all_zero_650 : bool := + true in + let '(valid_647, all_zero_650) := + foldi (usize 0) (seq_len (k_646)) (fun i_651 '(valid_647, all_zero_650) => + let '(all_zero_650) := + if negb (uint8_equal (seq_index (k_646) (i_651)) (secret ( + @repr WORDSIZE8 0) : int8)):bool then (let all_zero_650 := + false in + (all_zero_650)) else ((all_zero_650)) in + let '(valid_647) := + if negb (uint8_equal (seq_index (k_element_bytes_649) (i_651)) ( + seq_index (k_646) (i_651))):bool then (let valid_647 := + false in + (valid_647)) else ((valid_647)) in + (valid_647, all_zero_650)) + (valid_647, all_zero_650) in + (valid_647) && (negb (all_zero_650)). + +Definition p256_validate_public_key (p_652 : affine_t) : bool := + let b_653 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 75) : int8 + ]) : p256_field_element_t in + let point_at_infinity_654 : bool := + is_point_at_infinity (affine_to_jacobian (p_652)) in + let '(x_655, y_656) := + p_652 in + let on_curve_657 : bool := + ((y_656) *% (y_656)) =.? (((((x_655) *% (x_655)) *% (x_655)) -% (( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% (x_655))) +% ( + b_653)) in + (negb (point_at_infinity_654)) && (on_curve_657). + +Definition p256_calculate_w + (x_658 : p256_field_element_t) + : p256_field_element_t := + let b_659 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 75) : int8 + ]) : p256_field_element_t in + let exp_660 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 63) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 192) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8 + ]) : p256_field_element_t in + let z_661 : p256_field_element_t := + ((((x_658) *% (x_658)) *% (x_658)) -% ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% (x_658))) +% ( + b_659) in + let w_662 : p256_field_element_t := + nat_mod_pow_felem (z_661) (exp_660) in + w_662. + diff --git a/proof-libs/coq/_vc/Hacspec_Poly1305.v b/proof-libs/coq/_vc/Hacspec_Poly1305.v new file mode 100644 index 000000000..745854dec --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Poly1305.v @@ -0,0 +1,147 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition poly_key_t := nseq (uint8) (usize 32). + +Definition blocksize_v : uint_size := + usize 16. + +Definition poly_block_t := nseq (uint8) (usize 16). + +Definition poly1305_tag_t := nseq (uint8) (usize 16). + +Notation "'sub_block_t'" := (byte_seq) : hacspec_scope. + +Notation "'block_index_t'" := (uint_size) : hacspec_scope. + +Definition field_canvas_t := nseq (int8) (17). +Definition field_element_t := nat_mod 0x03fffffffffffffffffffffffffffffffb. + +Notation "'poly_state_t'" := (( + field_element_t '× + field_element_t '× + poly_key_t +)) : hacspec_scope. + +Definition poly1305_encode_r (b_435 : poly_block_t) : field_element_t := + let n_436 : uint128 := + uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_435))) in + let n_436 := + (n_436) .& (secret ( + @repr WORDSIZE128 21267647620597763993911028882763415551) : int128) in + nat_mod_from_secret_literal (n_436). + +Definition poly1305_encode_block (b_437 : poly_block_t) : field_element_t := + let n_438 : uint128 := + uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_437))) in + let f_439 : field_element_t := + nat_mod_from_secret_literal (n_438) in + (f_439) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ( + usize 128) : field_element_t). + +Definition poly1305_encode_last + (pad_len_440 : block_index_t) + (b_441 : sub_block_t) + : field_element_t := + let n_442 : uint128 := + uint128_from_le_bytes (array_from_slice (default : uint8) (16) (b_441) ( + usize 0) (seq_len (b_441))) in + let f_443 : field_element_t := + nat_mod_from_secret_literal (n_442) in + (f_443) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ((usize 8) * ( + pad_len_440)) : field_element_t). + +Definition poly1305_init (k_444 : poly_key_t) : poly_state_t := + let r_445 : field_element_t := + poly1305_encode_r (array_from_slice (default : uint8) (16) ( + array_to_seq (k_444)) (usize 0) (usize 16)) in + (nat_mod_zero , r_445, k_444). + +Definition poly1305_update_block + (b_446 : poly_block_t) + (st_447 : poly_state_t) + : poly_state_t := + let '(acc_448, r_449, k_450) := + st_447 in + (((poly1305_encode_block (b_446)) +% (acc_448)) *% (r_449), r_449, k_450). + +Definition poly1305_update_blocks + (m_451 : byte_seq) + (st_452 : poly_state_t) + : poly_state_t := + let st_453 : (field_element_t '× field_element_t '× poly_key_t) := + st_452 in + let n_blocks_454 : uint_size := + (seq_len (m_451)) / (blocksize_v) in + let st_453 := + foldi (usize 0) (n_blocks_454) (fun i_455 st_453 => + let block_456 : poly_block_t := + array_from_seq (16) (seq_get_exact_chunk (m_451) (blocksize_v) ( + i_455)) in + let st_453 := + poly1305_update_block (block_456) (st_453) in + (st_453)) + st_453 in + st_453. + +Definition poly1305_update_last + (pad_len_457 : uint_size) + (b_458 : sub_block_t) + (st_459 : poly_state_t) + : poly_state_t := + let st_460 : (field_element_t '× field_element_t '× poly_key_t) := + st_459 in + let '(st_460) := + if (seq_len (b_458)) !=.? (usize 0):bool then (let '(acc_461, r_462, k_463 + ) := + st_460 in + let st_460 := + ( + ((poly1305_encode_last (pad_len_457) (b_458)) +% (acc_461)) *% ( + r_462), + r_462, + k_463 + ) in + (st_460)) else ((st_460)) in + st_460. + +Definition poly1305_update + (m_464 : byte_seq) + (st_465 : poly_state_t) + : poly_state_t := + let st_466 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_update_blocks (m_464) (st_465) in + let last_467 : seq uint8 := + seq_get_remainder_chunk (m_464) (blocksize_v) in + poly1305_update_last (seq_len (last_467)) (last_467) (st_466). + +Definition poly1305_finish (st_468 : poly_state_t) : poly1305_tag_t := + let '(acc_469, _, k_470) := + st_468 in + let n_471 : uint128 := + uint128_from_le_bytes (array_from_slice (default : uint8) (16) ( + array_to_seq (k_470)) (usize 16) (usize 16)) in + let aby_472 : seq uint8 := + nat_mod_to_byte_seq_le (acc_469) in + let a_473 : uint128 := + uint128_from_le_bytes (array_from_slice (default : uint8) (16) (aby_472) ( + usize 0) (usize 16)) in + array_from_seq (16) (array_to_seq (uint128_to_le_bytes ((a_473) .+ (n_471)))). + +Definition poly1305 + (m_474 : byte_seq) + (key_475 : poly_key_t) + : poly1305_tag_t := + let st_476 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_init (key_475) in + let st_476 := + poly1305_update (m_474) (st_476) in + poly1305_finish (st_476). + diff --git a/proof-libs/coq/_vc/Hacspec_Riot_Bootloader.v b/proof-libs/coq/_vc/Hacspec_Riot_Bootloader.v new file mode 100644 index 000000000..32f8905cf --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Riot_Bootloader.v @@ -0,0 +1,184 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition riotboot_magic_v : int32 := + @repr WORDSIZE32 1414482258. + +Notation "'fletcher_t'" := ((int32 '× int32)) : hacspec_scope. + +Definition new_fletcher : fletcher_t := + (@repr WORDSIZE32 65535, @repr WORDSIZE32 65535). + +Definition max_chunk_size : uint_size := + usize 360. + +Definition reduce_u32 (x_1293 : int32) : int32 := + ((x_1293) .& (@repr WORDSIZE32 65535)) .+ ((x_1293) shift_right ( + @repr WORDSIZE32 16)). + +Definition combine (lower_1294 : int32) (upper_1295 : int32) : int32 := + (lower_1294) .| ((upper_1295) shift_left (@repr WORDSIZE32 16)). + +Definition update_fletcher + (f_1296 : fletcher_t) + (data_1297 : seq int16) + : fletcher_t := + let max_chunk_size_1298 : uint_size := + max_chunk_size in + let '(a_1299, b_1300) := + f_1296 in + let '(a_1299, b_1300) := + foldi (usize 0) (seq_num_chunks (data_1297) ( + max_chunk_size_1298)) (fun i_1301 '(a_1299, b_1300) => + let '(chunk_len_1302, chunk_1303) := + seq_get_chunk (data_1297) (max_chunk_size_1298) (i_1301) in + let intermediate_a_1304 : int32 := + a_1299 in + let intermediate_b_1305 : int32 := + b_1300 in + let '(intermediate_a_1304, intermediate_b_1305) := + foldi (usize 0) (chunk_len_1302) (fun j_1306 '( + intermediate_a_1304, + intermediate_b_1305 + ) => + let intermediate_a_1304 := + (intermediate_a_1304) .+ (@cast _ uint32 _ (seq_index (chunk_1303) ( + j_1306))) in + let intermediate_b_1305 := + (intermediate_b_1305) .+ (intermediate_a_1304) in + (intermediate_a_1304, intermediate_b_1305)) + (intermediate_a_1304, intermediate_b_1305) in + let a_1299 := + reduce_u32 (intermediate_a_1304) in + let b_1300 := + reduce_u32 (intermediate_b_1305) in + (a_1299, b_1300)) + (a_1299, b_1300) in + let a_1299 := + reduce_u32 (a_1299) in + let b_1300 := + reduce_u32 (b_1300) in + (a_1299, b_1300). + +Definition value (x_1307 : fletcher_t) : int32 := + let '(a_1308, b_1309) := + x_1307 in + combine (a_1308) (b_1309). + +Notation "'header_t'" := ((int32 '× int32 '× int32 '× int32 +)) : hacspec_scope. + +Definition header_as_u16_slice (h_1310 : header_t) : seq int16 := + let '(magic_1311, seq_number_1312, start_addr_1313, _) := + h_1310 in + let magic_1314 : u32_word_t := + u32_to_be_bytes (magic_1311) in + let seq_number_1315 : u32_word_t := + u32_to_be_bytes (seq_number_1312) in + let start_addr_1316 : u32_word_t := + u32_to_be_bytes (start_addr_1313) in + let u8_seq_1317 : seq int8 := + seq_new_ (default : int8) (usize 12) in + let u8_seq_1318 : seq int8 := + seq_update_slice (u8_seq_1317) (usize 0) (array_to_seq (magic_1314)) ( + usize 0) (usize 4) in + let u8_seq_1319 : seq int8 := + seq_update_slice (u8_seq_1318) (usize 4) (array_to_seq (seq_number_1315)) ( + usize 0) (usize 4) in + let u8_seq_1320 : seq int8 := + seq_update_slice (u8_seq_1319) (usize 8) (array_to_seq (start_addr_1316)) ( + usize 0) (usize 4) in + let u16_seq_1321 : seq int16 := + seq_new_ (default : int16) (usize 6) in + let u16_seq_1321 := + foldi (usize 0) (usize 3) (fun i_1322 u16_seq_1321 => + let u16_word_1323 : u16_word_t := + array_from_seq (2) (seq_slice (u8_seq_1320) ((i_1322) * (usize 4)) ( + usize 2)) in + let u16_value_1324 : int16 := + u16_from_be_bytes (u16_word_1323) in + let u16_seq_1321 := + seq_upd u16_seq_1321 (((usize 2) * (i_1322)) + (usize 1)) ( + u16_value_1324) in + let u16_word_1325 : u16_word_t := + array_from_seq (2) (seq_slice (u8_seq_1320) (((i_1322) * (usize 4)) + ( + usize 2)) (usize 2)) in + let u16_value_1326 : int16 := + u16_from_be_bytes (u16_word_1325) in + let u16_seq_1321 := + seq_upd u16_seq_1321 ((usize 2) * (i_1322)) (u16_value_1326) in + (u16_seq_1321)) + u16_seq_1321 in + u16_seq_1321. + +Definition is_valid_header (h_1327 : header_t) : bool := + let '(magic_number_1328, seq_number_1329, start_addr_1330, checksum_1331) := + h_1327 in + let slice_1332 : seq int16 := + header_as_u16_slice (( + magic_number_1328, + seq_number_1329, + start_addr_1330, + checksum_1331 + )) in + let result_1333 : bool := + false in + let '(result_1333) := + if (magic_number_1328) =.? (riotboot_magic_v):bool then ( + let fletcher_1334 : (int32 '× int32) := + new_fletcher in + let fletcher_1335 : (int32 '× int32) := + update_fletcher (fletcher_1334) (slice_1332) in + let sum_1336 : int32 := + value (fletcher_1335) in + let result_1333 := + (sum_1336) =.? (checksum_1331) in + (result_1333)) else ((result_1333)) in + result_1333. + +Definition choose_image (images_1337 : seq header_t) : (bool '× int32) := + let image_1338 : int32 := + @repr WORDSIZE32 0 in + let image_found_1339 : bool := + false in + let '(image_1338, image_found_1339) := + foldi (usize 0) (seq_len (images_1337)) (fun i_1340 '( + image_1338, + image_found_1339 + ) => + let header_1341 : (int32 '× int32 '× int32 '× int32) := + seq_index (images_1337) (i_1340) in + let '(magic_number_1342, seq_number_1343, start_addr_1344, checksum_1345 + ) := + header_1341 in + let '(image_1338, image_found_1339) := + if is_valid_header (( + magic_number_1342, + seq_number_1343, + start_addr_1344, + checksum_1345 + )):bool then (let change_image_1346 : bool := + negb ((image_found_1339) && ((seq_number_1343) <=.? ( + image_1338))) in + let '(image_1338, image_found_1339) := + if change_image_1346:bool then (let image_1338 := + start_addr_1344 in + let image_found_1339 := + true in + (image_1338, image_found_1339)) else (( + image_1338, + image_found_1339 + )) in + (image_1338, image_found_1339)) else ((image_1338, image_found_1339 + )) in + (image_1338, image_found_1339)) + (image_1338, image_found_1339) in + (image_found_1339, image_1338). + diff --git a/proof-libs/coq/_vc/Hacspec_Riot_Runqueue.v b/proof-libs/coq/_vc/Hacspec_Riot_Runqueue.v new file mode 100644 index 000000000..31ad634c8 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Riot_Runqueue.v @@ -0,0 +1,224 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition uint32_bits_v : uint_size := + (usize 4) * (usize 8). + +Definition n_queues_v : uint_size := + usize 20. + +Definition n_threads_v : uint_size := + usize 30. + +Definition sentinel_v : int8 := + @repr WORDSIZE8 255. + +Inductive runqueue_id_t := +| RunqueueId : int8 -> runqueue_id_t. + +Inductive thread_id_t := +| ThreadId : int8 -> thread_id_t. + +Definition tail_t := nseq (int8) (n_queues_v). + +Definition next_ids_t := nseq (int8) (n_threads_v). + +Inductive clist_t := +| Clist : (tail_t '× next_ids_t) -> clist_t. + +Definition clist_new : clist_t := + let tail_1347 : tail_t := + array_new_ (default : int8) (n_queues_v) in + let tail_1347 := + foldi (usize 0) (array_len (tail_1347)) (fun i_1348 tail_1347 => + let tail_1347 := + array_upd tail_1347 (i_1348) (sentinel_v) in + (tail_1347)) + tail_1347 in + let next_idxs_1349 : next_ids_t := + array_new_ (default : int8) (n_threads_v) in + let next_idxs_1349 := + foldi (usize 0) (array_len (next_idxs_1349)) (fun i_1350 next_idxs_1349 => + let next_idxs_1349 := + array_upd next_idxs_1349 (i_1350) (sentinel_v) in + (next_idxs_1349)) + next_idxs_1349 in + Clist ((tail_1347, next_idxs_1349)). + +Definition clist_is_empty (x_1351 : clist_t) (rq_1352 : runqueue_id_t) : bool := + let 'RunqueueId (rq_1353) := + rq_1352 in + let 'Clist ((tail_1354, next_ids_1355)) := + x_1351 in + (array_index (tail_1354) (@cast _ uint32 _ (rq_1353))) =.? (sentinel_v). + +Definition clist_push + (x_1356 : clist_t) + (n_1357 : thread_id_t) + (rq_1358 : runqueue_id_t) + : clist_t := + let 'RunqueueId (rq_1359) := + rq_1358 in + let 'ThreadId (n_1360) := + n_1357 in + let 'Clist ((tail_1361, next_idxs_1362)) := + x_1356 in + let '(tail_1361, next_idxs_1362) := + if (array_index (next_idxs_1362) (@cast _ uint32 _ (n_1360))) =.? ( + sentinel_v):bool then (let '(tail_1361, next_idxs_1362) := + if (array_index (tail_1361) (@cast _ uint32 _ (rq_1359))) =.? ( + sentinel_v):bool then (let tail_1361 := + array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in + let next_idxs_1362 := + array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (n_1360) in + (tail_1361, next_idxs_1362)) else (let next_idxs_1362 := + array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (array_index ( + next_idxs_1362) (@cast _ uint32 _ (array_index (tail_1361) ( + @cast _ uint32 _ (rq_1359))))) in + let next_idxs_1362 := + array_upd next_idxs_1362 (@cast _ uint32 _ (array_index ( + tail_1361) (@cast _ uint32 _ (rq_1359)))) (n_1360) in + let tail_1361 := + array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in + (tail_1361, next_idxs_1362)) in + (tail_1361, next_idxs_1362)) else ((tail_1361, next_idxs_1362)) in + Clist ((tail_1361, next_idxs_1362)). + +Definition clist_pop_head + (x_1363 : clist_t) + (rq_1364 : runqueue_id_t) + : (clist_t '× (option int8)) := + let 'RunqueueId (rq_1365) := + rq_1364 in + let 'Clist ((tail_1366, next_idxs_1367)) := + x_1363 in + let out_1368 : (option int8) := + @None int8 in + let '(tail_1366, next_idxs_1367, out_1368) := + if (array_index (tail_1366) (@cast _ uint32 _ (rq_1365))) =.? ( + sentinel_v):bool then ((tail_1366, next_idxs_1367, out_1368)) else ( + let head_1369 : int8 := + array_index (next_idxs_1367) (@cast _ uint32 _ (array_index ( + tail_1366) (@cast _ uint32 _ (rq_1365)))) in + let '(tail_1366, next_idxs_1367) := + if (head_1369) =.? (array_index (tail_1366) (@cast _ uint32 _ ( + rq_1365))):bool then (let tail_1366 := + array_upd tail_1366 (@cast _ uint32 _ (rq_1365)) (sentinel_v) in + (tail_1366, next_idxs_1367)) else (let next_idxs_1367 := + array_upd next_idxs_1367 (@cast _ uint32 _ (array_index ( + tail_1366) (@cast _ uint32 _ (rq_1365)))) (array_index ( + next_idxs_1367) (@cast _ uint32 _ (head_1369))) in + (tail_1366, next_idxs_1367)) in + let next_idxs_1367 := + array_upd next_idxs_1367 (@cast _ uint32 _ (head_1369)) (sentinel_v) in + let out_1368 := + @Some int8 (head_1369) in + (tail_1366, next_idxs_1367, out_1368)) in + (Clist ((tail_1366, next_idxs_1367)), out_1368). + +Definition clist_peek_head + (x_1370 : clist_t) + (rq_1371 : runqueue_id_t) + : (option int8) := + let 'RunqueueId (rq_1372) := + rq_1371 in + let 'Clist ((tail_1373, next_idxs_1374)) := + x_1370 in + (if ((array_index (tail_1373) (@cast _ uint32 _ (rq_1372))) =.? ( + sentinel_v)):bool then (@None int8) else (@Some int8 (array_index ( + next_idxs_1374) (@cast _ uint32 _ (array_index (tail_1373) ( + @cast _ uint32 _ (rq_1372))))))). + +Definition clist_advance + (x_1375 : clist_t) + (rq_1376 : runqueue_id_t) + : clist_t := + let 'RunqueueId (rq_1377) := + rq_1376 in + let 'Clist ((tail_1378, next_idxs_1379)) := + x_1375 in + let '(tail_1378) := + if (array_index (tail_1378) (@cast _ uint32 _ (rq_1377))) !=.? ( + sentinel_v):bool then (let tail_1378 := + array_upd tail_1378 (@cast _ uint32 _ (rq_1377)) (array_index ( + next_idxs_1379) (@cast _ uint32 _ (array_index (tail_1378) ( + @cast _ uint32 _ (rq_1377))))) in + (tail_1378)) else ((tail_1378)) in + Clist ((tail_1378, next_idxs_1379)). + +Inductive run_queue_t := +| RunQueue : (int32 '× clist_t) -> run_queue_t. + +Definition runqueue_new : run_queue_t := + RunQueue ((@repr WORDSIZE32 0, clist_new )). + +Definition runqueue_add + (y_1380 : run_queue_t) + (n_1381 : thread_id_t) + (rq_1382 : runqueue_id_t) + : run_queue_t := + let 'RunqueueId (rq_u8_1383) := + rq_1382 in + let 'RunQueue ((bitcache_1384, queues_1385)) := + y_1380 in + let bitcache_1384 := + (bitcache_1384) .| ((@repr WORDSIZE32 1) shift_left (@cast _ uint32 _ ( + rq_u8_1383))) in + let queues_1385 := + clist_push (queues_1385) (n_1381) (rq_1382) in + RunQueue ((bitcache_1384, queues_1385)). + +Definition runqueue_del + (y_1386 : run_queue_t) + (n_1387 : thread_id_t) + (rq_1388 : runqueue_id_t) + : run_queue_t := + let 'RunqueueId (rq_u8_1389) := + rq_1388 in + let 'RunQueue ((bitcache_1390, queues_1391)) := + y_1386 in + let '(queues_1392, popped_1393) := + clist_pop_head (queues_1391) (rq_1388) in + let '(bitcache_1390) := + if clist_is_empty (queues_1392) (rq_1388):bool then (let bitcache_1390 := + (bitcache_1390) .& (not ((@repr WORDSIZE32 1) shift_left ( + @cast _ uint32 _ (rq_u8_1389)))) in + (bitcache_1390)) else ((bitcache_1390)) in + RunQueue ((bitcache_1390, queues_1392)). + +Definition runqueue_ffs (val_1394 : int32) : int32 := + (pub_u32 (uint32_bits_v)) .- (pub_uint32_leading_zeros (val_1394)). + +Definition runqueue_get_next (y_1395 : run_queue_t) : (option int8) := + let 'RunQueue ((bitcache_1396, queues_1397)) := + y_1395 in + let rq_ffs_1398 : int32 := + runqueue_ffs ((bitcache_1396)) in + let out_1399 : (option int8) := + @None int8 in + let '(out_1399) := + if (rq_ffs_1398) >.? (@repr WORDSIZE32 0):bool then ( + let rq_1400 : runqueue_id_t := + RunqueueId (@cast _ uint8 _ ((rq_ffs_1398) .- (@repr WORDSIZE32 1))) in + let out_1399 := + clist_peek_head (queues_1397) (rq_1400) in + (out_1399)) else ((out_1399)) in + out_1399. + +Definition runqueue_advance + (y_1401 : run_queue_t) + (rq_1402 : runqueue_id_t) + : run_queue_t := + let 'RunQueue ((bitcache_1403, queues_1404)) := + y_1401 in + let queues_1404 := + clist_advance (queues_1404) (rq_1402) in + RunQueue ((bitcache_1403, queues_1404)). + diff --git a/proof-libs/coq/_vc/Hacspec_Ristretto.v b/proof-libs/coq/_vc/Hacspec_Ristretto.v new file mode 100644 index 000000000..9672ef470 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Ristretto.v @@ -0,0 +1,700 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Notation "'ristretto_point_t'" := (( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t +)) : hacspec_scope. + +Notation "'decode_result_t'" := (( + result ristretto_point_t int8)) : hacspec_scope. + +Definition ristretto_point_encoded_t := nseq (uint8) (usize 32). + +Definition byte_string_t := nseq (uint8) (usize 64). + +Definition field_canvas_t := nseq (int8) (32). +Definition field_element_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. + +Definition decoding_error_v : int8 := + @repr WORDSIZE8 20. + +Definition p : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 237) : int8 + ]) : field_element_t. + +Definition d : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 140) : int8; + secret (@repr WORDSIZE8 199) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 232) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 117) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 202) : int8; + secret (@repr WORDSIZE8 19) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 163) : int8 + ]) : field_element_t. + +Definition sqrt_m1 : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 131) : int8; + secret (@repr WORDSIZE8 36) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 223) : int8; + secret (@repr WORDSIZE8 11) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 251) : int8; + secret (@repr WORDSIZE8 215) : int8; + secret (@repr WORDSIZE8 167) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 67) : int8; + secret (@repr WORDSIZE8 24) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 173) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 228) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 196) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 14) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 176) : int8 + ]) : field_element_t. + +Definition invsqrt_a_minus_d : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 137) : int8; + secret (@repr WORDSIZE8 5) : int8; + secret (@repr WORDSIZE8 207) : int8; + secret (@repr WORDSIZE8 175) : int8; + secret (@repr WORDSIZE8 252) : int8; + secret (@repr WORDSIZE8 162) : int8; + secret (@repr WORDSIZE8 22) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 123) : int8; + secret (@repr WORDSIZE8 145) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 157) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 22) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 190) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 200) : int8; + secret (@repr WORDSIZE8 253) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 93) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 234) : int8 + ]) : field_element_t. + +Definition sqrt_ad_minus_one : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 105) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 131) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 172) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 252) : int8; + secret (@repr WORDSIZE8 201) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 245) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 253) : int8; + secret (@repr WORDSIZE8 175) : int8; + secret (@repr WORDSIZE8 157) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 12) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 84) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 126) : int8; + secret (@repr WORDSIZE8 151) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 73) : int8; + secret (@repr WORDSIZE8 123) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 27) : int8 + ]) : field_element_t. + +Definition one_minus_d_sq : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 144) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 178) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 224) : int8; + secret (@repr WORDSIZE8 215) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 148) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 221) : int8; + secret (@repr WORDSIZE8 190) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 223) : int8; + secret (@repr WORDSIZE8 228) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 56) : int8; + secret (@repr WORDSIZE8 205) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 9) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 148) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 118) : int8 + ]) : field_element_t. + +Definition d_minus_one_sq : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 122) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 34) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 220) : int8; + secret (@repr WORDSIZE8 211) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 30) : int8; + secret (@repr WORDSIZE8 25) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 173) : int8; + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 68) : int8; + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 32) : int8 + ]) : field_element_t. + +Definition base_point_encoded : ristretto_point_encoded_t := + array_from_seq (32) ([ + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 174) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 106) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 113) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 132) : int8; + secret (@repr WORDSIZE8 169) : int8; + secret (@repr WORDSIZE8 97) : int8; + secret (@repr WORDSIZE8 197) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 11) : int8; + secret (@repr WORDSIZE8 106) : int8; + secret (@repr WORDSIZE8 165) : int8; + secret (@repr WORDSIZE8 130) : int8; + secret (@repr WORDSIZE8 221) : int8; + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 166) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 224) : int8; + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 118) : int8 + ]). + +Definition base_point : ristretto_point_t := + result_unwrap (decode (base_point_encoded )). + +Definition identity_point : ristretto_point_t := + (fe (usize 0), fe (usize 1), fe (usize 1), fe (usize 0)). + +Definition fe (x_740 : uint_size) : field_element_t := + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + pub_u128 (x_740)) : field_element_t. + +Definition geq_p (x_741 : seq uint8) : bool := + let p_seq_742 : seq uint8 := + [ + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 127) : int8 + ] in + let res_743 : bool := + true in + let res_743 := + foldi (usize 0) (seq_len (p_seq_742)) (fun index_744 res_743 => + let x_index_745 : int8 := + uint8_declassify (seq_index (x_741) (index_744)) in + let p_index_746 : int8 := + uint8_declassify (seq_index (p_seq_742) (index_744)) in + let '(res_743) := + if (x_index_745) !=.? (p_index_746):bool then (let res_743 := + (x_index_745) >.? (p_index_746) in + (res_743)) else ((res_743)) in + (res_743)) + res_743 in + res_743. + +Definition is_negative (e_747 : field_element_t) : bool := + ((e_747) rem (fe (usize 2))) =.? (fe (usize 1)). + +Definition eq (u_748 : field_element_t) (v_749 : field_element_t) : bool := + (u_748) =.? (v_749). + +Definition select + (u_750 : field_element_t) + (cond_751 : bool) + (v_752 : field_element_t) + : field_element_t := + (if (cond_751):bool then (u_750) else (v_752)). + +Definition neg_fe (u_753 : field_element_t) : field_element_t := + (fe (usize 0)) -% (u_753). + +Definition abs (u_754 : field_element_t) : field_element_t := + select (neg_fe (u_754)) (is_negative (u_754)) (u_754). + +Definition sqrt_ratio_m1 + (u_755 : field_element_t) + (v_756 : field_element_t) + : (bool '× field_element_t) := + let v3_757 : field_element_t := + (nat_mod_pow (v_756) (@repr WORDSIZE128 2)) *% (v_756) in + let v7_758 : field_element_t := + (nat_mod_pow (v3_757) (@repr WORDSIZE128 2)) *% (v_756) in + let r_759 : field_element_t := + ((u_755) *% (v3_757)) *% (nat_mod_pow_felem ((u_755) *% (v7_758)) ((( + p ) -% (fe (usize 5))) /% (fe (usize 8)))) in + let check_760 : field_element_t := + (v_756) *% (nat_mod_pow (r_759) (@repr WORDSIZE128 2)) in + let correct_sign_sqrt_761 : bool := + eq (check_760) (u_755) in + let flipped_sign_sqrt_762 : bool := + eq (check_760) (neg_fe (u_755)) in + let flipped_sign_sqrt_i_763 : bool := + eq (check_760) ((neg_fe (u_755)) *% (sqrt_m1 )) in + let r_prime_764 : field_element_t := + (sqrt_m1 ) *% (r_759) in + let r_759 := + select (r_prime_764) ((flipped_sign_sqrt_762) || ( + flipped_sign_sqrt_i_763)) (r_759) in + let r_759 := + abs (r_759) in + let was_square_765 : bool := + (correct_sign_sqrt_761) || (flipped_sign_sqrt_762) in + (was_square_765, r_759). + +Definition map (t_766 : field_element_t) : ristretto_point_t := + let one_767 : field_element_t := + fe (usize 1) in + let minus_one_768 : field_element_t := + neg_fe (one_767) in + let r_769 : field_element_t := + (sqrt_m1 ) *% (nat_mod_pow (t_766) (@repr WORDSIZE128 2)) in + let u_770 : field_element_t := + ((r_769) +% (one_767)) *% (one_minus_d_sq ) in + let v_771 : field_element_t := + ((minus_one_768) -% ((r_769) *% (d ))) *% ((r_769) +% (d )) in + let '(was_square_772, s_773) := + sqrt_ratio_m1 (u_770) (v_771) in + let s_prime_774 : field_element_t := + neg_fe (abs ((s_773) *% (t_766))) in + let s_773 := + select (s_773) (was_square_772) (s_prime_774) in + let c_775 : field_element_t := + select (minus_one_768) (was_square_772) (r_769) in + let n_776 : field_element_t := + (((c_775) *% ((r_769) -% (one_767))) *% (d_minus_one_sq )) -% (v_771) in + let w0_777 : field_element_t := + ((fe (usize 2)) *% (s_773)) *% (v_771) in + let w1_778 : field_element_t := + (n_776) *% (sqrt_ad_minus_one ) in + let w2_779 : field_element_t := + (one_767) -% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in + let w3_780 : field_element_t := + (one_767) +% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in + ( + (w0_777) *% (w3_780), + (w2_779) *% (w1_778), + (w1_778) *% (w3_780), + (w0_777) *% (w2_779) + ). + +Definition one_way_map (b_781 : byte_string_t) : ristretto_point_t := + let r0_bytes_782 : seq uint8 := + array_slice (b_781) (usize 0) (usize 32) in + let r1_bytes_783 : seq uint8 := + array_slice (b_781) (usize 32) (usize 32) in + let r0_bytes_784 : seq int8 := + seq_declassify (r0_bytes_782) in + let r1_bytes_785 : seq int8 := + seq_declassify (r1_bytes_783) in + let r0_bytes_784 := + seq_upd r0_bytes_784 (usize 31) ((seq_index (r0_bytes_784) (usize 31)) .% ( + @repr WORDSIZE8 128)) in + let r1_bytes_785 := + seq_upd r1_bytes_785 (usize 31) ((seq_index (r1_bytes_785) (usize 31)) .% ( + @repr WORDSIZE8 128)) in + let r0_786 : field_element_t := + nat_mod_from_public_byte_seq_le (r0_bytes_784) in + let r1_787 : field_element_t := + nat_mod_from_public_byte_seq_le (r1_bytes_785) in + let p1_788 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + map (r0_786) in + let p2_789 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + map (r1_787) in + add (p1_788) (p2_789). + +Definition encode (u_790 : ristretto_point_t) : ristretto_point_encoded_t := + let '(x0_791, y0_792, z0_793, t0_794) := + u_790 in + let u1_795 : field_element_t := + ((z0_793) +% (y0_792)) *% ((z0_793) -% (y0_792)) in + let u2_796 : field_element_t := + (x0_791) *% (y0_792) in + let '(_, invsqrt_797) := + sqrt_ratio_m1 (fe (usize 1)) ((u1_795) *% (nat_mod_pow (u2_796) ( + @repr WORDSIZE128 2))) in + let den1_798 : field_element_t := + (invsqrt_797) *% (u1_795) in + let den2_799 : field_element_t := + (invsqrt_797) *% (u2_796) in + let z_inv_800 : field_element_t := + ((den1_798) *% (den2_799)) *% (t0_794) in + let ix0_801 : field_element_t := + (x0_791) *% (sqrt_m1 ) in + let iy0_802 : field_element_t := + (y0_792) *% (sqrt_m1 ) in + let enchanted_denominator_803 : field_element_t := + (den1_798) *% (invsqrt_a_minus_d ) in + let rotate_804 : bool := + is_negative ((t0_794) *% (z_inv_800)) in + let x_805 : field_element_t := + select (iy0_802) (rotate_804) (x0_791) in + let y_806 : field_element_t := + select (ix0_801) (rotate_804) (y0_792) in + let z_807 : field_element_t := + z0_793 in + let den_inv_808 : field_element_t := + select (enchanted_denominator_803) (rotate_804) (den2_799) in + let y_806 := + select (neg_fe (y_806)) (is_negative ((x_805) *% (z_inv_800))) (y_806) in + let s_809 : field_element_t := + abs ((den_inv_808) *% ((z_807) -% (y_806))) in + array_update_start (array_new_ (default : uint8) (32)) ( + nat_mod_to_byte_seq_le (s_809)). + +Definition decode (u_810 : ristretto_point_encoded_t) : decode_result_t := + let ret_811 : (result ristretto_point_t int8) := + @Err ristretto_point_t int8 (decoding_error_v) in + let s_812 : field_element_t := + nat_mod_from_byte_seq_le (array_to_seq (u_810)) : field_element_t in + let '(ret_811) := + if (negb (geq_p (array_to_le_bytes (u_810)))) && (negb (is_negative ( + s_812))):bool then (let one_813 : field_element_t := + fe (usize 1) in + let ss_814 : field_element_t := + nat_mod_pow (s_812) (@repr WORDSIZE128 2) in + let u1_815 : field_element_t := + (one_813) -% (ss_814) in + let u2_816 : field_element_t := + (one_813) +% (ss_814) in + let u2_sqr_817 : field_element_t := + nat_mod_pow (u2_816) (@repr WORDSIZE128 2) in + let v_818 : field_element_t := + (neg_fe ((d ) *% (nat_mod_pow (u1_815) (@repr WORDSIZE128 2)))) -% ( + u2_sqr_817) in + let '(was_square_819, invsqrt_820) := + sqrt_ratio_m1 (one_813) ((v_818) *% (u2_sqr_817)) in + let den_x_821 : field_element_t := + (invsqrt_820) *% (u2_816) in + let den_y_822 : field_element_t := + ((invsqrt_820) *% (den_x_821)) *% (v_818) in + let x_823 : field_element_t := + abs (((s_812) +% (s_812)) *% (den_x_821)) in + let y_824 : field_element_t := + (u1_815) *% (den_y_822) in + let t_825 : field_element_t := + (x_823) *% (y_824) in + let '(ret_811) := + if negb (((negb (was_square_819)) || (is_negative (t_825))) || (( + y_824) =.? (fe (usize 0)))):bool then (let ret_811 := + @Ok ristretto_point_t int8 ((x_823, y_824, one_813, t_825)) in + (ret_811)) else ((ret_811)) in + (ret_811)) else ((ret_811)) in + ret_811. + +Definition equals + (u_826 : ristretto_point_t) + (v_827 : ristretto_point_t) + : bool := + let '(x1_828, y1_829, _, _) := + u_826 in + let '(x2_830, y2_831, _, _) := + v_827 in + (((x1_828) *% (y2_831)) =.? ((x2_830) *% (y1_829))) || (((y1_829) *% ( + y2_831)) =.? ((x1_828) *% (x2_830))). + +Definition add + (u_832 : ristretto_point_t) + (v_833 : ristretto_point_t) + : ristretto_point_t := + let '(x1_834, y1_835, z1_836, t1_837) := + u_832 in + let '(x2_838, y2_839, z2_840, t2_841) := + v_833 in + let a_842 : field_element_t := + ((y1_835) -% (x1_834)) *% ((y2_839) +% (x2_838)) in + let b_843 : field_element_t := + ((y1_835) +% (x1_834)) *% ((y2_839) -% (x2_838)) in + let c_844 : field_element_t := + ((fe (usize 2)) *% (z1_836)) *% (t2_841) in + let d_845 : field_element_t := + ((fe (usize 2)) *% (t1_837)) *% (z2_840) in + let e_846 : field_element_t := + (d_845) +% (c_844) in + let f_847 : field_element_t := + (b_843) -% (a_842) in + let g_848 : field_element_t := + (b_843) +% (a_842) in + let h_849 : field_element_t := + (d_845) -% (c_844) in + let x3_850 : field_element_t := + (e_846) *% (f_847) in + let y3_851 : field_element_t := + (g_848) *% (h_849) in + let t3_852 : field_element_t := + (e_846) *% (h_849) in + let z3_853 : field_element_t := + (f_847) *% (g_848) in + (x3_850, y3_851, z3_853, t3_852). + +Definition neg (u_854 : ristretto_point_t) : ristretto_point_t := + let '(x1_855, y1_856, z1_857, t1_858) := + u_854 in + (neg_fe (x1_855), y1_856, neg_fe (z1_857), t1_858). + +Definition sub + (u_859 : ristretto_point_t) + (v_860 : ristretto_point_t) + : ristretto_point_t := + add (u_859) (neg (v_860)). + +Definition double (u_861 : ristretto_point_t) : ristretto_point_t := + let '(x1_862, y1_863, z1_864, _) := + u_861 in + let a_865 : field_element_t := + nat_mod_pow (x1_862) (@repr WORDSIZE128 2) in + let b_866 : field_element_t := + nat_mod_pow (y1_863) (@repr WORDSIZE128 2) in + let c_867 : field_element_t := + (fe (usize 2)) *% (nat_mod_pow (z1_864) (@repr WORDSIZE128 2)) in + let h_868 : field_element_t := + (a_865) +% (b_866) in + let e_869 : field_element_t := + (h_868) -% (nat_mod_pow ((x1_862) +% (y1_863)) (@repr WORDSIZE128 2)) in + let g_870 : field_element_t := + (a_865) -% (b_866) in + let f_871 : field_element_t := + (c_867) +% (g_870) in + let x2_872 : field_element_t := + (e_869) *% (f_871) in + let y2_873 : field_element_t := + (g_870) *% (h_868) in + let t2_874 : field_element_t := + (e_869) *% (h_868) in + let z2_875 : field_element_t := + (f_871) *% (g_870) in + (x2_872, y2_873, z2_875, t2_874). + +Definition mul + (k_876 : scalar_t) + (p_877 : ristretto_point_t) + : ristretto_point_t := + let res_878 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + identity_point in + let temp_879 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + p_877 in + let '(res_878, temp_879) := + foldi (usize 0) (usize 256) (fun i_880 '(res_878, temp_879) => + let '(res_878) := + if (nat_mod_get_bit (k_876) (i_880)) =.? (nat_mod_from_literal ( + 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed) ( + @repr WORDSIZE128 1) : scalar_t):bool then (let res_878 := + add (res_878) (temp_879) in + (res_878)) else ((res_878)) in + let temp_879 := + double (temp_879) in + (res_878, temp_879)) + (res_878, temp_879) in + res_878. + diff --git a/proof-libs/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v b/proof-libs/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v new file mode 100644 index 000000000..1e62ce5df --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v @@ -0,0 +1,70 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Require Import Hacspec_Rsa_Pkcs1. + +Definition int_byte_t := nseq (uint8) (usize 1). + +Definition one_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). + +Definition two_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). + +Definition suite_string_v : int_byte_t := + one_v. + +Definition vrf_mgf1 + (n_2644 : rsa_int_t) + (alpha_2645 : byte_seq) + : byte_seq_result_t := + bind (i2osp (rsa_int_from_literal (@cast _ uint128 _ (byte_size_v))) ( + @repr WORDSIZE32 4)) (fun mgf_salt1_2646 => bind (i2osp (n_2644) ( + byte_size_v)) (fun mgf_salt2_2647 => let mgf_salt_2648 : seq uint8 := + seq_concat (mgf_salt1_2646) (mgf_salt2_2647) in + let mgf_string_2649 : seq uint8 := + seq_concat (seq_concat (array_concat (suite_string_v) ( + array_to_seq (one_v))) (mgf_salt_2648)) (alpha_2645) in + bind (mgf1 (mgf_string_2649) ((@cast _ uint32 _ (byte_size_v)) - ( + usize 1))) (fun mgf_2650 => @Ok seq uint8 error_t (mgf_2650)))). + +Definition prove (sk_2651 : sk_t) (alpha_2652 : byte_seq) : byte_seq_result_t := + let '(n_2653, d_2654) := + (sk_2651) in + bind (vrf_mgf1 (n_2653) (alpha_2652)) (fun em_2655 => + let m_2656 : rsa_int_t := + os2ip (em_2655) in + bind (rsasp1 (sk_2651) (m_2656)) (fun s_2657 => i2osp (s_2657) ( + byte_size_v))). + +Definition proof_to_hash (pi_string_2658 : byte_seq) : byte_seq_result_t := + let hash_string_2659 : seq uint8 := + array_concat (suite_string_v) (array_concat (two_v) (pi_string_2658)) in + @Ok seq uint8 error_t (array_slice (sha256 (hash_string_2659)) (usize 0) ( + usize 32)). + +Definition verify + (pk_2660 : pk_t) + (alpha_2661 : byte_seq) + (pi_string_2662 : byte_seq) + : byte_seq_result_t := + let '(n_2663, e_2664) := + (pk_2660) in + let s_2665 : rsa_int_t := + os2ip (pi_string_2662) in + bind (rsavp1 (pk_2660) (s_2665)) (fun m_2666 => bind (vrf_mgf1 (n_2663) ( + alpha_2661)) (fun em_prime_2667 => let m_prime_2668 : rsa_int_t := + os2ip (em_prime_2667) in + (if ((m_2666) =.? (m_prime_2668)):bool then (proof_to_hash ( + pi_string_2662)) else (@Err seq uint8 error_t ( + VerificationFailed))))). + diff --git a/proof-libs/coq/_vc/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/_vc/Hacspec_Rsa_Pkcs1.v new file mode 100644 index 000000000..150f38634 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Rsa_Pkcs1.v @@ -0,0 +1,121 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition bit_size_v : int32 := + @repr WORDSIZE32 2048. + +Definition byte_size_v : int32 := + (@repr WORDSIZE32 2048) ./ (@repr WORDSIZE32 8). + +Definition hlen_v : uint_size := + usize 32. + +Definition rsa_int_t := nat_mod pow2 2048. + +Inductive error_t := +| InvalidLength : error_t +| MessageTooLarge : error_t +| DecryptionFailed : error_t +| VerificationFailed : error_t. + +Definition eqb_error_t (x y : error_t) : bool := +match x with + | InvalidLength => match y with | InvalidLength=> true | _ => false end + | MessageTooLarge => match y with | MessageTooLarge=> true | _ => false end + | DecryptionFailed => match y with | DecryptionFailed=> true | _ => false end + | VerificationFailed => + match y with + | VerificationFailed=> true + | _ => false + end + end. + +Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_error_t : EqDec (error_t) := +Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). + + +Notation "'pk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. + +Notation "'sk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. + +Notation "'key_pair_t'" := ((pk_t '× sk_t)) : hacspec_scope. + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Notation "'rsa_int_result_t'" := ((result rsa_int_t error_t)) : hacspec_scope. + +Definition rsaep (pk_2530 : pk_t) (m_2531 : rsa_int_t) : rsa_int_result_t := + let '(n_2532, e_2533) := + pk_2530 in + (if ((m_2531) >.? ((n_2532) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (m_2531) (e_2533) (n_2532)))). + +Definition rsadp (sk_2534 : sk_t) (c_2535 : rsa_int_t) : rsa_int_result_t := + let '(n_2536, d_2537) := + sk_2534 in + (if ((c_2535) >.? ((n_2536) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (c_2535) (d_2537) (n_2536)))). + +Definition rsasp1 (sk_2538 : sk_t) (m_2539 : rsa_int_t) : rsa_int_result_t := + let '(n_2540, d_2541) := + sk_2538 in + (if ((m_2539) >.? ((n_2540) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (m_2539) (d_2541) (n_2540)))). + +Definition rsavp1 (pk_2542 : pk_t) (s_2543 : rsa_int_t) : rsa_int_result_t := + let '(n_2544, e_2545) := + pk_2542 in + (if ((s_2543) >.? ((n_2544) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (s_2543) (e_2545) (n_2544)))). + +Definition i2osp + (x_2546 : rsa_int_t) + (x_len_2547 : int32) + : byte_seq_result_t := + (if (((x_2546) >=.? (nat_mod_exp (nat_mod_from_literal (0x) ( + @repr WORDSIZE128 256) : rsa_int_t) (x_len_2547))) && (( + x_len_2547) !=.? (byte_size_v))):bool then (@Err byte_seq error_t ( + InvalidLength)) else (@Ok byte_seq error_t (seq_slice ( + nat_mod_to_byte_seq_be (x_2546)) (@cast _ uint32 _ ((byte_size_v) .- ( + x_len_2547))) (@cast _ uint32 _ (x_len_2547))))). + +Definition os2ip (x_2548 : byte_seq) : rsa_int_t := + nat_mod_from_byte_seq_be (x_2548) : rsa_int_t. + +Definition mgf1 + (mgf_seed_2549 : byte_seq) + (mask_len_2550 : uint_size) + : byte_seq_result_t := + let result_2551 : (result byte_seq error_t) := + @Err byte_seq error_t (InvalidLength) in + ifbnd (mask_len_2550) <.? ((usize 2) .^ ((usize 32) * (hlen_v))) : bool + thenbnd (let t_2552 : seq uint8 := + seq_new_ (default : uint8) (usize 0) in + bind (foldibnd (usize 0) to (((mask_len_2550) + (usize 32)) / ( + usize 32)) for t_2552 >> (fun i_2553 t_2552 => + bind (i2osp (nat_mod_from_literal (0x) (pub_u128 (i_2553)) : rsa_int_t) ( + @repr WORDSIZE32 4)) (fun x_2554 => let t_2552 := + seq_concat (t_2552) (array_to_seq (sha256 (seq_concat ( + mgf_seed_2549) (x_2554)))) in + @Ok (seq uint8) error_t ((t_2552))))) (fun t_2552 => let result_2551 := + @Ok byte_seq error_t (seq_slice (t_2552) (usize 0) (mask_len_2550)) in + @Ok ((result byte_seq error_t)) error_t ((result_2551)))) + else ((result_2551)) >> (fun '(result_2551) => + result_2551). + diff --git a/proof-libs/coq/_vc/Hacspec_Sha1.v b/proof-libs/coq/_vc/Hacspec_Sha1.v new file mode 100644 index 000000000..f633b67ac --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Sha1.v @@ -0,0 +1,205 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition schedule_t := nseq (uint32) (usize 80). + +Definition block_words_v : uint_size := + (usize 512) / (usize 32). + +Definition hash_words_v : uint_size := + (usize 160) / (usize 32). + +Definition block_t := nseq (uint32) (block_words_v). + +Definition hash_t := nseq (uint32) (hash_words_v). + +Definition block_bytes_v : uint_size := + (usize 512) / (usize 8). + +Definition hash_bytes_v : uint_size := + (usize 160) / (usize 8). + +Definition block_bytes_t := nseq (uint8) (block_bytes_v). + +Definition sha1_digest_t := nseq (uint8) (hash_bytes_v). + +Definition bitlength_bytes_v : uint_size := + (usize 64) / (usize 8). + +Definition ch (x_1225 : uint32) (y_1226 : uint32) (z_1227 : uint32) : uint32 := + ((x_1225) .& (y_1226)) .^ ((not (x_1225)) .& (z_1227)). + +Definition parity + (x_1228 : uint32) + (y_1229 : uint32) + (z_1230 : uint32) + : uint32 := + ((x_1228) .^ (y_1229)) .^ (z_1230). + +Definition maj (x_1231 : uint32) (y_1232 : uint32) (z_1233 : uint32) : uint32 := + (((x_1231) .& (y_1232)) .^ ((x_1231) .& (z_1233))) .^ ((y_1232) .& (z_1233)). + +Definition hash_init_v : hash_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1732584193) : int32; + secret (@repr WORDSIZE32 4023233417) : int32; + secret (@repr WORDSIZE32 2562383102) : int32; + secret (@repr WORDSIZE32 271733878) : int32; + secret (@repr WORDSIZE32 3285377520) : int32 + ] in l). + +Definition compress (m_bytes_1234 : block_bytes_t) (h_1235 : hash_t) : hash_t := + let m_1236 : seq uint32 := + array_to_be_uint32s (m_bytes_1234) in + let w_1237 : schedule_t := + array_new_ (default : uint32) (80) in + let w_1237 := + foldi (usize 0) (usize 80) (fun t_1238 w_1237 => + let '(w_1237) := + if (t_1238) <.? (usize 16):bool then (let w_1237 := + array_upd w_1237 (t_1238) (seq_index (m_1236) (t_1238)) in + (w_1237)) else (let w_1237 := + array_upd w_1237 (t_1238) (uint32_rotate_left ((((array_index ( + w_1237) ((t_1238) - (usize 3))) .^ (array_index ( + w_1237) ((t_1238) - (usize 8)))) .^ (array_index ( + w_1237) ((t_1238) - (usize 14)))) .^ (array_index ( + w_1237) ((t_1238) - (usize 16)))) (usize 1)) in + (w_1237)) in + (w_1237)) + w_1237 in + let a_1239 : uint32 := + array_index (h_1235) (usize 0) in + let b_1240 : uint32 := + array_index (h_1235) (usize 1) in + let c_1241 : uint32 := + array_index (h_1235) (usize 2) in + let d_1242 : uint32 := + array_index (h_1235) (usize 3) in + let e_1243 : uint32 := + array_index (h_1235) (usize 4) in + let '(a_1239, b_1240, c_1241, d_1242, e_1243) := + foldi (usize 0) (usize 80) (fun t_1244 '( + a_1239, + b_1240, + c_1241, + d_1242, + e_1243 + ) => + let t_1245 : uint32 := + uint32_zero in + let '(t_1245) := + if ((usize 0) <=.? (t_1244)) && ((t_1244) <.? (usize 20)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (ch (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 1518500249) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let '(t_1245) := + if ((usize 20) <=.? (t_1244)) && ((t_1244) <.? (usize 40)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 1859775393) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let '(t_1245) := + if ((usize 40) <=.? (t_1244)) && ((t_1244) <.? (usize 60)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (maj (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 2400959708) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let '(t_1245) := + if ((usize 60) <=.? (t_1244)) && ((t_1244) <.? (usize 80)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 3395469782) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let e_1243 := + d_1242 in + let d_1242 := + c_1241 in + let c_1241 := + uint32_rotate_left (b_1240) (usize 30) in + let b_1240 := + a_1239 in + let a_1239 := + t_1245 in + (a_1239, b_1240, c_1241, d_1242, e_1243)) + (a_1239, b_1240, c_1241, d_1242, e_1243) in + let h_1235 := + array_upd h_1235 (usize 0) ((a_1239) .+ (array_index (h_1235) ( + usize 0))) in + let h_1235 := + array_upd h_1235 (usize 1) ((b_1240) .+ (array_index (h_1235) ( + usize 1))) in + let h_1235 := + array_upd h_1235 (usize 2) ((c_1241) .+ (array_index (h_1235) ( + usize 2))) in + let h_1235 := + array_upd h_1235 (usize 3) ((d_1242) .+ (array_index (h_1235) ( + usize 3))) in + let h_1235 := + array_upd h_1235 (usize 4) ((e_1243) .+ (array_index (h_1235) ( + usize 4))) in + h_1235. + +Definition hash (msg_1246 : byte_seq) : sha1_digest_t := + let h_1247 : hash_t := + hash_init_v in + let h_1247 := + foldi (usize 0) (seq_num_exact_chunks (msg_1246) ( + block_bytes_v)) (fun i_1248 h_1247 => + let raw_bytes_1249 : seq uint8 := + seq_get_exact_chunk (msg_1246) (block_bytes_v) (i_1248) in + let block_bytes_1250 : block_bytes_t := + array_from_seq (block_bytes_v) (raw_bytes_1249) in + let h_1247 := + compress (block_bytes_1250) (h_1247) in + (h_1247)) + h_1247 in + let raw_bytes_1251 : seq uint8 := + seq_get_remainder_chunk (msg_1246) (block_bytes_v) in + let block_bytes_1252 : block_bytes_t := + array_update_start (array_new_ (default : uint8) (block_bytes_v)) ( + raw_bytes_1251) in + let block_bytes_1252 := + array_upd block_bytes_1252 (seq_len (raw_bytes_1251)) (secret ( + @repr WORDSIZE8 128) : int8) in + let message_bitlength_1253 : uint64 := + secret (pub_u64 ((seq_len (msg_1246)) * (usize 8))) : int64 in + let '(h_1247, block_bytes_1252) := + if (seq_len (raw_bytes_1251)) <.? ((block_bytes_v) - ( + bitlength_bytes_v)):bool then (let block_bytes_1252 := + array_update (block_bytes_1252) ((block_bytes_v) - ( + bitlength_bytes_v)) (array_to_seq (uint64_to_be_bytes ( + message_bitlength_1253))) in + let h_1247 := + compress (block_bytes_1252) (h_1247) in + (h_1247, block_bytes_1252)) else (let h_1247 := + compress (block_bytes_1252) (h_1247) in + let pad_block_1254 : block_bytes_t := + array_new_ (default : uint8) (block_bytes_v) in + let pad_block_1254 := + array_update (pad_block_1254) ((block_bytes_v) - (bitlength_bytes_v)) ( + array_to_seq (uint64_to_be_bytes (message_bitlength_1253))) in + let h_1247 := + compress (pad_block_1254) (h_1247) in + (h_1247, block_bytes_1252)) in + array_from_seq (hash_bytes_v) (array_to_be_bytes (h_1247)). + +Definition sha1 (msg_1255 : byte_seq) : sha1_digest_t := + hash (msg_1255). + diff --git a/proof-libs/coq/_vc/Hacspec_Sha256.v b/proof-libs/coq/_vc/Hacspec_Sha256.v new file mode 100644 index 000000000..782c6f634 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Sha256.v @@ -0,0 +1,305 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition block_size_v : uint_size := + usize 64. + +Definition len_size_v : uint_size := + usize 8. + +Definition k_size_v : uint_size := + usize 64. + +Definition hash_size_v : uint_size := + (usize 256) / (usize 8). + +Definition block_t := nseq (uint8) (block_size_v). + +Definition op_table_type_t := nseq (uint_size) (usize 12). + +Definition sha256_digest_t := nseq (uint8) (hash_size_v). + +Definition round_constants_table_t := nseq (uint32) (k_size_v). + +Definition hash_t := nseq (uint32) (usize 8). + +Definition ch (x_663 : uint32) (y_664 : uint32) (z_665 : uint32) : uint32 := + ((x_663) .& (y_664)) .^ ((not (x_663)) .& (z_665)). + +Definition maj (x_666 : uint32) (y_667 : uint32) (z_668 : uint32) : uint32 := + ((x_666) .& (y_667)) .^ (((x_666) .& (z_668)) .^ ((y_667) .& (z_668))). + +Definition op_table_v : op_table_type_t := + array_from_list uint_size (let l := + [ + usize 2; + usize 13; + usize 22; + usize 6; + usize 11; + usize 25; + usize 7; + usize 18; + usize 3; + usize 17; + usize 19; + usize 10 + ] in l). + +Definition k_table_v : round_constants_table_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1116352408) : int32; + secret (@repr WORDSIZE32 1899447441) : int32; + secret (@repr WORDSIZE32 3049323471) : int32; + secret (@repr WORDSIZE32 3921009573) : int32; + secret (@repr WORDSIZE32 961987163) : int32; + secret (@repr WORDSIZE32 1508970993) : int32; + secret (@repr WORDSIZE32 2453635748) : int32; + secret (@repr WORDSIZE32 2870763221) : int32; + secret (@repr WORDSIZE32 3624381080) : int32; + secret (@repr WORDSIZE32 310598401) : int32; + secret (@repr WORDSIZE32 607225278) : int32; + secret (@repr WORDSIZE32 1426881987) : int32; + secret (@repr WORDSIZE32 1925078388) : int32; + secret (@repr WORDSIZE32 2162078206) : int32; + secret (@repr WORDSIZE32 2614888103) : int32; + secret (@repr WORDSIZE32 3248222580) : int32; + secret (@repr WORDSIZE32 3835390401) : int32; + secret (@repr WORDSIZE32 4022224774) : int32; + secret (@repr WORDSIZE32 264347078) : int32; + secret (@repr WORDSIZE32 604807628) : int32; + secret (@repr WORDSIZE32 770255983) : int32; + secret (@repr WORDSIZE32 1249150122) : int32; + secret (@repr WORDSIZE32 1555081692) : int32; + secret (@repr WORDSIZE32 1996064986) : int32; + secret (@repr WORDSIZE32 2554220882) : int32; + secret (@repr WORDSIZE32 2821834349) : int32; + secret (@repr WORDSIZE32 2952996808) : int32; + secret (@repr WORDSIZE32 3210313671) : int32; + secret (@repr WORDSIZE32 3336571891) : int32; + secret (@repr WORDSIZE32 3584528711) : int32; + secret (@repr WORDSIZE32 113926993) : int32; + secret (@repr WORDSIZE32 338241895) : int32; + secret (@repr WORDSIZE32 666307205) : int32; + secret (@repr WORDSIZE32 773529912) : int32; + secret (@repr WORDSIZE32 1294757372) : int32; + secret (@repr WORDSIZE32 1396182291) : int32; + secret (@repr WORDSIZE32 1695183700) : int32; + secret (@repr WORDSIZE32 1986661051) : int32; + secret (@repr WORDSIZE32 2177026350) : int32; + secret (@repr WORDSIZE32 2456956037) : int32; + secret (@repr WORDSIZE32 2730485921) : int32; + secret (@repr WORDSIZE32 2820302411) : int32; + secret (@repr WORDSIZE32 3259730800) : int32; + secret (@repr WORDSIZE32 3345764771) : int32; + secret (@repr WORDSIZE32 3516065817) : int32; + secret (@repr WORDSIZE32 3600352804) : int32; + secret (@repr WORDSIZE32 4094571909) : int32; + secret (@repr WORDSIZE32 275423344) : int32; + secret (@repr WORDSIZE32 430227734) : int32; + secret (@repr WORDSIZE32 506948616) : int32; + secret (@repr WORDSIZE32 659060556) : int32; + secret (@repr WORDSIZE32 883997877) : int32; + secret (@repr WORDSIZE32 958139571) : int32; + secret (@repr WORDSIZE32 1322822218) : int32; + secret (@repr WORDSIZE32 1537002063) : int32; + secret (@repr WORDSIZE32 1747873779) : int32; + secret (@repr WORDSIZE32 1955562222) : int32; + secret (@repr WORDSIZE32 2024104815) : int32; + secret (@repr WORDSIZE32 2227730452) : int32; + secret (@repr WORDSIZE32 2361852424) : int32; + secret (@repr WORDSIZE32 2428436474) : int32; + secret (@repr WORDSIZE32 2756734187) : int32; + secret (@repr WORDSIZE32 3204031479) : int32; + secret (@repr WORDSIZE32 3329325298) : int32 + ] in l). + +Definition hash_init_v : hash_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1779033703) : int32; + secret (@repr WORDSIZE32 3144134277) : int32; + secret (@repr WORDSIZE32 1013904242) : int32; + secret (@repr WORDSIZE32 2773480762) : int32; + secret (@repr WORDSIZE32 1359893119) : int32; + secret (@repr WORDSIZE32 2600822924) : int32; + secret (@repr WORDSIZE32 528734635) : int32; + secret (@repr WORDSIZE32 1541459225) : int32 + ] in l). + +Definition sigma + (x_669 : uint32) + (i_670 : uint_size) + (op_671 : uint_size) + : uint32 := + let tmp_672 : uint32 := + uint32_rotate_right (x_669) (array_index (op_table_v) (((usize 3) * ( + i_670)) + (usize 2))) in + let '(tmp_672) := + if (op_671) =.? (usize 0):bool then (let tmp_672 := + (x_669) shift_right (array_index (op_table_v) (((usize 3) * (i_670)) + ( + usize 2))) in + (tmp_672)) else ((tmp_672)) in + ((uint32_rotate_right (x_669) (array_index (op_table_v) ((usize 3) * ( + i_670)))) .^ (uint32_rotate_right (x_669) (array_index ( + op_table_v) (((usize 3) * (i_670)) + (usize 1))))) .^ (tmp_672). + +Definition schedule (block_673 : block_t) : round_constants_table_t := + let b_674 : seq uint32 := + array_to_be_uint32s (block_673) in + let s_675 : round_constants_table_t := + array_new_ (default : uint32) (k_size_v) in + let s_675 := + foldi (usize 0) (k_size_v) (fun i_676 s_675 => + let '(s_675) := + if (i_676) <.? (usize 16):bool then (let s_675 := + array_upd s_675 (i_676) (seq_index (b_674) (i_676)) in + (s_675)) else (let t16_677 : uint32 := + array_index (s_675) ((i_676) - (usize 16)) in + let t15_678 : uint32 := + array_index (s_675) ((i_676) - (usize 15)) in + let t7_679 : uint32 := + array_index (s_675) ((i_676) - (usize 7)) in + let t2_680 : uint32 := + array_index (s_675) ((i_676) - (usize 2)) in + let s1_681 : uint32 := + sigma (t2_680) (usize 3) (usize 0) in + let s0_682 : uint32 := + sigma (t15_678) (usize 2) (usize 0) in + let s_675 := + array_upd s_675 (i_676) ((((s1_681) .+ (t7_679)) .+ (s0_682)) .+ ( + t16_677)) in + (s_675)) in + (s_675)) + s_675 in + s_675. + +Definition shuffle + (ws_683 : round_constants_table_t) + (hashi_684 : hash_t) + : hash_t := + let h_685 : hash_t := + hashi_684 in + let h_685 := + foldi (usize 0) (k_size_v) (fun i_686 h_685 => + let a0_687 : uint32 := + array_index (h_685) (usize 0) in + let b0_688 : uint32 := + array_index (h_685) (usize 1) in + let c0_689 : uint32 := + array_index (h_685) (usize 2) in + let d0_690 : uint32 := + array_index (h_685) (usize 3) in + let e0_691 : uint32 := + array_index (h_685) (usize 4) in + let f0_692 : uint32 := + array_index (h_685) (usize 5) in + let g0_693 : uint32 := + array_index (h_685) (usize 6) in + let h0_694 : uint32 := + array_index (h_685) (usize 7) in + let t1_695 : uint32 := + ((((h0_694) .+ (sigma (e0_691) (usize 1) (usize 1))) .+ (ch (e0_691) ( + f0_692) (g0_693))) .+ (array_index (k_table_v) (i_686))) .+ ( + array_index (ws_683) (i_686)) in + let t2_696 : uint32 := + (sigma (a0_687) (usize 0) (usize 1)) .+ (maj (a0_687) (b0_688) ( + c0_689)) in + let h_685 := + array_upd h_685 (usize 0) ((t1_695) .+ (t2_696)) in + let h_685 := + array_upd h_685 (usize 1) (a0_687) in + let h_685 := + array_upd h_685 (usize 2) (b0_688) in + let h_685 := + array_upd h_685 (usize 3) (c0_689) in + let h_685 := + array_upd h_685 (usize 4) ((d0_690) .+ (t1_695)) in + let h_685 := + array_upd h_685 (usize 5) (e0_691) in + let h_685 := + array_upd h_685 (usize 6) (f0_692) in + let h_685 := + array_upd h_685 (usize 7) (g0_693) in + (h_685)) + h_685 in + h_685. + +Definition compress (block_697 : block_t) (h_in_698 : hash_t) : hash_t := + let s_699 : round_constants_table_t := + schedule (block_697) in + let h_700 : hash_t := + shuffle (s_699) (h_in_698) in + let h_700 := + foldi (usize 0) (usize 8) (fun i_701 h_700 => + let h_700 := + array_upd h_700 (i_701) ((array_index (h_700) (i_701)) .+ (array_index ( + h_in_698) (i_701))) in + (h_700)) + h_700 in + h_700. + +Definition hash (msg_702 : byte_seq) : sha256_digest_t := + let h_703 : hash_t := + hash_init_v in + let last_block_704 : block_t := + array_new_ (default : uint8) (block_size_v) in + let last_block_len_705 : uint_size := + usize 0 in + let '(h_703, last_block_704, last_block_len_705) := + foldi (usize 0) (seq_num_chunks (msg_702) (block_size_v)) (fun i_706 '( + h_703, + last_block_704, + last_block_len_705 + ) => + let '(block_len_707, block_708) := + seq_get_chunk (msg_702) (block_size_v) (i_706) in + let '(h_703, last_block_704, last_block_len_705) := + if (block_len_707) <.? (block_size_v):bool then (let last_block_704 := + array_update_start (array_new_ (default : uint8) (block_size_v)) ( + block_708) in + let last_block_len_705 := + block_len_707 in + (h_703, last_block_704, last_block_len_705)) else ( + let compress_input_709 : block_t := + array_from_seq (block_size_v) (block_708) in + let h_703 := + compress (compress_input_709) (h_703) in + (h_703, last_block_704, last_block_len_705)) in + (h_703, last_block_704, last_block_len_705)) + (h_703, last_block_704, last_block_len_705) in + let last_block_704 := + array_upd last_block_704 (last_block_len_705) (secret ( + @repr WORDSIZE8 128) : int8) in + let len_bist_710 : uint64 := + secret (pub_u64 ((seq_len (msg_702)) * (usize 8))) : int64 in + let '(h_703, last_block_704) := + if (last_block_len_705) <.? ((block_size_v) - (len_size_v)):bool then ( + let last_block_704 := + array_update (last_block_704) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint64_to_be_bytes (len_bist_710))) in + let h_703 := + compress (last_block_704) (h_703) in + (h_703, last_block_704)) else (let pad_block_711 : block_t := + array_new_ (default : uint8) (block_size_v) in + let pad_block_711 := + array_update (pad_block_711) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint64_to_be_bytes (len_bist_710))) in + let h_703 := + compress (last_block_704) (h_703) in + let h_703 := + compress (pad_block_711) (h_703) in + (h_703, last_block_704)) in + array_from_seq (hash_size_v) (array_to_be_bytes (h_703)). + +Definition sha256 (msg_712 : byte_seq) : sha256_digest_t := + hash (msg_712). + diff --git a/proof-libs/coq/_vc/Hacspec_Sha3.v b/proof-libs/coq/_vc/Hacspec_Sha3.v new file mode 100644 index 000000000..91088d815 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Sha3.v @@ -0,0 +1,357 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition rounds_v : uint_size := + usize 24. + +Definition sha3224_rate_v : uint_size := + usize 144. + +Definition sha3256_rate_v : uint_size := + usize 136. + +Definition sha3384_rate_v : uint_size := + usize 104. + +Definition sha3512_rate_v : uint_size := + usize 72. + +Definition shake128_rate_v : uint_size := + usize 168. + +Definition shake256_rate_v : uint_size := + usize 136. + +Definition state_t := nseq (uint64) (usize 25). + +Definition row_t := nseq (uint64) (usize 5). + +Definition digest224_t := nseq (uint8) (usize 28). + +Definition digest256_t := nseq (uint8) (usize 32). + +Definition digest384_t := nseq (uint8) (usize 48). + +Definition digest512_t := nseq (uint8) (usize 64). + +Definition round_constants_t := nseq (int64) (rounds_v). + +Definition rotation_constants_t := nseq (uint_size) (usize 25). + +Definition roundconstants_v : round_constants_t := + array_from_list int64 (let l := + [ + @repr WORDSIZE64 1; + @repr WORDSIZE64 32898; + @repr WORDSIZE64 9223372036854808714; + @repr WORDSIZE64 9223372039002292224; + @repr WORDSIZE64 32907; + @repr WORDSIZE64 2147483649; + @repr WORDSIZE64 9223372039002292353; + @repr WORDSIZE64 9223372036854808585; + @repr WORDSIZE64 138; + @repr WORDSIZE64 136; + @repr WORDSIZE64 2147516425; + @repr WORDSIZE64 2147483658; + @repr WORDSIZE64 2147516555; + @repr WORDSIZE64 9223372036854775947; + @repr WORDSIZE64 9223372036854808713; + @repr WORDSIZE64 9223372036854808579; + @repr WORDSIZE64 9223372036854808578; + @repr WORDSIZE64 9223372036854775936; + @repr WORDSIZE64 32778; + @repr WORDSIZE64 9223372039002259466; + @repr WORDSIZE64 9223372039002292353; + @repr WORDSIZE64 9223372036854808704; + @repr WORDSIZE64 2147483649; + @repr WORDSIZE64 9223372039002292232 + ] in l). + +Definition rotc_v : rotation_constants_t := + array_from_list uint_size (let l := + [ + usize 0; + usize 1; + usize 62; + usize 28; + usize 27; + usize 36; + usize 44; + usize 6; + usize 55; + usize 20; + usize 3; + usize 10; + usize 43; + usize 25; + usize 39; + usize 41; + usize 45; + usize 15; + usize 21; + usize 8; + usize 18; + usize 2; + usize 61; + usize 56; + usize 14 + ] in l). + +Definition pi_v : rotation_constants_t := + array_from_list uint_size (let l := + [ + usize 0; + usize 6; + usize 12; + usize 18; + usize 24; + usize 3; + usize 9; + usize 10; + usize 16; + usize 22; + usize 1; + usize 7; + usize 13; + usize 19; + usize 20; + usize 4; + usize 5; + usize 11; + usize 17; + usize 23; + usize 2; + usize 8; + usize 14; + usize 15; + usize 21 + ] in l). + +Definition theta (s_1068 : state_t) : state_t := + let b_1069 : row_t := + array_new_ (default : uint64) (5) in + let b_1069 := + foldi (usize 0) (usize 5) (fun i_1070 b_1069 => + let b_1069 := + array_upd b_1069 (i_1070) (((((array_index (s_1068) (i_1070)) .^ ( + array_index (s_1068) ((i_1070) + (usize 5)))) .^ ( + array_index (s_1068) ((i_1070) + (usize 10)))) .^ (array_index ( + s_1068) ((i_1070) + (usize 15)))) .^ (array_index (s_1068) (( + i_1070) + (usize 20)))) in + (b_1069)) + b_1069 in + let s_1068 := + foldi (usize 0) (usize 5) (fun i_1071 s_1068 => + let u_1072 : uint64 := + array_index (b_1069) (((i_1071) + (usize 1)) %% (usize 5)) in + let t_1073 : uint64 := + (array_index (b_1069) (((i_1071) + (usize 4)) %% (usize 5))) .^ ( + uint64_rotate_left (u_1072) (usize 1)) in + let s_1068 := + foldi (usize 0) (usize 5) (fun j_1074 s_1068 => + let s_1068 := + array_upd s_1068 (((usize 5) * (j_1074)) + (i_1071)) ((array_index ( + s_1068) (((usize 5) * (j_1074)) + (i_1071))) .^ (t_1073)) in + (s_1068)) + s_1068 in + (s_1068)) + s_1068 in + s_1068. + +Definition rho (s_1075 : state_t) : state_t := + let s_1075 := + foldi (usize 0) (usize 25) (fun i_1076 s_1075 => + let u_1077 : uint64 := + array_index (s_1075) (i_1076) in + let s_1075 := + array_upd s_1075 (i_1076) (uint64_rotate_left (u_1077) (array_index ( + rotc_v) (i_1076))) in + (s_1075)) + s_1075 in + s_1075. + +Definition pi (s_1078 : state_t) : state_t := + let v_1079 : state_t := + array_new_ (default : uint64) (25) in + let v_1079 := + foldi (usize 0) (usize 25) (fun i_1080 v_1079 => + let v_1079 := + array_upd v_1079 (i_1080) (array_index (s_1078) (array_index (pi_v) ( + i_1080))) in + (v_1079)) + v_1079 in + v_1079. + +Definition chi (s_1081 : state_t) : state_t := + let b_1082 : row_t := + array_new_ (default : uint64) (5) in + let '(s_1081, b_1082) := + foldi (usize 0) (usize 5) (fun i_1083 '(s_1081, b_1082) => + let b_1082 := + foldi (usize 0) (usize 5) (fun j_1084 b_1082 => + let b_1082 := + array_upd b_1082 (j_1084) (array_index (s_1081) (((usize 5) * ( + i_1083)) + (j_1084))) in + (b_1082)) + b_1082 in + let s_1081 := + foldi (usize 0) (usize 5) (fun j_1085 s_1081 => + let u_1086 : uint64 := + array_index (b_1082) (((j_1085) + (usize 1)) %% (usize 5)) in + let s_1081 := + array_upd s_1081 (((usize 5) * (i_1083)) + (j_1085)) ((array_index ( + s_1081) (((usize 5) * (i_1083)) + (j_1085))) .^ ((not ( + u_1086)) .& (array_index (b_1082) (((j_1085) + ( + usize 2)) %% (usize 5))))) in + (s_1081)) + s_1081 in + (s_1081, b_1082)) + (s_1081, b_1082) in + s_1081. + +Definition iota (s_1087 : state_t) (rndconst_1088 : int64) : state_t := + let s_1087 := + array_upd s_1087 (usize 0) ((array_index (s_1087) (usize 0)) .^ ( + uint64_classify (rndconst_1088))) in + s_1087. + +Definition keccakf1600 (s_1089 : state_t) : state_t := + let s_1089 := + foldi (usize 0) (rounds_v) (fun i_1090 s_1089 => + let s_1089 := + theta (s_1089) in + let s_1089 := + rho (s_1089) in + let s_1089 := + pi (s_1089) in + let s_1089 := + chi (s_1089) in + let s_1089 := + iota (s_1089) (array_index (roundconstants_v) (i_1090)) in + (s_1089)) + s_1089 in + s_1089. + +Definition absorb_block (s_1091 : state_t) (block_1092 : byte_seq) : state_t := + let s_1091 := + foldi (usize 0) (seq_len (block_1092)) (fun i_1093 s_1091 => + let w_1094 : uint_size := + (i_1093) usize_shift_right (@repr WORDSIZE32 3) in + let o_1095 : uint_size := + (usize 8) * ((i_1093) .& (usize 7)) in + let s_1091 := + array_upd s_1091 (w_1094) ((array_index (s_1091) (w_1094)) .^ (( + uint64_from_uint8 (seq_index (block_1092) (i_1093))) shift_left ( + o_1095))) in + (s_1091)) + s_1091 in + keccakf1600 (s_1091). + +Definition squeeze + (s_1096 : state_t) + (nbytes_1097 : uint_size) + (rate_1098 : uint_size) + : byte_seq := + let out_1099 : seq uint8 := + seq_new_ (default : uint8) (nbytes_1097) in + let '(s_1096, out_1099) := + foldi (usize 0) (nbytes_1097) (fun i_1100 '(s_1096, out_1099) => + let pos_1101 : uint_size := + (i_1100) %% (rate_1098) in + let w_1102 : uint_size := + (pos_1101) usize_shift_right (@repr WORDSIZE32 3) in + let o_1103 : uint_size := + (usize 8) * ((pos_1101) .& (usize 7)) in + let b_1104 : uint64 := + ((array_index (s_1096) (w_1102)) shift_right (o_1103)) .& ( + uint64_classify (@repr WORDSIZE64 255)) in + let out_1099 := + seq_upd out_1099 (i_1100) (uint8_from_uint64 (b_1104)) in + let '(s_1096) := + if (((i_1100) + (usize 1)) %% (rate_1098)) =.? (usize 0):bool then ( + let s_1096 := + keccakf1600 (s_1096) in + (s_1096)) else ((s_1096)) in + (s_1096, out_1099)) + (s_1096, out_1099) in + out_1099. + +Definition keccak + (rate_1105 : uint_size) + (data_1106 : byte_seq) + (p_1107 : int8) + (outbytes_1108 : uint_size) + : byte_seq := + let buf_1109 : seq uint8 := + seq_new_ (default : uint8) (rate_1105) in + let last_block_len_1110 : uint_size := + usize 0 in + let s_1111 : state_t := + array_new_ (default : uint64) (25) in + let '(buf_1109, last_block_len_1110, s_1111) := + foldi (usize 0) (seq_num_chunks (data_1106) (rate_1105)) (fun i_1112 '( + buf_1109, + last_block_len_1110, + s_1111 + ) => + let '(block_len_1113, block_1114) := + seq_get_chunk (data_1106) (rate_1105) (i_1112) in + let '(buf_1109, last_block_len_1110, s_1111) := + if (block_len_1113) =.? (rate_1105):bool then (let s_1111 := + absorb_block (s_1111) (block_1114) in + (buf_1109, last_block_len_1110, s_1111)) else (let buf_1109 := + seq_update_start (buf_1109) (block_1114) in + let last_block_len_1110 := + block_len_1113 in + (buf_1109, last_block_len_1110, s_1111)) in + (buf_1109, last_block_len_1110, s_1111)) + (buf_1109, last_block_len_1110, s_1111) in + let buf_1109 := + seq_upd buf_1109 (last_block_len_1110) (secret (p_1107) : int8) in + let buf_1109 := + seq_upd buf_1109 ((rate_1105) - (usize 1)) ((seq_index (buf_1109) (( + rate_1105) - (usize 1))) .| (secret ( + @repr WORDSIZE8 128) : int8)) in + let s_1111 := + absorb_block (s_1111) (buf_1109) in + squeeze (s_1111) (outbytes_1108) (rate_1105). + +Definition sha3224 (data_1115 : byte_seq) : digest224_t := + let t_1116 : seq uint8 := + keccak (sha3224_rate_v) (data_1115) (@repr WORDSIZE8 6) (usize 28) in + array_from_seq (28) (t_1116). + +Definition sha3256 (data_1117 : byte_seq) : digest256_t := + let t_1118 : seq uint8 := + keccak (sha3256_rate_v) (data_1117) (@repr WORDSIZE8 6) (usize 32) in + array_from_seq (32) (t_1118). + +Definition sha3384 (data_1119 : byte_seq) : digest384_t := + let t_1120 : seq uint8 := + keccak (sha3384_rate_v) (data_1119) (@repr WORDSIZE8 6) (usize 48) in + array_from_seq (48) (t_1120). + +Definition sha3512 (data_1121 : byte_seq) : digest512_t := + let t_1122 : seq uint8 := + keccak (sha3512_rate_v) (data_1121) (@repr WORDSIZE8 6) (usize 64) in + array_from_seq (64) (t_1122). + +Definition shake128 + (data_1123 : byte_seq) + (outlen_1124 : uint_size) + : byte_seq := + keccak (shake128_rate_v) (data_1123) (@repr WORDSIZE8 31) (outlen_1124). + +Definition shake256 + (data_1125 : byte_seq) + (outlen_1126 : uint_size) + : byte_seq := + keccak (shake256_rate_v) (data_1125) (@repr WORDSIZE8 31) (outlen_1126). + diff --git a/proof-libs/coq/_vc/Hacspec_Sha512.v b/proof-libs/coq/_vc/Hacspec_Sha512.v new file mode 100644 index 000000000..9e24e3f00 --- /dev/null +++ b/proof-libs/coq/_vc/Hacspec_Sha512.v @@ -0,0 +1,321 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition block_size_v : uint_size := + usize 128. + +Definition len_size_v : uint_size := + usize 16. + +Definition k_size_v : uint_size := + usize 80. + +Definition hash_size_v : uint_size := + (usize 512) / (usize 8). + +Definition block_t := nseq (uint8) (block_size_v). + +Definition op_table_type_t := nseq (uint_size) (usize 12). + +Definition sha512_digest_t := nseq (uint8) (hash_size_v). + +Definition round_constants_table_t := nseq (uint64) (k_size_v). + +Definition hash_t := nseq (uint64) (usize 8). + +Definition ch (x_2240 : uint64) (y_2241 : uint64) (z_2242 : uint64) : uint64 := + ((x_2240) .& (y_2241)) .^ ((not (x_2240)) .& (z_2242)). + +Definition maj (x_2243 : uint64) (y_2244 : uint64) (z_2245 : uint64) : uint64 := + ((x_2243) .& (y_2244)) .^ (((x_2243) .& (z_2245)) .^ ((y_2244) .& (z_2245))). + +Definition op_table_v : op_table_type_t := + array_from_list uint_size (let l := + [ + usize 28; + usize 34; + usize 39; + usize 14; + usize 18; + usize 41; + usize 1; + usize 8; + usize 7; + usize 19; + usize 61; + usize 6 + ] in l). + +Definition k_table_v : round_constants_table_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 4794697086780616226) : int64; + secret (@repr WORDSIZE64 8158064640168781261) : int64; + secret (@repr WORDSIZE64 13096744586834688815) : int64; + secret (@repr WORDSIZE64 16840607885511220156) : int64; + secret (@repr WORDSIZE64 4131703408338449720) : int64; + secret (@repr WORDSIZE64 6480981068601479193) : int64; + secret (@repr WORDSIZE64 10538285296894168987) : int64; + secret (@repr WORDSIZE64 12329834152419229976) : int64; + secret (@repr WORDSIZE64 15566598209576043074) : int64; + secret (@repr WORDSIZE64 1334009975649890238) : int64; + secret (@repr WORDSIZE64 2608012711638119052) : int64; + secret (@repr WORDSIZE64 6128411473006802146) : int64; + secret (@repr WORDSIZE64 8268148722764581231) : int64; + secret (@repr WORDSIZE64 9286055187155687089) : int64; + secret (@repr WORDSIZE64 11230858885718282805) : int64; + secret (@repr WORDSIZE64 13951009754708518548) : int64; + secret (@repr WORDSIZE64 16472876342353939154) : int64; + secret (@repr WORDSIZE64 17275323862435702243) : int64; + secret (@repr WORDSIZE64 1135362057144423861) : int64; + secret (@repr WORDSIZE64 2597628984639134821) : int64; + secret (@repr WORDSIZE64 3308224258029322869) : int64; + secret (@repr WORDSIZE64 5365058923640841347) : int64; + secret (@repr WORDSIZE64 6679025012923562964) : int64; + secret (@repr WORDSIZE64 8573033837759648693) : int64; + secret (@repr WORDSIZE64 10970295158949994411) : int64; + secret (@repr WORDSIZE64 12119686244451234320) : int64; + secret (@repr WORDSIZE64 12683024718118986047) : int64; + secret (@repr WORDSIZE64 13788192230050041572) : int64; + secret (@repr WORDSIZE64 14330467153632333762) : int64; + secret (@repr WORDSIZE64 15395433587784984357) : int64; + secret (@repr WORDSIZE64 489312712824947311) : int64; + secret (@repr WORDSIZE64 1452737877330783856) : int64; + secret (@repr WORDSIZE64 2861767655752347644) : int64; + secret (@repr WORDSIZE64 3322285676063803686) : int64; + secret (@repr WORDSIZE64 5560940570517711597) : int64; + secret (@repr WORDSIZE64 5996557281743188959) : int64; + secret (@repr WORDSIZE64 7280758554555802590) : int64; + secret (@repr WORDSIZE64 8532644243296465576) : int64; + secret (@repr WORDSIZE64 9350256976987008742) : int64; + secret (@repr WORDSIZE64 10552545826968843579) : int64; + secret (@repr WORDSIZE64 11727347734174303076) : int64; + secret (@repr WORDSIZE64 12113106623233404929) : int64; + secret (@repr WORDSIZE64 14000437183269869457) : int64; + secret (@repr WORDSIZE64 14369950271660146224) : int64; + secret (@repr WORDSIZE64 15101387698204529176) : int64; + secret (@repr WORDSIZE64 15463397548674623760) : int64; + secret (@repr WORDSIZE64 17586052441742319658) : int64; + secret (@repr WORDSIZE64 1182934255886127544) : int64; + secret (@repr WORDSIZE64 1847814050463011016) : int64; + secret (@repr WORDSIZE64 2177327727835720531) : int64; + secret (@repr WORDSIZE64 2830643537854262169) : int64; + secret (@repr WORDSIZE64 3796741975233480872) : int64; + secret (@repr WORDSIZE64 4115178125766777443) : int64; + secret (@repr WORDSIZE64 5681478168544905931) : int64; + secret (@repr WORDSIZE64 6601373596472566643) : int64; + secret (@repr WORDSIZE64 7507060721942968483) : int64; + secret (@repr WORDSIZE64 8399075790359081724) : int64; + secret (@repr WORDSIZE64 8693463985226723168) : int64; + secret (@repr WORDSIZE64 9568029438360202098) : int64; + secret (@repr WORDSIZE64 10144078919501101548) : int64; + secret (@repr WORDSIZE64 10430055236837252648) : int64; + secret (@repr WORDSIZE64 11840083180663258601) : int64; + secret (@repr WORDSIZE64 13761210420658862357) : int64; + secret (@repr WORDSIZE64 14299343276471374635) : int64; + secret (@repr WORDSIZE64 14566680578165727644) : int64; + secret (@repr WORDSIZE64 15097957966210449927) : int64; + secret (@repr WORDSIZE64 16922976911328602910) : int64; + secret (@repr WORDSIZE64 17689382322260857208) : int64; + secret (@repr WORDSIZE64 500013540394364858) : int64; + secret (@repr WORDSIZE64 748580250866718886) : int64; + secret (@repr WORDSIZE64 1242879168328830382) : int64; + secret (@repr WORDSIZE64 1977374033974150939) : int64; + secret (@repr WORDSIZE64 2944078676154940804) : int64; + secret (@repr WORDSIZE64 3659926193048069267) : int64; + secret (@repr WORDSIZE64 4368137639120453308) : int64; + secret (@repr WORDSIZE64 4836135668995329356) : int64; + secret (@repr WORDSIZE64 5532061633213252278) : int64; + secret (@repr WORDSIZE64 6448918945643986474) : int64; + secret (@repr WORDSIZE64 6902733635092675308) : int64; + secret (@repr WORDSIZE64 7801388544844847127) : int64 + ] in l). + +Definition hash_init_v : hash_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 7640891576956012808) : int64; + secret (@repr WORDSIZE64 13503953896175478587) : int64; + secret (@repr WORDSIZE64 4354685564936845355) : int64; + secret (@repr WORDSIZE64 11912009170470909681) : int64; + secret (@repr WORDSIZE64 5840696475078001361) : int64; + secret (@repr WORDSIZE64 11170449401992604703) : int64; + secret (@repr WORDSIZE64 2270897969802886507) : int64; + secret (@repr WORDSIZE64 6620516959819538809) : int64 + ] in l). + +Definition sigma + (x_2246 : uint64) + (i_2247 : uint_size) + (op_2248 : uint_size) + : uint64 := + let tmp_2249 : uint64 := + uint64_rotate_right (x_2246) (array_index (op_table_v) (((usize 3) * ( + i_2247)) + (usize 2))) in + let '(tmp_2249) := + if (op_2248) =.? (usize 0):bool then (let tmp_2249 := + (x_2246) shift_right (array_index (op_table_v) (((usize 3) * ( + i_2247)) + (usize 2))) in + (tmp_2249)) else ((tmp_2249)) in + ((uint64_rotate_right (x_2246) (array_index (op_table_v) ((usize 3) * ( + i_2247)))) .^ (uint64_rotate_right (x_2246) (array_index ( + op_table_v) (((usize 3) * (i_2247)) + (usize 1))))) .^ (tmp_2249). + +Definition schedule (block_2250 : block_t) : round_constants_table_t := + let b_2251 : seq uint64 := + array_to_be_uint64s (block_2250) in + let s_2252 : round_constants_table_t := + array_new_ (default : uint64) (k_size_v) in + let s_2252 := + foldi (usize 0) (k_size_v) (fun i_2253 s_2252 => + let '(s_2252) := + if (i_2253) <.? (usize 16):bool then (let s_2252 := + array_upd s_2252 (i_2253) (seq_index (b_2251) (i_2253)) in + (s_2252)) else (let t16_2254 : uint64 := + array_index (s_2252) ((i_2253) - (usize 16)) in + let t15_2255 : uint64 := + array_index (s_2252) ((i_2253) - (usize 15)) in + let t7_2256 : uint64 := + array_index (s_2252) ((i_2253) - (usize 7)) in + let t2_2257 : uint64 := + array_index (s_2252) ((i_2253) - (usize 2)) in + let s1_2258 : uint64 := + sigma (t2_2257) (usize 3) (usize 0) in + let s0_2259 : uint64 := + sigma (t15_2255) (usize 2) (usize 0) in + let s_2252 := + array_upd s_2252 (i_2253) ((((s1_2258) .+ (t7_2256)) .+ ( + s0_2259)) .+ (t16_2254)) in + (s_2252)) in + (s_2252)) + s_2252 in + s_2252. + +Definition shuffle + (ws_2260 : round_constants_table_t) + (hashi_2261 : hash_t) + : hash_t := + let h_2262 : hash_t := + hashi_2261 in + let h_2262 := + foldi (usize 0) (k_size_v) (fun i_2263 h_2262 => + let a0_2264 : uint64 := + array_index (h_2262) (usize 0) in + let b0_2265 : uint64 := + array_index (h_2262) (usize 1) in + let c0_2266 : uint64 := + array_index (h_2262) (usize 2) in + let d0_2267 : uint64 := + array_index (h_2262) (usize 3) in + let e0_2268 : uint64 := + array_index (h_2262) (usize 4) in + let f0_2269 : uint64 := + array_index (h_2262) (usize 5) in + let g0_2270 : uint64 := + array_index (h_2262) (usize 6) in + let h0_2271 : uint64 := + array_index (h_2262) (usize 7) in + let t1_2272 : uint64 := + ((((h0_2271) .+ (sigma (e0_2268) (usize 1) (usize 1))) .+ (ch ( + e0_2268) (f0_2269) (g0_2270))) .+ (array_index (k_table_v) ( + i_2263))) .+ (array_index (ws_2260) (i_2263)) in + let t2_2273 : uint64 := + (sigma (a0_2264) (usize 0) (usize 1)) .+ (maj (a0_2264) (b0_2265) ( + c0_2266)) in + let h_2262 := + array_upd h_2262 (usize 0) ((t1_2272) .+ (t2_2273)) in + let h_2262 := + array_upd h_2262 (usize 1) (a0_2264) in + let h_2262 := + array_upd h_2262 (usize 2) (b0_2265) in + let h_2262 := + array_upd h_2262 (usize 3) (c0_2266) in + let h_2262 := + array_upd h_2262 (usize 4) ((d0_2267) .+ (t1_2272)) in + let h_2262 := + array_upd h_2262 (usize 5) (e0_2268) in + let h_2262 := + array_upd h_2262 (usize 6) (f0_2269) in + let h_2262 := + array_upd h_2262 (usize 7) (g0_2270) in + (h_2262)) + h_2262 in + h_2262. + +Definition compress (block_2274 : block_t) (h_in_2275 : hash_t) : hash_t := + let s_2276 : round_constants_table_t := + schedule (block_2274) in + let h_2277 : hash_t := + shuffle (s_2276) (h_in_2275) in + let h_2277 := + foldi (usize 0) (usize 8) (fun i_2278 h_2277 => + let h_2277 := + array_upd h_2277 (i_2278) ((array_index (h_2277) (i_2278)) .+ ( + array_index (h_in_2275) (i_2278))) in + (h_2277)) + h_2277 in + h_2277. + +Definition hash (msg_2279 : byte_seq) : sha512_digest_t := + let h_2280 : hash_t := + hash_init_v in + let last_block_2281 : block_t := + array_new_ (default : uint8) (block_size_v) in + let last_block_len_2282 : uint_size := + usize 0 in + let '(h_2280, last_block_2281, last_block_len_2282) := + foldi (usize 0) (seq_num_chunks (msg_2279) (block_size_v)) (fun i_2283 '( + h_2280, + last_block_2281, + last_block_len_2282 + ) => + let '(block_len_2284, block_2285) := + seq_get_chunk (msg_2279) (block_size_v) (i_2283) in + let '(h_2280, last_block_2281, last_block_len_2282) := + if (block_len_2284) <.? (block_size_v):bool then (let last_block_2281 := + array_update_start (array_new_ (default : uint8) (block_size_v)) ( + block_2285) in + let last_block_len_2282 := + block_len_2284 in + (h_2280, last_block_2281, last_block_len_2282)) else ( + let compress_input_2286 : block_t := + array_from_seq (block_size_v) (block_2285) in + let h_2280 := + compress (compress_input_2286) (h_2280) in + (h_2280, last_block_2281, last_block_len_2282)) in + (h_2280, last_block_2281, last_block_len_2282)) + (h_2280, last_block_2281, last_block_len_2282) in + let last_block_2281 := + array_upd last_block_2281 (last_block_len_2282) (secret ( + @repr WORDSIZE8 128) : int8) in + let len_bist_2287 : uint128 := + secret (pub_u128 ((seq_len (msg_2279)) * (usize 8))) : int128 in + let '(h_2280, last_block_2281) := + if (last_block_len_2282) <.? ((block_size_v) - (len_size_v)):bool then ( + let last_block_2281 := + array_update (last_block_2281) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint128_to_be_bytes (len_bist_2287))) in + let h_2280 := + compress (last_block_2281) (h_2280) in + (h_2280, last_block_2281)) else (let pad_block_2288 : block_t := + array_new_ (default : uint8) (block_size_v) in + let pad_block_2288 := + array_update (pad_block_2288) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint128_to_be_bytes (len_bist_2287))) in + let h_2280 := + compress (last_block_2281) (h_2280) in + let h_2280 := + compress (pad_block_2288) (h_2280) in + (h_2280, last_block_2281)) in + array_from_seq (hash_size_v) (array_to_be_bytes (h_2280)). + +Definition sha512 (msg_2289 : byte_seq) : sha512_digest_t := + hash (msg_2289). + diff --git a/proof-libs/coq/_vc/Pearlite_Example.v b/proof-libs/coq/_vc/Pearlite_Example.v new file mode 100644 index 000000000..993993b23 --- /dev/null +++ b/proof-libs/coq/_vc/Pearlite_Example.v @@ -0,0 +1,19 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition ensure_something (x_0 : int8) (y_1 : int8) `{x_0 = y_1} : bool := + (x_0) =.? (y_1). + +Theorem ensures_ensure_something : forall result_2 (x_0 : int8) (y_1 : int8), + forall {H_0 : x_0 = y_1}, + @ensure_something x_0 y_1 H_0 = result_2 -> + ~ (result_2 = false). + Proof. Admitted. + diff --git a/proof-libs/coq/_vc/Strobe.v b/proof-libs/coq/_vc/Strobe.v new file mode 100644 index 000000000..62958a562 --- /dev/null +++ b/proof-libs/coq/_vc/Strobe.v @@ -0,0 +1,305 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha3. + +Definition strobe_r_v : int8 := + @repr WORDSIZE8 166. + +Definition flag_i_v : int8 := + @repr WORDSIZE8 1. + +Definition flag_a_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 1). + +Definition flag_c_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 2). + +Definition flag_m_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 4). + +Definition flag_k_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 5). + +Notation "'state_uint64_t'" := (state_t) : hacspec_scope. + +Definition state_uint8_t := nseq (uint8) (usize 200). + +Notation "'strobe_t'" := ((state_uint8_t '× int8 '× int8 '× int8 +)) : hacspec_scope. + +Definition transmute_state_to_u64 + (state_986 : state_uint8_t) + : state_uint64_t := + let new_state_987 : state_t := + array_new_ (default : uint64) (25) in + let new_state_987 := + foldi (usize 0) (array_len (new_state_987)) (fun i_988 new_state_987 => + let word_989 : uint64_word_t := + array_new_ (default : uint8) (8) in + let word_989 := + foldi (usize 0) (array_len (word_989)) (fun j_990 word_989 => + let word_989 := + array_upd word_989 (j_990) (array_index (state_986) (((i_988) * ( + usize 8)) + (j_990))) in + (word_989)) + word_989 in + let new_state_987 := + array_upd new_state_987 (i_988) (uint64_from_le_bytes (word_989)) in + (new_state_987)) + new_state_987 in + new_state_987. + +Definition transmute_state_to_u8 (state_991 : state_uint64_t) : state_uint8_t := + let new_state_992 : state_uint8_t := + array_new_ (default : uint8) (200) in + let new_state_992 := + foldi (usize 0) (array_len (state_991)) (fun i_993 new_state_992 => + let bytes_994 : seq uint8 := + uint64_to_le_bytes (array_index (state_991) (i_993)) in + let new_state_992 := + foldi (usize 0) (seq_len (bytes_994)) (fun j_995 new_state_992 => + let new_state_992 := + array_upd new_state_992 (((i_993) * (usize 8)) + (j_995)) ( + seq_index (bytes_994) (j_995)) in + (new_state_992)) + new_state_992 in + (new_state_992)) + new_state_992 in + new_state_992. + +Definition run_f (strobe_996 : strobe_t) : strobe_t := + let '(state_997, pos_998, pos_begin_999, cur_fl_1000) := + strobe_996 in + let state_997 := + array_upd state_997 (pos_998) ((array_index (state_997) (pos_998)) .^ ( + secret (pos_begin_999) : int8)) in + let state_997 := + array_upd state_997 ((pos_998) .+ (@repr WORDSIZE8 1)) ((array_index ( + state_997) ((pos_998) .+ (@repr WORDSIZE8 1))) .^ (secret ( + @repr WORDSIZE8 4) : int8)) in + let state_997 := + array_upd state_997 ((strobe_r_v) .+ (@repr WORDSIZE8 1)) ((array_index ( + state_997) ((strobe_r_v) .+ (@repr WORDSIZE8 1))) .^ (secret ( + @repr WORDSIZE8 128) : int8)) in + let state_uint64_1001 : state_t := + transmute_state_to_u64 (state_997) in + let state_997 := + transmute_state_to_u8 (keccakf1600 (state_uint64_1001)) in + let pos_998 := + @repr WORDSIZE8 0 in + let pos_begin_999 := + @repr WORDSIZE8 0 in + (state_997, pos_998, pos_begin_999, cur_fl_1000). + +Definition absorb (strobe_1002 : strobe_t) (data_1003 : seq uint8) : strobe_t := + let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := + strobe_1002 in + let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := + foldi (usize 0) (seq_len (data_1003)) (fun i_1008 '( + state_1004, + pos_1005, + pos_begin_1006, + cur_fl_1007 + ) => + let state_1004 := + array_upd state_1004 (pos_1005) ((array_index (state_1004) ( + pos_1005)) .^ (seq_index (data_1003) (i_1008))) in + let pos_1005 := + (pos_1005) .+ (@repr WORDSIZE8 1) in + let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := + if (pos_1005) =.? (strobe_r_v):bool then (let '( + s_1009, + p_1010, + pb_1011, + cf_1012 + ) := + run_f ((state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) in + let state_1004 := + s_1009 in + let pos_1005 := + p_1010 in + let pos_begin_1006 := + pb_1011 in + let cur_fl_1007 := + cf_1012 in + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) else (( + state_1004, + pos_1005, + pos_begin_1006, + cur_fl_1007 + )) in + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007) in + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007). + +Definition squeeze + (strobe_1013 : strobe_t) + (data_1014 : seq uint8) + : (strobe_t '× seq uint8) := + let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := + strobe_1013 in + let '(data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := + foldi (usize 0) (seq_len (data_1014)) (fun i_1019 '( + data_1014, + state_1015, + pos_1016, + pos_begin_1017, + cur_fl_1018 + ) => + let data_1014 := + seq_upd data_1014 (i_1019) (array_index (state_1015) (pos_1016)) in + let state_1015 := + array_upd state_1015 (pos_1016) (uint8_classify (@repr WORDSIZE8 0)) in + let pos_1016 := + (pos_1016) .+ (@repr WORDSIZE8 1) in + let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := + if (pos_1016) =.? (strobe_r_v):bool then (let '( + s_1020, + p_1021, + pb_1022, + cf_1023 + ) := + run_f (((state_1015), pos_1016, pos_begin_1017, cur_fl_1018)) in + let state_1015 := + s_1020 in + let pos_1016 := + p_1021 in + let pos_begin_1017 := + pb_1022 in + let cur_fl_1018 := + cf_1023 in + (state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) else (( + state_1015, + pos_1016, + pos_begin_1017, + cur_fl_1018 + )) in + (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) + (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) in + ((state_1015, pos_1016, pos_begin_1017, cur_fl_1018), data_1014). + +Definition begin_op + (strobe_1024 : strobe_t) + (flags_1025 : int8) + (more_1026 : bool) + : strobe_t := + let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030) := + strobe_1024 in + let ret_1031 : (state_uint8_t '× int8 '× int8 '× int8) := + (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in + let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031) := + if negb (more_1026):bool then (let old_begin_1032 : int8 := + pos_begin_1029 in + let pos_begin_1029 := + (pos_1028) .+ (@repr WORDSIZE8 1) in + let cur_fl_1030 := + flags_1025 in + let data_1033 : seq uint8 := + seq_new_ (default : uint8) (usize 2) in + let data_1033 := + seq_upd data_1033 (usize 0) (secret (old_begin_1032) : int8) in + let data_1033 := + seq_upd data_1033 (usize 1) (secret (flags_1025) : int8) in + let '(s_1034, p_1035, pb_1036, cf_1037) := + absorb ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) ( + data_1033) in + let state_1027 := + s_1034 in + let pos_1028 := + p_1035 in + let pos_begin_1029 := + pb_1036 in + let cur_fl_1030 := + cf_1037 in + let force_f_1038 : bool := + (@repr WORDSIZE8 0) !=.? ((flags_1025) .& ((flag_c_v) .| ( + flag_k_v))) in + let '(ret_1031) := + if (force_f_1038) && ((pos_1028) !=.? (@repr WORDSIZE8 0)):bool then ( + let ret_1031 := + run_f ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) in + (ret_1031)) else (let ret_1031 := + (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in + (ret_1031)) in + (state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031)) else (( + state_1027, + pos_1028, + pos_begin_1029, + cur_fl_1030, + ret_1031 + )) in + ret_1031. + +Definition new_strobe (protocol_label_1039 : seq uint8) : strobe_t := + let st_1040 : state_uint8_t := + array_new_ (default : uint8) (200) in + let st_1040 := + array_set_chunk (st_1040) (usize 6) (usize 0) ([ + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 96) : int8 + ]) in + let st_1040 := + array_set_chunk (st_1040) (usize 6) (usize 1) ([ + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 84) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 69) : int8 + ]) in + let st_1040 := + array_set_chunk (st_1040) (usize 6) (usize 2) ([ + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 48) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 50) : int8 + ]) in + let st_uint64_1041 : state_t := + transmute_state_to_u64 (st_1040) in + let st_1040 := + transmute_state_to_u8 (keccakf1600 (st_uint64_1041)) in + meta_ad ((st_1040, @repr WORDSIZE8 0, @repr WORDSIZE8 0, @repr WORDSIZE8 0)) ( + protocol_label_1039) (false). + +Definition meta_ad + (strobe_1042 : strobe_t) + (data_1043 : seq uint8) + (more_1044 : bool) + : strobe_t := + let strobe_1042 := + begin_op (strobe_1042) ((flag_m_v) .| (flag_a_v)) (more_1044) in + absorb (strobe_1042) (data_1043). + +Definition ad + (strobe_1045 : strobe_t) + (data_1046 : seq uint8) + (more_1047 : bool) + : strobe_t := + let strobe_1045 := + begin_op (strobe_1045) (flag_a_v) (more_1047) in + absorb (strobe_1045) (data_1046). + +Definition prf + (strobe_1048 : strobe_t) + (data_1049 : seq uint8) + (more_1050 : bool) + : (strobe_t '× seq uint8) := + let strobe_1048 := + begin_op (strobe_1048) (((flag_i_v) .| (flag_a_v)) .| (flag_c_v)) ( + more_1050) in + squeeze (strobe_1048) (data_1049). + diff --git a/proof-libs/coq/_vc/Tls_Cryptolib.v b/proof-libs/coq/_vc/Tls_Cryptolib.v new file mode 100644 index 000000000..0f2e2125a --- /dev/null +++ b/proof-libs/coq/_vc/Tls_Cryptolib.v @@ -0,0 +1,673 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Aes. + +Require Import Hacspec_Aes128_Gcm. + +Require Import Hacspec_Chacha20. + +Require Import Hacspec_Chacha20poly1305. + +Require Import Hacspec_Curve25519. + +Require Import Hacspec_Ecdsa_P256_Sha256. + +Require Import Hacspec_Gf128. + +Require Import Hacspec_Hkdf. + +Require Import Hacspec_Hmac. + +Require Import Hacspec_P256. + +Require Import Hacspec_Poly1305. + +Require Import Hacspec_Sha256. + +Inductive crypto_error_t := +| CryptoError : crypto_error_t +| HkdfError : crypto_error_t +| InsufficientEntropy : crypto_error_t +| InvalidCert : crypto_error_t +| MacFailed : crypto_error_t +| UnsupportedAlgorithm : crypto_error_t +| VerifyFailed : crypto_error_t. + +Definition empty : byte_seq := + seq_new_ (default : uint8) (usize 0). + +Definition zeros (u_0 : uint_size) : byte_seq := + seq_new_ (default : uint8) (u_0). + +Notation "'entropy_t'" := (byte_seq) : hacspec_scope. + +Definition random_t := nseq (uint8) (usize 32). + +Notation "'dh_sk_t'" := (byte_seq) : hacspec_scope. + +Notation "'dh_pk_t'" := (byte_seq) : hacspec_scope. + +Notation "'signature_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'verification_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'mac_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'key_t'" := (byte_seq) : hacspec_scope. + +Notation "'psk_t'" := (key_t) : hacspec_scope. + +Notation "'digest_t'" := (byte_seq) : hacspec_scope. + +Notation "'hmac_t'" := (byte_seq) : hacspec_scope. + +Notation "'signature_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_iv_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_key_iv_t'" := ((aead_key_t '× aead_iv_t)) : hacspec_scope. + +Inductive named_group_t := +| X25519 : named_group_t +| Secp256r1 : named_group_t. + +Definition eqb_named_group_t (x y : named_group_t) : bool := +match x with + | X25519 => match y with | X25519=> true | _ => false end + | Secp256r1 => match y with | Secp256r1=> true | _ => false end + end. + +Definition eqb_leibniz_named_group_t (x y : named_group_t) : eqb_named_group_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_named_group_t : EqDec (named_group_t) := +Build_EqDec (named_group_t) (eqb_named_group_t) (eqb_leibniz_named_group_t). + + +Inductive hash_algorithm_t := +| SHA256 : hash_algorithm_t +| SHA384 : hash_algorithm_t. + +Definition eqb_hash_algorithm_t (x y : hash_algorithm_t) : bool := +match x with + | SHA256 => match y with | SHA256=> true | _ => false end + | SHA384 => match y with | SHA384=> true | _ => false end + end. + +Definition eqb_leibniz_hash_algorithm_t (x y : hash_algorithm_t) : eqb_hash_algorithm_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_hash_algorithm_t : EqDec (hash_algorithm_t) := +Build_EqDec (hash_algorithm_t) (eqb_hash_algorithm_t) (eqb_leibniz_hash_algorithm_t). + + +Inductive aead_algorithm_t := +| Chacha20Poly1305 : aead_algorithm_t +| Aes128Gcm : aead_algorithm_t +| Aes256Gcm : aead_algorithm_t. + +Definition eqb_aead_algorithm_t (x y : aead_algorithm_t) : bool := +match x with + | Chacha20Poly1305 => match y with | Chacha20Poly1305=> true | _ => false end + | Aes128Gcm => match y with | Aes128Gcm=> true | _ => false end + | Aes256Gcm => match y with | Aes256Gcm=> true | _ => false end + end. + +Definition eqb_leibniz_aead_algorithm_t (x y : aead_algorithm_t) : eqb_aead_algorithm_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_aead_algorithm_t : EqDec (aead_algorithm_t) := +Build_EqDec (aead_algorithm_t) (eqb_aead_algorithm_t) (eqb_leibniz_aead_algorithm_t). + + +Inductive signature_scheme_t := +| ED25519 : signature_scheme_t +| EcdsaSecp256r1Sha256 : signature_scheme_t +| RsaPssRsaSha256 : signature_scheme_t. + +Definition eqb_signature_scheme_t (x y : signature_scheme_t) : bool := +match x with + | ED25519 => match y with | ED25519=> true | _ => false end + | EcdsaSecp256r1Sha256 => + match y with + | EcdsaSecp256r1Sha256=> true + | _ => false + end + | RsaPssRsaSha256 => match y with | RsaPssRsaSha256=> true | _ => false end + end. + +Definition eqb_leibniz_signature_scheme_t (x y : signature_scheme_t) : eqb_signature_scheme_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_signature_scheme_t : EqDec (signature_scheme_t) := +Build_EqDec (signature_scheme_t) (eqb_signature_scheme_t) (eqb_leibniz_signature_scheme_t). + + +Definition hash_len (ha_1 : hash_algorithm_t) : uint_size := + match ha_1 with | SHA256 => usize 32 | SHA384 => usize 48 end. + +Definition hmac_key_len (ha_2 : hash_algorithm_t) : uint_size := + match ha_2 with | SHA256 => usize 32 | SHA384 => usize 48 end. + +Definition ae_key_len (ae_3 : aead_algorithm_t) : uint_size := + match ae_3 with + | Chacha20Poly1305 => usize 32 + | Aes128Gcm => usize 16 + | Aes256Gcm => usize 16 + end. + +Definition ae_iv_len (ae_4 : aead_algorithm_t) : uint_size := + match ae_4 with + | Chacha20Poly1305 => usize 12 + | Aes128Gcm => usize 12 + | Aes256Gcm => usize 12 + end. + +Definition dh_priv_len (gn_5 : named_group_t) : uint_size := + match gn_5 with | X25519 => usize 32 | Secp256r1 => usize 32 end. + +Definition dh_pub_len (gn_6 : named_group_t) : uint_size := + match gn_6 with | X25519 => usize 32 | Secp256r1 => usize 64 end. + +Definition zero_key (ha_7 : hash_algorithm_t) : key_t := + seq_new_ (default : uint8) (usize (hash_len (ha_7))). + +Definition secret_to_public + (group_name_8 : named_group_t) + (x_9 : dh_sk_t) + : (result dh_pk_t crypto_error_t) := + match group_name_8 with + | Secp256r1 => match p256_point_mul_base (nat_mod_from_byte_seq_be ( + x_9) : p256_scalar_t) with + | Ok ((x_10, y_11)) => @Ok dh_pk_t crypto_error_t (seq_concat ( + nat_mod_to_byte_seq_be (x_10)) (nat_mod_to_byte_seq_be (y_11))) + | Err (_) => @Err dh_pk_t crypto_error_t (CryptoError) + end + | X25519 => @Ok dh_pk_t crypto_error_t (seq_from_seq ( + array_to_seq (x25519_secret_to_public (array_from_seq (32) (x_9))))) + end. + +Definition p256_check_point_len + (p_12 : dh_pk_t) + : (result unit crypto_error_t) := + (if ((seq_len (p_12)) !=.? (usize 64)):bool then (@Err unit crypto_error_t ( + CryptoError)) else (@Ok unit crypto_error_t (tt))). + +Definition p256_ecdh + (x_13 : dh_sk_t) + (y_14 : dh_pk_t) + : (result key_t crypto_error_t) := + bind (p256_check_point_len (y_14)) (fun _ => let pk_15 : ( + p256_field_element_t '× + p256_field_element_t + ) := + ( + nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 0, usize 32 + ))) : p256_field_element_t, + nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 32, usize 64 + ))) : p256_field_element_t + ) in + match p256_point_mul (nat_mod_from_byte_seq_be (x_13) : p256_scalar_t) ( + pk_15) with + | Ok ((x_16, y_17)) => @Ok key_t crypto_error_t (seq_concat ( + nat_mod_to_byte_seq_be (x_16)) (nat_mod_to_byte_seq_be (y_17))) + | Err (_) => @Err key_t crypto_error_t (CryptoError) + end). + +Definition ecdh + (group_name_18 : named_group_t) + (x_19 : dh_sk_t) + (y_20 : dh_pk_t) + : (result key_t crypto_error_t) := + match group_name_18 with + | Secp256r1 => p256_ecdh (x_19) (y_20) + | X25519 => @Ok key_t crypto_error_t (seq_from_seq ( + array_to_seq (x25519_scalarmult (array_from_seq (32) (x_19)) ( + array_from_seq (32) (y_20))))) + end. + +Notation "'kem_scheme_t'" := (named_group_t) : hacspec_scope. + +Notation "'kem_sk_t'" := (byte_seq) : hacspec_scope. + +Notation "'kem_pk_t'" := (byte_seq) : hacspec_scope. + +Definition kem_priv_len (ks_21 : kem_scheme_t) : uint_size := + dh_priv_len (ks_21). + +Definition kem_pub_len (ks_22 : kem_scheme_t) : uint_size := + dh_pub_len (ks_22). + +Definition kem_priv_to_pub + (ks_23 : kem_scheme_t) + (sk_24 : kem_sk_t) + : (result kem_pk_t crypto_error_t) := + secret_to_public (ks_23) (sk_24). + +Definition kem_keygen_inner + (ks_25 : kem_scheme_t) + (ent_26 : entropy_t) + : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := + let sk_27 : seq uint8 := + seq_from_seq (seq_slice_range (ent_26) ((usize 0, dh_priv_len (ks_25)))) in + bind (kem_priv_to_pub (ks_25) (sk_27)) (fun pk_28 => @Ok ( + kem_sk_t '× + kem_pk_t + ) crypto_error_t ((sk_27, pk_28))). + +Definition kem_keygen + (ks_29 : kem_scheme_t) + (ent_30 : entropy_t) + : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := + (if ((seq_len (ent_30)) <.? (dh_priv_len (ks_29))):bool then (@Err ( + kem_sk_t '× + kem_pk_t + ) crypto_error_t (InsufficientEntropy)) else (kem_keygen_inner (ks_29) ( + ent_30))). + +Definition kem_encap + (ks_31 : kem_scheme_t) + (pk_32 : kem_pk_t) + (ent_33 : entropy_t) + : (result (key_t '× byte_seq) crypto_error_t) := + bind (kem_keygen (ks_31) (ent_33)) (fun '(x_34, gx_35) => bind (ecdh (ks_31) ( + x_34) (pk_32)) (fun gxy_36 => @Ok (key_t '× byte_seq) crypto_error_t (( + gxy_36, + gx_35 + )))). + +Definition kem_decap + (ks_37 : kem_scheme_t) + (ct_38 : byte_seq) + (sk_39 : kem_sk_t) + : (result key_t crypto_error_t) := + bind (ecdh (ks_37) (sk_39) (ct_38)) (fun gxy_40 => @Ok key_t crypto_error_t ( + gxy_40)). + +Definition hash + (ha_41 : hash_algorithm_t) + (payload_42 : byte_seq) + : (result digest_t crypto_error_t) := + match ha_41 with + | SHA256 => @Ok digest_t crypto_error_t (seq_from_seq (array_to_seq (sha256 ( + payload_42)))) + | SHA384 => @Err digest_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hmac_tag + (ha_43 : hash_algorithm_t) + (mk_44 : mac_key_t) + (payload_45 : byte_seq) + : (result hmac_t crypto_error_t) := + match ha_43 with + | SHA256 => @Ok hmac_t crypto_error_t (seq_from_seq (array_to_seq (hmac ( + mk_44) (payload_45)))) + | SHA384 => @Err hmac_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition check_tag_len + (a_46 : hmac_t) + (b_47 : hmac_t) + : (result unit crypto_error_t) := + (if ((seq_len (a_46)) =.? (seq_len (b_47))):bool then ( + @Ok unit crypto_error_t (tt)) else (@Err unit crypto_error_t ( + MacFailed))). + +Definition check_bytes + (a_48 : uint8) + (b_49 : uint8) + : (result unit crypto_error_t) := + (if (negb (uint8_equal (a_48) (b_49))):bool then (@Err unit crypto_error_t ( + MacFailed)) else (@Ok unit crypto_error_t (tt))). + +Definition hmac_verify + (ha_50 : hash_algorithm_t) + (mk_51 : mac_key_t) + (payload_52 : byte_seq) + (m_53 : hmac_t) + : (result unit crypto_error_t) := + bind (hmac_tag (ha_50) (mk_51) (payload_52)) (fun my_hmac_54 => bind ( + check_tag_len (m_53) (my_hmac_54)) (fun _ => bind (foldibnd (usize 0) to ( + seq_len (m_53)) for tt >> (fun i_55 'tt => + bind (check_bytes (seq_index (my_hmac_54) (i_55)) (seq_index (m_53) ( + i_55))) (fun _ => @Ok unit crypto_error_t (tt)))) (fun _ => + @Ok unit crypto_error_t (tt)))). + +Definition ec_oid_tag_t := nseq (uint8) (usize 9). + +Definition get_length_length (b_56 : byte_seq) : uint_size := + (if (((uint8_declassify (seq_index (b_56) (usize 0))) shift_right ( + usize 7)) =.? (@repr WORDSIZE8 1)):bool then ( + declassify_usize_from_uint8 ((seq_index (b_56) (usize 0)) .& (secret ( + @repr WORDSIZE8 127) : int8))) else (usize 0)). + +Definition get_length (b_57 : byte_seq) (len_58 : uint_size) : uint_size := + (@cast _ uint32 _ (declassify_u32_from_uint32 (uint32_from_be_bytes ( + array_from_slice (default : uint8) (4) (b_57) (usize 0) ( + len_58))))) usize_shift_right (((usize 4) - (len_58)) * (usize 8)). + +Definition get_short_length (b_59 : byte_seq) : uint_size := + declassify_usize_from_uint8 ((seq_index (b_59) (usize 0)) .& (secret ( + @repr WORDSIZE8 127) : int8)). + +Definition verification_key_from_cert + (cert_60 : byte_seq) + : (result verification_key_t crypto_error_t) := + let skip_61 : uint_size := + ((usize 2) + (get_length_length (seq_slice_range (cert_60) (( + usize 1, + seq_len (cert_60) + ))))) + (usize 1) in + let seq1_len_len_62 : uint_size := + get_length_length (seq_slice_range (cert_60) ((skip_61, seq_len (cert_60) + ))) in + let skip_63 : uint_size := + (skip_61) + (usize 1) in + let seq1_len_64 : uint_size := + get_length (seq_slice (cert_60) (skip_63) ((seq_len (cert_60)) - ( + skip_63))) (seq1_len_len_62) in + let seq1_65 : seq uint8 := + seq_slice_range (cert_60) (( + (skip_63) + (seq1_len_len_62), + ((skip_63) + (seq1_len_len_62)) + (seq1_len_64) + )) in + let pk_66 : seq uint8 := + seq_new_ (default : uint8) (usize 0) in + let '(seq1_65, pk_66) := + foldi (usize 0) (seq_len (seq1_65)) (fun i_67 '(seq1_65, pk_66) => + let '(seq1_65, pk_66) := + if (seq_len (seq1_65)) >.? (usize 0):bool then ( + let element_type_68 : int8 := + uint8_declassify (seq_index (seq1_65) (usize 0)) in + let seq1_65 := + seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in + let len_len_69 : uint_size := + get_length_length (seq1_65) in + let len_70 : uint_size := + get_short_length (seq1_65) in + let seq1_65 := + seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in + let '(len_70) := + if (len_len_69) !=.? (usize 0):bool then (let len_70 := + (get_length (seq1_65) (len_len_69)) + (len_len_69) in + (len_70)) else ((len_70)) in + let '(pk_66) := + if ((element_type_68) =.? (@repr WORDSIZE8 48)) && ((seq_len ( + pk_66)) =.? (usize 0)):bool then (let seq2_71 : seq uint8 := + seq_slice (seq1_65) (len_len_69) (len_70) in + let element_type_72 : int8 := + uint8_declassify (seq_index (seq2_71) (usize 0)) in + let seq2_73 : seq uint8 := + seq_slice (seq2_71) (usize 1) ((seq_len (seq2_71)) - ( + usize 1)) in + let '(pk_66) := + if (element_type_72) =.? (@repr WORDSIZE8 48):bool then ( + let len_len_74 : uint_size := + get_length_length (seq2_73) in + let '(pk_66) := + if (len_len_74) =.? (usize 0):bool then ( + let oid_len_75 : uint_size := + get_short_length (seq2_73) in + let '(pk_66) := + if (oid_len_75) >=.? (usize 9):bool then ( + let expected_76 : seq uint8 := + seq_from_seq (array_to_seq (array_from_list uint8 ( + let l := + [ + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 7) : int8; + secret (@repr WORDSIZE8 42) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 1) : int8 + ] in l))) in + let oid_77 : seq uint8 := + seq_slice (seq2_73) (usize 1) (usize 9) in + let ec_pk_oid_78 : bool := + true in + let ec_pk_oid_78 := + foldi (usize 0) (usize 9) (fun i_79 ec_pk_oid_78 => + let oid_byte_equal_80 : bool := + (uint8_declassify (seq_index (oid_77) ( + i_79))) =.? (uint8_declassify (seq_index ( + expected_76) (i_79))) in + let ec_pk_oid_78 := + (ec_pk_oid_78) && (oid_byte_equal_80) in + (ec_pk_oid_78)) + ec_pk_oid_78 in + let '(pk_66) := + if ec_pk_oid_78:bool then ( + let bit_string_81 : seq uint8 := + seq_slice (seq2_73) ((oid_len_75) + (usize 1)) ( + ((seq_len (seq2_73)) - (oid_len_75)) - ( + usize 1)) in + let '(pk_66) := + if (uint8_declassify (seq_index ( + bit_string_81) (usize 0))) =.? ( + @repr WORDSIZE8 3):bool then ( + let pk_len_82 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 1)) in + let zeroes_83 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 2)) in + let uncompressed_84 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 3)) in + let pk_66 := + seq_slice (bit_string_81) (usize 4) (( + pk_len_82) - (usize 2)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + let seq1_65 := + seq_slice (seq1_65) (len_70) ((seq_len (seq1_65)) - (len_70)) in + (seq1_65, pk_66)) else ((seq1_65, pk_66)) in + (seq1_65, pk_66)) + (seq1_65, pk_66) in + (if ((seq_len (pk_66)) =.? (usize 0)):bool then ( + @Err verification_key_t crypto_error_t (InvalidCert)) else ( + @Ok verification_key_t crypto_error_t (pk_66))). + +Definition concat_signature + (r_85 : p256_scalar_t) + (s_86 : p256_scalar_t) + : (result signature_t crypto_error_t) := + let signature_87 : seq uint8 := + seq_concat (seq_concat (seq_new_ (default : uint8) (usize 0)) ( + nat_mod_to_byte_seq_be (r_85))) (nat_mod_to_byte_seq_be (s_86)) in + @Ok signature_t crypto_error_t (signature_87). + +Definition p256_sign + (ps_88 : signature_key_t) + (payload_89 : byte_seq) + (ent_90 : entropy_t) + : (result signature_t crypto_error_t) := + let random_91 : random_t := + array_from_seq (32) (seq_slice_range (ent_90) ((usize 0, usize 32))) in + let nonce_92 : p256_scalar_t := + nat_mod_from_byte_seq_be (array_to_seq (random_91)) : p256_scalar_t in + match ecdsa_p256_sha256_sign (payload_89) (nat_mod_from_byte_seq_be ( + ps_88) : p256_scalar_t) (nonce_92) with + | Ok ((r_93, s_94)) => concat_signature (r_93) (s_94) + | Err (_) => @Err signature_t crypto_error_t (CryptoError) + end. + +Definition sign + (sa_95 : signature_scheme_t) + (ps_96 : signature_key_t) + (payload_97 : byte_seq) + (ent_98 : entropy_t) + : (result signature_t crypto_error_t) := + match sa_95 with + | EcdsaSecp256r1Sha256 => p256_sign (ps_96) (payload_97) (ent_98) + | ED25519 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) + | RsaPssRsaSha256 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition p256_verify + (pk_99 : verification_key_t) + (payload_100 : byte_seq) + (sig_101 : byte_seq) + : (result unit crypto_error_t) := + let '(pk_x_102, pk_y_103) := + ( + nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 0) ( + usize 32)) : p256_field_element_t, + nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 32) ( + usize 32)) : p256_field_element_t + ) in + let '(r_104, s_105) := + ( + nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 0) ( + usize 32)) : p256_scalar_t, + nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 32) ( + usize 32)) : p256_scalar_t + ) in + match ecdsa_p256_sha256_verify (payload_100) ((pk_x_102, pk_y_103)) (( + r_104, + s_105 + )) with + | Ok (tt) => @Ok unit crypto_error_t (tt) + | Err (_) => @Err unit crypto_error_t (VerifyFailed) + end. + +Definition verify + (sa_106 : signature_scheme_t) + (pk_107 : verification_key_t) + (payload_108 : byte_seq) + (sig_109 : byte_seq) + : (result unit crypto_error_t) := + match sa_106 with + | EcdsaSecp256r1Sha256 => p256_verify (pk_107) (payload_108) (sig_109) + | ED25519 => @Err unit crypto_error_t (UnsupportedAlgorithm) + | RsaPssRsaSha256 => @Err unit crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hkdf_extract + (ha_110 : hash_algorithm_t) + (k_111 : key_t) + (salt_112 : key_t) + : (result key_t crypto_error_t) := + match ha_110 with + | SHA256 => @Ok key_t crypto_error_t (seq_from_seq (array_to_seq (extract ( + salt_112) (k_111)))) + | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hkdf_expand + (ha_113 : hash_algorithm_t) + (k_114 : key_t) + (info_115 : byte_seq) + (len_116 : uint_size) + : (result key_t crypto_error_t) := + match ha_113 with + | SHA256 => match expand (k_114) (info_115) (len_116) with + | Ok (b_117) => @Ok key_t crypto_error_t (seq_from_seq (b_117)) + | Err (_) => @Err key_t crypto_error_t (HkdfError) + end + | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition aes128_encrypt + (k_118 : aead_key_t) + (iv_119 : aead_iv_t) + (payload_120 : byte_seq) + (ad_121 : byte_seq) + : (result byte_seq crypto_error_t) := + let '(ctxt_122, tag_123) := + encrypt_aes128 (array_from_seq (_) (k_118)) (array_from_seq (_) (iv_119)) ( + ad_121) (payload_120) in + @Ok byte_seq crypto_error_t (seq_concat (ctxt_122) (seq_from_seq ( + array_to_seq (tag_123)))). + +Definition chacha_encrypt + (k_124 : aead_key_t) + (iv_125 : aead_iv_t) + (payload_126 : byte_seq) + (ad_127 : byte_seq) + : (result byte_seq crypto_error_t) := + let '(ctxt_128, tag_129) := + chacha20_poly1305_encrypt (array_from_seq (32) (k_124)) (array_from_seq ( + 12) (iv_125)) (ad_127) (payload_126) in + @Ok byte_seq crypto_error_t (seq_concat (ctxt_128) (array_to_seq (tag_129))). + +Definition aead_encrypt + (a_130 : aead_algorithm_t) + (k_131 : aead_key_t) + (iv_132 : aead_iv_t) + (payload_133 : byte_seq) + (ad_134 : byte_seq) + : (result byte_seq crypto_error_t) := + match a_130 with + | Aes128Gcm => aes128_encrypt (k_131) (iv_132) (payload_133) (ad_134) + | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) + | Chacha20Poly1305 => chacha_encrypt (k_131) (iv_132) (payload_133) (ad_134) + end. + +Definition aes128_decrypt + (k_135 : aead_key_t) + (iv_136 : aead_iv_t) + (ciphertext_137 : byte_seq) + (ad_138 : byte_seq) + : (result byte_seq crypto_error_t) := + match decrypt_aes128 (array_from_seq (_) (k_135)) (array_from_seq (_) ( + iv_136)) (ad_138) (seq_slice_range (ciphertext_137) (( + usize 0, + (seq_len (ciphertext_137)) - (usize 16) + ))) (array_from_seq (_) (seq_slice_range (ciphertext_137) (( + (seq_len (ciphertext_137)) - (usize 16), + seq_len (ciphertext_137) + )))) with + | Ok (m_139) => @Ok byte_seq crypto_error_t (m_139) + | Err (_) => @Err byte_seq crypto_error_t (MacFailed) + end. + +Definition chacha_decrypt + (k_140 : aead_key_t) + (iv_141 : aead_iv_t) + (ciphertext_142 : byte_seq) + (ad_143 : byte_seq) + : (result byte_seq crypto_error_t) := + match chacha20_poly1305_decrypt (array_from_seq (32) (k_140)) ( + array_from_seq (12) (iv_141)) (ad_143) (seq_slice_range (ciphertext_142) (( + usize 0, + (seq_len (ciphertext_142)) - (usize 16) + ))) (array_from_seq (16) (seq_slice_range (ciphertext_142) (( + (seq_len (ciphertext_142)) - (usize 16), + seq_len (ciphertext_142) + )))) with + | Ok (ptxt_144) => @Ok byte_seq crypto_error_t (ptxt_144) + | Err (_) => @Err byte_seq crypto_error_t (MacFailed) + end. + +Definition aead_decrypt + (a_145 : aead_algorithm_t) + (k_146 : aead_key_t) + (iv_147 : aead_iv_t) + (ciphertext_148 : byte_seq) + (ad_149 : byte_seq) + : (result byte_seq crypto_error_t) := + match a_145 with + | Aes128Gcm => aes128_decrypt (k_146) (iv_147) (ciphertext_148) (ad_149) + | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) + | Chacha20Poly1305 => chacha_decrypt (k_146) (iv_147) (ciphertext_148) ( + ad_149) + end. + diff --git a/proof-libs/coq/docker_build/Dockerfile b/proof-libs/coq/docker_build/Dockerfile new file mode 100644 index 000000000..2892719e2 --- /dev/null +++ b/proof-libs/coq/docker_build/Dockerfile @@ -0,0 +1,12 @@ +FROM coqorg/coq:8.16 +RUN curl https://sh.rustup.rs -sSf | sh -s -- -y +ENV PATH $HOME/.cargo/bin:$PATH +RUN rustup update +RUN rustup toolchain install nightly-2022-07-04 +RUN rustup component add --toolchain nightly-2022-07-04 rustc-dev llvm-tools-preview rust-analysis rust-src +RUN rustc --version +RUN cargo --version +RUN opam config list; opam repo list; opam list +RUN opam repo add coq-released https://coq.inria.fr/opam/released --all-switches +RUN opam update +RUN opam install coq-compcert coq-coqprime coq-quickchick --yes diff --git a/proof-libs/coq/src/Hacspec_Aes.v b/proof-libs/coq/src/Hacspec_Aes.v new file mode 100644 index 000000000..b87f94a3d --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Aes.v @@ -0,0 +1,720 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition blocksize_v : uint_size := + usize 16. + +Definition ivsize_v : uint_size := + usize 12. + +Definition key_length_v : uint_size := + usize 4. + +Definition rounds_v : uint_size := + usize 10. + +Definition key_schedule_length_v : uint_size := + usize 176. + +Definition iterations_v : uint_size := + usize 40. + +Definition invalid_key_expansion_index_v : int8 := + @repr WORDSIZE8 1. + +Definition block_t := nseq (uint8) (blocksize_v). + +Definition word_t := nseq (uint8) (key_length_v). + +Definition round_key_t := nseq (uint8) (blocksize_v). + +Definition aes_nonce_t := nseq (uint8) (ivsize_v). + +Definition s_box_t := nseq (uint8) (usize 256). + +Definition r_con_t := nseq (uint8) (usize 15). + +Definition bytes144_t := nseq (uint8) (usize 144). + +Definition bytes176_t := nseq (uint8) (key_schedule_length_v). + +Definition key128_t := nseq (uint8) (blocksize_v). + +Notation "'byte_seq_result_t'" := ((result byte_seq int8)) : hacspec_scope. + +Notation "'block_result_t'" := ((result block_t int8)) : hacspec_scope. + +Notation "'word_result_t'" := ((result word_t int8)) : hacspec_scope. + +Definition sbox_v : s_box_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 123) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 197) : int8; + secret (@repr WORDSIZE8 48) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 103) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 215) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 202) : int8; + secret (@repr WORDSIZE8 130) : int8; + secret (@repr WORDSIZE8 201) : int8; + secret (@repr WORDSIZE8 125) : int8; + secret (@repr WORDSIZE8 250) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 71) : int8; + secret (@repr WORDSIZE8 240) : int8; + secret (@repr WORDSIZE8 173) : int8; + secret (@repr WORDSIZE8 212) : int8; + secret (@repr WORDSIZE8 162) : int8; + secret (@repr WORDSIZE8 175) : int8; + secret (@repr WORDSIZE8 156) : int8; + secret (@repr WORDSIZE8 164) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 192) : int8; + secret (@repr WORDSIZE8 183) : int8; + secret (@repr WORDSIZE8 253) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 38) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 63) : int8; + secret (@repr WORDSIZE8 247) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 52) : int8; + secret (@repr WORDSIZE8 165) : int8; + secret (@repr WORDSIZE8 229) : int8; + secret (@repr WORDSIZE8 241) : int8; + secret (@repr WORDSIZE8 113) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 21) : int8; + secret (@repr WORDSIZE8 4) : int8; + secret (@repr WORDSIZE8 199) : int8; + secret (@repr WORDSIZE8 35) : int8; + secret (@repr WORDSIZE8 195) : int8; + secret (@repr WORDSIZE8 24) : int8; + secret (@repr WORDSIZE8 150) : int8; + secret (@repr WORDSIZE8 5) : int8; + secret (@repr WORDSIZE8 154) : int8; + secret (@repr WORDSIZE8 7) : int8; + secret (@repr WORDSIZE8 18) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 178) : int8; + secret (@repr WORDSIZE8 117) : int8; + secret (@repr WORDSIZE8 9) : int8; + secret (@repr WORDSIZE8 131) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 110) : int8; + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 214) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 41) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 132) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 252) : int8; + secret (@repr WORDSIZE8 177) : int8; + secret (@repr WORDSIZE8 91) : int8; + secret (@repr WORDSIZE8 106) : int8; + secret (@repr WORDSIZE8 203) : int8; + secret (@repr WORDSIZE8 190) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 207) : int8; + secret (@repr WORDSIZE8 208) : int8; + secret (@repr WORDSIZE8 239) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 251) : int8; + secret (@repr WORDSIZE8 67) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 133) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 249) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 80) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 159) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 163) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 143) : int8; + secret (@repr WORDSIZE8 146) : int8; + secret (@repr WORDSIZE8 157) : int8; + secret (@repr WORDSIZE8 56) : int8; + secret (@repr WORDSIZE8 245) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 218) : int8; + secret (@repr WORDSIZE8 33) : int8; + secret (@repr WORDSIZE8 16) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 243) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 205) : int8; + secret (@repr WORDSIZE8 12) : int8; + secret (@repr WORDSIZE8 19) : int8; + secret (@repr WORDSIZE8 236) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 151) : int8; + secret (@repr WORDSIZE8 68) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 196) : int8; + secret (@repr WORDSIZE8 167) : int8; + secret (@repr WORDSIZE8 126) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 93) : int8; + secret (@repr WORDSIZE8 25) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 220) : int8; + secret (@repr WORDSIZE8 34) : int8; + secret (@repr WORDSIZE8 42) : int8; + secret (@repr WORDSIZE8 144) : int8; + secret (@repr WORDSIZE8 136) : int8; + secret (@repr WORDSIZE8 70) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 184) : int8; + secret (@repr WORDSIZE8 20) : int8; + secret (@repr WORDSIZE8 222) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 11) : int8; + secret (@repr WORDSIZE8 219) : int8; + secret (@repr WORDSIZE8 224) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 73) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 36) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 211) : int8; + secret (@repr WORDSIZE8 172) : int8; + secret (@repr WORDSIZE8 98) : int8; + secret (@repr WORDSIZE8 145) : int8; + secret (@repr WORDSIZE8 149) : int8; + secret (@repr WORDSIZE8 228) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 200) : int8; + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 109) : int8; + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 213) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 169) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 86) : int8; + secret (@repr WORDSIZE8 244) : int8; + secret (@repr WORDSIZE8 234) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 122) : int8; + secret (@repr WORDSIZE8 174) : int8; + secret (@repr WORDSIZE8 8) : int8; + secret (@repr WORDSIZE8 186) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 37) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 28) : int8; + secret (@repr WORDSIZE8 166) : int8; + secret (@repr WORDSIZE8 180) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 232) : int8; + secret (@repr WORDSIZE8 221) : int8; + secret (@repr WORDSIZE8 116) : int8; + secret (@repr WORDSIZE8 31) : int8; + secret (@repr WORDSIZE8 75) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 139) : int8; + secret (@repr WORDSIZE8 138) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 181) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 14) : int8; + secret (@repr WORDSIZE8 97) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 87) : int8; + secret (@repr WORDSIZE8 185) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 225) : int8; + secret (@repr WORDSIZE8 248) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 17) : int8; + secret (@repr WORDSIZE8 105) : int8; + secret (@repr WORDSIZE8 217) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 148) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 30) : int8; + secret (@repr WORDSIZE8 135) : int8; + secret (@repr WORDSIZE8 233) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 40) : int8; + secret (@repr WORDSIZE8 223) : int8; + secret (@repr WORDSIZE8 140) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 137) : int8; + secret (@repr WORDSIZE8 13) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 230) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 84) : int8; + secret (@repr WORDSIZE8 187) : int8; + secret (@repr WORDSIZE8 22) : int8 + ] in l). + +Definition rcon_v : r_con_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 4) : int8; + secret (@repr WORDSIZE8 8) : int8; + secret (@repr WORDSIZE8 16) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 77) : int8 + ] in l). + +Definition sub_bytes (state_150 : block_t) : block_t := + let st_151 : block_t := + state_150 in + let st_151 := + foldi (usize 0) (blocksize_v) (fun i_152 st_151 => + let st_151 := + array_upd st_151 (i_152) (array_index (sbox_v) (uint8_declassify ( + array_index (state_150) (i_152)))) in + (st_151)) + st_151 in + st_151. + +Definition shift_row + (i_153 : uint_size) + (shift_154 : uint_size) + (state_155 : block_t) + : block_t := + let out_156 : block_t := + state_155 in + let out_156 := + array_upd out_156 (i_153) (array_index (state_155) ((i_153) + ((usize 4) * ( + (shift_154) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 4)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 1)) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 8)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 2)) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 12)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 3)) %% (usize 4))))) in + out_156. + +Definition shift_rows (state_157 : block_t) : block_t := + let state_158 : block_t := + shift_row (usize 1) (usize 1) (state_157) in + let state_159 : block_t := + shift_row (usize 2) (usize 2) (state_158) in + shift_row (usize 3) (usize 3) (state_159). + +Definition xtime (x_160 : uint8) : uint8 := + let x1_161 : uint8 := + (x_160) shift_left (usize 1) in + let x7_162 : uint8 := + (x_160) shift_right (usize 7) in + let x71_163 : uint8 := + (x7_162) .& (secret (@repr WORDSIZE8 1) : int8) in + let x711b_164 : uint8 := + (x71_163) .* (secret (@repr WORDSIZE8 27) : int8) in + (x1_161) .^ (x711b_164). + +Definition mix_column (c_165 : uint_size) (state_166 : block_t) : block_t := + let i0_167 : uint_size := + (usize 4) * (c_165) in + let s0_168 : uint8 := + array_index (state_166) (i0_167) in + let s1_169 : uint8 := + array_index (state_166) ((i0_167) + (usize 1)) in + let s2_170 : uint8 := + array_index (state_166) ((i0_167) + (usize 2)) in + let s3_171 : uint8 := + array_index (state_166) ((i0_167) + (usize 3)) in + let st_172 : block_t := + state_166 in + let tmp_173 : uint8 := + (((s0_168) .^ (s1_169)) .^ (s2_170)) .^ (s3_171) in + let st_172 := + array_upd st_172 (i0_167) (((s0_168) .^ (tmp_173)) .^ (xtime ((s0_168) .^ ( + s1_169)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 1)) (((s1_169) .^ (tmp_173)) .^ (xtime ( + (s1_169) .^ (s2_170)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 2)) (((s2_170) .^ (tmp_173)) .^ (xtime ( + (s2_170) .^ (s3_171)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 3)) (((s3_171) .^ (tmp_173)) .^ (xtime ( + (s3_171) .^ (s0_168)))) in + st_172. + +Definition mix_columns (state_174 : block_t) : block_t := + let state_175 : block_t := + mix_column (usize 0) (state_174) in + let state_176 : block_t := + mix_column (usize 1) (state_175) in + let state_177 : block_t := + mix_column (usize 2) (state_176) in + mix_column (usize 3) (state_177). + +Definition add_round_key + (state_178 : block_t) + (key_179 : round_key_t) + : block_t := + let out_180 : block_t := + state_178 in + let out_180 := + foldi (usize 0) (blocksize_v) (fun i_181 out_180 => + let out_180 := + array_upd out_180 (i_181) ((array_index (out_180) (i_181)) .^ ( + array_index (key_179) (i_181))) in + (out_180)) + out_180 in + out_180. + +Definition aes_enc + (state_182 : block_t) + (round_key_183 : round_key_t) + : block_t := + let state_184 : block_t := + sub_bytes (state_182) in + let state_185 : block_t := + shift_rows (state_184) in + let state_186 : block_t := + mix_columns (state_185) in + add_round_key (state_186) (round_key_183). + +Definition aes_enc_last + (state_187 : block_t) + (round_key_188 : round_key_t) + : block_t := + let state_189 : block_t := + sub_bytes (state_187) in + let state_190 : block_t := + shift_rows (state_189) in + add_round_key (state_190) (round_key_188). + +Definition rounds_aes (state_191 : block_t) (key_192 : byte_seq) : block_t := + let out_193 : block_t := + state_191 in + let out_193 := + foldi (usize 0) (seq_num_chunks (key_192) ( + blocksize_v)) (fun i_194 out_193 => + let '(_, key_block_195) := + seq_get_chunk (key_192) (blocksize_v) (i_194) in + let out_193 := + aes_enc (out_193) (array_from_seq (blocksize_v) (key_block_195)) in + (out_193)) + out_193 in + out_193. + +Definition block_cipher_aes + (input_196 : block_t) + (key_197 : byte_seq) + (nr_198 : uint_size) + : block_t := + let k0_199 : round_key_t := + array_from_slice_range (default : uint8) (blocksize_v) (key_197) (( + usize 0, + usize 16 + )) in + let k_200 : seq uint8 := + seq_from_slice_range (key_197) ((usize 16, (nr_198) * (usize 16))) in + let kn_201 : round_key_t := + array_from_slice (default : uint8) (blocksize_v) (key_197) ((nr_198) * ( + usize 16)) (usize 16) in + let state_202 : block_t := + add_round_key (input_196) (k0_199) in + let state_203 : block_t := + rounds_aes (state_202) (k_200) in + aes_enc_last (state_203) (kn_201). + +Definition rotate_word (w_204 : word_t) : word_t := + array_from_list uint8 (let l := + [ + array_index (w_204) (usize 1); + array_index (w_204) (usize 2); + array_index (w_204) (usize 3); + array_index (w_204) (usize 0) + ] in l). + +Definition slice_word (w_205 : word_t) : word_t := + array_from_list uint8 (let l := + [ + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 0))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 1))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 2))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 3))) + ] in l). + +Definition aes_keygen_assist (w_206 : word_t) (rcon_207 : uint8) : word_t := + let k_208 : word_t := + rotate_word (w_206) in + let k_208 := + slice_word (k_208) in + let k_208 := + array_upd k_208 (usize 0) ((array_index (k_208) (usize 0)) .^ ( + rcon_207)) in + k_208. + +Definition key_expansion_word + (w0_209 : word_t) + (w1_210 : word_t) + (i_211 : uint_size) + (nk_212 : uint_size) + (nr_213 : uint_size) + : word_result_t := + let k_214 : word_t := + w1_210 in + let result_215 : (result word_t int8) := + @Err word_t int8 (invalid_key_expansion_index_v) in + let '(k_214, result_215) := + if (i_211) <.? ((usize 4) * ((nr_213) + (usize 1))):bool then (let '(k_214 + ) := + if ((i_211) %% (nk_212)) =.? (usize 0):bool then (let k_214 := + aes_keygen_assist (k_214) (array_index (rcon_v) ((i_211) / ( + nk_212))) in + (k_214)) else (let '(k_214) := + if ((nk_212) >.? (usize 6)) && (((i_211) %% (nk_212)) =.? ( + usize 4)):bool then (let k_214 := + slice_word (k_214) in + (k_214)) else ((k_214)) in + (k_214)) in + let k_214 := + foldi (usize 0) (usize 4) (fun i_216 k_214 => + let k_214 := + array_upd k_214 (i_216) ((array_index (k_214) (i_216)) .^ ( + array_index (w0_209) (i_216))) in + (k_214)) + k_214 in + let result_215 := + @Ok word_t int8 (k_214) in + (k_214, result_215)) else ((k_214, result_215)) in + result_215. + +Definition key_expansion_aes + (key_217 : byte_seq) + (nk_218 : uint_size) + (nr_219 : uint_size) + (key_schedule_length_220 : uint_size) + (key_length_221 : uint_size) + (iterations_222 : uint_size) + : byte_seq_result_t := + let key_ex_223 : seq uint8 := + seq_new_ (default : uint8) (key_schedule_length_220) in + let key_ex_223 := + seq_update_start (key_ex_223) (key_217) in + let word_size_224 : uint_size := + key_length_221 in + bind (foldibnd (usize 0) to ( + iterations_222) for key_ex_223 >> (fun j_225 key_ex_223 => + let i_226 : uint_size := + (j_225) + (word_size_224) in + bind (key_expansion_word (array_from_slice (default : uint8) ( + key_length_v) (key_ex_223) ((usize 4) * ((i_226) - (word_size_224))) ( + usize 4)) (array_from_slice (default : uint8) (key_length_v) ( + key_ex_223) (((usize 4) * (i_226)) - (usize 4)) (usize 4)) (i_226) ( + nk_218) (nr_219)) (fun word_227 => let key_ex_223 := + seq_update (key_ex_223) ((usize 4) * (i_226)) ( + array_to_seq (word_227)) in + @Ok (seq uint8) int8 ((key_ex_223))))) (fun key_ex_223 => + @Ok byte_seq int8 (key_ex_223)). + +Definition aes_encrypt_block + (k_228 : byte_seq) + (input_229 : block_t) + (nk_230 : uint_size) + (nr_231 : uint_size) + (key_schedule_length_232 : uint_size) + (key_length_233 : uint_size) + (iterations_234 : uint_size) + : block_result_t := + bind (key_expansion_aes (k_228) (nk_230) (nr_231) (key_schedule_length_232) ( + key_length_233) (iterations_234)) (fun key_ex_235 => @Ok block_t int8 ( + block_cipher_aes (input_229) (key_ex_235) (nr_231))). + +Definition aes128_encrypt_block + (k_236 : key128_t) + (input_237 : block_t) + : block_t := + result_unwrap (aes_encrypt_block (seq_from_seq (array_to_seq (k_236))) ( + input_237) (key_length_v) (rounds_v) (key_schedule_length_v) ( + key_length_v) (iterations_v)). + +Definition aes_ctr_key_block + (k_238 : byte_seq) + (n_239 : aes_nonce_t) + (c_240 : uint32) + (nk_241 : uint_size) + (nr_242 : uint_size) + (key_schedule_length_243 : uint_size) + (key_length_244 : uint_size) + (iterations_245 : uint_size) + : block_result_t := + let input_246 : block_t := + array_new_ (default : uint8) (blocksize_v) in + let input_246 := + array_update (input_246) (usize 0) (array_to_seq (n_239)) in + let input_246 := + array_update (input_246) (usize 12) (array_to_seq (uint32_to_be_bytes ( + c_240))) in + aes_encrypt_block (k_238) (input_246) (nk_241) (nr_242) ( + key_schedule_length_243) (key_length_244) (iterations_245). + +Definition xor_block + (block_247 : block_t) + (key_block_248 : block_t) + : block_t := + let out_249 : block_t := + block_247 in + let out_249 := + foldi (usize 0) (blocksize_v) (fun i_250 out_249 => + let out_249 := + array_upd out_249 (i_250) ((array_index (out_249) (i_250)) .^ ( + array_index (key_block_248) (i_250))) in + (out_249)) + out_249 in + out_249. + +Definition aes_counter_mode + (key_251 : byte_seq) + (nonce_252 : aes_nonce_t) + (counter_253 : uint32) + (msg_254 : byte_seq) + (nk_255 : uint_size) + (nr_256 : uint_size) + (key_schedule_length_257 : uint_size) + (key_length_258 : uint_size) + (iterations_259 : uint_size) + : byte_seq_result_t := + let ctr_260 : uint32 := + counter_253 in + let blocks_out_261 : seq uint8 := + seq_new_ (default : uint8) (seq_len (msg_254)) in + let n_blocks_262 : uint_size := + seq_num_exact_chunks (msg_254) (blocksize_v) in + bind (foldibnd (usize 0) to (n_blocks_262) for (ctr_260, blocks_out_261 + ) >> (fun i_263 '(ctr_260, blocks_out_261) => + let msg_block_264 : seq uint8 := + seq_get_exact_chunk (msg_254) (blocksize_v) (i_263) in + bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) (nr_256) ( + key_schedule_length_257) (key_length_258) (iterations_259)) ( + fun key_block_265 => let blocks_out_261 := + seq_set_chunk (blocks_out_261) (blocksize_v) (i_263) ( + array_to_seq (xor_block (array_from_seq (blocksize_v) ( + msg_block_264)) (key_block_265))) in + let ctr_260 := + (ctr_260) .+ (secret (@repr WORDSIZE32 1) : int32) in + @Ok (uint32 '× seq uint8) int8 ((ctr_260, blocks_out_261))))) (fun '( + ctr_260, + blocks_out_261 + ) => let last_block_266 : seq uint8 := + seq_get_remainder_chunk (msg_254) (blocksize_v) in + let last_block_len_267 : uint_size := + seq_len (last_block_266) in + ifbnd (last_block_len_267) !=.? (usize 0) : bool + thenbnd (let last_block_268 : block_t := + array_update_start (array_new_ (default : uint8) (blocksize_v)) ( + last_block_266) in + bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) ( + nr_256) (key_schedule_length_257) (key_length_258) (iterations_259)) ( + fun key_block_269 => let blocks_out_261 := + seq_set_chunk (blocks_out_261) (blocksize_v) (n_blocks_262) ( + array_slice_range (xor_block (last_block_268) (key_block_269)) (( + usize 0, + last_block_len_267 + ))) in + @Ok (seq uint8) int8 ((blocks_out_261)))) + else ((blocks_out_261)) >> (fun '(blocks_out_261) => + @Ok byte_seq int8 (blocks_out_261))). + +Definition aes128_encrypt + (key_270 : key128_t) + (nonce_271 : aes_nonce_t) + (counter_272 : uint32) + (msg_273 : byte_seq) + : byte_seq := + result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_270))) ( + nonce_271) (counter_272) (msg_273) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)). + +Definition aes128_decrypt + (key_274 : key128_t) + (nonce_275 : aes_nonce_t) + (counter_276 : uint32) + (ctxt_277 : byte_seq) + : byte_seq := + result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_274))) ( + nonce_275) (counter_276) (ctxt_277) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)). + diff --git a/proof-libs/coq/src/Hacspec_Aes128_Gcm.v b/proof-libs/coq/src/Hacspec_Aes128_Gcm.v new file mode 100644 index 000000000..0d6395bc6 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Aes128_Gcm.v @@ -0,0 +1,126 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Aes. + +Require Import Hacspec_Gf128. + +Notation "'aes_gcm_byte_seq_result_t'" := (( + result byte_seq int8)) : hacspec_scope. + +Definition invalid_tag_v : int8 := + @repr WORDSIZE8 1. + +Definition pad_aad_msg (aad_278 : byte_seq) (msg_279 : byte_seq) : byte_seq := + let laad_280 : uint_size := + seq_len (aad_278) in + let lmsg_281 : uint_size := + seq_len (msg_279) in + let pad_aad_282 : uint_size := + (if (((laad_280) %% (usize 16)) =.? (usize 0)):bool then (laad_280) else (( + laad_280) + ((usize 16) - ((laad_280) %% (usize 16))))) in + let pad_msg_283 : uint_size := + (if (((lmsg_281) %% (usize 16)) =.? (usize 0)):bool then (lmsg_281) else (( + lmsg_281) + ((usize 16) - ((lmsg_281) %% (usize 16))))) in + let padded_msg_284 : seq uint8 := + seq_new_ (default : uint8) (((pad_aad_282) + (pad_msg_283)) + ( + usize 16)) in + let padded_msg_284 := + seq_update (padded_msg_284) (usize 0) (aad_278) in + let padded_msg_284 := + seq_update (padded_msg_284) (pad_aad_282) (msg_279) in + let padded_msg_284 := + seq_update (padded_msg_284) ((pad_aad_282) + (pad_msg_283)) ( + array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( + laad_280)) : int64) .* (secret ( + @repr WORDSIZE64 8) : int64)))) in + let padded_msg_284 := + seq_update (padded_msg_284) (((pad_aad_282) + (pad_msg_283)) + (usize 8)) ( + array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( + lmsg_281)) : int64) .* (secret ( + @repr WORDSIZE64 8) : int64)))) in + padded_msg_284. + +Definition encrypt_aes + (key_285 : byte_seq) + (iv_286 : aes_nonce_t) + (aad_287 : byte_seq) + (msg_288 : byte_seq) + : (byte_seq '× gf128_tag_t) := + let iv0_289 : aes_nonce_t := + array_new_ (default : uint8) (_) in + let mac_key_290 : block_t := + result_unwrap (aes_ctr_key_block (key_285) (iv0_289) (secret ( + @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) in + let tag_mix_291 : block_t := + result_unwrap (aes_ctr_key_block (key_285) ((iv_286)) (secret ( + @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) in + let cipher_text_292 : seq uint8 := + aes128_encrypt (array_from_seq (_) (key_285)) (iv_286) (secret ( + @repr WORDSIZE32 2) : int32) (msg_288) in + let padded_msg_293 : seq uint8 := + pad_aad_msg (aad_287) (cipher_text_292) in + let tag_294 : gf128_tag_t := + gmac (padded_msg_293) (array_from_seq (_) (array_to_seq (mac_key_290))) in + let tag_295 : block_t := + xor_block (array_from_seq (_) (array_to_seq (tag_294))) (tag_mix_291) in + (cipher_text_292, array_from_seq (_) (array_to_seq (tag_295))). + +Definition encrypt_aes128 + (key_296 : key128_t) + (iv_297 : aes_nonce_t) + (aad_298 : byte_seq) + (msg_299 : byte_seq) + : (byte_seq '× gf128_tag_t) := + encrypt_aes (seq_from_seq (array_to_seq (key_296))) (iv_297) (aad_298) ( + msg_299). + +Definition decrypt_aes + (key_300 : byte_seq) + (iv_301 : aes_nonce_t) + (aad_302 : byte_seq) + (cipher_text_303 : byte_seq) + (tag_304 : gf128_tag_t) + : aes_gcm_byte_seq_result_t := + let iv0_305 : aes_nonce_t := + array_new_ (default : uint8) (_) in + bind (aes_ctr_key_block (key_300) (iv0_305) (secret ( + @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) (fun mac_key_306 => + bind (aes_ctr_key_block (key_300) ((iv_301)) (secret ( + @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) ( + fun tag_mix_307 => let padded_msg_308 : seq uint8 := + pad_aad_msg (aad_302) (cipher_text_303) in + let my_tag_309 : gf128_tag_t := + gmac (padded_msg_308) (array_from_seq (_) ( + array_to_seq (mac_key_306))) in + let my_tag_310 : block_t := + xor_block (array_from_seq (_) (array_to_seq (my_tag_309))) ( + tag_mix_307) in + let ptxt_311 : seq uint8 := + aes128_decrypt (array_from_seq (_) (key_300)) (iv_301) (secret ( + @repr WORDSIZE32 2) : int32) (cipher_text_303) in + (if (array_declassify_eq (my_tag_310) (array_from_seq (_) ( + array_to_seq (tag_304)))):bool then (@Ok byte_seq int8 ( + ptxt_311)) else (@Err byte_seq int8 (invalid_tag_v))))). + +Definition decrypt_aes128 + (key_312 : key128_t) + (iv_313 : aes_nonce_t) + (aad_314 : byte_seq) + (cipher_text_315 : byte_seq) + (tag_316 : gf128_tag_t) + : aes_gcm_byte_seq_result_t := + decrypt_aes (seq_from_seq (array_to_seq (key_312))) (iv_313) (aad_314) ( + cipher_text_315) (tag_316). + diff --git a/proof-libs/coq/src/Hacspec_Bip_340.v b/proof-libs/coq/src/Hacspec_Bip_340.v new file mode 100644 index 000000000..461143d44 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Bip_340.v @@ -0,0 +1,530 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Inductive error_t := +| InvalidSecretKey : error_t +| InvalidNonceGenerated : error_t +| InvalidPublicKey : error_t +| InvalidXCoordinate : error_t +| InvalidSignature : error_t. + +Definition eqb_error_t (x y : error_t) : bool := +match x with + | InvalidSecretKey => match y with | InvalidSecretKey=> true | _ => false end + | InvalidNonceGenerated => + match y with + | InvalidNonceGenerated=> true + | _ => false + end + | InvalidPublicKey => match y with | InvalidPublicKey=> true | _ => false end + | InvalidXCoordinate => + match y with + | InvalidXCoordinate=> true + | _ => false + end + | InvalidSignature => match y with | InvalidSignature=> true | _ => false end + end. + +Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_error_t : EqDec (error_t) := +Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). + + +Definition field_canvas_t := nseq (int8) (32). +Definition field_element_t := + nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141. + +Definition big_integer_t := nat_mod pow2 256. + +Notation "'affine_point_t'" := ((field_element_t '× field_element_t +)) : hacspec_scope. + +Definition p_bytes32_t := nseq (int8) (usize 32). + +Inductive point_t := +| Affine : affine_point_t -> point_t +| AtInfinity : point_t. + +Definition finite (p_2555 : point_t) : (option affine_point_t) := + match p_2555 with + | Affine (p_2556) => some (p_2556) + | AtInfinity => @None affine_point_t + end. + +Definition x (p_2557 : affine_point_t) : field_element_t := + let '(x_2558, _) := + p_2557 in + x_2558. + +Definition y (p_2559 : affine_point_t) : field_element_t := + let '(_, y_2560) := + p_2559 in + y_2560. + +Definition has_even_y (p_2561 : affine_point_t) : bool := + ((y (p_2561)) rem (nat_mod_two )) =.? (nat_mod_zero ). + +Definition sqrt (y_2562 : field_element_t) : (option field_element_t) := + let p1_4_2563 : field_element_t := + nat_mod_from_public_byte_seq_be (array_from_list int8 (let l := + [ + @repr WORDSIZE8 63; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 191; + @repr WORDSIZE8 255; + @repr WORDSIZE8 255; + @repr WORDSIZE8 12 + ] in l)) in + let x_2564 : field_element_t := + nat_mod_pow_self (y_2562) (p1_4_2563) in + (if ((nat_mod_pow_self (x_2564) (nat_mod_two )) =.? (y_2562)):bool then ( + some (x_2564)) else (@None field_element_t)). + +Definition lift_x + (x_2565 : field_element_t) + : (result affine_point_t error_t) := + let one_2566 : field_element_t := + nat_mod_one in + let two_2567 : field_element_t := + nat_mod_two in + let three_2568 : field_element_t := + nat_mod_from_literal ( + 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( + @repr WORDSIZE128 3) : field_element_t in + let seven_2569 : field_element_t := + nat_mod_from_literal ( + 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( + @repr WORDSIZE128 7) : field_element_t in + let y_sq_2570 : field_element_t := + (nat_mod_pow_self (x_2565) (three_2568)) +% (seven_2569) in + bind (option_ok_or (sqrt (y_sq_2570)) (InvalidXCoordinate)) (fun y_2571 => + let '(y_2571) := + if ((y_2571) rem (two_2567)) =.? (one_2566):bool then (let y_2571 := + (nat_mod_zero ) -% (y_2571) in + (y_2571)) else ((y_2571)) in + @Ok affine_point_t error_t ((x_2565, y_2571))). + +Definition compute_lam + (p1_2572 : affine_point_t) + (p2_2573 : affine_point_t) + : field_element_t := + let three_2574 : field_element_t := + nat_mod_from_literal ( + 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( + @repr WORDSIZE128 3) : field_element_t in + (if ((p1_2572) !=.? (p2_2573)):bool then (((y (p2_2573)) -% (y ( + p1_2572))) *% (nat_mod_pow_self ((x (p2_2573)) -% (x (p1_2572))) (( + nat_mod_zero ) -% (nat_mod_two )))) else ((((three_2574) *% (x ( + p1_2572))) *% (x (p1_2572))) *% (nat_mod_pow_self (( + nat_mod_two ) *% (y (p1_2572))) ((nat_mod_zero ) -% ( + nat_mod_two ))))). + +Definition point_add (p1_2575 : point_t) (p2_2576 : point_t) : point_t := + let result_2577 : point_t := + AtInfinity in + let '(result_2577) := + if option_is_none (finite (p1_2575)):bool then (let result_2577 := + p2_2576 in + (result_2577)) else (let '(result_2577) := + if option_is_none (finite (p2_2576)):bool then (let result_2577 := + p1_2575 in + (result_2577)) else (let p1_2578 : ( + field_element_t '× + field_element_t + ) := + option_unwrap (finite (p1_2575)) in + let p2_2579 : (field_element_t '× field_element_t) := + option_unwrap (finite (p2_2576)) in + let '(result_2577) := + if negb (((x (p1_2578)) =.? (x (p2_2579))) && ((y (p1_2578)) !=.? ( + y (p2_2579)))):bool then (let lam_2580 : field_element_t := + compute_lam (p1_2578) (p2_2579) in + let x3_2581 : field_element_t := + (((lam_2580) *% (lam_2580)) -% (x (p1_2578))) -% (x ( + p2_2579)) in + let result_2577 := + Affine (( + x3_2581, + ((lam_2580) *% ((x (p1_2578)) -% (x3_2581))) -% (y ( + p1_2578)) + )) in + (result_2577)) else ((result_2577)) in + (result_2577)) in + (result_2577)) in + result_2577. + +Definition point_mul (s_2582 : scalar_t) (p_2583 : point_t) : point_t := + let p_2584 : point_t := + p_2583 in + let q_2585 : point_t := + AtInfinity in + let '(p_2584, q_2585) := + foldi (usize 0) (usize 256) (fun i_2586 '(p_2584, q_2585) => + let '(q_2585) := + if nat_mod_bit (s_2582) (i_2586):bool then (let q_2585 := + point_add (q_2585) (p_2584) in + (q_2585)) else ((q_2585)) in + let p_2584 := + point_add (p_2584) (p_2584) in + (p_2584, q_2585)) + (p_2584, q_2585) in + q_2585. + +Definition point_mul_base (s_2587 : scalar_t) : point_t := + let gx_2588 : p_bytes32_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 121; + @repr WORDSIZE8 190; + @repr WORDSIZE8 102; + @repr WORDSIZE8 126; + @repr WORDSIZE8 249; + @repr WORDSIZE8 220; + @repr WORDSIZE8 187; + @repr WORDSIZE8 172; + @repr WORDSIZE8 85; + @repr WORDSIZE8 160; + @repr WORDSIZE8 98; + @repr WORDSIZE8 149; + @repr WORDSIZE8 206; + @repr WORDSIZE8 135; + @repr WORDSIZE8 11; + @repr WORDSIZE8 7; + @repr WORDSIZE8 2; + @repr WORDSIZE8 155; + @repr WORDSIZE8 252; + @repr WORDSIZE8 219; + @repr WORDSIZE8 45; + @repr WORDSIZE8 206; + @repr WORDSIZE8 40; + @repr WORDSIZE8 217; + @repr WORDSIZE8 89; + @repr WORDSIZE8 242; + @repr WORDSIZE8 129; + @repr WORDSIZE8 91; + @repr WORDSIZE8 22; + @repr WORDSIZE8 248; + @repr WORDSIZE8 23; + @repr WORDSIZE8 152 + ] in l) in + let gy_2589 : p_bytes32_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 72; + @repr WORDSIZE8 58; + @repr WORDSIZE8 218; + @repr WORDSIZE8 119; + @repr WORDSIZE8 38; + @repr WORDSIZE8 163; + @repr WORDSIZE8 196; + @repr WORDSIZE8 101; + @repr WORDSIZE8 93; + @repr WORDSIZE8 164; + @repr WORDSIZE8 251; + @repr WORDSIZE8 252; + @repr WORDSIZE8 14; + @repr WORDSIZE8 17; + @repr WORDSIZE8 8; + @repr WORDSIZE8 168; + @repr WORDSIZE8 253; + @repr WORDSIZE8 23; + @repr WORDSIZE8 180; + @repr WORDSIZE8 72; + @repr WORDSIZE8 166; + @repr WORDSIZE8 133; + @repr WORDSIZE8 84; + @repr WORDSIZE8 25; + @repr WORDSIZE8 156; + @repr WORDSIZE8 71; + @repr WORDSIZE8 208; + @repr WORDSIZE8 143; + @repr WORDSIZE8 251; + @repr WORDSIZE8 16; + @repr WORDSIZE8 212; + @repr WORDSIZE8 184 + ] in l) in + let g_2590 : point_t := + Affine (( + nat_mod_from_public_byte_seq_be (gx_2588), + nat_mod_from_public_byte_seq_be (gy_2589) + )) in + point_mul (s_2587) (g_2590). + +Definition bytes32_t := nseq (uint8) (usize 32). + +Notation "'secret_key_t'" := (bytes32_t) : hacspec_scope. + +Notation "'public_key_t'" := (bytes32_t) : hacspec_scope. + +Notation "'message_t'" := (bytes32_t) : hacspec_scope. + +Notation "'aux_rand_t'" := (bytes32_t) : hacspec_scope. + +Definition signature_t := nseq (uint8) (usize 64). + +Definition tagged_hash + (tag_2591 : public_byte_seq) + (msg_2592 : byte_seq) + : bytes32_t := + let tag_hash_2593 : seq uint8 := + array_to_be_bytes (sha256 (seq_from_public_seq (tag_2591))) in + let hash_2594 : sha256_digest_t := + sha256 (seq_concat (seq_concat (tag_hash_2593) (tag_hash_2593)) ( + msg_2592)) in + array_from_seq (32) (array_to_seq (hash_2594)). + +Definition tagged_hash_aux_prefix_t := nseq (int8) (usize 11). + +Definition bip0340_aux_v : tagged_hash_aux_prefix_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 66; + @repr WORDSIZE8 73; + @repr WORDSIZE8 80; + @repr WORDSIZE8 48; + @repr WORDSIZE8 51; + @repr WORDSIZE8 52; + @repr WORDSIZE8 48; + @repr WORDSIZE8 47; + @repr WORDSIZE8 97; + @repr WORDSIZE8 117; + @repr WORDSIZE8 120 + ] in l). + +Definition hash_aux (aux_rand_2595 : aux_rand_t) : bytes32_t := + tagged_hash (seq_from_seq (array_to_seq (bip0340_aux_v))) (seq_from_seq ( + aux_rand_2595)). + +Definition tagged_hash_nonce_prefix_t := nseq (int8) (usize 13). + +Definition bip0340_nonce_v : tagged_hash_nonce_prefix_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 66; + @repr WORDSIZE8 73; + @repr WORDSIZE8 80; + @repr WORDSIZE8 48; + @repr WORDSIZE8 51; + @repr WORDSIZE8 52; + @repr WORDSIZE8 48; + @repr WORDSIZE8 47; + @repr WORDSIZE8 110; + @repr WORDSIZE8 111; + @repr WORDSIZE8 110; + @repr WORDSIZE8 99; + @repr WORDSIZE8 101 + ] in l). + +Definition hash_nonce + (rand_2596 : bytes32_t) + (pubkey_2597 : bytes32_t) + (msg_2598 : message_t) + : bytes32_t := + let c_2599 : byte_seq := + seq_concat (seq_concat (seq_from_seq (array_to_seq (rand_2596))) ( + array_to_seq (pubkey_2597))) (msg_2598) in + tagged_hash (seq_from_seq (array_to_seq (bip0340_nonce_v))) (c_2599). + +Definition tagged_hash_challenge_prefix_t := nseq (int8) (usize 17). + +Definition bip0340_challenge_v : tagged_hash_challenge_prefix_t := + array_from_list int8 (let l := + [ + @repr WORDSIZE8 66; + @repr WORDSIZE8 73; + @repr WORDSIZE8 80; + @repr WORDSIZE8 48; + @repr WORDSIZE8 51; + @repr WORDSIZE8 52; + @repr WORDSIZE8 48; + @repr WORDSIZE8 47; + @repr WORDSIZE8 99; + @repr WORDSIZE8 104; + @repr WORDSIZE8 97; + @repr WORDSIZE8 108; + @repr WORDSIZE8 108; + @repr WORDSIZE8 101; + @repr WORDSIZE8 110; + @repr WORDSIZE8 103; + @repr WORDSIZE8 101 + ] in l). + +Definition hash_challenge + (rx_2600 : bytes32_t) + (pubkey_2601 : bytes32_t) + (msg_2602 : bytes32_t) + : bytes32_t := + let c_2603 : byte_seq := + seq_concat (seq_concat (seq_from_seq (array_to_seq (rx_2600))) ( + array_to_seq (pubkey_2601))) (array_to_seq (msg_2602)) in + tagged_hash (seq_from_seq (array_to_seq (bip0340_challenge_v))) (c_2603). + +Definition bytes_from_point (p_2604 : affine_point_t) : bytes32_t := + let '(x_2605, _) := + p_2604 in + array_from_seq (32) (nat_mod_to_byte_seq_be (x_2605)). + +Definition bytes_from_scalar (x_2606 : scalar_t) : bytes32_t := + array_from_seq (32) (nat_mod_to_byte_seq_be (x_2606)). + +Definition scalar_from_bytes (b_2607 : bytes32_t) : scalar_t := + nat_mod_from_byte_seq_be (array_to_seq (b_2607)) : scalar_t. + +Definition scalar_from_bytes_strict (b_2608 : bytes32_t) : (option scalar_t) := + let s_2609 : big_integer_t := + nat_mod_from_byte_seq_be (array_to_seq (b_2608)) : big_integer_t in + let max_scalar_2610 : big_integer_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + nat_mod_max_val )) : big_integer_t in + (if ((s_2609) >.? (max_scalar_2610)):bool then (@None scalar_t) else ( + @Some scalar_t (nat_mod_from_byte_seq_be ( + array_to_seq (b_2608)) : scalar_t))). + +Definition seckey_scalar_from_bytes (b_2611 : bytes32_t) : (option scalar_t) := + bind (scalar_from_bytes_strict (b_2611)) (fun s_2612 => (if ((s_2612) =.? ( + nat_mod_zero )):bool then (@None scalar_t) else (@Some scalar_t ( + s_2612)))). + +Definition fieldelem_from_bytes + (b_2613 : public_key_t) + : (option field_element_t) := + let s_2614 : big_integer_t := + nat_mod_from_byte_seq_be (b_2613) : big_integer_t in + let max_fe_2615 : big_integer_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + nat_mod_max_val )) : big_integer_t in + (if ((s_2614) >.? (max_fe_2615)):bool then (@None field_element_t) else ( + @Some field_element_t (nat_mod_from_byte_seq_be ( + b_2613) : field_element_t))). + +Definition xor_bytes (b0_2616 : bytes32_t) (b1_2617 : bytes32_t) : bytes32_t := + let b_2618 : seq uint8 := + seq_new_ (default : uint8) (array_len (b0_2616)) in + let b_2618 := + foldi (usize 0) (array_len (b0_2616)) (fun i_2619 b_2618 => + let b_2618 := + seq_upd b_2618 (i_2619) ((array_index (b0_2616) (i_2619)) .^ ( + array_index (b1_2617) (i_2619))) in + (b_2618)) + b_2618 in + array_from_seq (32) (b_2618). + +Notation "'pubkey_gen_result_t'" := (( + result public_key_t error_t)) : hacspec_scope. + +Definition pubkey_gen (seckey_2620 : secret_key_t) : pubkey_gen_result_t := + bind (option_ok_or (seckey_scalar_from_bytes (seckey_2620)) ( + InvalidSecretKey)) (fun d0_2621 => let p_2622 : ( + field_element_t '× + field_element_t + ) := + option_unwrap (finite (point_mul_base (d0_2621))) in + @Ok public_key_t error_t (bytes_from_point (p_2622))). + +Notation "'sign_result_t'" := ((result signature_t error_t)) : hacspec_scope. + +Definition sign + (msg_2623 : message_t) + (seckey_2624 : secret_key_t) + (aux_rand_2625 : aux_rand_t) + : sign_result_t := + bind (option_ok_or (seckey_scalar_from_bytes (seckey_2624)) ( + InvalidSecretKey)) (fun d0_2626 => let p_2627 : ( + field_element_t '× + field_element_t + ) := + option_unwrap (finite (point_mul_base (d0_2626))) in + let d_2628 : scalar_t := + (if (has_even_y (p_2627)):bool then (d0_2626) else ((nat_mod_zero ) -% ( + d0_2626))) in + let t_2629 : bytes32_t := + xor_bytes (bytes_from_scalar (d_2628)) (hash_aux (aux_rand_2625)) in + let k0_2630 : scalar_t := + scalar_from_bytes (hash_nonce (t_2629) (bytes_from_point (p_2627)) ( + msg_2623)) in + ifbnd (k0_2630) =.? (nat_mod_zero ) : bool + thenbnd (bind (@Err signature_t error_t (InvalidNonceGenerated)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let r_2631 : (field_element_t '× field_element_t) := + option_unwrap (finite (point_mul_base (k0_2630))) in + let k_2632 : scalar_t := + (if (has_even_y (r_2631)):bool then (k0_2630) else ((nat_mod_zero ) -% ( + k0_2630))) in + let e_2633 : scalar_t := + scalar_from_bytes (hash_challenge (bytes_from_point (r_2631)) ( + bytes_from_point (p_2627)) (msg_2623)) in + let sig_2634 : signature_t := + array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( + array_to_seq (bytes_from_point (r_2631)))) (usize 32) ( + array_to_seq (bytes_from_scalar ((k_2632) +% ((e_2633) *% ( + d_2628))))) in + bind (verify (msg_2623) (bytes_from_point (p_2627)) (sig_2634)) (fun _ => + @Ok signature_t error_t (sig_2634)))). + +Notation "'verification_result_t'" := ((result unit error_t)) : hacspec_scope. + +Definition verify + (msg_2635 : message_t) + (pubkey_2636 : public_key_t) + (sig_2637 : signature_t) + : verification_result_t := + bind (option_ok_or (fieldelem_from_bytes (pubkey_2636)) (InvalidPublicKey)) ( + fun p_x_2638 => bind (lift_x (p_x_2638)) (fun p_2639 => bind (option_ok_or ( + fieldelem_from_bytes (array_from_slice (default : uint8) (32) ( + array_to_seq (sig_2637)) (usize 0) (usize 32))) ( + InvalidSignature)) (fun r_2640 => bind (option_ok_or ( + scalar_from_bytes_strict (array_from_slice (default : uint8) (32) ( + array_to_seq (sig_2637)) (usize 32) (usize 32))) ( + InvalidSignature)) (fun s_2641 => let e_2642 : scalar_t := + scalar_from_bytes (hash_challenge (array_from_slice ( + default : uint8) (32) (array_to_seq (sig_2637)) (usize 0) ( + usize 32)) (bytes_from_point (p_2639)) (msg_2635)) in + bind (option_ok_or (finite (point_add (point_mul_base (s_2641)) ( + point_mul ((nat_mod_zero ) -% (e_2642)) (Affine (p_2639))))) ( + InvalidSignature)) (fun r_p_2643 => (if ((negb (has_even_y ( + r_p_2643))) || ((x (r_p_2643)) !=.? (r_2640))):bool then ( + @Err unit error_t (InvalidSignature)) else (@Ok unit error_t ( + tt)))))))). + diff --git a/proof-libs/coq/src/Hacspec_Bls12_381.v b/proof-libs/coq/src/Hacspec_Bls12_381.v new file mode 100644 index 000000000..93170a691 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Bls12_381.v @@ -0,0 +1,772 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +From QuickChick Require Import QuickChick. +Require Import QuickChickLib. +Require Import Hacspec_Lib. + +Definition fp_canvas_t := nseq (int8) (48). +Definition fp_t := + nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. +Instance show_fp_t : Show (fp_t) := Build_Show (fp_t) (fun x => show (GZnZ.val _ x)). +Definition g_fp_t : G (fp_t) := @bindGen Z (fp_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). +Instance gen_fp_t : Gen (fp_t) := Build_Gen fp_t g_fp_t. + + +Definition serialized_fp_t := nseq (uint8) (usize 48). + +Definition array_fp_t := nseq (uint64) (usize 6). + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. +Instance show_scalar_t : Show (scalar_t) := Build_Show (scalar_t) (fun x => show (GZnZ.val _ x)). +Definition g_scalar_t : G (scalar_t) := @bindGen Z (scalar_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). +Instance gen_scalar_t : Gen (scalar_t) := Build_Gen scalar_t g_scalar_t. + + +Notation "'g1_t'" := ((fp_t '× fp_t '× bool)) : hacspec_scope. +Instance show_g1_t : Show (g1_t) := +Build_Show g1_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_g1_t : G (g1_t) := +bindGen arbitrary (fun x0 : fp_t => + bindGen arbitrary (fun x1 : fp_t => + bindGen arbitrary (fun x2 : bool => + returnGen (x0,x1,x2)))). +Instance gen_g1_t : Gen (g1_t) := Build_Gen g1_t g_g1_t. + + +Notation "'fp2_t'" := ((fp_t '× fp_t)) : hacspec_scope. +Instance show_fp2_t : Show (fp2_t) := +Build_Show fp2_t (fun x => + let (x, x0) := x in + (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. +Definition g_fp2_t : G (fp2_t) := +bindGen arbitrary (fun x0 : fp_t => + bindGen arbitrary (fun x1 : fp_t => + returnGen (x0,x1))). +Instance gen_fp2_t : Gen (fp2_t) := Build_Gen fp2_t g_fp2_t. + + +Notation "'g2_t'" := ((fp2_t '× fp2_t '× bool)) : hacspec_scope. +Instance show_g2_t : Show (g2_t) := +Build_Show g2_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_g2_t : G (g2_t) := +bindGen arbitrary (fun x0 : fp2_t => + bindGen arbitrary (fun x1 : fp2_t => + bindGen arbitrary (fun x2 : bool => + returnGen (x0,x1,x2)))). +Instance gen_g2_t : Gen (g2_t) := Build_Gen g2_t g_g2_t. + + +Notation "'fp6_t'" := ((fp2_t '× fp2_t '× fp2_t)) : hacspec_scope. +Instance show_fp6_t : Show (fp6_t) := +Build_Show fp6_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_fp6_t : G (fp6_t) := +bindGen arbitrary (fun x0 : fp2_t => + bindGen arbitrary (fun x1 : fp2_t => + bindGen arbitrary (fun x2 : fp2_t => + returnGen (x0,x1,x2)))). +Instance gen_fp6_t : Gen (fp6_t) := Build_Gen fp6_t g_fp6_t. + + +Notation "'fp12_t'" := ((fp6_t '× fp6_t)) : hacspec_scope. +Instance show_fp12_t : Show (fp12_t) := +Build_Show fp12_t (fun x => + let (x, x0) := x in + (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. +Definition g_fp12_t : G (fp12_t) := +bindGen arbitrary (fun x0 : fp6_t => + bindGen arbitrary (fun x1 : fp6_t => + returnGen (x0,x1))). +Instance gen_fp12_t : Gen (fp12_t) := Build_Gen fp12_t g_fp12_t. + + +Definition fp2fromfp (n_1405 : fp_t) : fp2_t := + (n_1405, nat_mod_zero ). + +Definition fp2zero : fp2_t := + fp2fromfp (nat_mod_zero ). + +Definition fp2neg (n_1406 : fp2_t) : fp2_t := + let '(n1_1407, n2_1408) := + n_1406 in + ((nat_mod_zero ) -% (n1_1407), (nat_mod_zero ) -% (n2_1408)). + +Definition fp2add (n_1409 : fp2_t) (m_1410 : fp2_t) : fp2_t := + let '(n1_1411, n2_1412) := + n_1409 in + let '(m1_1413, m2_1414) := + m_1410 in + ((n1_1411) +% (m1_1413), (n2_1412) +% (m2_1414)). + +Definition fp2sub (n_1415 : fp2_t) (m_1416 : fp2_t) : fp2_t := + fp2add (n_1415) (fp2neg (m_1416)). + +Definition fp2mul (n_1417 : fp2_t) (m_1418 : fp2_t) : fp2_t := + let '(n1_1419, n2_1420) := + n_1417 in + let '(m1_1421, m2_1422) := + m_1418 in + let x1_1423 : fp_t := + ((n1_1419) *% (m1_1421)) -% ((n2_1420) *% (m2_1422)) in + let x2_1424 : fp_t := + ((n1_1419) *% (m2_1422)) +% ((n2_1420) *% (m1_1421)) in + (x1_1423, x2_1424). + +Definition fp2inv (n_1425 : fp2_t) : fp2_t := + let '(n1_1426, n2_1427) := + n_1425 in + let t0_1428 : fp_t := + ((n1_1426) *% (n1_1426)) +% ((n2_1427) *% (n2_1427)) in + let t1_1429 : fp_t := + nat_mod_inv (t0_1428) in + let x1_1430 : fp_t := + (n1_1426) *% (t1_1429) in + let x2_1431 : fp_t := + (nat_mod_zero ) -% ((n2_1427) *% (t1_1429)) in + (x1_1430, x2_1431). + +Definition fp2conjugate (n_1432 : fp2_t) : fp2_t := + let '(n1_1433, n2_1434) := + n_1432 in + (n1_1433, (nat_mod_zero ) -% (n2_1434)). + +Definition fp6fromfp2 (n_1435 : fp2_t) : fp6_t := + (n_1435, fp2zero , fp2zero ). + +Definition fp6zero : fp6_t := + fp6fromfp2 (fp2zero ). + +Definition fp6neg (n_1436 : fp6_t) : fp6_t := + let '(n1_1437, n2_1438, n3_1439) := + n_1436 in + ( + fp2sub (fp2zero ) (n1_1437), + fp2sub (fp2zero ) (n2_1438), + fp2sub (fp2zero ) (n3_1439) + ). + +Definition fp6add (n_1440 : fp6_t) (m_1441 : fp6_t) : fp6_t := + let '(n1_1442, n2_1443, n3_1444) := + n_1440 in + let '(m1_1445, m2_1446, m3_1447) := + m_1441 in + ( + fp2add (n1_1442) (m1_1445), + fp2add (n2_1443) (m2_1446), + fp2add (n3_1444) (m3_1447) + ). + +Definition fp6sub (n_1448 : fp6_t) (m_1449 : fp6_t) : fp6_t := + fp6add (n_1448) (fp6neg (m_1449)). + +Definition fp6mul (n_1450 : fp6_t) (m_1451 : fp6_t) : fp6_t := + let '(n1_1452, n2_1453, n3_1454) := + n_1450 in + let '(m1_1455, m2_1456, m3_1457) := + m_1451 in + let eps_1458 : (fp_t '× fp_t) := + (nat_mod_one , nat_mod_one ) in + let t1_1459 : (fp_t '× fp_t) := + fp2mul (n1_1452) (m1_1455) in + let t2_1460 : (fp_t '× fp_t) := + fp2mul (n2_1453) (m2_1456) in + let t3_1461 : (fp_t '× fp_t) := + fp2mul (n3_1454) (m3_1457) in + let t4_1462 : (fp_t '× fp_t) := + fp2mul (fp2add (n2_1453) (n3_1454)) (fp2add (m2_1456) (m3_1457)) in + let t5_1463 : (fp_t '× fp_t) := + fp2sub (fp2sub (t4_1462) (t2_1460)) (t3_1461) in + let x_1464 : (fp_t '× fp_t) := + fp2add (fp2mul (t5_1463) (eps_1458)) (t1_1459) in + let t4_1465 : (fp_t '× fp_t) := + fp2mul (fp2add (n1_1452) (n2_1453)) (fp2add (m1_1455) (m2_1456)) in + let t5_1466 : (fp_t '× fp_t) := + fp2sub (fp2sub (t4_1465) (t1_1459)) (t2_1460) in + let y_1467 : (fp_t '× fp_t) := + fp2add (t5_1466) (fp2mul (eps_1458) (t3_1461)) in + let t4_1468 : (fp_t '× fp_t) := + fp2mul (fp2add (n1_1452) (n3_1454)) (fp2add (m1_1455) (m3_1457)) in + let t5_1469 : (fp_t '× fp_t) := + fp2sub (fp2sub (t4_1468) (t1_1459)) (t3_1461) in + let z_1470 : (fp_t '× fp_t) := + fp2add (t5_1469) (t2_1460) in + (x_1464, y_1467, z_1470). + +Definition fp6inv (n_1471 : fp6_t) : fp6_t := + let '(n1_1472, n2_1473, n3_1474) := + n_1471 in + let eps_1475 : (fp_t '× fp_t) := + (nat_mod_one , nat_mod_one ) in + let t1_1476 : (fp_t '× fp_t) := + fp2mul (n1_1472) (n1_1472) in + let t2_1477 : (fp_t '× fp_t) := + fp2mul (n2_1473) (n2_1473) in + let t3_1478 : (fp_t '× fp_t) := + fp2mul (n3_1474) (n3_1474) in + let t4_1479 : (fp_t '× fp_t) := + fp2mul (n1_1472) (n2_1473) in + let t5_1480 : (fp_t '× fp_t) := + fp2mul (n1_1472) (n3_1474) in + let t6_1481 : (fp_t '× fp_t) := + fp2mul (n2_1473) (n3_1474) in + let x0_1482 : (fp_t '× fp_t) := + fp2sub (t1_1476) (fp2mul (eps_1475) (t6_1481)) in + let y0_1483 : (fp_t '× fp_t) := + fp2sub (fp2mul (eps_1475) (t3_1478)) (t4_1479) in + let z0_1484 : (fp_t '× fp_t) := + fp2sub (t2_1477) (t5_1480) in + let t0_1485 : (fp_t '× fp_t) := + fp2mul (n1_1472) (x0_1482) in + let t0_1486 : (fp_t '× fp_t) := + fp2add (t0_1485) (fp2mul (eps_1475) (fp2mul (n3_1474) (y0_1483))) in + let t0_1487 : (fp_t '× fp_t) := + fp2add (t0_1486) (fp2mul (eps_1475) (fp2mul (n2_1473) (z0_1484))) in + let t0_1488 : (fp_t '× fp_t) := + fp2inv (t0_1487) in + let x_1489 : (fp_t '× fp_t) := + fp2mul (x0_1482) (t0_1488) in + let y_1490 : (fp_t '× fp_t) := + fp2mul (y0_1483) (t0_1488) in + let z_1491 : (fp_t '× fp_t) := + fp2mul (z0_1484) (t0_1488) in + (x_1489, y_1490, z_1491). + +Definition fp12fromfp6 (n_1492 : fp6_t) : fp12_t := + (n_1492, fp6zero ). + +Definition fp12neg (n_1493 : fp12_t) : fp12_t := + let '(n1_1494, n2_1495) := + n_1493 in + (fp6sub (fp6zero ) (n1_1494), fp6sub (fp6zero ) (n2_1495)). + +Definition fp12add (n_1496 : fp12_t) (m_1497 : fp12_t) : fp12_t := + let '(n1_1498, n2_1499) := + n_1496 in + let '(m1_1500, m2_1501) := + m_1497 in + (fp6add (n1_1498) (m1_1500), fp6add (n2_1499) (m2_1501)). + +Definition fp12sub (n_1502 : fp12_t) (m_1503 : fp12_t) : fp12_t := + fp12add (n_1502) (fp12neg (m_1503)). + +Definition fp12mul (n_1504 : fp12_t) (m_1505 : fp12_t) : fp12_t := + let '(n1_1506, n2_1507) := + n_1504 in + let '(m1_1508, m2_1509) := + m_1505 in + let gamma_1510 : (fp2_t '× fp2_t '× fp2_t) := + (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in + let t1_1511 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n1_1506) (m1_1508) in + let t2_1512 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n2_1507) (m2_1509) in + let x_1513 : (fp2_t '× fp2_t '× fp2_t) := + fp6add (t1_1511) (fp6mul (t2_1512) (gamma_1510)) in + let y_1514 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (fp6add (n1_1506) (n2_1507)) (fp6add (m1_1508) (m2_1509)) in + let y_1515 : (fp2_t '× fp2_t '× fp2_t) := + fp6sub (fp6sub (y_1514) (t1_1511)) (t2_1512) in + (x_1513, y_1515). + +Definition fp12inv (n_1516 : fp12_t) : fp12_t := + let '(n1_1517, n2_1518) := + n_1516 in + let gamma_1519 : (fp2_t '× fp2_t '× fp2_t) := + (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in + let t1_1520 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n1_1517) (n1_1517) in + let t2_1521 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n2_1518) (n2_1518) in + let t1_1522 : (fp2_t '× fp2_t '× fp2_t) := + fp6sub (t1_1520) (fp6mul (gamma_1519) (t2_1521)) in + let t2_1523 : (fp2_t '× fp2_t '× fp2_t) := + fp6inv (t1_1522) in + let x_1524 : (fp2_t '× fp2_t '× fp2_t) := + fp6mul (n1_1517) (t2_1523) in + let y_1525 : (fp2_t '× fp2_t '× fp2_t) := + fp6neg (fp6mul (n2_1518) (t2_1523)) in + (x_1524, y_1525). + +Definition fp12exp (n_1526 : fp12_t) (k_1527 : scalar_t) : fp12_t := + let c_1528 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in + let c_1528 := + foldi (usize 0) (usize 256) (fun i_1529 c_1528 => + let c_1528 := + fp12mul (c_1528) (c_1528) in + let '(c_1528) := + if nat_mod_bit (k_1527) ((usize 255) - (i_1529)):bool then ( + let c_1528 := + fp12mul (c_1528) (n_1526) in + (c_1528)) else ((c_1528)) in + (c_1528)) + c_1528 in + c_1528. + +Definition fp12conjugate (n_1530 : fp12_t) : fp12_t := + let '(n1_1531, n2_1532) := + n_1530 in + (n1_1531, fp6neg (n2_1532)). + +Definition fp12zero : fp12_t := + fp12fromfp6 (fp6zero ). + +Definition g1add_a (p_1533 : g1_t) (q_1534 : g1_t) : g1_t := + let '(x1_1535, y1_1536, _) := + p_1533 in + let '(x2_1537, y2_1538, _) := + q_1534 in + let x_diff_1539 : fp_t := + (x2_1537) -% (x1_1535) in + let y_diff_1540 : fp_t := + (y2_1538) -% (y1_1536) in + let xovery_1541 : fp_t := + (y_diff_1540) *% (nat_mod_inv (x_diff_1539)) in + let x3_1542 : fp_t := + ((nat_mod_exp (xovery_1541) (@repr WORDSIZE32 2)) -% (x1_1535)) -% ( + x2_1537) in + let y3_1543 : fp_t := + ((xovery_1541) *% ((x1_1535) -% (x3_1542))) -% (y1_1536) in + (x3_1542, y3_1543, false). + +Definition g1double_a (p_1544 : g1_t) : g1_t := + let '(x1_1545, y1_1546, _) := + p_1544 in + let x12_1547 : fp_t := + nat_mod_exp (x1_1545) (@repr WORDSIZE32 2) in + let xovery_1548 : fp_t := + ((nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t) *% (x12_1547)) *% (nat_mod_inv (( + nat_mod_two ) *% (y1_1546))) in + let x3_1549 : fp_t := + (nat_mod_exp (xovery_1548) (@repr WORDSIZE32 2)) -% ((nat_mod_two ) *% ( + x1_1545)) in + let y3_1550 : fp_t := + ((xovery_1548) *% ((x1_1545) -% (x3_1549))) -% (y1_1546) in + (x3_1549, y3_1550, false). + +Definition g1double (p_1551 : g1_t) : g1_t := + let '(x1_1552, y1_1553, inf1_1554) := + p_1551 in + (if (((y1_1553) !=.? (nat_mod_zero )) && (negb (inf1_1554))):bool then ( + g1double_a (p_1551)) else ((nat_mod_zero , nat_mod_zero , true))). + +Definition g1add (p_1555 : g1_t) (q_1556 : g1_t) : g1_t := + let '(x1_1557, y1_1558, inf1_1559) := + p_1555 in + let '(x2_1560, y2_1561, inf2_1562) := + q_1556 in + (if (inf1_1559):bool then (q_1556) else ((if (inf2_1562):bool then ( + p_1555) else ((if ((p_1555) =.? (q_1556)):bool then (g1double ( + p_1555)) else ((if (negb (((x1_1557) =.? (x2_1560)) && (( + y1_1558) =.? ((nat_mod_zero ) -% ( + y2_1561))))):bool then (g1add_a (p_1555) ( + q_1556)) else ((nat_mod_zero , nat_mod_zero , true))))))))). + +Definition g1mul (m_1563 : scalar_t) (p_1564 : g1_t) : g1_t := + let t_1565 : (fp_t '× fp_t '× bool) := + (nat_mod_zero , nat_mod_zero , true) in + let t_1565 := + foldi (usize 0) (usize 256) (fun i_1566 t_1565 => + let t_1565 := + g1double (t_1565) in + let '(t_1565) := + if nat_mod_bit (m_1563) ((usize 255) - (i_1566)):bool then ( + let t_1565 := + g1add (t_1565) (p_1564) in + (t_1565)) else ((t_1565)) in + (t_1565)) + t_1565 in + t_1565. + +Definition g1neg (p_1567 : g1_t) : g1_t := + let '(x_1568, y_1569, inf_1570) := + p_1567 in + (x_1568, (nat_mod_zero ) -% (y_1569), inf_1570). + +Definition g2add_a (p_1571 : g2_t) (q_1572 : g2_t) : g2_t := + let '(x1_1573, y1_1574, _) := + p_1571 in + let '(x2_1575, y2_1576, _) := + q_1572 in + let x_diff_1577 : (fp_t '× fp_t) := + fp2sub (x2_1575) (x1_1573) in + let y_diff_1578 : (fp_t '× fp_t) := + fp2sub (y2_1576) (y1_1574) in + let xovery_1579 : (fp_t '× fp_t) := + fp2mul (y_diff_1578) (fp2inv (x_diff_1577)) in + let t1_1580 : (fp_t '× fp_t) := + fp2mul (xovery_1579) (xovery_1579) in + let t2_1581 : (fp_t '× fp_t) := + fp2sub (t1_1580) (x1_1573) in + let x3_1582 : (fp_t '× fp_t) := + fp2sub (t2_1581) (x2_1575) in + let t1_1583 : (fp_t '× fp_t) := + fp2sub (x1_1573) (x3_1582) in + let t2_1584 : (fp_t '× fp_t) := + fp2mul (xovery_1579) (t1_1583) in + let y3_1585 : (fp_t '× fp_t) := + fp2sub (t2_1584) (y1_1574) in + (x3_1582, y3_1585, false). + +Definition g2double_a (p_1586 : g2_t) : g2_t := + let '(x1_1587, y1_1588, _) := + p_1586 in + let x12_1589 : (fp_t '× fp_t) := + fp2mul (x1_1587) (x1_1587) in + let t1_1590 : (fp_t '× fp_t) := + fp2mul (fp2fromfp (nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t)) (x12_1589) in + let t2_1591 : (fp_t '× fp_t) := + fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (y1_1588)) in + let xovery_1592 : (fp_t '× fp_t) := + fp2mul (t1_1590) (t2_1591) in + let t1_1593 : (fp_t '× fp_t) := + fp2mul (xovery_1592) (xovery_1592) in + let t2_1594 : (fp_t '× fp_t) := + fp2mul (fp2fromfp (nat_mod_two )) (x1_1587) in + let x3_1595 : (fp_t '× fp_t) := + fp2sub (t1_1593) (t2_1594) in + let t1_1596 : (fp_t '× fp_t) := + fp2sub (x1_1587) (x3_1595) in + let t2_1597 : (fp_t '× fp_t) := + fp2mul (xovery_1592) (t1_1596) in + let y3_1598 : (fp_t '× fp_t) := + fp2sub (t2_1597) (y1_1588) in + (x3_1595, y3_1598, false). + +Definition g2double (p_1599 : g2_t) : g2_t := + let '(x1_1600, y1_1601, inf1_1602) := + p_1599 in + (if (((y1_1601) !=.? (fp2zero )) && (negb (inf1_1602))):bool then ( + g2double_a (p_1599)) else ((fp2zero , fp2zero , true))). + +Definition g2add (p_1603 : g2_t) (q_1604 : g2_t) : g2_t := + let '(x1_1605, y1_1606, inf1_1607) := + p_1603 in + let '(x2_1608, y2_1609, inf2_1610) := + q_1604 in + (if (inf1_1607):bool then (q_1604) else ((if (inf2_1610):bool then ( + p_1603) else ((if ((p_1603) =.? (q_1604)):bool then (g2double ( + p_1603)) else ((if (negb (((x1_1605) =.? (x2_1608)) && (( + y1_1606) =.? (fp2neg (y2_1609))))):bool then (g2add_a ( + p_1603) (q_1604)) else ((fp2zero , fp2zero , true))))))))). + +Definition g2mul (m_1611 : scalar_t) (p_1612 : g2_t) : g2_t := + let t_1613 : (fp2_t '× fp2_t '× bool) := + (fp2zero , fp2zero , true) in + let t_1613 := + foldi (usize 0) (usize 256) (fun i_1614 t_1613 => + let t_1613 := + g2double (t_1613) in + let '(t_1613) := + if nat_mod_bit (m_1611) ((usize 255) - (i_1614)):bool then ( + let t_1613 := + g2add (t_1613) (p_1612) in + (t_1613)) else ((t_1613)) in + (t_1613)) + t_1613 in + t_1613. + +Definition g2neg (p_1615 : g2_t) : g2_t := + let '(x_1616, y_1617, inf_1618) := + p_1615 in + (x_1616, fp2neg (y_1617), inf_1618). + +Definition twist (p_1619 : g1_t) : (fp12_t '× fp12_t) := + let '(p0_1620, p1_1621, _) := + p_1619 in + let x_1622 : ((fp2_t '× fp2_t '× fp2_t) '× fp6_t) := + ((fp2zero , fp2fromfp (p0_1620), fp2zero ), fp6zero ) in + let y_1623 : (fp6_t '× (fp2_t '× fp2_t '× fp2_t)) := + (fp6zero , (fp2zero , fp2fromfp (p1_1621), fp2zero )) in + (x_1622, y_1623). + +Definition line_double_p (r_1624 : g2_t) (p_1625 : g1_t) : fp12_t := + let '(r0_1626, r1_1627, _) := + r_1624 in + let a_1628 : (fp_t '× fp_t) := + fp2mul (fp2fromfp (nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t)) (fp2mul (r0_1626) (r0_1626)) in + let a_1629 : (fp_t '× fp_t) := + fp2mul (a_1628) (fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (r1_1627))) in + let b_1630 : (fp_t '× fp_t) := + fp2sub (r1_1627) (fp2mul (a_1629) (r0_1626)) in + let a_1631 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (a_1629)) in + let b_1632 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (b_1630)) in + let '(x_1633, y_1634) := + twist (p_1625) in + fp12neg (fp12sub (fp12sub (y_1634) (fp12mul (a_1631) (x_1633))) (b_1632)). + +Definition line_add_p + (r_1635 : g2_t) + (q_1636 : g2_t) + (p_1637 : g1_t) + : fp12_t := + let '(r0_1638, r1_1639, _) := + r_1635 in + let '(q0_1640, q1_1641, _) := + q_1636 in + let a_1642 : (fp_t '× fp_t) := + fp2mul (fp2sub (q1_1641) (r1_1639)) (fp2inv (fp2sub (q0_1640) ( + r0_1638))) in + let b_1643 : (fp_t '× fp_t) := + fp2sub (r1_1639) (fp2mul (a_1642) (r0_1638)) in + let a_1644 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (a_1642)) in + let b_1645 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (b_1643)) in + let '(x_1646, y_1647) := + twist (p_1637) in + fp12neg (fp12sub (fp12sub (y_1647) (fp12mul (a_1644) (x_1646))) (b_1645)). + +Definition frobenius (f_1648 : fp12_t) : fp12_t := + let '((g0_1649, g1_1650, g2_1651), (h0_1652, h1_1653, h2_1654)) := + f_1648 in + let t1_1655 : (fp_t '× fp_t) := + fp2conjugate (g0_1649) in + let t2_1656 : (fp_t '× fp_t) := + fp2conjugate (h0_1652) in + let t3_1657 : (fp_t '× fp_t) := + fp2conjugate (g1_1650) in + let t4_1658 : (fp_t '× fp_t) := + fp2conjugate (h1_1653) in + let t5_1659 : (fp_t '× fp_t) := + fp2conjugate (g2_1651) in + let t6_1660 : (fp_t '× fp_t) := + fp2conjugate (h2_1654) in + let c1_1661 : array_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 10162220747404304312) : int64; + secret (@repr WORDSIZE64 17761815663483519293) : int64; + secret (@repr WORDSIZE64 8873291758750579140) : int64; + secret (@repr WORDSIZE64 1141103941765652303) : int64; + secret (@repr WORDSIZE64 13993175198059990303) : int64; + secret (@repr WORDSIZE64 1802798568193066599) : int64 + ] in l) in + let c1_1662 : seq uint8 := + array_to_le_bytes (c1_1661) in + let c1_1663 : fp_t := + nat_mod_from_byte_seq_le (c1_1662) : fp_t in + let c2_1664 : array_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 3240210268673559283) : int64; + secret (@repr WORDSIZE64 2895069921743240898) : int64; + secret (@repr WORDSIZE64 17009126888523054175) : int64; + secret (@repr WORDSIZE64 6098234018649060207) : int64; + secret (@repr WORDSIZE64 9865672654120263608) : int64; + secret (@repr WORDSIZE64 71000049454473266) : int64 + ] in l) in + let c2_1665 : seq uint8 := + array_to_le_bytes (c2_1664) in + let c2_1666 : fp_t := + nat_mod_from_byte_seq_le (c2_1665) : fp_t in + let gamma11_1667 : (fp_t '× fp_t) := + (c1_1663, c2_1666) in + let gamma12_1668 : (fp_t '× fp_t) := + fp2mul (gamma11_1667) (gamma11_1667) in + let gamma13_1669 : (fp_t '× fp_t) := + fp2mul (gamma12_1668) (gamma11_1667) in + let gamma14_1670 : (fp_t '× fp_t) := + fp2mul (gamma13_1669) (gamma11_1667) in + let gamma15_1671 : (fp_t '× fp_t) := + fp2mul (gamma14_1670) (gamma11_1667) in + let t2_1672 : (fp_t '× fp_t) := + fp2mul (t2_1656) (gamma11_1667) in + let t3_1673 : (fp_t '× fp_t) := + fp2mul (t3_1657) (gamma12_1668) in + let t4_1674 : (fp_t '× fp_t) := + fp2mul (t4_1658) (gamma13_1669) in + let t5_1675 : (fp_t '× fp_t) := + fp2mul (t5_1659) (gamma14_1670) in + let t6_1676 : (fp_t '× fp_t) := + fp2mul (t6_1660) (gamma15_1671) in + ((t1_1655, t3_1673, t5_1675), (t2_1672, t4_1674, t6_1676)). + +Definition final_exponentiation (f_1677 : fp12_t) : fp12_t := + let fp6_1678 : (fp6_t '× fp6_t) := + fp12conjugate (f_1677) in + let finv_1679 : (fp6_t '× fp6_t) := + fp12inv (f_1677) in + let fp6_1_1680 : (fp6_t '× fp6_t) := + fp12mul (fp6_1678) (finv_1679) in + let fp8_1681 : (fp6_t '× fp6_t) := + frobenius (frobenius (fp6_1_1680)) in + let f_1682 : (fp6_t '× fp6_t) := + fp12mul (fp8_1681) (fp6_1_1680) in + let u_1683 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let u_half_1684 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 7566188111470821376) : scalar_t in + let t0_1685 : (fp6_t '× fp6_t) := + fp12mul (f_1682) (f_1682) in + let t1_1686 : (fp6_t '× fp6_t) := + fp12exp (t0_1685) (u_1683) in + let t1_1687 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1686) in + let t2_1688 : (fp6_t '× fp6_t) := + fp12exp (t1_1687) (u_half_1684) in + let t2_1689 : (fp6_t '× fp6_t) := + fp12conjugate (t2_1688) in + let t3_1690 : (fp6_t '× fp6_t) := + fp12conjugate (f_1682) in + let t1_1691 : (fp6_t '× fp6_t) := + fp12mul (t3_1690) (t1_1687) in + let t1_1692 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1691) in + let t1_1693 : (fp6_t '× fp6_t) := + fp12mul (t1_1692) (t2_1689) in + let t2_1694 : (fp6_t '× fp6_t) := + fp12exp (t1_1693) (u_1683) in + let t2_1695 : (fp6_t '× fp6_t) := + fp12conjugate (t2_1694) in + let t3_1696 : (fp6_t '× fp6_t) := + fp12exp (t2_1695) (u_1683) in + let t3_1697 : (fp6_t '× fp6_t) := + fp12conjugate (t3_1696) in + let t1_1698 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1693) in + let t3_1699 : (fp6_t '× fp6_t) := + fp12mul (t1_1698) (t3_1697) in + let t1_1700 : (fp6_t '× fp6_t) := + fp12conjugate (t1_1698) in + let t1_1701 : (fp6_t '× fp6_t) := + frobenius (frobenius (frobenius (t1_1700))) in + let t2_1702 : (fp6_t '× fp6_t) := + frobenius (frobenius (t2_1695)) in + let t1_1703 : (fp6_t '× fp6_t) := + fp12mul (t1_1701) (t2_1702) in + let t2_1704 : (fp6_t '× fp6_t) := + fp12exp (t3_1699) (u_1683) in + let t2_1705 : (fp6_t '× fp6_t) := + fp12conjugate (t2_1704) in + let t2_1706 : (fp6_t '× fp6_t) := + fp12mul (t2_1705) (t0_1685) in + let t2_1707 : (fp6_t '× fp6_t) := + fp12mul (t2_1706) (f_1682) in + let t1_1708 : (fp6_t '× fp6_t) := + fp12mul (t1_1703) (t2_1707) in + let t2_1709 : (fp6_t '× fp6_t) := + frobenius (t3_1699) in + let t1_1710 : (fp6_t '× fp6_t) := + fp12mul (t1_1708) (t2_1709) in + t1_1710. + +Definition pairing (p_1711 : g1_t) (q_1712 : g2_t) : fp12_t := + let t_1713 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let r_1714 : (fp2_t '× fp2_t '× bool) := + q_1712 in + let f_1715 : (fp6_t '× fp6_t) := + fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in + let '(r_1714, f_1715) := + foldi (usize 1) (usize 64) (fun i_1716 '(r_1714, f_1715) => + let lrr_1717 : (fp6_t '× fp6_t) := + line_double_p (r_1714) (p_1711) in + let r_1714 := + g2double (r_1714) in + let f_1715 := + fp12mul (fp12mul (f_1715) (f_1715)) (lrr_1717) in + let '(r_1714, f_1715) := + if nat_mod_bit (t_1713) (((usize 64) - (i_1716)) - ( + usize 1)):bool then (let lrq_1718 : (fp6_t '× fp6_t) := + line_add_p (r_1714) (q_1712) (p_1711) in + let r_1714 := + g2add (r_1714) (q_1712) in + let f_1715 := + fp12mul (f_1715) (lrq_1718) in + (r_1714, f_1715)) else ((r_1714, f_1715)) in + (r_1714, f_1715)) + (r_1714, f_1715) in + final_exponentiation (fp12conjugate (f_1715)). + +Definition test_fp2_prop_add_neg (a_1719 : fp2_t) : bool := + let b_1720 : (fp_t '× fp_t) := + fp2neg (a_1719) in + (fp2fromfp (nat_mod_zero )) =.? (fp2add (a_1719) (b_1720)). +(*QuickChick ( + forAll g_fp2_t (fun a_1719 : fp2_t =>test_fp2_prop_add_neg a_1719)).*) + + +Definition test_fp2_prop_mul_inv (a_1721 : fp2_t) : bool := + let b_1722 : (fp_t '× fp_t) := + fp2inv (a_1721) in + (fp2fromfp (nat_mod_one )) =.? (fp2mul (a_1721) (b_1722)). +(*QuickChick ( + forAll g_fp2_t (fun a_1721 : fp2_t =>test_fp2_prop_mul_inv a_1721)).*) + + +Definition test_extraction_issue : bool := + let b_1723 : (fp_t '× fp_t) := + fp2inv ((nat_mod_one , nat_mod_one )) in + (fp2fromfp (nat_mod_one )) =.? (fp2mul ((nat_mod_one , nat_mod_one )) ( + b_1723)). +(*QuickChick (test_extraction_issue).*) + + +Definition test_fp6_prop_mul_inv (a_1724 : fp6_t) : bool := + let b_1725 : (fp2_t '× fp2_t '× fp2_t) := + fp6inv (a_1724) in + (fp6fromfp2 (fp2fromfp (nat_mod_one ))) =.? (fp6mul (a_1724) (b_1725)). +(*QuickChick ( + forAll g_fp6_t (fun a_1724 : fp6_t =>test_fp6_prop_mul_inv a_1724)).*) + + +Definition test_fp6_prop_add_neg (a_1726 : fp6_t) : bool := + let b_1727 : (fp2_t '× fp2_t '× fp2_t) := + fp6neg (a_1726) in + (fp6fromfp2 (fp2fromfp (nat_mod_zero ))) =.? (fp6add (a_1726) (b_1727)). +(*QuickChick ( + forAll g_fp6_t (fun a_1726 : fp6_t =>test_fp6_prop_add_neg a_1726)).*) + + +Definition test_fp12_prop_add_neg (a_1728 : fp12_t) : bool := + let b_1729 : (fp6_t '× fp6_t) := + fp12neg (a_1728) in + (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_zero )))) =.? (fp12add (a_1728) ( + b_1729)). +(*QuickChick ( + forAll g_fp12_t (fun a_1728 : fp12_t =>test_fp12_prop_add_neg a_1728)).*) + + +Definition test_fp12_prop_mul_inv (a_1730 : fp12_t) : bool := + let b_1731 : (fp6_t '× fp6_t) := + fp12inv (a_1730) in + (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one )))) =.? (fp12mul (a_1730) ( + b_1731)). +(*QuickChick ( + forAll g_fp12_t (fun a_1730 : fp12_t =>test_fp12_prop_mul_inv a_1730)).*) + + diff --git a/proof-libs/coq/src/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/src/Hacspec_Bls12_381_Hash.v new file mode 100644 index 000000000..de305328b --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Bls12_381_Hash.v @@ -0,0 +1,1754 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Bls12_381. + +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition fp_hash_canvas_t := nseq (int8) (64). +Definition fp_hash_t := + nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. + +Definition arr_fp_t := nseq (uint64) (usize 6). + +Definition b_in_bytes_v : uint_size := + usize 32. + +Definition s_in_bytes_v : uint_size := + usize 64. + +Definition l_v : uint_size := + usize 64. + +Definition p_1_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 936899308823769933) : int64; + secret (@repr WORDSIZE64 2706051889235351147) : int64; + secret (@repr WORDSIZE64 12843041017062132063) : int64; + secret (@repr WORDSIZE64 12941209323636816658) : int64; + secret (@repr WORDSIZE64 1105070755758604287) : int64; + secret (@repr WORDSIZE64 15924587544893707605) : int64 + ] in l). + +Definition p_1_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 468449654411884966) : int64; + secret (@repr WORDSIZE64 10576397981472451381) : int64; + secret (@repr WORDSIZE64 15644892545385841839) : int64; + secret (@repr WORDSIZE64 15693976698673184137) : int64; + secret (@repr WORDSIZE64 552535377879302143) : int64; + secret (@repr WORDSIZE64 17185665809301629611) : int64 + ] in l). + +Definition p_3_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 468449654411884966) : int64; + secret (@repr WORDSIZE64 10576397981472451381) : int64; + secret (@repr WORDSIZE64 15644892545385841839) : int64; + secret (@repr WORDSIZE64 15693976698673184137) : int64; + secret (@repr WORDSIZE64 552535377879302143) : int64; + secret (@repr WORDSIZE64 17185665809301629610) : int64 + ] in l). + +Definition expand_message_xmd + (msg_1732 : byte_seq) + (dst_1733 : byte_seq) + (len_in_bytes_1734 : uint_size) + : byte_seq := + let ell_1735 : uint_size := + (((len_in_bytes_1734) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in + let dst_prime_1736 : seq uint8 := + seq_push (dst_1733) (uint8_from_usize (seq_len (dst_1733))) in + let z_pad_1737 : seq uint8 := + seq_new_ (default : uint8) (s_in_bytes_v) in + let l_i_b_str_1738 : seq uint8 := + seq_new_ (default : uint8) (usize 2) in + let l_i_b_str_1738 := + seq_upd l_i_b_str_1738 (usize 0) (uint8_from_usize ((len_in_bytes_1734) / ( + usize 256))) in + let l_i_b_str_1738 := + seq_upd l_i_b_str_1738 (usize 1) (uint8_from_usize (len_in_bytes_1734)) in + let msg_prime_1739 : seq uint8 := + seq_concat (seq_concat (seq_concat (seq_concat (z_pad_1737) (msg_1732)) ( + l_i_b_str_1738)) (seq_new_ (default : uint8) (usize 1))) ( + dst_prime_1736) in + let b_0_1740 : seq uint8 := + seq_from_seq (array_to_seq (hash (msg_prime_1739))) in + let b_i_1741 : seq uint8 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_1740) (secret ( + @repr WORDSIZE8 1) : int8)) (dst_prime_1736)))) in + let uniform_bytes_1742 : seq uint8 := + seq_from_seq (b_i_1741) in + let '(b_i_1741, uniform_bytes_1742) := + foldi (usize 2) ((ell_1735) + (usize 1)) (fun i_1743 '( + b_i_1741, + uniform_bytes_1742 + ) => + let t_1744 : seq uint8 := + seq_from_seq (b_0_1740) in + let b_i_1741 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( + t_1744) seq_xor (b_i_1741)) (uint8_from_usize (i_1743))) ( + dst_prime_1736)))) in + let uniform_bytes_1742 := + seq_concat (uniform_bytes_1742) (b_i_1741) in + (b_i_1741, uniform_bytes_1742)) + (b_i_1741, uniform_bytes_1742) in + seq_truncate (uniform_bytes_1742) (len_in_bytes_1734). + +Definition fp_hash_to_field + (msg_1745 : byte_seq) + (dst_1746 : byte_seq) + (count_1747 : uint_size) + : seq fp_t := + let len_in_bytes_1748 : uint_size := + (count_1747) * (l_v) in + let uniform_bytes_1749 : seq uint8 := + expand_message_xmd (msg_1745) (dst_1746) (len_in_bytes_1748) in + let output_1750 : seq fp_t := + seq_new_ (default : fp_t) (count_1747) in + let output_1750 := + foldi (usize 0) (count_1747) (fun i_1751 output_1750 => + let elm_offset_1752 : uint_size := + (l_v) * (i_1751) in + let tv_1753 : seq uint8 := + seq_slice (uniform_bytes_1749) (elm_offset_1752) (l_v) in + let u_i_1754 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1753) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let output_1750 := + seq_upd output_1750 (i_1751) (u_i_1754) in + (output_1750)) + output_1750 in + output_1750. + +Definition fp_sgn0 (x_1755 : fp_t) : bool := + ((x_1755) rem (nat_mod_two )) =.? (nat_mod_one ). + +Definition fp_is_square (x_1756 : fp_t) : bool := + let c1_1757 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let tv_1758 : fp_t := + nat_mod_pow_self (x_1756) (c1_1757) in + ((tv_1758) =.? (nat_mod_zero )) || ((tv_1758) =.? (nat_mod_one )). + +Definition fp_sqrt (x_1759 : fp_t) : fp_t := + let c1_1760 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_4_v)) : fp_t in + nat_mod_pow_self (x_1759) (c1_1760). + +Definition g1_curve_func (x_1761 : fp_t) : fp_t := + (((x_1761) *% (x_1761)) *% (x_1761)) +% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t). + +Definition g1_map_to_curve_svdw (u_1762 : fp_t) : g1_t := + let z_1763 : fp_t := + (nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t) in + let gz_1764 : fp_t := + g1_curve_func (z_1763) in + let tv1_1765 : fp_t := + ((u_1762) *% (u_1762)) *% (gz_1764) in + let tv2_1766 : fp_t := + (nat_mod_one ) +% (tv1_1765) in + let tv1_1767 : fp_t := + (nat_mod_one ) -% (tv1_1765) in + let tv3_1768 : fp_t := + nat_mod_inv ((tv1_1767) *% (tv2_1766)) in + let tv4_1769 : fp_t := + fp_sqrt (((nat_mod_zero ) -% (gz_1764)) *% (((nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t) *% (z_1763)) *% (z_1763))) in + let '(tv4_1769) := + if fp_sgn0 (tv4_1769):bool then (let tv4_1769 := + (nat_mod_zero ) -% (tv4_1769) in + (tv4_1769)) else ((tv4_1769)) in + let tv5_1770 : fp_t := + (((u_1762) *% (tv1_1767)) *% (tv3_1768)) *% (tv4_1769) in + let tv6_1771 : fp_t := + (((nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t)) *% (gz_1764)) *% (nat_mod_inv ((( + nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t) *% ( + z_1763)) *% (z_1763))) in + let x1_1772 : fp_t := + (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) -% ( + tv5_1770) in + let x2_1773 : fp_t := + (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) +% ( + tv5_1770) in + let x3_1774 : fp_t := + (z_1763) +% (((tv6_1771) *% (((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) *% ( + ((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) in + let x_1775 : fp_t := + (if (fp_is_square (g1_curve_func (x1_1772))):bool then (x1_1772) else ((if ( + fp_is_square (g1_curve_func (x2_1773))):bool then (x2_1773) else ( + x3_1774)))) in + let y_1776 : fp_t := + fp_sqrt (g1_curve_func (x_1775)) in + let '(y_1776) := + if (fp_sgn0 (u_1762)) !=.? (fp_sgn0 (y_1776)):bool then (let y_1776 := + (nat_mod_zero ) -% (y_1776) in + (y_1776)) else ((y_1776)) in + (x_1775, y_1776, false). + +Definition g1_clear_cofactor (x_1777 : g1_t) : g1_t := + let h_eff_1778 : scalar_t := + nat_mod_from_literal (_) ( + @repr WORDSIZE128 15132376222941642753) : scalar_t in + g1mul (h_eff_1778) (x_1777). + +Definition g1_hash_to_curve_svdw + (msg_1779 : byte_seq) + (dst_1780 : byte_seq) + : g1_t := + let u_1781 : seq fp_t := + fp_hash_to_field (msg_1779) (dst_1780) (usize 2) in + let q0_1782 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_svdw (seq_index (u_1781) (usize 0)) in + let q1_1783 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_svdw (seq_index (u_1781) (usize 1)) in + let r_1784 : (fp_t '× fp_t '× bool) := + g1add (q0_1782) (q1_1783) in + let p_1785 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (r_1784) in + p_1785. + +Definition g1_encode_to_curve_svdw + (msg_1786 : byte_seq) + (dst_1787 : byte_seq) + : g1_t := + let u_1788 : seq fp_t := + fp_hash_to_field (msg_1786) (dst_1787) (usize 1) in + let q_1789 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_svdw (seq_index (u_1788) (usize 0)) in + let p_1790 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (q_1789) in + p_1790. + +Definition fp2_hash_to_field + (msg_1791 : byte_seq) + (dst_1792 : byte_seq) + (count_1793 : uint_size) + : seq fp2_t := + let len_in_bytes_1794 : uint_size := + ((count_1793) * (usize 2)) * (l_v) in + let uniform_bytes_1795 : seq uint8 := + expand_message_xmd (msg_1791) (dst_1792) (len_in_bytes_1794) in + let output_1796 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (count_1793) in + let output_1796 := + foldi (usize 0) (count_1793) (fun i_1797 output_1796 => + let elm_offset_1798 : uint_size := + ((l_v) * (i_1797)) * (usize 2) in + let tv_1799 : seq uint8 := + seq_slice (uniform_bytes_1795) (elm_offset_1798) (l_v) in + let e_1_1800 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1799) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let elm_offset_1801 : uint_size := + (l_v) * ((usize 1) + ((i_1797) * (usize 2))) in + let tv_1802 : seq uint8 := + seq_slice (uniform_bytes_1795) (elm_offset_1801) (l_v) in + let e_2_1803 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1802) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let output_1796 := + seq_upd output_1796 (i_1797) ((e_1_1800, e_2_1803)) in + (output_1796)) + output_1796 in + output_1796. + +Definition fp2_sgn0 (x_1804 : fp2_t) : bool := + let '(x0_1805, x1_1806) := + x_1804 in + let sign_0_1807 : bool := + fp_sgn0 (x0_1805) in + let zero_0_1808 : bool := + (x0_1805) =.? (nat_mod_zero ) in + let sign_1_1809 : bool := + fp_sgn0 (x1_1806) in + (sign_0_1807) || ((zero_0_1808) && (sign_1_1809)). + +Definition fp2_is_square (x_1810 : fp2_t) : bool := + let c1_1811 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let '(x1_1812, x2_1813) := + x_1810 in + let tv1_1814 : fp_t := + (x1_1812) *% (x1_1812) in + let tv2_1815 : fp_t := + (x2_1813) *% (x2_1813) in + let tv1_1816 : fp_t := + (tv1_1814) +% (tv2_1815) in + let tv1_1817 : fp_t := + nat_mod_pow_self (tv1_1816) (c1_1811) in + let neg1_1818 : fp_t := + (nat_mod_zero ) -% (nat_mod_one ) in + (tv1_1817) !=.? (neg1_1818). + +Definition fp2exp (n_1819 : fp2_t) (k_1820 : fp_t) : fp2_t := + let c_1821 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let c_1821 := + foldi (usize 0) (usize 381) (fun i_1822 c_1821 => + let c_1821 := + fp2mul (c_1821) (c_1821) in + let '(c_1821) := + if nat_mod_bit (k_1820) ((usize 380) - (i_1822)):bool then ( + let c_1821 := + fp2mul (c_1821) (n_1819) in + (c_1821)) else ((c_1821)) in + (c_1821)) + c_1821 in + c_1821. + +Definition fp2_sqrt (a_1823 : fp2_t) : fp2_t := + let c1_1824 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_3_4_v)) : fp_t in + let c2_1825 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let a1_1826 : (fp_t '× fp_t) := + fp2exp (a_1823) (c1_1824) in + let alpha_1827 : (fp_t '× fp_t) := + fp2mul (a1_1826) (fp2mul (a1_1826) (a_1823)) in + let x0_1828 : (fp_t '× fp_t) := + fp2mul (a1_1826) (a_1823) in + let neg1_1829 : (fp_t '× fp_t) := + ((nat_mod_zero ) -% (nat_mod_one ), nat_mod_zero ) in + let b_1830 : (fp_t '× fp_t) := + fp2exp (fp2add (fp2fromfp (nat_mod_one )) (alpha_1827)) (c2_1825) in + (if ((alpha_1827) =.? (neg1_1829)):bool then (fp2mul (( + nat_mod_zero , + nat_mod_one + )) (x0_1828)) else (fp2mul (b_1830) (x0_1828))). + +Definition g2_curve_func (x_1831 : fp2_t) : fp2_t := + fp2add (fp2mul (x_1831) (fp2mul (x_1831) (x_1831))) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t, + nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t + )). + +Definition g2_map_to_curve_svdw (u_1832 : fp2_t) : g2_t := + let z_1833 : (fp_t '× fp_t) := + fp2neg (fp2fromfp (nat_mod_one )) in + let gz_1834 : (fp_t '× fp_t) := + g2_curve_func (z_1833) in + let tv1_1835 : (fp_t '× fp_t) := + fp2mul (fp2mul (u_1832) (u_1832)) (gz_1834) in + let tv2_1836 : (fp_t '× fp_t) := + fp2add (fp2fromfp (nat_mod_one )) (tv1_1835) in + let tv1_1837 : (fp_t '× fp_t) := + fp2sub (fp2fromfp (nat_mod_one )) (tv1_1835) in + let tv3_1838 : (fp_t '× fp_t) := + fp2inv (fp2mul (tv1_1837) (tv2_1836)) in + let tv4_1839 : (fp_t '× fp_t) := + fp2_sqrt (fp2mul (fp2neg (gz_1834)) (fp2mul (fp2fromfp ( + nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) (fp2mul ( + z_1833) (z_1833)))) in + let '(tv4_1839) := + if fp2_sgn0 (tv4_1839):bool then (let tv4_1839 := + fp2neg (tv4_1839) in + (tv4_1839)) else ((tv4_1839)) in + let tv5_1840 : (fp_t '× fp_t) := + fp2mul (fp2mul (fp2mul (u_1832) (tv1_1837)) (tv3_1838)) (tv4_1839) in + let tv6_1841 : (fp_t '× fp_t) := + fp2mul (fp2mul (fp2neg (fp2fromfp (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t))) (gz_1834)) (fp2inv (fp2mul ( + fp2fromfp (nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) ( + fp2mul (z_1833) (z_1833)))) in + let x1_1842 : (fp_t '× fp_t) := + fp2sub (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( + tv5_1840) in + let x2_1843 : (fp_t '× fp_t) := + fp2add (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( + tv5_1840) in + let tv7_1844 : (fp_t '× fp_t) := + fp2mul (fp2mul (tv2_1836) (tv2_1836)) (tv3_1838) in + let x3_1845 : (fp_t '× fp_t) := + fp2add (z_1833) (fp2mul (tv6_1841) (fp2mul (tv7_1844) (tv7_1844))) in + let x_1846 : (fp_t '× fp_t) := + (if (fp2_is_square (g2_curve_func (x1_1842))):bool then (x1_1842) else (( + if (fp2_is_square (g2_curve_func (x2_1843))):bool then ( + x2_1843) else (x3_1845)))) in + let y_1847 : (fp_t '× fp_t) := + fp2_sqrt (g2_curve_func (x_1846)) in + let '(y_1847) := + if (fp2_sgn0 (u_1832)) !=.? (fp2_sgn0 (y_1847)):bool then (let y_1847 := + fp2neg (y_1847) in + (y_1847)) else ((y_1847)) in + (x_1846, y_1847, false). + +Definition psi (p_1848 : g2_t) : g2_t := + let c1_1849 : (fp_t '× fp_t) := + fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( + nat_mod_one )) *% (nat_mod_inv (nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t)))) in + let c2_1850 : (fp_t '× fp_t) := + fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( + nat_mod_one )) *% (nat_mod_inv (nat_mod_two )))) in + let '(x_1851, y_1852, inf_1853) := + p_1848 in + let qx_1854 : (fp_t '× fp_t) := + fp2mul (c1_1849) (fp2conjugate (x_1851)) in + let qy_1855 : (fp_t '× fp_t) := + fp2mul (c2_1850) (fp2conjugate (y_1852)) in + (qx_1854, qy_1855, inf_1853). + +Definition g2_clear_cofactor (p_1856 : g2_t) : g2_t := + let c1_1857 : scalar_t := + nat_mod_from_literal (_) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let t1_1858 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2mul (c1_1857) (p_1856) in + let t1_1859 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2neg (t1_1858) in + let t2_1860 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + psi (p_1856) in + let t3_1861 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2double (p_1856) in + let t3_1862 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + psi (psi (t3_1861)) in + let t3_1863 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1862) (g2neg (t2_1860)) in + let t2_1864 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t1_1859) (t2_1860) in + let t2_1865 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2mul (c1_1857) (t2_1864) in + let t2_1866 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2neg (t2_1865) in + let t3_1867 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1863) (t2_1866) in + let t3_1868 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1867) (g2neg (t1_1859)) in + let q_1869 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (t3_1868) (g2neg (p_1856)) in + q_1869. + +Definition g2_hash_to_curve_svdw + (msg_1870 : byte_seq) + (dst_1871 : byte_seq) + : g2_t := + let u_1872 : seq fp2_t := + fp2_hash_to_field (msg_1870) (dst_1871) (usize 2) in + let q0_1873 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_svdw (seq_index (u_1872) (usize 0)) in + let q1_1874 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_svdw (seq_index (u_1872) (usize 1)) in + let r_1875 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (q0_1873) (q1_1874) in + let p_1876 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (r_1875) in + p_1876. + +Definition g2_encode_to_curve_svdw + (msg_1877 : byte_seq) + (dst_1878 : byte_seq) + : g2_t := + let u_1879 : seq fp2_t := + fp2_hash_to_field (msg_1877) (dst_1878) (usize 1) in + let q_1880 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_svdw (seq_index (u_1879) (usize 0)) in + let p_1881 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (q_1880) in + p_1881. + +Definition g1_iso_a_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 5707120929990979) : int64; + secret (@repr WORDSIZE64 4425131892511951234) : int64; + secret (@repr WORDSIZE64 12748169179688756904) : int64; + secret (@repr WORDSIZE64 15629909748249821612) : int64; + secret (@repr WORDSIZE64 10994253769421683071) : int64; + secret (@repr WORDSIZE64 6698022561392380957) : int64 + ] in l). + +Definition g1_iso_b_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1360808972976160816) : int64; + secret (@repr WORDSIZE64 111203405409480251) : int64; + secret (@repr WORDSIZE64 2312248699302920304) : int64; + secret (@repr WORDSIZE64 11581500465278574325) : int64; + secret (@repr WORDSIZE64 6495071758858381989) : int64; + secret (@repr WORDSIZE64 15117538217124375520) : int64 + ] in l). + +Definition g1_xnum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1270119733718627136) : int64; + secret (@repr WORDSIZE64 13261148298159854981) : int64; + secret (@repr WORDSIZE64 7723742117508874335) : int64; + secret (@repr WORDSIZE64 17465657917644792520) : int64; + secret (@repr WORDSIZE64 6201670911048166766) : int64; + secret (@repr WORDSIZE64 12586459670690286007) : int64 + ] in l). + +Definition g1_xnum_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1668951808976071471) : int64; + secret (@repr WORDSIZE64 398773841247578140) : int64; + secret (@repr WORDSIZE64 8941869963990959127) : int64; + secret (@repr WORDSIZE64 17682789360670468203) : int64; + secret (@repr WORDSIZE64 5204176168283587414) : int64; + secret (@repr WORDSIZE64 16732261237459223483) : int64 + ] in l). + +Definition g1_xnum_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 960393023080265964) : int64; + secret (@repr WORDSIZE64 2094253841180170779) : int64; + secret (@repr WORDSIZE64 14844748873776858085) : int64; + secret (@repr WORDSIZE64 7528018573573808732) : int64; + secret (@repr WORDSIZE64 10776056440809943711) : int64; + secret (@repr WORDSIZE64 16147550488514976944) : int64 + ] in l). + +Definition g1_xnum_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1691355743628586423) : int64; + secret (@repr WORDSIZE64 5622191986793862162) : int64; + secret (@repr WORDSIZE64 15561595211679121189) : int64; + secret (@repr WORDSIZE64 17416319752018800771) : int64; + secret (@repr WORDSIZE64 5996228842464768403) : int64; + secret (@repr WORDSIZE64 14245880009877842017) : int64 + ] in l). + +Definition g1_xnum_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1051997788391994435) : int64; + secret (@repr WORDSIZE64 7368650625050054228) : int64; + secret (@repr WORDSIZE64 11086623519836470079) : int64; + secret (@repr WORDSIZE64 607681821319080984) : int64; + secret (@repr WORDSIZE64 10978131499682789316) : int64; + secret (@repr WORDSIZE64 5842660658088809945) : int64 + ] in l). + +Definition g1_xnum_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1598992431623377919) : int64; + secret (@repr WORDSIZE64 130921168661596853) : int64; + secret (@repr WORDSIZE64 15797696746983946651) : int64; + secret (@repr WORDSIZE64 11444679715590672272) : int64; + secret (@repr WORDSIZE64 11567228658253249817) : int64; + secret (@repr WORDSIZE64 14777367860349315459) : int64 + ] in l). + +Definition g1_xnum_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 967946631563726121) : int64; + secret (@repr WORDSIZE64 7653628713030275775) : int64; + secret (@repr WORDSIZE64 12760252618317466849) : int64; + secret (@repr WORDSIZE64 10378793938173061930) : int64; + secret (@repr WORDSIZE64 10205808941053849290) : int64; + secret (@repr WORDSIZE64 15985511645807504772) : int64 + ] in l). + +Definition g1_xnum_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1709149555065084898) : int64; + secret (@repr WORDSIZE64 16750075057192140371) : int64; + secret (@repr WORDSIZE64 3849985779734105521) : int64; + secret (@repr WORDSIZE64 11998370262181639475) : int64; + secret (@repr WORDSIZE64 4159013751748851119) : int64; + secret (@repr WORDSIZE64 11298218755092433038) : int64 + ] in l). + +Definition g1_xnum_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 580186936973955012) : int64; + secret (@repr WORDSIZE64 8903813505199544589) : int64; + secret (@repr WORDSIZE64 14140024565662700916) : int64; + secret (@repr WORDSIZE64 11728946595272970718) : int64; + secret (@repr WORDSIZE64 5738313744366653077) : int64; + secret (@repr WORDSIZE64 7886252005760951063) : int64 + ] in l). + +Definition g1_xnum_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1628930385436977092) : int64; + secret (@repr WORDSIZE64 3318087848058654498) : int64; + secret (@repr WORDSIZE64 15937899882900905113) : int64; + secret (@repr WORDSIZE64 7449821001803307903) : int64; + secret (@repr WORDSIZE64 11752436998487615353) : int64; + secret (@repr WORDSIZE64 9161465579737517214) : int64 + ] in l). + +Definition g1_xnum_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1167027828517898210) : int64; + secret (@repr WORDSIZE64 8275623842221021965) : int64; + secret (@repr WORDSIZE64 18049808134997311382) : int64; + secret (@repr WORDSIZE64 15351349873550116966) : int64; + secret (@repr WORDSIZE64 17769927732099571180) : int64; + secret (@repr WORDSIZE64 14584871380308065147) : int64 + ] in l). + +Definition g1_xnum_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 495550047642324592) : int64; + secret (@repr WORDSIZE64 13627494601717575229) : int64; + secret (@repr WORDSIZE64 3591512392926246844) : int64; + secret (@repr WORDSIZE64 2576269112800734056) : int64; + secret (@repr WORDSIZE64 14000314106239596831) : int64; + secret (@repr WORDSIZE64 12234233096825917993) : int64 + ] in l). + +Definition g1_xden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 633474091881273774) : int64; + secret (@repr WORDSIZE64 1779737893574802031) : int64; + secret (@repr WORDSIZE64 132274872219551930) : int64; + secret (@repr WORDSIZE64 11283074393783708770) : int64; + secret (@repr WORDSIZE64 13067430171545714168) : int64; + secret (@repr WORDSIZE64 11041975239630265116) : int64 + ] in l). + +Definition g1_xden_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1321272531362356291) : int64; + secret (@repr WORDSIZE64 5238936591227237942) : int64; + secret (@repr WORDSIZE64 8089002360232247308) : int64; + secret (@repr WORDSIZE64 82967328719421271) : int64; + secret (@repr WORDSIZE64 1430641118356186857) : int64; + secret (@repr WORDSIZE64 16557527386785790975) : int64 + ] in l). + +Definition g1_xden_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 804282852993868382) : int64; + secret (@repr WORDSIZE64 9311163821600184607) : int64; + secret (@repr WORDSIZE64 8037026956533927121) : int64; + secret (@repr WORDSIZE64 18205324308570099372) : int64; + secret (@repr WORDSIZE64 15466434890074226396) : int64; + secret (@repr WORDSIZE64 18213183315621985817) : int64 + ] in l). + +Definition g1_xden_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 234844145893171966) : int64; + secret (@repr WORDSIZE64 14428037799351479124) : int64; + secret (@repr WORDSIZE64 6559532710647391569) : int64; + secret (@repr WORDSIZE64 6110444250091843536) : int64; + secret (@repr WORDSIZE64 5293652763671852484) : int64; + secret (@repr WORDSIZE64 1373009181854280920) : int64 + ] in l). + +Definition g1_xden_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1416629893867312296) : int64; + secret (@repr WORDSIZE64 751851957792514173) : int64; + secret (@repr WORDSIZE64 18437674587247370939) : int64; + secret (@repr WORDSIZE64 10190314345946351322) : int64; + secret (@repr WORDSIZE64 11228207967368476701) : int64; + secret (@repr WORDSIZE64 6025034940388909598) : int64 + ] in l). + +Definition g1_xden_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1041270466333271993) : int64; + secret (@repr WORDSIZE64 6140956605115975401) : int64; + secret (@repr WORDSIZE64 4131830461445745997) : int64; + secret (@repr WORDSIZE64 739642499118176303) : int64; + secret (@repr WORDSIZE64 8358912131254619921) : int64; + secret (@repr WORDSIZE64 13847998906088228005) : int64 + ] in l). + +Definition g1_xden_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 536714149743900185) : int64; + secret (@repr WORDSIZE64 1098328982230230817) : int64; + secret (@repr WORDSIZE64 6273329123533496713) : int64; + secret (@repr WORDSIZE64 5633448088282521244) : int64; + secret (@repr WORDSIZE64 16894043798660571244) : int64; + secret (@repr WORDSIZE64 17016134625831438906) : int64 + ] in l). + +Definition g1_xden_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1488347500898461874) : int64; + secret (@repr WORDSIZE64 3509418672874520985) : int64; + secret (@repr WORDSIZE64 7962192351555381416) : int64; + secret (@repr WORDSIZE64 1843909372225399896) : int64; + secret (@repr WORDSIZE64 1127511003250156243) : int64; + secret (@repr WORDSIZE64 1294742680819751518) : int64 + ] in l). + +Definition g1_xden_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 725340084226051970) : int64; + secret (@repr WORDSIZE64 6814521545734988748) : int64; + secret (@repr WORDSIZE64 16176803544133875307) : int64; + secret (@repr WORDSIZE64 8363199516777220149) : int64; + secret (@repr WORDSIZE64 252877309218538352) : int64; + secret (@repr WORDSIZE64 5149562959837648449) : int64 + ] in l). + +Definition g1_xden_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 675470927100193492) : int64; + secret (@repr WORDSIZE64 5146891164735334016) : int64; + secret (@repr WORDSIZE64 17762958817130696759) : int64; + secret (@repr WORDSIZE64 8565656522589412373) : int64; + secret (@repr WORDSIZE64 10599026333335446784) : int64; + secret (@repr WORDSIZE64 3270603789344496906) : int64 + ] in l). + +Definition g1_ynum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 652344406751465184) : int64; + secret (@repr WORDSIZE64 2710356675495255290) : int64; + secret (@repr WORDSIZE64 1273695771440998738) : int64; + secret (@repr WORDSIZE64 3121750372618945491) : int64; + secret (@repr WORDSIZE64 14775319642720936898) : int64; + secret (@repr WORDSIZE64 13733803417833814835) : int64 + ] in l). + +Definition g1_ynum_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1389807578337138705) : int64; + secret (@repr WORDSIZE64 15352831428748068483) : int64; + secret (@repr WORDSIZE64 1307144967559264317) : int64; + secret (@repr WORDSIZE64 1121505450578652468) : int64; + secret (@repr WORDSIZE64 15475889019760388287) : int64; + secret (@repr WORDSIZE64 16183658160488302230) : int64 + ] in l). + +Definition g1_ynum_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 57553299067792998) : int64; + secret (@repr WORDSIZE64 17628079362768849300) : int64; + secret (@repr WORDSIZE64 2689461337731570914) : int64; + secret (@repr WORDSIZE64 14070580367580990887) : int64; + secret (@repr WORDSIZE64 15162865775551710499) : int64; + secret (@repr WORDSIZE64 13321614990632673782) : int64 + ] in l). + +Definition g1_ynum_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 141972750621744161) : int64; + secret (@repr WORDSIZE64 8689824239172478807) : int64; + secret (@repr WORDSIZE64 15288216298323671324) : int64; + secret (@repr WORDSIZE64 712874875091754233) : int64; + secret (@repr WORDSIZE64 16014900032503684588) : int64; + secret (@repr WORDSIZE64 11976580453200426187) : int64 + ] in l). + +Definition g1_ynum_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 633886036738506515) : int64; + secret (@repr WORDSIZE64 6678644607214234052) : int64; + secret (@repr WORDSIZE64 1825425679455244472) : int64; + secret (@repr WORDSIZE64 8755912272271186652) : int64; + secret (@repr WORDSIZE64 3379943669301788840) : int64; + secret (@repr WORDSIZE64 4735212769449148123) : int64 + ] in l). + +Definition g1_ynum_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1612358804494830442) : int64; + secret (@repr WORDSIZE64 2454990789666711200) : int64; + secret (@repr WORDSIZE64 8405916841409361853) : int64; + secret (@repr WORDSIZE64 8525415512662168654) : int64; + secret (@repr WORDSIZE64 2323684950984523890) : int64; + secret (@repr WORDSIZE64 11074978966450447856) : int64 + ] in l). + +Definition g1_ynum_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 336375361001233340) : int64; + secret (@repr WORDSIZE64 12882959944969186108) : int64; + secret (@repr WORDSIZE64 16671121624101127371) : int64; + secret (@repr WORDSIZE64 5922586712221110071) : int64; + secret (@repr WORDSIZE64 5163511947597922654) : int64; + secret (@repr WORDSIZE64 14511152726087948018) : int64 + ] in l). + +Definition g1_ynum_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 686738286210365551) : int64; + secret (@repr WORDSIZE64 16039894141796533876) : int64; + secret (@repr WORDSIZE64 1660145734357211167) : int64; + secret (@repr WORDSIZE64 18231571463891878950) : int64; + secret (@repr WORDSIZE64 4825120264949852469) : int64; + secret (@repr WORDSIZE64 11627815551290637097) : int64 + ] in l). + +Definition g1_ynum_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 719520515476580427) : int64; + secret (@repr WORDSIZE64 16756942182913253819) : int64; + secret (@repr WORDSIZE64 10320769399998235244) : int64; + secret (@repr WORDSIZE64 2200974244968450750) : int64; + secret (@repr WORDSIZE64 7626373186594408355) : int64; + secret (@repr WORDSIZE64 6933025920263103879) : int64 + ] in l). + +Definition g1_ynum_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1016611174344998325) : int64; + secret (@repr WORDSIZE64 2466492548686891555) : int64; + secret (@repr WORDSIZE64 14135124294293452542) : int64; + secret (@repr WORDSIZE64 475233659467912251) : int64; + secret (@repr WORDSIZE64 11186783513499056751) : int64; + secret (@repr WORDSIZE64 3147922594245844016) : int64 + ] in l). + +Definition g1_ynum_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1833315000454533566) : int64; + secret (@repr WORDSIZE64 1007974600900082579) : int64; + secret (@repr WORDSIZE64 14785260176242854207) : int64; + secret (@repr WORDSIZE64 15066861003931772432) : int64; + secret (@repr WORDSIZE64 3584647998681889532) : int64; + secret (@repr WORDSIZE64 16722834201330696498) : int64 + ] in l). + +Definition g1_ynum_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1780164921828767454) : int64; + secret (@repr WORDSIZE64 13337622794239929804) : int64; + secret (@repr WORDSIZE64 5923739534552515142) : int64; + secret (@repr WORDSIZE64 3345046972101780530) : int64; + secret (@repr WORDSIZE64 5321510883028162054) : int64; + secret (@repr WORDSIZE64 14846055306840460686) : int64 + ] in l). + +Definition g1_ynum_k_12_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 799438051374502809) : int64; + secret (@repr WORDSIZE64 15083972834952036164) : int64; + secret (@repr WORDSIZE64 8838227588559581326) : int64; + secret (@repr WORDSIZE64 13846054168121598783) : int64; + secret (@repr WORDSIZE64 488730451382505970) : int64; + secret (@repr WORDSIZE64 958146249756188408) : int64 + ] in l). + +Definition g1_ynum_k_13_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 163716820423854747) : int64; + secret (@repr WORDSIZE64 8285498163857659356) : int64; + secret (@repr WORDSIZE64 8465424830341846400) : int64; + secret (@repr WORDSIZE64 1433942577299613084) : int64; + secret (@repr WORDSIZE64 14325828012864645732) : int64; + secret (@repr WORDSIZE64 4817114329354076467) : int64 + ] in l). + +Definition g1_ynum_k_14_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 414658151749832465) : int64; + secret (@repr WORDSIZE64 189531577938912252) : int64; + secret (@repr WORDSIZE64 6802473390048830824) : int64; + secret (@repr WORDSIZE64 15684647020317539556) : int64; + secret (@repr WORDSIZE64 7755485098777620407) : int64; + secret (@repr WORDSIZE64 9685868895687483979) : int64 + ] in l). + +Definition g1_ynum_k_15_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1578157964224562126) : int64; + secret (@repr WORDSIZE64 5666948055268535989) : int64; + secret (@repr WORDSIZE64 14634479491382401593) : int64; + secret (@repr WORDSIZE64 6317940024988860850) : int64; + secret (@repr WORDSIZE64 13142913832013798519) : int64; + secret (@repr WORDSIZE64 338991247778166276) : int64 + ] in l). + +Definition g1_yden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1590100849350973618) : int64; + secret (@repr WORDSIZE64 5915497081334721257) : int64; + secret (@repr WORDSIZE64 6924968209373727718) : int64; + secret (@repr WORDSIZE64 17204633670617869946) : int64; + secret (@repr WORDSIZE64 572916540828819565) : int64; + secret (@repr WORDSIZE64 92203205520679873) : int64 + ] in l). + +Definition g1_yden_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1829261189398470686) : int64; + secret (@repr WORDSIZE64 1877083417397643448) : int64; + secret (@repr WORDSIZE64 9640042925497046428) : int64; + secret (@repr WORDSIZE64 11862766565471805471) : int64; + secret (@repr WORDSIZE64 8693114993904885301) : int64; + secret (@repr WORDSIZE64 3672140328108400701) : int64 + ] in l). + +Definition g1_yden_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 400243331105348135) : int64; + secret (@repr WORDSIZE64 8046435537999802711) : int64; + secret (@repr WORDSIZE64 8702226981475745585) : int64; + secret (@repr WORDSIZE64 879791671491744492) : int64; + secret (@repr WORDSIZE64 11994630442058346377) : int64; + secret (@repr WORDSIZE64 2172204746352322546) : int64 + ] in l). + +Definition g1_yden_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1637008473169220501) : int64; + secret (@repr WORDSIZE64 17441636237435581649) : int64; + secret (@repr WORDSIZE64 15066165676546511630) : int64; + secret (@repr WORDSIZE64 1314387578457599809) : int64; + secret (@repr WORDSIZE64 8247046336453711789) : int64; + secret (@repr WORDSIZE64 12164906044230685718) : int64 + ] in l). + +Definition g1_yden_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 855930740911588324) : int64; + secret (@repr WORDSIZE64 12685735333705453020) : int64; + secret (@repr WORDSIZE64 14326404096614579120) : int64; + secret (@repr WORDSIZE64 6066025509460822294) : int64; + secret (@repr WORDSIZE64 11676450493790612973) : int64; + secret (@repr WORDSIZE64 15724621714793234461) : int64 + ] in l). + +Definition g1_yden_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 637792788410719021) : int64; + secret (@repr WORDSIZE64 11507373155986977154) : int64; + secret (@repr WORDSIZE64 13186912195705886849) : int64; + secret (@repr WORDSIZE64 14262012144631372388) : int64; + secret (@repr WORDSIZE64 5328758613570342114) : int64; + secret (@repr WORDSIZE64 199925847119476652) : int64 + ] in l). + +Definition g1_yden_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1612297190139091759) : int64; + secret (@repr WORDSIZE64 14103733843373163083) : int64; + secret (@repr WORDSIZE64 6840121186619029743) : int64; + secret (@repr WORDSIZE64 6760859324815900753) : int64; + secret (@repr WORDSIZE64 15418807805142572985) : int64; + secret (@repr WORDSIZE64 4402853133867972444) : int64 + ] in l). + +Definition g1_yden_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1631410310868805610) : int64; + secret (@repr WORDSIZE64 269334146695233390) : int64; + secret (@repr WORDSIZE64 16547411811928854487) : int64; + secret (@repr WORDSIZE64 18353100669930795314) : int64; + secret (@repr WORDSIZE64 13339932232668798692) : int64; + secret (@repr WORDSIZE64 6984591927261867737) : int64 + ] in l). + +Definition g1_yden_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1758313625630302499) : int64; + secret (@repr WORDSIZE64 1881349400343039172) : int64; + secret (@repr WORDSIZE64 18013005311323887904) : int64; + secret (@repr WORDSIZE64 12377427846571989832) : int64; + secret (@repr WORDSIZE64 5967237584920922243) : int64; + secret (@repr WORDSIZE64 7720081932193848650) : int64 + ] in l). + +Definition g1_yden_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1619701357752249884) : int64; + secret (@repr WORDSIZE64 16898074901591262352) : int64; + secret (@repr WORDSIZE64 3609344159736760251) : int64; + secret (@repr WORDSIZE64 5983130161189999867) : int64; + secret (@repr WORDSIZE64 14355327869992416094) : int64; + secret (@repr WORDSIZE64 3778226018344582997) : int64 + ] in l). + +Definition g1_yden_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 347606589330687421) : int64; + secret (@repr WORDSIZE64 5255719044972187933) : int64; + secret (@repr WORDSIZE64 11271894388753671721) : int64; + secret (@repr WORDSIZE64 1033887512062764488) : int64; + secret (@repr WORDSIZE64 8189165486932690436) : int64; + secret (@repr WORDSIZE64 70004379462101672) : int64 + ] in l). + +Definition g1_yden_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 778202887894139711) : int64; + secret (@repr WORDSIZE64 17691595219776375879) : int64; + secret (@repr WORDSIZE64 9193253711563866834) : int64; + secret (@repr WORDSIZE64 10092455202333888821) : int64; + secret (@repr WORDSIZE64 1655469341950262250) : int64; + secret (@repr WORDSIZE64 10845992994110574738) : int64 + ] in l). + +Definition g1_yden_k_12_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 781015344221683683) : int64; + secret (@repr WORDSIZE64 14078588081290548374) : int64; + secret (@repr WORDSIZE64 6067271023149908518) : int64; + secret (@repr WORDSIZE64 9033357708497886086) : int64; + secret (@repr WORDSIZE64 10592474449179118273) : int64; + secret (@repr WORDSIZE64 2204988348113831372) : int64 + ] in l). + +Definition g1_yden_k_13_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 172830037692534587) : int64; + secret (@repr WORDSIZE64 7101012286790006514) : int64; + secret (@repr WORDSIZE64 13787308004332873665) : int64; + secret (@repr WORDSIZE64 14660498759553796110) : int64; + secret (@repr WORDSIZE64 4757234684169342080) : int64; + secret (@repr WORDSIZE64 15130647872920159991) : int64 + ] in l). + +Definition g1_yden_k_14_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1013206390650290238) : int64; + secret (@repr WORDSIZE64 7720336747103001025) : int64; + secret (@repr WORDSIZE64 8197694151986493523) : int64; + secret (@repr WORDSIZE64 3625112747029342752) : int64; + secret (@repr WORDSIZE64 6675167463148394368) : int64; + secret (@repr WORDSIZE64 4905905684016745359) : int64 + ] in l). + +Definition g1_simple_swu_iso (u_1882 : fp_t) : (fp_t '× fp_t) := + let z_1883 : fp_t := + nat_mod_from_literal (_) (@repr WORDSIZE128 11) : fp_t in + let a_1884 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_a_v)) : fp_t in + let b_1885 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_b_v)) : fp_t in + let tv1_1886 : fp_t := + nat_mod_inv ((((z_1883) *% (z_1883)) *% (nat_mod_exp (u_1882) ( + @repr WORDSIZE32 4))) +% (((z_1883) *% (u_1882)) *% (u_1882))) in + let x1_1887 : fp_t := + (((nat_mod_zero ) -% (b_1885)) *% (nat_mod_inv (a_1884))) *% (( + nat_mod_one ) +% (tv1_1886)) in + let '(x1_1887) := + if (tv1_1886) =.? (nat_mod_zero ):bool then (let x1_1887 := + (b_1885) *% (nat_mod_inv ((z_1883) *% (a_1884))) in + (x1_1887)) else ((x1_1887)) in + let gx1_1888 : fp_t := + ((nat_mod_exp (x1_1887) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( + x1_1887))) +% (b_1885) in + let x2_1889 : fp_t := + (((z_1883) *% (u_1882)) *% (u_1882)) *% (x1_1887) in + let gx2_1890 : fp_t := + ((nat_mod_exp (x2_1889) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( + x2_1889))) +% (b_1885) in + let '(x_1891, y_1892) := + (if (fp_is_square (gx1_1888)):bool then ((x1_1887, fp_sqrt (gx1_1888) + )) else ((x2_1889, fp_sqrt (gx2_1890)))) in + let '(y_1892) := + if (fp_sgn0 (u_1882)) !=.? (fp_sgn0 (y_1892)):bool then (let y_1892 := + (nat_mod_zero ) -% (y_1892) in + (y_1892)) else ((y_1892)) in + (x_1891, y_1892). + +Definition g1_isogeny_map (x_1893 : fp_t) (y_1894 : fp_t) : g1_t := + let xnum_k_1895 : seq fp_t := + seq_new_ (default : fp_t) (usize 12) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_0_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_1_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_2_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_3_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_4_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_5_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_6_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_7_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_8_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_9_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_xnum_k_10_v)) : fp_t) in + let xnum_k_1895 := + seq_upd xnum_k_1895 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_xnum_k_11_v)) : fp_t) in + let xden_k_1896 : seq fp_t := + seq_new_ (default : fp_t) (usize 10) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_0_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_1_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_2_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_3_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_4_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_5_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_6_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_7_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_8_v)) : fp_t) in + let xden_k_1896 := + seq_upd xden_k_1896 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_9_v)) : fp_t) in + let ynum_k_1897 : seq fp_t := + seq_new_ (default : fp_t) (usize 16) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_0_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_1_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_2_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_3_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_4_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_5_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_6_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_7_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_8_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_9_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_10_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_11_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 12) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_12_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 13) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_13_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 14) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_14_v)) : fp_t) in + let ynum_k_1897 := + seq_upd ynum_k_1897 (usize 15) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_15_v)) : fp_t) in + let yden_k_1898 : seq fp_t := + seq_new_ (default : fp_t) (usize 15) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_0_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_1_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_2_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_3_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_4_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_5_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_6_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_7_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_8_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_9_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_10_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_11_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 12) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_12_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 13) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_13_v)) : fp_t) in + let yden_k_1898 := + seq_upd yden_k_1898 (usize 14) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_14_v)) : fp_t) in + let xnum_1899 : fp_t := + nat_mod_zero in + let xx_1900 : fp_t := + nat_mod_one in + let '(xnum_1899, xx_1900) := + foldi (usize 0) (seq_len (xnum_k_1895)) (fun i_1901 '(xnum_1899, xx_1900) => + let xnum_1899 := + (xnum_1899) +% ((xx_1900) *% (seq_index (xnum_k_1895) (i_1901))) in + let xx_1900 := + (xx_1900) *% (x_1893) in + (xnum_1899, xx_1900)) + (xnum_1899, xx_1900) in + let xden_1902 : fp_t := + nat_mod_zero in + let xx_1903 : fp_t := + nat_mod_one in + let '(xden_1902, xx_1903) := + foldi (usize 0) (seq_len (xden_k_1896)) (fun i_1904 '(xden_1902, xx_1903) => + let xden_1902 := + (xden_1902) +% ((xx_1903) *% (seq_index (xden_k_1896) (i_1904))) in + let xx_1903 := + (xx_1903) *% (x_1893) in + (xden_1902, xx_1903)) + (xden_1902, xx_1903) in + let xden_1902 := + (xden_1902) +% (xx_1903) in + let ynum_1905 : fp_t := + nat_mod_zero in + let xx_1906 : fp_t := + nat_mod_one in + let '(ynum_1905, xx_1906) := + foldi (usize 0) (seq_len (ynum_k_1897)) (fun i_1907 '(ynum_1905, xx_1906) => + let ynum_1905 := + (ynum_1905) +% ((xx_1906) *% (seq_index (ynum_k_1897) (i_1907))) in + let xx_1906 := + (xx_1906) *% (x_1893) in + (ynum_1905, xx_1906)) + (ynum_1905, xx_1906) in + let yden_1908 : fp_t := + nat_mod_zero in + let xx_1909 : fp_t := + nat_mod_one in + let '(yden_1908, xx_1909) := + foldi (usize 0) (seq_len (yden_k_1898)) (fun i_1910 '(yden_1908, xx_1909) => + let yden_1908 := + (yden_1908) +% ((xx_1909) *% (seq_index (yden_k_1898) (i_1910))) in + let xx_1909 := + (xx_1909) *% (x_1893) in + (yden_1908, xx_1909)) + (yden_1908, xx_1909) in + let yden_1908 := + (yden_1908) +% (xx_1909) in + let xr_1911 : fp_t := + (xnum_1899) *% (nat_mod_inv (xden_1902)) in + let yr_1912 : fp_t := + ((y_1894) *% (ynum_1905)) *% (nat_mod_inv (yden_1908)) in + let inf_1913 : bool := + false in + let '(inf_1913) := + if ((xden_1902) =.? (nat_mod_zero )) || ((yden_1908) =.? ( + nat_mod_zero )):bool then (let inf_1913 := + true in + (inf_1913)) else ((inf_1913)) in + (xr_1911, yr_1912, inf_1913). + +Definition g1_map_to_curve_sswu (u_1914 : fp_t) : g1_t := + let '(xp_1915, yp_1916) := + g1_simple_swu_iso (u_1914) in + let p_1917 : (fp_t '× fp_t '× bool) := + g1_isogeny_map (xp_1915) (yp_1916) in + p_1917. + +Definition g1_hash_to_curve_sswu + (msg_1918 : byte_seq) + (dst_1919 : byte_seq) + : g1_t := + let u_1920 : seq fp_t := + fp_hash_to_field (msg_1918) (dst_1919) (usize 2) in + let q0_1921 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_sswu (seq_index (u_1920) (usize 0)) in + let q1_1922 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_sswu (seq_index (u_1920) (usize 1)) in + let r_1923 : (fp_t '× fp_t '× bool) := + g1add (q0_1921) (q1_1922) in + let p_1924 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (r_1923) in + p_1924. + +Definition g1_encode_to_curve_sswu + (msg_1925 : byte_seq) + (dst_1926 : byte_seq) + : g1_t := + let u_1927 : seq fp_t := + fp_hash_to_field (msg_1925) (dst_1926) (usize 1) in + let q_1928 : (fp_t '× fp_t '× bool) := + g1_map_to_curve_sswu (seq_index (u_1927) (usize 0)) in + let p_1929 : (fp_t '× fp_t '× bool) := + g1_clear_cofactor (q_1928) in + p_1929. + +Definition g2_xnum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 416399692810564414) : int64; + secret (@repr WORDSIZE64 13500519111022079365) : int64; + secret (@repr WORDSIZE64 3658379999393219626) : int64; + secret (@repr WORDSIZE64 9850925049107374429) : int64; + secret (@repr WORDSIZE64 6640057249351452444) : int64; + secret (@repr WORDSIZE64 7077594464397203414) : int64 + ] in l). + +Definition g2_xnum_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058522) : int64 + ] in l). + +Definition g2_xnum_k_2_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058526) : int64 + ] in l). + +Definition g2_xnum_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 624599539215846622) : int64; + secret (@repr WORDSIZE64 1804034592823567431) : int64; + secret (@repr WORDSIZE64 14710942035944605247) : int64; + secret (@repr WORDSIZE64 14776387573661061644) : int64; + secret (@repr WORDSIZE64 736713837172402858) : int64; + secret (@repr WORDSIZE64 10616391696595805069) : int64 + ] in l). + +Definition g2_xnum_k_3_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1665598771242257658) : int64; + secret (@repr WORDSIZE64 17108588296669214228) : int64; + secret (@repr WORDSIZE64 14633519997572878506) : int64; + secret (@repr WORDSIZE64 2510212049010394485) : int64; + secret (@repr WORDSIZE64 8113484923696258161) : int64; + secret (@repr WORDSIZE64 9863633783879261905) : int64 + ] in l). + +Definition g2_xden_k_0_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863523) : int64 + ] in l). + +Definition g2_xden_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863583) : int64 + ] in l). + +Definition g2_ynum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1526798873638736187) : int64; + secret (@repr WORDSIZE64 6459500568425337235) : int64; + secret (@repr WORDSIZE64 1116230615302104219) : int64; + secret (@repr WORDSIZE64 17673314439684154624) : int64; + secret (@repr WORDSIZE64 18197961889718808424) : int64; + secret (@repr WORDSIZE64 1355520937843676934) : int64 + ] in l). + +Definition g2_ynum_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 416399692810564414) : int64; + secret (@repr WORDSIZE64 13500519111022079365) : int64; + secret (@repr WORDSIZE64 3658379999393219626) : int64; + secret (@repr WORDSIZE64 9850925049107374429) : int64; + secret (@repr WORDSIZE64 6640057249351452444) : int64; + secret (@repr WORDSIZE64 7077594464397203390) : int64 + ] in l). + +Definition g2_ynum_k_2_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058524) : int64 + ] in l). + +Definition g2_ynum_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 624599539215846622) : int64; + secret (@repr WORDSIZE64 1804034592823567431) : int64; + secret (@repr WORDSIZE64 14710942035944605247) : int64; + secret (@repr WORDSIZE64 14776387573661061644) : int64; + secret (@repr WORDSIZE64 736713837172402858) : int64; + secret (@repr WORDSIZE64 10616391696595805071) : int64 + ] in l). + +Definition g2_ynum_k_3_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1318599027233453979) : int64; + secret (@repr WORDSIZE64 18155985086623849168) : int64; + secret (@repr WORDSIZE64 8510412652460270214) : int64; + secret (@repr WORDSIZE64 12747851915130467410) : int64; + secret (@repr WORDSIZE64 5654561228188306393) : int64; + secret (@repr WORDSIZE64 16263467779354626832) : int64 + ] in l). + +Definition g2_yden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863163) : int64 + ] in l). + +Definition g2_yden_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863379) : int64 + ] in l). + +Definition g2_yden_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863577) : int64 + ] in l). + +Definition g2_simple_swu_iso (u_1930 : fp2_t) : (fp2_t '× fp2_t) := + let z_1931 : (fp_t '× fp_t) := + fp2neg ((nat_mod_two , nat_mod_one )) in + let a_1932 : (fp_t '× fp_t) := + (nat_mod_zero , nat_mod_from_literal (_) (@repr WORDSIZE128 240) : fp_t) in + let b_1933 : (fp_t '× fp_t) := + ( + nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t, + nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t + ) in + let tv1_1934 : (fp_t '× fp_t) := + fp2inv (fp2add (fp2mul (fp2mul (z_1931) (z_1931)) (fp2mul (fp2mul (u_1930) ( + u_1930)) (fp2mul (u_1930) (u_1930)))) (fp2mul (z_1931) (fp2mul ( + u_1930) (u_1930)))) in + let x1_1935 : (fp_t '× fp_t) := + fp2mul (fp2mul (fp2neg (b_1933)) (fp2inv (a_1932))) (fp2add (fp2fromfp ( + nat_mod_one )) (tv1_1934)) in + let '(x1_1935) := + if (tv1_1934) =.? (fp2zero ):bool then (let x1_1935 := + fp2mul (b_1933) (fp2inv (fp2mul (z_1931) (a_1932))) in + (x1_1935)) else ((x1_1935)) in + let gx1_1936 : (fp_t '× fp_t) := + fp2add (fp2add (fp2mul (fp2mul (x1_1935) (x1_1935)) (x1_1935)) (fp2mul ( + a_1932) (x1_1935))) (b_1933) in + let x2_1937 : (fp_t '× fp_t) := + fp2mul (fp2mul (z_1931) (fp2mul (u_1930) (u_1930))) (x1_1935) in + let gx2_1938 : (fp_t '× fp_t) := + fp2add (fp2add (fp2mul (fp2mul (x2_1937) (x2_1937)) (x2_1937)) (fp2mul ( + a_1932) (x2_1937))) (b_1933) in + let '(x_1939, y_1940) := + (if (fp2_is_square (gx1_1936)):bool then ((x1_1935, fp2_sqrt (gx1_1936) + )) else ((x2_1937, fp2_sqrt (gx2_1938)))) in + let '(y_1940) := + if (fp2_sgn0 (u_1930)) !=.? (fp2_sgn0 (y_1940)):bool then (let y_1940 := + fp2neg (y_1940) in + (y_1940)) else ((y_1940)) in + (x_1939, y_1940). + +Definition g2_isogeny_map (x_1941 : fp2_t) (y_1942 : fp2_t) : g2_t := + let xnum_k_1943 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 4) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t + )) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_1_i_v)) : fp_t + )) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 2) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_r_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_i_v)) : fp_t + )) in + let xnum_k_1943 := + seq_upd xnum_k_1943 (usize 3) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_3_r_v)) : fp_t, + nat_mod_zero + )) in + let xden_k_1944 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 2) in + let xden_k_1944 := + seq_upd xden_k_1944 (usize 0) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_0_i_v)) : fp_t + )) in + let xden_k_1944 := + seq_upd xden_k_1944 (usize 1) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 12) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_1_i_v)) : fp_t + )) in + let ynum_k_1945 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 4) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t + )) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_1_i_v)) : fp_t + )) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 2) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_r_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_i_v)) : fp_t + )) in + let ynum_k_1945 := + seq_upd ynum_k_1945 (usize 3) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_3_r_v)) : fp_t, + nat_mod_zero + )) in + let yden_k_1946 : seq (fp_t '× fp_t) := + seq_new_ (default : fp2_t) (usize 3) in + let yden_k_1946 := + seq_upd yden_k_1946 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t + )) in + let yden_k_1946 := + seq_upd yden_k_1946 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_1_i_v)) : fp_t + )) in + let yden_k_1946 := + seq_upd yden_k_1946 (usize 2) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 18) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_2_i_v)) : fp_t + )) in + let xnum_1947 : (fp_t '× fp_t) := + fp2zero in + let xx_1948 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(xnum_1947, xx_1948) := + foldi (usize 0) (seq_len (xnum_k_1943)) (fun i_1949 '(xnum_1947, xx_1948) => + let xnum_1947 := + fp2add (xnum_1947) (fp2mul (xx_1948) (seq_index (xnum_k_1943) ( + i_1949))) in + let xx_1948 := + fp2mul (xx_1948) (x_1941) in + (xnum_1947, xx_1948)) + (xnum_1947, xx_1948) in + let xden_1950 : (fp_t '× fp_t) := + fp2zero in + let xx_1951 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(xden_1950, xx_1951) := + foldi (usize 0) (seq_len (xden_k_1944)) (fun i_1952 '(xden_1950, xx_1951) => + let xden_1950 := + fp2add (xden_1950) (fp2mul (xx_1951) (seq_index (xden_k_1944) ( + i_1952))) in + let xx_1951 := + fp2mul (xx_1951) (x_1941) in + (xden_1950, xx_1951)) + (xden_1950, xx_1951) in + let xden_1950 := + fp2add (xden_1950) (xx_1951) in + let ynum_1953 : (fp_t '× fp_t) := + fp2zero in + let xx_1954 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(ynum_1953, xx_1954) := + foldi (usize 0) (seq_len (ynum_k_1945)) (fun i_1955 '(ynum_1953, xx_1954) => + let ynum_1953 := + fp2add (ynum_1953) (fp2mul (xx_1954) (seq_index (ynum_k_1945) ( + i_1955))) in + let xx_1954 := + fp2mul (xx_1954) (x_1941) in + (ynum_1953, xx_1954)) + (ynum_1953, xx_1954) in + let yden_1956 : (fp_t '× fp_t) := + fp2zero in + let xx_1957 : (fp_t '× fp_t) := + fp2fromfp (nat_mod_one ) in + let '(yden_1956, xx_1957) := + foldi (usize 0) (seq_len (yden_k_1946)) (fun i_1958 '(yden_1956, xx_1957) => + let yden_1956 := + fp2add (yden_1956) (fp2mul (xx_1957) (seq_index (yden_k_1946) ( + i_1958))) in + let xx_1957 := + fp2mul (xx_1957) (x_1941) in + (yden_1956, xx_1957)) + (yden_1956, xx_1957) in + let yden_1956 := + fp2add (yden_1956) (xx_1957) in + let xr_1959 : (fp_t '× fp_t) := + fp2mul (xnum_1947) (fp2inv (xden_1950)) in + let yr_1960 : (fp_t '× fp_t) := + fp2mul (y_1942) (fp2mul (ynum_1953) (fp2inv (yden_1956))) in + let inf_1961 : bool := + false in + let '(inf_1961) := + if ((xden_1950) =.? (fp2zero )) || ((yden_1956) =.? (fp2zero )):bool then ( + let inf_1961 := + true in + (inf_1961)) else ((inf_1961)) in + (xr_1959, yr_1960, inf_1961). + +Definition g2_map_to_curve_sswu (u_1962 : fp2_t) : g2_t := + let '(xp_1963, yp_1964) := + g2_simple_swu_iso (u_1962) in + let p_1965 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_isogeny_map (xp_1963) (yp_1964) in + p_1965. + +Definition g2_hash_to_curve_sswu + (msg_1966 : byte_seq) + (dst_1967 : byte_seq) + : g2_t := + let u_1968 : seq fp2_t := + fp2_hash_to_field (msg_1966) (dst_1967) (usize 2) in + let q0_1969 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_sswu (seq_index (u_1968) (usize 0)) in + let q1_1970 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_sswu (seq_index (u_1968) (usize 1)) in + let r_1971 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2add (q0_1969) (q1_1970) in + let p_1972 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (r_1971) in + p_1972. + +Definition g2_encode_to_curve_sswu + (msg_1973 : byte_seq) + (dst_1974 : byte_seq) + : g2_t := + let u_1975 : seq fp2_t := + fp2_hash_to_field (msg_1973) (dst_1974) (usize 1) in + let q_1976 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_map_to_curve_sswu (seq_index (u_1975) (usize 0)) in + let p_1977 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := + g2_clear_cofactor (q_1976) in + p_1977. + diff --git a/proof-libs/coq/src/Hacspec_Chacha20.v b/proof-libs/coq/src/Hacspec_Chacha20.v new file mode 100644 index 000000000..a44b16a43 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Chacha20.v @@ -0,0 +1,223 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition state_t := nseq (uint32) (usize 16). + +Definition state_idx_t := + nat_mod (usize 16). +Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. +Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. + +Definition constants_t := nseq (uint32) (usize 4). + +Definition constants_idx_t := + nat_mod (usize 4). +Definition uint_size_in_constants_idx_t(n : uint_size) : constants_idx_t := int_in_nat_mod n. +Coercion uint_size_in_constants_idx_t : uint_size >-> constants_idx_t. + +Definition block_t := nseq (uint8) (usize 64). + +Definition cha_cha_iv_t := nseq (uint8) (usize 12). + +Definition cha_cha_key_t := nseq (uint8) (usize 32). + +Definition chacha20_line + (a_345 : state_idx_t) + (b_346 : state_idx_t) + (d_347 : state_idx_t) + (s_348 : uint_size) + (m_349 : state_t) + : state_t := + let state_350 : state_t := + m_349 in + let state_350 := + array_upd state_350 (a_345) ((array_index (state_350) (a_345)) .+ ( + array_index (state_350) (b_346))) in + let state_350 := + array_upd state_350 (d_347) ((array_index (state_350) (d_347)) .^ ( + array_index (state_350) (a_345))) in + let state_350 := + array_upd state_350 (d_347) (uint32_rotate_left (array_index (state_350) ( + d_347)) (s_348)) in + state_350. + +Definition chacha20_quarter_round + (a_351 : state_idx_t) + (b_352 : state_idx_t) + (c_353 : state_idx_t) + (d_354 : state_idx_t) + (state_355 : state_t) + : state_t := + let state_356 : state_t := + chacha20_line (a_351) (b_352) (d_354) (usize 16) (state_355) in + let state_357 : state_t := + chacha20_line (c_353) (d_354) (b_352) (usize 12) (state_356) in + let state_358 : state_t := + chacha20_line (a_351) (b_352) (d_354) (usize 8) (state_357) in + chacha20_line (c_353) (d_354) (b_352) (usize 7) (state_358). + +Definition chacha20_double_round (state_359 : state_t) : state_t := + let state_360 : state_t := + chacha20_quarter_round (usize 0) (usize 4) (usize 8) (usize 12) ( + state_359) in + let state_361 : state_t := + chacha20_quarter_round (usize 1) (usize 5) (usize 9) (usize 13) ( + state_360) in + let state_362 : state_t := + chacha20_quarter_round (usize 2) (usize 6) (usize 10) (usize 14) ( + state_361) in + let state_363 : state_t := + chacha20_quarter_round (usize 3) (usize 7) (usize 11) (usize 15) ( + state_362) in + let state_364 : state_t := + chacha20_quarter_round (usize 0) (usize 5) (usize 10) (usize 15) ( + state_363) in + let state_365 : state_t := + chacha20_quarter_round (usize 1) (usize 6) (usize 11) (usize 12) ( + state_364) in + let state_366 : state_t := + chacha20_quarter_round (usize 2) (usize 7) (usize 8) (usize 13) ( + state_365) in + chacha20_quarter_round (usize 3) (usize 4) (usize 9) (usize 14) (state_366). + +Definition chacha20_rounds (state_367 : state_t) : state_t := + let st_368 : state_t := + state_367 in + let st_368 := + foldi (usize 0) (usize 10) (fun i_369 st_368 => + let st_368 := + chacha20_double_round (st_368) in + (st_368)) + st_368 in + st_368. + +Definition chacha20_core (ctr_370 : uint32) (st0_371 : state_t) : state_t := + let state_372 : state_t := + st0_371 in + let state_372 := + array_upd state_372 (usize 12) ((array_index (state_372) (usize 12)) .+ ( + ctr_370)) in + let k_373 : state_t := + chacha20_rounds (state_372) in + (k_373) array_add (state_372). + +Definition chacha20_constants_init : constants_t := + let constants_374 : constants_t := + array_new_ (default : uint32) (4) in + let constants_374 := + array_upd constants_374 (usize 0) (secret ( + @repr WORDSIZE32 1634760805) : int32) in + let constants_374 := + array_upd constants_374 (usize 1) (secret ( + @repr WORDSIZE32 857760878) : int32) in + let constants_374 := + array_upd constants_374 (usize 2) (secret ( + @repr WORDSIZE32 2036477234) : int32) in + let constants_374 := + array_upd constants_374 (usize 3) (secret ( + @repr WORDSIZE32 1797285236) : int32) in + constants_374. + +Definition chacha20_init + (key_375 : cha_cha_key_t) + (iv_376 : cha_cha_iv_t) + (ctr_377 : uint32) + : state_t := + let st_378 : state_t := + array_new_ (default : uint32) (16) in + let st_378 := + array_update (st_378) (usize 0) ( + array_to_seq (chacha20_constants_init )) in + let st_378 := + array_update (st_378) (usize 4) (array_to_le_uint32s (key_375)) in + let st_378 := + array_upd st_378 (usize 12) (ctr_377) in + let st_378 := + array_update (st_378) (usize 13) (array_to_le_uint32s (iv_376)) in + st_378. + +Definition chacha20_key_block (state_379 : state_t) : block_t := + let state_380 : state_t := + chacha20_core (secret (@repr WORDSIZE32 0) : int32) (state_379) in + array_from_seq (64) (array_to_le_bytes (state_380)). + +Definition chacha20_key_block0 + (key_381 : cha_cha_key_t) + (iv_382 : cha_cha_iv_t) + : block_t := + let state_383 : state_t := + chacha20_init (key_381) (iv_382) (secret (@repr WORDSIZE32 0) : int32) in + chacha20_key_block (state_383). + +Definition chacha20_encrypt_block + (st0_384 : state_t) + (ctr_385 : uint32) + (plain_386 : block_t) + : block_t := + let st_387 : state_t := + chacha20_core (ctr_385) (st0_384) in + let pl_388 : state_t := + array_from_seq (16) (array_to_le_uint32s (plain_386)) in + let st_389 : state_t := + (pl_388) array_xor (st_387) in + array_from_seq (64) (array_to_le_bytes (st_389)). + +Definition chacha20_encrypt_last + (st0_390 : state_t) + (ctr_391 : uint32) + (plain_392 : byte_seq) + : byte_seq := + let b_393 : block_t := + array_new_ (default : uint8) (64) in + let b_393 := + array_update (b_393) (usize 0) (plain_392) in + let b_393 := + chacha20_encrypt_block (st0_390) (ctr_391) (b_393) in + array_slice (b_393) (usize 0) (seq_len (plain_392)). + +Definition chacha20_update (st0_394 : state_t) (m_395 : byte_seq) : byte_seq := + let blocks_out_396 : seq uint8 := + seq_new_ (default : uint8) (seq_len (m_395)) in + let n_blocks_397 : uint_size := + seq_num_exact_chunks (m_395) (usize 64) in + let blocks_out_396 := + foldi (usize 0) (n_blocks_397) (fun i_398 blocks_out_396 => + let msg_block_399 : seq uint8 := + seq_get_exact_chunk (m_395) (usize 64) (i_398) in + let b_400 : block_t := + chacha20_encrypt_block (st0_394) (secret (pub_u32 (i_398)) : int32) ( + array_from_seq (64) (msg_block_399)) in + let blocks_out_396 := + seq_set_exact_chunk (blocks_out_396) (usize 64) (i_398) ( + array_to_seq (b_400)) in + (blocks_out_396)) + blocks_out_396 in + let last_block_401 : seq uint8 := + seq_get_remainder_chunk (m_395) (usize 64) in + let '(blocks_out_396) := + if (seq_len (last_block_401)) !=.? (usize 0):bool then ( + let b_402 : seq uint8 := + chacha20_encrypt_last (st0_394) (secret (pub_u32 ( + n_blocks_397)) : int32) (last_block_401) in + let blocks_out_396 := + seq_set_chunk (blocks_out_396) (usize 64) (n_blocks_397) (b_402) in + (blocks_out_396)) else ((blocks_out_396)) in + blocks_out_396. + +Definition chacha20 + (key_403 : cha_cha_key_t) + (iv_404 : cha_cha_iv_t) + (ctr_405 : int32) + (m_406 : byte_seq) + : byte_seq := + let state_407 : state_t := + chacha20_init (key_403) (iv_404) (secret (ctr_405) : int32) in + chacha20_update (state_407) (m_406). + diff --git a/proof-libs/coq/src/Hacspec_Chacha20poly1305.v b/proof-libs/coq/src/Hacspec_Chacha20poly1305.v new file mode 100644 index 000000000..206ae34b9 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Chacha20poly1305.v @@ -0,0 +1,98 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Chacha20. + +Require Import Hacspec_Poly1305. + +Inductive error_t := +| InvalidTag : error_t. + +Notation "'cha_cha_poly_key_t'" := (cha_cha_key_t) : hacspec_scope. + +Notation "'cha_cha_poly_iv_t'" := (cha_cha_iv_t) : hacspec_scope. + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Definition init + (key_408 : cha_cha_poly_key_t) + (iv_409 : cha_cha_poly_iv_t) + : poly_state_t := + let key_block0_410 : block_t := + chacha20_key_block0 (key_408) (iv_409) in + let poly_key_411 : poly_key_t := + array_from_slice (default : uint8) (32) (array_to_seq (key_block0_410)) ( + usize 0) (usize 32) in + poly1305_init (poly_key_411). + +Definition poly1305_update_padded + (m_412 : byte_seq) + (st_413 : poly_state_t) + : poly_state_t := + let st_414 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_update_blocks (m_412) (st_413) in + let last_415 : seq uint8 := + seq_get_remainder_chunk (m_412) (usize 16) in + poly1305_update_last (usize 16) (last_415) (st_414). + +Definition finish + (aad_len_416 : uint_size) + (cipher_len_417 : uint_size) + (st_418 : poly_state_t) + : poly1305_tag_t := + let last_block_419 : poly_block_t := + array_new_ (default : uint8) (16) in + let last_block_419 := + array_update (last_block_419) (usize 0) (array_to_seq (uint64_to_le_bytes ( + secret (pub_u64 (aad_len_416)) : int64))) in + let last_block_419 := + array_update (last_block_419) (usize 8) (array_to_seq (uint64_to_le_bytes ( + secret (pub_u64 (cipher_len_417)) : int64))) in + let st_420 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_update_block (last_block_419) (st_418) in + poly1305_finish (st_420). + +Definition chacha20_poly1305_encrypt + (key_421 : cha_cha_poly_key_t) + (iv_422 : cha_cha_poly_iv_t) + (aad_423 : byte_seq) + (msg_424 : byte_seq) + : (byte_seq '× poly1305_tag_t) := + let cipher_text_425 : seq uint8 := + chacha20 (key_421) (iv_422) (@repr WORDSIZE32 1) (msg_424) in + let poly_st_426 : (field_element_t '× field_element_t '× poly_key_t) := + init (key_421) (iv_422) in + let poly_st_426 := + poly1305_update_padded (aad_423) (poly_st_426) in + let poly_st_426 := + poly1305_update_padded (cipher_text_425) (poly_st_426) in + let tag_427 : poly1305_tag_t := + finish (seq_len (aad_423)) (seq_len (cipher_text_425)) (poly_st_426) in + (cipher_text_425, tag_427). + +Definition chacha20_poly1305_decrypt + (key_428 : cha_cha_poly_key_t) + (iv_429 : cha_cha_poly_iv_t) + (aad_430 : byte_seq) + (cipher_text_431 : byte_seq) + (tag_432 : poly1305_tag_t) + : byte_seq_result_t := + let poly_st_433 : (field_element_t '× field_element_t '× poly_key_t) := + init (key_428) (iv_429) in + let poly_st_433 := + poly1305_update_padded (aad_430) (poly_st_433) in + let poly_st_433 := + poly1305_update_padded (cipher_text_431) (poly_st_433) in + let my_tag_434 : poly1305_tag_t := + finish (seq_len (aad_430)) (seq_len (cipher_text_431)) (poly_st_433) in + (if (array_declassify_eq (my_tag_434) (tag_432)):bool then ( + @Ok byte_seq error_t (chacha20 (key_428) (iv_429) (@repr WORDSIZE32 1) ( + cipher_text_431))) else (@Err byte_seq error_t (InvalidTag))). + diff --git a/proof-libs/coq/src/Hacspec_Coverage_Test.v b/proof-libs/coq/src/Hacspec_Coverage_Test.v new file mode 100644 index 000000000..5b3b169f5 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Coverage_Test.v @@ -0,0 +1,163 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition big_integer_test : unit := + let _ : big_int_t := + big_int_zero in + let _ : big_int_t := + big_int_one in + let _ : big_int_t := + big_int_two in + let bi_2669 : big_int_t := + big_int_from_literal (@repr WORDSIZE128 1238) in + let bi_2669 := + big_int_get_bit (bi_2669) (usize 3) in + let bi_2669 := + big_int_set_bit (bi_2669) (big_int_one ) (usize 3) in + let bi_2669 := + big_int_set (bi_2669) (usize 4) (big_int_two ) (usize 2) in + let bi_2669 := + big_int_wrap_add (bi_2669) (big_int_two ) in + let bi_2669 := + big_int_wrap_sub (bi_2669) (big_int_two ) in + let bi_2669 := + big_int_wrap_mul (bi_2669) (big_int_two ) in + let _ : bool := + big_int_equal (big_int_one ) (big_int_two ) in + let bi_2669 := + big_int_sub_mod (bi_2669) (big_int_two ) (big_int_from_literal ( + @repr WORDSIZE128 4)) in + let bi_2669 := + big_int_add_mod (bi_2669) (big_int_two ) (big_int_from_literal ( + @repr WORDSIZE128 4)) in + let bi_2669 := + big_int_mul_mod (bi_2669) (big_int_two ) (big_int_from_literal ( + @repr WORDSIZE128 4)) in + let bi_2669 := + big_int_absolute (bi_2669) in + tt. + +Definition machine_integer_test : unit := + let _ : int32 := + pub_uint32_zero in + let _ : int8 := + pub_uint8_one in + let _ : int128 := + pub_uint128_two in + let mi_2670 : int16 := + pub_uint16_from_literal (@repr WORDSIZE128 1238) in + let mi_2670 := + pub_uint16_get_bit (mi_2670) (usize 3) in + let mi_2670 := + pub_uint16_set_bit (mi_2670) (pub_uint16_one ) (usize 3) in + let mi_2670 := + pub_uint16_set (mi_2670) (usize 4) (pub_uint16_two ) (usize 2) in + let mi_2670 := + pub_uint16_rotate_left (mi_2670) (@repr WORDSIZE32 4) in + let mi_2670 := + pub_uint16_rotate_right (mi_2670) (@repr WORDSIZE32 4) in + let _ : int16 := + pub_uint16_max_val in + let mi_2670 := + pub_uint16_wrap_add (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_wrap_sub (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_wrap_mul (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_exp (mi_2670) (@repr WORDSIZE32 2) in + let mi_2670 := + pub_uint16_divide (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_inv (pub_uint16_from_literal (@repr WORDSIZE128 79)) ( + pub_uint16_two ) in + let _ : bool := + pub_uint16_equal (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_greater_than (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_greater_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_less_than (pub_uint16_one ) (pub_uint16_two ) in + let _ : bool := + pub_uint16_less_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_not_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_greater_than_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_greater_than_or_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_less_than_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_less_than_or_equal_bm (mi_2670) (pub_uint16_two ) in + let mi_2670 := + pub_uint16_sub_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( + @repr WORDSIZE128 4)) in + let mi_2670 := + pub_uint16_add_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( + @repr WORDSIZE128 4)) in + let mi_2670 := + pub_uint16_mul_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( + @repr WORDSIZE128 4)) in + let mi_2670 := + pub_uint16_absolute (mi_2670) in + let _ : uint64 := + secret (@repr WORDSIZE64 12) : int64 in + tt. + +Definition seq_test : unit := + let ns_2671 : seq int8 := + seq_with_capacity (usize 5) in + let ns_2671 := + seq_new_ (default : int8) (usize 5) in + let ns_2671 := + seq_reserve (ns_2671) (usize 10) in + let _ : uint_size := + seq_len (ns_2671) in + let ns_2671 := + seq_slice (ns_2671) (usize 0) (usize 5) in + let ns_2671 := + seq_into_slice (ns_2671) (usize 1) (usize 3) in + let ns_2671 := + seq_slice_range (ns_2671) ((usize 0, usize 2)) in + let ns_2671 := + seq_into_slice_range (ns_2671) ((usize 0, usize 1)) in + let '(ns1_2672, ns2_2673) := + seq_split_off (ns_2671) (usize 1) in + let ns1_2672 := + seq_truncate (ns1_2672) (usize 2) in + let ns2_2673 := + seq_from_slice (ns1_2672) (usize 0) (usize 1) in + let ns_2674 : seq int8 := + seq_concat (ns1_2672) (ns2_2673) in + let ns_2674 := + seq_concat_owned (ns1_2672) (ns2_2673) in + let ns_2674 := + seq_push (ns_2674) (@repr WORDSIZE8 2) in + let ns_2674 := + seq_push_owned (ns_2674) (@repr WORDSIZE8 4) in + let ns_2674 := + seq_from_slice_range (ns_2674) ((usize 0, usize 4)) in + let _ : uint_size := + seq_num_chunks (ns_2674) (usize 2) in + let _ : uint_size := + seq_num_exact_chunks (ns_2674) (usize 2) in + tt. + +Definition arr_name_t := nseq (uint64) (usize 8). + +Definition byte_arr_name_t := nseq (uint8) (usize 128). + +Definition array_test : unit := + tt. + diff --git a/proof-libs/coq/src/Hacspec_Curve25519.v b/proof-libs/coq/src/Hacspec_Curve25519.v new file mode 100644 index 000000000..4d340a361 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Curve25519.v @@ -0,0 +1,170 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition field_canvas_t := nseq (int8) (32). +Definition x25519_field_element_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. + +Notation "'point_t'" := ((x25519_field_element_t '× x25519_field_element_t +)) : hacspec_scope. + +Definition x25519_serialized_point_t := nseq (uint8) (usize 32). + +Definition x25519_serialized_scalar_t := nseq (uint8) (usize 32). + +Definition mask_scalar + (s_477 : x25519_serialized_scalar_t) + : x25519_serialized_scalar_t := + let k_478 : x25519_serialized_scalar_t := + s_477 in + let k_478 := + array_upd k_478 (usize 0) ((array_index (k_478) (usize 0)) .& (secret ( + @repr WORDSIZE8 248) : int8)) in + let k_478 := + array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + let k_478 := + array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .| (secret ( + @repr WORDSIZE8 64) : int8)) in + k_478. + +Definition decode_scalar (s_479 : x25519_serialized_scalar_t) : scalar_t := + let k_480 : x25519_serialized_scalar_t := + mask_scalar (s_479) in + nat_mod_from_byte_seq_le (array_to_seq (k_480)) : scalar_t. + +Definition decode_point (u_481 : x25519_serialized_point_t) : point_t := + let u_482 : x25519_serialized_point_t := + u_481 in + let u_482 := + array_upd u_482 (usize 31) ((array_index (u_482) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + ( + nat_mod_from_byte_seq_le (array_to_seq (u_482)) : x25519_field_element_t, + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 1) : x25519_field_element_t + ). + +Definition encode_point (p_483 : point_t) : x25519_serialized_point_t := + let '(x_484, y_485) := + p_483 in + let b_486 : x25519_field_element_t := + (x_484) *% (nat_mod_inv (y_485)) in + array_update_start (array_new_ (default : uint8) (32)) ( + nat_mod_to_byte_seq_le (b_486)). + +Definition point_add_and_double + (q_487 : point_t) + (np_488 : (point_t '× point_t)) + : (point_t '× point_t) := + let '(nq_489, nqp1_490) := + np_488 in + let '(x_1_491, z_1_492) := + q_487 in + let '(x_2_493, z_2_494) := + nq_489 in + let '(x_3_495, z_3_496) := + nqp1_490 in + let a_497 : x25519_field_element_t := + (x_2_493) +% (z_2_494) in + let aa_498 : x25519_field_element_t := + nat_mod_pow (a_497) (@repr WORDSIZE128 2) in + let b_499 : x25519_field_element_t := + (x_2_493) -% (z_2_494) in + let bb_500 : x25519_field_element_t := + (b_499) *% (b_499) in + let e_501 : x25519_field_element_t := + (aa_498) -% (bb_500) in + let c_502 : x25519_field_element_t := + (x_3_495) +% (z_3_496) in + let d_503 : x25519_field_element_t := + (x_3_495) -% (z_3_496) in + let da_504 : x25519_field_element_t := + (d_503) *% (a_497) in + let cb_505 : x25519_field_element_t := + (c_502) *% (b_499) in + let x_3_506 : x25519_field_element_t := + nat_mod_pow ((da_504) +% (cb_505)) (@repr WORDSIZE128 2) in + let z_3_507 : x25519_field_element_t := + (x_1_491) *% (nat_mod_pow ((da_504) -% (cb_505)) (@repr WORDSIZE128 2)) in + let x_2_508 : x25519_field_element_t := + (aa_498) *% (bb_500) in + let e121665_509 : x25519_field_element_t := + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 121665) : x25519_field_element_t in + let z_2_510 : x25519_field_element_t := + (e_501) *% ((aa_498) +% ((e121665_509) *% (e_501))) in + ((x_2_508, z_2_510), (x_3_506, z_3_507)). + +Definition swap (x_511 : (point_t '× point_t)) : (point_t '× point_t) := + let '(x0_512, x1_513) := + x_511 in + (x1_513, x0_512). + +Definition montgomery_ladder + (k_514 : scalar_t) + (init_515 : point_t) + : point_t := + let inf_516 : (x25519_field_element_t '× x25519_field_element_t) := + ( + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 1) : x25519_field_element_t, + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 0) : x25519_field_element_t + ) in + let acc_517 : (point_t '× point_t) := + (inf_516, init_515) in + let acc_517 := + foldi (usize 0) (usize 256) (fun i_518 acc_517 => + let '(acc_517) := + if nat_mod_bit (k_514) ((usize 255) - (i_518)):bool then (let acc_517 := + swap (acc_517) in + let acc_517 := + point_add_and_double (init_515) (acc_517) in + let acc_517 := + swap (acc_517) in + (acc_517)) else (let acc_517 := + point_add_and_double (init_515) (acc_517) in + (acc_517)) in + (acc_517)) + acc_517 in + let '(out_519, _) := + acc_517 in + out_519. + +Definition x25519_scalarmult + (s_520 : x25519_serialized_scalar_t) + (p_521 : x25519_serialized_point_t) + : x25519_serialized_point_t := + let s_522 : scalar_t := + decode_scalar (s_520) in + let p_523 : (x25519_field_element_t '× x25519_field_element_t) := + decode_point (p_521) in + let r_524 : (x25519_field_element_t '× x25519_field_element_t) := + montgomery_ladder (s_522) (p_523) in + encode_point (r_524). + +Definition x25519_secret_to_public + (s_525 : x25519_serialized_scalar_t) + : x25519_serialized_point_t := + let base_526 : x25519_serialized_point_t := + array_new_ (default : uint8) (32) in + let base_526 := + array_upd base_526 (usize 0) (secret (@repr WORDSIZE8 9) : int8) in + x25519_scalarmult (s_525) (base_526). + diff --git a/proof-libs/coq/src/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/src/Hacspec_Ecdsa_P256_Sha256.v new file mode 100644 index 000000000..875bc79a9 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Ecdsa_P256_Sha256.v @@ -0,0 +1,128 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_P256. + +Require Import Hacspec_Sha256. + +Inductive error_t := +| InvalidScalar : error_t +| InvalidSignature : error_t. + +Notation "'p256_public_key_t'" := (affine_t) : hacspec_scope. + +Notation "'p256_secret_key_t'" := (p256_scalar_t) : hacspec_scope. + +Notation "'p256_signature_t'" := ((p256_scalar_t '× p256_scalar_t +)) : hacspec_scope. + +Notation "'p256_signature_result_t'" := (( + result p256_signature_t error_t)) : hacspec_scope. + +Notation "'p256_verify_result_t'" := ((result unit error_t)) : hacspec_scope. + +Notation "'check_result_t'" := ((result unit error_t)) : hacspec_scope. + +Notation "'arithmetic_result_t'" := ((result affine_t error_t)) : hacspec_scope. + +Definition check_scalar_zero (r_527 : p256_scalar_t) : check_result_t := + (if (nat_mod_equal (r_527) (nat_mod_zero )):bool then (@Err unit error_t ( + InvalidScalar)) else (@Ok unit error_t (tt))). + +Definition ecdsa_point_mul_base (x_528 : p256_scalar_t) : arithmetic_result_t := + match p256_point_mul_base (x_528) with + | Ok (s_529) => @Ok affine_t error_t (s_529) + | Err (_) => @Err affine_t error_t (InvalidScalar) + end. + +Definition ecdsa_point_mul + (k_530 : p256_scalar_t) + (p_531 : affine_t) + : arithmetic_result_t := + match p256_point_mul (k_530) (p_531) with + | Ok (s_532) => @Ok affine_t error_t (s_532) + | Err (_) => @Err affine_t error_t (InvalidScalar) + end. + +Definition ecdsa_point_add + (p_533 : affine_t) + (q_534 : affine_t) + : arithmetic_result_t := + match point_add (p_533) (q_534) with + | Ok (s_535) => @Ok affine_t error_t (s_535) + | Err (_) => @Err affine_t error_t (InvalidScalar) + end. + +Definition sign + (payload_536 : byte_seq) + (sk_537 : p256_secret_key_t) + (nonce_538 : p256_scalar_t) + : p256_signature_result_t := + bind (check_scalar_zero (nonce_538)) (fun _ => bind (ecdsa_point_mul_base ( + nonce_538)) (fun '(k_x_539, k_y_540) => let r_541 : p256_scalar_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + k_x_539)) : p256_scalar_t in + bind (check_scalar_zero (r_541)) (fun _ => + let payload_hash_542 : sha256_digest_t := + hash (payload_536) in + let payload_hash_543 : p256_scalar_t := + nat_mod_from_byte_seq_be ( + array_to_seq (payload_hash_542)) : p256_scalar_t in + let rsk_544 : p256_scalar_t := + (r_541) *% (sk_537) in + let hash_rsk_545 : p256_scalar_t := + (payload_hash_543) +% (rsk_544) in + let nonce_inv_546 : p256_scalar_t := + nat_mod_inv (nonce_538) in + let s_547 : p256_scalar_t := + (nonce_inv_546) *% (hash_rsk_545) in + @Ok p256_signature_t error_t ((r_541, s_547))))). + +Definition ecdsa_p256_sha256_sign + (payload_548 : byte_seq) + (sk_549 : p256_secret_key_t) + (nonce_550 : p256_scalar_t) + : p256_signature_result_t := + sign (payload_548) (sk_549) (nonce_550). + +Definition verify + (payload_551 : byte_seq) + (pk_552 : p256_public_key_t) + (signature_553 : p256_signature_t) + : p256_verify_result_t := + let '(r_554, s_555) := + signature_553 in + let payload_hash_556 : sha256_digest_t := + hash (payload_551) in + let payload_hash_557 : p256_scalar_t := + nat_mod_from_byte_seq_be ( + array_to_seq (payload_hash_556)) : p256_scalar_t in + let s_inv_558 : p256_scalar_t := + nat_mod_inv (s_555) in + let u1_559 : p256_scalar_t := + (payload_hash_557) *% (s_inv_558) in + bind (ecdsa_point_mul_base (u1_559)) (fun u1_560 => + let u2_561 : p256_scalar_t := + (r_554) *% (s_inv_558) in + bind (ecdsa_point_mul (u2_561) (pk_552)) (fun u2_562 => bind ( + ecdsa_point_add (u1_560) (u2_562)) (fun '(x_563, y_564) => + let x_565 : p256_scalar_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + x_563)) : p256_scalar_t in + (if ((x_565) =.? (r_554)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature)))))). + +Definition ecdsa_p256_sha256_verify + (payload_566 : byte_seq) + (pk_567 : p256_public_key_t) + (signature_568 : p256_signature_t) + : p256_verify_result_t := + verify (payload_566) (pk_567) (signature_568). + diff --git a/proof-libs/coq/src/Hacspec_Ed25519.v b/proof-libs/coq/src/Hacspec_Ed25519.v new file mode 100644 index 000000000..2f9c9ffb8 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Ed25519.v @@ -0,0 +1,690 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha512. + +Require Import Hacspec_Edwards25519. + +Definition scalar_from_hash (h_1978 : sha512_digest_t) : scalar_t := + let s_1979 : big_scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (h_1978)) : big_scalar_t in + nat_mod_from_byte_seq_le (seq_slice (nat_mod_to_byte_seq_le (s_1979)) ( + usize 0) (usize 32)) : scalar_t. + +Definition sign (sk_1980 : secret_key_t) (msg_1981 : byte_seq) : signature_t := + let '(a_1982, prefix_1983) := + secret_expand (sk_1980) in + let a_1984 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (a_1982)) : scalar_t in + let b_1985 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let a_p_1986 : compressed_ed_point_t := + compress (point_mul (a_1984) (b_1985)) in + let r_1987 : scalar_t := + scalar_from_hash (sha512 (array_concat (prefix_1983) (msg_1981))) in + let r_p_1988 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (r_1987) (b_1985) in + let r_s_1989 : compressed_ed_point_t := + compress (r_p_1988) in + let h_1990 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_s_1989) ( + array_to_seq (a_p_1986))) (msg_1981))) in + let s_1991 : scalar_t := + (r_1987) +% ((h_1990) *% (a_1984)) in + let s_bytes_1992 : seq uint8 := + seq_slice (nat_mod_to_byte_seq_le (s_1991)) (usize 0) (usize 32) in + array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( + array_to_seq (r_s_1989))) (usize 32) (s_bytes_1992). + +Definition zcash_verify + (pk_1993 : public_key_t) + (signature_1994 : signature_t) + (msg_1995 : byte_seq) + : verify_result_t := + let b_1996 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress_non_canonical (base_v)) in + bind (option_ok_or (decompress_non_canonical (pk_1993)) (InvalidPublickey)) ( + fun a_1997 => let r_bytes_1998 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( + usize 0) (usize 32) in + let s_bytes_1999 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1999)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress_non_canonical (r_bytes_1998)) (InvalidR)) ( + fun r_2000 => let s_2001 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1999)) : scalar_t in + let k_2002 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1998) ( + pk_1993)) (msg_1995))) in + let sb_2003 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_2001) (b_1996)) in + let rc_2004 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_2000) in + let ka_2005 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_2002) (a_1997)) in + (if (point_eq (sb_2003) (point_add (rc_2004) (ka_2005))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition ietf_cofactored_verify + (pk_2006 : public_key_t) + (signature_2007 : signature_t) + (msg_2008 : byte_seq) + : verify_result_t := + let b_2009 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_2006)) (InvalidPublickey)) (fun a_2010 => + let r_bytes_2011 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( + usize 0) (usize 32) in + let s_bytes_2012 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2012)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2011)) (InvalidR)) (fun r_2013 => + let s_2014 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2012)) : scalar_t in + let k_2015 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2011) ( + pk_2006)) (msg_2008))) in + let sb_2016 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_2014) (b_2009)) in + let rc_2017 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_2013) in + let ka_2018 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_2015) (a_2010)) in + (if (point_eq (sb_2016) (point_add (rc_2017) (ka_2018))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition ietf_cofactorless_verify + (pk_2019 : public_key_t) + (signature_2020 : signature_t) + (msg_2021 : byte_seq) + : verify_result_t := + let b_2022 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_2019)) (InvalidPublickey)) (fun a_2023 => + let r_bytes_2024 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( + usize 0) (usize 32) in + let s_bytes_2025 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2025)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2024)) (InvalidR)) (fun r_2026 => + let s_2027 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2025)) : scalar_t in + let k_2028 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2024) ( + pk_2019)) (msg_2021))) in + let sb_2029 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_2027) (b_2022) in + let ka_2030 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (k_2028) (a_2023) in + (if (point_eq (sb_2029) (point_add (r_2026) (ka_2030))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition is_identity (p_2031 : ed_point_t) : bool := + point_eq (p_2031) (point_identity ). + +Definition alg2_verify + (pk_2032 : public_key_t) + (signature_2033 : signature_t) + (msg_2034 : byte_seq) + : verify_result_t := + let b_2035 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_2032)) (InvalidPublickey)) (fun a_2036 => + ifbnd is_identity (point_mul_by_cofactor (a_2036)) : bool + thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let r_bytes_2037 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( + usize 0) (usize 32) in + let s_bytes_2038 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2038)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2037)) (InvalidR)) (fun r_2039 => + let s_2040 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2038)) : scalar_t in + let k_2041 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2037) ( + pk_2032)) (msg_2034))) in + let sb_2042 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_2040) (b_2035)) in + let rc_2043 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_2039) in + let ka_2044 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_2041) (a_2036)) in + (if (point_eq (sb_2042) (point_add (rc_2043) (ka_2044))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature))))))). + +Inductive batch_entry_t := +| BatchEntry : (public_key_t '× byte_seq '× signature_t) -> batch_entry_t. + +Definition zcash_batch_verify + (entries_2045 : seq batch_entry_t) + (entropy_2046 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2046)) <.? ((usize 16) * (seq_len ( + entries_2045))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2047 : scalar_t := + nat_mod_zero in + let r_sum_2048 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2049 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2045)) for ( + s_sum_2047, + r_sum_2048, + a_sum_2049 + ) >> (fun i_2050 '(s_sum_2047, r_sum_2048, a_sum_2049) => + let 'BatchEntry ((pk_2051, msg_2052, signature_2053)) := + (seq_index (entries_2045) (i_2050)) in + bind (option_ok_or (decompress_non_canonical (pk_2051)) ( + InvalidPublickey)) (fun a_2054 => + let r_bytes_2055 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2053)) (usize 0) (usize 32) in + let s_bytes_2056 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2053)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2056)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress_non_canonical (r_bytes_2055)) (InvalidR)) ( + fun r_2057 => let s_2058 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2056)) : scalar_t in + let c_2059 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2055) ( + array_to_seq (pk_2051))) (msg_2052))) in + let z_2060 : seq uint8 := + seq_slice (entropy_2046) ((usize 16) * (i_2050)) (usize 16) in + let z_2061 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2060) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2047 := + (s_sum_2047) +% ((s_2058) *% (z_2061)) in + let r_sum_2048 := + point_add (r_sum_2048) (point_mul (z_2061) (r_2057)) in + let a_sum_2049 := + point_add (a_sum_2049) (point_mul ((z_2061) *% (c_2059)) (a_2054)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2047, r_sum_2048, a_sum_2049))))))) (fun '( + s_sum_2047, + r_sum_2048, + a_sum_2049 + ) => let b_2062 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2063 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2047) (b_2062) in + let check_2064 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_2063)) (point_add ( + r_sum_2048) (a_sum_2049))) in + (if (is_identity (check_2064)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition ietf_cofactored_batch_verify + (entries_2065 : seq batch_entry_t) + (entropy_2066 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2066)) <.? ((usize 16) * (seq_len ( + entries_2065))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2067 : scalar_t := + nat_mod_zero in + let r_sum_2068 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2069 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2065)) for ( + s_sum_2067, + r_sum_2068, + a_sum_2069 + ) >> (fun i_2070 '(s_sum_2067, r_sum_2068, a_sum_2069) => + let 'BatchEntry ((pk_2071, msg_2072, signature_2073)) := + (seq_index (entries_2065) (i_2070)) in + bind (option_ok_or (decompress (pk_2071)) (InvalidPublickey)) (fun a_2074 => + let r_bytes_2075 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2073)) (usize 0) (usize 32) in + let s_bytes_2076 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2073)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2076)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2075)) (InvalidR)) (fun r_2077 => + let s_2078 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2076)) : scalar_t in + let c_2079 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2075) ( + array_to_seq (pk_2071))) (msg_2072))) in + let z_2080 : seq uint8 := + seq_slice (entropy_2066) ((usize 16) * (i_2070)) (usize 16) in + let z_2081 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2080) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2067 := + (s_sum_2067) +% ((s_2078) *% (z_2081)) in + let r_sum_2068 := + point_add (r_sum_2068) (point_mul (z_2081) (r_2077)) in + let a_sum_2069 := + point_add (a_sum_2069) (point_mul ((z_2081) *% (c_2079)) (a_2074)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2067, r_sum_2068, a_sum_2069))))))) (fun '( + s_sum_2067, + r_sum_2068, + a_sum_2069 + ) => let b_2082 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2083 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2067) (b_2082) in + let check_2084 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_2083)) (point_add ( + r_sum_2068) (a_sum_2069))) in + (if (is_identity (check_2084)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition ietf_cofactorless_batch_verify + (entries_2085 : seq batch_entry_t) + (entropy_2086 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2086)) <.? ((usize 16) * (seq_len ( + entries_2085))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2087 : scalar_t := + nat_mod_zero in + let r_sum_2088 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2089 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2085)) for ( + s_sum_2087, + r_sum_2088, + a_sum_2089 + ) >> (fun i_2090 '(s_sum_2087, r_sum_2088, a_sum_2089) => + let 'BatchEntry ((pk_2091, msg_2092, signature_2093)) := + (seq_index (entries_2085) (i_2090)) in + bind (option_ok_or (decompress (pk_2091)) (InvalidPublickey)) (fun a_2094 => + let r_bytes_2095 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2093)) (usize 0) (usize 32) in + let s_bytes_2096 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2093)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2096)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2095)) (InvalidR)) (fun r_2097 => + let s_2098 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2096)) : scalar_t in + let c_2099 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2095) ( + array_to_seq (pk_2091))) (msg_2092))) in + let z_2100 : seq uint8 := + seq_slice (entropy_2086) ((usize 16) * (i_2090)) (usize 16) in + let z_2101 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2100) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2087 := + (s_sum_2087) +% ((s_2098) *% (z_2101)) in + let r_sum_2088 := + point_add (r_sum_2088) (point_mul (z_2101) (r_2097)) in + let a_sum_2089 := + point_add (a_sum_2089) (point_mul ((z_2101) *% (c_2099)) (a_2094)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2087, r_sum_2088, a_sum_2089))))))) (fun '( + s_sum_2087, + r_sum_2088, + a_sum_2089 + ) => let b_2102 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2103 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2087) (b_2102) in + let check_2104 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (point_neg (sb_2103)) (point_add (r_sum_2088) (a_sum_2089)) in + (if (is_identity (check_2104)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition alg3_batch_verify + (entries_2105 : seq batch_entry_t) + (entropy_2106 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_2106)) <.? ((usize 16) * (seq_len ( + entries_2105))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let s_sum_2107 : scalar_t := + nat_mod_zero in + let r_sum_2108 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let a_sum_2109 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_2105)) for ( + s_sum_2107, + r_sum_2108, + a_sum_2109 + ) >> (fun i_2110 '(s_sum_2107, r_sum_2108, a_sum_2109) => + let 'BatchEntry ((pk_2111, msg_2112, signature_2113)) := + (seq_index (entries_2105) (i_2110)) in + bind (option_ok_or (decompress (pk_2111)) (InvalidPublickey)) (fun a_2114 => + ifbnd is_identity (point_mul_by_cofactor (a_2114)) : bool + thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => + @Ok unit error_t (tt))) + else (tt) >> (fun 'tt => + let r_bytes_2115 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2113)) (usize 0) (usize 32) in + let s_bytes_2116 : serialized_scalar_t := + array_from_slice (default : uint8) (32) ( + array_to_seq (signature_2113)) (usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_2116)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( + tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_2115)) (InvalidR)) (fun r_2117 => + let s_2118 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2116)) : scalar_t in + let c_2119 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2115) ( + array_to_seq (pk_2111))) (msg_2112))) in + let z_2120 : seq uint8 := + seq_slice (entropy_2106) ((usize 16) * (i_2110)) (usize 16) in + let z_2121 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_2120) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_sum_2107 := + (s_sum_2107) +% ((s_2118) *% (z_2121)) in + let r_sum_2108 := + point_add (r_sum_2108) (point_mul (z_2121) (r_2117)) in + let a_sum_2109 := + point_add (a_sum_2109) (point_mul ((z_2121) *% (c_2119)) (a_2114)) in + @Ok ( + scalar_t '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) '× + ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) + ) error_t ((s_sum_2107, r_sum_2108, a_sum_2109)))))))) (fun '( + s_sum_2107, + r_sum_2108, + a_sum_2109 + ) => let b_2122 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_2123 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (s_sum_2107) (b_2122) in + let check_2124 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_2123)) (point_add ( + r_sum_2108) (a_sum_2109))) in + (if (is_identity (check_2124)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + diff --git a/proof-libs/coq/src/Hacspec_Edwards25519.v b/proof-libs/coq/src/Hacspec_Edwards25519.v new file mode 100644 index 000000000..155089746 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Edwards25519.v @@ -0,0 +1,597 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha512. + +Definition field_canvas_t := nseq (int8) (32). +Definition ed25519_field_element_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. + +Definition big_scalar_canvas_t := nseq (int8) (64). +Definition big_scalar_t := + nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. + +Definition big_integer_canvas_t := nseq (int8) (32). +Definition big_integer_t := + nat_mod 0x8000000000000000000000000000000080000000000000000000000000000000. + +Notation "'ed_point_t'" := (( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t +)) : hacspec_scope. + +Definition compressed_ed_point_t := nseq (uint8) (usize 32). + +Definition serialized_scalar_t := nseq (uint8) (usize 32). + +Definition signature_t := nseq (uint8) (usize 64). + +Notation "'public_key_t'" := (compressed_ed_point_t) : hacspec_scope. + +Notation "'secret_key_t'" := (serialized_scalar_t) : hacspec_scope. + +Inductive error_t := +| InvalidPublickey : error_t +| InvalidSignature : error_t +| InvalidS : error_t +| InvalidR : error_t +| SmallOrderPoint : error_t +| NotEnoughRandomness : error_t. + +Notation "'verify_result_t'" := ((result unit error_t)) : hacspec_scope. + +Definition base_v : compressed_ed_point_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 102) : int8 + ] in l). + +Definition constant_p_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 127) : int8 + ] in l). + +Definition constant_l_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 211) : int8; + secret (@repr WORDSIZE8 245) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 18) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 214) : int8; + secret (@repr WORDSIZE8 156) : int8; + secret (@repr WORDSIZE8 247) : int8; + secret (@repr WORDSIZE8 162) : int8; + secret (@repr WORDSIZE8 222) : int8; + secret (@repr WORDSIZE8 249) : int8; + secret (@repr WORDSIZE8 222) : int8; + secret (@repr WORDSIZE8 20) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 16) : int8 + ] in l). + +Definition constant_p3_8_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 15) : int8 + ] in l). + +Definition constant_p1_4_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 251) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 31) : int8 + ] in l). + +Definition constant_d_v : serialized_scalar_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 163) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 19) : int8; + secret (@repr WORDSIZE8 202) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 117) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 232) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 199) : int8; + secret (@repr WORDSIZE8 140) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 82) : int8 + ] in l). + +Definition is_negative (x_2125 : ed25519_field_element_t) : uint8 := + (if (nat_mod_bit (x_2125) (usize 0)):bool then (secret ( + @repr WORDSIZE8 1) : int8) else (secret (@repr WORDSIZE8 0) : int8)). + +Definition compress (p_2126 : ed_point_t) : compressed_ed_point_t := + let '(x_2127, y_2128, z_2129, _) := + p_2126 in + let z_inv_2130 : ed25519_field_element_t := + nat_mod_inv (z_2129) in + let x_2131 : ed25519_field_element_t := + (x_2127) *% (z_inv_2130) in + let y_2132 : ed25519_field_element_t := + (y_2128) *% (z_inv_2130) in + let s_2133 : byte_seq := + nat_mod_to_byte_seq_le (y_2132) in + let s_2133 := + seq_upd s_2133 (usize 31) ((seq_index (s_2133) (usize 31)) .^ (( + is_negative (x_2131)) shift_left (usize 7))) in + array_from_slice (default : uint8) (32) (s_2133) (usize 0) (usize 32). + +Definition sqrt + (a_2134 : ed25519_field_element_t) + : (option ed25519_field_element_t) := + let p3_8_2135 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_p3_8_v)) : ed25519_field_element_t in + let p1_4_2136 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_p1_4_v)) : ed25519_field_element_t in + let x_c_2137 : ed25519_field_element_t := + nat_mod_pow_self (a_2134) (p3_8_2135) in + let result_2138 : (option ed25519_field_element_t) := + @None ed25519_field_element_t in + let '(result_2138) := + if ((x_c_2137) *% (x_c_2137)) =.? (a_2134):bool then (let result_2138 := + some (x_c_2137) in + (result_2138)) else ((result_2138)) in + let '(result_2138) := + if ((x_c_2137) *% (x_c_2137)) =.? ((nat_mod_zero ) -% (a_2134)):bool then ( + let x_2139 : ed25519_field_element_t := + (nat_mod_pow_self (nat_mod_two ) (p1_4_2136)) *% (x_c_2137) in + let result_2138 := + some (x_2139) in + (result_2138)) else ((result_2138)) in + result_2138. + +Definition check_canonical_point (x_2140 : compressed_ed_point_t) : bool := + let x_2140 := + array_upd x_2140 (usize 31) ((array_index (x_2140) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + let x_2141 : big_integer_t := + nat_mod_from_byte_seq_le (array_to_seq (x_2140)) : big_integer_t in + (x_2141) <.? (nat_mod_from_byte_seq_le ( + array_to_seq (constant_p_v)) : big_integer_t). + +Definition decompress (q_2142 : compressed_ed_point_t) : (option ed_point_t) := + let d_2143 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_d_v)) : ed25519_field_element_t in + let x_s_2144 : uint8 := + ((array_index (q_2142) (usize 31)) .& (secret ( + @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in + let y_s_2145 : compressed_ed_point_t := + q_2142 in + let y_s_2145 := + array_upd y_s_2145 (usize 31) ((array_index (y_s_2145) (usize 31)) .& ( + secret (@repr WORDSIZE8 127) : int8)) in + ifbnd negb (check_canonical_point (y_s_2145)) : bool + thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) + else (tt) >> (fun 'tt => + let y_2146 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (y_s_2145)) : ed25519_field_element_t in + let z_2147 : ed25519_field_element_t := + nat_mod_one in + let yy_2148 : ed25519_field_element_t := + (y_2146) *% (y_2146) in + let u_2149 : ed25519_field_element_t := + (yy_2148) -% (z_2147) in + let v_2150 : ed25519_field_element_t := + ((d_2143) *% (yy_2148)) +% (z_2147) in + let xx_2151 : ed25519_field_element_t := + (u_2149) *% (nat_mod_inv (v_2150)) in + bind (sqrt (xx_2151)) (fun x_2152 => let x_r_2153 : uint8 := + is_negative (x_2152) in + ifbnd ((x_2152) =.? (nat_mod_zero )) && ((uint8_declassify (x_s_2144)) =.? ( + @repr WORDSIZE8 1)) : bool + thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) + else (tt) >> (fun 'tt => + let '(x_2152) := + if (uint8_declassify (x_r_2153)) !=.? (uint8_declassify ( + x_s_2144)):bool then (let x_2152 := + (nat_mod_zero ) -% (x_2152) in + (x_2152)) else ((x_2152)) in + some ((x_2152, y_2146, z_2147, (x_2152) *% (y_2146)))))). + +Definition decompress_non_canonical + (p_2154 : compressed_ed_point_t) + : (option ed_point_t) := + let d_2155 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_d_v)) : ed25519_field_element_t in + let x_s_2156 : uint8 := + ((array_index (p_2154) (usize 31)) .& (secret ( + @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in + let y_s_2157 : compressed_ed_point_t := + p_2154 in + let y_s_2157 := + array_upd y_s_2157 (usize 31) ((array_index (y_s_2157) (usize 31)) .& ( + secret (@repr WORDSIZE8 127) : int8)) in + let y_2158 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (y_s_2157)) : ed25519_field_element_t in + let z_2159 : ed25519_field_element_t := + nat_mod_one in + let yy_2160 : ed25519_field_element_t := + (y_2158) *% (y_2158) in + let u_2161 : ed25519_field_element_t := + (yy_2160) -% (z_2159) in + let v_2162 : ed25519_field_element_t := + ((d_2155) *% (yy_2160)) +% (z_2159) in + let xx_2163 : ed25519_field_element_t := + (u_2161) *% (nat_mod_inv (v_2162)) in + bind (sqrt (xx_2163)) (fun x_2164 => let x_r_2165 : uint8 := + is_negative (x_2164) in + let '(x_2164) := + if (uint8_declassify (x_r_2165)) !=.? (uint8_declassify ( + x_s_2156)):bool then (let x_2164 := + (nat_mod_zero ) -% (x_2164) in + (x_2164)) else ((x_2164)) in + some ((x_2164, y_2158, z_2159, (x_2164) *% (y_2158)))). + +Definition encode (p_2166 : ed_point_t) : byte_seq := + let '(x_2167, y_2168, z_2169, _) := + p_2166 in + let z_inv_2170 : ed25519_field_element_t := + nat_mod_inv (z_2169) in + let x_2171 : ed25519_field_element_t := + (x_2167) *% (z_inv_2170) in + let y_2172 : ed25519_field_element_t := + (y_2168) *% (z_inv_2170) in + let s_2173 : byte_seq := + nat_mod_to_byte_seq_le (y_2172) in + let s_2173 := + seq_upd s_2173 (usize 31) ((seq_index (s_2173) (usize 31)) .^ (( + is_negative (x_2171)) shift_left (usize 7))) in + s_2173. + +Definition decode (q_s_2174 : byte_seq) : (option ed_point_t) := + let q_2175 : compressed_ed_point_t := + array_from_slice (default : uint8) (32) (q_s_2174) (usize 0) (usize 32) in + decompress (q_2175). + +Definition point_add (p_2176 : ed_point_t) (q_2177 : ed_point_t) : ed_point_t := + let d_c_2178 : ed25519_field_element_t := + nat_mod_from_byte_seq_le ( + array_to_seq (constant_d_v)) : ed25519_field_element_t in + let two_2179 : ed25519_field_element_t := + nat_mod_two in + let '(x1_2180, y1_2181, z1_2182, t1_2183) := + p_2176 in + let '(x2_2184, y2_2185, z2_2186, t2_2187) := + q_2177 in + let a_2188 : ed25519_field_element_t := + ((y1_2181) -% (x1_2180)) *% ((y2_2185) -% (x2_2184)) in + let b_2189 : ed25519_field_element_t := + ((y1_2181) +% (x1_2180)) *% ((y2_2185) +% (x2_2184)) in + let c_2190 : ed25519_field_element_t := + (((t1_2183) *% (two_2179)) *% (d_c_2178)) *% (t2_2187) in + let d_2191 : ed25519_field_element_t := + ((z1_2182) *% (two_2179)) *% (z2_2186) in + let e_2192 : ed25519_field_element_t := + (b_2189) -% (a_2188) in + let f_2193 : ed25519_field_element_t := + (d_2191) -% (c_2190) in + let g_2194 : ed25519_field_element_t := + (d_2191) +% (c_2190) in + let h_2195 : ed25519_field_element_t := + (b_2189) +% (a_2188) in + let x3_2196 : ed25519_field_element_t := + (e_2192) *% (f_2193) in + let y3_2197 : ed25519_field_element_t := + (g_2194) *% (h_2195) in + let t3_2198 : ed25519_field_element_t := + (e_2192) *% (h_2195) in + let z3_2199 : ed25519_field_element_t := + (f_2193) *% (g_2194) in + (x3_2196, y3_2197, z3_2199, t3_2198). + +Definition point_identity : ed_point_t := + (nat_mod_zero , nat_mod_one , nat_mod_one , nat_mod_zero ). + +Definition point_mul (s_2200 : scalar_t) (p_2201 : ed_point_t) : ed_point_t := + let p_2202 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + p_2201 in + let q_2203 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_identity in + let '(p_2202, q_2203) := + foldi (usize 0) (usize 256) (fun i_2204 '(p_2202, q_2203) => + let '(q_2203) := + if nat_mod_bit (s_2200) (i_2204):bool then (let q_2203 := + point_add (q_2203) (p_2202) in + (q_2203)) else ((q_2203)) in + let p_2202 := + point_add (p_2202) (p_2202) in + (p_2202, q_2203)) + (p_2202, q_2203) in + q_2203. + +Definition point_mul_by_cofactor (p_2205 : ed_point_t) : ed_point_t := + let p2_2206 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (p_2205) (p_2205) in + let p4_2207 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (p2_2206) (p2_2206) in + let p8_2208 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (p4_2207) (p4_2207) in + p8_2208. + +Definition point_neg (p_2209 : ed_point_t) : ed_point_t := + let '(x_2210, y_2211, z_2212, t_2213) := + p_2209 in + ((nat_mod_zero ) -% (x_2210), y_2211, z_2212, (nat_mod_zero ) -% (t_2213)). + +Definition point_eq (p_2214 : ed_point_t) (q_2215 : ed_point_t) : bool := + let '(x1_2216, y1_2217, z1_2218, _) := + p_2214 in + let '(x2_2219, y2_2220, z2_2221, _) := + q_2215 in + (((x1_2216) *% (z2_2221)) =.? ((x2_2219) *% (z1_2218))) && (((y1_2217) *% ( + z2_2221)) =.? ((y2_2220) *% (z1_2218))). + +Definition point_normalize (q_2222 : ed_point_t) : ed_point_t := + let '(qx_2223, qy_2224, qz_2225, _) := + q_2222 in + let px_2226 : ed25519_field_element_t := + (qx_2223) *% (nat_mod_inv (qz_2225)) in + let py_2227 : ed25519_field_element_t := + (qy_2224) *% (nat_mod_inv (qz_2225)) in + let pz_2228 : ed25519_field_element_t := + nat_mod_one in + let pt_2229 : ed25519_field_element_t := + (px_2226) *% (py_2227) in + (px_2226, py_2227, pz_2228, pt_2229). + +Definition secret_expand + (sk_2230 : secret_key_t) + : (serialized_scalar_t '× serialized_scalar_t) := + let h_2231 : sha512_digest_t := + sha512 (seq_from_slice (sk_2230) (usize 0) (usize 32)) in + let h_d_2232 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 32) ( + usize 32) in + let s_2233 : serialized_scalar_t := + array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 0) ( + usize 32) in + let s_2233 := + array_upd s_2233 (usize 0) ((array_index (s_2233) (usize 0)) .& (secret ( + @repr WORDSIZE8 248) : int8)) in + let s_2233 := + array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + let s_2233 := + array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .| (secret ( + @repr WORDSIZE8 64) : int8)) in + (s_2233, h_d_2232). + +Definition secret_to_public (sk_2234 : secret_key_t) : public_key_t := + let '(s_2235, _) := + secret_expand (sk_2234) in + let base_2236 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let ss_2237 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_2235)) : scalar_t in + let a_2238 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (ss_2237) (base_2236) in + compress (a_2238). + +Definition check_canonical_scalar (s_2239 : serialized_scalar_t) : bool := + (if ((uint8_declassify ((array_index (s_2239) (usize 31)) .& (secret ( + @repr WORDSIZE8 224) : int8))) !=.? ( + @repr WORDSIZE8 0)):bool then (false) else ((nat_mod_from_byte_seq_le ( + array_to_seq (s_2239)) : big_integer_t) <.? ( + nat_mod_from_byte_seq_le ( + array_to_seq (constant_l_v)) : big_integer_t))). + diff --git a/proof-libs/coq/src/Hacspec_Edwards25519_Ecvrf.v b/proof-libs/coq/src/Hacspec_Edwards25519_Ecvrf.v new file mode 100644 index 000000000..7a3f9305a --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Edwards25519_Ecvrf.v @@ -0,0 +1,349 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Edwards25519. + +Require Import Hacspec_Sha512. + +Require Import Hacspec_Edwards25519_Hash. + +Inductive errorec_t := +| FailedVerify : errorec_t +| MessageTooLarge : errorec_t +| InvalidProof : errorec_t +| InvalidPublicKey : errorec_t +| FailedDecompression : errorec_t +| FailedE2C : errorec_t. + +Notation "'byte_seq_result_t'" := ((result byte_seq errorec_t)) : hacspec_scope. + +Notation "'proof_result_t'" := ((result (ed_point_t '× scalar_t '× scalar_t + ) errorec_t)) : hacspec_scope. + +Notation "'ed_point_result_t'" := (( + result ed_point_t errorec_t)) : hacspec_scope. + +Definition large_mod_canvas_t := nseq (int8) (32). +Definition large_mod_t := + nat_mod 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. + +Definition arr_large_mod_t := nseq (uint64) (usize 4). + +Definition q_v : arr_large_mod_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 9223372036854775807) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551597) : int64 + ] in l). + +Definition c_len_v : uint_size := + usize 16. + +Definition pt_len_v : uint_size := + usize 32. + +Definition q_len_v : uint_size := + usize 32. + +Definition int_byte_t := nseq (uint8) (usize 1). + +Definition zero_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 0) : int8] in l). + +Definition one_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). + +Definition two_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). + +Definition three_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 3) : int8] in l). + +Definition four_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 4) : int8] in l). + +Definition suite_string_v : int_byte_t := + four_v. + +Definition dst_t := nseq (uint8) (usize 39). + +Definition h2c_suite_id_string_v : dst_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 67) : int8; + secret (@repr WORDSIZE8 86) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 70) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 97) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 68) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 95) : int8 + ] in l). + +Definition ecvrf_encode_to_curve_try_and_increment + (encode_to_curve_salt_2457 : byte_seq) + (alpha_2458 : byte_seq) + : ed_point_result_t := + let h_2459 : (option ed_point_t) := + @None ed_point_t in + let x_2460 : ed25519_field_element_t := + nat_mod_zero in + let '(h_2459, x_2460) := + foldi (usize 1) (usize 256) (fun ctr_2461 '(h_2459, x_2460) => + let '(h_2459, x_2460) := + if ((h_2459)) =.? (@None ed_point_t):bool then ( + let ctr_string_2462 : seq uint8 := + seq_slice (nat_mod_to_byte_seq_be (x_2460)) (usize 31) (usize 1) in + let hash_string_2463 : sha512_digest_t := + sha512 (seq_concat (seq_concat (seq_concat (seq_concat ( + array_concat (suite_string_v) (array_to_seq (one_v))) ( + encode_to_curve_salt_2457)) (alpha_2458)) ( + ctr_string_2462)) (array_to_seq (zero_v))) in + let h_2459 := + decompress (array_from_slice (default : uint8) (32) ( + array_to_seq (hash_string_2463)) (usize 0) (usize 32)) in + let x_2460 := + (x_2460) +% (nat_mod_one ) in + (h_2459, x_2460)) else ((h_2459, x_2460)) in + (h_2459, x_2460)) + (h_2459, x_2460) in + bind (option_ok_or (h_2459) (FailedE2C)) (fun h_2464 => + @Ok ed_point_t errorec_t (point_mul_by_cofactor (h_2464))). + +Definition ecvrf_encode_to_curve_h2c_suite + (encode_to_curve_salt_2465 : byte_seq) + (alpha_2466 : byte_seq) + : ed_point_result_t := + let string_to_be_hashed_2467 : seq uint8 := + seq_concat (encode_to_curve_salt_2465) (alpha_2466) in + let dst_2468 : seq uint8 := + array_concat (h2c_suite_id_string_v) (array_to_seq (suite_string_v)) in + let h_2469 : (result ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) error_t) := + ed_encode_to_curve (string_to_be_hashed_2467) (dst_2468) in + bind (option_ok_or (result_ok (h_2469)) (FailedE2C)) (fun h_2470 => + @Ok ed_point_t errorec_t (h_2470)). + +Definition ecvrf_nonce_generation + (sk_2471 : secret_key_t) + (h_string_2472 : byte_seq) + : scalar_t := + let hashed_sk_string_2473 : sha512_digest_t := + sha512 (array_to_le_bytes (sk_2471)) in + let truncated_hashed_sk_string_2474 : seq uint8 := + array_slice (hashed_sk_string_2473) (usize 32) (usize 32) in + let k_string_2475 : sha512_digest_t := + sha512 (seq_concat (truncated_hashed_sk_string_2474) (h_string_2472)) in + let nonce_2476 : big_scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (k_string_2475)) : big_scalar_t in + let nonceseq_2477 : seq uint8 := + seq_slice (nat_mod_to_byte_seq_le (nonce_2476)) (usize 0) (usize 32) in + nat_mod_from_byte_seq_le (nonceseq_2477) : scalar_t. + +Definition ecvrf_challenge_generation + (p1_2478 : ed_point_t) + (p2_2479 : ed_point_t) + (p3_2480 : ed_point_t) + (p4_2481 : ed_point_t) + (p5_2482 : ed_point_t) + : scalar_t := + let string_2483 : seq uint8 := + seq_concat (seq_concat (seq_concat (seq_concat (seq_concat (seq_concat ( + array_concat (suite_string_v) (array_to_seq (two_v))) (encode ( + p1_2478))) (encode (p2_2479))) (encode (p3_2480))) (encode ( + p4_2481))) (encode (p5_2482))) (array_to_seq (zero_v)) in + let c_string_2484 : sha512_digest_t := + sha512 (string_2483) in + let truncated_c_string_2485 : seq uint8 := + seq_concat (array_slice (c_string_2484) (usize 0) (c_len_v)) (seq_new_ ( + default : uint8) (usize 16)) in + nat_mod_from_byte_seq_le (truncated_c_string_2485) : scalar_t. + +Definition ecvrf_decode_proof (pi_2486 : byte_seq) : proof_result_t := + let gamma_string_2487 : seq uint8 := + seq_slice (pi_2486) (usize 0) (pt_len_v) in + let c_string_2488 : seq uint8 := + seq_slice (pi_2486) (pt_len_v) (c_len_v) in + let s_string_2489 : seq uint8 := + seq_slice (pi_2486) ((pt_len_v) + (c_len_v)) (q_len_v) in + bind (option_ok_or (decompress (array_from_slice (default : uint8) (32) ( + gamma_string_2487) (usize 0) (usize 32))) (InvalidProof)) ( + fun gamma_2490 => let c_2491 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (c_string_2488) (seq_new_ ( + default : uint8) (usize 16))) : scalar_t in + let s_2492 : scalar_t := + nat_mod_from_byte_seq_le ((s_string_2489)) : scalar_t in + let s_test_2493 : large_mod_t := + nat_mod_from_byte_seq_le (s_string_2489) : large_mod_t in + let q_2494 : large_mod_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (q_v)) : large_mod_t in + (if ((s_test_2493) >=.? (q_2494)):bool then (@Err ( + ed_point_t '× + scalar_t '× + scalar_t + ) errorec_t (InvalidProof)) else (@Ok ( + ed_point_t '× + scalar_t '× + scalar_t + ) errorec_t ((gamma_2490, c_2491, s_2492))))). + +Definition ecvrf_validate_key + (y_2495 : public_key_t) + : (result unit errorec_t) := + bind (option_ok_or (decompress (y_2495)) (InvalidPublicKey)) (fun y_2496 => + let y_prime_2497 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul_by_cofactor (y_2496) in + (if ((y_prime_2497) =.? (point_identity )):bool then (@Err unit errorec_t ( + InvalidPublicKey)) else (@Ok unit errorec_t (tt)))). + +Definition ecvrf_prove + (sk_2498 : secret_key_t) + (alpha_2499 : byte_seq) + : byte_seq_result_t := + bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2500 => + let '(x_2501, _) := + secret_expand (sk_2498) in + let x_2502 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (x_2501)) : scalar_t in + let y_2503 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (x_2502) (b_2500) in + let pk_2504 : compressed_ed_point_t := + compress (y_2503) in + let encode_to_curve_salt_2505 : seq uint8 := + array_slice (pk_2504) (usize 0) (usize 32) in + bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2505) ( + alpha_2499)) (fun h_2506 => let h_string_2507 : seq uint8 := + encode (h_2506) in + let gamma_2508 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (x_2502) (h_2506) in + let k_2509 : scalar_t := + ecvrf_nonce_generation (sk_2498) (h_string_2507) in + let u_2510 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (k_2509) (b_2500) in + let v_2511 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_mul (k_2509) (h_2506) in + let c_2512 : scalar_t := + ecvrf_challenge_generation (y_2503) (h_2506) (gamma_2508) (u_2510) ( + v_2511) in + let s_2513 : scalar_t := + (k_2509) +% ((c_2512) *% (x_2502)) in + @Ok byte_seq errorec_t (seq_slice (seq_concat (seq_concat (encode ( + gamma_2508)) (seq_slice (nat_mod_to_byte_seq_le (c_2512)) ( + usize 0) (c_len_v))) (seq_slice (nat_mod_to_byte_seq_le ( + s_2513)) (usize 0) (q_len_v))) (usize 0) (((c_len_v) + ( + q_len_v)) + (pt_len_v))))). + +Definition ecvrf_proof_to_hash (pi_2514 : byte_seq) : byte_seq_result_t := + bind (ecvrf_decode_proof (pi_2514)) (fun '(gamma_2515, _, _) => + @Ok byte_seq errorec_t (array_slice (sha512 (seq_concat (seq_concat ( + array_concat (suite_string_v) (array_to_seq (three_v))) (encode ( + point_mul_by_cofactor (gamma_2515)))) ( + array_to_seq (zero_v)))) (usize 0) (usize 64))). + +Definition ecvrf_verify + (pk_2516 : public_key_t) + (alpha_2517 : byte_seq) + (pi_2518 : byte_seq) + (validate_key_2519 : bool) + : byte_seq_result_t := + bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2520 => + bind (option_ok_or (decompress (pk_2516)) (InvalidPublicKey)) (fun y_2521 => + ifbnd validate_key_2519 : bool + thenbnd (bind (ecvrf_validate_key (pk_2516)) (fun _ => + @Ok unit errorec_t (tt))) + else (tt) >> (fun 'tt => + bind (ecvrf_decode_proof (pi_2518)) (fun '(gamma_2522, c_2523, s_2524) => + let encode_to_curve_salt_2525 : seq uint8 := + array_slice (pk_2516) (usize 0) (usize 32) in + bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2525) ( + alpha_2517)) (fun h_2526 => let u_2527 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (point_mul (s_2524) (b_2520)) (point_neg (point_mul ( + c_2523) (y_2521))) in + let v_2528 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + point_add (point_mul (s_2524) (h_2526)) (point_neg (point_mul ( + c_2523) (gamma_2522))) in + let c_prime_2529 : scalar_t := + ecvrf_challenge_generation (y_2521) (h_2526) (gamma_2522) (u_2527) ( + v_2528) in + (if ((c_2523) =.? (c_prime_2529)):bool then (ecvrf_proof_to_hash ( + pi_2518)) else (@Err byte_seq errorec_t (FailedVerify)))))))). + diff --git a/proof-libs/coq/src/Hacspec_Edwards25519_Hash.v b/proof-libs/coq/src/Hacspec_Edwards25519_Hash.v new file mode 100644 index 000000000..0017ba372 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Edwards25519_Hash.v @@ -0,0 +1,504 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Edwards25519. + +Require Import Hacspec_Sha512. + +Definition b_in_bytes_v : uint_size := + usize 64. + +Definition s_in_bytes_v : uint_size := + usize 128. + +Definition l_v : uint_size := + usize 48. + +Definition j_v : int128 := + @repr WORDSIZE128 486662. + +Definition z_v : int128 := + @repr WORDSIZE128 2. + +Definition arr_ed25519_field_element_t := nseq (uint64) (usize 4). + +Definition ed_field_hash_canvas_t := nseq (int8) (64). +Definition ed_field_hash_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Inductive error_t := +| ExpandMessageAbort : error_t. + +Definition eqb_error_t (x y : error_t) : bool := +match x with + | ExpandMessageAbort => match y with | ExpandMessageAbort=> true end + end. + +Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_error_t : EqDec (error_t) := +Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). + + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Notation "'seq_ed_result_t'" := (( + result seq ed25519_field_element_t error_t)) : hacspec_scope. + +Notation "'ed_point_result_t'" := ((result ed_point_t error_t)) : hacspec_scope. + +Definition p_1_2_v : arr_ed25519_field_element_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 4611686018427387903) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551606) : int64 + ] in l). + +Definition p_3_8_v : arr_ed25519_field_element_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1152921504606846975) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551614) : int64 + ] in l). + +Definition p_5_8_v : arr_ed25519_field_element_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1152921504606846975) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551615) : int64; + secret (@repr WORDSIZE64 18446744073709551613) : int64 + ] in l). + +Definition expand_message_xmd + (msg_2290 : byte_seq) + (dst_2291 : byte_seq) + (len_in_bytes_2292 : uint_size) + : byte_seq_result_t := + let ell_2293 : uint_size := + (((len_in_bytes_2292) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in + let result_2294 : (result byte_seq error_t) := + @Err byte_seq error_t (ExpandMessageAbort) in + let '(result_2294) := + if negb ((((ell_2293) >.? (usize 255)) || ((len_in_bytes_2292) >.? ( + usize 65535))) || ((seq_len (dst_2291)) >.? ( + usize 255))):bool then (let dst_prime_2295 : seq uint8 := + seq_push (dst_2291) (uint8_from_usize (seq_len (dst_2291))) in + let z_pad_2296 : seq uint8 := + seq_new_ (default : uint8) (s_in_bytes_v) in + let l_i_b_str_2297 : seq uint8 := + seq_new_ (default : uint8) (usize 2) in + let l_i_b_str_2297 := + seq_upd l_i_b_str_2297 (usize 0) (uint8_from_usize (( + len_in_bytes_2292) / (usize 256))) in + let l_i_b_str_2297 := + seq_upd l_i_b_str_2297 (usize 1) (uint8_from_usize ( + len_in_bytes_2292)) in + let msg_prime_2298 : seq uint8 := + seq_concat (seq_concat (seq_concat (seq_concat (z_pad_2296) ( + msg_2290)) (l_i_b_str_2297)) (seq_new_ (default : uint8) ( + usize 1))) (dst_prime_2295) in + let b_0_2299 : seq uint8 := + seq_from_seq (array_to_seq (hash (msg_prime_2298))) in + let b_i_2300 : seq uint8 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_2299) ( + secret (@repr WORDSIZE8 1) : int8)) (dst_prime_2295)))) in + let uniform_bytes_2301 : seq uint8 := + seq_from_seq (b_i_2300) in + let '(b_i_2300, uniform_bytes_2301) := + foldi (usize 2) ((ell_2293) + (usize 1)) (fun i_2302 '( + b_i_2300, + uniform_bytes_2301 + ) => + let t_2303 : seq uint8 := + seq_from_seq (b_0_2299) in + let b_i_2300 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( + t_2303) seq_xor (b_i_2300)) (uint8_from_usize (i_2302))) ( + dst_prime_2295)))) in + let uniform_bytes_2301 := + seq_concat (uniform_bytes_2301) (b_i_2300) in + (b_i_2300, uniform_bytes_2301)) + (b_i_2300, uniform_bytes_2301) in + let result_2294 := + @Ok byte_seq error_t (seq_truncate (uniform_bytes_2301) ( + len_in_bytes_2292)) in + (result_2294)) else ((result_2294)) in + result_2294. + +Definition ed_hash_to_field + (msg_2304 : byte_seq) + (dst_2305 : byte_seq) + (count_2306 : uint_size) + : seq_ed_result_t := + let len_in_bytes_2307 : uint_size := + (count_2306) * (l_v) in + bind (expand_message_xmd (msg_2304) (dst_2305) (len_in_bytes_2307)) ( + fun uniform_bytes_2308 => let output_2309 : seq ed25519_field_element_t := + seq_new_ (default : ed25519_field_element_t) (count_2306) in + let output_2309 := + foldi (usize 0) (count_2306) (fun i_2310 output_2309 => + let elm_offset_2311 : uint_size := + (l_v) * (i_2310) in + let tv_2312 : seq uint8 := + seq_slice (uniform_bytes_2308) (elm_offset_2311) (l_v) in + let u_i_2313 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_2312) : ed_field_hash_t)) ( + usize 32) (usize 32)) : ed25519_field_element_t in + let output_2309 := + seq_upd output_2309 (i_2310) (u_i_2313) in + (output_2309)) + output_2309 in + @Ok seq ed25519_field_element_t error_t (output_2309)). + +Definition ed_is_square (x_2314 : ed25519_field_element_t) : bool := + let c1_2315 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (array_to_be_bytes ( + p_1_2_v)) : ed25519_field_element_t in + let tv_2316 : ed25519_field_element_t := + nat_mod_pow_self (x_2314) (c1_2315) in + ((tv_2316) =.? (nat_mod_zero )) || ((tv_2316) =.? (nat_mod_one )). + +Definition sgn0_m_eq_1 (x_2317 : ed25519_field_element_t) : bool := + ((x_2317) rem (nat_mod_two )) =.? (nat_mod_one ). + +Definition ed_clear_cofactor (x_2318 : ed_point_t) : ed_point_t := + point_mul_by_cofactor (x_2318). + +Definition cmov + (a_2319 : ed25519_field_element_t) + (b_2320 : ed25519_field_element_t) + (c_2321 : bool) + : ed25519_field_element_t := + (if (c_2321):bool then (b_2320) else (a_2319)). + +Definition xor (a_2322 : bool) (b_2323 : bool) : bool := + (if (a_2322):bool then ((if (b_2323):bool then (false) else (true))) else (( + if (b_2323):bool then (true) else (false)))). + +Definition curve25519_to_edwards25519 (p_2324 : ed_point_t) : ed_point_t := + let '(s_2325, t_2326, _, _) := + point_normalize (p_2324) in + let one_2327 : ed25519_field_element_t := + nat_mod_one in + let zero_2328 : ed25519_field_element_t := + nat_mod_zero in + let tv1_2329 : ed25519_field_element_t := + (s_2325) +% (one_2327) in + let tv2_2330 : ed25519_field_element_t := + (tv1_2329) *% (t_2326) in + let tv2_2331 : ed25519_field_element_t := + nat_mod_inv (tv2_2330) in + let v_2332 : ed25519_field_element_t := + (tv2_2331) *% (tv1_2329) in + let v_2333 : ed25519_field_element_t := + (v_2332) *% (s_2325) in + let w_2334 : ed25519_field_element_t := + (tv2_2331) *% (t_2326) in + let tv1_2335 : ed25519_field_element_t := + (s_2325) -% (one_2327) in + let w_2336 : ed25519_field_element_t := + (w_2334) *% (tv1_2335) in + let e_2337 : bool := + (tv2_2331) =.? (zero_2328) in + let w_2338 : ed25519_field_element_t := + cmov (w_2336) (one_2327) (e_2337) in + let c_2339 : ed25519_field_element_t := + (nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 486664) : ed25519_field_element_t) in + let sq_2340 : (option ed25519_field_element_t) := + sqrt (c_2339) in + let v_2341 : ed25519_field_element_t := + (v_2333) *% (option_unwrap (sq_2340)) in + (v_2341, w_2338, one_2327, (v_2341) *% (w_2338)). + +Definition map_to_curve_elligator2 + (u_2342 : ed25519_field_element_t) + : ed_point_t := + let j_2343 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let z_2344 : ed25519_field_element_t := + nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in + let one_2345 : ed25519_field_element_t := + nat_mod_one in + let zero_2346 : ed25519_field_element_t := + nat_mod_zero in + let x1_2347 : ed25519_field_element_t := + ((zero_2346) -% (j_2343)) *% (nat_mod_inv ((one_2345) +% (((z_2344) *% ( + u_2342)) *% (u_2342)))) in + let '(x1_2347) := + if (x1_2347) =.? (zero_2346):bool then (let x1_2347 := + (zero_2346) -% (j_2343) in + (x1_2347)) else ((x1_2347)) in + let gx1_2348 : ed25519_field_element_t := + ((((x1_2347) *% (x1_2347)) *% (x1_2347)) +% (((j_2343) *% (x1_2347)) *% ( + x1_2347))) +% (x1_2347) in + let x2_2349 : ed25519_field_element_t := + ((zero_2346) -% (x1_2347)) -% (j_2343) in + let gx2_2350 : ed25519_field_element_t := + ((((x2_2349) *% (x2_2349)) *% (x2_2349)) +% ((j_2343) *% ((x2_2349) *% ( + x2_2349)))) +% (x2_2349) in + let x_2351 : ed25519_field_element_t := + zero_2346 in + let y_2352 : ed25519_field_element_t := + zero_2346 in + let '(x_2351, y_2352) := + if ed_is_square (gx1_2348):bool then (let x_2351 := + x1_2347 in + let y_2352 := + option_unwrap (sqrt (gx1_2348)) in + let '(y_2352) := + if negb (sgn0_m_eq_1 (y_2352)):bool then (let y_2352 := + (zero_2346) -% (y_2352) in + (y_2352)) else ((y_2352)) in + (x_2351, y_2352)) else (let x_2351 := + x2_2349 in + let y_2352 := + option_unwrap (sqrt (gx2_2350)) in + let '(y_2352) := + if sgn0_m_eq_1 (y_2352):bool then (let y_2352 := + (zero_2346) -% (y_2352) in + (y_2352)) else ((y_2352)) in + (x_2351, y_2352)) in + let s_2353 : ed25519_field_element_t := + x_2351 in + let t_2354 : ed25519_field_element_t := + y_2352 in + (s_2353, t_2354, one_2345, (s_2353) *% (t_2354)). + +Definition map_to_curve_elligator2_straight + (u_2355 : ed25519_field_element_t) + : ed_point_t := + let j_2356 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let z_2357 : ed25519_field_element_t := + nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in + let one_2358 : ed25519_field_element_t := + nat_mod_one in + let zero_2359 : ed25519_field_element_t := + nat_mod_zero in + let tv1_2360 : ed25519_field_element_t := + (u_2355) *% (u_2355) in + let tv1_2361 : ed25519_field_element_t := + (z_2357) *% (tv1_2360) in + let e1_2362 : bool := + (tv1_2361) =.? ((zero_2359) -% (one_2358)) in + let tv1_2363 : ed25519_field_element_t := + cmov (tv1_2361) (zero_2359) (e1_2362) in + let x1_2364 : ed25519_field_element_t := + (tv1_2363) +% (one_2358) in + let x1_2365 : ed25519_field_element_t := + nat_mod_inv (x1_2364) in + let x1_2366 : ed25519_field_element_t := + ((zero_2359) -% (j_2356)) *% (x1_2365) in + let gx1_2367 : ed25519_field_element_t := + (x1_2366) +% (j_2356) in + let gx1_2368 : ed25519_field_element_t := + (gx1_2367) *% (x1_2366) in + let gx1_2369 : ed25519_field_element_t := + (gx1_2368) +% (one_2358) in + let gx1_2370 : ed25519_field_element_t := + (gx1_2369) *% (x1_2366) in + let x2_2371 : ed25519_field_element_t := + ((zero_2359) -% (x1_2366)) -% (j_2356) in + let gx2_2372 : ed25519_field_element_t := + (tv1_2363) *% (gx1_2370) in + let e2_2373 : bool := + ed_is_square (gx1_2370) in + let x_2374 : ed25519_field_element_t := + cmov (x2_2371) (x1_2366) (e2_2373) in + let y2_2375 : ed25519_field_element_t := + cmov (gx2_2372) (gx1_2370) (e2_2373) in + let y_2376 : ed25519_field_element_t := + option_unwrap (sqrt (y2_2375)) in + let e3_2377 : bool := + sgn0_m_eq_1 (y_2376) in + let y_2378 : ed25519_field_element_t := + cmov (y_2376) ((zero_2359) -% (y_2376)) (xor (e2_2373) (e3_2377)) in + let s_2379 : ed25519_field_element_t := + x_2374 in + let t_2380 : ed25519_field_element_t := + y_2378 in + (s_2379, t_2380, one_2358, (s_2379) *% (t_2380)). + +Definition map_to_curve_elligator2_curve25519 + (u_2381 : ed25519_field_element_t) + : ed_point_t := + let j_2382 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let zero_2383 : ed25519_field_element_t := + nat_mod_zero in + let one_2384 : ed25519_field_element_t := + nat_mod_one in + let two_2385 : ed25519_field_element_t := + nat_mod_two in + let c1_2386 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (array_to_be_bytes ( + p_3_8_v)) : ed25519_field_element_t in + let c2_2387 : ed25519_field_element_t := + nat_mod_pow_self (two_2385) (c1_2386) in + let c3_2388 : ed25519_field_element_t := + option_unwrap (sqrt ((zero_2383) -% (one_2384))) in + let c4_2389 : ed25519_field_element_t := + nat_mod_from_byte_seq_be (array_to_be_bytes ( + p_5_8_v)) : ed25519_field_element_t in + let tv1_2390 : ed25519_field_element_t := + (u_2381) *% (u_2381) in + let tv1_2391 : ed25519_field_element_t := + (two_2385) *% (tv1_2390) in + let xd_2392 : ed25519_field_element_t := + (tv1_2391) +% (one_2384) in + let x1n_2393 : ed25519_field_element_t := + (zero_2383) -% (j_2382) in + let tv2_2394 : ed25519_field_element_t := + (xd_2392) *% (xd_2392) in + let gxd_2395 : ed25519_field_element_t := + (tv2_2394) *% (xd_2392) in + let gx1_2396 : ed25519_field_element_t := + (j_2382) *% (tv1_2391) in + let gx1_2397 : ed25519_field_element_t := + (gx1_2396) *% (x1n_2393) in + let gx1_2398 : ed25519_field_element_t := + (gx1_2397) +% (tv2_2394) in + let gx1_2399 : ed25519_field_element_t := + (gx1_2398) *% (x1n_2393) in + let tv3_2400 : ed25519_field_element_t := + (gxd_2395) *% (gxd_2395) in + let tv2_2401 : ed25519_field_element_t := + (tv3_2400) *% (tv3_2400) in + let tv3_2402 : ed25519_field_element_t := + (tv3_2400) *% (gxd_2395) in + let tv3_2403 : ed25519_field_element_t := + (tv3_2402) *% (gx1_2399) in + let tv2_2404 : ed25519_field_element_t := + (tv2_2401) *% (tv3_2403) in + let y11_2405 : ed25519_field_element_t := + nat_mod_pow_self (tv2_2404) (c4_2389) in + let y11_2406 : ed25519_field_element_t := + (y11_2405) *% (tv3_2403) in + let y12_2407 : ed25519_field_element_t := + (y11_2406) *% (c3_2388) in + let tv2_2408 : ed25519_field_element_t := + (y11_2406) *% (y11_2406) in + let tv2_2409 : ed25519_field_element_t := + (tv2_2408) *% (gxd_2395) in + let e1_2410 : bool := + (tv2_2409) =.? (gx1_2399) in + let y1_2411 : ed25519_field_element_t := + cmov (y12_2407) (y11_2406) (e1_2410) in + let x2n_2412 : ed25519_field_element_t := + (x1n_2393) *% (tv1_2391) in + let y21_2413 : ed25519_field_element_t := + (y11_2406) *% (u_2381) in + let y21_2414 : ed25519_field_element_t := + (y21_2413) *% (c2_2387) in + let y22_2415 : ed25519_field_element_t := + (y21_2414) *% (c3_2388) in + let gx2_2416 : ed25519_field_element_t := + (gx1_2399) *% (tv1_2391) in + let tv2_2417 : ed25519_field_element_t := + (y21_2414) *% (y21_2414) in + let tv2_2418 : ed25519_field_element_t := + (tv2_2417) *% (gxd_2395) in + let e2_2419 : bool := + (tv2_2418) =.? (gx2_2416) in + let y2_2420 : ed25519_field_element_t := + cmov (y22_2415) (y21_2414) (e2_2419) in + let tv2_2421 : ed25519_field_element_t := + (y1_2411) *% (y1_2411) in + let tv2_2422 : ed25519_field_element_t := + (tv2_2421) *% (gxd_2395) in + let e3_2423 : bool := + (tv2_2422) =.? (gx1_2399) in + let xn_2424 : ed25519_field_element_t := + cmov (x2n_2412) (x1n_2393) (e3_2423) in + let y_2425 : ed25519_field_element_t := + cmov (y2_2420) (y1_2411) (e3_2423) in + let e4_2426 : bool := + sgn0_m_eq_1 (y_2425) in + let y_2427 : ed25519_field_element_t := + cmov (y_2425) ((zero_2383) -% (y_2425)) (xor (e3_2423) (e4_2426)) in + (xn_2424, xd_2392, y_2427, one_2384). + +Definition map_to_curve_elligator2_edwards25519 + (u_2428 : ed25519_field_element_t) + : ed_point_t := + let j_2429 : ed25519_field_element_t := + nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in + let zero_2430 : ed25519_field_element_t := + nat_mod_zero in + let one_2431 : ed25519_field_element_t := + nat_mod_one in + let two_2432 : ed25519_field_element_t := + nat_mod_two in + let c1_2433 : ed25519_field_element_t := + option_unwrap (sqrt ((zero_2430) -% ((j_2429) +% (two_2432)))) in + let '(xmn_2434, xmd_2435, ymn_2436, ymd_2437) := + map_to_curve_elligator2_curve25519 (u_2428) in + let xn_2438 : ed25519_field_element_t := + (xmn_2434) *% (ymd_2437) in + let xn_2439 : ed25519_field_element_t := + (xn_2438) *% (c1_2433) in + let xd_2440 : ed25519_field_element_t := + (xmd_2435) *% (ymn_2436) in + let yn_2441 : ed25519_field_element_t := + (xmn_2434) -% (xmd_2435) in + let yd_2442 : ed25519_field_element_t := + (xmn_2434) +% (xmd_2435) in + let tv1_2443 : ed25519_field_element_t := + (xd_2440) *% (yd_2442) in + let e_2444 : bool := + (tv1_2443) =.? (zero_2430) in + let xn_2445 : ed25519_field_element_t := + cmov (xn_2439) (zero_2430) (e_2444) in + let xd_2446 : ed25519_field_element_t := + cmov (xd_2440) (one_2431) (e_2444) in + let yn_2447 : ed25519_field_element_t := + cmov (yn_2441) (one_2431) (e_2444) in + let yd_2448 : ed25519_field_element_t := + cmov (yd_2442) (one_2431) (e_2444) in + let x_2449 : ed25519_field_element_t := + (xn_2445) *% (nat_mod_inv (xd_2446)) in + let y_2450 : ed25519_field_element_t := + (yn_2447) *% (nat_mod_inv (yd_2448)) in + (x_2449, y_2450, one_2431, (x_2449) *% (y_2450)). + +Definition map_to_curve_elligator2_edwards + (u_2451 : ed25519_field_element_t) + : ed_point_t := + let st_2452 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + map_to_curve_elligator2 (u_2451) in + curve25519_to_edwards25519 (st_2452). + +Definition ed_encode_to_curve + (msg_2453 : byte_seq) + (dst_2454 : byte_seq) + : ed_point_result_t := + bind (ed_hash_to_field (msg_2453) (dst_2454) (usize 1)) (fun u_2455 => + let q_2456 : ( + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t '× + ed25519_field_element_t + ) := + map_to_curve_elligator2_edwards (seq_index (u_2455) (usize 0)) in + @Ok ed_point_t error_t (ed_clear_cofactor (q_2456))). + diff --git a/proof-libs/coq/src/Hacspec_Gf128.v b/proof-libs/coq/src/Hacspec_Gf128.v new file mode 100644 index 000000000..c606e1b76 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Gf128.v @@ -0,0 +1,113 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition blocksize_v : uint_size := + usize 16. + +Definition gf128_block_t := nseq (uint8) (blocksize_v). + +Definition gf128_key_t := nseq (uint8) (blocksize_v). + +Definition gf128_tag_t := nseq (uint8) (blocksize_v). + +Notation "'element_t'" := (uint128) : hacspec_scope. + +Definition irred_v : element_t := + secret (@repr WORDSIZE128 299076299051606071403356588563077529600) : int128. + +Definition fadd (x_317 : element_t) (y_318 : element_t) : element_t := + (x_317) .^ (y_318). + +Definition fmul (x_319 : element_t) (y_320 : element_t) : element_t := + let res_321 : element_t := + secret (@repr WORDSIZE128 0) : int128 in + let sh_322 : uint128 := + x_319 in + let '(res_321, sh_322) := + foldi (usize 0) (usize 128) (fun i_323 '(res_321, sh_322) => + let '(res_321) := + if (uint128_declassify ((y_320) .& ((secret ( + @repr WORDSIZE128 1) : int128) shift_left ((usize 127) - ( + i_323))))) !=.? (uint128_declassify (secret ( + @repr WORDSIZE128 0) : int128)):bool then (let res_321 := + (res_321) .^ (sh_322) in + (res_321)) else ((res_321)) in + let '(sh_322) := + if (uint128_declassify ((sh_322) .& (secret ( + @repr WORDSIZE128 1) : int128))) !=.? (uint128_declassify ( + secret (@repr WORDSIZE128 0) : int128)):bool then (let sh_322 := + ((sh_322) shift_right (usize 1)) .^ (irred_v) in + (sh_322)) else (let sh_322 := + (sh_322) shift_right (usize 1) in + (sh_322)) in + (res_321, sh_322)) + (res_321, sh_322) in + res_321. + +Definition encode (block_324 : gf128_block_t) : element_t := + uint128_from_be_bytes (array_from_seq (16) (array_to_seq (block_324))). + +Definition decode (e_325 : element_t) : gf128_block_t := + array_from_seq (blocksize_v) (array_to_seq (uint128_to_be_bytes (e_325))). + +Definition update + (r_326 : element_t) + (block_327 : gf128_block_t) + (acc_328 : element_t) + : element_t := + fmul (fadd (encode (block_327)) (acc_328)) (r_326). + +Definition poly (msg_329 : byte_seq) (r_330 : element_t) : element_t := + let l_331 : uint_size := + seq_len (msg_329) in + let n_blocks_332 : uint_size := + (l_331) / (blocksize_v) in + let rem_333 : uint_size := + (l_331) %% (blocksize_v) in + let acc_334 : uint128 := + secret (@repr WORDSIZE128 0) : int128 in + let acc_334 := + foldi (usize 0) (n_blocks_332) (fun i_335 acc_334 => + let k_336 : uint_size := + (i_335) * (blocksize_v) in + let block_337 : gf128_block_t := + array_new_ (default : uint8) (blocksize_v) in + let block_337 := + array_update_start (block_337) (seq_slice_range (msg_329) (( + k_336, + (k_336) + (blocksize_v) + ))) in + let acc_334 := + update (r_330) (block_337) (acc_334) in + (acc_334)) + acc_334 in + let '(acc_334) := + if (rem_333) !=.? (usize 0):bool then (let k_338 : uint_size := + (n_blocks_332) * (blocksize_v) in + let last_block_339 : gf128_block_t := + array_new_ (default : uint8) (blocksize_v) in + let last_block_339 := + array_update_slice (last_block_339) (usize 0) (msg_329) (k_338) ( + rem_333) in + let acc_334 := + update (r_330) (last_block_339) (acc_334) in + (acc_334)) else ((acc_334)) in + acc_334. + +Definition gmac (text_340 : byte_seq) (k_341 : gf128_key_t) : gf128_tag_t := + let s_342 : gf128_block_t := + array_new_ (default : uint8) (blocksize_v) in + let r_343 : uint128 := + encode (array_from_seq (blocksize_v) (array_to_seq (k_341))) in + let a_344 : uint128 := + poly (text_340) (r_343) in + array_from_seq (blocksize_v) (array_to_seq (decode (fadd (a_344) (encode ( + s_342))))). + diff --git a/proof-libs/coq/src/Hacspec_Gimli.v b/proof-libs/coq/src/Hacspec_Gimli.v new file mode 100644 index 000000000..9ab5c8d93 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Gimli.v @@ -0,0 +1,406 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition state_t := nseq (uint32) (usize 12). + +Definition state_idx_t := + nat_mod (usize 12). +Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. +Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. + +Definition swap + (s_1127 : state_t) + (i_1128 : state_idx_t) + (j_1129 : state_idx_t) + : state_t := + let tmp_1130 : uint32 := + array_index (s_1127) (i_1128) in + let s_1127 := + array_upd s_1127 (i_1128) (array_index (s_1127) (j_1129)) in + let s_1127 := + array_upd s_1127 (j_1129) (tmp_1130) in + s_1127. + +Definition gimli_round (s_1131 : state_t) (r_1132 : int32) : state_t := + let s_1131 := + foldi (usize 0) (usize 4) (fun col_1133 s_1131 => + let x_1134 : uint32 := + uint32_rotate_left (array_index (s_1131) (col_1133)) (usize 24) in + let y_1135 : uint32 := + uint32_rotate_left (array_index (s_1131) ((col_1133) + (usize 4))) ( + usize 9) in + let z_1136 : uint32 := + array_index (s_1131) ((col_1133) + (usize 8)) in + let s_1131 := + array_upd s_1131 ((col_1133) + (usize 8)) (((x_1134) .^ (( + z_1136) shift_left (usize 1))) .^ (((y_1135) .& ( + z_1136)) shift_left (usize 2))) in + let s_1131 := + array_upd s_1131 ((col_1133) + (usize 4)) (((y_1135) .^ (x_1134)) .^ ((( + x_1134) .| (z_1136)) shift_left (usize 1))) in + let s_1131 := + array_upd s_1131 (col_1133) (((z_1136) .^ (y_1135)) .^ (((x_1134) .& ( + y_1135)) shift_left (usize 3))) in + (s_1131)) + s_1131 in + let '(s_1131) := + if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( + let s_1131 := + swap (s_1131) (usize 0) (usize 1) in + let s_1131 := + swap (s_1131) (usize 2) (usize 3) in + (s_1131)) else ((s_1131)) in + let '(s_1131) := + if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 2):bool then ( + let s_1131 := + swap (s_1131) (usize 0) (usize 2) in + let s_1131 := + swap (s_1131) (usize 1) (usize 3) in + (s_1131)) else ((s_1131)) in + let '(s_1131) := + if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( + let s_1131 := + array_upd s_1131 (usize 0) ((array_index (s_1131) (usize 0)) .^ (( + secret (@repr WORDSIZE32 2654435584) : int32) .| (secret ( + r_1132) : int32))) in + (s_1131)) else ((s_1131)) in + s_1131. + +Definition gimli (s_1137 : state_t) : state_t := + let s_1137 := + foldi (usize 0) (usize 24) (fun rnd_1138 s_1137 => + let rnd_1139 : int32 := + pub_u32 ((usize 24) - (rnd_1138)) in + let s_1137 := + gimli_round (s_1137) (rnd_1139) in + (s_1137)) + s_1137 in + s_1137. + +Definition block_t := nseq (uint8) (usize 16). + +Definition digest_t := nseq (uint8) (usize 32). + +Definition absorb_block + (input_block_1140 : block_t) + (s_1141 : state_t) + : state_t := + let input_bytes_1142 : seq uint32 := + array_to_le_uint32s (input_block_1140) in + let s_1141 := + array_upd s_1141 (usize 0) ((array_index (s_1141) (usize 0)) .^ (seq_index ( + input_bytes_1142) (usize 0))) in + let s_1141 := + array_upd s_1141 (usize 1) ((array_index (s_1141) (usize 1)) .^ (seq_index ( + input_bytes_1142) (usize 1))) in + let s_1141 := + array_upd s_1141 (usize 2) ((array_index (s_1141) (usize 2)) .^ (seq_index ( + input_bytes_1142) (usize 2))) in + let s_1141 := + array_upd s_1141 (usize 3) ((array_index (s_1141) (usize 3)) .^ (seq_index ( + input_bytes_1142) (usize 3))) in + gimli (s_1141). + +Definition squeeze_block (s_1143 : state_t) : block_t := + let block_1144 : block_t := + array_new_ (default : uint8) (16) in + let block_1144 := + foldi (usize 0) (usize 4) (fun i_1145 block_1144 => + let s_i_1146 : uint32 := + array_index (s_1143) (i_1145) in + let s_i_bytes_1147 : seq uint8 := + uint32_to_le_bytes (s_i_1146) in + let block_1144 := + array_upd block_1144 ((usize 4) * (i_1145)) (seq_index ( + s_i_bytes_1147) (usize 0)) in + let block_1144 := + array_upd block_1144 (((usize 4) * (i_1145)) + (usize 1)) (seq_index ( + s_i_bytes_1147) (usize 1)) in + let block_1144 := + array_upd block_1144 (((usize 4) * (i_1145)) + (usize 2)) (seq_index ( + s_i_bytes_1147) (usize 2)) in + let block_1144 := + array_upd block_1144 (((usize 4) * (i_1145)) + (usize 3)) (seq_index ( + s_i_bytes_1147) (usize 3)) in + (block_1144)) + block_1144 in + block_1144. + +Definition gimli_hash_state + (input_1148 : byte_seq) + (s_1149 : state_t) + : state_t := + let rate_1150 : uint_size := + array_length in + let chunks_1151 : uint_size := + seq_num_exact_chunks (input_1148) (rate_1150) in + let s_1149 := + foldi (usize 0) (chunks_1151) (fun i_1152 s_1149 => + let input_block_1153 : seq uint8 := + seq_get_exact_chunk (input_1148) (rate_1150) (i_1152) in + let full_block_1154 : block_t := + array_from_seq (16) (input_block_1153) in + let s_1149 := + absorb_block (full_block_1154) (s_1149) in + (s_1149)) + s_1149 in + let input_block_1155 : seq uint8 := + seq_get_remainder_chunk (input_1148) (rate_1150) in + let input_block_padded_1156 : block_t := + array_new_ (default : uint8) (16) in + let input_block_padded_1157 : block_t := + array_update_start (input_block_padded_1156) (input_block_1155) in + let input_block_padded_1157 := + array_upd input_block_padded_1157 (seq_len (input_block_1155)) (secret ( + @repr WORDSIZE8 1) : int8) in + let s_1149 := + array_upd s_1149 (usize 11) ((array_index (s_1149) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_1149 := + absorb_block (input_block_padded_1157) (s_1149) in + s_1149. + +Definition gimli_hash (input_bytes_1158 : byte_seq) : digest_t := + let s_1159 : state_t := + array_new_ (default : uint32) (12) in + let s_1160 : state_t := + gimli_hash_state (input_bytes_1158) (s_1159) in + let output_1161 : digest_t := + array_new_ (default : uint8) (32) in + let output_1162 : digest_t := + array_update_start (output_1161) (array_to_seq (squeeze_block (s_1160))) in + let s_1163 : state_t := + gimli (s_1160) in + array_update (output_1162) (array_length ) (array_to_seq (squeeze_block ( + s_1163))). + +Definition nonce_t := nseq (uint8) (usize 16). + +Definition key_t := nseq (uint8) (usize 32). + +Definition tag_t := nseq (uint8) (usize 16). + +Definition process_ad (ad_1164 : byte_seq) (s_1165 : state_t) : state_t := + gimli_hash_state (ad_1164) (s_1165). + +Definition process_msg + (message_1166 : byte_seq) + (s_1167 : state_t) + : (state_t '× byte_seq) := + let ciphertext_1168 : seq uint8 := + seq_new_ (default : uint8) (seq_len (message_1166)) in + let rate_1169 : uint_size := + array_length in + let num_chunks_1170 : uint_size := + seq_num_exact_chunks (message_1166) (rate_1169) in + let '(s_1167, ciphertext_1168) := + foldi (usize 0) (num_chunks_1170) (fun i_1171 '(s_1167, ciphertext_1168) => + let key_block_1172 : block_t := + squeeze_block (s_1167) in + let msg_block_1173 : seq uint8 := + seq_get_exact_chunk (message_1166) (rate_1169) (i_1171) in + let msg_block_1174 : block_t := + array_from_seq (16) (msg_block_1173) in + let ciphertext_1168 := + seq_set_exact_chunk (ciphertext_1168) (rate_1169) (i_1171) ( + array_to_seq ((msg_block_1174) array_xor (key_block_1172))) in + let s_1167 := + absorb_block (msg_block_1174) (s_1167) in + (s_1167, ciphertext_1168)) + (s_1167, ciphertext_1168) in + let key_block_1175 : block_t := + squeeze_block (s_1167) in + let last_block_1176 : seq uint8 := + seq_get_remainder_chunk (message_1166) (rate_1169) in + let block_len_1177 : uint_size := + seq_len (last_block_1176) in + let msg_block_padded_1178 : block_t := + array_new_ (default : uint8) (16) in + let msg_block_padded_1179 : block_t := + array_update_start (msg_block_padded_1178) (last_block_1176) in + let ciphertext_1168 := + seq_set_chunk (ciphertext_1168) (rate_1169) (num_chunks_1170) ( + array_slice_range ((msg_block_padded_1179) array_xor (key_block_1175)) (( + usize 0, + block_len_1177 + ))) in + let msg_block_padded_1179 := + array_upd msg_block_padded_1179 (block_len_1177) ((array_index ( + msg_block_padded_1179) (block_len_1177)) .^ (secret ( + @repr WORDSIZE8 1) : int8)) in + let s_1167 := + array_upd s_1167 (usize 11) ((array_index (s_1167) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_1167 := + absorb_block (msg_block_padded_1179) (s_1167) in + (s_1167, ciphertext_1168). + +Definition process_ct + (ciphertext_1180 : byte_seq) + (s_1181 : state_t) + : (state_t '× byte_seq) := + let message_1182 : seq uint8 := + seq_new_ (default : uint8) (seq_len (ciphertext_1180)) in + let rate_1183 : uint_size := + array_length in + let num_chunks_1184 : uint_size := + seq_num_exact_chunks (ciphertext_1180) (rate_1183) in + let '(s_1181, message_1182) := + foldi (usize 0) (num_chunks_1184) (fun i_1185 '(s_1181, message_1182) => + let key_block_1186 : block_t := + squeeze_block (s_1181) in + let ct_block_1187 : seq uint8 := + seq_get_exact_chunk (ciphertext_1180) (rate_1183) (i_1185) in + let ct_block_1188 : block_t := + array_from_seq (16) (ct_block_1187) in + let msg_block_1189 : block_t := + (ct_block_1188) array_xor (key_block_1186) in + let message_1182 := + seq_set_exact_chunk (message_1182) (rate_1183) (i_1185) (array_to_seq (( + ct_block_1188) array_xor (key_block_1186))) in + let s_1181 := + absorb_block (msg_block_1189) (s_1181) in + (s_1181, message_1182)) + (s_1181, message_1182) in + let key_block_1190 : block_t := + squeeze_block (s_1181) in + let ct_final_1191 : seq uint8 := + seq_get_remainder_chunk (ciphertext_1180) (rate_1183) in + let block_len_1192 : uint_size := + seq_len (ct_final_1191) in + let ct_block_padded_1193 : block_t := + array_new_ (default : uint8) (16) in + let ct_block_padded_1194 : block_t := + array_update_start (ct_block_padded_1193) (ct_final_1191) in + let msg_block_1195 : block_t := + (ct_block_padded_1194) array_xor (key_block_1190) in + let message_1182 := + seq_set_chunk (message_1182) (rate_1183) (num_chunks_1184) ( + array_slice_range (msg_block_1195) ((usize 0, block_len_1192))) in + let msg_block_1196 : block_t := + array_from_slice_range (default : uint8) (16) ( + array_to_seq (msg_block_1195)) ((usize 0, block_len_1192)) in + let msg_block_1196 := + array_upd msg_block_1196 (block_len_1192) ((array_index (msg_block_1196) ( + block_len_1192)) .^ (secret (@repr WORDSIZE8 1) : int8)) in + let s_1181 := + array_upd s_1181 (usize 11) ((array_index (s_1181) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_1181 := + absorb_block (msg_block_1196) (s_1181) in + (s_1181, message_1182). + +Definition nonce_to_u32s (nonce_1197 : nonce_t) : seq uint32 := + let uints_1198 : seq uint32 := + seq_new_ (default : uint32) (usize 4) in + let uints_1198 := + seq_upd uints_1198 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 0, usize 4 + )))) in + let uints_1198 := + seq_upd uints_1198 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 4, usize 8 + )))) in + let uints_1198 := + seq_upd uints_1198 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 8, usize 12 + )))) in + let uints_1198 := + seq_upd uints_1198 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 12, usize 16 + )))) in + uints_1198. + +Definition key_to_u32s (key_1199 : key_t) : seq uint32 := + let uints_1200 : seq uint32 := + seq_new_ (default : uint32) (usize 8) in + let uints_1200 := + seq_upd uints_1200 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 0, usize 4 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 4, usize 8 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 8, usize 12 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 12, usize 16 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 4) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 16, usize 20 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 5) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 20, usize 24 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 6) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 24, usize 28 + )))) in + let uints_1200 := + seq_upd uints_1200 (usize 7) (uint32_from_le_bytes (array_from_slice_range ( + default : uint8) (4) (array_to_seq (key_1199)) ((usize 28, usize 32 + )))) in + uints_1200. + +Definition gimli_aead_encrypt + (message_1201 : byte_seq) + (ad_1202 : byte_seq) + (nonce_1203 : nonce_t) + (key_1204 : key_t) + : (byte_seq '× tag_t) := + let s_1205 : state_t := + array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1203)) (key_to_u32s ( + key_1204))) in + let s_1206 : state_t := + gimli (s_1205) in + let s_1207 : state_t := + process_ad (ad_1202) (s_1206) in + let '(s_1208, ciphertext_1209) := + process_msg (message_1201) (s_1207) in + let tag_1210 : block_t := + squeeze_block (s_1208) in + let tag_1211 : tag_t := + array_from_seq (16) (array_to_seq (tag_1210)) in + (ciphertext_1209, tag_1211). + +Definition gimli_aead_decrypt + (ciphertext_1212 : byte_seq) + (ad_1213 : byte_seq) + (tag_1214 : tag_t) + (nonce_1215 : nonce_t) + (key_1216 : key_t) + : byte_seq := + let s_1217 : state_t := + array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1215)) (key_to_u32s ( + key_1216))) in + let s_1218 : state_t := + gimli (s_1217) in + let s_1219 : state_t := + process_ad (ad_1213) (s_1218) in + let '(s_1220, message_1221) := + process_ct (ciphertext_1212) (s_1219) in + let my_tag_1222 : block_t := + squeeze_block (s_1220) in + let my_tag_1223 : tag_t := + array_from_seq (16) (array_to_seq (my_tag_1222)) in + let out_1224 : seq uint8 := + seq_new_ (default : uint8) (usize 0) in + let '(out_1224) := + if array_equal (my_tag_1223) (tag_1214):bool then (let out_1224 := + message_1221 in + (out_1224)) else ((out_1224)) in + out_1224. + diff --git a/proof-libs/coq/src/Hacspec_Hkdf.v b/proof-libs/coq/src/Hacspec_Hkdf.v new file mode 100644 index 000000000..c92018f05 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Hkdf.v @@ -0,0 +1,93 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Hmac. + +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition hash_len_v : uint_size := + (usize 256) / (usize 8). + +Inductive hkdf_error_t := +| InvalidOutputLength : hkdf_error_t. + +Notation "'hkdf_byte_seq_result_t'" := (( + result byte_seq hkdf_error_t)) : hacspec_scope. + +Definition extract (salt_713 : byte_seq) (ikm_714 : byte_seq) : prk_t := + let salt_or_zero_715 : seq uint8 := + seq_new_ (default : uint8) (hash_len_v) in + let '(salt_or_zero_715) := + if (seq_len (salt_713)) >.? (usize 0):bool then (let salt_or_zero_715 := + seq_from_seq (salt_713) in + (salt_or_zero_715)) else ((salt_or_zero_715)) in + array_from_seq (_) (array_to_seq (hmac (salt_or_zero_715) (ikm_714))). + +Definition build_hmac_txt + (t_716 : byte_seq) + (info_717 : byte_seq) + (iteration_718 : uint8) + : byte_seq := + let out_719 : seq uint8 := + seq_new_ (default : uint8) (((seq_len (t_716)) + (seq_len (info_717))) + ( + usize 1)) in + let out_719 := + seq_update (out_719) (usize 0) (t_716) in + let out_719 := + seq_update (out_719) (seq_len (t_716)) (info_717) in + let out_719 := + seq_upd out_719 ((seq_len (t_716)) + (seq_len (info_717))) ( + iteration_718) in + out_719. + +Definition div_ceil (a_720 : uint_size) (b_721 : uint_size) : uint_size := + let q_722 : uint_size := + (a_720) / (b_721) in + let '(q_722) := + if ((a_720) %% (b_721)) !=.? (usize 0):bool then (let q_722 := + (q_722) + (usize 1) in + (q_722)) else ((q_722)) in + q_722. + +Definition check_output_limit + (l_723 : uint_size) + : (result uint_size hkdf_error_t) := + let n_724 : uint_size := + div_ceil (l_723) (hash_len_v) in + (if ((n_724) <=.? (usize 255)):bool then (@Ok uint_size hkdf_error_t ( + n_724)) else (@Err uint_size hkdf_error_t (InvalidOutputLength))). + +Definition expand + (prk_725 : byte_seq) + (info_726 : byte_seq) + (l_727 : uint_size) + : hkdf_byte_seq_result_t := + bind (check_output_limit (l_727)) (fun n_728 => let t_i_729 : prk_t := + array_new_ (default : uint8) (_) in + let t_730 : seq uint8 := + seq_new_ (default : uint8) ((n_728) * (hash_size_v)) in + let '(t_i_729, t_730) := + foldi (usize 0) (n_728) (fun i_731 '(t_i_729, t_730) => + let hmac_txt_in_732 : seq uint8 := + (if ((i_731) =.? (usize 0)):bool then (build_hmac_txt (seq_new_ ( + default : uint8) (usize 0)) (info_726) (secret ((pub_u8 ( + i_731)) .+ (@repr WORDSIZE8 1)) : int8)) else ( + build_hmac_txt (seq_from_seq (array_to_seq (t_i_729))) ( + info_726) (secret ((pub_u8 (i_731)) .+ ( + @repr WORDSIZE8 1)) : int8))) in + let t_i_729 := + hmac (prk_725) (hmac_txt_in_732) in + let t_730 := + seq_update (t_730) ((i_731) * (array_len (t_i_729))) ( + array_to_seq (t_i_729)) in + (t_i_729, t_730)) + (t_i_729, t_730) in + @Ok byte_seq hkdf_error_t (seq_slice (t_730) (usize 0) (l_727))). + diff --git a/proof-libs/coq/src/Hacspec_Hmac.v b/proof-libs/coq/src/Hacspec_Hmac.v new file mode 100644 index 000000000..3c50a5a70 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Hmac.v @@ -0,0 +1,178 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition block_len_v : uint_size := + k_size_v. + +Definition prk_t := nseq (uint8) (hash_size_v). + +Definition block_t := nseq (uint8) (block_len_v). + +Definition i_pad_v : block_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8 + ] in l). + +Definition o_pad_v : block_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8 + ] in l). + +Definition k_block (k_733 : byte_seq) : block_t := + (if ((seq_len (k_733)) >.? (block_len_v)):bool then (array_update_start ( + array_new_ (default : uint8) (block_len_v)) (array_to_seq (hash ( + k_733)))) else (array_update_start (array_new_ (default : uint8) ( + block_len_v)) (k_733))). + +Definition hmac (k_734 : byte_seq) (txt_735 : byte_seq) : prk_t := + let k_block_736 : block_t := + k_block (k_734) in + let h_in_737 : seq uint8 := + seq_from_seq (array_to_seq ((k_block_736) array_xor (i_pad_v))) in + let h_in_737 := + seq_concat (h_in_737) (txt_735) in + let h_inner_738 : sha256_digest_t := + hash (h_in_737) in + let h_in_739 : seq uint8 := + seq_from_seq (array_to_seq ((k_block_736) array_xor (o_pad_v))) in + let h_in_739 := + seq_concat (h_in_739) (array_to_seq (h_inner_738)) in + array_from_seq (hash_size_v) (array_to_seq (hash (h_in_739))). + diff --git a/proof-libs/coq/src/Hacspec_Lib.v b/proof-libs/coq/src/Hacspec_Lib.v new file mode 100644 index 000000000..db9798fa4 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Lib.v @@ -0,0 +1,1783 @@ +Global Set Warnings "-ambiguous-paths". +Global Set Warnings "-uniform-inheritance". +Global Set Warnings "-auto-template". +Global Set Warnings "-disj-pattern-notation". +(*** Integers *) +From Coq Require Import ZArith List. +Import ListNotations. +(* Require Import IntTypes. *) + +Require Import MachineIntegers. +From Coqprime Require GZnZ. + +Require Import Lia. + +Declare Scope hacspec_scope. + +Axiom secret : forall {WS : WORDSIZE}, (@int WS) -> (@int WS). + +Axiom uint8_declassify : int8 -> int8. +Axiom int8_declassify : int8 -> int8. +Axiom uint16_declassify : int16 -> int16. +Axiom int16_declassify : int16 -> int16. +Axiom uint32_declassify : int32 -> int32. +Axiom int32_declassify : int32 -> int32. +Axiom uint64_declassify : int64 -> int64. +Axiom int64_declassify : int64 -> int64. +Axiom uint128_declassify : int128 -> int128. +Axiom int128_declassify : int128 -> int128. + +Axiom uint8_classify : int8 -> int8. +Axiom int8_classify : int8 -> int8. +Axiom uint16_classify : int16 -> int16. +Axiom int16_classify : int16 -> int16. +Axiom uint32_classify : int32 -> int32. +Axiom int32_classify : int32 -> int32. +Axiom uint64_classify : int64 -> int64. +Axiom int64_classify : int64 -> int64. +Axiom uint128_classify : int128 -> int128. +Axiom int128_classify : int128 -> int128. + + +(* CompCert integers' signedness is only interpreted through 'signed' and 'unsigned', + and not in the representation. Therefore, uints are just names for their respective ints. +*) +Definition uint8 := int8. +Definition uint16 := int16. +Definition uint32 := int32. +Definition uint64 := int64. +Definition uint128 := int128. + +Definition uint_size := int32. +Definition int_size := int32. + +Axiom declassify_usize_from_uint8 : uint8 -> uint_size. + +(* Represents any type that can be converted to uint_size and back *) +Class UInt_sizable (A : Type) := { + usize : A -> uint_size; + from_uint_size : uint_size -> A; +}. +Arguments usize {_} {_}. +Arguments from_uint_size {_} {_}. + +Global Instance nat_uint_sizable : UInt_sizable nat := { + usize n := repr (Z.of_nat n); + from_uint_size n := Z.to_nat (unsigned n); +}. + +Global Instance N_uint_sizable : UInt_sizable N := { + usize n := repr (Z.of_N n); + from_uint_size n := Z.to_N (unsigned n); +}. + +Global Instance Z_uint_sizable : UInt_sizable Z := { + usize n := repr n; + from_uint_size n := unsigned n; +}. + + +(* Same, but for int_size *) +Class Int_sizable (A : Type) := { + isize : A -> int_size; + from_int_size : int_size -> A; +}. + +Arguments isize {_} {_}. +Arguments from_int_size {_} {_}. + +Global Instance nat_Int_sizable : Int_sizable nat := { + isize n := repr (Z.of_nat n); + from_int_size n := Z.to_nat (signed n); +}. + +Global Instance N_Int_sizable : Int_sizable N := { + isize n := repr (Z.of_N n); + from_int_size n := Z.to_N (signed n); +}. + +Global Instance Z_Int_sizable : Int_sizable Z := { + isize n := repr n; + from_int_size n := signed n; +}. + + +(**** Public integers *) + +Definition pub_u8 (n : Z) : int8 := repr n. +Definition pub_i8 (n : Z) : int8 := repr n. +Definition pub_u16 (n : Z) : int16 := repr n. +Definition pub_i16 (n : Z) : int16 := repr n. +Definition pub_u32 (n : Z) : int32 := repr n. +Definition pub_i32 (n : Z) : int32 := repr n. +Definition pub_u64 (n : Z) : int64 := repr n. +Definition pub_i64 (n : Z) : int64 := repr n. +Definition pub_u128 (n : Z) : int128 := repr n. +Definition pub_i128 (n : Z) : int128 := repr n. + +(**** Operations *) + +(* Should maybe use size of s instead? *) +Definition uint8_rotate_left (u: int8) (s: int8) : int8 := rol u s. +Definition uint8_rotate_right (u: int8) (s: int8) : int8 := ror u s. + +Definition uint16_rotate_left (u: int16) (s: int16) : int16 := rol u s. +Definition uint16_rotate_right (u: int16) (s: int16) : int16 := ror u s. + +Definition uint32_rotate_left (u: int32) (s: int32) : int32 := rol u s. +Definition uint32_rotate_right (u: int32) (s: int32) : int32 := ror u s. + +Definition uint64_rotate_left (u: int64) (s: int64) : int64 := rol u s. +Definition uint64_rotate_right (u: int64) (s: int64) : int64 := ror u s. + +Definition uint128_rotate_left (u: int128) (s: int128) : int128 := rol u s. +Definition uint128_rotate_right (u: int128) (s: int128) : int128 := ror u s. + +(* should use size u instead of u? *) +Definition usize_shift_right (u: uint_size) (s: int32) : uint_size := ror u s. +Infix "usize_shift_right" := (usize_shift_right) (at level 77) : hacspec_scope. + +(* should use size u instead of u? *) +Definition usize_shift_left (u: uint_size) (s: int32) : uint_size := rol u s. +Infix "usize_shift_left" := (usize_shift_left) (at level 77) : hacspec_scope. + +Definition pub_uint128_wrapping_add (x y: int128) : int128 := add x y. + +Definition shift_left_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := + MachineIntegers.shl i (repr (from_uint_size j)). + +Definition shift_right_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := + MachineIntegers.shr i (repr (from_uint_size j)) . + +Infix "shift_left" := (shift_left_) (at level 77) : hacspec_scope. +Infix "shift_right" := (shift_right_) (at level 77) : hacspec_scope. + +Infix "%%" := Z.rem (at level 40, left associativity) : Z_scope. +Infix ".+" := (MachineIntegers.add) (at level 77) : hacspec_scope. +Infix ".-" := (MachineIntegers.sub) (at level 77) : hacspec_scope. +Notation "-" := (MachineIntegers.neg) (at level 77) : hacspec_scope. +Infix ".*" := (MachineIntegers.mul) (at level 77) : hacspec_scope. +Infix "./" := (MachineIntegers.divs) (at level 77) : hacspec_scope. +Infix ".%" := (MachineIntegers.mods) (at level 77) : hacspec_scope. +Infix ".^" := (MachineIntegers.xor) (at level 77) : hacspec_scope. +Infix ".&" := (MachineIntegers.and) (at level 77) : hacspec_scope. +Infix ".|" := (MachineIntegers.or) (at level 77) : hacspec_scope. +Infix "==" := (MachineIntegers.eq) (at level 32) : hacspec_scope. +(* Definition one := (@one WORDSIZE32). *) +(* Definition zero := (@zero WORDSIZE32). *) +Notation "A × B" := (prod A B) (at level 79, left associativity) : hacspec_scope. + +(*** Positive util *) + +Fixpoint binary_representation_pre (n : nat) {struct n}: positive := + match n with + | O => 1 + | S O => 1 + | S n => Pos.succ (binary_representation_pre n) + end%positive. +Definition binary_representation (n : nat) `(n <> O) := binary_representation_pre n. + +Theorem positive_is_succs : forall n, forall (H : n <> O) (K : S n <> O), + @binary_representation (S n) K = Pos.succ (@binary_representation n H). +Proof. induction n ; [contradiction | reflexivity]. Qed. + +(* Conversion of positive to binary representation *) +Theorem positive_to_positive_succs : forall p, binary_representation (Pos.to_nat p) (Nat.neq_sym _ _ (Nat.lt_neq _ _ (Pos2Nat.is_pos p))) = p. +Proof. + intros p. + generalize dependent (Nat.neq_sym 0 (Pos.to_nat p) (Nat.lt_neq 0 (Pos.to_nat p) (Pos2Nat.is_pos p))). + + destruct Pos.to_nat eqn:ptno. + - contradiction. + - generalize dependent p. + induction n ; intros. + + cbn. + apply Pos2Nat.inj. + symmetry. + apply ptno. + + rewrite positive_is_succs with (H := Nat.neq_succ_0 n). + rewrite IHn with (p := Pos.of_nat (S n)). + * rewrite <- Nat2Pos.inj_succ by apply Nat.neq_succ_0. + rewrite <- ptno. + apply Pos2Nat.id. + * apply Nat2Pos.id. + apply Nat.neq_succ_0. +Qed. + +(*** Uint size util *) + +(* If a natural number is in bound then a smaller natural number is still in bound *) +Lemma range_of_nat_succ : + forall {WS : WORDSIZE}, + forall i, (Z.pred 0 < Z.of_nat (S i) < modulus)%Z -> (Z.pred 0 < Z.of_nat i < modulus)%Z. +Proof. lia. Qed. + +(* Conversion to equivalent bound *) +Lemma modulus_range_helper : + forall {WS : WORDSIZE}, + forall i, (Z.pred 0 < i < modulus)%Z -> (0 <= i <= max_unsigned)%Z. +Proof. unfold max_unsigned. lia. Qed. + +Definition unsigned_repr_alt {WS : WORDSIZE} (a : Z) `((Z.pred 0 < a < modulus)%Z) : unsigned (repr a) = a := + unsigned_repr a (modulus_range_helper a H). + +Theorem zero_always_modulus {WS : WORDSIZE} : (Z.pred 0 < 0 < modulus)%Z. +Proof. easy. Qed. + +(* any uint_size can be represented as a natural number and a bound *) +(* this is easier for proofs, however less efficient for computation *) +(* as Z uses a binary representation *) +Theorem uint_size_as_nat : + forall (us: uint_size), + { n : nat | + us = repr (Z.of_nat n) /\ (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z}. +Proof. + destruct us. + exists (Z.to_nat intval). + rewrite Z2Nat.id by (apply Z.lt_pred_le ; apply intrange). + + split. + - apply mkint_eq. + rewrite Z_mod_modulus_eq. + rewrite Z.mod_small. + + reflexivity. + + lia. + - apply intrange. +Qed. + +(* destruct uint_size as you would a natural number *) +Definition destruct_uint_size_as_nat (a : uint_size) : forall (P : uint_size -> Prop), + forall (zero_case : P (repr 0)), + forall (succ_case : forall (n : nat), (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z -> P (repr (Z.of_nat n))), + P a. +Proof. + intros. + destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + destruct n. + - apply zero_case. + - apply succ_case. + apply yb. +Qed. + +Ltac destruct_uint_size_as_nat a := + generalize dependent a ; + intros a ; + apply (destruct_uint_size_as_nat a) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let H := fresh in intros n H ; pose proof (@unsigned_repr_alt WORDSIZE32 _ H)] ; intros. + +(* induction for uint_size as you would do for a natural number *) +Definition induction_uint_size_as_nat : + forall (P : uint_size -> Prop), + (P (repr 0)) -> + (forall n, + (Z.pred 0 < Z.succ (Z.of_nat n) < @modulus WORDSIZE32)%Z -> + P (repr (Z.of_nat n)) -> + P (repr (Z.succ (Z.of_nat n)))) -> + forall (a : uint_size), P a. +Proof. + intros P H_zero H_ind a. + destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + induction n. + - apply H_zero. + - rewrite Nat2Z.inj_succ. + apply H_ind. + + rewrite <- Nat2Z.inj_succ. + apply yb. + + apply IHn. + lia. +Qed. + +Ltac induction_uint_size_as_nat var := + generalize dependent var ; + intros var ; + apply induction_uint_size_as_nat with (a := var) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let IH := fresh in intros n IH ; pose proof (@unsigned_repr_alt WORDSIZE32 _ IH)] ; intros. + +(* conversion of usize to positive or zero and the respective bound *) +Theorem uint_size_as_positive : + forall (us: uint_size), + { pu : unit + positive | + match pu with inl u => us = repr Z0 | inr p => us = repr (Z.pos p) /\ (Z.pred 0 < Z.pos p < @modulus WORDSIZE32)%Z end + }. +Proof. + destruct us. + destruct intval. + - exists (inl tt). apply mkint_eq. reflexivity. + - exists (inr p). + split. + + apply mkint_eq. + rewrite Z_mod_modulus_eq. + symmetry. + apply Zmod_small. + lia. + + apply intrange. + - exfalso. + lia. +Defined. + +(* destruction of uint_size as positive *) +Definition destruct_uint_size_as_positive (a : uint_size) : forall (P : uint_size -> Prop), + (P (repr 0)) -> + (forall b, (Z.pred 0 < Z.pos b < @modulus WORDSIZE32)%Z -> P (repr (Z.pos b))) -> + P a. +Proof. + intros P H_zero H_succ. + destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - apply H_succ. + apply yb. +Qed. + +Ltac destruct_uint_size_as_positive a := + generalize dependent a ; + intros a ; + apply (destruct_uint_size_as_positive a) ; intros. + +(* induction of uint_size as positive *) +Definition induction_uint_size_as_positive : + forall (P : uint_size -> Prop), + (P (repr 0)) -> + (P (repr 1)) -> + (forall b, + (Z.pred 0 < Z.succ (Z.pos b) < @modulus WORDSIZE32)%Z -> + P (repr (Z.pos b)) -> + P (repr (Z.succ (Z.pos b)))) -> + forall (a : uint_size), P a. +Proof. + intros P H_zero H_one H_ind a. + + destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - pose proof (pos_succ_b := positive_to_positive_succs b) + ; symmetry in pos_succ_b + ; rewrite pos_succ_b in * + ; clear pos_succ_b. + + generalize dependent (Nat.neq_sym 0 (Pos.to_nat b) (Nat.lt_neq 0 (Pos.to_nat b) (Pos2Nat.is_pos b))). + + induction (Pos.to_nat b). + + contradiction. + + intros n_neq yb. + destruct n. + * apply H_one. + * rewrite (positive_is_succs _ (Nat.neq_succ_0 n) n_neq) in *. + rewrite Pos2Z.inj_succ in *. + apply H_ind. + -- apply yb. + -- apply IHn. + lia. +Qed. + +Ltac induction_uint_size_as_positive var := + generalize dependent var ; + intros var ; + apply induction_uint_size_as_positive with (a := var) ; intros ; [ | | ]. + +(*** Loops *) + +Open Scope nat_scope. +Fixpoint foldi_ + {acc : Type} + (fuel : nat) + (i : uint_size) + (f : uint_size -> acc -> acc) + (cur : acc) : acc := + match fuel with + | 0 => cur + | S n' => foldi_ n' (add i one) f (f i cur) + end. +Close Scope nat_scope. +Definition foldi + {acc: Type} + (lo: uint_size) + (hi: uint_size) (* {lo <= hi} *) + (f: (uint_size) -> acc -> acc) (* {i < hi} *) + (init: acc) : acc := + match Z.sub (unsigned hi) (unsigned lo) with + | Z0 => init + | Zneg p => init + | Zpos p => foldi_ (Pos.to_nat p) lo f init + end. + +(* Fold done using natural numbers for bounds *) +Fixpoint foldi_nat_ + {acc : Type} + (fuel : nat) + (i : nat) + (f : nat -> acc -> acc) + (cur : acc) : acc := + match fuel with + | O => cur + | S n' => foldi_nat_ n' (S i) f (f i cur) + end. +Definition foldi_nat + {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc) : acc := + match Nat.sub hi lo with + | O => init + | S n' => foldi_nat_ (S n') lo f init + end. + +Lemma foldi__move_S : + forall {acc: Type} + (fuel : nat) + (i : uint_size) + (f : uint_size -> acc -> acc) + (cur : acc), + foldi_ fuel (add i one) f (f i cur) = foldi_ (S fuel) i f cur. +Proof. reflexivity. Qed. + +Lemma foldi__nat_move_S : + forall {acc: Type} + (fuel : nat) + (i : nat) + (f : nat -> acc -> acc) + (cur : acc), + foldi_nat_ fuel (S i) f (f i cur) = foldi_nat_ (S fuel) i f cur. +Proof. reflexivity. Qed. + +(* You can do one iteration of the fold by burning a unit of fuel *) +Lemma foldi__move_S_fuel : + forall {acc: Type} + (fuel : nat) + (i : uint_size) + (f : uint_size -> acc -> acc) + (cur : acc), + (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> + f (add (repr (Z.of_nat fuel)) i) (foldi_ (fuel) i f cur) = foldi_ (S (fuel)) i f cur. +Proof. + intros acc fuel. + induction fuel ; intros. + - cbn. + replace (repr 0) with (@zero WORDSIZE32) by reflexivity. + rewrite add_zero_l. + reflexivity. + - do 2 rewrite <- foldi__move_S. + replace (add (repr (Z.of_nat (S fuel))) i) + with (add (repr (Z.of_nat fuel)) (add i one)). + 2 : { + rewrite <- (add_commut one). + rewrite <- add_assoc. + f_equal. + unfold add. + f_equal. + rewrite unsigned_one. + rewrite Z.add_1_r. + rewrite Nat2Z.inj_succ. + f_equal. + apply unsigned_repr. + lia. + } + rewrite IHfuel. + reflexivity. + lia. +Qed. + +(* You can do one iteration of the fold by burning a unit of fuel *) +Lemma foldi__nat_move_S_fuel : + forall {acc: Type} + (fuel : nat) + (i : nat) + (f : nat -> acc -> acc) + (cur : acc), + (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> + f (fuel + i)%nat (foldi_nat_ fuel i f cur) = foldi_nat_ (S fuel) i f cur. +Proof. + induction fuel ; intros. + - reflexivity. + - do 2 rewrite <- foldi__nat_move_S. + replace (S fuel + i)%nat with (fuel + (S i))%nat by (symmetry ; apply plus_Snm_nSm). + rewrite IHfuel. + + reflexivity. + + lia. +Qed. + +(* folds and natural number folds compute the same thing *) +Lemma foldi_to_foldi_nat : + forall {acc: Type} + (lo: uint_size) (* {lo <= hi} *) + (hi: uint_size) (* {lo <= hi} *) + (f: (uint_size) -> acc -> acc) (* {i < hi} *) + (init: acc), + (unsigned lo <= unsigned hi)%Z -> + foldi lo hi f init = foldi_nat (Z.to_nat (unsigned lo)) (Z.to_nat (unsigned hi)) (fun x => f (repr (Z.of_nat x))) init. +Proof. + intros. + + unfold foldi. + unfold foldi_nat. + + destruct (uint_size_as_nat hi) as [ hi_n [ hi_eq hi_H ] ] ; subst. + rewrite (@unsigned_repr_alt WORDSIZE32 _ hi_H) in *. + rewrite Nat2Z.id. + + destruct (uint_size_as_nat lo) as [ lo_n [ lo_eq lo_H ] ] ; subst. + rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. + rewrite Nat2Z.id. + + remember (hi_n - lo_n)%nat as n. + apply f_equal with (f := Z.of_nat) in Heqn. + rewrite (Nat2Z.inj_sub) in Heqn by (apply Nat2Z.inj_le ; apply H). + rewrite <- Heqn. + + assert (H_bound : (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z) by lia. + + clear Heqn. + induction n. + - reflexivity. + - pose proof (H_max_bound := modulus_range_helper _ (range_of_nat_succ _ H_bound)). + rewrite <- foldi__nat_move_S_fuel by apply H_max_bound. + cbn. + rewrite SuccNat2Pos.id_succ. + rewrite <- foldi__move_S_fuel by apply H_max_bound. + + destruct n. + + cbn. + replace (repr 0) with (@zero WORDSIZE32) by reflexivity. + rewrite add_zero_l. + reflexivity. + + cbn in *. + assert (H_bound_pred: (Z.pred 0 < Z.pos (Pos.of_succ_nat n) < @modulus WORDSIZE32)%Z) by lia. + rewrite <- (IHn H_bound_pred) ; clear IHn. + f_equal. + * unfold add. + f_equal. + rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. + rewrite (unsigned_repr_alt _ H_bound_pred). + do 2 rewrite Zpos_P_of_succ_nat. + rewrite Z.add_succ_l. + f_equal. + rewrite Nat2Z.inj_add. + reflexivity. + * rewrite SuccNat2Pos.id_succ. + rewrite foldi__move_S. + reflexivity. +Qed. + +(* folds can be computed by doing one iteration and incrementing the lower bound *) +Lemma foldi_nat_split_S : + forall {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc), + (lo < hi)%nat -> + foldi_nat lo hi f init = foldi_nat (S lo) hi f (foldi_nat lo (S lo) f init). +Proof. + unfold foldi_nat. + intros. + + assert (succ_sub_diag : forall n, (S n - n = 1)%nat) by lia. + rewrite (succ_sub_diag lo). + + induction hi ; [ lia | ]. + destruct (S hi =? S lo)%nat eqn:hi_eq_lo. + - apply Nat.eqb_eq in hi_eq_lo ; rewrite hi_eq_lo in *. + rewrite (succ_sub_diag lo). + rewrite Nat.sub_diag. + reflexivity. + - apply Nat.eqb_neq in hi_eq_lo. + apply Nat.lt_gt_cases in hi_eq_lo. + destruct hi_eq_lo. + + lia. + + rewrite (Nat.sub_succ_l (S lo)) by apply (Nat.lt_le_pred _ _ H0). + rewrite Nat.sub_succ_l by apply (Nat.lt_le_pred _ _ H). + replace ((S (hi - S lo))) with (hi - lo)%nat by lia. + reflexivity. +Qed. + +(* folds can be split at some valid offset from lower bound *) +Lemma foldi_nat_split_add : + forall (k : nat), + forall {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc), + forall {guarantee: (lo + k <= hi)%nat}, + foldi_nat lo hi f init = foldi_nat (k + lo) hi f (foldi_nat lo (k + lo) f init). +Proof. + induction k ; intros. + - cbn. + unfold foldi_nat. + rewrite Nat.sub_diag. + reflexivity. + - rewrite foldi_nat_split_S by lia. + replace (S k + lo)%nat with (k + S lo)%nat by lia. + specialize (IHk acc (S lo) hi f (foldi_nat lo (S lo) f init)). + rewrite IHk by lia. + f_equal. + rewrite <- foldi_nat_split_S by lia. + reflexivity. +Qed. + +(* folds can be split at some midpoint *) +Lemma foldi_nat_split : + forall (mid : nat), (* {lo <= mid <= hi} *) + forall {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc), + forall {guarantee: (lo <= mid <= hi)%nat}, + foldi_nat lo hi f init = foldi_nat mid hi f (foldi_nat lo mid f init). +Proof. + intros. + assert (mid_is_low_plus_constant : {k : nat | (mid = lo + k)%nat}) by (exists (mid - lo)%nat ; lia). + destruct mid_is_low_plus_constant ; subst. + rewrite Nat.add_comm. + apply foldi_nat_split_add. + apply guarantee. +Qed. + +(* folds can be split at some midpoint *) +Lemma foldi_split : + forall (mid : uint_size), (* {lo <= mid <= hi} *) + forall {acc: Type} + (lo: uint_size) + (hi: uint_size) (* {lo <= hi} *) + (f: uint_size -> acc -> acc) (* {i < hi} *) + (init: acc), + forall {guarantee: (unsigned lo <= unsigned mid <= unsigned hi)%Z}, + foldi lo hi f init = foldi mid hi f (foldi lo mid f init). +Proof. + intros. + do 3 rewrite foldi_to_foldi_nat by lia. + apply foldi_nat_split ; lia. +Qed. + +(*** Default *) + +(* Typeclass handling of default elements, for use in sequences/arrays. + We provide instances for the library integer types *) +Class Default (A : Type) := { + default : A +}. +Global Arguments default {_} {_}. + +(*** Seq *) + +Definition nseq := VectorDef.t. + +Definition seq (A : Type) := list A. + +(* Automatic conversion from nseq/vector/array to seq/list *) +(* Global Coercion VectorDef.to_list : VectorDef.t >-> list. *) + +Definition public_byte_seq := seq int8. +Definition byte_seq := seq int8. +Definition list_len := length. + +Definition seq_index {A: Type} `{Default A} (s: seq A) (i : nat) := + List.nth i s default. + +Definition seq_len {A: Type} (s: seq A) : N := N.of_nat (length s). + +Definition seq_new_ {A: Type} (init : A) (len: nat) : seq A := + Vector.to_list (VectorDef.const init len). + +Definition seq_new {A: Type} `{Default A} (len: nat) : seq A := + seq_new_ default len. + +Fixpoint array_from_list (A: Type) (l: list A) : nseq A (length l) := + match l return (nseq A (length l)) with + | [] => VectorDef.nil A + | x :: xs => VectorDef.cons A x (length xs) (array_from_list A xs) + end. + + (* match l, length l with *) +(* | [], O => VectorDef.nil A *) +(* | (x :: xs), S n => VectorDef.cons A x (length xs) (array_from_list A xs) *) +(* end. *) +(* - apply (VectorDef.cons A a (length l) (array_from_list A l)). *) +(* Defined. *) + + (* match l with *) + (* | [] => VectorDef.nil *) + (* | (x :: xs) => VectorDef.cons A x (length xs) (array_from_list xs) *) + (* end. *) + +(* Definition array_from_list (A: Type) (l: list A) : nseq A (length l) := *) + (* VectorDef.of_list l. *) +(* Proof. *) +(* induction l. *) +(* - apply (VectorDef.nil A). *) +(* - apply (VectorDef.cons A a (length l) IHl). *) +(* Defined. *) + +(* automatic conversion from list to array *) +(* Global Coercion array_from_list : list >-> nseq. *) + + +(**** Array manipulation *) + + +Definition array_new_ {A: Type} (init:A) (len: nat) : nseq A len := + VectorDef.const init len. + +Open Scope nat_scope. +Definition array_index {A: Type} `{Default A} {len : nat} (s: nseq A len) (i: nat) : A. +Proof. + destruct (i nat -> nat -> seq A -> t A len. *) +Definition update_sub {A len slen} `{Default A} (v : nseq A len) (i : nat) (n : nat) (sub : nseq A slen) : nseq A len := + let fix rec x acc := + match x with + | 0 => acc + (* | 0 => array_upd acc 0 (array_index sub 0) *) + | S x => rec x (array_upd acc (i+x) (array_index sub x)) + end in + rec (n - i + 1) v. + +(* Sanity check *) +(* Compute (to_list (update_sub [1;2;3;4;5] 0 4 (of_list [9;8;7;6;12]))). *) + +Definition array_to_seq + {a: Type} + {out_len:nat} + (input: nseq a out_len) + (* {H : List.length input = out_len} *) + : seq a := VectorDef.to_list input. + +Definition array_from_seq + {a: Type} + `{Default a} + (out_len:nat) + (input: seq a) + : nseq a out_len := + let out := VectorDef.const default out_len in + update_sub out 0 (out_len - 1) (Vector.of_list input). + +(* Global Coercion array_from_seq : seq >-> nseq. *) + +Definition slice {A} (l : seq A) (i j : nat) : seq A := + if j <=? i then [] else firstn (j-i+1) (skipn i l). + +Definition lseq_slice {A n} (l : nseq A n) (i j : nat) : nseq A _ := + VectorDef.of_list (slice (VectorDef.to_list l) i j). + +Definition array_from_slice + {a: Type} + `{Default a} + (default_value: a) + (out_len: nat) + (input: seq a) + (start: nat) + (slice_len: nat) + : nseq a out_len := + let out := VectorDef.const default_value out_len in + update_sub out 0 slice_len (lseq_slice (VectorDef.of_list input) start (start + slice_len)). + + +Definition array_slice + {a: Type} + `{Default a} + {len : nat} + (input: nseq a len) + (start: nat) + (slice_len: nat) + : seq a := + slice (array_to_seq input) start (start + slice_len). + + +Definition array_from_slice_range + {a: Type} + `{Default a} + (default_value: a) + (out_len: nat) + (input: seq a) + (start_fin: (uint_size * uint_size)) + : nseq a out_len := + let out := array_new_ default_value out_len in + let (start, fin) := start_fin in + update_sub out 0 ((from_uint_size fin) - (from_uint_size start)) (VectorDef.of_list (slice input (from_uint_size start) (from_uint_size fin))). + + +Definition array_slice_range + {a: Type} + {len : nat} + (input: nseq a len) + (start_fin:(uint_size * uint_size)) + : nseq a _ := + lseq_slice input (from_uint_size (fst start_fin)) (from_uint_size (snd start_fin)). + +Definition array_update + {a: Type} + `{Default a} + {len: nat} + (s: nseq a len) + (start : nat) + (start_s: seq a) + : nseq a len := + update_sub (s) start (length start_s) (VectorDef.of_list start_s). + +Definition array_update_start + {a: Type} + `{Default a} + {len: nat} + (s: nseq a len) + (start_s: seq a) + : nseq a len := + update_sub (s) 0 (length start_s) (VectorDef.of_list start_s). + +Definition array_len {a: Type} {len: nat} (s: nseq a len) := len. +(* May also come up as 'length' instead of 'len' *) +Definition array_length {a: Type} {len: nat} (s: nseq a len) := len. + +(**** Seq manipulation *) + +Definition seq_slice + {a: Type} + `{Default a} + (s: seq a) + (start: nat) + (len: nat) + : seq a := + (slice s start (start + len)). + +Definition seq_slice_range + {a: Type} + `{Default a} + (input: seq a) + (start_fin:(uint_size * uint_size)) + : seq a := + seq_slice input (from_uint_size (fst start_fin)) (from_uint_size (snd start_fin)). + +(* updating a subsequence in a sequence *) +Definition seq_update + {a: Type} + `{Default a} + (s: seq a) + (start: nat) + (input: seq a) + : seq a := + array_to_seq (update_sub (VectorDef.of_list s) start (length input) (VectorDef.of_list input)). + +(* updating only a single value in a sequence*) +Definition seq_upd + {a: Type} + `{Default a} + (s: seq a) + (start: nat) + (v: a) + : seq a := + array_to_seq (update_sub (VectorDef.of_list s) start 1 (VectorDef.of_list [v])). + +Definition sub {a} (s : list a) start n := + slice s start (start + n). + +Definition seq_update_start + {a: Type} + `{Default a} + (s: seq a) + (start_s: seq a) + : seq a := + array_to_seq (update_sub (VectorDef.of_list s) 0 (length start_s) (VectorDef.of_list start_s)). + +Definition array_update_slice + {a : Type} + `{Default a} + {l : nat} + (out: nseq a l) + (start_out: nat) + (input: seq a) + (start_in: nat) + (len: nat) + : nseq a (array_length out) + := + update_sub (out) start_out len + (VectorDef.of_list (sub input start_in len)). + +Definition seq_update_slice + {a : Type} + `{Default a} + (out: seq a) + (start_out: nat) + (input: seq a) + (start_in: nat) + (len: nat) + : nseq a (length out) + := + update_sub (VectorDef.of_list out) start_out len + (VectorDef.of_list (sub input start_in len)). + +Definition seq_concat + {a : Type} + (s1 :seq a) + (s2: seq a) + : seq a := + (s1 ++ s2). + +Definition seq_push + {a : Type} + (s1 :seq a) + (s2: a) + : seq a := + (s1 ++ [s2]). + +Definition seq_from_slice_range + {a: Type} + `{Default a} + (input: seq a) + (start_fin: (uint_size * uint_size)) + : seq a := + let out := array_new_ (default) (length input) in + let (start, fin) := start_fin in + array_to_seq (update_sub out 0 ((from_uint_size fin) - (from_uint_size start)) (VectorDef.of_list (slice input (from_uint_size start) (from_uint_size fin)))). + +Definition seq_from_seq {A} (l : seq A) := l. + + +(**** Chunking *) + +Definition seq_num_chunks {a: Type} (s: seq a) (chunk_len: nat) : nat := + ((length s) + chunk_len - 1) / chunk_len. + +Definition seq_chunk_len + {a: Type} + (s: seq a) + (chunk_len: nat) + (chunk_num: nat) + : nat := + let idx_start := chunk_len * chunk_num in + if (length s) + out_len := seq_chunk_len s chunk_len chunk_num /\ LSeq.length chunk := out_len + )) *) + := + let idx_start := chunk_len * chunk_num in + let out_len := seq_chunk_len s chunk_len chunk_num in + (usize out_len, slice + s idx_start (idx_start + seq_chunk_len s chunk_len chunk_num)). + +Definition seq_set_chunk + {a: Type} + `{Default a} + (s: seq a) + (chunk_len: nat) + (chunk_num: nat) + (chunk: seq a ) : seq a := + let idx_start := chunk_len * chunk_num in + let out_len := seq_chunk_len s chunk_len chunk_num in + VectorDef.to_list (update_sub (VectorDef.of_list s) idx_start out_len (VectorDef.of_list chunk)). + + +Definition seq_num_exact_chunks {a} (l : seq a) (chunk_size : uint_size) : uint_size := + divs (repr (Z.of_nat (length l))) chunk_size. + +(* Until #84 is fixed this returns an empty sequence if not enough *) +Definition seq_get_exact_chunk {a} (l : seq a) (chunk_size chunk_num: uint_size) : seq a := + let '(len, chunk) := seq_get_chunk l (from_uint_size chunk_size) (from_uint_size chunk_num) in + if eq len chunk_size then [] else chunk. + +Definition seq_set_exact_chunk {a} `{H : Default a} := @seq_set_chunk a H. + +Definition seq_get_remainder_chunk : forall {a}, seq a -> uint_size -> seq a := + fun _ l chunk_size => + let chunks := seq_num_chunks l (from_uint_size chunk_size) in + let last_chunk := if 0 @MachineIntegers.xor WS x y :: (seq_xor_ xs ys) + | [], y => y + | x, [] => x + end. +Infix "seq_xor" := seq_xor_ (at level 33) : hacspec_scope. + +Fixpoint seq_truncate {a} (x : seq a) (n : nat) : seq a := (* uint_size *) + match x, n with + | _, 0 => [] + | [], _ => [] + | (x :: xs), S n' => x :: (seq_truncate xs n') + end. + +(**** Numeric operations *) + +(* takes two nseq's and joins them using a function op : a -> a -> a *) +Definition array_join_map + {a: Type} + `{Default a} + {len: nat} + (op: a -> a -> a) + (s1: nseq a len) + (s2 : nseq a len) := + let out := s1 in + foldi (usize 0) (usize len) (fun i out => + let i := from_uint_size i in + array_upd out i (op (array_index s1 i) (array_index s2 i)) + ) out. + +Infix "array_xor" := (array_join_map xor) (at level 33) : hacspec_scope. +Infix "array_add" := (array_join_map add) (at level 33) : hacspec_scope. +Infix "array_minus" := (array_join_map sub) (at level 33) : hacspec_scope. +Infix "array_mul" := (array_join_map mul) (at level 33) : hacspec_scope. +Infix "array_div" := (array_join_map divs) (at level 33) : hacspec_scope. +Infix "array_or" := (array_join_map or) (at level 33) : hacspec_scope. +Infix "array_and" := (array_join_map and) (at level 33) : hacspec_scope. + +Definition array_eq_ + {a: Type} + {len: nat} + (eq: a -> a -> bool) + (s1: nseq a len) + (s2 : nseq a len) + : bool := Vector.eqb _ eq s1 s2. + +Infix "array_eq" := (array_eq_ eq) (at level 33) : hacspec_scope. +Infix "array_neq" := (fun s1 s2 => negb (array_eq_ eq s1 s2)) (at level 33) : hacspec_scope. + + +(**** Integers to arrays *) +Axiom uint32_to_le_bytes : int32 -> nseq int8 4. +Axiom uint32_to_be_bytes : int32 -> nseq int8 4. +Axiom uint32_from_le_bytes : nseq int8 4 -> int32. +Axiom uint32_from_be_bytes : nseq int8 4 -> int32. +Axiom uint64_to_le_bytes : int64 -> nseq int8 8. +Axiom uint64_to_be_bytes : int64 -> nseq int8 8. +Axiom uint64_from_le_bytes : nseq int8 8 -> int64. +Axiom uint64_from_be_bytes : nseq int8 8 -> int64. +Axiom uint128_to_le_bytes : int128 -> nseq int8 16. +Axiom uint128_to_be_bytes : int128 -> nseq int8 16. +Axiom uint128_from_le_bytes : nseq int8 16 -> int128. +Axiom uint128_from_be_bytes : nseq int8 16 -> int128. +Axiom u32_to_le_bytes : int32 -> nseq int8 4. +Axiom u32_to_be_bytes : int32 -> nseq int8 4. +Axiom u32_from_le_bytes : nseq int8 4 -> int32. +Axiom u32_from_be_bytes : nseq int8 4 -> int32. +Axiom u64_to_le_bytes : int64 -> nseq int8 8. +Axiom u64_from_le_bytes : nseq int8 8 -> int64. +Axiom u128_to_le_bytes : int128 -> nseq int8 16. +Axiom u128_to_be_bytes : int128 -> nseq int8 16. +Axiom u128_from_le_bytes : nseq int8 16 -> int128. +Axiom u128_from_be_bytes : nseq int8 16 -> int128. + +(*** Nats *) + + +Definition nat_mod (p : Z) : Set := GZnZ.znz p. + + +Definition nat_mod_equal {p} (a b : nat_mod p) : bool := + Z.eqb (GZnZ.val p a) (GZnZ.val p b). + +Definition nat_mod_zero {p} : nat_mod p := GZnZ.zero p. +Definition nat_mod_one {p} : nat_mod p := GZnZ.one p. +Definition nat_mod_two {p} : nat_mod p := GZnZ.mkznz p _ (GZnZ.modz p 2). + + +(* convenience coercions from nat_mod to Z and N *) +(* Coercion Z.of_N : N >-> Z. *) + +Definition nat_mod_add {n : Z} (a : nat_mod n) (b : nat_mod n) : nat_mod n := GZnZ.add n a b. + +Infix "+%" := nat_mod_add (at level 33) : hacspec_scope. + +Definition nat_mod_mul {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.mul n a b. +Infix "*%" := nat_mod_mul (at level 33) : hacspec_scope. + +Definition nat_mod_sub {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.sub n a b. +Infix "-%" := nat_mod_sub (at level 33) : hacspec_scope. + +Definition nat_mod_div {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.div n a b. +Infix "/%" := nat_mod_div (at level 33) : hacspec_scope. + +(* A % B = (a * B + r) *) + +Definition nat_mod_neg {n : Z} (a:nat_mod n) : nat_mod n := GZnZ.opp n a. + +Definition nat_mod_inv {n : Z} (a:nat_mod n) : nat_mod n := GZnZ.inv n a. + +Definition nat_mod_exp_def {p : Z} (a:nat_mod p) (n : nat) : nat_mod p := + let fix exp_ (e : nat_mod p) (n : nat) := + match n with + | 0%nat => nat_mod_one + | S n => nat_mod_mul a (exp_ a n) + end in + exp_ a n. + +Definition nat_mod_exp {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). +Definition nat_mod_pow {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). +Definition nat_mod_pow_self {p} a n := @nat_mod_exp_def p a (Z.to_nat (from_uint_size n)). + +Close Scope nat_scope. +Open Scope Z_scope. + +(* We assume x < m *) +Definition nat_mod_from_secret_literal {m : Z} (x:int128) : nat_mod m. +Proof. + unfold nat_mod. + (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) + remember ((unsigned x) mod m) as zmodm. + apply (GZnZ.mkznz m zmodm). + rewrite Heqzmodm. + rewrite Zmod_mod. + reflexivity. +Defined. + +Definition nat_mod_from_literal (m : Z) (x:int128) : nat_mod m := nat_mod_from_secret_literal x. + +Axiom nat_mod_to_byte_seq_le : forall {n : Z}, nat_mod n -> seq int8. +Axiom nat_mod_to_byte_seq_be : forall {n : Z}, nat_mod n -> seq int8. +Axiom nat_mod_to_public_byte_seq_le : forall (n : Z), nat_mod n -> seq int8. +Axiom nat_mod_to_public_byte_seq_be : forall (n : Z), nat_mod n -> seq int8. + +Definition nat_mod_bit {n : Z} (a : nat_mod n) (i : uint_size) := + Z.testbit (GZnZ.val n a) (from_uint_size i). + +(* Alias for nat_mod_bit *) +Definition nat_get_mod_bit {p} (a : nat_mod p) := nat_mod_bit a. +Definition nat_mod_get_bit {p} (a : nat_mod p) n := + if (nat_mod_bit a n) + then @nat_mod_one p + else @nat_mod_zero p. + +(* +Definition nat_mod_to_public_byte_seq_le (n: pos) (len: uint_size) (x: nat_mod_mod n) : lseq pub_uint8 len = + Definition n' := n % (pow2 (8 * len)) in + Lib.ByteSequence.nat_mod_to_bytes_le len n'*) + +(* Definition nat_to_public_byte_seq_be (n: pos) (len: uint_size) (x: nat_mod n) : lseq pub_uint8 len = + Definition n' := n % (pow2 (8 * len)) in + Lib.ByteSequence.nat_to_bytes_be len n' *) + +Axiom array_declassify_eq : forall {A l}, nseq A l -> nseq A l -> bool. +Axiom array_to_le_uint32s : forall {A l}, nseq A l -> seq uint32. +Axiom array_to_be_uint32s : forall {A l}, nseq A l -> seq uint32. (* nseq uint32 (l/4) *) +Axiom array_to_le_bytes : forall {A l}, nseq A l -> seq uint8. +Axiom array_to_be_bytes : forall {A l}, nseq A l -> seq uint8. +Axiom nat_mod_from_byte_seq_le : forall {A n}, seq A -> nat_mod n. +Axiom nat_mod_from_byte_seq_be : forall {A n}, seq A -> nat_mod n. +Axiom nat_mod_from_public_byte_seq_le : forall {A n}, seq A -> nat_mod n. +Axiom nat_mod_from_public_byte_seq_be : forall {A n}, seq A -> nat_mod n. +Axiom most_significant_bit : forall {m}, nat_mod m -> uint_size -> uint_size. + + +(* We assume 2^x < m *) +Definition nat_mod_pow2 (m : Z) (x : N) : nat_mod m. +Proof. + remember (Z.pow 2 (Z.of_N x) mod m) as y. + apply (GZnZ.mkznz m y). + rewrite Heqy. + rewrite Zmod_mod. + reflexivity. +Defined. + + +Section Casting. + + (* Type casts, as defined in Section 4.5 in https://arxiv.org/pdf/1106.3448.pdf *) + Class Cast A B := cast : A -> B. + + Arguments cast {_} _ {_}. + + Notation "' x" := (cast _ x) (at level 20) : hacspec_scope. + Open Scope hacspec_scope. + + (* Casting to self is always possible *) + Global Instance cast_self {A} : Cast A A := { + cast a := a + }. + + Global Instance cast_transitive {A B C} `{Hab: Cast A B} `{Hbc: Cast B C} : Cast A C := { + cast a := Hbc (Hab a) + }. + + Global Instance cast_prod {A B C D} `{Cast A B} `{Cast C D} : Cast (A * C) (B * D) := { + cast '(a, c) := ('a, 'c) + }. + + Global Instance cast_option {A B} `{Cast A B} : Cast (option A) (option B) := { + cast a := match a with Some a => Some ('a) | None => None end + }. + + Global Instance cast_option_b {A B} `{Cast A B} : Cast A (option B) := { + cast a := Some ('a) + }. + + (* Global Instances for common types *) + + Global Instance cast_nat_to_N : Cast nat N := { + cast := N.of_nat + }. + + Global Instance cast_N_to_Z : Cast N Z := { + cast := Z.of_N + }. + + Global Instance cast_Z_to_int {WORDSIZE} : Cast Z (@int WORDSIZE) := { + cast n := repr n + }. + + Global Instance cast_natmod_to_Z {p} : Cast (nat_mod p) Z := { + cast n := GZnZ.val p n + }. + + (* Note: should be aware of typeclass resolution with int/uint since they are just aliases of each other currently *) + Global Instance cast_int8_to_uint32 : Cast int8 uint32 := { + cast n := repr (unsigned n) + }. + Global Instance cast_int8_to_int32 : Cast int8 int32 := { + cast n := repr (signed n) + }. + + Global Instance cast_uint8_to_uint32 : Cast uint8 uint32 := { + cast n := repr (unsigned n) + }. + + Global Instance cast_int_to_nat `{WORDSIZE} : Cast int nat := { + cast n := Z.to_nat (signed n) + }. + + Close Scope hacspec_scope. +End Casting. + + +Global Arguments pair {_ _} & _ _. +Global Arguments id {_} & _. +Section Coercions. + (* First, in order to have automatic coercions for tuples, we add bidirectionality hints: *) + + (* Integer coercions *) + (* We have nat >-> N >-> Z >-> int/int32 *) + (* and uint >-> Z *) + (* and N >-> nat *) + + Global Coercion N.to_nat : N >-> nat. + Global Coercion Z.of_N : N >-> Z. + + Global Coercion repr : Z >-> int. + + Definition Z_to_int `{WORDSIZE} (n : Z) : int := repr n. + Global Coercion Z_to_int : Z >-> int. + + Definition Z_to_uint_size (n : Z) : uint_size := repr n. + Global Coercion Z_to_uint_size : Z >-> uint_size. + Definition Z_to_int_size (n : Z) : int_size := repr n. + Global Coercion Z_to_int_size : Z >-> int_size. + + Definition N_to_int `{WORDSIZE} (n : N) : int := repr (Z.of_N n). + Global Coercion N.of_nat : nat >-> N. + Global Coercion N_to_int : N >-> int. + Definition N_to_uint_size (n : Z) : uint_size := repr n. + Global Coercion N_to_uint_size : Z >-> uint_size. + Definition nat_to_int `{WORDSIZE} (n : nat) := repr (Z.of_nat n). + Global Coercion nat_to_int : nat >-> int. + + Definition uint_size_to_nat (n : uint_size) : nat := from_uint_size n. + Global Coercion uint_size_to_nat : uint_size >-> nat. + + Definition uint_size_to_Z (n : uint_size) : Z := from_uint_size n. + Global Coercion uint_size_to_Z : uint_size >-> Z. + + Definition uint32_to_nat (n : uint32) : nat := unsigned n. + Global Coercion uint32_to_nat : uint32 >-> nat. + + + Global Coercion GZnZ.val : GZnZ.znz >-> Z. + + Definition int8_to_nat (n : int8) : nat := unsigned n. + Global Coercion int8_to_nat : int8 >-> nat. + Definition int16_to_nat (n : int16) : nat := unsigned n. + Global Coercion int16_to_nat : int16 >-> nat. + Definition int32_to_nat (n : int32) : nat := unsigned n. + Global Coercion int32_to_nat : int32 >-> nat. + Definition int64_to_nat (n : int64) : nat := unsigned n. + Global Coercion int64_to_nat : int64 >-> nat. + Definition int128_to_nat (n : int128) : nat := unsigned n. + Global Coercion int128_to_nat : int128 >-> nat. + + (* coercions int8 >-> int16 >-> ... int128 *) + + Definition int8_to_int16 (n : int8) : int16 := repr n. + Global Coercion int8_to_int16 : int8 >-> int16. + + Definition int8_to_int32 (n : int8) : int32 := repr n. + Global Coercion int8_to_int32 : int8 >-> int32. + + Definition int16_to_int32 (n : int16) : int32 := repr n. + Global Coercion int16_to_int32 : int16 >-> int32. + + Definition int32_to_int64 (n : int32) : int64 := repr n. + Global Coercion int32_to_int64 : int32 >-> int64. + + Definition int64_to_int128 (n : int64) : int128 := repr n. + Global Coercion int64_to_int128 : int64 >-> int128. + + Definition int32_to_int128 (n : int32) : int128 := repr n. + Global Coercion int32_to_int128 : int32 >-> int128. + + Definition uint_size_to_int64 (n : uint_size) : int64 := repr n. + Global Coercion uint_size_to_int64 : uint_size >-> int64. + + + (* coercions into nat_mod *) + Definition Z_in_nat_mod {m : Z} (x:Z) : nat_mod m. + Proof. + unfold nat_mod. + remember ((x) mod m) as zmodm. + apply (GZnZ.mkznz m zmodm). + rewrite Heqzmodm. + rewrite Zmod_mod. + reflexivity. + Defined. + (* Global Coercion Z_in_nat_mod : Z >-> nat_mod. *) + + Definition int_in_nat_mod {m : Z} `{WORDSIZE} (x:int) : nat_mod m. + Proof. + unfold nat_mod. + (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) + remember ((unsigned x) mod m) as zmodm. + apply (GZnZ.mkznz m zmodm). + rewrite Heqzmodm. + rewrite Zmod_mod. + reflexivity. + Show Proof. + Defined. + Global Coercion int_in_nat_mod : int >-> nat_mod. + + Definition uint_size_in_nat_mod (n : uint_size) : nat_mod 16 := int_in_nat_mod n. + Global Coercion uint_size_in_nat_mod : uint_size >-> nat_mod. + +End Coercions. + + +(*** Casting *) + +Definition uint128_from_usize (n : uint_size) : int128 := repr n. +Definition uint64_from_usize (n : uint_size) : int64 := repr n. +Definition uint32_from_usize (n : uint_size) : int32 := repr n. +Definition uint16_from_usize (n : uint_size) : int16 := repr n. +Definition uint8_from_usize (n : uint_size) : int8 := repr n. + +Definition uint128_from_uint8 (n : int8) : int128 := repr n. +Definition uint64_from_uint8 (n : int8) : int64 := repr n. +Definition uint32_from_uint8 (n : int8) : int32 := repr n. +Definition uint16_from_uint8 (n : int8) : int16 := repr n. +Definition usize_from_uint8 (n : int8) : uint_size := repr n. + +Definition uint128_from_uint16 (n : int16) : int128 := repr n. +Definition uint64_from_uint16 (n : int16) : int64 := repr n. +Definition uint32_from_uint16 (n : int16) : int32 := repr n. +Definition uint8_from_uint16 (n : int16) : int8 := repr n. +Definition usize_from_uint16 (n : int16) : uint_size := repr n. + +Definition uint128_from_uint32 (n : int32) : int128 := repr n. +Definition uint64_from_uint32 (n : int32) : int64 := repr n. +Definition uint16_from_uint32 (n : int32) : int16 := repr n. +Definition uint8_from_uint32 (n : int32) : int8 := repr n. +Definition usize_from_uint32 (n : int32) : uint_size := repr n. + +Definition uint128_from_uint64 (n : int64) : int128 := repr n. +Definition uint32_from_uint64 (n : int64) : int32 := repr n. +Definition uint16_from_uint64 (n : int64) : int16 := repr n. +Definition uint8_from_uint64 (n : int64) : int8 := repr n. +Definition usize_from_uint64 (n : int64) : uint_size := repr n. + +Definition uint64_from_uint128 (n : int128) : int64 := repr n. +Definition uint32_from_uint128 (n : int128) : int32 := repr n. +Definition uint16_from_uint128 (n : int128) : int16 := repr n. +Definition uint8_from_uint128 (n : int128) : int8 := repr n. +Definition usize_from_uint128 (n : int128) : uint_size := repr n. + + +(* Comparisons, boolean equality, and notation *) + +Class EqDec (A : Type) := + { eqb : A -> A -> bool ; + eqb_leibniz : forall x y, eqb x y = true <-> x = y }. + +Infix "=.?" := eqb (at level 40) : hacspec_scope. +Infix "!=.?" := (fun a b => negb (eqb a b)) (at level 40) : hacspec_scope. + +Class Comparable (A : Type) := { + ltb : A -> A -> bool; + leb : A -> A -> bool; + gtb : A -> A -> bool; + geb : A -> A -> bool; +}. +Infix "<.?" := ltb (at level 42) : hacspec_scope. +Infix "<=.?" := leb (at level 42) : hacspec_scope. +Infix ">.?" := gtb (at level 42) : hacspec_scope. +Infix ">=.?" := geb (at level 42) : hacspec_scope. + +Theorem eqb_refl : forall {A} {H : EqDec A} (x : A), @eqb A H x x = true. +Proof. + intros. + now rewrite eqb_leibniz. +Qed. + +Global Program Instance nat_eqdec : EqDec nat := { + eqb := Nat.eqb; + eqb_leibniz := Nat.eqb_eq ; +}. + +Global Instance nat_comparable : Comparable nat := { + ltb := Nat.ltb; + leb := Nat.leb; + gtb a b := Nat.ltb b a; + geb a b := Nat.leb b a; +}. + +Global Instance N_eqdec : EqDec N := { + eqb := N.eqb; + eqb_leibniz := N.eqb_eq ; +}. + +Global Instance N_comparable : Comparable N := { + ltb := N.ltb; + leb := N.leb; + gtb a b := N.ltb b a; + geb a b := N.leb b a; +}. + +Global Instance Z_eqdec : EqDec Z := { + eqb := Z.eqb; + eqb_leibniz := Z.eqb_eq ; +}. + +Global Instance Z_comparable : Comparable Z := { + ltb := Z.ltb; + leb := Z.leb; + gtb a b := Z.ltb b a; + geb a b := Z.leb b a; +}. + +Lemma int_eqb_eq : forall {WS : WORDSIZE} (a b : int), eq a b = true <-> a = b. +Proof. + intros. split. + - apply same_if_eq. + - intros. rewrite H. apply eq_true. +Qed. + +Global Instance int_eqdec `{WORDSIZE}: EqDec int := { + eqb := eq; + eqb_leibniz := int_eqb_eq ; +}. + +Global Instance int_comparable `{WORDSIZE} : Comparable int := { + ltb := lt; + leb a b := if eq a b then true else lt a b ; + gtb a b := lt b a; + geb a b := if eq a b then true else lt b a; +}. + +Definition uint8_equal : int8 -> int8 -> bool := eqb. + +Definition nat_mod_val (p : Z) (a : nat_mod p) : Z := GZnZ.val p a. + +Theorem nat_mod_eqb_spec : forall {p} (a b : nat_mod p), Z.eqb (nat_mod_val p a) (nat_mod_val p b) = true <-> a = b. +Proof. + split ; intros. + - apply Z.eqb_eq in H. + destruct a, b. + cbn in H. + apply (GZnZ.zirr p val val0 inZnZ inZnZ0 H). + - subst. + apply Z.eqb_eq. + reflexivity. +Qed. + +Global Instance nat_mod_eqdec {p} : EqDec (nat_mod p) := { + eqb a b := Z.eqb (nat_mod_val p a) (nat_mod_val p b); + eqb_leibniz := nat_mod_eqb_spec; +}. + +Global Instance nat_mod_comparable `{p : Z} : Comparable (nat_mod p) := { + ltb a b := Z.ltb (nat_mod_val p a) (nat_mod_val p b); + leb a b := if Zeq_bool a b then true else Z.ltb (nat_mod_val p a) (nat_mod_val p b) ; + gtb a b := Z.ltb (nat_mod_val p b) (nat_mod_val p a); + geb a b := if Zeq_bool b a then true else Z.ltb (nat_mod_val p b) (nat_mod_val p a) ; +}. + +Fixpoint nat_mod_rem_aux {n : Z} (a:nat_mod n) (b:nat_mod n) (f : nat) {struct f} : nat_mod n := + match f with + | O => a + | S f' => + if geb a b + then nat_mod_rem_aux (nat_mod_sub a b) b f' + else a + end. + +Definition nat_mod_rem {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := + if nat_mod_equal b nat_mod_zero + then nat_mod_one + else nat_mod_rem_aux a b (S (nat_mod_div a b)). + +Infix "rem" := nat_mod_rem (at level 33) : hacspec_scope. + +Global Instance bool_eqdec : EqDec bool := { + eqb := Bool.eqb; + eqb_leibniz := Bool.eqb_true_iff; +}. + +Global Instance string_eqdec : EqDec String.string := { + eqb := String.eqb; + eqb_leibniz := String.eqb_eq ; +}. + +Global Instance unit_eqdec : EqDec unit := { + eqb := fun _ _ => true ; + eqb_leibniz := fun 'tt 'tt => (conj (fun _ => eq_refl) (fun _ => eq_refl)) ; +}. + +Require Import Sumbool. +Open Scope list_scope. + +Fixpoint list_eqdec {A} `{EqDec A} (l1 l2 : list A) : bool := + match l1, l2 with + | x::xs, y::ys => if eqb x y then list_eqdec xs ys else false + | [], [] => true + | _,_ => false + end. + +Lemma list_eqdec_refl : forall {A} `{EqDec A} (l1 : list A), list_eqdec l1 l1 = true. +Proof. + intros ; induction l1 ; cbn ; try rewrite eqb_refl ; easy. +Qed. + +Lemma list_eqdec_sound : forall {A} `{EqDec A} (l1 l2 : list A), list_eqdec l1 l2 = true <-> l1 = l2. +Proof. + intros A H l1. + induction l1 ; induction l2 ; split ; intros ; simpl in * ; try easy ; try inversion H0. + - (* inductive case *) + apply Field_theory.if_true in H0; destruct H0. + f_equal. + (* show heads are equal *) + + apply (proj1 (eqb_leibniz a a0) H0). + (* show tails are equal using induction hypothesis *) + + apply IHl1. assumption. + - rewrite eqb_refl. + apply list_eqdec_refl. +Qed. + +Global Instance List_eqdec {A} `{EqDec A} : EqDec (list A) := { + eqb := list_eqdec; + eqb_leibniz := list_eqdec_sound; +}. + +Lemma vector_eqb_sound : forall {A : Type} {n : nat} `{EqDec A} (v1 v2 : VectorDef.t A n), Vector.eqb _ eqb v1 v2 = true <-> v1 = v2. +Proof. + intros. + apply Vector.eqb_eq. + intros. + apply eqb_leibniz. +Qed. + +Global Program Instance Vector_eqdec {A n} `{EqDec A}: EqDec (VectorDef.t A n) := { + eqb := Vector.eqb _ eqb; + eqb_leibniz := vector_eqb_sound; +}. + +Global Program Instance Dec_eq_prod (A B : Type) `{EqDec A} `{EqDec B} : EqDec (A * B) := { + eqb '(a0, b0) '(a1, b1) := andb (eqb a0 a1) (eqb b0 b1) +}. +Next Obligation. + split ; intros. + - symmetry in H1. + apply Bool.andb_true_eq in H1. destruct H1. + symmetry in H1. apply (eqb_leibniz a0 a) in H1. + symmetry in H2. apply (eqb_leibniz b0 b) in H2. + rewrite H1, H2. reflexivity. + - inversion_clear H1. now do 2 rewrite eqb_refl. +Defined. + +(*** Result *) + +Inductive result (a: Type) (b: Type) := + | Ok : a -> result a b + | Err : b -> result a b. + +Arguments Ok {_ _}. +Arguments Err {_ _}. + +(*** Be Bytes *) + + +Fixpoint nat_be_range_at_position (k : nat) (z : Z) (n : Z) : list bool := + match k with + | O => [] + | S k' => Z.testbit z (n + k') :: nat_be_range_at_position k' z n + end. + +Fixpoint nat_be_range_to_position_ (z : list bool) (val : Z) : Z := + match z with + | [] => val + | x :: xs => nat_be_range_to_position_ xs ((if x then 2 ^ List.length xs else 0) + val) + end. + +Definition nat_be_range_to_position (k : nat) (z : list bool) (n : Z) : Z := + (nat_be_range_to_position_ z 0 * 2^(k * n)). + +Definition nat_be_range (k : nat) (z : Z) (n : nat) : Z := + nat_be_range_to_position_ (nat_be_range_at_position k z (n * k)) 0. (* * 2^(k * n) *) + +Compute nat_be_range 4 0 300. + +Definition u64_to_be_bytes' : int64 -> nseq int8 8 := + fun k => array_from_list (int8) [@nat_to_int WORDSIZE8 (nat_be_range 4 k 7) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 6) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 5) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 4) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 3) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 2) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 1) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 0)]. + +Open Scope hacspec_scope. + +Definition u64_from_be_bytes_fold_fun (i : int8) (s : nat × int64) : nat × int64 := + let (n,v) := s in + (S n, v .+ (@repr WORDSIZE64 ((int8_to_nat i) * 2 ^ (4 * n)))). + +Definition u64_from_be_bytes' : nseq int8 8 -> int64 := + (fun v => snd (VectorDef.fold_right u64_from_be_bytes_fold_fun v (0, @repr WORDSIZE64 0))). + +Definition u64_to_be_bytes : int64 -> nseq int8 8 := u64_to_be_bytes'. +Definition u64_from_be_bytes : nseq int8 8 -> int64 := u64_from_be_bytes'. + +(* Definition nat_mod_to_byte_seq_be : forall {n : Z}, nat_mod n -> seq int8 := *) +(* fun k => VectorDef.of_list . *) + +(*** Monad / Bind *) + +Class Monad (M : Type -> Type) := + { bind {A B} (x : M A) (f : A -> M B) : M B ; + ret {A} (x : A) : M A ; + }. + +Definition result2 (b: Type) (a: Type) := result a b. + +Definition result_bind {A B C} (r : result2 C A) (f : A -> result2 C B) : result2 C B := + match r with + Ok a => f a + | Err e => Err e + end. + +Definition result_ret {A C} (a : A) : result2 C A := Ok a. + +Global Instance result_monad {C} : Monad (result2 C) := + Build_Monad (result2 C) (fun A B => @result_bind A B C) (fun A => @result_ret A C). + +Definition option_bind {A B} (r : option A) (f : A -> option B) : option B := + match r with + Some (a) => f a + | None => None + end. + + + +Definition option_ret {A} (a : A) : option A := Some a. + +Global Instance option_monad : Monad option := + Build_Monad option (@option_bind) (@option_ret). + +Definition option_is_none {A} (x : option A) : bool := + match x with + | None => true + | _ => false + end. + +Definition foldi_bind {A : Type} {M : Type -> Type} `{Monad M} (a : uint_size) (b : uint_size) (f : uint_size -> A -> M A) (init : M A) : M A := + @foldi (M A) a b (fun x y => bind y (f x)) init. + +Definition lift_to_result {A B C} (r : result A C) (f : A -> B) : result B C := + result_bind r (fun x => result_ret (f x)). + +Definition result_uint_size_to_result_int64 {C} (r : result uint_size C) := lift_to_result r uint_size_to_int64. + +Definition result_uint_size_unit := (result uint_size unit). +Definition result_int64_unit := (result int64 unit). + +Definition result_uint_size_unit_to_result_int64_unit (r : result_uint_size_unit) : result_int64_unit := result_uint_size_to_result_int64 r. + +Global Coercion lift_to_result_coerce {A B C} (f : A -> B) := (fun (r : result A C) => lift_to_result r f). + +Global Coercion result_uint_size_unit_to_result_int64_unit : result_uint_size_unit >-> result_int64_unit. + +(*** Notation *) + +Notation "'ifbnd' b 'then' x 'else' y '>>' f" := (if b then f x else f y) (at level 200). +Notation "'ifbnd' b 'thenbnd' x 'else' y '>>' f" := (if b then (bind x) f else f y) (at level 200). +Notation "'ifbnd' b 'then' x 'elsebnd' y '>>' f" := (if b then f x else (bind y) f) (at level 200). +Notation "'ifbnd' b 'thenbnd' x 'elsebnd' y '>>' f" := (if b then bind x f else bind y f) (at level 200). + +Notation "'foldibnd' s 'to' e 'for' z '>>' f" := (foldi s e (fun x y => bind y (f x)) (Ok z)) (at level 50). + + +(*** Default *) + +(* Default instances for common types *) +Global Instance nat_default : Default nat := { + default := 0%nat +}. +Global Instance N_default : Default N := { + default := 0%N +}. +Global Instance Z_default : Default Z := { + default := 0%Z +}. +Global Instance uint_size_default : Default uint_size := { + default := zero +}. +Global Instance int_size_default : Default int_size := { + default := zero +}. +Global Instance int_default {WS : WORDSIZE} : Default int := { + default := repr 0 +}. +Global Instance uint8_default : Default uint8 := _. +Global Instance nat_mod_default {p : Z} : Default (nat_mod p) := { + default := nat_mod_zero +}. +Global Instance prod_default {A B} `{Default A} `{Default B} : Default (A × B) := { + default := (default, default) +}. diff --git a/proof-libs/coq/src/Hacspec_Linalg.v b/proof-libs/coq/src/Hacspec_Linalg.v new file mode 100644 index 000000000..0dcee9a83 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Linalg.v @@ -0,0 +1,296 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Notation "'dim_type_t'" := (uint_size) : hacspec_scope. + +Notation "'scalar_t'" := (int128) : hacspec_scope. + +Notation "'dims_t'" := ((dim_type_t '× dim_type_t)) : hacspec_scope. + +Notation "'matrix_t'" := ((dims_t '× seq scalar_t)) : hacspec_scope. + +Notation "'mat_res_t'" := ((result matrix_t int8)) : hacspec_scope. + +Notation "'scal_res_t'" := ((result scalar_t int8)) : hacspec_scope. + +Definition dimension_sequence_length_mismatch_v : int8 := + @repr WORDSIZE8 10. + +Definition index_out_of_bounds_v : int8 := + @repr WORDSIZE8 11. + +Definition slice_out_of_bounds_v : int8 := + @repr WORDSIZE8 12. + +Definition dimension_mismatch_v : int8 := + @repr WORDSIZE8 13. + +Definition new_ + (rows_881 : dim_type_t) + (cols_882 : dim_type_t) + (seq_883 : seq scalar_t) + : mat_res_t := + (if (((seq_len (seq_883)) >.? (usize 0)) && (((rows_881) * (cols_882)) =.? ( + seq_len (seq_883)))):bool then (@Ok matrix_t int8 (( + (rows_881, cols_882), + seq_883 + ))) else (@Err matrix_t int8 (dimension_sequence_length_mismatch_v))). + +Definition repeat + (n_884 : dim_type_t) + (m_885 : dim_type_t) + (scalar_886 : scalar_t) + : matrix_t := + let ret_887 : seq int128 := + seq_new_ (default : scalar_t) ((n_884) * (m_885)) in + let ret_887 := + foldi (usize 0) ((n_884) * (m_885)) (fun i_888 ret_887 => + let ret_887 := + seq_upd ret_887 (i_888) (scalar_886) in + (ret_887)) + ret_887 in + ((n_884, m_885), ret_887). + +Definition zeros (n_889 : dim_type_t) (m_890 : dim_type_t) : matrix_t := + repeat (n_889) (m_890) (pub_int128_zero ). + +Definition ones (n_891 : dim_type_t) (m_892 : dim_type_t) : matrix_t := + repeat (n_891) (m_892) (pub_int128_one ). + +Definition identity (n_893 : dim_type_t) (m_894 : dim_type_t) : matrix_t := + let ret_895 : seq int128 := + seq_new_ (default : scalar_t) ((n_893) * (m_894)) in + let ret_895 := + foldi (usize 0) (min (n_893) (m_894)) (fun i_896 ret_895 => + let index_897 : uint_size := + ((i_896) * (min (n_893) (m_894))) + (i_896) in + let ret_895 := + seq_upd ret_895 (index_897) (pub_int128_one ) in + (ret_895)) + ret_895 in + ((n_893, m_894), ret_895). + +Definition index + (m_898 : matrix_t) + (i_899 : dim_type_t) + (j_900 : dim_type_t) + : scal_res_t := + let '(dim_901, seq_902) := + m_898 in + let '(rows_903, cols_904) := + dim_901 in + let index_905 : uint_size := + ((i_899) * (cols_904)) + (j_900) in + (if ((index_905) >=.? ((rows_903) * (cols_904))):bool then ( + @Err scalar_t int8 (index_out_of_bounds_v)) else (@Ok scalar_t int8 ( + seq_index (seq_902) (index_905)))). + +Definition transpose (matrix_906 : matrix_t) : matrix_t := + let '(dim_907, seq_908) := + matrix_906 in + let '(rows_909, cols_910) := + dim_907 in + let ret_911 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (seq_908)) in + let ret_911 := + foldi (usize 0) (rows_909) (fun i_912 ret_911 => + let ret_911 := + foldi (usize 0) (cols_910) (fun j_913 ret_911 => + let seq_index_914 : uint_size := + ((i_912) * (cols_910)) + (j_913) in + let ret_index_915 : uint_size := + ((j_913) * (rows_909)) + (i_912) in + let ret_911 := + seq_upd ret_911 (ret_index_915) (seq_index (seq_908) ( + seq_index_914)) in + (ret_911)) + ret_911 in + (ret_911)) + ret_911 in + ((cols_910, rows_909), ret_911). + +Definition slice + (matrix_916 : matrix_t) + (start_917 : dims_t) + (len_918 : dims_t) + : mat_res_t := + let '(dim_919, seq_920) := + matrix_916 in + let '(rows_921, cols_922) := + dim_919 in + let '(start_row_923, start_col_924) := + start_917 in + let '(len_rows_925, len_cols_926) := + len_918 in + let start_index_927 : uint_size := + ((start_row_923) * (cols_922)) + (start_col_924) in + let ret_928 : seq int128 := + seq_new_ (default : scalar_t) ((len_rows_925) * (len_cols_926)) in + let res_929 : (result matrix_t int8) := + @Err matrix_t int8 (slice_out_of_bounds_v) in + let '(ret_928, res_929) := + if ((start_index_927) + ((len_rows_925) * (len_cols_926))) <=.? (( + rows_921) * (cols_922)):bool then (let ret_928 := + foldi (usize 0) (len_rows_925) (fun i_930 ret_928 => + let ret_928 := + foldi (usize 0) (len_cols_926) (fun j_931 ret_928 => + let ret_index_932 : uint_size := + ((i_930) * (len_cols_926)) + (j_931) in + let seq_index_933 : uint_size := + (((start_row_923) + (i_930)) * (cols_922)) + (( + start_col_924) + (j_931)) in + let ret_928 := + seq_upd ret_928 (ret_index_932) (seq_index (seq_920) ( + seq_index_933)) in + (ret_928)) + ret_928 in + (ret_928)) + ret_928 in + let res_929 := + new_ (len_rows_925) (len_cols_926) (ret_928) in + (ret_928, res_929)) else ((ret_928, res_929)) in + res_929. + +Definition scale (matrix_934 : matrix_t) (scalar_935 : scalar_t) : matrix_t := + let '(dim_936, seq_937) := + matrix_934 in + let ret_938 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (seq_937)) in + let ret_938 := + foldi (usize 0) (seq_len (seq_937)) (fun i_939 ret_938 => + let ret_938 := + seq_upd ret_938 (i_939) ((scalar_935) .* (seq_index (seq_937) ( + i_939))) in + (ret_938)) + ret_938 in + (dim_936, ret_938). + +Definition add + (matrix_1_940 : matrix_t) + (matrix_2_941 : matrix_t) + : mat_res_t := + let '(m1_dim_942, m1_s_943) := + matrix_1_940 in + let '(m2_dim_944, m2_s_945) := + matrix_2_941 in + let ret_946 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (m1_s_943)) in + let res_947 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_946, res_947) := + if (m1_dim_942) =.? (m2_dim_944):bool then (let ret_946 := + foldi (usize 0) (seq_len (m1_s_943)) (fun i_948 ret_946 => + let ret_946 := + seq_upd ret_946 (i_948) ((seq_index (m1_s_943) (i_948)) .+ ( + seq_index (m2_s_945) (i_948))) in + (ret_946)) + ret_946 in + let res_947 := + @Ok matrix_t int8 ((m1_dim_942, ret_946)) in + (ret_946, res_947)) else ((ret_946, res_947)) in + res_947. + +Definition sub + (matrix_1_949 : matrix_t) + (matrix_2_950 : matrix_t) + : mat_res_t := + let '(m1_dim_951, m1_s_952) := + matrix_1_949 in + let '(m2_dim_953, m2_s_954) := + matrix_2_950 in + let ret_955 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (m1_s_952)) in + let res_956 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_955, res_956) := + if (m1_dim_951) =.? (m2_dim_953):bool then (let ret_955 := + foldi (usize 0) (seq_len (m1_s_952)) (fun i_957 ret_955 => + let ret_955 := + seq_upd ret_955 (i_957) ((seq_index (m1_s_952) (i_957)) .- ( + seq_index (m2_s_954) (i_957))) in + (ret_955)) + ret_955 in + let res_956 := + @Ok matrix_t int8 ((m1_dim_951, ret_955)) in + (ret_955, res_956)) else ((ret_955, res_956)) in + res_956. + +Definition component_mul + (matrix_1_958 : matrix_t) + (matrix_2_959 : matrix_t) + : mat_res_t := + let '(m1_dim_960, m1_s_961) := + matrix_1_958 in + let '(m2_dim_962, m2_s_963) := + matrix_2_959 in + let ret_964 : seq int128 := + seq_new_ (default : scalar_t) (seq_len (m1_s_961)) in + let res_965 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_964, res_965) := + if (m1_dim_960) =.? (m2_dim_962):bool then (let ret_964 := + foldi (usize 0) (seq_len (m1_s_961)) (fun i_966 ret_964 => + let ret_964 := + seq_upd ret_964 (i_966) ((seq_index (m1_s_961) (i_966)) .* ( + seq_index (m2_s_963) (i_966))) in + (ret_964)) + ret_964 in + let res_965 := + @Ok matrix_t int8 ((m1_dim_960, ret_964)) in + (ret_964, res_965)) else ((ret_964, res_965)) in + res_965. + +Definition mul + (matrix_1_967 : matrix_t) + (matrix_2_968 : matrix_t) + : mat_res_t := + let '(dim_1_969, seq_1_970) := + matrix_1_967 in + let '(dim_2_971, seq_2_972) := + matrix_2_968 in + let '(l_973, m_974) := + dim_1_969 in + let '(m_975, n_976) := + dim_2_971 in + let ret_977 : seq int128 := + seq_new_ (default : scalar_t) ((l_973) * (n_976)) in + let res_978 : (result matrix_t int8) := + @Err matrix_t int8 (dimension_mismatch_v) in + let '(ret_977, res_978) := + if (m_974) =.? (m_975):bool then (let ret_977 := + foldi (usize 0) (l_973) (fun i_979 ret_977 => + let ret_977 := + foldi (usize 0) (n_976) (fun j_980 ret_977 => + let acc_981 : int128 := + pub_int128_zero in + let index_982 : uint_size := + ((i_979) * (n_976)) + (j_980) in + let acc_981 := + foldi (usize 0) (m_974) (fun k_983 acc_981 => + let index_1_984 : uint_size := + ((i_979) * (m_974)) + (k_983) in + let index_2_985 : uint_size := + ((k_983) * (n_976)) + (j_980) in + let acc_981 := + (acc_981) .+ ((seq_index (seq_1_970) (index_1_984)) .* ( + seq_index (seq_2_972) (index_2_985))) in + (acc_981)) + acc_981 in + let ret_977 := + seq_upd ret_977 (index_982) (acc_981) in + (ret_977)) + ret_977 in + (ret_977)) + ret_977 in + let res_978 := + new_ (l_973) (n_976) (ret_977) in + (ret_977, res_978)) else ((ret_977, res_978)) in + res_978. + diff --git a/proof-libs/coq/src/Hacspec_Merlin.v b/proof-libs/coq/src/Hacspec_Merlin.v new file mode 100644 index 000000000..15f1316b7 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Merlin.v @@ -0,0 +1,88 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Strobe. + +Notation "'transcript_t'" := (strobe_t) : hacspec_scope. + +Definition merlin_protocol_label : seq uint8 := + [ + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 105) : int8; + secret (@repr WORDSIZE8 110) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 48) : int8 + ]. + +Definition encode_uint64 (x_1051 : uint64) : seq uint8 := + array_to_le_bytes (uint64_to_le_bytes (x_1051)). + +Definition encode_usize_as_u32 (x_1052 : uint_size) : seq uint8 := + let x_uint32_1053 : uint32 := + uint32_classify (pub_u32 (x_1052)) in + array_to_le_bytes (uint32_to_le_bytes (x_uint32_1053)). + +Definition new_ (label_1054 : seq uint8) : transcript_t := + let transcript_1055 : (state_uint8_t '× int8 '× int8 '× int8) := + new_strobe (merlin_protocol_label ) in + let dom_sep_1056 : seq uint8 := + [ + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 109) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 112) : int8 + ] in + append_message (transcript_1055) (dom_sep_1056) (label_1054). + +Definition append_message + (transcript_1057 : transcript_t) + (label_1058 : seq uint8) + (message_1059 : seq uint8) + : transcript_t := + let data_len_1060 : seq uint8 := + array_to_be_bytes (uint32_to_le_bytes (uint32_classify (pub_u32 (seq_len ( + message_1059))))) in + let transcript_1057 := + meta_ad (transcript_1057) (label_1058) (false) in + let transcript_1057 := + meta_ad (transcript_1057) (data_len_1060) (true) in + let transcript_1057 := + ad (transcript_1057) (message_1059) (false) in + transcript_1057. + +Definition challenge_bytes + (transcript_1061 : transcript_t) + (label_1062 : seq uint8) + (dest_1063 : seq uint8) + : (transcript_t '× seq uint8) := + let data_len_1064 : seq uint8 := + encode_usize_as_u32 (seq_len (dest_1063)) in + let transcript_1061 := + meta_ad (transcript_1061) (label_1062) (false) in + let transcript_1061 := + meta_ad (transcript_1061) (data_len_1064) (true) in + prf (transcript_1061) (dest_1063) (false). + +Definition append_uint64 + (transcript_1065 : transcript_t) + (label_1066 : seq uint8) + (x_1067 : uint64) + : transcript_t := + append_message (transcript_1065) (label_1066) (encode_uint64 (x_1067)). + diff --git a/proof-libs/coq/src/Hacspec_Ntru_Prime.v b/proof-libs/coq/src/Hacspec_Ntru_Prime.v new file mode 100644 index 000000000..b40600184 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Ntru_Prime.v @@ -0,0 +1,138 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition build_irreducible (p_1256 : uint_size) : seq int128 := + let irr_1257 : seq int128 := + seq_new_ (default : int128) ((p_1256) + (usize 1)) in + let irr_1257 := + seq_upd irr_1257 (usize 0) (- (@repr WORDSIZE128 1)) in + let irr_1257 := + seq_upd irr_1257 (usize 1) (- (@repr WORDSIZE128 1)) in + let irr_1257 := + seq_upd irr_1257 (p_1256) (@repr WORDSIZE128 1) in + irr_1257. + +Definition round_to_3 (poly_1258 : seq int128) (q_1259 : int128) : seq int128 := + let result_1260 : seq int128 := + (poly_1258) in + let q_12_1261 : int128 := + ((q_1259) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in + let result_1260 := + foldi (usize 0) (seq_len (poly_1258)) (fun i_1262 result_1260 => + let '(result_1260) := + if (seq_index (poly_1258) (i_1262)) >.? (q_12_1261):bool then ( + let result_1260 := + seq_upd result_1260 (i_1262) ((seq_index (poly_1258) (i_1262)) .- ( + q_1259)) in + (result_1260)) else ((result_1260)) in + (result_1260)) + result_1260 in + let result_1260 := + foldi (usize 0) (seq_len (result_1260)) (fun i_1263 result_1260 => + let '(result_1260) := + if ((seq_index (result_1260) (i_1263)) .% (@repr WORDSIZE128 3)) !=.? ( + @repr WORDSIZE128 0):bool then (let result_1260 := + seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( + i_1263)) .- (@repr WORDSIZE128 1)) in + let '(result_1260) := + if ((seq_index (result_1260) (i_1263)) .% ( + @repr WORDSIZE128 3)) !=.? (@repr WORDSIZE128 0):bool then ( + let result_1260 := + seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( + i_1263)) .+ (@repr WORDSIZE128 2)) in + (result_1260)) else ((result_1260)) in + (result_1260)) else ((result_1260)) in + (result_1260)) + result_1260 in + result_1260. + +Definition encrypt + (r_1264 : seq int128) + (h_1265 : seq int128) + (q_1266 : int128) + (irreducible_1267 : seq int128) + : seq int128 := + let pre_1268 : seq int128 := + mul_poly_irr (r_1264) (h_1265) (irreducible_1267) (q_1266) in + round_to_3 (pre_1268) (q_1266). + +Definition ntru_prime_653_encrypt + (r_1269 : seq int128) + (h_1270 : seq int128) + : seq int128 := + let p_1271 : uint_size := + usize 653 in + let q_1272 : int128 := + @repr WORDSIZE128 4621 in + let w_1273 : uint_size := + usize 288 in + let irreducible_1274 : seq int128 := + build_irreducible (p_1271) in + encrypt (r_1269) (h_1270) (q_1272) (irreducible_1274). + +Definition ntru_prime_653_decrypt + (c_1275 : seq int128) + (key_f_1276 : seq int128) + (key_v_1277 : seq int128) + : (seq int128 '× bool) := + let p_1278 : uint_size := + usize 653 in + let q_1279 : int128 := + @repr WORDSIZE128 4621 in + let w_1280 : uint_size := + usize 288 in + let irreducible_1281 : seq int128 := + build_irreducible (p_1278) in + let f_c_1282 : seq int128 := + mul_poly_irr (key_f_1276) (c_1275) (irreducible_1281) (q_1279) in + let f_3_c_and_decryption_ok_1283 : (seq int128 '× bool) := + poly_to_ring (irreducible_1281) (add_poly (f_c_1282) (add_poly (f_c_1282) ( + f_c_1282) (q_1279)) (q_1279)) (q_1279) in + let '(f_3_c_1284, ok_decrypt_1285) := + f_3_c_and_decryption_ok_1283 in + let f_3_c_1286 : seq int128 := + f_3_c_1284 in + let q_12_1287 : int128 := + ((q_1279) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in + let f_3_c_1286 := + foldi (usize 0) (seq_len (f_3_c_1286)) (fun i_1288 f_3_c_1286 => + let '(f_3_c_1286) := + if (seq_index (f_3_c_1286) (i_1288)) >.? (q_12_1287):bool then ( + let f_3_c_1286 := + seq_upd f_3_c_1286 (i_1288) ((seq_index (f_3_c_1286) (i_1288)) .- ( + q_1279)) in + (f_3_c_1286)) else ((f_3_c_1286)) in + (f_3_c_1286)) + f_3_c_1286 in + let e_1289 : seq int128 := + seq_new_ (default : int128) (seq_len (f_3_c_1286)) in + let e_1289 := + foldi (usize 0) (seq_len (e_1289)) (fun i_1290 e_1289 => + let e_1289 := + seq_upd e_1289 (i_1290) ((seq_index (f_3_c_1286) (i_1290)) .% ( + @repr WORDSIZE128 3)) in + (e_1289)) + e_1289 in + let e_1289 := + make_positive (e_1289) (@repr WORDSIZE128 3) in + let r_1291 : seq int128 := + mul_poly_irr (e_1289) (key_v_1277) (irreducible_1281) ( + @repr WORDSIZE128 3) in + let r_1291 := + foldi (usize 0) (seq_len (r_1291)) (fun i_1292 r_1291 => + let '(r_1291) := + if (seq_index (r_1291) (i_1292)) =.? (@repr WORDSIZE128 2):bool then ( + let r_1291 := + seq_upd r_1291 (i_1292) (- (@repr WORDSIZE128 1)) in + (r_1291)) else ((r_1291)) in + (r_1291)) + r_1291 in + (r_1291, ok_decrypt_1285). + diff --git a/proof-libs/coq/src/Hacspec_P256.v b/proof-libs/coq/src/Hacspec_P256.v new file mode 100644 index 000000000..676c262d4 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_P256.v @@ -0,0 +1,494 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Inductive error_t := +| InvalidAddition : error_t. + +Definition bits_v : uint_size := + usize 256. + +Definition field_canvas_t := nseq (int8) (32). +Definition p256_field_element_t := + nat_mod 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition p256_scalar_t := + nat_mod 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551. + +Notation "'affine_t'" := ((p256_field_element_t '× p256_field_element_t +)) : hacspec_scope. + +Notation "'affine_result_t'" := ((result affine_t error_t)) : hacspec_scope. + +Notation "'p256_jacobian_t'" := (( + p256_field_element_t '× + p256_field_element_t '× + p256_field_element_t +)) : hacspec_scope. + +Notation "'jacobian_result_t'" := (( + result p256_jacobian_t error_t)) : hacspec_scope. + +Definition element_t := nseq (uint8) (usize 32). + +Definition jacobian_to_affine (p_569 : p256_jacobian_t) : affine_t := + let '(x_570, y_571, z_572) := + p_569 in + let z2_573 : p256_field_element_t := + nat_mod_exp (z_572) (@repr WORDSIZE32 2) in + let z2i_574 : p256_field_element_t := + nat_mod_inv (z2_573) in + let z3_575 : p256_field_element_t := + (z_572) *% (z2_573) in + let z3i_576 : p256_field_element_t := + nat_mod_inv (z3_575) in + let x_577 : p256_field_element_t := + (x_570) *% (z2i_574) in + let y_578 : p256_field_element_t := + (y_571) *% (z3i_576) in + (x_577, y_578). + +Definition affine_to_jacobian (p_579 : affine_t) : p256_jacobian_t := + let '(x_580, y_581) := + p_579 in + ( + x_580, + y_581, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t + ). + +Definition point_double (p_582 : p256_jacobian_t) : p256_jacobian_t := + let '(x1_583, y1_584, z1_585) := + p_582 in + let delta_586 : p256_field_element_t := + nat_mod_exp (z1_585) (@repr WORDSIZE32 2) in + let gamma_587 : p256_field_element_t := + nat_mod_exp (y1_584) (@repr WORDSIZE32 2) in + let beta_588 : p256_field_element_t := + (x1_583) *% (gamma_587) in + let alpha_1_589 : p256_field_element_t := + (x1_583) -% (delta_586) in + let alpha_2_590 : p256_field_element_t := + (x1_583) +% (delta_586) in + let alpha_591 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% ((alpha_1_589) *% ( + alpha_2_590)) in + let x3_592 : p256_field_element_t := + (nat_mod_exp (alpha_591) (@repr WORDSIZE32 2)) -% ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 8) : p256_field_element_t) *% (beta_588)) in + let z3_593 : p256_field_element_t := + nat_mod_exp ((y1_584) +% (z1_585)) (@repr WORDSIZE32 2) in + let z3_594 : p256_field_element_t := + (z3_593) -% ((gamma_587) +% (delta_586)) in + let y3_1_595 : p256_field_element_t := + ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 4) : p256_field_element_t) *% (beta_588)) -% ( + x3_592) in + let y3_2_596 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 8) : p256_field_element_t) *% ((gamma_587) *% ( + gamma_587)) in + let y3_597 : p256_field_element_t := + ((alpha_591) *% (y3_1_595)) -% (y3_2_596) in + (x3_592, y3_597, z3_594). + +Definition is_point_at_infinity (p_598 : p256_jacobian_t) : bool := + let '(x_599, y_600, z_601) := + p_598 in + nat_mod_equal (z_601) (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t). + +Definition s1_equal_s2 + (s1_602 : p256_field_element_t) + (s2_603 : p256_field_element_t) + : jacobian_result_t := + (if (nat_mod_equal (s1_602) (s2_603)):bool then ( + @Err p256_jacobian_t error_t (InvalidAddition)) else ( + @Ok p256_jacobian_t error_t (( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t + )))). + +Definition point_add_jacob + (p_604 : p256_jacobian_t) + (q_605 : p256_jacobian_t) + : jacobian_result_t := + let result_606 : (result p256_jacobian_t error_t) := + @Ok p256_jacobian_t error_t (q_605) in + let '(result_606) := + if negb (is_point_at_infinity (p_604)):bool then (let '(result_606) := + if is_point_at_infinity (q_605):bool then (let result_606 := + @Ok p256_jacobian_t error_t (p_604) in + (result_606)) else (let '(x1_607, y1_608, z1_609) := + p_604 in + let '(x2_610, y2_611, z2_612) := + q_605 in + let z1z1_613 : p256_field_element_t := + nat_mod_exp (z1_609) (@repr WORDSIZE32 2) in + let z2z2_614 : p256_field_element_t := + nat_mod_exp (z2_612) (@repr WORDSIZE32 2) in + let u1_615 : p256_field_element_t := + (x1_607) *% (z2z2_614) in + let u2_616 : p256_field_element_t := + (x2_610) *% (z1z1_613) in + let s1_617 : p256_field_element_t := + ((y1_608) *% (z2_612)) *% (z2z2_614) in + let s2_618 : p256_field_element_t := + ((y2_611) *% (z1_609)) *% (z1z1_613) in + let '(result_606) := + if nat_mod_equal (u1_615) (u2_616):bool then (let result_606 := + s1_equal_s2 (s1_617) (s2_618) in + (result_606)) else (let h_619 : p256_field_element_t := + (u2_616) -% (u1_615) in + let i_620 : p256_field_element_t := + nat_mod_exp ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (h_619)) ( + @repr WORDSIZE32 2) in + let j_621 : p256_field_element_t := + (h_619) *% (i_620) in + let r_622 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (( + s2_618) -% (s1_617)) in + let v_623 : p256_field_element_t := + (u1_615) *% (i_620) in + let x3_1_624 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (v_623) in + let x3_2_625 : p256_field_element_t := + (nat_mod_exp (r_622) (@repr WORDSIZE32 2)) -% (j_621) in + let x3_626 : p256_field_element_t := + (x3_2_625) -% (x3_1_624) in + let y3_1_627 : p256_field_element_t := + ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% ( + s1_617)) *% (j_621) in + let y3_2_628 : p256_field_element_t := + (r_622) *% ((v_623) -% (x3_626)) in + let y3_629 : p256_field_element_t := + (y3_2_628) -% (y3_1_627) in + let z3_630 : p256_field_element_t := + nat_mod_exp ((z1_609) +% (z2_612)) (@repr WORDSIZE32 2) in + let z3_631 : p256_field_element_t := + ((z3_630) -% ((z1z1_613) +% (z2z2_614))) *% (h_619) in + let result_606 := + @Ok p256_jacobian_t error_t ((x3_626, y3_629, z3_631)) in + (result_606)) in + (result_606)) in + (result_606)) else ((result_606)) in + result_606. + +Definition ltr_mul + (k_632 : p256_scalar_t) + (p_633 : p256_jacobian_t) + : jacobian_result_t := + let q_634 : ( + p256_field_element_t '× + p256_field_element_t '× + p256_field_element_t + ) := + ( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t + ) in + bind (foldibnd (usize 0) to (bits_v) for q_634 >> (fun i_635 q_634 => + let q_634 := + point_double (q_634) in + ifbnd nat_mod_equal (nat_mod_get_bit (k_632) (((bits_v) - (usize 1)) - ( + i_635))) (nat_mod_one ) : bool + thenbnd (bind (point_add_jacob (q_634) (p_633)) (fun q_634 => @Ok ( + ( + p256_field_element_t '× + p256_field_element_t '× + p256_field_element_t + ) + ) error_t ((q_634)))) + else ((q_634)) >> (fun '(q_634) => + @Ok ( + (p256_field_element_t '× p256_field_element_t '× p256_field_element_t) + ) error_t ((q_634))))) (fun q_634 => @Ok p256_jacobian_t error_t (q_634)). + +Definition p256_point_mul + (k_636 : p256_scalar_t) + (p_637 : affine_t) + : affine_result_t := + bind (ltr_mul (k_636) (affine_to_jacobian (p_637))) (fun jac_638 => + @Ok affine_t error_t (jacobian_to_affine (jac_638))). + +Definition p256_point_mul_base (k_639 : p256_scalar_t) : affine_result_t := + let base_point_640 : (p256_field_element_t '× p256_field_element_t) := + ( + nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 225) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 71) : int8; + secret (@repr WORDSIZE8 248) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 230) : int8; + secret (@repr WORDSIZE8 229) : int8; + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 164) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 125) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 244) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 150) : int8 + ] in l))) : p256_field_element_t, + nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 22) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 87) : int8; + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 203) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 245) : int8 + ] in l))) : p256_field_element_t + ) in + p256_point_mul (k_639) (base_point_640). + +Definition point_add_distinct + (p_641 : affine_t) + (q_642 : affine_t) + : affine_result_t := + bind (point_add_jacob (affine_to_jacobian (p_641)) (affine_to_jacobian ( + q_642))) (fun r_643 => @Ok affine_t error_t (jacobian_to_affine ( + r_643))). + +Definition point_add (p_644 : affine_t) (q_645 : affine_t) : affine_result_t := + (if ((p_644) !=.? (q_645)):bool then (point_add_distinct (p_644) ( + q_645)) else (@Ok affine_t error_t (jacobian_to_affine (point_double ( + affine_to_jacobian (p_644)))))). + +Definition p256_validate_private_key (k_646 : byte_seq) : bool := + let valid_647 : bool := + true in + let k_element_648 : p256_scalar_t := + nat_mod_from_byte_seq_be (k_646) : p256_scalar_t in + let k_element_bytes_649 : seq uint8 := + nat_mod_to_byte_seq_be (k_element_648) in + let all_zero_650 : bool := + true in + let '(valid_647, all_zero_650) := + foldi (usize 0) (seq_len (k_646)) (fun i_651 '(valid_647, all_zero_650) => + let '(all_zero_650) := + if negb (uint8_equal (seq_index (k_646) (i_651)) (secret ( + @repr WORDSIZE8 0) : int8)):bool then (let all_zero_650 := + false in + (all_zero_650)) else ((all_zero_650)) in + let '(valid_647) := + if negb (uint8_equal (seq_index (k_element_bytes_649) (i_651)) ( + seq_index (k_646) (i_651))):bool then (let valid_647 := + false in + (valid_647)) else ((valid_647)) in + (valid_647, all_zero_650)) + (valid_647, all_zero_650) in + (valid_647) && (negb (all_zero_650)). + +Definition p256_validate_public_key (p_652 : affine_t) : bool := + let b_653 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 75) : int8 + ]) : p256_field_element_t in + let point_at_infinity_654 : bool := + is_point_at_infinity (affine_to_jacobian (p_652)) in + let '(x_655, y_656) := + p_652 in + let on_curve_657 : bool := + ((y_656) *% (y_656)) =.? (((((x_655) *% (x_655)) *% (x_655)) -% (( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% (x_655))) +% ( + b_653)) in + (negb (point_at_infinity_654)) && (on_curve_657). + +Definition p256_calculate_w + (x_658 : p256_field_element_t) + : p256_field_element_t := + let b_659 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 75) : int8 + ]) : p256_field_element_t in + let exp_660 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 63) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 192) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8 + ]) : p256_field_element_t in + let z_661 : p256_field_element_t := + ((((x_658) *% (x_658)) *% (x_658)) -% ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% (x_658))) +% ( + b_659) in + let w_662 : p256_field_element_t := + nat_mod_pow_felem (z_661) (exp_660) in + w_662. + diff --git a/proof-libs/coq/src/Hacspec_Poly1305.v b/proof-libs/coq/src/Hacspec_Poly1305.v new file mode 100644 index 000000000..745854dec --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Poly1305.v @@ -0,0 +1,147 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition poly_key_t := nseq (uint8) (usize 32). + +Definition blocksize_v : uint_size := + usize 16. + +Definition poly_block_t := nseq (uint8) (usize 16). + +Definition poly1305_tag_t := nseq (uint8) (usize 16). + +Notation "'sub_block_t'" := (byte_seq) : hacspec_scope. + +Notation "'block_index_t'" := (uint_size) : hacspec_scope. + +Definition field_canvas_t := nseq (int8) (17). +Definition field_element_t := nat_mod 0x03fffffffffffffffffffffffffffffffb. + +Notation "'poly_state_t'" := (( + field_element_t '× + field_element_t '× + poly_key_t +)) : hacspec_scope. + +Definition poly1305_encode_r (b_435 : poly_block_t) : field_element_t := + let n_436 : uint128 := + uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_435))) in + let n_436 := + (n_436) .& (secret ( + @repr WORDSIZE128 21267647620597763993911028882763415551) : int128) in + nat_mod_from_secret_literal (n_436). + +Definition poly1305_encode_block (b_437 : poly_block_t) : field_element_t := + let n_438 : uint128 := + uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_437))) in + let f_439 : field_element_t := + nat_mod_from_secret_literal (n_438) in + (f_439) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ( + usize 128) : field_element_t). + +Definition poly1305_encode_last + (pad_len_440 : block_index_t) + (b_441 : sub_block_t) + : field_element_t := + let n_442 : uint128 := + uint128_from_le_bytes (array_from_slice (default : uint8) (16) (b_441) ( + usize 0) (seq_len (b_441))) in + let f_443 : field_element_t := + nat_mod_from_secret_literal (n_442) in + (f_443) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ((usize 8) * ( + pad_len_440)) : field_element_t). + +Definition poly1305_init (k_444 : poly_key_t) : poly_state_t := + let r_445 : field_element_t := + poly1305_encode_r (array_from_slice (default : uint8) (16) ( + array_to_seq (k_444)) (usize 0) (usize 16)) in + (nat_mod_zero , r_445, k_444). + +Definition poly1305_update_block + (b_446 : poly_block_t) + (st_447 : poly_state_t) + : poly_state_t := + let '(acc_448, r_449, k_450) := + st_447 in + (((poly1305_encode_block (b_446)) +% (acc_448)) *% (r_449), r_449, k_450). + +Definition poly1305_update_blocks + (m_451 : byte_seq) + (st_452 : poly_state_t) + : poly_state_t := + let st_453 : (field_element_t '× field_element_t '× poly_key_t) := + st_452 in + let n_blocks_454 : uint_size := + (seq_len (m_451)) / (blocksize_v) in + let st_453 := + foldi (usize 0) (n_blocks_454) (fun i_455 st_453 => + let block_456 : poly_block_t := + array_from_seq (16) (seq_get_exact_chunk (m_451) (blocksize_v) ( + i_455)) in + let st_453 := + poly1305_update_block (block_456) (st_453) in + (st_453)) + st_453 in + st_453. + +Definition poly1305_update_last + (pad_len_457 : uint_size) + (b_458 : sub_block_t) + (st_459 : poly_state_t) + : poly_state_t := + let st_460 : (field_element_t '× field_element_t '× poly_key_t) := + st_459 in + let '(st_460) := + if (seq_len (b_458)) !=.? (usize 0):bool then (let '(acc_461, r_462, k_463 + ) := + st_460 in + let st_460 := + ( + ((poly1305_encode_last (pad_len_457) (b_458)) +% (acc_461)) *% ( + r_462), + r_462, + k_463 + ) in + (st_460)) else ((st_460)) in + st_460. + +Definition poly1305_update + (m_464 : byte_seq) + (st_465 : poly_state_t) + : poly_state_t := + let st_466 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_update_blocks (m_464) (st_465) in + let last_467 : seq uint8 := + seq_get_remainder_chunk (m_464) (blocksize_v) in + poly1305_update_last (seq_len (last_467)) (last_467) (st_466). + +Definition poly1305_finish (st_468 : poly_state_t) : poly1305_tag_t := + let '(acc_469, _, k_470) := + st_468 in + let n_471 : uint128 := + uint128_from_le_bytes (array_from_slice (default : uint8) (16) ( + array_to_seq (k_470)) (usize 16) (usize 16)) in + let aby_472 : seq uint8 := + nat_mod_to_byte_seq_le (acc_469) in + let a_473 : uint128 := + uint128_from_le_bytes (array_from_slice (default : uint8) (16) (aby_472) ( + usize 0) (usize 16)) in + array_from_seq (16) (array_to_seq (uint128_to_le_bytes ((a_473) .+ (n_471)))). + +Definition poly1305 + (m_474 : byte_seq) + (key_475 : poly_key_t) + : poly1305_tag_t := + let st_476 : (field_element_t '× field_element_t '× poly_key_t) := + poly1305_init (key_475) in + let st_476 := + poly1305_update (m_474) (st_476) in + poly1305_finish (st_476). + diff --git a/proof-libs/coq/src/Hacspec_Riot_Bootloader.v b/proof-libs/coq/src/Hacspec_Riot_Bootloader.v new file mode 100644 index 000000000..32f8905cf --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Riot_Bootloader.v @@ -0,0 +1,184 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition riotboot_magic_v : int32 := + @repr WORDSIZE32 1414482258. + +Notation "'fletcher_t'" := ((int32 '× int32)) : hacspec_scope. + +Definition new_fletcher : fletcher_t := + (@repr WORDSIZE32 65535, @repr WORDSIZE32 65535). + +Definition max_chunk_size : uint_size := + usize 360. + +Definition reduce_u32 (x_1293 : int32) : int32 := + ((x_1293) .& (@repr WORDSIZE32 65535)) .+ ((x_1293) shift_right ( + @repr WORDSIZE32 16)). + +Definition combine (lower_1294 : int32) (upper_1295 : int32) : int32 := + (lower_1294) .| ((upper_1295) shift_left (@repr WORDSIZE32 16)). + +Definition update_fletcher + (f_1296 : fletcher_t) + (data_1297 : seq int16) + : fletcher_t := + let max_chunk_size_1298 : uint_size := + max_chunk_size in + let '(a_1299, b_1300) := + f_1296 in + let '(a_1299, b_1300) := + foldi (usize 0) (seq_num_chunks (data_1297) ( + max_chunk_size_1298)) (fun i_1301 '(a_1299, b_1300) => + let '(chunk_len_1302, chunk_1303) := + seq_get_chunk (data_1297) (max_chunk_size_1298) (i_1301) in + let intermediate_a_1304 : int32 := + a_1299 in + let intermediate_b_1305 : int32 := + b_1300 in + let '(intermediate_a_1304, intermediate_b_1305) := + foldi (usize 0) (chunk_len_1302) (fun j_1306 '( + intermediate_a_1304, + intermediate_b_1305 + ) => + let intermediate_a_1304 := + (intermediate_a_1304) .+ (@cast _ uint32 _ (seq_index (chunk_1303) ( + j_1306))) in + let intermediate_b_1305 := + (intermediate_b_1305) .+ (intermediate_a_1304) in + (intermediate_a_1304, intermediate_b_1305)) + (intermediate_a_1304, intermediate_b_1305) in + let a_1299 := + reduce_u32 (intermediate_a_1304) in + let b_1300 := + reduce_u32 (intermediate_b_1305) in + (a_1299, b_1300)) + (a_1299, b_1300) in + let a_1299 := + reduce_u32 (a_1299) in + let b_1300 := + reduce_u32 (b_1300) in + (a_1299, b_1300). + +Definition value (x_1307 : fletcher_t) : int32 := + let '(a_1308, b_1309) := + x_1307 in + combine (a_1308) (b_1309). + +Notation "'header_t'" := ((int32 '× int32 '× int32 '× int32 +)) : hacspec_scope. + +Definition header_as_u16_slice (h_1310 : header_t) : seq int16 := + let '(magic_1311, seq_number_1312, start_addr_1313, _) := + h_1310 in + let magic_1314 : u32_word_t := + u32_to_be_bytes (magic_1311) in + let seq_number_1315 : u32_word_t := + u32_to_be_bytes (seq_number_1312) in + let start_addr_1316 : u32_word_t := + u32_to_be_bytes (start_addr_1313) in + let u8_seq_1317 : seq int8 := + seq_new_ (default : int8) (usize 12) in + let u8_seq_1318 : seq int8 := + seq_update_slice (u8_seq_1317) (usize 0) (array_to_seq (magic_1314)) ( + usize 0) (usize 4) in + let u8_seq_1319 : seq int8 := + seq_update_slice (u8_seq_1318) (usize 4) (array_to_seq (seq_number_1315)) ( + usize 0) (usize 4) in + let u8_seq_1320 : seq int8 := + seq_update_slice (u8_seq_1319) (usize 8) (array_to_seq (start_addr_1316)) ( + usize 0) (usize 4) in + let u16_seq_1321 : seq int16 := + seq_new_ (default : int16) (usize 6) in + let u16_seq_1321 := + foldi (usize 0) (usize 3) (fun i_1322 u16_seq_1321 => + let u16_word_1323 : u16_word_t := + array_from_seq (2) (seq_slice (u8_seq_1320) ((i_1322) * (usize 4)) ( + usize 2)) in + let u16_value_1324 : int16 := + u16_from_be_bytes (u16_word_1323) in + let u16_seq_1321 := + seq_upd u16_seq_1321 (((usize 2) * (i_1322)) + (usize 1)) ( + u16_value_1324) in + let u16_word_1325 : u16_word_t := + array_from_seq (2) (seq_slice (u8_seq_1320) (((i_1322) * (usize 4)) + ( + usize 2)) (usize 2)) in + let u16_value_1326 : int16 := + u16_from_be_bytes (u16_word_1325) in + let u16_seq_1321 := + seq_upd u16_seq_1321 ((usize 2) * (i_1322)) (u16_value_1326) in + (u16_seq_1321)) + u16_seq_1321 in + u16_seq_1321. + +Definition is_valid_header (h_1327 : header_t) : bool := + let '(magic_number_1328, seq_number_1329, start_addr_1330, checksum_1331) := + h_1327 in + let slice_1332 : seq int16 := + header_as_u16_slice (( + magic_number_1328, + seq_number_1329, + start_addr_1330, + checksum_1331 + )) in + let result_1333 : bool := + false in + let '(result_1333) := + if (magic_number_1328) =.? (riotboot_magic_v):bool then ( + let fletcher_1334 : (int32 '× int32) := + new_fletcher in + let fletcher_1335 : (int32 '× int32) := + update_fletcher (fletcher_1334) (slice_1332) in + let sum_1336 : int32 := + value (fletcher_1335) in + let result_1333 := + (sum_1336) =.? (checksum_1331) in + (result_1333)) else ((result_1333)) in + result_1333. + +Definition choose_image (images_1337 : seq header_t) : (bool '× int32) := + let image_1338 : int32 := + @repr WORDSIZE32 0 in + let image_found_1339 : bool := + false in + let '(image_1338, image_found_1339) := + foldi (usize 0) (seq_len (images_1337)) (fun i_1340 '( + image_1338, + image_found_1339 + ) => + let header_1341 : (int32 '× int32 '× int32 '× int32) := + seq_index (images_1337) (i_1340) in + let '(magic_number_1342, seq_number_1343, start_addr_1344, checksum_1345 + ) := + header_1341 in + let '(image_1338, image_found_1339) := + if is_valid_header (( + magic_number_1342, + seq_number_1343, + start_addr_1344, + checksum_1345 + )):bool then (let change_image_1346 : bool := + negb ((image_found_1339) && ((seq_number_1343) <=.? ( + image_1338))) in + let '(image_1338, image_found_1339) := + if change_image_1346:bool then (let image_1338 := + start_addr_1344 in + let image_found_1339 := + true in + (image_1338, image_found_1339)) else (( + image_1338, + image_found_1339 + )) in + (image_1338, image_found_1339)) else ((image_1338, image_found_1339 + )) in + (image_1338, image_found_1339)) + (image_1338, image_found_1339) in + (image_found_1339, image_1338). + diff --git a/proof-libs/coq/src/Hacspec_Riot_Runqueue.v b/proof-libs/coq/src/Hacspec_Riot_Runqueue.v new file mode 100644 index 000000000..31ad634c8 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Riot_Runqueue.v @@ -0,0 +1,224 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition uint32_bits_v : uint_size := + (usize 4) * (usize 8). + +Definition n_queues_v : uint_size := + usize 20. + +Definition n_threads_v : uint_size := + usize 30. + +Definition sentinel_v : int8 := + @repr WORDSIZE8 255. + +Inductive runqueue_id_t := +| RunqueueId : int8 -> runqueue_id_t. + +Inductive thread_id_t := +| ThreadId : int8 -> thread_id_t. + +Definition tail_t := nseq (int8) (n_queues_v). + +Definition next_ids_t := nseq (int8) (n_threads_v). + +Inductive clist_t := +| Clist : (tail_t '× next_ids_t) -> clist_t. + +Definition clist_new : clist_t := + let tail_1347 : tail_t := + array_new_ (default : int8) (n_queues_v) in + let tail_1347 := + foldi (usize 0) (array_len (tail_1347)) (fun i_1348 tail_1347 => + let tail_1347 := + array_upd tail_1347 (i_1348) (sentinel_v) in + (tail_1347)) + tail_1347 in + let next_idxs_1349 : next_ids_t := + array_new_ (default : int8) (n_threads_v) in + let next_idxs_1349 := + foldi (usize 0) (array_len (next_idxs_1349)) (fun i_1350 next_idxs_1349 => + let next_idxs_1349 := + array_upd next_idxs_1349 (i_1350) (sentinel_v) in + (next_idxs_1349)) + next_idxs_1349 in + Clist ((tail_1347, next_idxs_1349)). + +Definition clist_is_empty (x_1351 : clist_t) (rq_1352 : runqueue_id_t) : bool := + let 'RunqueueId (rq_1353) := + rq_1352 in + let 'Clist ((tail_1354, next_ids_1355)) := + x_1351 in + (array_index (tail_1354) (@cast _ uint32 _ (rq_1353))) =.? (sentinel_v). + +Definition clist_push + (x_1356 : clist_t) + (n_1357 : thread_id_t) + (rq_1358 : runqueue_id_t) + : clist_t := + let 'RunqueueId (rq_1359) := + rq_1358 in + let 'ThreadId (n_1360) := + n_1357 in + let 'Clist ((tail_1361, next_idxs_1362)) := + x_1356 in + let '(tail_1361, next_idxs_1362) := + if (array_index (next_idxs_1362) (@cast _ uint32 _ (n_1360))) =.? ( + sentinel_v):bool then (let '(tail_1361, next_idxs_1362) := + if (array_index (tail_1361) (@cast _ uint32 _ (rq_1359))) =.? ( + sentinel_v):bool then (let tail_1361 := + array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in + let next_idxs_1362 := + array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (n_1360) in + (tail_1361, next_idxs_1362)) else (let next_idxs_1362 := + array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (array_index ( + next_idxs_1362) (@cast _ uint32 _ (array_index (tail_1361) ( + @cast _ uint32 _ (rq_1359))))) in + let next_idxs_1362 := + array_upd next_idxs_1362 (@cast _ uint32 _ (array_index ( + tail_1361) (@cast _ uint32 _ (rq_1359)))) (n_1360) in + let tail_1361 := + array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in + (tail_1361, next_idxs_1362)) in + (tail_1361, next_idxs_1362)) else ((tail_1361, next_idxs_1362)) in + Clist ((tail_1361, next_idxs_1362)). + +Definition clist_pop_head + (x_1363 : clist_t) + (rq_1364 : runqueue_id_t) + : (clist_t '× (option int8)) := + let 'RunqueueId (rq_1365) := + rq_1364 in + let 'Clist ((tail_1366, next_idxs_1367)) := + x_1363 in + let out_1368 : (option int8) := + @None int8 in + let '(tail_1366, next_idxs_1367, out_1368) := + if (array_index (tail_1366) (@cast _ uint32 _ (rq_1365))) =.? ( + sentinel_v):bool then ((tail_1366, next_idxs_1367, out_1368)) else ( + let head_1369 : int8 := + array_index (next_idxs_1367) (@cast _ uint32 _ (array_index ( + tail_1366) (@cast _ uint32 _ (rq_1365)))) in + let '(tail_1366, next_idxs_1367) := + if (head_1369) =.? (array_index (tail_1366) (@cast _ uint32 _ ( + rq_1365))):bool then (let tail_1366 := + array_upd tail_1366 (@cast _ uint32 _ (rq_1365)) (sentinel_v) in + (tail_1366, next_idxs_1367)) else (let next_idxs_1367 := + array_upd next_idxs_1367 (@cast _ uint32 _ (array_index ( + tail_1366) (@cast _ uint32 _ (rq_1365)))) (array_index ( + next_idxs_1367) (@cast _ uint32 _ (head_1369))) in + (tail_1366, next_idxs_1367)) in + let next_idxs_1367 := + array_upd next_idxs_1367 (@cast _ uint32 _ (head_1369)) (sentinel_v) in + let out_1368 := + @Some int8 (head_1369) in + (tail_1366, next_idxs_1367, out_1368)) in + (Clist ((tail_1366, next_idxs_1367)), out_1368). + +Definition clist_peek_head + (x_1370 : clist_t) + (rq_1371 : runqueue_id_t) + : (option int8) := + let 'RunqueueId (rq_1372) := + rq_1371 in + let 'Clist ((tail_1373, next_idxs_1374)) := + x_1370 in + (if ((array_index (tail_1373) (@cast _ uint32 _ (rq_1372))) =.? ( + sentinel_v)):bool then (@None int8) else (@Some int8 (array_index ( + next_idxs_1374) (@cast _ uint32 _ (array_index (tail_1373) ( + @cast _ uint32 _ (rq_1372))))))). + +Definition clist_advance + (x_1375 : clist_t) + (rq_1376 : runqueue_id_t) + : clist_t := + let 'RunqueueId (rq_1377) := + rq_1376 in + let 'Clist ((tail_1378, next_idxs_1379)) := + x_1375 in + let '(tail_1378) := + if (array_index (tail_1378) (@cast _ uint32 _ (rq_1377))) !=.? ( + sentinel_v):bool then (let tail_1378 := + array_upd tail_1378 (@cast _ uint32 _ (rq_1377)) (array_index ( + next_idxs_1379) (@cast _ uint32 _ (array_index (tail_1378) ( + @cast _ uint32 _ (rq_1377))))) in + (tail_1378)) else ((tail_1378)) in + Clist ((tail_1378, next_idxs_1379)). + +Inductive run_queue_t := +| RunQueue : (int32 '× clist_t) -> run_queue_t. + +Definition runqueue_new : run_queue_t := + RunQueue ((@repr WORDSIZE32 0, clist_new )). + +Definition runqueue_add + (y_1380 : run_queue_t) + (n_1381 : thread_id_t) + (rq_1382 : runqueue_id_t) + : run_queue_t := + let 'RunqueueId (rq_u8_1383) := + rq_1382 in + let 'RunQueue ((bitcache_1384, queues_1385)) := + y_1380 in + let bitcache_1384 := + (bitcache_1384) .| ((@repr WORDSIZE32 1) shift_left (@cast _ uint32 _ ( + rq_u8_1383))) in + let queues_1385 := + clist_push (queues_1385) (n_1381) (rq_1382) in + RunQueue ((bitcache_1384, queues_1385)). + +Definition runqueue_del + (y_1386 : run_queue_t) + (n_1387 : thread_id_t) + (rq_1388 : runqueue_id_t) + : run_queue_t := + let 'RunqueueId (rq_u8_1389) := + rq_1388 in + let 'RunQueue ((bitcache_1390, queues_1391)) := + y_1386 in + let '(queues_1392, popped_1393) := + clist_pop_head (queues_1391) (rq_1388) in + let '(bitcache_1390) := + if clist_is_empty (queues_1392) (rq_1388):bool then (let bitcache_1390 := + (bitcache_1390) .& (not ((@repr WORDSIZE32 1) shift_left ( + @cast _ uint32 _ (rq_u8_1389)))) in + (bitcache_1390)) else ((bitcache_1390)) in + RunQueue ((bitcache_1390, queues_1392)). + +Definition runqueue_ffs (val_1394 : int32) : int32 := + (pub_u32 (uint32_bits_v)) .- (pub_uint32_leading_zeros (val_1394)). + +Definition runqueue_get_next (y_1395 : run_queue_t) : (option int8) := + let 'RunQueue ((bitcache_1396, queues_1397)) := + y_1395 in + let rq_ffs_1398 : int32 := + runqueue_ffs ((bitcache_1396)) in + let out_1399 : (option int8) := + @None int8 in + let '(out_1399) := + if (rq_ffs_1398) >.? (@repr WORDSIZE32 0):bool then ( + let rq_1400 : runqueue_id_t := + RunqueueId (@cast _ uint8 _ ((rq_ffs_1398) .- (@repr WORDSIZE32 1))) in + let out_1399 := + clist_peek_head (queues_1397) (rq_1400) in + (out_1399)) else ((out_1399)) in + out_1399. + +Definition runqueue_advance + (y_1401 : run_queue_t) + (rq_1402 : runqueue_id_t) + : run_queue_t := + let 'RunQueue ((bitcache_1403, queues_1404)) := + y_1401 in + let queues_1404 := + clist_advance (queues_1404) (rq_1402) in + RunQueue ((bitcache_1403, queues_1404)). + diff --git a/proof-libs/coq/src/Hacspec_Ristretto.v b/proof-libs/coq/src/Hacspec_Ristretto.v new file mode 100644 index 000000000..9672ef470 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Ristretto.v @@ -0,0 +1,700 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Notation "'ristretto_point_t'" := (( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t +)) : hacspec_scope. + +Notation "'decode_result_t'" := (( + result ristretto_point_t int8)) : hacspec_scope. + +Definition ristretto_point_encoded_t := nseq (uint8) (usize 32). + +Definition byte_string_t := nseq (uint8) (usize 64). + +Definition field_canvas_t := nseq (int8) (32). +Definition field_element_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. + +Definition decoding_error_v : int8 := + @repr WORDSIZE8 20. + +Definition p : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 237) : int8 + ]) : field_element_t. + +Definition d : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 140) : int8; + secret (@repr WORDSIZE8 199) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 232) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 117) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 202) : int8; + secret (@repr WORDSIZE8 19) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 163) : int8 + ]) : field_element_t. + +Definition sqrt_m1 : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 131) : int8; + secret (@repr WORDSIZE8 36) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 223) : int8; + secret (@repr WORDSIZE8 11) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 251) : int8; + secret (@repr WORDSIZE8 215) : int8; + secret (@repr WORDSIZE8 167) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 67) : int8; + secret (@repr WORDSIZE8 24) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 173) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 228) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 196) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 14) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 176) : int8 + ]) : field_element_t. + +Definition invsqrt_a_minus_d : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 137) : int8; + secret (@repr WORDSIZE8 5) : int8; + secret (@repr WORDSIZE8 207) : int8; + secret (@repr WORDSIZE8 175) : int8; + secret (@repr WORDSIZE8 252) : int8; + secret (@repr WORDSIZE8 162) : int8; + secret (@repr WORDSIZE8 22) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 123) : int8; + secret (@repr WORDSIZE8 145) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 157) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 22) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 190) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 200) : int8; + secret (@repr WORDSIZE8 253) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 93) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 234) : int8 + ]) : field_element_t. + +Definition sqrt_ad_minus_one : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 105) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 131) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 172) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 252) : int8; + secret (@repr WORDSIZE8 201) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 245) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 253) : int8; + secret (@repr WORDSIZE8 175) : int8; + secret (@repr WORDSIZE8 157) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 12) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 84) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 126) : int8; + secret (@repr WORDSIZE8 151) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 73) : int8; + secret (@repr WORDSIZE8 123) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 27) : int8 + ]) : field_element_t. + +Definition one_minus_d_sq : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 144) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 178) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 224) : int8; + secret (@repr WORDSIZE8 215) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 148) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 221) : int8; + secret (@repr WORDSIZE8 190) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 223) : int8; + secret (@repr WORDSIZE8 228) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 56) : int8; + secret (@repr WORDSIZE8 205) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 9) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 148) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 118) : int8 + ]) : field_element_t. + +Definition d_minus_one_sq : field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 122) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 34) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 220) : int8; + secret (@repr WORDSIZE8 211) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 30) : int8; + secret (@repr WORDSIZE8 25) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 173) : int8; + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 68) : int8; + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 32) : int8 + ]) : field_element_t. + +Definition base_point_encoded : ristretto_point_encoded_t := + array_from_seq (32) ([ + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 174) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 106) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 113) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 132) : int8; + secret (@repr WORDSIZE8 169) : int8; + secret (@repr WORDSIZE8 97) : int8; + secret (@repr WORDSIZE8 197) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 11) : int8; + secret (@repr WORDSIZE8 106) : int8; + secret (@repr WORDSIZE8 165) : int8; + secret (@repr WORDSIZE8 130) : int8; + secret (@repr WORDSIZE8 221) : int8; + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 166) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 224) : int8; + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 118) : int8 + ]). + +Definition base_point : ristretto_point_t := + result_unwrap (decode (base_point_encoded )). + +Definition identity_point : ristretto_point_t := + (fe (usize 0), fe (usize 1), fe (usize 1), fe (usize 0)). + +Definition fe (x_740 : uint_size) : field_element_t := + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + pub_u128 (x_740)) : field_element_t. + +Definition geq_p (x_741 : seq uint8) : bool := + let p_seq_742 : seq uint8 := + [ + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 127) : int8 + ] in + let res_743 : bool := + true in + let res_743 := + foldi (usize 0) (seq_len (p_seq_742)) (fun index_744 res_743 => + let x_index_745 : int8 := + uint8_declassify (seq_index (x_741) (index_744)) in + let p_index_746 : int8 := + uint8_declassify (seq_index (p_seq_742) (index_744)) in + let '(res_743) := + if (x_index_745) !=.? (p_index_746):bool then (let res_743 := + (x_index_745) >.? (p_index_746) in + (res_743)) else ((res_743)) in + (res_743)) + res_743 in + res_743. + +Definition is_negative (e_747 : field_element_t) : bool := + ((e_747) rem (fe (usize 2))) =.? (fe (usize 1)). + +Definition eq (u_748 : field_element_t) (v_749 : field_element_t) : bool := + (u_748) =.? (v_749). + +Definition select + (u_750 : field_element_t) + (cond_751 : bool) + (v_752 : field_element_t) + : field_element_t := + (if (cond_751):bool then (u_750) else (v_752)). + +Definition neg_fe (u_753 : field_element_t) : field_element_t := + (fe (usize 0)) -% (u_753). + +Definition abs (u_754 : field_element_t) : field_element_t := + select (neg_fe (u_754)) (is_negative (u_754)) (u_754). + +Definition sqrt_ratio_m1 + (u_755 : field_element_t) + (v_756 : field_element_t) + : (bool '× field_element_t) := + let v3_757 : field_element_t := + (nat_mod_pow (v_756) (@repr WORDSIZE128 2)) *% (v_756) in + let v7_758 : field_element_t := + (nat_mod_pow (v3_757) (@repr WORDSIZE128 2)) *% (v_756) in + let r_759 : field_element_t := + ((u_755) *% (v3_757)) *% (nat_mod_pow_felem ((u_755) *% (v7_758)) ((( + p ) -% (fe (usize 5))) /% (fe (usize 8)))) in + let check_760 : field_element_t := + (v_756) *% (nat_mod_pow (r_759) (@repr WORDSIZE128 2)) in + let correct_sign_sqrt_761 : bool := + eq (check_760) (u_755) in + let flipped_sign_sqrt_762 : bool := + eq (check_760) (neg_fe (u_755)) in + let flipped_sign_sqrt_i_763 : bool := + eq (check_760) ((neg_fe (u_755)) *% (sqrt_m1 )) in + let r_prime_764 : field_element_t := + (sqrt_m1 ) *% (r_759) in + let r_759 := + select (r_prime_764) ((flipped_sign_sqrt_762) || ( + flipped_sign_sqrt_i_763)) (r_759) in + let r_759 := + abs (r_759) in + let was_square_765 : bool := + (correct_sign_sqrt_761) || (flipped_sign_sqrt_762) in + (was_square_765, r_759). + +Definition map (t_766 : field_element_t) : ristretto_point_t := + let one_767 : field_element_t := + fe (usize 1) in + let minus_one_768 : field_element_t := + neg_fe (one_767) in + let r_769 : field_element_t := + (sqrt_m1 ) *% (nat_mod_pow (t_766) (@repr WORDSIZE128 2)) in + let u_770 : field_element_t := + ((r_769) +% (one_767)) *% (one_minus_d_sq ) in + let v_771 : field_element_t := + ((minus_one_768) -% ((r_769) *% (d ))) *% ((r_769) +% (d )) in + let '(was_square_772, s_773) := + sqrt_ratio_m1 (u_770) (v_771) in + let s_prime_774 : field_element_t := + neg_fe (abs ((s_773) *% (t_766))) in + let s_773 := + select (s_773) (was_square_772) (s_prime_774) in + let c_775 : field_element_t := + select (minus_one_768) (was_square_772) (r_769) in + let n_776 : field_element_t := + (((c_775) *% ((r_769) -% (one_767))) *% (d_minus_one_sq )) -% (v_771) in + let w0_777 : field_element_t := + ((fe (usize 2)) *% (s_773)) *% (v_771) in + let w1_778 : field_element_t := + (n_776) *% (sqrt_ad_minus_one ) in + let w2_779 : field_element_t := + (one_767) -% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in + let w3_780 : field_element_t := + (one_767) +% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in + ( + (w0_777) *% (w3_780), + (w2_779) *% (w1_778), + (w1_778) *% (w3_780), + (w0_777) *% (w2_779) + ). + +Definition one_way_map (b_781 : byte_string_t) : ristretto_point_t := + let r0_bytes_782 : seq uint8 := + array_slice (b_781) (usize 0) (usize 32) in + let r1_bytes_783 : seq uint8 := + array_slice (b_781) (usize 32) (usize 32) in + let r0_bytes_784 : seq int8 := + seq_declassify (r0_bytes_782) in + let r1_bytes_785 : seq int8 := + seq_declassify (r1_bytes_783) in + let r0_bytes_784 := + seq_upd r0_bytes_784 (usize 31) ((seq_index (r0_bytes_784) (usize 31)) .% ( + @repr WORDSIZE8 128)) in + let r1_bytes_785 := + seq_upd r1_bytes_785 (usize 31) ((seq_index (r1_bytes_785) (usize 31)) .% ( + @repr WORDSIZE8 128)) in + let r0_786 : field_element_t := + nat_mod_from_public_byte_seq_le (r0_bytes_784) in + let r1_787 : field_element_t := + nat_mod_from_public_byte_seq_le (r1_bytes_785) in + let p1_788 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + map (r0_786) in + let p2_789 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + map (r1_787) in + add (p1_788) (p2_789). + +Definition encode (u_790 : ristretto_point_t) : ristretto_point_encoded_t := + let '(x0_791, y0_792, z0_793, t0_794) := + u_790 in + let u1_795 : field_element_t := + ((z0_793) +% (y0_792)) *% ((z0_793) -% (y0_792)) in + let u2_796 : field_element_t := + (x0_791) *% (y0_792) in + let '(_, invsqrt_797) := + sqrt_ratio_m1 (fe (usize 1)) ((u1_795) *% (nat_mod_pow (u2_796) ( + @repr WORDSIZE128 2))) in + let den1_798 : field_element_t := + (invsqrt_797) *% (u1_795) in + let den2_799 : field_element_t := + (invsqrt_797) *% (u2_796) in + let z_inv_800 : field_element_t := + ((den1_798) *% (den2_799)) *% (t0_794) in + let ix0_801 : field_element_t := + (x0_791) *% (sqrt_m1 ) in + let iy0_802 : field_element_t := + (y0_792) *% (sqrt_m1 ) in + let enchanted_denominator_803 : field_element_t := + (den1_798) *% (invsqrt_a_minus_d ) in + let rotate_804 : bool := + is_negative ((t0_794) *% (z_inv_800)) in + let x_805 : field_element_t := + select (iy0_802) (rotate_804) (x0_791) in + let y_806 : field_element_t := + select (ix0_801) (rotate_804) (y0_792) in + let z_807 : field_element_t := + z0_793 in + let den_inv_808 : field_element_t := + select (enchanted_denominator_803) (rotate_804) (den2_799) in + let y_806 := + select (neg_fe (y_806)) (is_negative ((x_805) *% (z_inv_800))) (y_806) in + let s_809 : field_element_t := + abs ((den_inv_808) *% ((z_807) -% (y_806))) in + array_update_start (array_new_ (default : uint8) (32)) ( + nat_mod_to_byte_seq_le (s_809)). + +Definition decode (u_810 : ristretto_point_encoded_t) : decode_result_t := + let ret_811 : (result ristretto_point_t int8) := + @Err ristretto_point_t int8 (decoding_error_v) in + let s_812 : field_element_t := + nat_mod_from_byte_seq_le (array_to_seq (u_810)) : field_element_t in + let '(ret_811) := + if (negb (geq_p (array_to_le_bytes (u_810)))) && (negb (is_negative ( + s_812))):bool then (let one_813 : field_element_t := + fe (usize 1) in + let ss_814 : field_element_t := + nat_mod_pow (s_812) (@repr WORDSIZE128 2) in + let u1_815 : field_element_t := + (one_813) -% (ss_814) in + let u2_816 : field_element_t := + (one_813) +% (ss_814) in + let u2_sqr_817 : field_element_t := + nat_mod_pow (u2_816) (@repr WORDSIZE128 2) in + let v_818 : field_element_t := + (neg_fe ((d ) *% (nat_mod_pow (u1_815) (@repr WORDSIZE128 2)))) -% ( + u2_sqr_817) in + let '(was_square_819, invsqrt_820) := + sqrt_ratio_m1 (one_813) ((v_818) *% (u2_sqr_817)) in + let den_x_821 : field_element_t := + (invsqrt_820) *% (u2_816) in + let den_y_822 : field_element_t := + ((invsqrt_820) *% (den_x_821)) *% (v_818) in + let x_823 : field_element_t := + abs (((s_812) +% (s_812)) *% (den_x_821)) in + let y_824 : field_element_t := + (u1_815) *% (den_y_822) in + let t_825 : field_element_t := + (x_823) *% (y_824) in + let '(ret_811) := + if negb (((negb (was_square_819)) || (is_negative (t_825))) || (( + y_824) =.? (fe (usize 0)))):bool then (let ret_811 := + @Ok ristretto_point_t int8 ((x_823, y_824, one_813, t_825)) in + (ret_811)) else ((ret_811)) in + (ret_811)) else ((ret_811)) in + ret_811. + +Definition equals + (u_826 : ristretto_point_t) + (v_827 : ristretto_point_t) + : bool := + let '(x1_828, y1_829, _, _) := + u_826 in + let '(x2_830, y2_831, _, _) := + v_827 in + (((x1_828) *% (y2_831)) =.? ((x2_830) *% (y1_829))) || (((y1_829) *% ( + y2_831)) =.? ((x1_828) *% (x2_830))). + +Definition add + (u_832 : ristretto_point_t) + (v_833 : ristretto_point_t) + : ristretto_point_t := + let '(x1_834, y1_835, z1_836, t1_837) := + u_832 in + let '(x2_838, y2_839, z2_840, t2_841) := + v_833 in + let a_842 : field_element_t := + ((y1_835) -% (x1_834)) *% ((y2_839) +% (x2_838)) in + let b_843 : field_element_t := + ((y1_835) +% (x1_834)) *% ((y2_839) -% (x2_838)) in + let c_844 : field_element_t := + ((fe (usize 2)) *% (z1_836)) *% (t2_841) in + let d_845 : field_element_t := + ((fe (usize 2)) *% (t1_837)) *% (z2_840) in + let e_846 : field_element_t := + (d_845) +% (c_844) in + let f_847 : field_element_t := + (b_843) -% (a_842) in + let g_848 : field_element_t := + (b_843) +% (a_842) in + let h_849 : field_element_t := + (d_845) -% (c_844) in + let x3_850 : field_element_t := + (e_846) *% (f_847) in + let y3_851 : field_element_t := + (g_848) *% (h_849) in + let t3_852 : field_element_t := + (e_846) *% (h_849) in + let z3_853 : field_element_t := + (f_847) *% (g_848) in + (x3_850, y3_851, z3_853, t3_852). + +Definition neg (u_854 : ristretto_point_t) : ristretto_point_t := + let '(x1_855, y1_856, z1_857, t1_858) := + u_854 in + (neg_fe (x1_855), y1_856, neg_fe (z1_857), t1_858). + +Definition sub + (u_859 : ristretto_point_t) + (v_860 : ristretto_point_t) + : ristretto_point_t := + add (u_859) (neg (v_860)). + +Definition double (u_861 : ristretto_point_t) : ristretto_point_t := + let '(x1_862, y1_863, z1_864, _) := + u_861 in + let a_865 : field_element_t := + nat_mod_pow (x1_862) (@repr WORDSIZE128 2) in + let b_866 : field_element_t := + nat_mod_pow (y1_863) (@repr WORDSIZE128 2) in + let c_867 : field_element_t := + (fe (usize 2)) *% (nat_mod_pow (z1_864) (@repr WORDSIZE128 2)) in + let h_868 : field_element_t := + (a_865) +% (b_866) in + let e_869 : field_element_t := + (h_868) -% (nat_mod_pow ((x1_862) +% (y1_863)) (@repr WORDSIZE128 2)) in + let g_870 : field_element_t := + (a_865) -% (b_866) in + let f_871 : field_element_t := + (c_867) +% (g_870) in + let x2_872 : field_element_t := + (e_869) *% (f_871) in + let y2_873 : field_element_t := + (g_870) *% (h_868) in + let t2_874 : field_element_t := + (e_869) *% (h_868) in + let z2_875 : field_element_t := + (f_871) *% (g_870) in + (x2_872, y2_873, z2_875, t2_874). + +Definition mul + (k_876 : scalar_t) + (p_877 : ristretto_point_t) + : ristretto_point_t := + let res_878 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + identity_point in + let temp_879 : ( + field_element_t '× + field_element_t '× + field_element_t '× + field_element_t + ) := + p_877 in + let '(res_878, temp_879) := + foldi (usize 0) (usize 256) (fun i_880 '(res_878, temp_879) => + let '(res_878) := + if (nat_mod_get_bit (k_876) (i_880)) =.? (nat_mod_from_literal ( + 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed) ( + @repr WORDSIZE128 1) : scalar_t):bool then (let res_878 := + add (res_878) (temp_879) in + (res_878)) else ((res_878)) in + let temp_879 := + double (temp_879) in + (res_878, temp_879)) + (res_878, temp_879) in + res_878. + diff --git a/proof-libs/coq/src/Hacspec_Rsa_Fdh_Vrf.v b/proof-libs/coq/src/Hacspec_Rsa_Fdh_Vrf.v new file mode 100644 index 000000000..1e62ce5df --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Rsa_Fdh_Vrf.v @@ -0,0 +1,70 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Require Import Hacspec_Rsa_Pkcs1. + +Definition int_byte_t := nseq (uint8) (usize 1). + +Definition one_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). + +Definition two_v : int_byte_t := + array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). + +Definition suite_string_v : int_byte_t := + one_v. + +Definition vrf_mgf1 + (n_2644 : rsa_int_t) + (alpha_2645 : byte_seq) + : byte_seq_result_t := + bind (i2osp (rsa_int_from_literal (@cast _ uint128 _ (byte_size_v))) ( + @repr WORDSIZE32 4)) (fun mgf_salt1_2646 => bind (i2osp (n_2644) ( + byte_size_v)) (fun mgf_salt2_2647 => let mgf_salt_2648 : seq uint8 := + seq_concat (mgf_salt1_2646) (mgf_salt2_2647) in + let mgf_string_2649 : seq uint8 := + seq_concat (seq_concat (array_concat (suite_string_v) ( + array_to_seq (one_v))) (mgf_salt_2648)) (alpha_2645) in + bind (mgf1 (mgf_string_2649) ((@cast _ uint32 _ (byte_size_v)) - ( + usize 1))) (fun mgf_2650 => @Ok seq uint8 error_t (mgf_2650)))). + +Definition prove (sk_2651 : sk_t) (alpha_2652 : byte_seq) : byte_seq_result_t := + let '(n_2653, d_2654) := + (sk_2651) in + bind (vrf_mgf1 (n_2653) (alpha_2652)) (fun em_2655 => + let m_2656 : rsa_int_t := + os2ip (em_2655) in + bind (rsasp1 (sk_2651) (m_2656)) (fun s_2657 => i2osp (s_2657) ( + byte_size_v))). + +Definition proof_to_hash (pi_string_2658 : byte_seq) : byte_seq_result_t := + let hash_string_2659 : seq uint8 := + array_concat (suite_string_v) (array_concat (two_v) (pi_string_2658)) in + @Ok seq uint8 error_t (array_slice (sha256 (hash_string_2659)) (usize 0) ( + usize 32)). + +Definition verify + (pk_2660 : pk_t) + (alpha_2661 : byte_seq) + (pi_string_2662 : byte_seq) + : byte_seq_result_t := + let '(n_2663, e_2664) := + (pk_2660) in + let s_2665 : rsa_int_t := + os2ip (pi_string_2662) in + bind (rsavp1 (pk_2660) (s_2665)) (fun m_2666 => bind (vrf_mgf1 (n_2663) ( + alpha_2661)) (fun em_prime_2667 => let m_prime_2668 : rsa_int_t := + os2ip (em_prime_2667) in + (if ((m_2666) =.? (m_prime_2668)):bool then (proof_to_hash ( + pi_string_2662)) else (@Err seq uint8 error_t ( + VerificationFailed))))). + diff --git a/proof-libs/coq/src/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/src/Hacspec_Rsa_Pkcs1.v new file mode 100644 index 000000000..150f38634 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Rsa_Pkcs1.v @@ -0,0 +1,121 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition bit_size_v : int32 := + @repr WORDSIZE32 2048. + +Definition byte_size_v : int32 := + (@repr WORDSIZE32 2048) ./ (@repr WORDSIZE32 8). + +Definition hlen_v : uint_size := + usize 32. + +Definition rsa_int_t := nat_mod pow2 2048. + +Inductive error_t := +| InvalidLength : error_t +| MessageTooLarge : error_t +| DecryptionFailed : error_t +| VerificationFailed : error_t. + +Definition eqb_error_t (x y : error_t) : bool := +match x with + | InvalidLength => match y with | InvalidLength=> true | _ => false end + | MessageTooLarge => match y with | MessageTooLarge=> true | _ => false end + | DecryptionFailed => match y with | DecryptionFailed=> true | _ => false end + | VerificationFailed => + match y with + | VerificationFailed=> true + | _ => false + end + end. + +Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_error_t : EqDec (error_t) := +Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). + + +Notation "'pk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. + +Notation "'sk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. + +Notation "'key_pair_t'" := ((pk_t '× sk_t)) : hacspec_scope. + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Notation "'rsa_int_result_t'" := ((result rsa_int_t error_t)) : hacspec_scope. + +Definition rsaep (pk_2530 : pk_t) (m_2531 : rsa_int_t) : rsa_int_result_t := + let '(n_2532, e_2533) := + pk_2530 in + (if ((m_2531) >.? ((n_2532) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (m_2531) (e_2533) (n_2532)))). + +Definition rsadp (sk_2534 : sk_t) (c_2535 : rsa_int_t) : rsa_int_result_t := + let '(n_2536, d_2537) := + sk_2534 in + (if ((c_2535) >.? ((n_2536) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (c_2535) (d_2537) (n_2536)))). + +Definition rsasp1 (sk_2538 : sk_t) (m_2539 : rsa_int_t) : rsa_int_result_t := + let '(n_2540, d_2541) := + sk_2538 in + (if ((m_2539) >.? ((n_2540) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (m_2539) (d_2541) (n_2540)))). + +Definition rsavp1 (pk_2542 : pk_t) (s_2543 : rsa_int_t) : rsa_int_result_t := + let '(n_2544, e_2545) := + pk_2542 in + (if ((s_2543) >.? ((n_2544) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (s_2543) (e_2545) (n_2544)))). + +Definition i2osp + (x_2546 : rsa_int_t) + (x_len_2547 : int32) + : byte_seq_result_t := + (if (((x_2546) >=.? (nat_mod_exp (nat_mod_from_literal (0x) ( + @repr WORDSIZE128 256) : rsa_int_t) (x_len_2547))) && (( + x_len_2547) !=.? (byte_size_v))):bool then (@Err byte_seq error_t ( + InvalidLength)) else (@Ok byte_seq error_t (seq_slice ( + nat_mod_to_byte_seq_be (x_2546)) (@cast _ uint32 _ ((byte_size_v) .- ( + x_len_2547))) (@cast _ uint32 _ (x_len_2547))))). + +Definition os2ip (x_2548 : byte_seq) : rsa_int_t := + nat_mod_from_byte_seq_be (x_2548) : rsa_int_t. + +Definition mgf1 + (mgf_seed_2549 : byte_seq) + (mask_len_2550 : uint_size) + : byte_seq_result_t := + let result_2551 : (result byte_seq error_t) := + @Err byte_seq error_t (InvalidLength) in + ifbnd (mask_len_2550) <.? ((usize 2) .^ ((usize 32) * (hlen_v))) : bool + thenbnd (let t_2552 : seq uint8 := + seq_new_ (default : uint8) (usize 0) in + bind (foldibnd (usize 0) to (((mask_len_2550) + (usize 32)) / ( + usize 32)) for t_2552 >> (fun i_2553 t_2552 => + bind (i2osp (nat_mod_from_literal (0x) (pub_u128 (i_2553)) : rsa_int_t) ( + @repr WORDSIZE32 4)) (fun x_2554 => let t_2552 := + seq_concat (t_2552) (array_to_seq (sha256 (seq_concat ( + mgf_seed_2549) (x_2554)))) in + @Ok (seq uint8) error_t ((t_2552))))) (fun t_2552 => let result_2551 := + @Ok byte_seq error_t (seq_slice (t_2552) (usize 0) (mask_len_2550)) in + @Ok ((result byte_seq error_t)) error_t ((result_2551)))) + else ((result_2551)) >> (fun '(result_2551) => + result_2551). + diff --git a/proof-libs/coq/src/Hacspec_Sha1.v b/proof-libs/coq/src/Hacspec_Sha1.v new file mode 100644 index 000000000..f633b67ac --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Sha1.v @@ -0,0 +1,205 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition schedule_t := nseq (uint32) (usize 80). + +Definition block_words_v : uint_size := + (usize 512) / (usize 32). + +Definition hash_words_v : uint_size := + (usize 160) / (usize 32). + +Definition block_t := nseq (uint32) (block_words_v). + +Definition hash_t := nseq (uint32) (hash_words_v). + +Definition block_bytes_v : uint_size := + (usize 512) / (usize 8). + +Definition hash_bytes_v : uint_size := + (usize 160) / (usize 8). + +Definition block_bytes_t := nseq (uint8) (block_bytes_v). + +Definition sha1_digest_t := nseq (uint8) (hash_bytes_v). + +Definition bitlength_bytes_v : uint_size := + (usize 64) / (usize 8). + +Definition ch (x_1225 : uint32) (y_1226 : uint32) (z_1227 : uint32) : uint32 := + ((x_1225) .& (y_1226)) .^ ((not (x_1225)) .& (z_1227)). + +Definition parity + (x_1228 : uint32) + (y_1229 : uint32) + (z_1230 : uint32) + : uint32 := + ((x_1228) .^ (y_1229)) .^ (z_1230). + +Definition maj (x_1231 : uint32) (y_1232 : uint32) (z_1233 : uint32) : uint32 := + (((x_1231) .& (y_1232)) .^ ((x_1231) .& (z_1233))) .^ ((y_1232) .& (z_1233)). + +Definition hash_init_v : hash_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1732584193) : int32; + secret (@repr WORDSIZE32 4023233417) : int32; + secret (@repr WORDSIZE32 2562383102) : int32; + secret (@repr WORDSIZE32 271733878) : int32; + secret (@repr WORDSIZE32 3285377520) : int32 + ] in l). + +Definition compress (m_bytes_1234 : block_bytes_t) (h_1235 : hash_t) : hash_t := + let m_1236 : seq uint32 := + array_to_be_uint32s (m_bytes_1234) in + let w_1237 : schedule_t := + array_new_ (default : uint32) (80) in + let w_1237 := + foldi (usize 0) (usize 80) (fun t_1238 w_1237 => + let '(w_1237) := + if (t_1238) <.? (usize 16):bool then (let w_1237 := + array_upd w_1237 (t_1238) (seq_index (m_1236) (t_1238)) in + (w_1237)) else (let w_1237 := + array_upd w_1237 (t_1238) (uint32_rotate_left ((((array_index ( + w_1237) ((t_1238) - (usize 3))) .^ (array_index ( + w_1237) ((t_1238) - (usize 8)))) .^ (array_index ( + w_1237) ((t_1238) - (usize 14)))) .^ (array_index ( + w_1237) ((t_1238) - (usize 16)))) (usize 1)) in + (w_1237)) in + (w_1237)) + w_1237 in + let a_1239 : uint32 := + array_index (h_1235) (usize 0) in + let b_1240 : uint32 := + array_index (h_1235) (usize 1) in + let c_1241 : uint32 := + array_index (h_1235) (usize 2) in + let d_1242 : uint32 := + array_index (h_1235) (usize 3) in + let e_1243 : uint32 := + array_index (h_1235) (usize 4) in + let '(a_1239, b_1240, c_1241, d_1242, e_1243) := + foldi (usize 0) (usize 80) (fun t_1244 '( + a_1239, + b_1240, + c_1241, + d_1242, + e_1243 + ) => + let t_1245 : uint32 := + uint32_zero in + let '(t_1245) := + if ((usize 0) <=.? (t_1244)) && ((t_1244) <.? (usize 20)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (ch (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 1518500249) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let '(t_1245) := + if ((usize 20) <=.? (t_1244)) && ((t_1244) <.? (usize 40)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 1859775393) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let '(t_1245) := + if ((usize 40) <=.? (t_1244)) && ((t_1244) <.? (usize 60)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (maj (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 2400959708) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let '(t_1245) := + if ((usize 60) <=.? (t_1244)) && ((t_1244) <.? (usize 80)):bool then ( + let t_1245 := + ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( + c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( + @repr WORDSIZE32 3395469782) : int32)) .+ (array_index ( + w_1237) (t_1244)) in + (t_1245)) else ((t_1245)) in + let e_1243 := + d_1242 in + let d_1242 := + c_1241 in + let c_1241 := + uint32_rotate_left (b_1240) (usize 30) in + let b_1240 := + a_1239 in + let a_1239 := + t_1245 in + (a_1239, b_1240, c_1241, d_1242, e_1243)) + (a_1239, b_1240, c_1241, d_1242, e_1243) in + let h_1235 := + array_upd h_1235 (usize 0) ((a_1239) .+ (array_index (h_1235) ( + usize 0))) in + let h_1235 := + array_upd h_1235 (usize 1) ((b_1240) .+ (array_index (h_1235) ( + usize 1))) in + let h_1235 := + array_upd h_1235 (usize 2) ((c_1241) .+ (array_index (h_1235) ( + usize 2))) in + let h_1235 := + array_upd h_1235 (usize 3) ((d_1242) .+ (array_index (h_1235) ( + usize 3))) in + let h_1235 := + array_upd h_1235 (usize 4) ((e_1243) .+ (array_index (h_1235) ( + usize 4))) in + h_1235. + +Definition hash (msg_1246 : byte_seq) : sha1_digest_t := + let h_1247 : hash_t := + hash_init_v in + let h_1247 := + foldi (usize 0) (seq_num_exact_chunks (msg_1246) ( + block_bytes_v)) (fun i_1248 h_1247 => + let raw_bytes_1249 : seq uint8 := + seq_get_exact_chunk (msg_1246) (block_bytes_v) (i_1248) in + let block_bytes_1250 : block_bytes_t := + array_from_seq (block_bytes_v) (raw_bytes_1249) in + let h_1247 := + compress (block_bytes_1250) (h_1247) in + (h_1247)) + h_1247 in + let raw_bytes_1251 : seq uint8 := + seq_get_remainder_chunk (msg_1246) (block_bytes_v) in + let block_bytes_1252 : block_bytes_t := + array_update_start (array_new_ (default : uint8) (block_bytes_v)) ( + raw_bytes_1251) in + let block_bytes_1252 := + array_upd block_bytes_1252 (seq_len (raw_bytes_1251)) (secret ( + @repr WORDSIZE8 128) : int8) in + let message_bitlength_1253 : uint64 := + secret (pub_u64 ((seq_len (msg_1246)) * (usize 8))) : int64 in + let '(h_1247, block_bytes_1252) := + if (seq_len (raw_bytes_1251)) <.? ((block_bytes_v) - ( + bitlength_bytes_v)):bool then (let block_bytes_1252 := + array_update (block_bytes_1252) ((block_bytes_v) - ( + bitlength_bytes_v)) (array_to_seq (uint64_to_be_bytes ( + message_bitlength_1253))) in + let h_1247 := + compress (block_bytes_1252) (h_1247) in + (h_1247, block_bytes_1252)) else (let h_1247 := + compress (block_bytes_1252) (h_1247) in + let pad_block_1254 : block_bytes_t := + array_new_ (default : uint8) (block_bytes_v) in + let pad_block_1254 := + array_update (pad_block_1254) ((block_bytes_v) - (bitlength_bytes_v)) ( + array_to_seq (uint64_to_be_bytes (message_bitlength_1253))) in + let h_1247 := + compress (pad_block_1254) (h_1247) in + (h_1247, block_bytes_1252)) in + array_from_seq (hash_bytes_v) (array_to_be_bytes (h_1247)). + +Definition sha1 (msg_1255 : byte_seq) : sha1_digest_t := + hash (msg_1255). + diff --git a/proof-libs/coq/src/Hacspec_Sha256.v b/proof-libs/coq/src/Hacspec_Sha256.v new file mode 100644 index 000000000..782c6f634 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Sha256.v @@ -0,0 +1,305 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition block_size_v : uint_size := + usize 64. + +Definition len_size_v : uint_size := + usize 8. + +Definition k_size_v : uint_size := + usize 64. + +Definition hash_size_v : uint_size := + (usize 256) / (usize 8). + +Definition block_t := nseq (uint8) (block_size_v). + +Definition op_table_type_t := nseq (uint_size) (usize 12). + +Definition sha256_digest_t := nseq (uint8) (hash_size_v). + +Definition round_constants_table_t := nseq (uint32) (k_size_v). + +Definition hash_t := nseq (uint32) (usize 8). + +Definition ch (x_663 : uint32) (y_664 : uint32) (z_665 : uint32) : uint32 := + ((x_663) .& (y_664)) .^ ((not (x_663)) .& (z_665)). + +Definition maj (x_666 : uint32) (y_667 : uint32) (z_668 : uint32) : uint32 := + ((x_666) .& (y_667)) .^ (((x_666) .& (z_668)) .^ ((y_667) .& (z_668))). + +Definition op_table_v : op_table_type_t := + array_from_list uint_size (let l := + [ + usize 2; + usize 13; + usize 22; + usize 6; + usize 11; + usize 25; + usize 7; + usize 18; + usize 3; + usize 17; + usize 19; + usize 10 + ] in l). + +Definition k_table_v : round_constants_table_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1116352408) : int32; + secret (@repr WORDSIZE32 1899447441) : int32; + secret (@repr WORDSIZE32 3049323471) : int32; + secret (@repr WORDSIZE32 3921009573) : int32; + secret (@repr WORDSIZE32 961987163) : int32; + secret (@repr WORDSIZE32 1508970993) : int32; + secret (@repr WORDSIZE32 2453635748) : int32; + secret (@repr WORDSIZE32 2870763221) : int32; + secret (@repr WORDSIZE32 3624381080) : int32; + secret (@repr WORDSIZE32 310598401) : int32; + secret (@repr WORDSIZE32 607225278) : int32; + secret (@repr WORDSIZE32 1426881987) : int32; + secret (@repr WORDSIZE32 1925078388) : int32; + secret (@repr WORDSIZE32 2162078206) : int32; + secret (@repr WORDSIZE32 2614888103) : int32; + secret (@repr WORDSIZE32 3248222580) : int32; + secret (@repr WORDSIZE32 3835390401) : int32; + secret (@repr WORDSIZE32 4022224774) : int32; + secret (@repr WORDSIZE32 264347078) : int32; + secret (@repr WORDSIZE32 604807628) : int32; + secret (@repr WORDSIZE32 770255983) : int32; + secret (@repr WORDSIZE32 1249150122) : int32; + secret (@repr WORDSIZE32 1555081692) : int32; + secret (@repr WORDSIZE32 1996064986) : int32; + secret (@repr WORDSIZE32 2554220882) : int32; + secret (@repr WORDSIZE32 2821834349) : int32; + secret (@repr WORDSIZE32 2952996808) : int32; + secret (@repr WORDSIZE32 3210313671) : int32; + secret (@repr WORDSIZE32 3336571891) : int32; + secret (@repr WORDSIZE32 3584528711) : int32; + secret (@repr WORDSIZE32 113926993) : int32; + secret (@repr WORDSIZE32 338241895) : int32; + secret (@repr WORDSIZE32 666307205) : int32; + secret (@repr WORDSIZE32 773529912) : int32; + secret (@repr WORDSIZE32 1294757372) : int32; + secret (@repr WORDSIZE32 1396182291) : int32; + secret (@repr WORDSIZE32 1695183700) : int32; + secret (@repr WORDSIZE32 1986661051) : int32; + secret (@repr WORDSIZE32 2177026350) : int32; + secret (@repr WORDSIZE32 2456956037) : int32; + secret (@repr WORDSIZE32 2730485921) : int32; + secret (@repr WORDSIZE32 2820302411) : int32; + secret (@repr WORDSIZE32 3259730800) : int32; + secret (@repr WORDSIZE32 3345764771) : int32; + secret (@repr WORDSIZE32 3516065817) : int32; + secret (@repr WORDSIZE32 3600352804) : int32; + secret (@repr WORDSIZE32 4094571909) : int32; + secret (@repr WORDSIZE32 275423344) : int32; + secret (@repr WORDSIZE32 430227734) : int32; + secret (@repr WORDSIZE32 506948616) : int32; + secret (@repr WORDSIZE32 659060556) : int32; + secret (@repr WORDSIZE32 883997877) : int32; + secret (@repr WORDSIZE32 958139571) : int32; + secret (@repr WORDSIZE32 1322822218) : int32; + secret (@repr WORDSIZE32 1537002063) : int32; + secret (@repr WORDSIZE32 1747873779) : int32; + secret (@repr WORDSIZE32 1955562222) : int32; + secret (@repr WORDSIZE32 2024104815) : int32; + secret (@repr WORDSIZE32 2227730452) : int32; + secret (@repr WORDSIZE32 2361852424) : int32; + secret (@repr WORDSIZE32 2428436474) : int32; + secret (@repr WORDSIZE32 2756734187) : int32; + secret (@repr WORDSIZE32 3204031479) : int32; + secret (@repr WORDSIZE32 3329325298) : int32 + ] in l). + +Definition hash_init_v : hash_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1779033703) : int32; + secret (@repr WORDSIZE32 3144134277) : int32; + secret (@repr WORDSIZE32 1013904242) : int32; + secret (@repr WORDSIZE32 2773480762) : int32; + secret (@repr WORDSIZE32 1359893119) : int32; + secret (@repr WORDSIZE32 2600822924) : int32; + secret (@repr WORDSIZE32 528734635) : int32; + secret (@repr WORDSIZE32 1541459225) : int32 + ] in l). + +Definition sigma + (x_669 : uint32) + (i_670 : uint_size) + (op_671 : uint_size) + : uint32 := + let tmp_672 : uint32 := + uint32_rotate_right (x_669) (array_index (op_table_v) (((usize 3) * ( + i_670)) + (usize 2))) in + let '(tmp_672) := + if (op_671) =.? (usize 0):bool then (let tmp_672 := + (x_669) shift_right (array_index (op_table_v) (((usize 3) * (i_670)) + ( + usize 2))) in + (tmp_672)) else ((tmp_672)) in + ((uint32_rotate_right (x_669) (array_index (op_table_v) ((usize 3) * ( + i_670)))) .^ (uint32_rotate_right (x_669) (array_index ( + op_table_v) (((usize 3) * (i_670)) + (usize 1))))) .^ (tmp_672). + +Definition schedule (block_673 : block_t) : round_constants_table_t := + let b_674 : seq uint32 := + array_to_be_uint32s (block_673) in + let s_675 : round_constants_table_t := + array_new_ (default : uint32) (k_size_v) in + let s_675 := + foldi (usize 0) (k_size_v) (fun i_676 s_675 => + let '(s_675) := + if (i_676) <.? (usize 16):bool then (let s_675 := + array_upd s_675 (i_676) (seq_index (b_674) (i_676)) in + (s_675)) else (let t16_677 : uint32 := + array_index (s_675) ((i_676) - (usize 16)) in + let t15_678 : uint32 := + array_index (s_675) ((i_676) - (usize 15)) in + let t7_679 : uint32 := + array_index (s_675) ((i_676) - (usize 7)) in + let t2_680 : uint32 := + array_index (s_675) ((i_676) - (usize 2)) in + let s1_681 : uint32 := + sigma (t2_680) (usize 3) (usize 0) in + let s0_682 : uint32 := + sigma (t15_678) (usize 2) (usize 0) in + let s_675 := + array_upd s_675 (i_676) ((((s1_681) .+ (t7_679)) .+ (s0_682)) .+ ( + t16_677)) in + (s_675)) in + (s_675)) + s_675 in + s_675. + +Definition shuffle + (ws_683 : round_constants_table_t) + (hashi_684 : hash_t) + : hash_t := + let h_685 : hash_t := + hashi_684 in + let h_685 := + foldi (usize 0) (k_size_v) (fun i_686 h_685 => + let a0_687 : uint32 := + array_index (h_685) (usize 0) in + let b0_688 : uint32 := + array_index (h_685) (usize 1) in + let c0_689 : uint32 := + array_index (h_685) (usize 2) in + let d0_690 : uint32 := + array_index (h_685) (usize 3) in + let e0_691 : uint32 := + array_index (h_685) (usize 4) in + let f0_692 : uint32 := + array_index (h_685) (usize 5) in + let g0_693 : uint32 := + array_index (h_685) (usize 6) in + let h0_694 : uint32 := + array_index (h_685) (usize 7) in + let t1_695 : uint32 := + ((((h0_694) .+ (sigma (e0_691) (usize 1) (usize 1))) .+ (ch (e0_691) ( + f0_692) (g0_693))) .+ (array_index (k_table_v) (i_686))) .+ ( + array_index (ws_683) (i_686)) in + let t2_696 : uint32 := + (sigma (a0_687) (usize 0) (usize 1)) .+ (maj (a0_687) (b0_688) ( + c0_689)) in + let h_685 := + array_upd h_685 (usize 0) ((t1_695) .+ (t2_696)) in + let h_685 := + array_upd h_685 (usize 1) (a0_687) in + let h_685 := + array_upd h_685 (usize 2) (b0_688) in + let h_685 := + array_upd h_685 (usize 3) (c0_689) in + let h_685 := + array_upd h_685 (usize 4) ((d0_690) .+ (t1_695)) in + let h_685 := + array_upd h_685 (usize 5) (e0_691) in + let h_685 := + array_upd h_685 (usize 6) (f0_692) in + let h_685 := + array_upd h_685 (usize 7) (g0_693) in + (h_685)) + h_685 in + h_685. + +Definition compress (block_697 : block_t) (h_in_698 : hash_t) : hash_t := + let s_699 : round_constants_table_t := + schedule (block_697) in + let h_700 : hash_t := + shuffle (s_699) (h_in_698) in + let h_700 := + foldi (usize 0) (usize 8) (fun i_701 h_700 => + let h_700 := + array_upd h_700 (i_701) ((array_index (h_700) (i_701)) .+ (array_index ( + h_in_698) (i_701))) in + (h_700)) + h_700 in + h_700. + +Definition hash (msg_702 : byte_seq) : sha256_digest_t := + let h_703 : hash_t := + hash_init_v in + let last_block_704 : block_t := + array_new_ (default : uint8) (block_size_v) in + let last_block_len_705 : uint_size := + usize 0 in + let '(h_703, last_block_704, last_block_len_705) := + foldi (usize 0) (seq_num_chunks (msg_702) (block_size_v)) (fun i_706 '( + h_703, + last_block_704, + last_block_len_705 + ) => + let '(block_len_707, block_708) := + seq_get_chunk (msg_702) (block_size_v) (i_706) in + let '(h_703, last_block_704, last_block_len_705) := + if (block_len_707) <.? (block_size_v):bool then (let last_block_704 := + array_update_start (array_new_ (default : uint8) (block_size_v)) ( + block_708) in + let last_block_len_705 := + block_len_707 in + (h_703, last_block_704, last_block_len_705)) else ( + let compress_input_709 : block_t := + array_from_seq (block_size_v) (block_708) in + let h_703 := + compress (compress_input_709) (h_703) in + (h_703, last_block_704, last_block_len_705)) in + (h_703, last_block_704, last_block_len_705)) + (h_703, last_block_704, last_block_len_705) in + let last_block_704 := + array_upd last_block_704 (last_block_len_705) (secret ( + @repr WORDSIZE8 128) : int8) in + let len_bist_710 : uint64 := + secret (pub_u64 ((seq_len (msg_702)) * (usize 8))) : int64 in + let '(h_703, last_block_704) := + if (last_block_len_705) <.? ((block_size_v) - (len_size_v)):bool then ( + let last_block_704 := + array_update (last_block_704) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint64_to_be_bytes (len_bist_710))) in + let h_703 := + compress (last_block_704) (h_703) in + (h_703, last_block_704)) else (let pad_block_711 : block_t := + array_new_ (default : uint8) (block_size_v) in + let pad_block_711 := + array_update (pad_block_711) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint64_to_be_bytes (len_bist_710))) in + let h_703 := + compress (last_block_704) (h_703) in + let h_703 := + compress (pad_block_711) (h_703) in + (h_703, last_block_704)) in + array_from_seq (hash_size_v) (array_to_be_bytes (h_703)). + +Definition sha256 (msg_712 : byte_seq) : sha256_digest_t := + hash (msg_712). + diff --git a/proof-libs/coq/src/Hacspec_Sha3.v b/proof-libs/coq/src/Hacspec_Sha3.v new file mode 100644 index 000000000..91088d815 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Sha3.v @@ -0,0 +1,357 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition rounds_v : uint_size := + usize 24. + +Definition sha3224_rate_v : uint_size := + usize 144. + +Definition sha3256_rate_v : uint_size := + usize 136. + +Definition sha3384_rate_v : uint_size := + usize 104. + +Definition sha3512_rate_v : uint_size := + usize 72. + +Definition shake128_rate_v : uint_size := + usize 168. + +Definition shake256_rate_v : uint_size := + usize 136. + +Definition state_t := nseq (uint64) (usize 25). + +Definition row_t := nseq (uint64) (usize 5). + +Definition digest224_t := nseq (uint8) (usize 28). + +Definition digest256_t := nseq (uint8) (usize 32). + +Definition digest384_t := nseq (uint8) (usize 48). + +Definition digest512_t := nseq (uint8) (usize 64). + +Definition round_constants_t := nseq (int64) (rounds_v). + +Definition rotation_constants_t := nseq (uint_size) (usize 25). + +Definition roundconstants_v : round_constants_t := + array_from_list int64 (let l := + [ + @repr WORDSIZE64 1; + @repr WORDSIZE64 32898; + @repr WORDSIZE64 9223372036854808714; + @repr WORDSIZE64 9223372039002292224; + @repr WORDSIZE64 32907; + @repr WORDSIZE64 2147483649; + @repr WORDSIZE64 9223372039002292353; + @repr WORDSIZE64 9223372036854808585; + @repr WORDSIZE64 138; + @repr WORDSIZE64 136; + @repr WORDSIZE64 2147516425; + @repr WORDSIZE64 2147483658; + @repr WORDSIZE64 2147516555; + @repr WORDSIZE64 9223372036854775947; + @repr WORDSIZE64 9223372036854808713; + @repr WORDSIZE64 9223372036854808579; + @repr WORDSIZE64 9223372036854808578; + @repr WORDSIZE64 9223372036854775936; + @repr WORDSIZE64 32778; + @repr WORDSIZE64 9223372039002259466; + @repr WORDSIZE64 9223372039002292353; + @repr WORDSIZE64 9223372036854808704; + @repr WORDSIZE64 2147483649; + @repr WORDSIZE64 9223372039002292232 + ] in l). + +Definition rotc_v : rotation_constants_t := + array_from_list uint_size (let l := + [ + usize 0; + usize 1; + usize 62; + usize 28; + usize 27; + usize 36; + usize 44; + usize 6; + usize 55; + usize 20; + usize 3; + usize 10; + usize 43; + usize 25; + usize 39; + usize 41; + usize 45; + usize 15; + usize 21; + usize 8; + usize 18; + usize 2; + usize 61; + usize 56; + usize 14 + ] in l). + +Definition pi_v : rotation_constants_t := + array_from_list uint_size (let l := + [ + usize 0; + usize 6; + usize 12; + usize 18; + usize 24; + usize 3; + usize 9; + usize 10; + usize 16; + usize 22; + usize 1; + usize 7; + usize 13; + usize 19; + usize 20; + usize 4; + usize 5; + usize 11; + usize 17; + usize 23; + usize 2; + usize 8; + usize 14; + usize 15; + usize 21 + ] in l). + +Definition theta (s_1068 : state_t) : state_t := + let b_1069 : row_t := + array_new_ (default : uint64) (5) in + let b_1069 := + foldi (usize 0) (usize 5) (fun i_1070 b_1069 => + let b_1069 := + array_upd b_1069 (i_1070) (((((array_index (s_1068) (i_1070)) .^ ( + array_index (s_1068) ((i_1070) + (usize 5)))) .^ ( + array_index (s_1068) ((i_1070) + (usize 10)))) .^ (array_index ( + s_1068) ((i_1070) + (usize 15)))) .^ (array_index (s_1068) (( + i_1070) + (usize 20)))) in + (b_1069)) + b_1069 in + let s_1068 := + foldi (usize 0) (usize 5) (fun i_1071 s_1068 => + let u_1072 : uint64 := + array_index (b_1069) (((i_1071) + (usize 1)) %% (usize 5)) in + let t_1073 : uint64 := + (array_index (b_1069) (((i_1071) + (usize 4)) %% (usize 5))) .^ ( + uint64_rotate_left (u_1072) (usize 1)) in + let s_1068 := + foldi (usize 0) (usize 5) (fun j_1074 s_1068 => + let s_1068 := + array_upd s_1068 (((usize 5) * (j_1074)) + (i_1071)) ((array_index ( + s_1068) (((usize 5) * (j_1074)) + (i_1071))) .^ (t_1073)) in + (s_1068)) + s_1068 in + (s_1068)) + s_1068 in + s_1068. + +Definition rho (s_1075 : state_t) : state_t := + let s_1075 := + foldi (usize 0) (usize 25) (fun i_1076 s_1075 => + let u_1077 : uint64 := + array_index (s_1075) (i_1076) in + let s_1075 := + array_upd s_1075 (i_1076) (uint64_rotate_left (u_1077) (array_index ( + rotc_v) (i_1076))) in + (s_1075)) + s_1075 in + s_1075. + +Definition pi (s_1078 : state_t) : state_t := + let v_1079 : state_t := + array_new_ (default : uint64) (25) in + let v_1079 := + foldi (usize 0) (usize 25) (fun i_1080 v_1079 => + let v_1079 := + array_upd v_1079 (i_1080) (array_index (s_1078) (array_index (pi_v) ( + i_1080))) in + (v_1079)) + v_1079 in + v_1079. + +Definition chi (s_1081 : state_t) : state_t := + let b_1082 : row_t := + array_new_ (default : uint64) (5) in + let '(s_1081, b_1082) := + foldi (usize 0) (usize 5) (fun i_1083 '(s_1081, b_1082) => + let b_1082 := + foldi (usize 0) (usize 5) (fun j_1084 b_1082 => + let b_1082 := + array_upd b_1082 (j_1084) (array_index (s_1081) (((usize 5) * ( + i_1083)) + (j_1084))) in + (b_1082)) + b_1082 in + let s_1081 := + foldi (usize 0) (usize 5) (fun j_1085 s_1081 => + let u_1086 : uint64 := + array_index (b_1082) (((j_1085) + (usize 1)) %% (usize 5)) in + let s_1081 := + array_upd s_1081 (((usize 5) * (i_1083)) + (j_1085)) ((array_index ( + s_1081) (((usize 5) * (i_1083)) + (j_1085))) .^ ((not ( + u_1086)) .& (array_index (b_1082) (((j_1085) + ( + usize 2)) %% (usize 5))))) in + (s_1081)) + s_1081 in + (s_1081, b_1082)) + (s_1081, b_1082) in + s_1081. + +Definition iota (s_1087 : state_t) (rndconst_1088 : int64) : state_t := + let s_1087 := + array_upd s_1087 (usize 0) ((array_index (s_1087) (usize 0)) .^ ( + uint64_classify (rndconst_1088))) in + s_1087. + +Definition keccakf1600 (s_1089 : state_t) : state_t := + let s_1089 := + foldi (usize 0) (rounds_v) (fun i_1090 s_1089 => + let s_1089 := + theta (s_1089) in + let s_1089 := + rho (s_1089) in + let s_1089 := + pi (s_1089) in + let s_1089 := + chi (s_1089) in + let s_1089 := + iota (s_1089) (array_index (roundconstants_v) (i_1090)) in + (s_1089)) + s_1089 in + s_1089. + +Definition absorb_block (s_1091 : state_t) (block_1092 : byte_seq) : state_t := + let s_1091 := + foldi (usize 0) (seq_len (block_1092)) (fun i_1093 s_1091 => + let w_1094 : uint_size := + (i_1093) usize_shift_right (@repr WORDSIZE32 3) in + let o_1095 : uint_size := + (usize 8) * ((i_1093) .& (usize 7)) in + let s_1091 := + array_upd s_1091 (w_1094) ((array_index (s_1091) (w_1094)) .^ (( + uint64_from_uint8 (seq_index (block_1092) (i_1093))) shift_left ( + o_1095))) in + (s_1091)) + s_1091 in + keccakf1600 (s_1091). + +Definition squeeze + (s_1096 : state_t) + (nbytes_1097 : uint_size) + (rate_1098 : uint_size) + : byte_seq := + let out_1099 : seq uint8 := + seq_new_ (default : uint8) (nbytes_1097) in + let '(s_1096, out_1099) := + foldi (usize 0) (nbytes_1097) (fun i_1100 '(s_1096, out_1099) => + let pos_1101 : uint_size := + (i_1100) %% (rate_1098) in + let w_1102 : uint_size := + (pos_1101) usize_shift_right (@repr WORDSIZE32 3) in + let o_1103 : uint_size := + (usize 8) * ((pos_1101) .& (usize 7)) in + let b_1104 : uint64 := + ((array_index (s_1096) (w_1102)) shift_right (o_1103)) .& ( + uint64_classify (@repr WORDSIZE64 255)) in + let out_1099 := + seq_upd out_1099 (i_1100) (uint8_from_uint64 (b_1104)) in + let '(s_1096) := + if (((i_1100) + (usize 1)) %% (rate_1098)) =.? (usize 0):bool then ( + let s_1096 := + keccakf1600 (s_1096) in + (s_1096)) else ((s_1096)) in + (s_1096, out_1099)) + (s_1096, out_1099) in + out_1099. + +Definition keccak + (rate_1105 : uint_size) + (data_1106 : byte_seq) + (p_1107 : int8) + (outbytes_1108 : uint_size) + : byte_seq := + let buf_1109 : seq uint8 := + seq_new_ (default : uint8) (rate_1105) in + let last_block_len_1110 : uint_size := + usize 0 in + let s_1111 : state_t := + array_new_ (default : uint64) (25) in + let '(buf_1109, last_block_len_1110, s_1111) := + foldi (usize 0) (seq_num_chunks (data_1106) (rate_1105)) (fun i_1112 '( + buf_1109, + last_block_len_1110, + s_1111 + ) => + let '(block_len_1113, block_1114) := + seq_get_chunk (data_1106) (rate_1105) (i_1112) in + let '(buf_1109, last_block_len_1110, s_1111) := + if (block_len_1113) =.? (rate_1105):bool then (let s_1111 := + absorb_block (s_1111) (block_1114) in + (buf_1109, last_block_len_1110, s_1111)) else (let buf_1109 := + seq_update_start (buf_1109) (block_1114) in + let last_block_len_1110 := + block_len_1113 in + (buf_1109, last_block_len_1110, s_1111)) in + (buf_1109, last_block_len_1110, s_1111)) + (buf_1109, last_block_len_1110, s_1111) in + let buf_1109 := + seq_upd buf_1109 (last_block_len_1110) (secret (p_1107) : int8) in + let buf_1109 := + seq_upd buf_1109 ((rate_1105) - (usize 1)) ((seq_index (buf_1109) (( + rate_1105) - (usize 1))) .| (secret ( + @repr WORDSIZE8 128) : int8)) in + let s_1111 := + absorb_block (s_1111) (buf_1109) in + squeeze (s_1111) (outbytes_1108) (rate_1105). + +Definition sha3224 (data_1115 : byte_seq) : digest224_t := + let t_1116 : seq uint8 := + keccak (sha3224_rate_v) (data_1115) (@repr WORDSIZE8 6) (usize 28) in + array_from_seq (28) (t_1116). + +Definition sha3256 (data_1117 : byte_seq) : digest256_t := + let t_1118 : seq uint8 := + keccak (sha3256_rate_v) (data_1117) (@repr WORDSIZE8 6) (usize 32) in + array_from_seq (32) (t_1118). + +Definition sha3384 (data_1119 : byte_seq) : digest384_t := + let t_1120 : seq uint8 := + keccak (sha3384_rate_v) (data_1119) (@repr WORDSIZE8 6) (usize 48) in + array_from_seq (48) (t_1120). + +Definition sha3512 (data_1121 : byte_seq) : digest512_t := + let t_1122 : seq uint8 := + keccak (sha3512_rate_v) (data_1121) (@repr WORDSIZE8 6) (usize 64) in + array_from_seq (64) (t_1122). + +Definition shake128 + (data_1123 : byte_seq) + (outlen_1124 : uint_size) + : byte_seq := + keccak (shake128_rate_v) (data_1123) (@repr WORDSIZE8 31) (outlen_1124). + +Definition shake256 + (data_1125 : byte_seq) + (outlen_1126 : uint_size) + : byte_seq := + keccak (shake256_rate_v) (data_1125) (@repr WORDSIZE8 31) (outlen_1126). + diff --git a/proof-libs/coq/src/Hacspec_Sha512.v b/proof-libs/coq/src/Hacspec_Sha512.v new file mode 100644 index 000000000..9e24e3f00 --- /dev/null +++ b/proof-libs/coq/src/Hacspec_Sha512.v @@ -0,0 +1,321 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition block_size_v : uint_size := + usize 128. + +Definition len_size_v : uint_size := + usize 16. + +Definition k_size_v : uint_size := + usize 80. + +Definition hash_size_v : uint_size := + (usize 512) / (usize 8). + +Definition block_t := nseq (uint8) (block_size_v). + +Definition op_table_type_t := nseq (uint_size) (usize 12). + +Definition sha512_digest_t := nseq (uint8) (hash_size_v). + +Definition round_constants_table_t := nseq (uint64) (k_size_v). + +Definition hash_t := nseq (uint64) (usize 8). + +Definition ch (x_2240 : uint64) (y_2241 : uint64) (z_2242 : uint64) : uint64 := + ((x_2240) .& (y_2241)) .^ ((not (x_2240)) .& (z_2242)). + +Definition maj (x_2243 : uint64) (y_2244 : uint64) (z_2245 : uint64) : uint64 := + ((x_2243) .& (y_2244)) .^ (((x_2243) .& (z_2245)) .^ ((y_2244) .& (z_2245))). + +Definition op_table_v : op_table_type_t := + array_from_list uint_size (let l := + [ + usize 28; + usize 34; + usize 39; + usize 14; + usize 18; + usize 41; + usize 1; + usize 8; + usize 7; + usize 19; + usize 61; + usize 6 + ] in l). + +Definition k_table_v : round_constants_table_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 4794697086780616226) : int64; + secret (@repr WORDSIZE64 8158064640168781261) : int64; + secret (@repr WORDSIZE64 13096744586834688815) : int64; + secret (@repr WORDSIZE64 16840607885511220156) : int64; + secret (@repr WORDSIZE64 4131703408338449720) : int64; + secret (@repr WORDSIZE64 6480981068601479193) : int64; + secret (@repr WORDSIZE64 10538285296894168987) : int64; + secret (@repr WORDSIZE64 12329834152419229976) : int64; + secret (@repr WORDSIZE64 15566598209576043074) : int64; + secret (@repr WORDSIZE64 1334009975649890238) : int64; + secret (@repr WORDSIZE64 2608012711638119052) : int64; + secret (@repr WORDSIZE64 6128411473006802146) : int64; + secret (@repr WORDSIZE64 8268148722764581231) : int64; + secret (@repr WORDSIZE64 9286055187155687089) : int64; + secret (@repr WORDSIZE64 11230858885718282805) : int64; + secret (@repr WORDSIZE64 13951009754708518548) : int64; + secret (@repr WORDSIZE64 16472876342353939154) : int64; + secret (@repr WORDSIZE64 17275323862435702243) : int64; + secret (@repr WORDSIZE64 1135362057144423861) : int64; + secret (@repr WORDSIZE64 2597628984639134821) : int64; + secret (@repr WORDSIZE64 3308224258029322869) : int64; + secret (@repr WORDSIZE64 5365058923640841347) : int64; + secret (@repr WORDSIZE64 6679025012923562964) : int64; + secret (@repr WORDSIZE64 8573033837759648693) : int64; + secret (@repr WORDSIZE64 10970295158949994411) : int64; + secret (@repr WORDSIZE64 12119686244451234320) : int64; + secret (@repr WORDSIZE64 12683024718118986047) : int64; + secret (@repr WORDSIZE64 13788192230050041572) : int64; + secret (@repr WORDSIZE64 14330467153632333762) : int64; + secret (@repr WORDSIZE64 15395433587784984357) : int64; + secret (@repr WORDSIZE64 489312712824947311) : int64; + secret (@repr WORDSIZE64 1452737877330783856) : int64; + secret (@repr WORDSIZE64 2861767655752347644) : int64; + secret (@repr WORDSIZE64 3322285676063803686) : int64; + secret (@repr WORDSIZE64 5560940570517711597) : int64; + secret (@repr WORDSIZE64 5996557281743188959) : int64; + secret (@repr WORDSIZE64 7280758554555802590) : int64; + secret (@repr WORDSIZE64 8532644243296465576) : int64; + secret (@repr WORDSIZE64 9350256976987008742) : int64; + secret (@repr WORDSIZE64 10552545826968843579) : int64; + secret (@repr WORDSIZE64 11727347734174303076) : int64; + secret (@repr WORDSIZE64 12113106623233404929) : int64; + secret (@repr WORDSIZE64 14000437183269869457) : int64; + secret (@repr WORDSIZE64 14369950271660146224) : int64; + secret (@repr WORDSIZE64 15101387698204529176) : int64; + secret (@repr WORDSIZE64 15463397548674623760) : int64; + secret (@repr WORDSIZE64 17586052441742319658) : int64; + secret (@repr WORDSIZE64 1182934255886127544) : int64; + secret (@repr WORDSIZE64 1847814050463011016) : int64; + secret (@repr WORDSIZE64 2177327727835720531) : int64; + secret (@repr WORDSIZE64 2830643537854262169) : int64; + secret (@repr WORDSIZE64 3796741975233480872) : int64; + secret (@repr WORDSIZE64 4115178125766777443) : int64; + secret (@repr WORDSIZE64 5681478168544905931) : int64; + secret (@repr WORDSIZE64 6601373596472566643) : int64; + secret (@repr WORDSIZE64 7507060721942968483) : int64; + secret (@repr WORDSIZE64 8399075790359081724) : int64; + secret (@repr WORDSIZE64 8693463985226723168) : int64; + secret (@repr WORDSIZE64 9568029438360202098) : int64; + secret (@repr WORDSIZE64 10144078919501101548) : int64; + secret (@repr WORDSIZE64 10430055236837252648) : int64; + secret (@repr WORDSIZE64 11840083180663258601) : int64; + secret (@repr WORDSIZE64 13761210420658862357) : int64; + secret (@repr WORDSIZE64 14299343276471374635) : int64; + secret (@repr WORDSIZE64 14566680578165727644) : int64; + secret (@repr WORDSIZE64 15097957966210449927) : int64; + secret (@repr WORDSIZE64 16922976911328602910) : int64; + secret (@repr WORDSIZE64 17689382322260857208) : int64; + secret (@repr WORDSIZE64 500013540394364858) : int64; + secret (@repr WORDSIZE64 748580250866718886) : int64; + secret (@repr WORDSIZE64 1242879168328830382) : int64; + secret (@repr WORDSIZE64 1977374033974150939) : int64; + secret (@repr WORDSIZE64 2944078676154940804) : int64; + secret (@repr WORDSIZE64 3659926193048069267) : int64; + secret (@repr WORDSIZE64 4368137639120453308) : int64; + secret (@repr WORDSIZE64 4836135668995329356) : int64; + secret (@repr WORDSIZE64 5532061633213252278) : int64; + secret (@repr WORDSIZE64 6448918945643986474) : int64; + secret (@repr WORDSIZE64 6902733635092675308) : int64; + secret (@repr WORDSIZE64 7801388544844847127) : int64 + ] in l). + +Definition hash_init_v : hash_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 7640891576956012808) : int64; + secret (@repr WORDSIZE64 13503953896175478587) : int64; + secret (@repr WORDSIZE64 4354685564936845355) : int64; + secret (@repr WORDSIZE64 11912009170470909681) : int64; + secret (@repr WORDSIZE64 5840696475078001361) : int64; + secret (@repr WORDSIZE64 11170449401992604703) : int64; + secret (@repr WORDSIZE64 2270897969802886507) : int64; + secret (@repr WORDSIZE64 6620516959819538809) : int64 + ] in l). + +Definition sigma + (x_2246 : uint64) + (i_2247 : uint_size) + (op_2248 : uint_size) + : uint64 := + let tmp_2249 : uint64 := + uint64_rotate_right (x_2246) (array_index (op_table_v) (((usize 3) * ( + i_2247)) + (usize 2))) in + let '(tmp_2249) := + if (op_2248) =.? (usize 0):bool then (let tmp_2249 := + (x_2246) shift_right (array_index (op_table_v) (((usize 3) * ( + i_2247)) + (usize 2))) in + (tmp_2249)) else ((tmp_2249)) in + ((uint64_rotate_right (x_2246) (array_index (op_table_v) ((usize 3) * ( + i_2247)))) .^ (uint64_rotate_right (x_2246) (array_index ( + op_table_v) (((usize 3) * (i_2247)) + (usize 1))))) .^ (tmp_2249). + +Definition schedule (block_2250 : block_t) : round_constants_table_t := + let b_2251 : seq uint64 := + array_to_be_uint64s (block_2250) in + let s_2252 : round_constants_table_t := + array_new_ (default : uint64) (k_size_v) in + let s_2252 := + foldi (usize 0) (k_size_v) (fun i_2253 s_2252 => + let '(s_2252) := + if (i_2253) <.? (usize 16):bool then (let s_2252 := + array_upd s_2252 (i_2253) (seq_index (b_2251) (i_2253)) in + (s_2252)) else (let t16_2254 : uint64 := + array_index (s_2252) ((i_2253) - (usize 16)) in + let t15_2255 : uint64 := + array_index (s_2252) ((i_2253) - (usize 15)) in + let t7_2256 : uint64 := + array_index (s_2252) ((i_2253) - (usize 7)) in + let t2_2257 : uint64 := + array_index (s_2252) ((i_2253) - (usize 2)) in + let s1_2258 : uint64 := + sigma (t2_2257) (usize 3) (usize 0) in + let s0_2259 : uint64 := + sigma (t15_2255) (usize 2) (usize 0) in + let s_2252 := + array_upd s_2252 (i_2253) ((((s1_2258) .+ (t7_2256)) .+ ( + s0_2259)) .+ (t16_2254)) in + (s_2252)) in + (s_2252)) + s_2252 in + s_2252. + +Definition shuffle + (ws_2260 : round_constants_table_t) + (hashi_2261 : hash_t) + : hash_t := + let h_2262 : hash_t := + hashi_2261 in + let h_2262 := + foldi (usize 0) (k_size_v) (fun i_2263 h_2262 => + let a0_2264 : uint64 := + array_index (h_2262) (usize 0) in + let b0_2265 : uint64 := + array_index (h_2262) (usize 1) in + let c0_2266 : uint64 := + array_index (h_2262) (usize 2) in + let d0_2267 : uint64 := + array_index (h_2262) (usize 3) in + let e0_2268 : uint64 := + array_index (h_2262) (usize 4) in + let f0_2269 : uint64 := + array_index (h_2262) (usize 5) in + let g0_2270 : uint64 := + array_index (h_2262) (usize 6) in + let h0_2271 : uint64 := + array_index (h_2262) (usize 7) in + let t1_2272 : uint64 := + ((((h0_2271) .+ (sigma (e0_2268) (usize 1) (usize 1))) .+ (ch ( + e0_2268) (f0_2269) (g0_2270))) .+ (array_index (k_table_v) ( + i_2263))) .+ (array_index (ws_2260) (i_2263)) in + let t2_2273 : uint64 := + (sigma (a0_2264) (usize 0) (usize 1)) .+ (maj (a0_2264) (b0_2265) ( + c0_2266)) in + let h_2262 := + array_upd h_2262 (usize 0) ((t1_2272) .+ (t2_2273)) in + let h_2262 := + array_upd h_2262 (usize 1) (a0_2264) in + let h_2262 := + array_upd h_2262 (usize 2) (b0_2265) in + let h_2262 := + array_upd h_2262 (usize 3) (c0_2266) in + let h_2262 := + array_upd h_2262 (usize 4) ((d0_2267) .+ (t1_2272)) in + let h_2262 := + array_upd h_2262 (usize 5) (e0_2268) in + let h_2262 := + array_upd h_2262 (usize 6) (f0_2269) in + let h_2262 := + array_upd h_2262 (usize 7) (g0_2270) in + (h_2262)) + h_2262 in + h_2262. + +Definition compress (block_2274 : block_t) (h_in_2275 : hash_t) : hash_t := + let s_2276 : round_constants_table_t := + schedule (block_2274) in + let h_2277 : hash_t := + shuffle (s_2276) (h_in_2275) in + let h_2277 := + foldi (usize 0) (usize 8) (fun i_2278 h_2277 => + let h_2277 := + array_upd h_2277 (i_2278) ((array_index (h_2277) (i_2278)) .+ ( + array_index (h_in_2275) (i_2278))) in + (h_2277)) + h_2277 in + h_2277. + +Definition hash (msg_2279 : byte_seq) : sha512_digest_t := + let h_2280 : hash_t := + hash_init_v in + let last_block_2281 : block_t := + array_new_ (default : uint8) (block_size_v) in + let last_block_len_2282 : uint_size := + usize 0 in + let '(h_2280, last_block_2281, last_block_len_2282) := + foldi (usize 0) (seq_num_chunks (msg_2279) (block_size_v)) (fun i_2283 '( + h_2280, + last_block_2281, + last_block_len_2282 + ) => + let '(block_len_2284, block_2285) := + seq_get_chunk (msg_2279) (block_size_v) (i_2283) in + let '(h_2280, last_block_2281, last_block_len_2282) := + if (block_len_2284) <.? (block_size_v):bool then (let last_block_2281 := + array_update_start (array_new_ (default : uint8) (block_size_v)) ( + block_2285) in + let last_block_len_2282 := + block_len_2284 in + (h_2280, last_block_2281, last_block_len_2282)) else ( + let compress_input_2286 : block_t := + array_from_seq (block_size_v) (block_2285) in + let h_2280 := + compress (compress_input_2286) (h_2280) in + (h_2280, last_block_2281, last_block_len_2282)) in + (h_2280, last_block_2281, last_block_len_2282)) + (h_2280, last_block_2281, last_block_len_2282) in + let last_block_2281 := + array_upd last_block_2281 (last_block_len_2282) (secret ( + @repr WORDSIZE8 128) : int8) in + let len_bist_2287 : uint128 := + secret (pub_u128 ((seq_len (msg_2279)) * (usize 8))) : int128 in + let '(h_2280, last_block_2281) := + if (last_block_len_2282) <.? ((block_size_v) - (len_size_v)):bool then ( + let last_block_2281 := + array_update (last_block_2281) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint128_to_be_bytes (len_bist_2287))) in + let h_2280 := + compress (last_block_2281) (h_2280) in + (h_2280, last_block_2281)) else (let pad_block_2288 : block_t := + array_new_ (default : uint8) (block_size_v) in + let pad_block_2288 := + array_update (pad_block_2288) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint128_to_be_bytes (len_bist_2287))) in + let h_2280 := + compress (last_block_2281) (h_2280) in + let h_2280 := + compress (pad_block_2288) (h_2280) in + (h_2280, last_block_2281)) in + array_from_seq (hash_size_v) (array_to_be_bytes (h_2280)). + +Definition sha512 (msg_2289 : byte_seq) : sha512_digest_t := + hash (msg_2289). + diff --git a/proof-libs/coq/src/MachineIntegers.v b/proof-libs/coq/src/MachineIntegers.v new file mode 100644 index 000000000..ba865033b --- /dev/null +++ b/proof-libs/coq/src/MachineIntegers.v @@ -0,0 +1,4886 @@ +(* *********************************************************************) +(* *) +(* The Compcert verified compiler *) +(* *) +(* Xavier Leroy, INRIA Paris-Rocquencourt *) +(* *) +(* Copyright Institut National de Recherche en Informatique et en *) +(* Automatique. All rights reserved. This file is distributed *) +(* under the terms of the GNU General Public License as published by *) +(* the Free Software Foundation, either version 2 of the License, or *) +(* (at your option) any later version. This file is also distributed *) +(* under the terms of the INRIA Non-Commercial License Agreement. *) +(* *) +(* *********************************************************************) + +(** Formalizations of machine integers modulo $2^N$ #2N#. *) + +Require Import Eqdep_dec Zquot Zwf. +From compcert Require Import Coqlib Zbits. +From compcert Require Archi. +Require Import Lia. +(** * Comparisons *) + +Inductive comparison : Type := + | Ceq : comparison (**r same *) + | Cne : comparison (**r different *) + | Clt : comparison (**r less than *) + | Cle : comparison (**r less than or equal *) + | Cgt : comparison (**r greater than *) + | Cge : comparison. (**r greater than or equal *) + +Definition negate_comparison (c: comparison): comparison := + match c with + | Ceq => Cne + | Cne => Ceq + | Clt => Cge + | Cle => Cgt + | Cgt => Cle + | Cge => Clt + end. + +Definition swap_comparison (c: comparison): comparison := + match c with + | Ceq => Ceq + | Cne => Cne + | Clt => Cgt + | Cle => Cge + | Cgt => Clt + | Cge => Cle + end. + +(** * Parameterization by the word size, in bits. *) +Class WORDSIZE := { + wordsize : nat; + wordsize_not_zero: wordsize <> 0%nat; +}. +(* Module Type WORDSIZE. + Parameter wordsize: nat. + Axiom wordsize_not_zero: wordsize <> 0%nat. +End WORDSIZE. *) + +(* To avoid useless definitions of inductors in extracted code. *) +Local Unset Elimination Schemes. +Local Unset Case Analysis Schemes. +Local Set Printing Projections. + +Section Make. +Context {WS : WORDSIZE}. +Global Opaque wordsize wordsize_not_zero. + +(* Variable wordsize : nat. *) +(* Hypothesis wordsize_not_zero: wordsize <> 0%nat. *) + +Definition zwordsize: Z := Z.of_nat wordsize. +Definition modulus : Z := two_power_nat wordsize. +Definition half_modulus : Z := modulus / 2. +Definition max_unsigned : Z := modulus - 1. +Definition max_signed : Z := half_modulus - 1. +Definition min_signed : Z := - half_modulus. + +Remark wordsize_pos: zwordsize > 0. +Proof. + unfold zwordsize. generalize wordsize_not_zero. lia. +Qed. + +Remark modulus_power: modulus = two_p zwordsize. +Proof. + unfold modulus. apply two_power_nat_two_p. +Qed. + +Remark modulus_gt_one: modulus > 1. +Proof. + rewrite modulus_power. apply Z.lt_gt. apply (two_p_monotone_strict 0). + generalize wordsize_pos; lia. +Qed. + +Remark modulus_pos: modulus > 0. +Proof. + generalize modulus_gt_one; lia. +Qed. + +Hint Resolve modulus_pos: ints. + +(** * Representation of machine integers *) + +(** A machine integer (type [int]) is represented as a Coq arbitrary-precision + integer (type [Z]) plus a proof that it is in the range 0 (included) to + [modulus] (excluded). *) + +Record int: Type := mkint { intval: Z; intrange: -1 < intval < modulus }. + +(** Fast normalization modulo [2^wordsize] *) + +Definition Z_mod_modulus (x: Z) : Z := + match x with + | Z0 => 0 + | Zpos p => P_mod_two_p p wordsize + | Zneg p => let r := P_mod_two_p p wordsize in if zeq r 0 then 0 else modulus - r + end. + +Lemma Z_mod_modulus_range: + forall x, 0 <= Z_mod_modulus x < modulus. +Proof (Z_mod_two_p_range wordsize). + +Lemma Z_mod_modulus_range': + forall x, -1 < Z_mod_modulus x < modulus. +Proof. + intros. generalize (Z_mod_modulus_range x); intuition. +Qed. + +Lemma Z_mod_modulus_eq: + forall x, Z_mod_modulus x = x mod modulus. +Proof (Z_mod_two_p_eq wordsize). + +(** The [unsigned] and [signed] functions return the Coq integer corresponding + to the given machine integer, interpreted as unsigned or signed + respectively. *) + +Definition unsigned (n: int) : Z := intval n. + +Definition signed (n: int) : Z := + let x := unsigned n in + if zlt x half_modulus then x else x - modulus. + +(** Conversely, [repr] takes a Coq integer and returns the corresponding + machine integer. The argument is treated modulo [modulus]. *) + +Definition repr (x: Z) : int := + mkint (Z_mod_modulus x) (Z_mod_modulus_range' x). + +Definition zero := repr 0. +Definition one := repr 1. +Definition mone := repr (-1). +Definition iwordsize := repr zwordsize. + +Lemma mkint_eq: + forall x y Px Py, x = y -> mkint x Px = mkint y Py. +Proof. + intros. subst y. + assert (forall (n m: Z) (P1 P2: n < m), P1 = P2). + { + unfold Z.lt; intros. + apply eq_proofs_unicity. + intros c1 c2. destruct c1; destruct c2; (left; reflexivity) || (right; congruence). + } + destruct Px as [Px1 Px2]. destruct Py as [Py1 Py2]. + rewrite (H _ _ Px1 Py1). + rewrite (H _ _ Px2 Py2). + reflexivity. +Qed. + +Lemma eq_dec: forall (x y: int), {x = y} + {x <> y}. +Proof. + intros. destruct x; destruct y. destruct (zeq intval0 intval1). + left. apply mkint_eq. auto. + right. red; intro. injection H. exact n. +Defined. + +(** * Arithmetic and logical operations over machine integers *) + +Definition eq (x y: int) : bool := + if zeq (unsigned x) (unsigned y) then true else false. +Definition lt (x y: int) : bool := + if zlt (signed x) (signed y) then true else false. +Definition ltu (x y: int) : bool := + if zlt (unsigned x) (unsigned y) then true else false. + +Definition neg (x: int) : int := repr (- unsigned x). + +Definition add (x y: int) : int := + repr (unsigned x + unsigned y). +Definition sub (x y: int) : int := + repr (unsigned x - unsigned y). +Definition mul (x y: int) : int := + repr (unsigned x * unsigned y). + +Definition divs (x y: int) : int := + repr (Z.quot (signed x) (signed y)). +Definition mods (x y: int) : int := + repr (Z.rem (signed x) (signed y)). + +Definition divu (x y: int) : int := + repr (unsigned x / unsigned y). +Definition modu (x y: int) : int := + repr ((unsigned x) mod (unsigned y)). + +(** Bitwise boolean operations. *) + +Definition and (x y: int): int := repr (Z.land (unsigned x) (unsigned y)). +Definition or (x y: int): int := repr (Z.lor (unsigned x) (unsigned y)). +Definition xor (x y: int) : int := repr (Z.lxor (unsigned x) (unsigned y)). + +Definition not (x: int) : int := xor x mone. + +(** Shifts and rotates. *) + +Definition shl (x y: int): int := repr (Z.shiftl (unsigned x) (unsigned y)). +Definition shru (x y: int): int := repr (Z.shiftr (unsigned x) (unsigned y)). +Definition shr (x y: int): int := repr (Z.shiftr (signed x) (unsigned y)). + +Definition rol (x y: int) : int := + let n := (unsigned y) mod zwordsize in + repr (Z.lor (Z.shiftl (unsigned x) n) (Z.shiftr (unsigned x) (zwordsize - n))). +Definition ror (x y: int) : int := + let n := (unsigned y) mod zwordsize in + repr (Z.lor (Z.shiftr (unsigned x) n) (Z.shiftl (unsigned x) (zwordsize - n))). + +Definition rolm (x a m: int): int := and (rol x a) m. + +(** Viewed as signed divisions by powers of two, [shrx] rounds towards + zero, while [shr] rounds towards minus infinity. *) + +Definition shrx (x y: int): int := + divs x (shl one y). + +(** High half of full multiply. *) + +Definition mulhu (x y: int): int := repr ((unsigned x * unsigned y) / modulus). +Definition mulhs (x y: int): int := repr ((signed x * signed y) / modulus). + +(** Condition flags *) + +Definition negative (x: int): int := + if lt x zero then one else zero. + +Definition add_carry (x y cin: int): int := + if zlt (unsigned x + unsigned y + unsigned cin) modulus then zero else one. + +Definition add_overflow (x y cin: int): int := + let s := signed x + signed y + signed cin in + if zle min_signed s && zle s max_signed then zero else one. + +Definition sub_borrow (x y bin: int): int := + if zlt (unsigned x - unsigned y - unsigned bin) 0 then one else zero. + +Definition sub_overflow (x y bin: int): int := + let s := signed x - signed y - signed bin in + if zle min_signed s && zle s max_signed then zero else one. + +(** [shr_carry x y] is 1 if [x] is negative and at least one 1 bit is shifted away. *) + +Definition shr_carry (x y: int) : int := + if lt x zero && negb (eq (and x (sub (shl one y) one)) zero) + then one else zero. + +(** Zero and sign extensions *) + +Definition zero_ext (n: Z) (x: int) : int := repr (Zzero_ext n (unsigned x)). +Definition sign_ext (n: Z) (x: int) : int := repr (Zsign_ext n (unsigned x)). + +(** Decomposition of a number as a sum of powers of two. *) + +Definition one_bits (x: int) : list int := + List.map repr (Z_one_bits wordsize (unsigned x) 0). + +(** Recognition of powers of two. *) + +Definition is_power2 (x: int) : option int := + match Z_is_power2 (unsigned x) with + | Some i => Some (repr i) + | None => None + end. + +(** Comparisons. *) + +Definition cmp (c: comparison) (x y: int) : bool := + match c with + | Ceq => eq x y + | Cne => negb (eq x y) + | Clt => lt x y + | Cle => negb (lt y x) + | Cgt => lt y x + | Cge => negb (lt x y) + end. + +Definition cmpu (c: comparison) (x y: int) : bool := + match c with + | Ceq => eq x y + | Cne => negb (eq x y) + | Clt => ltu x y + | Cle => negb (ltu y x) + | Cgt => ltu y x + | Cge => negb (ltu x y) + end. + +Definition is_false (x: int) : Prop := x = zero. +Definition is_true (x: int) : Prop := x <> zero. +Definition notbool (x: int) : int := if eq x zero then one else zero. + +(** x86-style extended division and modulus *) + +Definition divmodu2 (nhi nlo: int) (d: int) : option (int * int) := + if eq_dec d zero then None else + (let (q, r) := Z.div_eucl (unsigned nhi * modulus + unsigned nlo) (unsigned d) in + if zle q max_unsigned then Some(repr q, repr r) else None). + +Definition divmods2 (nhi nlo: int) (d: int) : option (int * int) := + if eq_dec d zero then None else + (let (q, r) := Z.quotrem (signed nhi * modulus + unsigned nlo) (signed d) in + if zle min_signed q && zle q max_signed then Some(repr q, repr r) else None). + +(** * Properties of integers and integer arithmetic *) + +(** ** Properties of [modulus], [max_unsigned], etc. *) + +Remark half_modulus_power: + half_modulus = two_p (zwordsize - 1). +Proof. + unfold half_modulus. rewrite modulus_power. + set (ws1 := zwordsize - 1). + replace (zwordsize) with (Z.succ ws1). + rewrite two_p_S. rewrite Z.mul_comm. apply Z_div_mult. lia. + unfold ws1. generalize wordsize_pos; lia. + unfold ws1. lia. +Qed. + +Remark half_modulus_modulus: modulus = 2 * half_modulus. +Proof. + rewrite half_modulus_power. rewrite modulus_power. + rewrite <- two_p_S. apply f_equal. lia. + generalize wordsize_pos; lia. +Qed. + +(** Relative positions, from greatest to smallest: +<< + max_unsigned + max_signed + 2*wordsize-1 + wordsize + 0 + min_signed +>> +*) + +Remark half_modulus_pos: half_modulus > 0. +Proof. + rewrite half_modulus_power. apply two_p_gt_ZERO. generalize wordsize_pos; lia. +Qed. + +Remark min_signed_neg: min_signed < 0. +Proof. + unfold min_signed. generalize half_modulus_pos. lia. +Qed. + +Remark max_signed_pos: max_signed >= 0. +Proof. + unfold max_signed. generalize half_modulus_pos. lia. +Qed. + +Remark wordsize_max_unsigned: zwordsize <= max_unsigned. +Proof. + assert (zwordsize < modulus). + rewrite modulus_power. apply two_p_strict. + generalize wordsize_pos. lia. + unfold max_unsigned. lia. +Qed. + +Remark two_wordsize_max_unsigned: 2 * zwordsize - 1 <= max_unsigned. +Proof. + assert (2 * zwordsize - 1 < modulus). + rewrite modulus_power. apply two_p_strict_2. generalize wordsize_pos; lia. + unfold max_unsigned; lia. +Qed. + +Remark max_signed_unsigned: max_signed < max_unsigned. +Proof. + unfold max_signed, max_unsigned. rewrite half_modulus_modulus. + generalize half_modulus_pos. lia. +Qed. + +Lemma unsigned_repr_eq: + forall x, unsigned (repr x) = Z.modulo x modulus. +Proof. + intros. simpl. apply Z_mod_modulus_eq. +Qed. + +Lemma signed_repr_eq: + forall x, signed (repr x) = if zlt (Z.modulo x modulus) half_modulus then Z.modulo x modulus else Z.modulo x modulus - modulus. +Proof. + intros. unfold signed. rewrite unsigned_repr_eq. auto. +Qed. + +(** ** Modulo arithmetic *) + +(** [eqm] is equality modulo $2^{wordsize}$ #2wordsize#. *) + +Definition eqm := eqmod modulus. + +Lemma eqm_refl: forall x, eqm x x. +Proof (eqmod_refl modulus). +Hint Resolve eqm_refl: ints. + +Lemma eqm_refl2: + forall x y, x = y -> eqm x y. +Proof (eqmod_refl2 modulus). +Hint Resolve eqm_refl2: ints. + +Lemma eqm_sym: forall x y, eqm x y -> eqm y x. +Proof (eqmod_sym modulus). +Hint Resolve eqm_sym: ints. + +Lemma eqm_trans: forall x y z, eqm x y -> eqm y z -> eqm x z. +Proof (eqmod_trans modulus). +Hint Resolve eqm_trans: ints. + +Lemma eqm_small_eq: + forall x y, eqm x y -> 0 <= x < modulus -> 0 <= y < modulus -> x = y. +Proof (eqmod_small_eq modulus). +Hint Resolve eqm_small_eq: ints. + +Lemma eqm_add: + forall a b c d, eqm a b -> eqm c d -> eqm (a + c) (b + d). +Proof (eqmod_add modulus). +Hint Resolve eqm_add: ints. + +Lemma eqm_neg: + forall x y, eqm x y -> eqm (-x) (-y). +Proof (eqmod_neg modulus). +Hint Resolve eqm_neg: ints. + +Lemma eqm_sub: + forall a b c d, eqm a b -> eqm c d -> eqm (a - c) (b - d). +Proof (eqmod_sub modulus). +Hint Resolve eqm_sub: ints. + +Lemma eqm_mult: + forall a b c d, eqm a c -> eqm b d -> eqm (a * b) (c * d). +Proof (eqmod_mult modulus). +Hint Resolve eqm_mult: ints. + +Lemma eqm_same_bits: + forall x y, + (forall i, 0 <= i < zwordsize -> Z.testbit x i = Z.testbit y i) -> + eqm x y. +Proof (eqmod_same_bits wordsize). + +Lemma same_bits_eqm: + forall x y i, + eqm x y -> + 0 <= i < zwordsize -> + Z.testbit x i = Z.testbit y i. +Proof (same_bits_eqmod wordsize). + +(** ** Properties of the coercions between [Z] and [int] *) + +Lemma eqm_samerepr: forall x y, eqm x y -> repr x = repr y. +Proof. + intros. unfold repr. apply mkint_eq. + rewrite !Z_mod_modulus_eq. apply eqmod_mod_eq. auto with ints. exact H. +Qed. + +Lemma eqm_unsigned_repr: + forall z, eqm z (unsigned (repr z)). +Proof. + unfold eqm; intros. rewrite unsigned_repr_eq. apply eqmod_mod. auto with ints. +Qed. +Hint Resolve eqm_unsigned_repr: ints. + +Lemma eqm_unsigned_repr_l: + forall a b, eqm a b -> eqm (unsigned (repr a)) b. +Proof. + intros. apply eqm_trans with a. + apply eqm_sym. apply eqm_unsigned_repr. auto. +Qed. +Hint Resolve eqm_unsigned_repr_l: ints. + +Lemma eqm_unsigned_repr_r: + forall a b, eqm a b -> eqm a (unsigned (repr b)). +Proof. + intros. apply eqm_trans with b. auto. + apply eqm_unsigned_repr. +Qed. +Hint Resolve eqm_unsigned_repr_r: ints. + +Lemma eqm_signed_unsigned: + forall x, eqm (signed x) (unsigned x). +Proof. + intros; red. unfold signed. set (y := unsigned x). + case (zlt y half_modulus); intro. + apply eqmod_refl. red; exists (-1); ring. +Qed. + +Theorem unsigned_range: + forall i, 0 <= unsigned i < modulus. +Proof. + destruct i. simpl. lia. +Qed. +Hint Resolve unsigned_range: ints. + +Theorem unsigned_range_2: + forall i, 0 <= unsigned i <= max_unsigned. +Proof. + intro; unfold max_unsigned. + generalize (unsigned_range i). lia. +Qed. +Hint Resolve unsigned_range_2: ints. + +Theorem signed_range: + forall i, min_signed <= signed i <= max_signed. +Proof. + intros. unfold signed. + generalize (unsigned_range i). set (n := unsigned i). intros. + case (zlt n half_modulus); intro. + unfold max_signed. generalize min_signed_neg. lia. + unfold min_signed, max_signed. + rewrite half_modulus_modulus in *. lia. +Qed. + +Theorem repr_unsigned: + forall i, repr (unsigned i) = i. +Proof. + destruct i; simpl. unfold repr. apply mkint_eq. + rewrite Z_mod_modulus_eq. apply Z.mod_small; lia. +Qed. +Hint Resolve repr_unsigned: ints. + +Lemma repr_signed: + forall i, repr (signed i) = i. +Proof. + intros. transitivity (repr (unsigned i)). + apply eqm_samerepr. apply eqm_signed_unsigned. auto with ints. +Qed. +Hint Resolve repr_signed: ints. + +Opaque repr. + +Lemma eqm_repr_eq: forall x y, eqm x (unsigned y) -> repr x = y. +Proof. + intros. rewrite <- (repr_unsigned y). apply eqm_samerepr; auto. +Qed. + +Theorem unsigned_repr: + forall z, 0 <= z <= max_unsigned -> unsigned (repr z) = z. +Proof. + intros. rewrite unsigned_repr_eq. + apply Z.mod_small. unfold max_unsigned in H. lia. +Qed. +Hint Resolve unsigned_repr: ints. + +Theorem signed_repr: + forall z, min_signed <= z <= max_signed -> signed (repr z) = z. +Proof. + intros. unfold signed. destruct (zle 0 z). + replace (unsigned (repr z)) with z. + rewrite zlt_true. auto. unfold max_signed in H. lia. + symmetry. apply unsigned_repr. generalize max_signed_unsigned. lia. + pose (z' := z + modulus). + replace (repr z) with (repr z'). + replace (unsigned (repr z')) with z'. + rewrite zlt_false. unfold z'. lia. + unfold z'. unfold min_signed in H. + rewrite half_modulus_modulus. lia. + symmetry. apply unsigned_repr. + unfold z', max_unsigned. unfold min_signed, max_signed in H. + rewrite half_modulus_modulus. lia. + apply eqm_samerepr. unfold z'; red. exists 1. lia. +Qed. + +Ltac extlia := unfold Plt, Ple in *; lia. + +Theorem signed_eq_unsigned: + forall x, unsigned x <= max_signed -> signed x = unsigned x. +Proof. + intros. unfold signed. destruct (zlt (unsigned x) half_modulus). + auto. unfold max_signed in H. extlia. +Qed. + +Theorem signed_positive: + forall x, signed x >= 0 <-> unsigned x <= max_signed. +Proof. + intros. unfold signed, max_signed. + generalize (unsigned_range x) half_modulus_modulus half_modulus_pos; intros. + destruct (zlt (unsigned x) half_modulus); lia. +Qed. + +(** ** Properties of zero, one, minus one *) + +Theorem unsigned_zero: unsigned zero = 0. +Proof. + unfold zero; rewrite unsigned_repr_eq. apply Zmod_0_l. +Qed. + +Theorem unsigned_one: unsigned one = 1. +Proof. + unfold one; rewrite unsigned_repr_eq. apply Z.mod_small. split. lia. + unfold modulus. replace wordsize with (S(Init.Nat.pred wordsize)). + rewrite two_power_nat_S. generalize (two_power_nat_pos (Init.Nat.pred wordsize)). + lia. + generalize wordsize_pos. unfold zwordsize. lia. +Qed. + +Theorem unsigned_mone: unsigned mone = modulus - 1. +Proof. + unfold mone; rewrite unsigned_repr_eq. + replace (-1) with ((modulus - 1) + (-1) * modulus). + rewrite Z_mod_plus_full. apply Z.mod_small. + generalize modulus_pos. lia. lia. +Qed. + +Theorem signed_zero: signed zero = 0. +Proof. + unfold signed. rewrite unsigned_zero. apply zlt_true. generalize half_modulus_pos; lia. +Qed. + +Theorem signed_one: zwordsize > 1 -> signed one = 1. +Proof. + intros. unfold signed. rewrite unsigned_one. apply zlt_true. + change 1 with (two_p 0). rewrite half_modulus_power. apply two_p_monotone_strict. lia. +Qed. + +Theorem signed_mone: signed mone = -1. +Proof. + unfold signed. rewrite unsigned_mone. + rewrite zlt_false. lia. + rewrite half_modulus_modulus. generalize half_modulus_pos. lia. +Qed. + +Theorem one_not_zero: one <> zero. +Proof. + assert (unsigned one <> unsigned zero). + rewrite unsigned_one; rewrite unsigned_zero; congruence. + congruence. +Qed. + +Theorem unsigned_repr_wordsize: + unsigned iwordsize = zwordsize. +Proof. + unfold iwordsize; rewrite unsigned_repr_eq. apply Z.mod_small. + generalize wordsize_pos wordsize_max_unsigned; unfold max_unsigned; lia. +Qed. + +(** ** Properties of equality *) + +Theorem eq_sym: + forall x y, eq x y = eq y x. +Proof. + intros; unfold eq. case (zeq (unsigned x) (unsigned y)); intro. + rewrite e. rewrite zeq_true. auto. + rewrite zeq_false. auto. auto. +Qed. + +Theorem eq_spec: forall (x y: int), if eq x y then x = y else x <> y. +Proof. + intros; unfold eq. case (eq_dec x y); intro. + subst y. rewrite zeq_true. auto. + rewrite zeq_false. auto. + destruct x; destruct y. + simpl. red; intro. elim n. apply mkint_eq. auto. +Qed. + +Theorem eq_true: forall x, eq x x = true. +Proof. + intros. generalize (eq_spec x x); case (eq x x); intros; congruence. +Qed. + +Theorem eq_false: forall x y, x <> y -> eq x y = false. +Proof. + intros. generalize (eq_spec x y); case (eq x y); intros; congruence. +Qed. + +Theorem same_if_eq: forall x y, eq x y = true -> x = y. +Proof. + intros. generalize (eq_spec x y); rewrite H; auto. +Qed. + +Theorem eq_signed: + forall x y, eq x y = if zeq (signed x) (signed y) then true else false. +Proof. + intros. predSpec eq eq_spec x y. + subst x. rewrite zeq_true; auto. + destruct (zeq (signed x) (signed y)); auto. + elim H. rewrite <- (repr_signed x). rewrite <- (repr_signed y). congruence. +Qed. + +(** ** Properties of addition *) + +Theorem add_unsigned: forall x y, add x y = repr (unsigned x + unsigned y). +Proof. intros; reflexivity. +Qed. + +Theorem add_signed: forall x y, add x y = repr (signed x + signed y). +Proof. + intros. rewrite add_unsigned. apply eqm_samerepr. + apply eqm_add; apply eqm_sym; apply eqm_signed_unsigned. +Qed. + +Theorem add_commut: forall x y, add x y = add y x. +Proof. intros; unfold add. decEq. lia. Qed. + +Theorem add_zero: forall x, add x zero = x. +Proof. + intros. unfold add. rewrite unsigned_zero. + rewrite Z.add_0_r. apply repr_unsigned. +Qed. + +Theorem add_zero_l: forall x, add zero x = x. +Proof. + intros. rewrite add_commut. apply add_zero. +Qed. + +Theorem add_assoc: forall x y z, add (add x y) z = add x (add y z). +Proof. + intros; unfold add. + set (x' := unsigned x). + set (y' := unsigned y). + set (z' := unsigned z). + apply eqm_samerepr. + apply eqm_trans with ((x' + y') + z'). + auto with ints. + rewrite <- Z.add_assoc. auto with ints. +Qed. + +Theorem add_permut: forall x y z, add x (add y z) = add y (add x z). +Proof. + intros. rewrite (add_commut y z). rewrite <- add_assoc. apply add_commut. +Qed. + +Theorem add_neg_zero: forall x, add x (neg x) = zero. +Proof. + intros; unfold add, neg, zero. apply eqm_samerepr. + replace 0 with (unsigned x + (- (unsigned x))). + auto with ints. lia. +Qed. + +Theorem unsigned_add_carry: + forall x y, + unsigned (add x y) = unsigned x + unsigned y - unsigned (add_carry x y zero) * modulus. +Proof. + intros. + unfold add, add_carry. rewrite unsigned_zero. rewrite Z.add_0_r. + rewrite unsigned_repr_eq. + generalize (unsigned_range x) (unsigned_range y). intros. + destruct (zlt (unsigned x + unsigned y) modulus). + rewrite unsigned_zero. apply Zmod_unique with 0. lia. lia. + rewrite unsigned_one. apply Zmod_unique with 1. lia. lia. +Qed. + +Corollary unsigned_add_either: + forall x y, + unsigned (add x y) = unsigned x + unsigned y + \/ unsigned (add x y) = unsigned x + unsigned y - modulus. +Proof. + intros. rewrite unsigned_add_carry. unfold add_carry. + rewrite unsigned_zero. rewrite Z.add_0_r. + destruct (zlt (unsigned x + unsigned y) modulus). + rewrite unsigned_zero. left; lia. + rewrite unsigned_one. right; lia. +Qed. + +(** ** Properties of negation *) + +Theorem neg_repr: forall z, neg (repr z) = repr (-z). +Proof. + intros; unfold neg. apply eqm_samerepr. auto with ints. +Qed. + +Theorem neg_zero: neg zero = zero. +Proof. + unfold neg. rewrite unsigned_zero. auto. +Qed. + +Theorem neg_involutive: forall x, neg (neg x) = x. +Proof. + intros; unfold neg. + apply eqm_repr_eq. eapply eqm_trans. apply eqm_neg. + apply eqm_unsigned_repr_l. apply eqm_refl. apply eqm_refl2. lia. +Qed. + +Theorem neg_add_distr: forall x y, neg(add x y) = add (neg x) (neg y). +Proof. + intros; unfold neg, add. apply eqm_samerepr. + apply eqm_trans with (- (unsigned x + unsigned y)). + auto with ints. + replace (- (unsigned x + unsigned y)) + with ((- unsigned x) + (- unsigned y)). + auto with ints. lia. +Qed. + +(** ** Properties of subtraction *) + +Theorem sub_zero_l: forall x, sub x zero = x. +Proof. + intros; unfold sub. rewrite unsigned_zero. + replace (unsigned x - 0) with (unsigned x) by lia. apply repr_unsigned. +Qed. + +Theorem sub_zero_r: forall x, sub zero x = neg x. +Proof. + intros; unfold sub, neg. rewrite unsigned_zero. auto. +Qed. + +Theorem sub_add_opp: forall x y, sub x y = add x (neg y). +Proof. + intros; unfold sub, add, neg. apply eqm_samerepr. + apply eqm_add; auto with ints. +Qed. + +Theorem sub_idem: forall x, sub x x = zero. +Proof. + intros; unfold sub. unfold zero. decEq. lia. +Qed. + +Theorem sub_add_l: forall x y z, sub (add x y) z = add (sub x z) y. +Proof. + intros. repeat rewrite sub_add_opp. + repeat rewrite add_assoc. decEq. apply add_commut. +Qed. + +Theorem sub_add_r: forall x y z, sub x (add y z) = add (sub x z) (neg y). +Proof. + intros. repeat rewrite sub_add_opp. + rewrite neg_add_distr. rewrite add_permut. apply add_commut. +Qed. + +Theorem sub_shifted: + forall x y z, + sub (add x z) (add y z) = sub x y. +Proof. + intros. rewrite sub_add_opp. rewrite neg_add_distr. + rewrite add_assoc. + rewrite (add_commut (neg y) (neg z)). + rewrite <- (add_assoc z). rewrite add_neg_zero. + rewrite (add_commut zero). rewrite add_zero. + symmetry. apply sub_add_opp. +Qed. + +Theorem sub_signed: + forall x y, sub x y = repr (signed x - signed y). +Proof. + intros. unfold sub. apply eqm_samerepr. + apply eqm_sub; apply eqm_sym; apply eqm_signed_unsigned. +Qed. + +Theorem unsigned_sub_borrow: + forall x y, + unsigned (sub x y) = unsigned x - unsigned y + unsigned (sub_borrow x y zero) * modulus. +Proof. + intros. + unfold sub, sub_borrow. rewrite unsigned_zero. rewrite Z.sub_0_r. + rewrite unsigned_repr_eq. + generalize (unsigned_range x) (unsigned_range y). intros. + destruct (zlt (unsigned x - unsigned y) 0). + rewrite unsigned_one. apply Zmod_unique with (-1). lia. lia. + rewrite unsigned_zero. apply Zmod_unique with 0. lia. lia. +Qed. + +(** ** Properties of multiplication *) + +Theorem mul_commut: forall x y, mul x y = mul y x. +Proof. + intros; unfold mul. decEq. ring. +Qed. + +Theorem mul_zero: forall x, mul x zero = zero. +Proof. + intros; unfold mul. rewrite unsigned_zero. + unfold zero. decEq. ring. +Qed. + +Theorem mul_one: forall x, mul x one = x. +Proof. + intros; unfold mul. rewrite unsigned_one. + transitivity (repr (unsigned x)). decEq. ring. + apply repr_unsigned. +Qed. + +Theorem mul_mone: forall x, mul x mone = neg x. +Proof. + intros; unfold mul, neg. rewrite unsigned_mone. + apply eqm_samerepr. + replace (-unsigned x) with (0 - unsigned x) by lia. + replace (unsigned x * (modulus - 1)) with (unsigned x * modulus - unsigned x) by ring. + apply eqm_sub. exists (unsigned x). lia. apply eqm_refl. +Qed. + +Theorem mul_assoc: forall x y z, mul (mul x y) z = mul x (mul y z). +Proof. + intros; unfold mul. + set (x' := unsigned x). + set (y' := unsigned y). + set (z' := unsigned z). + apply eqm_samerepr. apply eqm_trans with ((x' * y') * z'). + auto with ints. + rewrite <- Z.mul_assoc. auto with ints. +Qed. + +Theorem mul_add_distr_l: + forall x y z, mul (add x y) z = add (mul x z) (mul y z). +Proof. + intros; unfold mul, add. + apply eqm_samerepr. + set (x' := unsigned x). + set (y' := unsigned y). + set (z' := unsigned z). + apply eqm_trans with ((x' + y') * z'). + auto with ints. + replace ((x' + y') * z') with (x' * z' + y' * z'). + auto with ints. + ring. +Qed. + +Theorem mul_add_distr_r: + forall x y z, mul x (add y z) = add (mul x y) (mul x z). +Proof. + intros. rewrite mul_commut. rewrite mul_add_distr_l. + decEq; apply mul_commut. +Qed. + +Theorem neg_mul_distr_l: + forall x y, neg(mul x y) = mul (neg x) y. +Proof. + intros. unfold mul, neg. + set (x' := unsigned x). set (y' := unsigned y). + apply eqm_samerepr. apply eqm_trans with (- (x' * y')). + auto with ints. + replace (- (x' * y')) with ((-x') * y') by ring. + auto with ints. +Qed. + +Theorem neg_mul_distr_r: + forall x y, neg(mul x y) = mul x (neg y). +Proof. + intros. rewrite (mul_commut x y). rewrite (mul_commut x (neg y)). + apply neg_mul_distr_l. +Qed. + +Theorem mul_signed: + forall x y, mul x y = repr (signed x * signed y). +Proof. + intros; unfold mul. apply eqm_samerepr. + apply eqm_mult; apply eqm_sym; apply eqm_signed_unsigned. +Qed. + +(** ** Properties of division and modulus *) + +Lemma modu_divu_Euclid: + forall x y, y <> zero -> x = add (mul (divu x y) y) (modu x y). +Proof. + intros. unfold add, mul, divu, modu. + transitivity (repr (unsigned x)). auto with ints. + apply eqm_samerepr. + set (x' := unsigned x). set (y' := unsigned y). + apply eqm_trans with ((x' / y') * y' + x' mod y'). + apply eqm_refl2. rewrite Z.mul_comm. apply Z_div_mod_eq. + generalize (unsigned_range y); intro. + assert (unsigned y <> 0). red; intro. + elim H. rewrite <- (repr_unsigned y). unfold zero. congruence. + unfold y'. lia. + auto with ints. +Qed. + +Theorem modu_divu: + forall x y, y <> zero -> modu x y = sub x (mul (divu x y) y). +Proof. + intros. + assert (forall a b c, a = add b c -> c = sub a b). + intros. subst a. rewrite sub_add_l. rewrite sub_idem. + rewrite add_commut. rewrite add_zero. auto. + apply H0. apply modu_divu_Euclid. auto. +Qed. + +Lemma mods_divs_Euclid: + forall x y, x = add (mul (divs x y) y) (mods x y). +Proof. + intros. unfold add, mul, divs, mods. + transitivity (repr (signed x)). auto with ints. + apply eqm_samerepr. + set (x' := signed x). set (y' := signed y). + apply eqm_trans with ((Z.quot x' y') * y' + Z.rem x' y'). + apply eqm_refl2. rewrite Z.mul_comm. apply Z.quot_rem'. + apply eqm_add; auto with ints. + apply eqm_unsigned_repr_r. apply eqm_mult; auto with ints. + unfold y'. apply eqm_signed_unsigned. +Qed. + +Theorem mods_divs: + forall x y, mods x y = sub x (mul (divs x y) y). +Proof. + intros. + assert (forall a b c, a = add b c -> c = sub a b). + intros. subst a. rewrite sub_add_l. rewrite sub_idem. + rewrite add_commut. rewrite add_zero. auto. + apply H. apply mods_divs_Euclid. +Qed. + +Theorem divu_one: + forall x, divu x one = x. +Proof. + unfold divu; intros. rewrite unsigned_one. rewrite Zdiv_1_r. apply repr_unsigned. +Qed. + +Theorem divs_one: + forall x, zwordsize > 1 -> divs x one = x. +Proof. + unfold divs; intros. rewrite signed_one. rewrite Z.quot_1_r. apply repr_signed. auto. +Qed. + +Theorem modu_one: + forall x, modu x one = zero. +Proof. + intros. rewrite modu_divu. rewrite divu_one. rewrite mul_one. apply sub_idem. + apply one_not_zero. +Qed. + +Theorem divs_mone: + forall x, divs x mone = neg x. +Proof. + unfold divs, neg; intros. + rewrite signed_mone. + replace (Z.quot (signed x) (-1)) with (- (signed x)). + apply eqm_samerepr. apply eqm_neg. apply eqm_signed_unsigned. + set (x' := signed x). + set (one := 1). + change (-1) with (- one). rewrite Zquot_opp_r. + assert (Z.quot x' one = x'). + symmetry. apply Zquot_unique_full with 0. red. + change (Z.abs one) with 1. + destruct (zle 0 x'). left. lia. right. lia. + unfold one; ring. + congruence. +Qed. + +Theorem mods_mone: + forall x, mods x mone = zero. +Proof. + intros. rewrite mods_divs. rewrite divs_mone. + rewrite <- neg_mul_distr_l. rewrite mul_mone. rewrite neg_involutive. apply sub_idem. +Qed. + +Theorem divmodu2_divu_modu: + forall n d, + d <> zero -> divmodu2 zero n d = Some (divu n d, modu n d). +Proof. + unfold divmodu2, divu, modu; intros. + rewrite dec_eq_false by auto. + set (N := unsigned zero * modulus + unsigned n). + assert (E1: unsigned n = N) by (unfold N; rewrite unsigned_zero; ring). rewrite ! E1. + set (D := unsigned d). + set (Q := N / D); set (R := N mod D). + assert (E2: Z.div_eucl N D = (Q, R)). + { unfold Q, R, Z.div, Z.modulo. destruct (Z.div_eucl N D); auto. } + rewrite E2. rewrite zle_true. auto. + assert (unsigned d <> 0). + { red; intros. elim H. rewrite <- (repr_unsigned d). rewrite H0; auto. } + assert (0 < D). + { unfold D. generalize (unsigned_range d); intros. lia. } + assert (0 <= Q <= max_unsigned). + { unfold Q. apply Zdiv_interval_2. + rewrite <- E1; apply unsigned_range_2. + lia. unfold max_unsigned; generalize modulus_pos; lia. lia. } + lia. +Qed. + +Lemma unsigned_signed: + forall n, unsigned n = if lt n zero then signed n + modulus else signed n. +Proof. + intros. unfold lt. rewrite signed_zero. unfold signed. + generalize (unsigned_range n). rewrite half_modulus_modulus. intros. + destruct (zlt (unsigned n) half_modulus). +- rewrite zlt_false by lia. auto. +- rewrite zlt_true by lia. ring. +Qed. + +Theorem divmods2_divs_mods: + forall n d, + d <> zero -> n <> repr min_signed \/ d <> mone -> + divmods2 (if lt n zero then mone else zero) n d = Some (divs n d, mods n d). +Proof. + unfold divmods2, divs, mods; intros. + rewrite dec_eq_false by auto. + set (N := signed (if lt n zero then mone else zero) * modulus + unsigned n). + set (D := signed d). + assert (D <> 0). + { unfold D; red; intros. elim H. rewrite <- (repr_signed d). rewrite H1; auto. } + assert (N = signed n). + { unfold N. rewrite unsigned_signed. destruct (lt n zero). + rewrite signed_mone. ring. + rewrite signed_zero. ring. } + set (Q := Z.quot N D); set (R := Z.rem N D). + assert (E2: Z.quotrem N D = (Q, R)). + { unfold Q, R, Z.quot, Z.rem. destruct (Z.quotrem N D); auto. } + rewrite E2. + assert (min_signed <= N <= max_signed) by (rewrite H2; apply signed_range). + assert (min_signed <= Q <= max_signed). + { unfold Q. destruct (zeq D 1); [ | destruct (zeq D (-1))]. + - (* D = 1 *) + rewrite e. rewrite Z.quot_1_r; auto. + - (* D = -1 *) + rewrite e. change (-1) with (Z.opp 1). rewrite Z.quot_opp_r by lia. + rewrite Z.quot_1_r. + assert (N <> min_signed). + { red; intros; destruct H0. + + elim H0. rewrite <- (repr_signed n). rewrite <- H2. rewrite H4. auto. + + elim H0. rewrite <- (repr_signed d). unfold D in e; rewrite e; auto. } + unfold min_signed, max_signed in *. lia. + - (* |D| > 1 *) + assert (Z.abs (Z.quot N D) < half_modulus). + { rewrite <- Z.quot_abs by lia. apply Zquot_lt_upper_bound. + extlia. extlia. + apply Z.le_lt_trans with (half_modulus * 1). + rewrite Z.mul_1_r. unfold min_signed, max_signed in H3; extlia. + apply Zmult_lt_compat_l. generalize half_modulus_pos; lia. extlia. } + rewrite Z.abs_lt in H4. + unfold min_signed, max_signed; lia. + } + unfold proj_sumbool; rewrite ! zle_true by lia; simpl. + unfold Q, R; rewrite H2; auto. +Qed. + +(** ** Bit-level properties *) + +Definition testbit (x: int) (i: Z) : bool := Z.testbit (unsigned x) i. + +Lemma testbit_repr: + forall x i, + 0 <= i < zwordsize -> + testbit (repr x) i = Z.testbit x i. +Proof. + intros. unfold testbit. apply same_bits_eqm; auto with ints. +Qed. + +Lemma same_bits_eq: + forall x y, + (forall i, 0 <= i < zwordsize -> testbit x i = testbit y i) -> + x = y. +Proof. + intros. rewrite <- (repr_unsigned x). rewrite <- (repr_unsigned y). + apply eqm_samerepr. apply eqm_same_bits. auto. +Qed. + +Lemma bits_above: + forall x i, i >= zwordsize -> testbit x i = false. +Proof. + intros. apply Ztestbit_above with wordsize; auto. apply unsigned_range. +Qed. + +Lemma bits_below: + forall x i, i < 0 -> testbit x i = false. +Proof. + intros. apply Z.testbit_neg_r; auto. +Qed. + +Lemma bits_zero: + forall i, testbit zero i = false. +Proof. + intros. unfold testbit. rewrite unsigned_zero. apply Ztestbit_0. +Qed. + +Remark bits_one: forall n, testbit one n = zeq n 0. +Proof. + unfold testbit; intros. rewrite unsigned_one. apply Ztestbit_1. +Qed. + +Lemma bits_mone: + forall i, 0 <= i < zwordsize -> testbit mone i = true. +Proof. + intros. unfold mone. rewrite testbit_repr; auto. apply Ztestbit_m1. lia. +Qed. + +Hint Rewrite bits_zero bits_mone : ints. + +Ltac bit_solve := + intros; apply same_bits_eq; intros; autorewrite with ints; auto with bool. + +Lemma sign_bit_of_unsigned: + forall x, testbit x (zwordsize - 1) = if zlt (unsigned x) half_modulus then false else true. +Proof. + intros. unfold testbit. + set (ws1 := Init.Nat.pred wordsize). + assert (zwordsize - 1 = Z.of_nat ws1). + unfold zwordsize, ws1. + destruct wordsize as [] eqn:E. + elim wordsize_not_zero; auto. + rewrite Nat2Z.inj_succ. simpl. lia. + assert (half_modulus = two_power_nat ws1). + rewrite two_power_nat_two_p. rewrite <- H. apply half_modulus_power. + rewrite H; rewrite H0. + apply Zsign_bit. rewrite two_power_nat_S. rewrite <- H0. + rewrite <- half_modulus_modulus. apply unsigned_range. +Qed. + +Lemma bits_signed: + forall x i, 0 <= i -> + Z.testbit (signed x) i = testbit x (if zlt i zwordsize then i else zwordsize - 1). +Proof. + intros. + destruct (zlt i zwordsize). + - apply same_bits_eqm. apply eqm_signed_unsigned. lia. + - unfold signed. rewrite sign_bit_of_unsigned. destruct (zlt (unsigned x) half_modulus). + + apply Ztestbit_above with wordsize. apply unsigned_range. auto. + + apply Ztestbit_above_neg with wordsize. + fold modulus. generalize (unsigned_range x). lia. auto. +Qed. + +Lemma bits_le: + forall x y, + (forall i, 0 <= i < zwordsize -> testbit x i = true -> testbit y i = true) -> + unsigned x <= unsigned y. +Proof. + intros. apply Ztestbit_le. generalize (unsigned_range y); lia. + intros. fold (testbit y i). destruct (zlt i zwordsize). + apply H. lia. auto. + fold (testbit x i) in H1. rewrite bits_above in H1; auto. congruence. +Qed. + +(** ** Properties of bitwise and, or, xor *) + +Lemma bits_and: + forall x y i, 0 <= i < zwordsize -> + testbit (and x y) i = testbit x i && testbit y i. +Proof. + intros. unfold and. rewrite testbit_repr; auto. rewrite Z.land_spec; intuition. +Qed. + +Lemma bits_or: + forall x y i, 0 <= i < zwordsize -> + testbit (or x y) i = testbit x i || testbit y i. +Proof. + intros. unfold or. rewrite testbit_repr; auto. rewrite Z.lor_spec; intuition. +Qed. + +Lemma bits_xor: + forall x y i, 0 <= i < zwordsize -> + testbit (xor x y) i = xorb (testbit x i) (testbit y i). +Proof. + intros. unfold xor. rewrite testbit_repr; auto. rewrite Z.lxor_spec; intuition. +Qed. + +Lemma bits_not: + forall x i, 0 <= i < zwordsize -> + testbit (not x) i = negb (testbit x i). +Proof. + intros. unfold not. rewrite bits_xor; auto. rewrite bits_mone; auto. +Qed. + +Hint Rewrite bits_and bits_or bits_xor bits_not: ints. + +Theorem and_commut: forall x y, and x y = and y x. +Proof. + bit_solve. +Qed. + +Theorem and_assoc: forall x y z, and (and x y) z = and x (and y z). +Proof. + bit_solve. +Qed. + +Theorem and_zero: forall x, and x zero = zero. +Proof. + bit_solve. apply andb_b_false. +Qed. + +Corollary and_zero_l: forall x, and zero x = zero. +Proof. + intros. rewrite and_commut. apply and_zero. +Qed. + +Theorem and_mone: forall x, and x mone = x. +Proof. + bit_solve. apply andb_b_true. +Qed. + +Corollary and_mone_l: forall x, and mone x = x. +Proof. + intros. rewrite and_commut. apply and_mone. +Qed. + +Theorem and_idem: forall x, and x x = x. +Proof. + bit_solve. destruct (testbit x i); auto. +Qed. + +Theorem or_commut: forall x y, or x y = or y x. +Proof. + bit_solve. +Qed. + +Theorem or_assoc: forall x y z, or (or x y) z = or x (or y z). +Proof. + bit_solve. +Qed. + +Theorem or_zero: forall x, or x zero = x. +Proof. + bit_solve. +Qed. + +Corollary or_zero_l: forall x, or zero x = x. +Proof. + intros. rewrite or_commut. apply or_zero. +Qed. + +Theorem or_mone: forall x, or x mone = mone. +Proof. + bit_solve. +Qed. + +Theorem or_idem: forall x, or x x = x. +Proof. + bit_solve. destruct (testbit x i); auto. +Qed. + +Theorem and_or_distrib: + forall x y z, + and x (or y z) = or (and x y) (and x z). +Proof. + bit_solve. apply demorgan1. +Qed. + +Corollary and_or_distrib_l: + forall x y z, + and (or x y) z = or (and x z) (and y z). +Proof. + intros. rewrite (and_commut (or x y)). rewrite and_or_distrib. f_equal; apply and_commut. +Qed. + +Theorem or_and_distrib: + forall x y z, + or x (and y z) = and (or x y) (or x z). +Proof. + bit_solve. apply orb_andb_distrib_r. +Qed. + +Corollary or_and_distrib_l: + forall x y z, + or (and x y) z = and (or x z) (or y z). +Proof. + intros. rewrite (or_commut (and x y)). rewrite or_and_distrib. f_equal; apply or_commut. +Qed. + +Theorem and_or_absorb: forall x y, and x (or x y) = x. +Proof. + bit_solve. + assert (forall a b, a && (a || b) = a) by destr_bool. + auto. +Qed. + +Theorem or_and_absorb: forall x y, or x (and x y) = x. +Proof. + bit_solve. + assert (forall a b, a || (a && b) = a) by destr_bool. + auto. +Qed. + +Theorem xor_commut: forall x y, xor x y = xor y x. +Proof. + bit_solve. apply xorb_comm. +Qed. + +Theorem xor_assoc: forall x y z, xor (xor x y) z = xor x (xor y z). +Proof. + bit_solve. apply xorb_assoc. +Qed. + +Theorem xor_zero: forall x, xor x zero = x. +Proof. + bit_solve. apply xorb_false. +Qed. + +Corollary xor_zero_l: forall x, xor zero x = x. +Proof. + intros. rewrite xor_commut. apply xor_zero. +Qed. + +Theorem xor_idem: forall x, xor x x = zero. +Proof. + bit_solve. apply xorb_nilpotent. +Qed. + +Theorem xor_zero_one: xor zero one = one. +Proof. rewrite xor_commut. apply xor_zero. Qed. + +Theorem xor_one_one: xor one one = zero. +Proof. apply xor_idem. Qed. + +Theorem xor_zero_equal: forall x y, xor x y = zero -> x = y. +Proof. + intros. apply same_bits_eq; intros. + assert (xorb (testbit x i) (testbit y i) = false). + rewrite <- bits_xor; auto. rewrite H. apply bits_zero. + destruct (testbit x i); destruct (testbit y i); reflexivity || discriminate. +Qed. + +Theorem xor_is_zero: forall x y, eq (xor x y) zero = eq x y. +Proof. + intros. predSpec eq eq_spec (xor x y) zero. +- apply xor_zero_equal in H. subst y. rewrite eq_true; auto. +- predSpec eq eq_spec x y. ++ elim H; subst y; apply xor_idem. ++ auto. +Qed. + +Theorem and_xor_distrib: + forall x y z, + and x (xor y z) = xor (and x y) (and x z). +Proof. + bit_solve. + assert (forall a b c, a && (xorb b c) = xorb (a && b) (a && c)) by destr_bool. + auto. +Qed. + +Theorem and_le: + forall x y, unsigned (and x y) <= unsigned x. +Proof. + intros. apply bits_le; intros. + rewrite bits_and in H0; auto. rewrite andb_true_iff in H0. tauto. +Qed. + +Theorem or_le: + forall x y, unsigned x <= unsigned (or x y). +Proof. + intros. apply bits_le; intros. + rewrite bits_or; auto. rewrite H0; auto. +Qed. + +(** ** Properties of bitwise complement.*) + +Theorem not_involutive: + forall (x: int), not (not x) = x. +Proof. + intros. unfold not. rewrite xor_assoc. rewrite xor_idem. apply xor_zero. +Qed. + +Theorem not_zero: + not zero = mone. +Proof. + unfold not. rewrite xor_commut. apply xor_zero. +Qed. + +Theorem not_mone: + not mone = zero. +Proof. + rewrite <- (not_involutive zero). symmetry. decEq. apply not_zero. +Qed. + +Theorem not_or_and_not: + forall x y, not (or x y) = and (not x) (not y). +Proof. + bit_solve. apply negb_orb. +Qed. + +Theorem not_and_or_not: + forall x y, not (and x y) = or (not x) (not y). +Proof. + bit_solve. apply negb_andb. +Qed. + +Theorem and_not_self: + forall x, and x (not x) = zero. +Proof. + bit_solve. +Qed. + +Theorem or_not_self: + forall x, or x (not x) = mone. +Proof. + bit_solve. +Qed. + +Theorem xor_not_self: + forall x, xor x (not x) = mone. +Proof. + bit_solve. destruct (testbit x i); auto. +Qed. + +Lemma unsigned_not: + forall x, unsigned (not x) = max_unsigned - unsigned x. +Proof. + intros. transitivity (unsigned (repr(-unsigned x - 1))). + f_equal. bit_solve. rewrite testbit_repr; auto. symmetry. apply Z_one_complement. lia. + rewrite unsigned_repr_eq. apply Zmod_unique with (-1). + unfold max_unsigned. lia. + generalize (unsigned_range x). unfold max_unsigned. lia. +Qed. + +Theorem not_neg: + forall x, not x = add (neg x) mone. +Proof. + bit_solve. + rewrite <- (repr_unsigned x) at 1. unfold add. + rewrite !testbit_repr; auto. + transitivity (Z.testbit (-unsigned x - 1) i). + symmetry. apply Z_one_complement. lia. + apply same_bits_eqm; auto. + replace (-unsigned x - 1) with (-unsigned x + (-1)) by lia. + apply eqm_add. + unfold neg. apply eqm_unsigned_repr. + rewrite unsigned_mone. exists (-1). ring. +Qed. + +Theorem neg_not: + forall x, neg x = add (not x) one. +Proof. + intros. rewrite not_neg. rewrite add_assoc. + replace (add mone one) with zero. rewrite add_zero. auto. + apply eqm_samerepr. rewrite unsigned_mone. rewrite unsigned_one. + exists (-1). ring. +Qed. + +Theorem sub_add_not: + forall x y, sub x y = add (add x (not y)) one. +Proof. + intros. rewrite sub_add_opp. rewrite neg_not. + rewrite ! add_assoc. auto. +Qed. + +Theorem sub_add_not_3: + forall x y b, + b = zero \/ b = one -> + sub (sub x y) b = add (add x (not y)) (xor b one). +Proof. + intros. rewrite ! sub_add_not. rewrite ! add_assoc. f_equal. f_equal. + rewrite <- neg_not. rewrite <- sub_add_opp. destruct H; subst b. + rewrite xor_zero_l. rewrite sub_zero_l. auto. + rewrite xor_idem. rewrite sub_idem. auto. +Qed. + +Theorem sub_borrow_add_carry: + forall x y b, + b = zero \/ b = one -> + sub_borrow x y b = xor (add_carry x (not y) (xor b one)) one. +Proof. + intros. unfold sub_borrow, add_carry. rewrite unsigned_not. + replace (unsigned (xor b one)) with (1 - unsigned b). + destruct (zlt (unsigned x - unsigned y - unsigned b)). + rewrite zlt_true. rewrite xor_zero_l; auto. + unfold max_unsigned; lia. + rewrite zlt_false. rewrite xor_idem; auto. + unfold max_unsigned; lia. + destruct H; subst b. + rewrite xor_zero_l. rewrite unsigned_one, unsigned_zero; auto. + rewrite xor_idem. rewrite unsigned_one, unsigned_zero; auto. +Qed. + +(** ** Connections between [add] and bitwise logical operations. *) + +Lemma Z_add_is_or: + forall i, 0 <= i -> + forall x y, + (forall j, 0 <= j <= i -> Z.testbit x j && Z.testbit y j = false) -> + Z.testbit (x + y) i = Z.testbit x i || Z.testbit y i. +Proof. + intros i0 POS0. pattern i0. apply Zlt_0_ind; auto. + intros i IND POS x y EXCL. + rewrite (Zdecomp x) in *. rewrite (Zdecomp y) in *. + transitivity (Z.testbit (Zshiftin (Z.odd x || Z.odd y) (Z.div2 x + Z.div2 y)) i). + - f_equal. rewrite !Zshiftin_spec. + exploit (EXCL 0). lia. rewrite !Ztestbit_shiftin_base. intros. +Opaque Z.mul. + destruct (Z.odd x); destruct (Z.odd y); simpl in *; discriminate || ring. + - rewrite !Ztestbit_shiftin; auto. + destruct (zeq i 0). + + auto. + + apply IND. lia. intros. + exploit (EXCL (Z.succ j)). lia. + rewrite !Ztestbit_shiftin_succ. auto. + lia. lia. +Qed. + +Theorem add_is_or: + forall x y, + and x y = zero -> + add x y = or x y. +Proof. + bit_solve. unfold add. rewrite testbit_repr; auto. + apply Z_add_is_or. lia. + intros. + assert (testbit (and x y) j = testbit zero j) by congruence. + autorewrite with ints in H2. assumption. lia. +Qed. + +Theorem xor_is_or: + forall x y, and x y = zero -> xor x y = or x y. +Proof. + bit_solve. + assert (testbit (and x y) i = testbit zero i) by congruence. + autorewrite with ints in H1; auto. + destruct (testbit x i); destruct (testbit y i); simpl in *; congruence. +Qed. + +Theorem add_is_xor: + forall x y, + and x y = zero -> + add x y = xor x y. +Proof. + intros. rewrite xor_is_or; auto. apply add_is_or; auto. +Qed. + +Theorem add_and: + forall x y z, + and y z = zero -> + add (and x y) (and x z) = and x (or y z). +Proof. + intros. rewrite add_is_or. + rewrite and_or_distrib; auto. + rewrite (and_commut x y). + rewrite and_assoc. + repeat rewrite <- (and_assoc x). + rewrite (and_commut (and x x)). + rewrite <- and_assoc. + rewrite H. rewrite and_commut. apply and_zero. +Qed. + +(** ** Properties of shifts *) + +Lemma bits_shl: + forall x y i, + 0 <= i < zwordsize -> + testbit (shl x y) i = + if zlt i (unsigned y) then false else testbit x (i - unsigned y). +Proof. + intros. unfold shl. rewrite testbit_repr; auto. + destruct (zlt i (unsigned y)). + apply Z.shiftl_spec_low. auto. + apply Z.shiftl_spec_high. lia. lia. +Qed. + +Lemma bits_shru: + forall x y i, + 0 <= i < zwordsize -> + testbit (shru x y) i = + if zlt (i + unsigned y) zwordsize then testbit x (i + unsigned y) else false. +Proof. + intros. unfold shru. rewrite testbit_repr; auto. + rewrite Z.shiftr_spec. fold (testbit x (i + unsigned y)). + destruct (zlt (i + unsigned y) zwordsize). + auto. + apply bits_above; auto. + lia. +Qed. + +Lemma bits_shr: + forall x y i, + 0 <= i < zwordsize -> + testbit (shr x y) i = + testbit x (if zlt (i + unsigned y) zwordsize then i + unsigned y else zwordsize - 1). +Proof. + intros. unfold shr. rewrite testbit_repr; auto. + rewrite Z.shiftr_spec. apply bits_signed. + generalize (unsigned_range y); lia. + lia. +Qed. + +Hint Rewrite bits_shl bits_shru bits_shr: ints. + +Theorem shl_zero: forall x, shl x zero = x. +Proof. + bit_solve. rewrite unsigned_zero. rewrite zlt_false. f_equal; lia. lia. +Qed. + +Lemma bitwise_binop_shl: + forall f f' x y n, + (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> + f' false false = false -> + f (shl x n) (shl y n) = shl (f x y) n. +Proof. + intros. apply same_bits_eq; intros. + rewrite H; auto. rewrite !bits_shl; auto. + destruct (zlt i (unsigned n)); auto. + rewrite H; auto. generalize (unsigned_range n); lia. +Qed. + +Theorem and_shl: + forall x y n, + and (shl x n) (shl y n) = shl (and x y) n. +Proof. + intros. apply bitwise_binop_shl with andb. exact bits_and. auto. +Qed. + +Theorem or_shl: + forall x y n, + or (shl x n) (shl y n) = shl (or x y) n. +Proof. + intros. apply bitwise_binop_shl with orb. exact bits_or. auto. +Qed. + +Theorem xor_shl: + forall x y n, + xor (shl x n) (shl y n) = shl (xor x y) n. +Proof. + intros. apply bitwise_binop_shl with xorb. exact bits_xor. auto. +Qed. + +Lemma ltu_inv: + forall x y, ltu x y = true -> 0 <= unsigned x < unsigned y. +Proof. + unfold ltu; intros. destruct (zlt (unsigned x) (unsigned y)). + split; auto. generalize (unsigned_range x); lia. + discriminate. +Qed. + +Lemma ltu_iwordsize_inv: + forall x, ltu x iwordsize = true -> 0 <= unsigned x < zwordsize. +Proof. + intros. generalize (ltu_inv _ _ H). rewrite unsigned_repr_wordsize. auto. +Qed. + +Theorem shl_shl: + forall x y z, + ltu y iwordsize = true -> + ltu z iwordsize = true -> + ltu (add y z) iwordsize = true -> + shl (shl x y) z = shl x (add y z). +Proof. + intros. + generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. + assert (unsigned (add y z) = unsigned y + unsigned z). + unfold add. apply unsigned_repr. + generalize two_wordsize_max_unsigned; lia. + apply same_bits_eq; intros. + rewrite bits_shl; auto. + destruct (zlt i (unsigned z)). + - rewrite bits_shl; auto. rewrite zlt_true. auto. lia. + - rewrite bits_shl. destruct (zlt (i - unsigned z) (unsigned y)). + + rewrite bits_shl; auto. rewrite zlt_true. auto. lia. + + rewrite bits_shl; auto. rewrite zlt_false. f_equal. lia. lia. + + lia. +Qed. + +Theorem sub_ltu: + forall x y, + ltu x y = true -> + 0 <= unsigned y - unsigned x <= unsigned y. +Proof. + intros. + generalize (ltu_inv x y H). intros . + split. lia. lia. +Qed. + +Theorem shru_zero: forall x, shru x zero = x. +Proof. + bit_solve. rewrite unsigned_zero. rewrite zlt_true. f_equal; lia. lia. +Qed. + +Lemma bitwise_binop_shru: + forall f f' x y n, + (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> + f' false false = false -> + f (shru x n) (shru y n) = shru (f x y) n. +Proof. + intros. apply same_bits_eq; intros. + rewrite H; auto. rewrite !bits_shru; auto. + destruct (zlt (i + unsigned n) zwordsize); auto. + rewrite H; auto. generalize (unsigned_range n); lia. +Qed. + +Theorem and_shru: + forall x y n, + and (shru x n) (shru y n) = shru (and x y) n. +Proof. + intros. apply bitwise_binop_shru with andb; auto. exact bits_and. +Qed. + +Theorem or_shru: + forall x y n, + or (shru x n) (shru y n) = shru (or x y) n. +Proof. + intros. apply bitwise_binop_shru with orb; auto. exact bits_or. +Qed. + +Theorem xor_shru: + forall x y n, + xor (shru x n) (shru y n) = shru (xor x y) n. +Proof. + intros. apply bitwise_binop_shru with xorb; auto. exact bits_xor. +Qed. + +Theorem shru_shru: + forall x y z, + ltu y iwordsize = true -> + ltu z iwordsize = true -> + ltu (add y z) iwordsize = true -> + shru (shru x y) z = shru x (add y z). +Proof. + intros. + generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. + assert (unsigned (add y z) = unsigned y + unsigned z). + unfold add. apply unsigned_repr. + generalize two_wordsize_max_unsigned; lia. + apply same_bits_eq; intros. + rewrite bits_shru; auto. + destruct (zlt (i + unsigned z) zwordsize). + - rewrite bits_shru. destruct (zlt (i + unsigned z + unsigned y) zwordsize). + + rewrite bits_shru; auto. rewrite zlt_true. f_equal. lia. lia. + + rewrite bits_shru; auto. rewrite zlt_false. auto. lia. + + lia. + - rewrite bits_shru; auto. rewrite zlt_false. auto. lia. +Qed. + +Theorem shr_zero: forall x, shr x zero = x. +Proof. + bit_solve. rewrite unsigned_zero. rewrite zlt_true. f_equal; lia. lia. +Qed. + +Lemma bitwise_binop_shr: + forall f f' x y n, + (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> + f (shr x n) (shr y n) = shr (f x y) n. +Proof. + intros. apply same_bits_eq; intros. + rewrite H; auto. rewrite !bits_shr; auto. + rewrite H; auto. + destruct (zlt (i + unsigned n) zwordsize). + generalize (unsigned_range n); lia. + lia. +Qed. + +Theorem and_shr: + forall x y n, + and (shr x n) (shr y n) = shr (and x y) n. +Proof. + intros. apply bitwise_binop_shr with andb. exact bits_and. +Qed. + +Theorem or_shr: + forall x y n, + or (shr x n) (shr y n) = shr (or x y) n. +Proof. + intros. apply bitwise_binop_shr with orb. exact bits_or. +Qed. + +Theorem xor_shr: + forall x y n, + xor (shr x n) (shr y n) = shr (xor x y) n. +Proof. + intros. apply bitwise_binop_shr with xorb. exact bits_xor. +Qed. + +Theorem shr_shr: + forall x y z, + ltu y iwordsize = true -> + ltu z iwordsize = true -> + ltu (add y z) iwordsize = true -> + shr (shr x y) z = shr x (add y z). +Proof. + intros. + generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. + assert (unsigned (add y z) = unsigned y + unsigned z). + unfold add. apply unsigned_repr. + generalize two_wordsize_max_unsigned; lia. + apply same_bits_eq; intros. + rewrite !bits_shr; auto. f_equal. + destruct (zlt (i + unsigned z) zwordsize). + rewrite H4. replace (i + (unsigned y + unsigned z)) with (i + unsigned z + unsigned y) by lia. auto. + rewrite (zlt_false _ (i + unsigned (add y z))). + destruct (zlt (zwordsize - 1 + unsigned y) zwordsize); lia. + lia. + destruct (zlt (i + unsigned z) zwordsize); lia. +Qed. + +Theorem and_shr_shru: + forall x y z, + and (shr x z) (shru y z) = shru (and x y) z. +Proof. + intros. apply same_bits_eq; intros. + rewrite bits_and; auto. rewrite bits_shr; auto. rewrite !bits_shru; auto. + destruct (zlt (i + unsigned z) zwordsize). + - rewrite bits_and; auto. generalize (unsigned_range z); lia. + - apply andb_false_r. +Qed. + +Theorem shr_and_shru_and: + forall x y z, + shru (shl z y) y = z -> + and (shr x y) z = and (shru x y) z. +Proof. + intros. + rewrite <- H. + rewrite and_shru. rewrite and_shr_shru. auto. +Qed. + +Theorem shru_lt_zero: + forall x, + shru x (repr (zwordsize - 1)) = if lt x zero then one else zero. +Proof. + intros. apply same_bits_eq; intros. + rewrite bits_shru; auto. + rewrite unsigned_repr. + destruct (zeq i 0). + subst i. rewrite Z.add_0_l. rewrite zlt_true. + rewrite sign_bit_of_unsigned. + unfold lt. rewrite signed_zero. unfold signed. + destruct (zlt (unsigned x) half_modulus). + rewrite zlt_false. auto. generalize (unsigned_range x); lia. + rewrite zlt_true. unfold one; rewrite testbit_repr; auto. + generalize (unsigned_range x); lia. + lia. + rewrite zlt_false. + unfold testbit. rewrite Ztestbit_eq. rewrite zeq_false. + destruct (lt x zero). + rewrite unsigned_one. simpl Z.div2. rewrite Z.testbit_0_l; auto. + rewrite unsigned_zero. simpl Z.div2. rewrite Z.testbit_0_l; auto. + auto. lia. lia. + generalize wordsize_max_unsigned; lia. +Qed. + +Theorem shr_lt_zero: + forall x, + shr x (repr (zwordsize - 1)) = if lt x zero then mone else zero. +Proof. + intros. apply same_bits_eq; intros. + rewrite bits_shr; auto. + rewrite unsigned_repr. + transitivity (testbit x (zwordsize - 1)). + f_equal. destruct (zlt (i + (zwordsize - 1)) zwordsize); lia. + rewrite sign_bit_of_unsigned. + unfold lt. rewrite signed_zero. unfold signed. + destruct (zlt (unsigned x) half_modulus). + rewrite zlt_false. rewrite bits_zero; auto. generalize (unsigned_range x); lia. + rewrite zlt_true. rewrite bits_mone; auto. generalize (unsigned_range x); lia. + generalize wordsize_max_unsigned; lia. +Qed. + +(** ** Properties of rotations *) + +Lemma bits_rol: + forall x y i, + 0 <= i < zwordsize -> + testbit (rol x y) i = testbit x ((i - unsigned y) mod zwordsize). +Proof. + intros. unfold rol. + exploit (Z_div_mod_eq (unsigned y) zwordsize). apply wordsize_pos. + set (j := unsigned y mod zwordsize). set (k := unsigned y / zwordsize). + intros EQ. + exploit (Z_mod_lt (unsigned y) zwordsize). apply wordsize_pos. + fold j. intros RANGE. + rewrite testbit_repr; auto. + rewrite Z.lor_spec. rewrite Z.shiftr_spec. 2: lia. + destruct (zlt i j). + - rewrite Z.shiftl_spec_low; auto. simpl. + unfold testbit. f_equal. + symmetry. apply Zmod_unique with (-k - 1). + rewrite EQ. ring. + lia. + - rewrite Z.shiftl_spec_high. + fold (testbit x (i + (zwordsize - j))). + rewrite bits_above. rewrite orb_false_r. + fold (testbit x (i - j)). + f_equal. symmetry. apply Zmod_unique with (-k). + rewrite EQ. ring. + lia. lia. lia. lia. +Qed. + +Lemma bits_ror: + forall x y i, + 0 <= i < zwordsize -> + testbit (ror x y) i = testbit x ((i + unsigned y) mod zwordsize). +Proof. + intros. unfold ror. + exploit (Z_div_mod_eq (unsigned y) zwordsize). apply wordsize_pos. + set (j := unsigned y mod zwordsize). set (k := unsigned y / zwordsize). + intros EQ. + exploit (Z_mod_lt (unsigned y) zwordsize). apply wordsize_pos. + fold j. intros RANGE. + rewrite testbit_repr; auto. + rewrite Z.lor_spec. rewrite Z.shiftr_spec. 2: lia. + destruct (zlt (i + j) zwordsize). + - rewrite Z.shiftl_spec_low; auto. rewrite orb_false_r. + unfold testbit. f_equal. + symmetry. apply Zmod_unique with k. + rewrite EQ. ring. + lia. lia. + - rewrite Z.shiftl_spec_high. + fold (testbit x (i + j)). + rewrite bits_above. simpl. + unfold testbit. f_equal. + symmetry. apply Zmod_unique with (k + 1). + rewrite EQ. ring. + lia. lia. lia. lia. +Qed. + +Hint Rewrite bits_rol bits_ror: ints. + +Theorem shl_rolm: + forall x n, + ltu n iwordsize = true -> + shl x n = rolm x n (shl mone n). +Proof. + intros. generalize (ltu_inv _ _ H). rewrite unsigned_repr_wordsize; intros. + unfold rolm. apply same_bits_eq; intros. + rewrite bits_and; auto. rewrite !bits_shl; auto. rewrite bits_rol; auto. + destruct (zlt i (unsigned n)). + - rewrite andb_false_r; auto. + - generalize (unsigned_range n); intros. + rewrite bits_mone. rewrite andb_true_r. f_equal. + symmetry. apply Z.mod_small. lia. + lia. +Qed. + +Theorem shru_rolm: + forall x n, + ltu n iwordsize = true -> + shru x n = rolm x (sub iwordsize n) (shru mone n). +Proof. + intros. generalize (ltu_inv _ _ H). rewrite unsigned_repr_wordsize; intros. + unfold rolm. apply same_bits_eq; intros. + rewrite bits_and; auto. rewrite !bits_shru; auto. rewrite bits_rol; auto. + destruct (zlt (i + unsigned n) zwordsize). + - generalize (unsigned_range n); intros. + rewrite bits_mone. rewrite andb_true_r. f_equal. + unfold sub. rewrite unsigned_repr. rewrite unsigned_repr_wordsize. + symmetry. apply Zmod_unique with (-1). ring. lia. + rewrite unsigned_repr_wordsize. generalize wordsize_max_unsigned. lia. + lia. + - rewrite andb_false_r; auto. +Qed. + +Theorem rol_zero: + forall x, + rol x zero = x. +Proof. + bit_solve. f_equal. rewrite unsigned_zero. rewrite Z.sub_0_r. + apply Z.mod_small; auto. +Qed. + +Lemma bitwise_binop_rol: + forall f f' x y n, + (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> + rol (f x y) n = f (rol x n) (rol y n). +Proof. + intros. apply same_bits_eq; intros. + rewrite H; auto. rewrite !bits_rol; auto. rewrite H; auto. + apply Z_mod_lt. apply wordsize_pos. +Qed. + +Theorem rol_and: + forall x y n, + rol (and x y) n = and (rol x n) (rol y n). +Proof. + intros. apply bitwise_binop_rol with andb. exact bits_and. +Qed. + +Theorem rol_or: + forall x y n, + rol (or x y) n = or (rol x n) (rol y n). +Proof. + intros. apply bitwise_binop_rol with orb. exact bits_or. +Qed. + +Theorem rol_xor: + forall x y n, + rol (xor x y) n = xor (rol x n) (rol y n). +Proof. + intros. apply bitwise_binop_rol with xorb. exact bits_xor. +Qed. + +Theorem rol_rol: + forall x n m, + Z.divide zwordsize modulus -> + rol (rol x n) m = rol x (modu (add n m) iwordsize). +Proof. + bit_solve. f_equal. apply eqmod_mod_eq. apply wordsize_pos. + set (M := unsigned m); set (N := unsigned n). + apply eqmod_trans with (i - M - N). + apply eqmod_sub. + apply eqmod_sym. apply eqmod_mod. apply wordsize_pos. + apply eqmod_refl. + replace (i - M - N) with (i - (M + N)) by lia. + apply eqmod_sub. + apply eqmod_refl. + apply eqmod_trans with (Z.modulo (unsigned n + unsigned m) zwordsize). + replace (M + N) with (N + M) by lia. apply eqmod_mod. apply wordsize_pos. + unfold modu, add. fold M; fold N. rewrite unsigned_repr_wordsize. + assert (forall a, eqmod zwordsize a (unsigned (repr a))). + intros. eapply eqmod_divides. apply eqm_unsigned_repr. assumption. + eapply eqmod_trans. 2: apply H1. + apply eqmod_refl2. apply eqmod_mod_eq. apply wordsize_pos. auto. + apply Z_mod_lt. apply wordsize_pos. +Qed. + +Theorem rolm_zero: + forall x m, + rolm x zero m = and x m. +Proof. + intros. unfold rolm. rewrite rol_zero. auto. +Qed. + +Theorem rolm_rolm: + forall x n1 m1 n2 m2, + Z.divide zwordsize modulus -> + rolm (rolm x n1 m1) n2 m2 = + rolm x (modu (add n1 n2) iwordsize) + (and (rol m1 n2) m2). +Proof. + intros. + unfold rolm. rewrite rol_and. rewrite and_assoc. + rewrite rol_rol. reflexivity. auto. +Qed. + +Theorem or_rolm: + forall x n m1 m2, + or (rolm x n m1) (rolm x n m2) = rolm x n (or m1 m2). +Proof. + intros; unfold rolm. symmetry. apply and_or_distrib. +Qed. + +Theorem ror_rol: + forall x y, + ltu y iwordsize = true -> + ror x y = rol x (sub iwordsize y). +Proof. + intros. + generalize (ltu_iwordsize_inv _ H); intros. + apply same_bits_eq; intros. + rewrite bits_ror; auto. rewrite bits_rol; auto. f_equal. + unfold sub. rewrite unsigned_repr. rewrite unsigned_repr_wordsize. + apply eqmod_mod_eq. apply wordsize_pos. exists 1. ring. + rewrite unsigned_repr_wordsize. + generalize wordsize_pos; generalize wordsize_max_unsigned; lia. +Qed. + +Theorem ror_rol_neg: + forall x y, (zwordsize | modulus) -> ror x y = rol x (neg y). +Proof. + intros. apply same_bits_eq; intros. + rewrite bits_ror by auto. rewrite bits_rol by auto. + f_equal. apply eqmod_mod_eq. lia. + apply eqmod_trans with (i - (- unsigned y)). + apply eqmod_refl2; lia. + apply eqmod_sub. apply eqmod_refl. + apply eqmod_divides with modulus. + apply eqm_unsigned_repr. auto. +Qed. + +Theorem or_ror: + forall x y z, + ltu y iwordsize = true -> + ltu z iwordsize = true -> + add y z = iwordsize -> + ror x z = or (shl x y) (shru x z). +Proof. + intros. + generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. + unfold ror, or, shl, shru. apply same_bits_eq; intros. + rewrite !testbit_repr; auto. + rewrite !Z.lor_spec. rewrite orb_comm. f_equal; apply same_bits_eqm; auto. + - apply eqm_unsigned_repr_r. apply eqm_refl2. f_equal. + rewrite Z.mod_small; auto. + assert (unsigned (add y z) = zwordsize). + rewrite H1. apply unsigned_repr_wordsize. + unfold add in H5. rewrite unsigned_repr in H5. + lia. + generalize two_wordsize_max_unsigned; lia. + - apply eqm_unsigned_repr_r. apply eqm_refl2. f_equal. + apply Z.mod_small; auto. +Qed. + +(** ** Properties of [is_power2]. *) + +Remark is_power2_inv: + forall n logn, + is_power2 n = Some logn -> + Z_is_power2 (unsigned n) = Some (unsigned logn) /\ 0 <= unsigned logn < zwordsize. +Proof. + unfold is_power2; intros. + destruct (Z_is_power2 (unsigned n)) as [i|] eqn:E; inv H. + assert (0 <= i < zwordsize). + { apply Z_is_power2_range with (unsigned n). + generalize wordsize_pos; lia. + rewrite <- modulus_power. apply unsigned_range. + auto. } + rewrite unsigned_repr; auto. generalize wordsize_max_unsigned; lia. +Qed. + +Lemma is_power2_rng: + forall n logn, + is_power2 n = Some logn -> + 0 <= unsigned logn < zwordsize. +Proof. + intros. apply (is_power2_inv n logn); auto. +Qed. + +Theorem is_power2_range: + forall n logn, + is_power2 n = Some logn -> ltu logn iwordsize = true. +Proof. + intros. unfold ltu. rewrite unsigned_repr_wordsize. + apply zlt_true. generalize (is_power2_rng _ _ H). tauto. +Qed. + +Lemma is_power2_correct: + forall n logn, + is_power2 n = Some logn -> + unsigned n = two_p (unsigned logn). +Proof. + intros. apply is_power2_inv in H. destruct H as [P Q]. + apply Z_is_power2_sound in P. tauto. +Qed. + +Remark two_p_range: + forall n, + 0 <= n < zwordsize -> + 0 <= two_p n <= max_unsigned. +Proof. + intros. split. + assert (two_p n > 0). apply two_p_gt_ZERO. lia. lia. + generalize (two_p_monotone_strict _ _ H). + unfold zwordsize; rewrite <- two_power_nat_two_p. + unfold max_unsigned, modulus. lia. +Qed. + +Lemma is_power2_two_p: + forall n, 0 <= n < zwordsize -> + is_power2 (repr (two_p n)) = Some (repr n). +Proof. + intros. unfold is_power2. rewrite unsigned_repr. + rewrite Z_is_power2_complete by lia; auto. + apply two_p_range. auto. +Qed. + +(** ** Relation between bitwise operations and multiplications / divisions by powers of 2 *) + +(** Left shifts and multiplications by powers of 2. *) + +Lemma shl_mul_two_p: + forall x y, + shl x y = mul x (repr (two_p (unsigned y))). +Proof. + intros. unfold shl, mul. apply eqm_samerepr. + rewrite Zshiftl_mul_two_p. auto with ints. + generalize (unsigned_range y); lia. +Qed. + +Theorem shl_mul: + forall x y, + shl x y = mul x (shl one y). +Proof. + intros. + assert (shl one y = repr (two_p (unsigned y))). + { + rewrite shl_mul_two_p. rewrite mul_commut. rewrite mul_one. auto. + } + rewrite H. apply shl_mul_two_p. +Qed. + +Theorem mul_pow2: + forall x n logn, + is_power2 n = Some logn -> + mul x n = shl x logn. +Proof. + intros. generalize (is_power2_correct n logn H); intro. + rewrite shl_mul_two_p. rewrite <- H0. rewrite repr_unsigned. + auto. +Qed. + +Theorem shifted_or_is_add: + forall x y n, + 0 <= n < zwordsize -> + unsigned y < two_p n -> + or (shl x (repr n)) y = repr(unsigned x * two_p n + unsigned y). +Proof. + intros. rewrite <- add_is_or. + - unfold add. apply eqm_samerepr. apply eqm_add; auto with ints. + rewrite shl_mul_two_p. unfold mul. apply eqm_unsigned_repr_l. + apply eqm_mult; auto with ints. apply eqm_unsigned_repr_l. + apply eqm_refl2. rewrite unsigned_repr. auto. + generalize wordsize_max_unsigned; lia. + - bit_solve. + rewrite unsigned_repr. + destruct (zlt i n). + + auto. + + replace (testbit y i) with false. apply andb_false_r. + symmetry. unfold testbit. + assert (EQ: Z.of_nat (Z.to_nat n) = n) by (apply Z2Nat.id; lia). + apply Ztestbit_above with (Z.to_nat n). + rewrite <- EQ in H0. rewrite <- two_power_nat_two_p in H0. + generalize (unsigned_range y); lia. + rewrite EQ; auto. + + generalize wordsize_max_unsigned; lia. +Qed. + +(** Unsigned right shifts and unsigned divisions by powers of 2. *) + +Lemma shru_div_two_p: + forall x y, + shru x y = repr (unsigned x / two_p (unsigned y)). +Proof. + intros. unfold shru. + rewrite Zshiftr_div_two_p. auto. + generalize (unsigned_range y); lia. +Qed. + +Theorem divu_pow2: + forall x n logn, + is_power2 n = Some logn -> + divu x n = shru x logn. +Proof. + intros. generalize (is_power2_correct n logn H). intro. + symmetry. unfold divu. rewrite H0. apply shru_div_two_p. +Qed. + +(** Signed right shifts and signed divisions by powers of 2. *) + +Lemma shr_div_two_p: + forall x y, + shr x y = repr (signed x / two_p (unsigned y)). +Proof. + intros. unfold shr. + rewrite Zshiftr_div_two_p. auto. + generalize (unsigned_range y); lia. +Qed. + +Theorem divs_pow2: + forall x n logn, + is_power2 n = Some logn -> + divs x n = shrx x logn. +Proof. + intros. generalize (is_power2_correct _ _ H); intro. + unfold shrx. rewrite shl_mul_two_p. + rewrite mul_commut. rewrite mul_one. + rewrite <- H0. rewrite repr_unsigned. auto. +Qed. + +(** Unsigned modulus over [2^n] is masking with [2^n-1]. *) + +Theorem modu_and: + forall x n logn, + is_power2 n = Some logn -> + modu x n = and x (sub n one). +Proof. + intros. generalize (is_power2_correct _ _ H); intro. + generalize (is_power2_rng _ _ H); intro. + apply same_bits_eq; intros. + rewrite bits_and; auto. + unfold sub. rewrite testbit_repr; auto. + rewrite H0. rewrite unsigned_one. + unfold modu. rewrite testbit_repr; auto. rewrite H0. + rewrite Ztestbit_mod_two_p. rewrite Ztestbit_two_p_m1. + destruct (zlt i (unsigned logn)). + rewrite andb_true_r; auto. + rewrite andb_false_r; auto. + tauto. tauto. tauto. tauto. +Qed. + +(** ** Properties of [shrx] (signed division by a power of 2) *) + +Theorem shrx_zero: + forall x, zwordsize > 1 -> shrx x zero = x. +Proof. + intros. unfold shrx. rewrite shl_zero. unfold divs. rewrite signed_one by auto. + rewrite Z.quot_1_r. apply repr_signed. +Qed. + +Theorem shrx_shr: + forall x y, + ltu y (repr (zwordsize - 1)) = true -> + shrx x y = shr (if lt x zero then add x (sub (shl one y) one) else x) y. +Proof. + intros. + set (uy := unsigned y). + assert (0 <= uy < zwordsize - 1). + generalize (ltu_inv _ _ H). rewrite unsigned_repr. auto. + generalize wordsize_pos wordsize_max_unsigned; lia. + rewrite shr_div_two_p. unfold shrx. unfold divs. + assert (shl one y = repr (two_p uy)). + transitivity (mul one (repr (two_p uy))). + symmetry. apply mul_pow2. replace y with (repr uy). + apply is_power2_two_p. lia. apply repr_unsigned. + rewrite mul_commut. apply mul_one. + assert (two_p uy > 0). apply two_p_gt_ZERO. lia. + assert (two_p uy < half_modulus). + rewrite half_modulus_power. + apply two_p_monotone_strict. auto. + assert (two_p uy < modulus). + rewrite modulus_power. apply two_p_monotone_strict. lia. + assert (unsigned (shl one y) = two_p uy). + rewrite H1. apply unsigned_repr. unfold max_unsigned. lia. + assert (signed (shl one y) = two_p uy). + rewrite H1. apply signed_repr. + unfold max_signed. generalize min_signed_neg. lia. + rewrite H6. + rewrite Zquot_Zdiv; auto. + unfold lt. rewrite signed_zero. + destruct (zlt (signed x) 0); auto. + rewrite add_signed. + assert (signed (sub (shl one y) one) = two_p uy - 1). + unfold sub. rewrite H5. rewrite unsigned_one. + apply signed_repr. + generalize min_signed_neg. unfold max_signed. lia. + rewrite H7. rewrite signed_repr. f_equal. f_equal. lia. + generalize (signed_range x). intros. + assert (two_p uy - 1 <= max_signed). unfold max_signed. lia. lia. +Qed. + +Theorem shrx_shr_2: + forall x y, + ltu y (repr (zwordsize - 1)) = true -> + shrx x y = shr (add x (shru (shr x (repr (zwordsize - 1))) (sub iwordsize y))) y. +Proof. + intros. + rewrite shrx_shr by auto. f_equal. + rewrite shr_lt_zero. destruct (lt x zero). +- set (uy := unsigned y). + generalize (unsigned_range y); fold uy; intros. + assert (0 <= uy < zwordsize - 1). + generalize (ltu_inv _ _ H). rewrite unsigned_repr. auto. + generalize wordsize_pos wordsize_max_unsigned; lia. + assert (two_p uy < modulus). + rewrite modulus_power. apply two_p_monotone_strict. lia. + f_equal. rewrite shl_mul_two_p. fold uy. rewrite mul_commut. rewrite mul_one. + unfold sub. rewrite unsigned_one. rewrite unsigned_repr. + rewrite unsigned_repr_wordsize. fold uy. + apply same_bits_eq; intros. rewrite bits_shru by auto. + rewrite testbit_repr by auto. rewrite Ztestbit_two_p_m1 by lia. + rewrite unsigned_repr by (generalize wordsize_max_unsigned; lia). + destruct (zlt i uy). + rewrite zlt_true by lia. rewrite bits_mone by lia. auto. + rewrite zlt_false by lia. auto. + assert (two_p uy > 0) by (apply two_p_gt_ZERO; lia). unfold max_unsigned; lia. +- replace (shru zero (sub iwordsize y)) with zero. + rewrite add_zero; auto. + bit_solve. destruct (zlt (i + unsigned (sub iwordsize y)) zwordsize); auto. +Qed. + +Theorem shrx_carry: + forall x y, + ltu y (repr (zwordsize - 1)) = true -> + shrx x y = add (shr x y) (shr_carry x y). +Proof. + intros. rewrite shrx_shr; auto. unfold shr_carry. + unfold lt. set (sx := signed x). rewrite signed_zero. + destruct (zlt sx 0); simpl. + 2: rewrite add_zero; auto. + set (uy := unsigned y). + assert (0 <= uy < zwordsize - 1). + generalize (ltu_inv _ _ H). rewrite unsigned_repr. auto. + generalize wordsize_pos wordsize_max_unsigned; lia. + assert (shl one y = repr (two_p uy)). + rewrite shl_mul_two_p. rewrite mul_commut. apply mul_one. + assert (and x (sub (shl one y) one) = modu x (repr (two_p uy))). + symmetry. rewrite H1. apply modu_and with (logn := y). + rewrite is_power2_two_p. unfold uy. rewrite repr_unsigned. auto. + lia. + rewrite H2. rewrite H1. + repeat rewrite shr_div_two_p. fold sx. fold uy. + assert (two_p uy > 0). apply two_p_gt_ZERO. lia. + assert (two_p uy < modulus). + rewrite modulus_power. apply two_p_monotone_strict. lia. + assert (two_p uy < half_modulus). + rewrite half_modulus_power. + apply two_p_monotone_strict. auto. + assert (two_p uy < modulus). + rewrite modulus_power. apply two_p_monotone_strict. lia. + assert (sub (repr (two_p uy)) one = repr (two_p uy - 1)). + unfold sub. apply eqm_samerepr. apply eqm_sub. apply eqm_sym; apply eqm_unsigned_repr. + rewrite unsigned_one. apply eqm_refl. + rewrite H7. rewrite add_signed. fold sx. + rewrite (signed_repr (two_p uy - 1)). rewrite signed_repr. + unfold modu. rewrite unsigned_repr. + unfold eq. rewrite unsigned_zero. rewrite unsigned_repr. + assert (unsigned x mod two_p uy = sx mod two_p uy). + apply eqmod_mod_eq; auto. apply eqmod_divides with modulus. + fold eqm. unfold sx. apply eqm_sym. apply eqm_signed_unsigned. + unfold modulus. rewrite two_power_nat_two_p. + exists (two_p (zwordsize - uy)). rewrite <- two_p_is_exp. + f_equal. fold zwordsize; lia. lia. lia. + rewrite H8. rewrite Zdiv_shift; auto. + unfold add. apply eqm_samerepr. apply eqm_add. + apply eqm_unsigned_repr. + destruct (zeq (sx mod two_p uy) 0); simpl. + rewrite unsigned_zero. apply eqm_refl. + rewrite unsigned_one. apply eqm_refl. + generalize (Z_mod_lt (unsigned x) (two_p uy) H3). unfold max_unsigned. lia. + unfold max_unsigned; lia. + generalize (signed_range x). fold sx. intros. split. lia. unfold max_signed. lia. + generalize min_signed_neg. unfold max_signed. lia. +Qed. + +(** Connections between [shr] and [shru]. *) + +Lemma shr_shru_positive: + forall x y, + signed x >= 0 -> + shr x y = shru x y. +Proof. + intros. + rewrite shr_div_two_p. rewrite shru_div_two_p. + rewrite signed_eq_unsigned. auto. apply signed_positive. auto. +Qed. + +Lemma and_positive: + forall x y, signed y >= 0 -> signed (and x y) >= 0. +Proof. + intros. + assert (unsigned y < half_modulus). rewrite signed_positive in H. unfold max_signed in H; lia. + generalize (sign_bit_of_unsigned y). rewrite zlt_true; auto. intros A. + generalize (sign_bit_of_unsigned (and x y)). rewrite bits_and. rewrite A. + rewrite andb_false_r. unfold signed. + destruct (zlt (unsigned (and x y)) half_modulus). + intros. generalize (unsigned_range (and x y)); lia. + congruence. + generalize wordsize_pos; lia. +Qed. + +Theorem shr_and_is_shru_and: + forall x y z, + lt y zero = false -> shr (and x y) z = shru (and x y) z. +Proof. + intros. apply shr_shru_positive. apply and_positive. + unfold lt in H. rewrite signed_zero in H. destruct (zlt (signed y) 0). congruence. auto. +Qed. + +(** ** Properties of integer zero extension and sign extension. *) + +Lemma bits_zero_ext: + forall n x i, 0 <= i -> + testbit (zero_ext n x) i = if zlt i n then testbit x i else false. +Proof. + intros. unfold zero_ext. destruct (zlt i zwordsize). + rewrite testbit_repr; auto. rewrite Zzero_ext_spec. auto. auto. + rewrite !bits_above; auto. destruct (zlt i n); auto. +Qed. + +Lemma bits_sign_ext: + forall n x i, 0 <= i < zwordsize -> + testbit (sign_ext n x) i = testbit x (if zlt i n then i else n - 1). +Proof. + intros. unfold sign_ext. + rewrite testbit_repr; auto. apply Zsign_ext_spec. lia. +Qed. + +Hint Rewrite bits_zero_ext bits_sign_ext: ints. + +Theorem zero_ext_above: + forall n x, n >= zwordsize -> zero_ext n x = x. +Proof. + intros. apply same_bits_eq; intros. + rewrite bits_zero_ext. apply zlt_true. lia. lia. +Qed. + +Theorem zero_ext_below: + forall n x, n <= 0 -> zero_ext n x = zero. +Proof. + intros. bit_solve. destruct (zlt i n); auto. apply bits_below; lia. lia. +Qed. + +Theorem sign_ext_above: + forall n x, n >= zwordsize -> sign_ext n x = x. +Proof. + intros. apply same_bits_eq; intros. + unfold sign_ext; rewrite testbit_repr; auto. + rewrite Zsign_ext_spec. rewrite zlt_true. auto. lia. lia. +Qed. + +Theorem sign_ext_below: + forall n x, n <= 0 -> sign_ext n x = zero. +Proof. + intros. bit_solve. apply bits_below. destruct (zlt i n); lia. +Qed. + +Theorem zero_ext_and: + forall n x, 0 <= n -> zero_ext n x = and x (repr (two_p n - 1)). +Proof. + bit_solve. rewrite testbit_repr; auto. rewrite Ztestbit_two_p_m1; intuition. + destruct (zlt i n). + rewrite andb_true_r; auto. + rewrite andb_false_r; auto. + tauto. +Qed. + +Theorem zero_ext_mod: + forall n x, 0 <= n < zwordsize -> + unsigned (zero_ext n x) = Z.modulo (unsigned x) (two_p n). +Proof. + intros. apply equal_same_bits. intros. + rewrite Ztestbit_mod_two_p; auto. + fold (testbit (zero_ext n x) i). + destruct (zlt i zwordsize). + rewrite bits_zero_ext; auto. + rewrite bits_above. rewrite zlt_false; auto. lia. lia. + lia. +Qed. + +Theorem zero_ext_widen: + forall x n n', 0 <= n <= n' -> + zero_ext n' (zero_ext n x) = zero_ext n x. +Proof. + bit_solve. destruct (zlt i n). + apply zlt_true. lia. + destruct (zlt i n'); auto. + tauto. tauto. +Qed. + +Theorem sign_ext_widen: + forall x n n', 0 < n <= n' -> + sign_ext n' (sign_ext n x) = sign_ext n x. +Proof. + intros. destruct (zlt n' zwordsize). + bit_solve. destruct (zlt i n'). + auto. + rewrite (zlt_false _ i n). + destruct (zlt (n' - 1) n); f_equal; lia. + lia. + destruct (zlt i n'); lia. + apply sign_ext_above; auto. +Qed. + +Theorem sign_zero_ext_widen: + forall x n n', 0 <= n < n' -> + sign_ext n' (zero_ext n x) = zero_ext n x. +Proof. + intros. destruct (zlt n' zwordsize). + bit_solve. + destruct (zlt i n'). + auto. + rewrite !zlt_false. auto. lia. lia. lia. + destruct (zlt i n'); lia. + apply sign_ext_above; auto. +Qed. + +Theorem zero_ext_narrow: + forall x n n', 0 <= n <= n' -> + zero_ext n (zero_ext n' x) = zero_ext n x. +Proof. + bit_solve. destruct (zlt i n). + apply zlt_true. lia. + auto. + lia. lia. lia. +Qed. + +Theorem sign_ext_narrow: + forall x n n', 0 < n <= n' -> + sign_ext n (sign_ext n' x) = sign_ext n x. +Proof. + intros. destruct (zlt n zwordsize). + bit_solve. destruct (zlt i n); f_equal; apply zlt_true; lia. + destruct (zlt i n); lia. + rewrite (sign_ext_above n'). auto. lia. +Qed. + +Theorem zero_sign_ext_narrow: + forall x n n', 0 < n <= n' -> + zero_ext n (sign_ext n' x) = zero_ext n x. +Proof. + intros. destruct (zlt n' zwordsize). + bit_solve. + destruct (zlt i n); auto. + rewrite zlt_true; auto. lia. + lia. lia. + rewrite sign_ext_above; auto. +Qed. + +Theorem zero_ext_idem: + forall n x, 0 <= n -> zero_ext n (zero_ext n x) = zero_ext n x. +Proof. + intros. apply zero_ext_widen. lia. +Qed. + +Theorem sign_ext_idem: + forall n x, 0 < n -> sign_ext n (sign_ext n x) = sign_ext n x. +Proof. + intros. apply sign_ext_widen. lia. +Qed. + +Theorem sign_ext_zero_ext: + forall n x, 0 < n -> sign_ext n (zero_ext n x) = sign_ext n x. +Proof. + intros. destruct (zlt n zwordsize). + bit_solve. + destruct (zlt i n). + rewrite zlt_true; auto. + rewrite zlt_true; auto. lia. + destruct (zlt i n); lia. + rewrite zero_ext_above; auto. +Qed. + +Theorem zero_ext_sign_ext: + forall n x, 0 < n -> zero_ext n (sign_ext n x) = zero_ext n x. +Proof. + intros. apply zero_sign_ext_narrow. lia. +Qed. + +Theorem sign_ext_equal_if_zero_equal: + forall n x y, 0 < n -> + zero_ext n x = zero_ext n y -> + sign_ext n x = sign_ext n y. +Proof. + intros. rewrite <- (sign_ext_zero_ext n x H). + rewrite <- (sign_ext_zero_ext n y H). congruence. +Qed. + +Theorem shru_shl: + forall x y z, ltu y iwordsize = true -> ltu z iwordsize = true -> + shru (shl x y) z = + if ltu z y then shl (zero_ext (zwordsize - unsigned y) x) (sub y z) + else zero_ext (zwordsize - unsigned z) (shru x (sub z y)). +Proof. + intros. apply ltu_iwordsize_inv in H; apply ltu_iwordsize_inv in H0. + unfold ltu. set (Y := unsigned y) in *; set (Z := unsigned z) in *. + apply same_bits_eq; intros. rewrite bits_shru by auto. fold Z. + destruct (zlt Z Y). +- assert (A: unsigned (sub y z) = Y - Z). + { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } + symmetry; rewrite bits_shl, A by lia. + destruct (zlt (i + Z) zwordsize). ++ rewrite bits_shl by lia. fold Y. + destruct (zlt i (Y - Z)); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. + rewrite bits_zero_ext by lia. rewrite zlt_true by lia. f_equal; lia. ++ rewrite bits_zero_ext by lia. rewrite ! zlt_false by lia. auto. +- assert (A: unsigned (sub z y) = Z - Y). + { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } + rewrite bits_zero_ext, bits_shru, A by lia. + destruct (zlt (i + Z) zwordsize); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. + rewrite bits_shl by lia. fold Y. + destruct (zlt (i + Z) Y). ++ rewrite zlt_false by lia. auto. ++ rewrite zlt_true by lia. f_equal; lia. +Qed. + +Corollary zero_ext_shru_shl: + forall n x, + 0 < n < zwordsize -> + let y := repr (zwordsize - n) in + zero_ext n x = shru (shl x y) y. +Proof. + intros. + assert (A: unsigned y = zwordsize - n). + { unfold y. apply unsigned_repr. generalize wordsize_max_unsigned. lia. } + assert (B: ltu y iwordsize = true). + { unfold ltu; rewrite A, unsigned_repr_wordsize. apply zlt_true; lia. } + rewrite shru_shl by auto. unfold ltu; rewrite zlt_false by lia. + rewrite sub_idem, shru_zero. f_equal. rewrite A; lia. +Qed. + +Theorem shr_shl: + forall x y z, ltu y iwordsize = true -> ltu z iwordsize = true -> + shr (shl x y) z = + if ltu z y then shl (sign_ext (zwordsize - unsigned y) x) (sub y z) + else sign_ext (zwordsize - unsigned z) (shr x (sub z y)). +Proof. + intros. apply ltu_iwordsize_inv in H; apply ltu_iwordsize_inv in H0. + unfold ltu. set (Y := unsigned y) in *; set (Z := unsigned z) in *. + apply same_bits_eq; intros. rewrite bits_shr by auto. fold Z. + rewrite bits_shl by (destruct (zlt (i + Z) zwordsize); lia). fold Y. + destruct (zlt Z Y). +- assert (A: unsigned (sub y z) = Y - Z). + { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } + rewrite bits_shl, A by lia. + destruct (zlt i (Y - Z)). ++ apply zlt_true. destruct (zlt (i + Z) zwordsize); lia. ++ rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). + rewrite bits_sign_ext by lia. f_equal. + destruct (zlt (i + Z) zwordsize). + rewrite zlt_true by lia. lia. + rewrite zlt_false by lia. lia. +- assert (A: unsigned (sub z y) = Z - Y). + { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } + rewrite bits_sign_ext by lia. + rewrite bits_shr by (destruct (zlt i (zwordsize - Z)); lia). + rewrite A. rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). + f_equal. destruct (zlt i (zwordsize - Z)). ++ rewrite ! zlt_true by lia. lia. ++ rewrite ! zlt_false by lia. rewrite zlt_true by lia. lia. +Qed. + +Corollary sign_ext_shr_shl: + forall n x, + 0 < n < zwordsize -> + let y := repr (zwordsize - n) in + sign_ext n x = shr (shl x y) y. +Proof. + intros. + assert (A: unsigned y = zwordsize - n). + { unfold y. apply unsigned_repr. generalize wordsize_max_unsigned. lia. } + assert (B: ltu y iwordsize = true). + { unfold ltu; rewrite A, unsigned_repr_wordsize. apply zlt_true; lia. } + rewrite shr_shl by auto. unfold ltu; rewrite zlt_false by lia. + rewrite sub_idem, shr_zero. f_equal. rewrite A; lia. +Qed. + +(** [zero_ext n x] is the unique integer congruent to [x] modulo [2^n] + in the range [0...2^n-1]. *) + +Lemma zero_ext_range: + forall n x, 0 <= n < zwordsize -> 0 <= unsigned (zero_ext n x) < two_p n. +Proof. + intros. rewrite zero_ext_mod; auto. apply Z_mod_lt. apply two_p_gt_ZERO. lia. +Qed. + +Lemma eqmod_zero_ext: + forall n x, 0 <= n < zwordsize -> eqmod (two_p n) (unsigned (zero_ext n x)) (unsigned x). +Proof. + intros. rewrite zero_ext_mod; auto. apply eqmod_sym. apply eqmod_mod. + apply two_p_gt_ZERO. lia. +Qed. + +(** [sign_ext n x] is the unique integer congruent to [x] modulo [2^n] + in the range [-2^(n-1)...2^(n-1) - 1]. *) + +Lemma sign_ext_range: + forall n x, 0 < n < zwordsize -> -two_p (n-1) <= signed (sign_ext n x) < two_p (n-1). +Proof. + intros. rewrite sign_ext_shr_shl; auto. + set (X := shl x (repr (zwordsize - n))). + assert (two_p (n - 1) > 0) by (apply two_p_gt_ZERO; lia). + assert (unsigned (repr (zwordsize - n)) = zwordsize - n). + apply unsigned_repr. + split. lia. generalize wordsize_max_unsigned; lia. + rewrite shr_div_two_p. + rewrite signed_repr. + rewrite H1. + apply Zdiv_interval_1. + lia. lia. apply two_p_gt_ZERO; lia. + replace (- two_p (n - 1) * two_p (zwordsize - n)) + with (- (two_p (n - 1) * two_p (zwordsize - n))) by ring. + rewrite <- two_p_is_exp. + replace (n - 1 + (zwordsize - n)) with (zwordsize - 1) by lia. + rewrite <- half_modulus_power. + generalize (signed_range X). unfold min_signed, max_signed. lia. + lia. lia. + apply Zdiv_interval_2. apply signed_range. + generalize min_signed_neg; lia. + generalize max_signed_pos; lia. + rewrite H1. apply two_p_gt_ZERO. lia. +Qed. + +Lemma eqmod_sign_ext': + forall n x, 0 < n < zwordsize -> + eqmod (two_p n) (unsigned (sign_ext n x)) (unsigned x). +Proof. + intros. + set (N := Z.to_nat n). + assert (Z.of_nat N = n) by (apply Z2Nat.id; lia). + rewrite <- H0. rewrite <- two_power_nat_two_p. + apply eqmod_same_bits; intros. + rewrite H0 in H1. rewrite H0. + fold (testbit (sign_ext n x) i). rewrite bits_sign_ext. + rewrite zlt_true. auto. lia. lia. +Qed. + +Lemma eqmod_sign_ext: + forall n x, 0 < n < zwordsize -> + eqmod (two_p n) (signed (sign_ext n x)) (unsigned x). +Proof. + intros. apply eqmod_trans with (unsigned (sign_ext n x)). + apply eqmod_divides with modulus. apply eqm_signed_unsigned. + exists (two_p (zwordsize - n)). + unfold modulus. rewrite two_power_nat_two_p. fold zwordsize. + rewrite <- two_p_is_exp. f_equal. lia. lia. lia. + apply eqmod_sign_ext'; auto. +Qed. + +(** Combinations of shifts and zero/sign extensions *) + +Lemma shl_zero_ext: + forall n m x, 0 <= n -> + shl (zero_ext n x) m = zero_ext (n + unsigned m) (shl x m). +Proof. + intros. apply same_bits_eq; intros. + rewrite bits_zero_ext, ! bits_shl by lia. + destruct (zlt i (unsigned m)). +- rewrite zlt_true by lia; auto. +- rewrite bits_zero_ext by lia. + destruct (zlt (i - unsigned m) n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. +Qed. + +Lemma shl_sign_ext: + forall n m x, 0 < n -> + shl (sign_ext n x) m = sign_ext (n + unsigned m) (shl x m). +Proof. + intros. generalize (unsigned_range m); intros. + apply same_bits_eq; intros. + rewrite bits_sign_ext, ! bits_shl by lia. + destruct (zlt i (n + unsigned m)). +- rewrite bits_shl by auto. destruct (zlt i (unsigned m)); auto. + rewrite bits_sign_ext by lia. f_equal. apply zlt_true. lia. +- rewrite zlt_false by lia. rewrite bits_shl by lia. rewrite zlt_false by lia. + rewrite bits_sign_ext by lia. f_equal. rewrite zlt_false by lia. lia. +Qed. + +Lemma shru_zero_ext: + forall n m x, 0 <= n -> + shru (zero_ext (n + unsigned m) x) m = zero_ext n (shru x m). +Proof. + intros. bit_solve. +- destruct (zlt (i + unsigned m) zwordsize). +* destruct (zlt i n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. +* destruct (zlt i n); auto. +- generalize (unsigned_range m); lia. +- lia. +Qed. + +Lemma shru_zero_ext_0: + forall n m x, n <= unsigned m -> + shru (zero_ext n x) m = zero. +Proof. + intros. bit_solve. +- destruct (zlt (i + unsigned m) zwordsize); auto. + apply zlt_false. lia. +- generalize (unsigned_range m); lia. +Qed. + +Lemma shr_sign_ext: + forall n m x, 0 < n -> n + unsigned m < zwordsize -> + shr (sign_ext (n + unsigned m) x) m = sign_ext n (shr x m). +Proof. + intros. generalize (unsigned_range m); intros. + apply same_bits_eq; intros. + rewrite bits_sign_ext, bits_shr by auto. + rewrite bits_sign_ext, bits_shr. +- f_equal. + destruct (zlt i n), (zlt (i + unsigned m) zwordsize). ++ apply zlt_true; lia. ++ apply zlt_true; lia. ++ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. ++ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. +- destruct (zlt i n); lia. +- destruct (zlt (i + unsigned m) zwordsize); lia. +Qed. + +Lemma zero_ext_shru_min: + forall s x n, ltu n iwordsize = true -> + zero_ext s (shru x n) = zero_ext (Z.min s (zwordsize - unsigned n)) (shru x n). +Proof. + intros. apply ltu_iwordsize_inv in H. + apply Z.min_case_strong; intros; auto. + bit_solve; try lia. + destruct (zlt i (zwordsize - unsigned n)). + rewrite zlt_true by lia. auto. + destruct (zlt i s); auto. rewrite zlt_false by lia; auto. +Qed. + +Lemma sign_ext_shr_min: + forall s x n, ltu n iwordsize = true -> + sign_ext s (shr x n) = sign_ext (Z.min s (zwordsize - unsigned n)) (shr x n). +Proof. + intros. apply ltu_iwordsize_inv in H. + rewrite Z.min_comm. + destruct (Z.min_spec (zwordsize - unsigned n) s) as [[A B] | [A B]]; rewrite B; auto. + apply same_bits_eq; intros. rewrite ! bits_sign_ext by auto. + destruct (zlt i (zwordsize - unsigned n)). + rewrite zlt_true by lia. auto. + assert (C: testbit (shr x n) (zwordsize - unsigned n - 1) = testbit x (zwordsize - 1)). + { rewrite bits_shr by lia. rewrite zlt_true by lia. f_equal; lia. } + rewrite C. destruct (zlt i s); rewrite bits_shr by lia. + rewrite zlt_false by lia. auto. + rewrite zlt_false by lia. auto. +Qed. + +Lemma shl_zero_ext_min: + forall s x n, ltu n iwordsize = true -> + shl (zero_ext s x) n = shl (zero_ext (Z.min s (zwordsize - unsigned n)) x) n. +Proof. + intros. apply ltu_iwordsize_inv in H. + apply Z.min_case_strong; intros; auto. + apply same_bits_eq; intros. rewrite ! bits_shl by auto. + destruct (zlt i (unsigned n)); auto. + rewrite ! bits_zero_ext by lia. + destruct (zlt (i - unsigned n) s). + rewrite zlt_true by lia; auto. + rewrite zlt_false by lia; auto. +Qed. + +Lemma shl_sign_ext_min: + forall s x n, ltu n iwordsize = true -> + shl (sign_ext s x) n = shl (sign_ext (Z.min s (zwordsize - unsigned n)) x) n. +Proof. + intros. apply ltu_iwordsize_inv in H. + rewrite Z.min_comm. + destruct (Z.min_spec (zwordsize - unsigned n) s) as [[A B] | [A B]]; rewrite B; auto. + apply same_bits_eq; intros. rewrite ! bits_shl by auto. + destruct (zlt i (unsigned n)); auto. + rewrite ! bits_sign_ext by lia. f_equal. + destruct (zlt (i - unsigned n) s). + rewrite zlt_true by lia; auto. + extlia. +Qed. + +(** ** Properties of [one_bits] (decomposition in sum of powers of two) *) + +Theorem one_bits_range: + forall x i, In i (one_bits x) -> ltu i iwordsize = true. +Proof. + assert (A: forall p, 0 <= p < zwordsize -> ltu (repr p) iwordsize = true). + intros. unfold ltu, iwordsize. apply zlt_true. + repeat rewrite unsigned_repr. tauto. + generalize wordsize_max_unsigned; lia. + generalize wordsize_max_unsigned; lia. + unfold one_bits. intros. + destruct (list_in_map_inv _ _ _ H) as [i0 [EQ IN]]. + subst i. apply A. apply Z_one_bits_range with (unsigned x); auto. +Qed. + +Fixpoint int_of_one_bits (l: list int) : int := + match l with + | nil => zero + | a :: b => add (shl one a) (int_of_one_bits b) + end. + +Theorem one_bits_decomp: + forall x, x = int_of_one_bits (one_bits x). +Proof. + intros. + transitivity (repr (powerserie (Z_one_bits wordsize (unsigned x) 0))). + transitivity (repr (unsigned x)). + auto with ints. decEq. apply Z_one_bits_powerserie. + auto with ints. + unfold one_bits. + generalize (Z_one_bits_range wordsize (unsigned x)). + generalize (Z_one_bits wordsize (unsigned x) 0). + induction l. + intros; reflexivity. + intros; simpl. rewrite <- IHl. unfold add. apply eqm_samerepr. + apply eqm_add. rewrite shl_mul_two_p. rewrite mul_commut. + rewrite mul_one. apply eqm_unsigned_repr_r. + rewrite unsigned_repr. auto with ints. + generalize (H a (in_eq _ _)). change (Z.of_nat wordsize) with zwordsize. + generalize wordsize_max_unsigned. lia. + auto with ints. + intros; apply H; auto with coqlib. +Qed. + +(** ** Properties of comparisons *) + +Theorem negate_cmp: + forall c x y, cmp (negate_comparison c) x y = negb (cmp c x y). +Proof. + intros. destruct c; simpl; try rewrite negb_elim; auto. +Qed. + +Theorem negate_cmpu: + forall c x y, cmpu (negate_comparison c) x y = negb (cmpu c x y). +Proof. + intros. destruct c; simpl; try rewrite negb_elim; auto. +Qed. + +Theorem swap_cmp: + forall c x y, cmp (swap_comparison c) x y = cmp c y x. +Proof. + intros. destruct c; simpl; auto. apply eq_sym. decEq. apply eq_sym. +Qed. + +Theorem swap_cmpu: + forall c x y, cmpu (swap_comparison c) x y = cmpu c y x. +Proof. + intros. destruct c; simpl; auto. apply eq_sym. decEq. apply eq_sym. +Qed. + +Lemma translate_eq: + forall x y d, + eq (add x d) (add y d) = eq x y. +Proof. + intros. unfold eq. case (zeq (unsigned x) (unsigned y)); intro. + unfold add. rewrite e. apply zeq_true. + apply zeq_false. unfold add. red; intro. apply n. + apply eqm_small_eq; auto with ints. + replace (unsigned x) with ((unsigned x + unsigned d) - unsigned d). + replace (unsigned y) with ((unsigned y + unsigned d) - unsigned d). + apply eqm_sub. apply eqm_trans with (unsigned (repr (unsigned x + unsigned d))). + eauto with ints. apply eqm_trans with (unsigned (repr (unsigned y + unsigned d))). + eauto with ints. eauto with ints. eauto with ints. + lia. lia. +Qed. + +Lemma translate_ltu: + forall x y d, + 0 <= unsigned x + unsigned d <= max_unsigned -> + 0 <= unsigned y + unsigned d <= max_unsigned -> + ltu (add x d) (add y d) = ltu x y. +Proof. + intros. unfold add. unfold ltu. + repeat rewrite unsigned_repr; auto. case (zlt (unsigned x) (unsigned y)); intro. + apply zlt_true. lia. + apply zlt_false. lia. +Qed. + +Theorem translate_cmpu: + forall c x y d, + 0 <= unsigned x + unsigned d <= max_unsigned -> + 0 <= unsigned y + unsigned d <= max_unsigned -> + cmpu c (add x d) (add y d) = cmpu c x y. +Proof. + intros. unfold cmpu. + rewrite translate_eq. repeat rewrite translate_ltu; auto. +Qed. + +Lemma translate_lt: + forall x y d, + min_signed <= signed x + signed d <= max_signed -> + min_signed <= signed y + signed d <= max_signed -> + lt (add x d) (add y d) = lt x y. +Proof. + intros. repeat rewrite add_signed. unfold lt. + repeat rewrite signed_repr; auto. case (zlt (signed x) (signed y)); intro. + apply zlt_true. lia. + apply zlt_false. lia. +Qed. + +Theorem translate_cmp: + forall c x y d, + min_signed <= signed x + signed d <= max_signed -> + min_signed <= signed y + signed d <= max_signed -> + cmp c (add x d) (add y d) = cmp c x y. +Proof. + intros. unfold cmp. + rewrite translate_eq. repeat rewrite translate_lt; auto. +Qed. + +Theorem notbool_isfalse_istrue: + forall x, is_false x -> is_true (notbool x). +Proof. + unfold is_false, is_true, notbool; intros; subst x. + rewrite eq_true. apply one_not_zero. +Qed. + +Theorem notbool_istrue_isfalse: + forall x, is_true x -> is_false (notbool x). +Proof. + unfold is_false, is_true, notbool; intros. + generalize (eq_spec x zero). case (eq x zero); intro. + contradiction. auto. +Qed. + +Theorem ltu_range_test: + forall x y, + ltu x y = true -> unsigned y <= max_signed -> + 0 <= signed x < unsigned y. +Proof. + intros. + unfold ltu in H. destruct (zlt (unsigned x) (unsigned y)); try discriminate. + rewrite signed_eq_unsigned. + generalize (unsigned_range x). lia. lia. +Qed. + +Theorem lt_sub_overflow: + forall x y, + xor (sub_overflow x y zero) (negative (sub x y)) = if lt x y then one else zero. +Proof. + intros. unfold negative, sub_overflow, lt. rewrite sub_signed. + rewrite signed_zero. rewrite Z.sub_0_r. + generalize (signed_range x) (signed_range y). + set (X := signed x); set (Y := signed y). intros RX RY. + unfold min_signed, max_signed in *. + generalize half_modulus_pos half_modulus_modulus; intros HM MM. + destruct (zle 0 (X - Y)). +- unfold proj_sumbool at 1; rewrite zle_true at 1 by lia. simpl. + rewrite (zlt_false _ X) by lia. + destruct (zlt (X - Y) half_modulus). + + unfold proj_sumbool; rewrite zle_true by lia. + rewrite signed_repr. rewrite zlt_false by lia. apply xor_idem. + unfold min_signed, max_signed; lia. + + unfold proj_sumbool; rewrite zle_false by lia. + replace (signed (repr (X - Y))) with (X - Y - modulus). + rewrite zlt_true by lia. apply xor_idem. + rewrite signed_repr_eq. replace ((X - Y) mod modulus) with (X - Y). + rewrite zlt_false; auto. + symmetry. apply Zmod_unique with 0; lia. +- unfold proj_sumbool at 2. rewrite zle_true at 1 by lia. rewrite andb_true_r. + rewrite (zlt_true _ X) by lia. + destruct (zlt (X - Y) (-half_modulus)). + + unfold proj_sumbool; rewrite zle_false by lia. + replace (signed (repr (X - Y))) with (X - Y + modulus). + rewrite zlt_false by lia. apply xor_zero. + rewrite signed_repr_eq. replace ((X - Y) mod modulus) with (X - Y + modulus). + rewrite zlt_true by lia; auto. + symmetry. apply Zmod_unique with (-1); lia. + + unfold proj_sumbool; rewrite zle_true by lia. + rewrite signed_repr. rewrite zlt_true by lia. apply xor_zero_l. + unfold min_signed, max_signed; lia. +Qed. + +Lemma signed_eq: + forall x y, eq x y = zeq (signed x) (signed y). +Proof. + intros. unfold eq. unfold proj_sumbool. + destruct (zeq (unsigned x) (unsigned y)); + destruct (zeq (signed x) (signed y)); auto. + elim n. unfold signed. rewrite e; auto. + elim n. apply eqm_small_eq; auto with ints. + eapply eqm_trans. apply eqm_sym. apply eqm_signed_unsigned. + rewrite e. apply eqm_signed_unsigned. +Qed. + +Lemma not_lt: + forall x y, negb (lt y x) = (lt x y || eq x y). +Proof. + intros. unfold lt. rewrite signed_eq. unfold proj_sumbool. + destruct (zlt (signed y) (signed x)). + rewrite zlt_false. rewrite zeq_false. auto. lia. lia. + destruct (zeq (signed x) (signed y)). + rewrite zlt_false. auto. lia. + rewrite zlt_true. auto. lia. +Qed. + +Lemma lt_not: + forall x y, lt y x = negb (lt x y) && negb (eq x y). +Proof. + intros. rewrite <- negb_orb. rewrite <- not_lt. rewrite negb_involutive. auto. +Qed. + +Lemma not_ltu: + forall x y, negb (ltu y x) = (ltu x y || eq x y). +Proof. + intros. unfold ltu, eq. + destruct (zlt (unsigned y) (unsigned x)). + rewrite zlt_false. rewrite zeq_false. auto. lia. lia. + destruct (zeq (unsigned x) (unsigned y)). + rewrite zlt_false. auto. lia. + rewrite zlt_true. auto. lia. +Qed. + +Lemma ltu_not: + forall x y, ltu y x = negb (ltu x y) && negb (eq x y). +Proof. + intros. rewrite <- negb_orb. rewrite <- not_ltu. rewrite negb_involutive. auto. +Qed. + +(** ** Non-overlapping test *) + +Definition no_overlap (ofs1: int) (sz1: Z) (ofs2: int) (sz2: Z) : bool := + let x1 := unsigned ofs1 in let x2 := unsigned ofs2 in + zlt (x1 + sz1) modulus && zlt (x2 + sz2) modulus + && (zle (x1 + sz1) x2 || zle (x2 + sz2) x1). + +Lemma no_overlap_sound: + forall ofs1 sz1 ofs2 sz2 base, + sz1 > 0 -> sz2 > 0 -> no_overlap ofs1 sz1 ofs2 sz2 = true -> + unsigned (add base ofs1) + sz1 <= unsigned (add base ofs2) + \/ unsigned (add base ofs2) + sz2 <= unsigned (add base ofs1). +Proof. + intros. + destruct (andb_prop _ _ H1). clear H1. + destruct (andb_prop _ _ H2). clear H2. + apply proj_sumbool_true in H1. + apply proj_sumbool_true in H4. + assert (unsigned ofs1 + sz1 <= unsigned ofs2 \/ unsigned ofs2 + sz2 <= unsigned ofs1). + destruct (orb_prop _ _ H3). left. eapply proj_sumbool_true; eauto. right. eapply proj_sumbool_true; eauto. + clear H3. + generalize (unsigned_range ofs1) (unsigned_range ofs2). intros P Q. + generalize (unsigned_add_either base ofs1) (unsigned_add_either base ofs2). + intros [C|C] [D|D]; lia. +Qed. + +(** ** Size of integers, in bits. *) + +Definition size (x: int) : Z := Zsize (unsigned x). + +Theorem size_zero: size zero = 0. +Proof. + unfold size; rewrite unsigned_zero; auto. +Qed. + +Theorem bits_size_1: + forall x, x = zero \/ testbit x (Z.pred (size x)) = true. +Proof. + intros. destruct (zeq (unsigned x) 0). + left. rewrite <- (repr_unsigned x). rewrite e; auto. + right. apply Ztestbit_size_1. generalize (unsigned_range x); lia. +Qed. + +Theorem bits_size_2: + forall x i, size x <= i -> testbit x i = false. +Proof. + intros. apply Ztestbit_size_2. generalize (unsigned_range x); lia. + fold (size x); lia. +Qed. + +Theorem size_range: + forall x, 0 <= size x <= zwordsize. +Proof. + intros; split. apply Zsize_pos. + destruct (bits_size_1 x). + subst x; unfold size; rewrite unsigned_zero; simpl. generalize wordsize_pos; lia. + destruct (zle (size x) zwordsize); auto. + rewrite bits_above in H. congruence. lia. +Qed. + +Theorem bits_size_3: + forall x n, + 0 <= n -> + (forall i, n <= i < zwordsize -> testbit x i = false) -> + size x <= n. +Proof. + intros. destruct (zle (size x) n). auto. + destruct (bits_size_1 x). + subst x. unfold size; rewrite unsigned_zero; assumption. + rewrite (H0 (Z.pred (size x))) in H1. congruence. + generalize (size_range x); lia. +Qed. + +Theorem bits_size_4: + forall x n, + 0 <= n -> + testbit x (Z.pred n) = true -> + (forall i, n <= i < zwordsize -> testbit x i = false) -> + size x = n. +Proof. + intros. + assert (size x <= n). + apply bits_size_3; auto. + destruct (zlt (size x) n). + rewrite bits_size_2 in H0. congruence. lia. + lia. +Qed. + +Theorem size_interval_1: + forall x, 0 <= unsigned x < two_p (size x). +Proof. + intros; apply Zsize_interval_1. generalize (unsigned_range x); lia. +Qed. + +Theorem size_interval_2: + forall x n, 0 <= n -> 0 <= unsigned x < two_p n -> n >= size x. +Proof. + intros. apply Zsize_interval_2; auto. +Qed. + +Theorem size_and: + forall a b, size (and a b) <= Z.min (size a) (size b). +Proof. + intros. + assert (0 <= Z.min (size a) (size b)). + generalize (size_range a) (size_range b). zify; lia. + apply bits_size_3. auto. intros. + rewrite bits_and by lia. + rewrite andb_false_iff. + generalize (bits_size_2 a i). + generalize (bits_size_2 b i). + zify; intuition. +Qed. + +Corollary and_interval: + forall a b, 0 <= unsigned (and a b) < two_p (Z.min (size a) (size b)). +Proof. + intros. + generalize (size_interval_1 (and a b)); intros. + assert (two_p (size (and a b)) <= two_p (Z.min (size a) (size b))). + apply two_p_monotone. split. generalize (size_range (and a b)); lia. + apply size_and. + lia. +Qed. + +Theorem size_or: + forall a b, size (or a b) = Z.max (size a) (size b). +Proof. + intros. generalize (size_range a) (size_range b); intros. + destruct (bits_size_1 a). + subst a. rewrite size_zero. rewrite or_zero_l. zify; lia. + destruct (bits_size_1 b). + subst b. rewrite size_zero. rewrite or_zero. zify; lia. + zify. destruct H3 as [[P Q] | [P Q]]; subst. + apply bits_size_4. tauto. rewrite bits_or. rewrite H2. apply orb_true_r. + lia. + intros. rewrite bits_or. rewrite !bits_size_2. auto. lia. lia. lia. + apply bits_size_4. tauto. rewrite bits_or. rewrite H1. apply orb_true_l. + destruct (zeq (size a) 0). unfold testbit in H1. rewrite Z.testbit_neg_r in H1. + congruence. lia. lia. + intros. rewrite bits_or. rewrite !bits_size_2. auto. lia. lia. lia. +Qed. + +Corollary or_interval: + forall a b, 0 <= unsigned (or a b) < two_p (Z.max (size a) (size b)). +Proof. + intros. rewrite <- size_or. apply size_interval_1. +Qed. + +Theorem size_xor: + forall a b, size (xor a b) <= Z.max (size a) (size b). +Proof. + intros. + assert (0 <= Z.max (size a) (size b)). + generalize (size_range a) (size_range b). zify; lia. + apply bits_size_3. auto. intros. + rewrite bits_xor. rewrite !bits_size_2. auto. + zify; lia. + zify; lia. + lia. +Qed. + +Corollary xor_interval: + forall a b, 0 <= unsigned (xor a b) < two_p (Z.max (size a) (size b)). +Proof. + intros. + generalize (size_interval_1 (xor a b)); intros. + assert (two_p (size (xor a b)) <= two_p (Z.max (size a) (size b))). + apply two_p_monotone. split. generalize (size_range (xor a b)); lia. + apply size_xor. + lia. +Qed. + +End Make. + +(** * Specialization to integers of size 8, 32, and 64 bits *) + +(* Module Wordsize_32. + Definition wordsize := 32%nat. + Remark wordsize_not_zero: wordsize <> 0%nat. + Proof. unfold wordsize; congruence. Qed. +End Wordsize_32. *) + + + +Section Int32. + Let wordsize32 := 32%nat. + Let wordsize_not_zero: wordsize32 <> 0%nat. + Proof. unfold wordsize32; congruence. Qed. + Instance WORDSIZE32 : WORDSIZE := { + wordsize := wordsize32; + wordsize_not_zero := wordsize_not_zero + }. + + Definition int32 := @int WORDSIZE32. + + Remark int_wordsize_divides_modulus: + Z.divide (Z.of_nat wordsize) modulus. + Proof. + exists (two_p (32-5)); reflexivity. + Qed. + +End Int32. + +Section Int8. + Let wordsize8 := 8%nat. + Let wordsize_not_zero: wordsize8 <> 0%nat. + Proof. unfold wordsize8; congruence. Qed. + Instance WORDSIZE8 : WORDSIZE := { + wordsize := wordsize8; + wordsize_not_zero := wordsize_not_zero + }. + Definition int8 := @int WORDSIZE8. + +End Int8. + +Section Int16. + Let wordsize16 := 16%nat. + Let wordsize_not_zero: wordsize16 <> 0%nat. + Proof. unfold wordsize16; congruence. Qed. + Instance WORDSIZE16 : WORDSIZE := { + wordsize := wordsize16; + wordsize_not_zero := wordsize_not_zero + }. + Definition int16 := @int WORDSIZE16. + +End Int16. + +Section Int64. + Let wordsize64 := 64%nat. + Let wordsize_not_zero: wordsize64 <> 0%nat. + Proof. unfold wordsize64; congruence. Qed. + Instance WORDSIZE64 : WORDSIZE := { + wordsize := wordsize64; + wordsize_not_zero := wordsize_not_zero + }. + + Definition int64 := @int WORDSIZE64. +End Int64. + + +Section Int128. + Let wordsize128 := 128%nat. + Let wordsize_not_zero: wordsize128 <> 0%nat. + Proof. unfold wordsize128; congruence. Qed. + Instance WORDSIZE128 : WORDSIZE := { + wordsize := wordsize128; + wordsize_not_zero := wordsize_not_zero + }. + + Definition int128 := @int WORDSIZE128. + +End Int128. + +(** Shifts with amount given as a 32-bit integer *) + +Section Shift64With32Bit. + +Existing Instance WORDSIZE64. + +Definition iwordsize': int32 := repr (@zwordsize WORDSIZE64). + +Definition shl' (x: int64) (y: int32): int64 := + repr (Z.shiftl (unsigned x) (@unsigned WORDSIZE32 y)). +Definition shru' (x: int64) (y: int32): int64 := + repr (Z.shiftr (unsigned x) (@unsigned WORDSIZE32 y)). +Definition shr' (x: int64) (y: int32): int64 := + repr (Z.shiftr (signed x) (@unsigned WORDSIZE32 y)). +Definition rol' (x: int64) (y: int32): int64 := + rol x (repr (@unsigned WORDSIZE32 y)). +Definition shrx' (x: int64) (y: int32): int64 := + divs x (shl' one y). +Definition shr_carry' (x: int64) (y: int32): int64 := + if lt x zero && negb (eq (and x (sub (shl' one y) one)) zero) + then one else zero. + +Lemma bits_shl': + forall x y i, + 0 <= i < zwordsize -> + testbit (shl' x y) i = + if zlt i (@unsigned WORDSIZE32 y) then false else testbit x (i - @unsigned WORDSIZE32 y). +Proof. + intros. unfold shl'. rewrite testbit_repr; auto. + destruct (zlt i (@unsigned WORDSIZE32 y)). + apply Z.shiftl_spec_low. auto. + apply Z.shiftl_spec_high. lia. lia. +Qed. + +Lemma bits_shru': + forall x y i, + 0 <= i < zwordsize -> + testbit (shru' x y) i = + if zlt (i + @unsigned WORDSIZE32 y) zwordsize then testbit x (i + @unsigned WORDSIZE32 y) else false. +Proof. + intros. unfold shru'. rewrite testbit_repr; auto. + rewrite Z.shiftr_spec. fold (testbit x (i + @unsigned WORDSIZE32 y)). + destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). + auto. + apply bits_above; auto. + lia. +Qed. + +Lemma bits_shr': + forall x y i, + 0 <= i < zwordsize -> + testbit (shr' x y) i = + testbit x (if zlt (i + @unsigned WORDSIZE32 y) zwordsize then i + @unsigned WORDSIZE32 y else zwordsize - 1). +Proof. + intros. unfold shr'. rewrite testbit_repr; auto. + rewrite Z.shiftr_spec. apply bits_signed. + generalize (@unsigned_range WORDSIZE32 y); lia. + lia. +Qed. + +Lemma shl'_mul_two_p: + forall x y, + shl' x y = mul x (repr (two_p (@unsigned WORDSIZE32 y))). +Proof. + intros. unfold shl', mul. apply eqm_samerepr. + rewrite Zshiftl_mul_two_p. apply eqm_mult. apply eqm_refl. apply eqm_unsigned_repr. + generalize (@unsigned_range WORDSIZE32 y); lia. +Qed. + +Lemma shl'_one_two_p: + forall y, shl' one y = repr (two_p (@unsigned WORDSIZE32 y)). +Proof. + intros. rewrite shl'_mul_two_p. rewrite mul_commut. rewrite mul_one. auto. +Qed. + +Theorem shl'_mul: + forall x y, + shl' x y = mul x (shl' one y). +Proof. + intros. rewrite shl'_one_two_p. apply shl'_mul_two_p. +Qed. + +Theorem shl'_zero: + forall x, shl' x (@zero WORDSIZE32) = x. +Proof. + intros. unfold shl'. rewrite (@unsigned_zero WORDSIZE32). unfold Z.shiftl. + apply repr_unsigned. +Qed. + +Theorem shru'_zero : + forall x, shru' x (@zero WORDSIZE32) = x. +Proof. + intros. unfold shru'. rewrite (@unsigned_zero WORDSIZE32). unfold Z.shiftr. + apply repr_unsigned. +Qed. + +Theorem shr'_zero : + forall x, shr' x (@zero WORDSIZE32) = x. +Proof. + intros. unfold shr'. rewrite (@unsigned_zero WORDSIZE32). unfold Z.shiftr. + apply repr_signed. +Qed. + +Theorem shrx'_zero: + forall x, shrx' x (@zero WORDSIZE32) = x. +Proof. + intros. change (shrx' x (@zero WORDSIZE32)) with (shrx x zero). apply shrx_zero. compute; auto. +Qed. + +Theorem shrx'_carry: + forall x y, + @ltu WORDSIZE32 y (@repr WORDSIZE32 63) = true -> + shrx' x y = add (shr' x y) (shr_carry' x y). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 (@repr WORDSIZE32 63)) with 63 in H. + set (y1 := repr (@unsigned WORDSIZE32 y)). + assert (U: unsigned y1 = @unsigned WORDSIZE32 y). + { apply unsigned_repr. assert (63 < max_unsigned) by reflexivity. lia. } + transitivity (shrx x y1). +- unfold shrx', shrx, shl', shl. rewrite U; auto. +- rewrite shrx_carry. ++ f_equal. + unfold shr, shr'. rewrite U; auto. + unfold shr_carry, shr_carry', shl, shl'. rewrite U; auto. ++ unfold ltu. apply zlt_true. rewrite U; tauto. +Qed. + +Theorem shrx'_shr_2: + forall x y, + @ltu WORDSIZE32 y (@repr WORDSIZE32 63) = true -> + shrx' x y = shr' (add x (shru' (shr' x (@repr WORDSIZE32 63)) (@sub WORDSIZE32 (@repr WORDSIZE32 64) y))) y. +Proof. + intros. + set (z := repr (@unsigned WORDSIZE32 y)). + apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 (@repr WORDSIZE32 63)) with 63 in H. + assert (N1: 63 < max_unsigned) by reflexivity. + assert (N2: 63 < @max_unsigned WORDSIZE32) by reflexivity. + assert (A: unsigned z = @unsigned WORDSIZE32 y). + { unfold z; apply unsigned_repr; lia. } + assert (B: unsigned (sub (repr 64) z) = @unsigned WORDSIZE32 (@sub WORDSIZE32 (@repr WORDSIZE32 64) y)). + { unfold z. unfold sub. + change (unsigned (repr 64)) with 64. + change (@unsigned WORDSIZE32 (@repr WORDSIZE32 64)) with 64. + rewrite (unsigned_repr (@unsigned WORDSIZE32 y)) by lia. + rewrite unsigned_repr by lia. rewrite (@unsigned_repr WORDSIZE32) by lia. + reflexivity. + } + unfold shrx', shr', shru', shl'. + rewrite <- A. + change (@unsigned WORDSIZE32 (@repr WORDSIZE32 63)) with (unsigned (repr 63)). + rewrite <- B. + apply (@shrx_shr_2 WORDSIZE64). + unfold ltu. apply zlt_true. change (unsigned z < 63). rewrite A; lia. +Qed. +(* +Remark int_ltu_2_inv: + forall y z, + @ltu WORDSIZE32 y iwordsize' = true -> + @ltu WORDSIZE32 z iwordsize' = true -> + @unsigned WORDSIZE32 (Int.add y z) <= @unsigned WORDSIZE32 iwordsize' -> + let y' := repr (@unsigned WORDSIZE32 y) in + let z' := repr (@unsigned WORDSIZE32 z) in + @unsigned WORDSIZE32 y = unsigned y' + /\ @unsigned WORDSIZE32 z = unsigned z' + /\ ltu y' iwordsize = true + /\ ltu z' iwordsize = true + /\ @unsigned WORDSIZE32 (Int.add y z) = unsigned (add y' z') + /\ add y' z' = repr (@unsigned WORDSIZE32 (Int.add y z)). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H. apply (@ltu_inv WORDSIZE32) in H0. + change (@unsigned WORDSIZE32 iwordsize') with 64 in *. + assert (128 < max_unsigned) by reflexivity. + assert (128 < @max_unsigned WORDSIZE32) by reflexivity. + assert (Y: unsigned y' = @unsigned WORDSIZE32 y) by (apply unsigned_repr; lia). + assert (Z: unsigned z' = @unsigned WORDSIZE32 z) by (apply unsigned_repr; lia). + assert (P: @unsigned WORDSIZE32 (Int.add y z) = unsigned (add y' z')). + { unfold Int.add. rewrite @unsigned WORDSIZE32_repr by lia. + unfold add. rewrite unsigned_repr by lia. congruence. } + intuition auto. + apply zlt_true. rewrite Y; auto. + apply zlt_true. rewrite Z; auto. + rewrite P. rewrite repr_unsigned. auto. +Qed. + +Theorem or_ror': + forall x y z, + @ltu WORDSIZE32 y iwordsize' = true -> + @ltu WORDSIZE32 z iwordsize' = true -> + Int.add y z = iwordsize' -> + ror x (repr (@unsigned WORDSIZE32 z)) = or (shl' x y) (shru' x z). +Proof. + intros. destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. rewrite H1; lia. + replace (shl' x y) with (shl x (repr (@unsigned WORDSIZE32 y))). + replace (shru' x z) with (shru x (repr (@unsigned WORDSIZE32 z))). + apply or_ror; auto. rewrite F, H1. reflexivity. + unfold shru, shru'; rewrite <- B; auto. + unfold shl, shl'; rewrite <- A; auto. +Qed. + +Theorem shl'_shl': + forall x y z, + @ltu WORDSIZE32 y iwordsize' = true -> + @ltu WORDSIZE32 z iwordsize' = true -> + @ltu WORDSIZE32 (Int.add y z) iwordsize' = true -> + shl' (shl' x y) z = shl' x (Int.add y z). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H1. + destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. lia. + set (y' := repr (@unsigned WORDSIZE32 y)) in *. + set (z' := repr (@unsigned WORDSIZE32 z)) in *. + replace (shl' x y) with (shl x y'). + replace (shl' (shl x y') z) with (shl (shl x y') z'). + replace (shl' x (Int.add y z)) with (shl x (add y' z')). + apply shl_shl; auto. apply zlt_true. rewrite <- E. + change (unsigned iwordsize) with zwordsize. tauto. + unfold shl, shl'. rewrite E; auto. + unfold shl at 1, shl'. rewrite <- B; auto. + unfold shl, shl'; rewrite <- A; auto. +Qed. + +Theorem shru'_shru': + forall x y z, + @ltu WORDSIZE32 y iwordsize' = true -> + @ltu WORDSIZE32 z iwordsize' = true -> + @ltu WORDSIZE32 (Int.add y z) iwordsize' = true -> + shru' (shru' x y) z = shru' x (Int.add y z). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H1. + destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. lia. + set (y' := repr (@unsigned WORDSIZE32 y)) in *. + set (z' := repr (@unsigned WORDSIZE32 z)) in *. + replace (shru' x y) with (shru x y'). + replace (shru' (shru x y') z) with (shru (shru x y') z'). + replace (shru' x (Int.add y z)) with (shru x (add y' z')). + apply shru_shru; auto. apply zlt_true. rewrite <- E. + change (unsigned iwordsize) with zwordsize. tauto. + unfold shru, shru'. rewrite E; auto. + unfold shru at 1, shru'. rewrite <- B; auto. + unfold shru, shru'; rewrite <- A; auto. +Qed. + +Theorem shr'_shr': + forall x y z, + @ltu WORDSIZE32 y iwordsize' = true -> + @ltu WORDSIZE32 z iwordsize' = true -> + @ltu WORDSIZE32 (Int.add y z) iwordsize' = true -> + shr' (shr' x y) z = shr' x (Int.add y z). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H1. + destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. lia. + set (y' := repr (@unsigned WORDSIZE32 y)) in *. + set (z' := repr (@unsigned WORDSIZE32 z)) in *. + replace (shr' x y) with (shr x y'). + replace (shr' (shr x y') z) with (shr (shr x y') z'). + replace (shr' x (Int.add y z)) with (shr x (add y' z')). + apply shr_shr; auto. apply zlt_true. rewrite <- E. + change (unsigned iwordsize) with zwordsize. tauto. + unfold shr, shr'. rewrite E; auto. + unfold shr at 1, shr'. rewrite <- B; auto. + unfold shr, shr'; rewrite <- A; auto. +Qed. + +Theorem shru'_shl': + forall x y z, @ltu WORDSIZE32 y iwordsize' = true -> @ltu WORDSIZE32 z iwordsize' = true -> + shru' (shl' x y) z = + if @ltu WORDSIZE32 z y then shl' (zero_ext (zwordsize - @unsigned WORDSIZE32 y) x) (@sub WORDSIZE32 y z) + else zero_ext (zwordsize - @unsigned WORDSIZE32 z) (shru' x (@sub WORDSIZE32 z y)). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H; apply (@ltu_inv WORDSIZE32) in H0. + change (@unsigned WORDSIZE32 iwordsize') with zwordsize in *. + unfold @ltu WORDSIZE32. set (Y := @unsigned WORDSIZE32 y) in *; set (Z := @unsigned WORDSIZE32 z) in *. + apply same_bits_eq; intros. rewrite bits_shru' by auto. fold Z. + destruct (zlt Z Y). +- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 y z) = Y - Z). + { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } + symmetry; rewrite bits_shl', A by lia. + destruct (zlt (i + Z) zwordsize). ++ rewrite bits_shl' by lia. fold Y. + destruct (zlt i (Y - Z)); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. + rewrite bits_zero_ext by lia. rewrite zlt_true by lia. f_equal; lia. ++ rewrite bits_zero_ext by lia. rewrite ! zlt_false by lia. auto. +- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 z y) = Z - Y). + { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } + rewrite bits_zero_ext, bits_shru', A by lia. + destruct (zlt (i + Z) zwordsize); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. + rewrite bits_shl' by lia. fold Y. + destruct (zlt (i + Z) Y). ++ rewrite zlt_false by lia. auto. ++ rewrite zlt_true by lia. f_equal; lia. +Qed. + +Theorem shr'_shl': + forall x y z, @ltu WORDSIZE32 y iwordsize' = true -> @ltu WORDSIZE32 z iwordsize' = true -> + shr' (shl' x y) z = + if @ltu WORDSIZE32 z y then shl' (sign_ext (zwordsize - @unsigned WORDSIZE32 y) x) (@sub WORDSIZE32 y z) + else sign_ext (zwordsize - @unsigned WORDSIZE32 z) (shr' x (@sub WORDSIZE32 z y)). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H; apply (@ltu_inv WORDSIZE32) in H0. + change (@unsigned WORDSIZE32 iwordsize') with zwordsize in *. + unfold @ltu WORDSIZE32. set (Y := @unsigned WORDSIZE32 y) in *; set (Z := @unsigned WORDSIZE32 z) in *. + apply same_bits_eq; intros. rewrite bits_shr' by auto. fold Z. + rewrite bits_shl' by (destruct (zlt (i + Z) zwordsize); lia). fold Y. + destruct (zlt Z Y). +- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 y z) = Y - Z). + { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } + rewrite bits_shl', A by lia. + destruct (zlt i (Y - Z)). ++ apply zlt_true. destruct (zlt (i + Z) zwordsize); lia. ++ rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). + rewrite bits_sign_ext by lia. f_equal. + destruct (zlt (i + Z) zwordsize). + rewrite zlt_true by lia. lia. + rewrite zlt_false by lia. lia. +- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 z y) = Z - Y). + { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } + rewrite bits_sign_ext by lia. + rewrite bits_shr' by (destruct (zlt i (zwordsize - Z)); lia). + rewrite A. rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). + f_equal. destruct (zlt i (zwordsize - Z)). ++ rewrite ! zlt_true by lia. lia. ++ rewrite ! zlt_false by lia. rewrite zlt_true by lia. lia. +Qed. + +Lemma shl'_zero_ext: + forall n m x, 0 <= n -> + shl' (zero_ext n x) m = zero_ext (n + @unsigned WORDSIZE32 m) (shl' x m). +Proof. + intros. apply same_bits_eq; intros. + rewrite bits_zero_ext, ! bits_shl' by lia. + destruct (zlt i (@unsigned WORDSIZE32 m)). +- rewrite zlt_true by lia; auto. +- rewrite bits_zero_ext by lia. + destruct (zlt (i - @unsigned WORDSIZE32 m) n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. +Qed. + +Lemma shl'_sign_ext: + forall n m x, 0 < n -> + shl' (sign_ext n x) m = sign_ext (n + @unsigned WORDSIZE32 m) (shl' x m). +Proof. + intros. generalize (@unsigned_range WORDSIZE32 m); intros. + apply same_bits_eq; intros. + rewrite bits_sign_ext, ! bits_shl' by lia. + destruct (zlt i (n + @unsigned WORDSIZE32 m)). +- rewrite bits_shl' by auto. destruct (zlt i (@unsigned WORDSIZE32 m)); auto. + rewrite bits_sign_ext by lia. f_equal. apply zlt_true. lia. +- rewrite zlt_false by lia. rewrite bits_shl' by lia. rewrite zlt_false by lia. + rewrite bits_sign_ext by lia. f_equal. rewrite zlt_false by lia. lia. +Qed. + +Lemma shru'_zero_ext: + forall n m x, 0 <= n -> + shru' (zero_ext (n + @unsigned WORDSIZE32 m) x) m = zero_ext n (shru' x m). +Proof. + intros. generalize (@unsigned_range WORDSIZE32 m); intros. + bit_solve; [|lia]. rewrite bits_shru', bits_zero_ext, bits_shru' by lia. + destruct (zlt (i + @unsigned WORDSIZE32 m) zwordsize). +* destruct (zlt i n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. +* destruct (zlt i n); auto. +Qed. + +Lemma shru'_zero_ext_0: + forall n m x, n <= @unsigned WORDSIZE32 m -> + shru' (zero_ext n x) m = zero. +Proof. + intros. generalize (@unsigned_range WORDSIZE32 m); intros. + bit_solve. rewrite bits_shru', bits_zero_ext by lia. + destruct (zlt (i + @unsigned WORDSIZE32 m) zwordsize); auto. + apply zlt_false. lia. +Qed. + +Lemma shr'_sign_ext: + forall n m x, 0 < n -> n + @unsigned WORDSIZE32 m < zwordsize -> + shr' (sign_ext (n + @unsigned WORDSIZE32 m) x) m = sign_ext n (shr' x m). +Proof. + intros. generalize (@unsigned_range WORDSIZE32 m); intros. + apply same_bits_eq; intros. + rewrite bits_sign_ext, bits_shr' by auto. + rewrite bits_sign_ext, bits_shr'. +- f_equal. + destruct (zlt i n), (zlt (i + @unsigned WORDSIZE32 m) zwordsize). ++ apply zlt_true; lia. ++ apply zlt_true; lia. ++ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. ++ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. +- destruct (zlt i n); lia. +- destruct (zlt (i + @unsigned WORDSIZE32 m) zwordsize); lia. +Qed. + +Lemma zero_ext_shru'_min: + forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> + zero_ext s (shru' x n) = zero_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) (shru' x n). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. + apply Z.min_case_strong; intros; auto. + bit_solve; try lia. rewrite ! bits_shru' by lia. + destruct (zlt i (zwordsize - @unsigned WORDSIZE32 n)). + rewrite zlt_true by lia. auto. + destruct (zlt i s); auto. rewrite zlt_false by lia; auto. +Qed. + +Lemma sign_ext_shr'_min: + forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> + sign_ext s (shr' x n) = sign_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) (shr' x n). +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. + rewrite Z.min_comm. + destruct (Z.min_spec (zwordsize - @unsigned WORDSIZE32 n) s) as [[A B] | [A B]]; rewrite B; auto. + apply same_bits_eq; intros. rewrite ! bits_sign_ext by auto. + destruct (zlt i (zwordsize - @unsigned WORDSIZE32 n)). + rewrite zlt_true by lia. auto. + assert (C: testbit (shr' x n) (zwordsize - @unsigned WORDSIZE32 n - 1) = testbit x (zwordsize - 1)). + { rewrite bits_shr' by lia. rewrite zlt_true by lia. f_equal; lia. } + rewrite C. destruct (zlt i s); rewrite bits_shr' by lia. + rewrite zlt_false by lia. auto. + rewrite zlt_false by lia. auto. +Qed. + +Lemma shl'_zero_ext_min: + forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> + shl' (zero_ext s x) n = shl' (zero_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) x) n. +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. + apply Z.min_case_strong; intros; auto. + apply same_bits_eq; intros. rewrite ! bits_shl' by auto. + destruct (zlt i (@unsigned WORDSIZE32 n)); auto. + rewrite ! bits_zero_ext by lia. + destruct (zlt (i - @unsigned WORDSIZE32 n) s). + rewrite zlt_true by lia; auto. + rewrite zlt_false by lia; auto. +Qed. + +Lemma shl'_sign_ext_min: + forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> + shl' (sign_ext s x) n = shl' (sign_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) x) n. +Proof. + intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. + rewrite Z.min_comm. + destruct (Z.min_spec (zwordsize - @unsigned WORDSIZE32 n) s) as [[A B] | [A B]]; rewrite B; auto. + apply same_bits_eq; intros. rewrite ! bits_shl' by auto. + destruct (zlt i (@unsigned WORDSIZE32 n)); auto. + rewrite ! bits_sign_ext by lia. f_equal. + destruct (zlt (i - @unsigned WORDSIZE32 n) s). + rewrite zlt_true by lia; auto. + extlia. +Qed. + +(** Powers of two with exponents given as 32-bit ints *) + +Definition one_bits' (x: int64) : list int32 := + List.map @repr WORDSIZE32 (Z_one_bits wordsize (unsigned x) 0). + +Definition is_power2' (x: int64) : option int32 := + match Z_one_bits wordsize (unsigned x) 0 with + | i :: nil => Some (@repr WORDSIZE32 i) + | _ => None + end. + +Theorem one_bits'_range: + forall x i, In i (one_bits' x) -> @ltu WORDSIZE32 i iwordsize' = true. +Proof. + intros. + destruct (list_in_map_inv _ _ _ H) as [i0 [EQ IN]]. + exploit Z_one_bits_range; eauto. fold zwordsize. intros R. + unfold @ltu WORDSIZE32. rewrite EQ. rewrite @unsigned WORDSIZE32_repr. + change (@unsigned WORDSIZE32 iwordsize') with zwordsize. apply zlt_true. lia. + assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. +Qed. + +Fixpoint int_of_one_bits' (l: list int32) : int64 := + match l with + | nil => zero + | a :: b => add (shl' one a) (int_of_one_bits' b) + end. + +Theorem one_bits'_decomp: + forall x, x = int_of_one_bits' (one_bits' x). +Proof. + assert (REC: forall l, + (forall i, In i l -> 0 <= i < zwordsize) -> + int_of_one_bits' (List.map @repr WORDSIZE32 l) = repr (powerserie l)). + { induction l; simpl; intros. + - auto. + - rewrite IHl by eauto. apply eqm_samerepr; apply eqm_add. + + rewrite shl'_one_two_p. rewrite @unsigned WORDSIZE32_repr. apply eqm_sym; apply eqm_unsigned_repr. + exploit (H a). auto. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. + + apply eqm_sym; apply eqm_unsigned_repr. + } + intros. rewrite <- (repr_unsigned x) at 1. unfold one_bits'. rewrite REC. + rewrite <- Z_one_bits_powerserie. auto. apply unsigned_range. + apply Z_one_bits_range. +Qed. + +Lemma is_power2'_rng: + forall n logn, + is_power2' n = Some logn -> + 0 <= @unsigned WORDSIZE32 logn < zwordsize. +Proof. + unfold is_power2'; intros n logn P2. + destruct (Z_one_bits wordsize (unsigned n) 0) as [ | i [ | ? ?]] eqn:B; inv P2. + assert (0 <= i < zwordsize). + { apply Z_one_bits_range with (unsigned n). rewrite B; auto with coqlib. } + rewrite @unsigned WORDSIZE32_repr. auto. + assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. + lia. +Qed. + +Theorem is_power2'_range: + forall n logn, + is_power2' n = Some logn -> @ltu WORDSIZE32 logn iwordsize' = true. +Proof. + intros. unfold @ltu WORDSIZE32. change (@unsigned WORDSIZE32 iwordsize') with zwordsize. + apply zlt_true. generalize (is_power2'_rng _ _ H). tauto. +Qed. + +Lemma is_power2'_correct: + forall n logn, + is_power2' n = Some logn -> + unsigned n = two_p (@unsigned WORDSIZE32 logn). +Proof. + unfold is_power2'; intros. + destruct (Z_one_bits wordsize (unsigned n) 0) as [ | i [ | ? ?]] eqn:B; inv H. + rewrite (Z_one_bits_powerserie wordsize (unsigned n)) by (apply unsigned_range). + rewrite @unsigned WORDSIZE32_repr. rewrite B; simpl. lia. + assert (0 <= i < zwordsize). + { apply Z_one_bits_range with (unsigned n). rewrite B; auto with coqlib. } + assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. + lia. +Qed. + +Theorem mul_pow2': + forall x n logn, + is_power2' n = Some logn -> + mul x n = shl' x logn. +Proof. + intros. rewrite shl'_mul. f_equal. rewrite shl'_one_two_p. + rewrite <- (repr_unsigned n). f_equal. apply is_power2'_correct; auto. +Qed. + +Theorem divu_pow2': + forall x n logn, + is_power2' n = Some logn -> + divu x n = shru' x logn. +Proof. + intros. generalize (is_power2'_correct n logn H). intro. + symmetry. unfold divu. rewrite H0. unfold shru'. rewrite Zshiftr_div_two_p. auto. + eapply is_power2'_rng; eauto. +Qed. + +(** Decomposing 64-bit ints as pairs of 32-bit ints *) + +Definition loword (n: int64) : int32 := @repr WORDSIZE32 (unsigned n). + +Definition hiword (n: int64) : int32 := @repr WORDSIZE32 (unsigned (shru n (repr Int.zwordsize))). + +Definition ofwords (hi lo: int32) : int64 := + or (shl (repr (@unsigned WORDSIZE32 hi)) (repr Int.zwordsize)) (repr (@unsigned WORDSIZE32 lo)). + +Lemma bits_loword: + forall n i, 0 <= i < Int.zwordsize -> Int.testbit (loword n) i = testbit n i. +Proof. + intros. unfold loword. rewrite Int.testbit_repr; auto. +Qed. + +Lemma bits_hiword: + forall n i, 0 <= i < Int.zwordsize -> Int.testbit (hiword n) i = testbit n (i + Int.zwordsize). +Proof. + intros. unfold hiword. rewrite Int.testbit_repr; auto. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + fold (testbit (shru n (repr Int.zwordsize)) i). rewrite bits_shru. + change (unsigned (repr Int.zwordsize)) with Int.zwordsize. + apply zlt_true. lia. lia. +Qed. + +Lemma bits_ofwords: + forall hi lo i, 0 <= i < zwordsize -> + testbit (ofwords hi lo) i = + if zlt i Int.zwordsize then Int.testbit lo i else Int.testbit hi (i - Int.zwordsize). +Proof. + intros. unfold ofwords. rewrite bits_or; auto. rewrite bits_shl; auto. + change (unsigned (repr Int.zwordsize)) with Int.zwordsize. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + destruct (zlt i Int.zwordsize). + rewrite testbit_repr; auto. + rewrite !testbit_repr; auto. + fold (Int.testbit lo i). rewrite Int.bits_above. apply orb_false_r. auto. + lia. +Qed. + +Lemma lo_ofwords: + forall hi lo, loword (ofwords hi lo) = lo. +Proof. + intros. apply Int.same_bits_eq; intros. + rewrite bits_loword; auto. rewrite bits_ofwords. apply zlt_true. lia. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. lia. +Qed. + +Lemma hi_ofwords: + forall hi lo, hiword (ofwords hi lo) = hi. +Proof. + intros. apply Int.same_bits_eq; intros. + rewrite bits_hiword; auto. rewrite bits_ofwords. + rewrite zlt_false. f_equal. lia. lia. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. lia. +Qed. + +Lemma ofwords_recompose: + forall n, ofwords (hiword n) (loword n) = n. +Proof. + intros. apply same_bits_eq; intros. rewrite bits_ofwords; auto. + destruct (zlt i Int.zwordsize). + apply bits_loword. lia. + rewrite bits_hiword. f_equal. lia. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. lia. +Qed. + +Lemma ofwords_add: + forall lo hi, ofwords hi lo = repr (@unsigned WORDSIZE32 hi * two_p 32 + @unsigned WORDSIZE32 lo). +Proof. + intros. unfold ofwords. rewrite shifted_or_is_add. + apply eqm_samerepr. apply eqm_add. apply eqm_mult. + apply eqm_sym; apply eqm_unsigned_repr. + apply eqm_refl. + apply eqm_sym; apply eqm_unsigned_repr. + change Int.zwordsize with 32; change zwordsize with 64; lia. + rewrite unsigned_repr. generalize (@unsigned_range WORDSIZE32 lo). intros [A B]. exact B. + assert (@max_unsigned WORDSIZE32 < max_unsigned) by (compute; auto). + generalize (@unsigned_range WORDSIZE32_2 lo); lia. +Qed. + +Lemma ofwords_add': + forall lo hi, unsigned (ofwords hi lo) = @unsigned WORDSIZE32 hi * two_p 32 + @unsigned WORDSIZE32 lo. +Proof. + intros. rewrite ofwords_add. apply unsigned_repr. + generalize (@unsigned_range WORDSIZE32 hi) (@unsigned_range WORDSIZE32 lo). + change (two_p 32) with Int.modulus. + change Int.modulus with 4294967296. + change max_unsigned with 18446744073709551615. + lia. +Qed. + +Remark eqm_mul_2p32: + forall x y, Int.eqm x y -> eqm (x * two_p 32) (y * two_p 32). +Proof. + intros. destruct H as [k EQ]. exists k. rewrite EQ. + change Int.modulus with (two_p 32). + change modulus with (two_p 32 * two_p 32). + ring. +Qed. + +Lemma ofwords_add'': + forall lo hi, signed (ofwords hi lo) = Int.signed hi * two_p 32 + @unsigned WORDSIZE32 lo. +Proof. + intros. rewrite ofwords_add. + replace (repr (@unsigned WORDSIZE32 hi * two_p 32 + @unsigned WORDSIZE32 lo)) + with (repr (Int.signed hi * two_p 32 + @unsigned WORDSIZE32 lo)). + apply signed_repr. + generalize (Int.signed_range hi) (@unsigned_range WORDSIZE32 lo). + change (two_p 32) with Int.modulus. + change min_signed with (Int.min_signed * Int.modulus). + change max_signed with (Int.max_signed * Int.modulus + Int.modulus - 1). + change Int.modulus with 4294967296. + lia. + apply eqm_samerepr. apply eqm_add. apply eqm_mul_2p32. apply Int.eqm_signed_unsigned. apply eqm_refl. +Qed. + +(** Expressing 64-bit operations in terms of 32-bit operations *) + +Lemma decompose_bitwise_binop: + forall f f64 f32 xh xl yh yl, + (forall x y i, 0 <= i < zwordsize -> testbit (f64 x y) i = f (testbit x i) (testbit y i)) -> + (forall x y i, 0 <= i < Int.zwordsize -> Int.testbit (f32 x y) i = f (Int.testbit x i) (Int.testbit y i)) -> + f64 (ofwords xh xl) (ofwords yh yl) = ofwords (f32 xh yh) (f32 xl yl). +Proof. + intros. apply Int64.same_bits_eq; intros. + rewrite H by auto. rewrite ! bits_ofwords by auto. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + destruct (zlt i Int.zwordsize); rewrite H0 by lia; auto. +Qed. + +Lemma decompose_and: + forall xh xl yh yl, + and (ofwords xh xl) (ofwords yh yl) = ofwords (Int.and xh yh) (Int.and xl yl). +Proof. + intros. apply decompose_bitwise_binop with andb. + apply bits_and. apply Int.bits_and. +Qed. + +Lemma decompose_or: + forall xh xl yh yl, + or (ofwords xh xl) (ofwords yh yl) = ofwords (Int.or xh yh) (Int.or xl yl). +Proof. + intros. apply decompose_bitwise_binop with orb. + apply bits_or. apply Int.bits_or. +Qed. + +Lemma decompose_xor: + forall xh xl yh yl, + xor (ofwords xh xl) (ofwords yh yl) = ofwords (Int.xor xh yh) (Int.xor xl yl). +Proof. + intros. apply decompose_bitwise_binop with xorb. + apply bits_xor. apply Int.bits_xor. +Qed. + +Lemma decompose_not: + forall xh xl, + not (ofwords xh xl) = ofwords (Int.not xh) (Int.not xl). +Proof. + intros. unfold not, Int.not. rewrite <- decompose_xor. f_equal. + apply (Int64.eq_spec mone (ofwords Int.mone Int.mone)). +Qed. + +Lemma decompose_shl_1: + forall xh xl y, + 0 <= @unsigned WORDSIZE32 y < Int.zwordsize -> + shl' (ofwords xh xl) y = + ofwords (Int.or (Int.shl xh y) (Int.shru xl (@sub WORDSIZE32 Int.iwordsize y))) + (Int.shl xl y). +Proof. + intros. + assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize y) = Int.zwordsize - @unsigned WORDSIZE32 y). + { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. + rewrite @unsigned WORDSIZE32_repr_wordsize. generalize Int.wordsize_max_unsigned; lia. } + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + apply Int64.same_bits_eq; intros. + rewrite bits_shl' by auto. symmetry. rewrite bits_ofwords by auto. + destruct (zlt i Int.zwordsize). rewrite Int.bits_shl by lia. + destruct (zlt i (@unsigned WORDSIZE32 y)). auto. + rewrite bits_ofwords by lia. rewrite zlt_true by lia. auto. + rewrite zlt_false by lia. rewrite bits_ofwords by lia. + rewrite Int.bits_or by lia. rewrite Int.bits_shl by lia. + rewrite Int.bits_shru by lia. rewrite H0. + destruct (zlt (i - @unsigned WORDSIZE32 y) (Int.zwordsize)). + rewrite zlt_true by lia. rewrite zlt_true by lia. + rewrite orb_false_l. f_equal. lia. + rewrite zlt_false by lia. rewrite zlt_false by lia. + rewrite orb_false_r. f_equal. lia. +Qed. + +Lemma decompose_shl_2: + forall xh xl y, + Int.zwordsize <= @unsigned WORDSIZE32 y < zwordsize -> + shl' (ofwords xh xl) y = + ofwords (Int.shl xl (@sub WORDSIZE32 y Int.iwordsize)) (@zero WORDSIZE32). +Proof. + intros. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 y Int.iwordsize) = @unsigned WORDSIZE32 y - Int.zwordsize). + { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. + rewrite @unsigned WORDSIZE32_repr_wordsize. generalize (@unsigned_range WORDSIZE32_2 y). lia. } + apply Int64.same_bits_eq; intros. + rewrite bits_shl' by auto. symmetry. rewrite bits_ofwords by auto. + destruct (zlt i Int.zwordsize). rewrite zlt_true by lia. apply Int.bits_zero. + rewrite Int.bits_shl by lia. + destruct (zlt i (@unsigned WORDSIZE32 y)). + rewrite zlt_true by lia. auto. + rewrite zlt_false by lia. + rewrite bits_ofwords by lia. rewrite zlt_true by lia. f_equal. lia. +Qed. + +Lemma decompose_shru_1: + forall xh xl y, + 0 <= @unsigned WORDSIZE32 y < Int.zwordsize -> + shru' (ofwords xh xl) y = + ofwords (Int.shru xh y) + (Int.or (Int.shru xl y) (Int.shl xh (@sub WORDSIZE32 Int.iwordsize y))). +Proof. + intros. + assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize y) = Int.zwordsize - @unsigned WORDSIZE32 y). + { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. + rewrite @unsigned WORDSIZE32_repr_wordsize. generalize Int.wordsize_max_unsigned; lia. } + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + apply Int64.same_bits_eq; intros. + rewrite bits_shru' by auto. symmetry. rewrite bits_ofwords by auto. + destruct (zlt i Int.zwordsize). + rewrite zlt_true by lia. + rewrite bits_ofwords by lia. + rewrite Int.bits_or by lia. rewrite Int.bits_shl by lia. + rewrite Int.bits_shru by lia. rewrite H0. + destruct (zlt (i + @unsigned WORDSIZE32 y) (Int.zwordsize)). + rewrite zlt_true by lia. + rewrite orb_false_r. auto. + rewrite zlt_false by lia. + rewrite orb_false_l. f_equal. lia. + rewrite Int.bits_shru by lia. + destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). + rewrite bits_ofwords by lia. + rewrite zlt_true by lia. rewrite zlt_false by lia. f_equal. lia. + rewrite zlt_false by lia. auto. +Qed. + +Lemma decompose_shru_2: + forall xh xl y, + Int.zwordsize <= @unsigned WORDSIZE32 y < zwordsize -> + shru' (ofwords xh xl) y = + ofwords (@zero WORDSIZE32) (Int.shru xh (@sub WORDSIZE32 y Int.iwordsize)). +Proof. + intros. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 y Int.iwordsize) = @unsigned WORDSIZE32 y - Int.zwordsize). + { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. + rewrite @unsigned WORDSIZE32_repr_wordsize. generalize (@unsigned_range WORDSIZE32_2 y). lia. } + apply Int64.same_bits_eq; intros. + rewrite bits_shru' by auto. symmetry. rewrite bits_ofwords by auto. + destruct (zlt i Int.zwordsize). + rewrite Int.bits_shru by lia. rewrite H1. + destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). + rewrite zlt_true by lia. rewrite bits_ofwords by lia. + rewrite zlt_false by lia. f_equal; lia. + rewrite zlt_false by lia. auto. + rewrite zlt_false by lia. apply Int.bits_zero. +Qed. + +Lemma decompose_shr_1: + forall xh xl y, + 0 <= @unsigned WORDSIZE32 y < Int.zwordsize -> + shr' (ofwords xh xl) y = + ofwords (Int.shr xh y) + (Int.or (Int.shru xl y) (Int.shl xh (@sub WORDSIZE32 Int.iwordsize y))). +Proof. + intros. + assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize y) = Int.zwordsize - @unsigned WORDSIZE32 y). + { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. + rewrite @unsigned WORDSIZE32_repr_wordsize. generalize Int.wordsize_max_unsigned; lia. } + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + apply Int64.same_bits_eq; intros. + rewrite bits_shr' by auto. symmetry. rewrite bits_ofwords by auto. + destruct (zlt i Int.zwordsize). + rewrite zlt_true by lia. + rewrite bits_ofwords by lia. + rewrite Int.bits_or by lia. rewrite Int.bits_shl by lia. + rewrite Int.bits_shru by lia. rewrite H0. + destruct (zlt (i + @unsigned WORDSIZE32 y) (Int.zwordsize)). + rewrite zlt_true by lia. + rewrite orb_false_r. auto. + rewrite zlt_false by lia. + rewrite orb_false_l. f_equal. lia. + rewrite Int.bits_shr by lia. + destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). + rewrite bits_ofwords by lia. + rewrite zlt_true by lia. rewrite zlt_false by lia. f_equal. lia. + rewrite zlt_false by lia. rewrite bits_ofwords by lia. + rewrite zlt_false by lia. f_equal. +Qed. + +Lemma decompose_shr_2: + forall xh xl y, + Int.zwordsize <= @unsigned WORDSIZE32 y < zwordsize -> + shr' (ofwords xh xl) y = + ofwords (Int.shr xh (@sub WORDSIZE32 Int.iwordsize Int.one)) + (Int.shr xh (@sub WORDSIZE32 y Int.iwordsize)). +Proof. + intros. + assert (zwordsize = 2 * Int.zwordsize) by reflexivity. + assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 y Int.iwordsize) = @unsigned WORDSIZE32 y - Int.zwordsize). + { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. + rewrite @unsigned WORDSIZE32_repr_wordsize. generalize (@unsigned_range WORDSIZE32_2 y). lia. } + apply Int64.same_bits_eq; intros. + rewrite bits_shr' by auto. symmetry. rewrite bits_ofwords by auto. + destruct (zlt i Int.zwordsize). + rewrite Int.bits_shr by lia. rewrite H1. + destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). + rewrite zlt_true by lia. rewrite bits_ofwords by lia. + rewrite zlt_false by lia. f_equal; lia. + rewrite zlt_false by lia. rewrite bits_ofwords by lia. + rewrite zlt_false by lia. auto. + rewrite Int.bits_shr by lia. + change (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize Int.one)) with (Int.zwordsize - 1). + destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize); + rewrite bits_ofwords by lia. + symmetry. rewrite zlt_false by lia. f_equal. + destruct (zlt (i - Int.zwordsize + (Int.zwordsize - 1)) Int.zwordsize); lia. + symmetry. rewrite zlt_false by lia. f_equal. + destruct (zlt (i - Int.zwordsize + (Int.zwordsize - 1)) Int.zwordsize); lia. +Qed. + +Lemma decompose_add: + forall xh xl yh yl, + add (ofwords xh xl) (ofwords yh yl) = + ofwords (Int.add (Int.add xh yh) (Int.add_carry xl yl (@zero WORDSIZE32))) + (Int.add xl yl). +Proof. + intros. symmetry. rewrite ofwords_add. rewrite add_unsigned. + apply eqm_samerepr. + rewrite ! ofwords_add'. rewrite (@unsigned WORDSIZE32_add_carry xl yl). + set (cc := Int.add_carry xl yl (@zero WORDSIZE32)). + set (Xl := @unsigned WORDSIZE32 xl); set (Xh := @unsigned WORDSIZE32 xh); + set (Yl := @unsigned WORDSIZE32 yl); set (Yh := @unsigned WORDSIZE32 yh). + change Int.modulus with (two_p 32). + replace (Xh * two_p 32 + Xl + (Yh * two_p 32 + Yl)) + with ((Xh + Yh) * two_p 32 + (Xl + Yl)) by ring. + replace (@unsigned WORDSIZE32 (Int.add (Int.add xh yh) cc) * two_p 32 + + (Xl + Yl - @unsigned WORDSIZE32 cc * two_p 32)) + with ((@unsigned WORDSIZE32 (Int.add (Int.add xh yh) cc) - @unsigned WORDSIZE32 cc) * two_p 32 + + (Xl + Yl)) by ring. + apply eqm_add. 2: apply eqm_refl. apply eqm_mul_2p32. + replace (Xh + Yh) with ((Xh + Yh + @unsigned WORDSIZE32 cc) - @unsigned WORDSIZE32 cc) by ring. + apply Int.eqm_sub. 2: apply Int.eqm_refl. + apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. 2: apply Int.eqm_refl. + apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. +Qed. + +Lemma decompose_sub: + forall xh xl yh yl, + sub (ofwords xh xl) (ofwords yh yl) = + ofwords (@sub WORDSIZE32 (@sub WORDSIZE32 xh yh) (@sub WORDSIZE32_borrow xl yl (@zero WORDSIZE32))) + (@sub WORDSIZE32 xl yl). +Proof. + intros. symmetry. rewrite ofwords_add. + apply eqm_samerepr. + rewrite ! ofwords_add'. rewrite (@unsigned WORDSIZE32_sub_borrow xl yl). + set (bb := @sub WORDSIZE32_borrow xl yl (@zero WORDSIZE32)). + set (Xl := @unsigned WORDSIZE32 xl); set (Xh := @unsigned WORDSIZE32 xh); + set (Yl := @unsigned WORDSIZE32 yl); set (Yh := @unsigned WORDSIZE32 yh). + change Int.modulus with (two_p 32). + replace (Xh * two_p 32 + Xl - (Yh * two_p 32 + Yl)) + with ((Xh - Yh) * two_p 32 + (Xl - Yl)) by ring. + replace (@unsigned WORDSIZE32 (@sub WORDSIZE32 (@sub WORDSIZE32 xh yh) bb) * two_p 32 + + (Xl - Yl + @unsigned WORDSIZE32 bb * two_p 32)) + with ((@unsigned WORDSIZE32 (@sub WORDSIZE32 (@sub WORDSIZE32 xh yh) bb) + @unsigned WORDSIZE32 bb) * two_p 32 + + (Xl - Yl)) by ring. + apply eqm_add. 2: apply eqm_refl. apply eqm_mul_2p32. + replace (Xh - Yh) with ((Xh - Yh - @unsigned WORDSIZE32 bb) + @unsigned WORDSIZE32 bb) by ring. + apply Int.eqm_add. 2: apply Int.eqm_refl. + apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. 2: apply Int.eqm_refl. + apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. +Qed. + +Lemma decompose_sub': + forall xh xl yh yl, + sub (ofwords xh xl) (ofwords yh yl) = + ofwords (Int.add (Int.add xh (Int.not yh)) (Int.add_carry xl (Int.not yl) Int.one)) + (@sub WORDSIZE32 xl yl). +Proof. + intros. rewrite decompose_sub. f_equal. + rewrite @sub WORDSIZE32_borrow_add_carry by auto. + rewrite @sub WORDSIZE32_add_not_3. rewrite Int.xor_assoc. rewrite Int.xor_idem. + rewrite Int.xor_zero. auto. + rewrite Int.xor_zero_l. unfold Int.add_carry. + destruct (zlt (@unsigned WORDSIZE32 xl + @unsigned WORDSIZE32 (Int.not yl) + @unsigned WORDSIZE32 Int.one) Int.modulus); + compute; [right|left]; apply Int.mkint_eq; auto. +Qed. + +Definition mul' (x y: int32) : int64 := repr (@unsigned WORDSIZE32 x * @unsigned WORDSIZE32 y). + +Lemma mul'_mulhu: + forall x y, mul' x y = ofwords (Int.mulhu x y) (Int.mul x y). +Proof. + intros. + rewrite ofwords_add. unfold mul', Int.mulhu, Int.mul. + set (p := @unsigned WORDSIZE32 x * @unsigned WORDSIZE32 y). + set (ph := p / Int.modulus). set (pl := p mod Int.modulus). + transitivity (repr (ph * Int.modulus + pl)). +- f_equal. rewrite Z.mul_comm. apply Z_div_mod_eq. apply Int.modulus_pos. +- apply eqm_samerepr. apply eqm_add. apply eqm_mul_2p32. auto with ints. + rewrite @unsigned WORDSIZE32_repr_eq. apply eqm_refl. +Qed. + +Lemma decompose_mul: + forall xh xl yh yl, + mul (ofwords xh xl) (ofwords yh yl) = + ofwords (Int.add (Int.add (hiword (mul' xl yl)) (Int.mul xl yh)) (Int.mul xh yl)) + (loword (mul' xl yl)). +Proof. + intros. + set (pl := loword (mul' xl yl)); set (ph := hiword (mul' xl yl)). + assert (EQ0: unsigned (mul' xl yl) = @unsigned WORDSIZE32 ph * two_p 32 + @unsigned WORDSIZE32 pl). + { rewrite <- (ofwords_recompose (mul' xl yl)). apply ofwords_add'. } + symmetry. rewrite ofwords_add. unfold mul. rewrite !ofwords_add'. + set (XL := @unsigned WORDSIZE32 xl); set (XH := @unsigned WORDSIZE32 xh); + set (YL := @unsigned WORDSIZE32 yl); set (YH := @unsigned WORDSIZE32 yh). + set (PH := @unsigned WORDSIZE32 ph) in *. set (PL := @unsigned WORDSIZE32 pl) in *. + transitivity (repr (((PH + XL * YH) + XH * YL) * two_p 32 + PL)). + apply eqm_samerepr. apply eqm_add. 2: apply eqm_refl. + apply eqm_mul_2p32. + rewrite Int.add_unsigned. apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. + rewrite Int.add_unsigned. apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. + apply Int.eqm_refl. + unfold Int.mul. apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. + unfold Int.mul. apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. + transitivity (repr (unsigned (mul' xl yl) + (XL * YH + XH * YL) * two_p 32)). + rewrite EQ0. f_equal. ring. + transitivity (repr ((XL * YL + (XL * YH + XH * YL) * two_p 32))). + apply eqm_samerepr. apply eqm_add. 2: apply eqm_refl. + unfold mul'. apply eqm_unsigned_repr_l. apply eqm_refl. + transitivity (repr (0 + (XL * YL + (XL * YH + XH * YL) * two_p 32))). + rewrite Z.add_0_l; auto. + transitivity (repr (XH * YH * (two_p 32 * two_p 32) + (XL * YL + (XL * YH + XH * YL) * two_p 32))). + apply eqm_samerepr. apply eqm_add. 2: apply eqm_refl. + change (two_p 32 * two_p 32) with modulus. exists (- XH * YH). ring. + f_equal. ring. +Qed. + +Lemma decompose_mul_2: + forall xh xl yh yl, + mul (ofwords xh xl) (ofwords yh yl) = + ofwords (Int.add (Int.add (Int.mulhu xl yl) (Int.mul xl yh)) (Int.mul xh yl)) + (Int.mul xl yl). +Proof. + intros. rewrite decompose_mul. rewrite mul'_mulhu. + rewrite hi_ofwords, lo_ofwords. auto. +Qed. + +Lemma decompose_ltu: + forall xh xl yh yl, + ltu (ofwords xh xl) (ofwords yh yl) = if Int.eq xh yh then @ltu WORDSIZE32 xl yl else @ltu WORDSIZE32 xh yh. +Proof. + intros. unfold ltu. rewrite ! ofwords_add'. unfold @ltu WORDSIZE32, Int.eq. + destruct (zeq (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). + rewrite e. destruct (zlt (@unsigned WORDSIZE32 xl) (@unsigned WORDSIZE32 yl)). + apply zlt_true; lia. + apply zlt_false; lia. + change (two_p 32) with Int.modulus. + generalize (@unsigned_range WORDSIZE32 xl) (@unsigned_range WORDSIZE32 yl). + change Int.modulus with 4294967296. intros. + destruct (zlt (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). + apply zlt_true; lia. + apply zlt_false; lia. +Qed. + +Lemma decompose_leu: + forall xh xl yh yl, + negb (ltu (ofwords yh yl) (ofwords xh xl)) = + if Int.eq xh yh then negb (@ltu WORDSIZE32 yl xl) else @ltu WORDSIZE32 xh yh. +Proof. + intros. rewrite decompose_ltu. rewrite Int.eq_sym. + unfold Int.eq. destruct (zeq (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). + auto. + unfold @ltu WORDSIZE32. destruct (zlt (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). + rewrite zlt_false by lia; auto. + rewrite zlt_true by lia; auto. +Qed. + +Lemma decompose_lt: + forall xh xl yh yl, + lt (ofwords xh xl) (ofwords yh yl) = if Int.eq xh yh then @ltu WORDSIZE32 xl yl else Int.lt xh yh. +Proof. + intros. unfold lt. rewrite ! ofwords_add''. rewrite Int.eq_signed. + destruct (zeq (Int.signed xh) (Int.signed yh)). + rewrite e. unfold @ltu WORDSIZE32. destruct (zlt (@unsigned WORDSIZE32 xl) (@unsigned WORDSIZE32 yl)). + apply zlt_true; lia. + apply zlt_false; lia. + change (two_p 32) with Int.modulus. + generalize (@unsigned_range WORDSIZE32 xl) (@unsigned_range WORDSIZE32 yl). + change Int.modulus with 4294967296. intros. + unfold Int.lt. destruct (zlt (Int.signed xh) (Int.signed yh)). + apply zlt_true; lia. + apply zlt_false; lia. +Qed. + +Lemma decompose_le: + forall xh xl yh yl, + negb (lt (ofwords yh yl) (ofwords xh xl)) = + if Int.eq xh yh then negb (@ltu WORDSIZE32 yl xl) else Int.lt xh yh. +Proof. + intros. rewrite decompose_lt. rewrite Int.eq_sym. + rewrite Int.eq_signed. destruct (zeq (Int.signed xh) (Int.signed yh)). + auto. + unfold Int.lt. destruct (zlt (Int.signed xh) (Int.signed yh)). + rewrite zlt_false by lia; auto. + rewrite zlt_true by lia; auto. +Qed. + +(** Utility proofs for mixed 32bit and 64bit arithmetic *) + +Remark int_unsigned_range: + forall x, 0 <= @unsigned WORDSIZE32 x <= max_unsigned. +Proof. + intros. + unfold max_unsigned. unfold modulus. + generalize (@unsigned_range WORDSIZE32 x). + unfold Int.modulus in *. + change (wordsize) with 64%nat in *. + change (Int.wordsize) with 32%nat in *. + unfold two_power_nat. simpl. + lia. +Qed. + +Remark int_unsigned_repr: + forall x, unsigned (repr (@unsigned WORDSIZE32 x)) = @unsigned WORDSIZE32 x. +Proof. + intros. rewrite unsigned_repr. auto. + apply int_unsigned_range. +Qed. + +Lemma int_sub_ltu: + forall x y, + @ltu WORDSIZE32 x y= true -> + @unsigned WORDSIZE32 (@sub WORDSIZE32 y x) = unsigned (sub (repr (@unsigned WORDSIZE32 y)) (repr (@unsigned WORDSIZE32 x))). +Proof. + intros. generalize (@sub WORDSIZE32_ltu x y H). intros. unfold @sub WORDSIZE32. unfold sub. + rewrite @unsigned WORDSIZE32_repr. rewrite unsigned_repr. + rewrite unsigned_repr by apply int_unsigned_range. rewrite int_unsigned_repr. reflexivity. + rewrite unsigned_repr by apply int_unsigned_range. + rewrite int_unsigned_repr. generalize (int_unsigned_range y). + lia. + generalize (@sub WORDSIZE32_ltu x y H). intros. + generalize (@unsigned_range WORDSIZE32_2 y). intros. lia. +Qed. + +End Int64. + +Strategy 0 [Wordsize_64.wordsize]. + +Notation int64 := Int64.int. + +Global Opaque @repr WORDSIZE32 Int64.repr Byte.repr. + +(** * Specialization to offsets in pointer values *) + +Module Wordsize_Ptrofs. + Definition wordsize := if Archi.ptr64 then 64%nat else 32%nat. + Remark wordsize_not_zero: wordsize <> 0%nat. + Proof. unfold wordsize; destruct Archi.ptr64; congruence. Qed. +End Wordsize_Ptrofs. + +Strategy opaque [Wordsize_Ptrofs.wordsize]. + +Module Ptrofs. + +Include Make(Wordsize_Ptrofs). + +Definition to_int (x: int): Int.int := @repr WORDSIZE32 (unsigned x). + +Definition to_int64 (x: int): Int64.int := Int64.repr (unsigned x). + +Definition of_int (x: Int.int) : int := repr (@unsigned WORDSIZE32 x). + +Definition of_intu := of_int. + +Definition of_ints (x: Int.int) : int := repr (Int.signed x). + +Definition of_int64 (x: Int64.int) : int := repr (Int64.unsigned x). + +Definition of_int64u := of_int64. + +Definition of_int64s (x: Int64.int) : int := repr (Int64.signed x). + +Section AGREE32. + +Hypothesis _32: Archi.ptr64 = false. + +Lemma modulus_eq32: modulus = Int.modulus. +Proof. + unfold modulus, wordsize. + change Wordsize_Ptrofs.wordsize with (if Archi.ptr64 then 64%nat else 32%nat). + rewrite _32. reflexivity. +Qed. + +Lemma eqm32: + forall x y, Int.eqm x y <-> eqm x y. +Proof. + intros. unfold Int.eqm, eqm. rewrite modulus_eq32; tauto. +Qed. + +Definition agree32 (a: Ptrofs.int) (b: Int.int) : Prop := + Ptrofs.unsigned a = @unsigned WORDSIZE32 b. + +Lemma agree32_repr: + forall i, agree32 (Ptrofs.repr i) (@repr WORDSIZE32 i). +Proof. + intros; red. rewrite Ptrofs.unsigned_repr_eq, @unsigned WORDSIZE32_repr_eq. + apply f_equal2. auto. apply modulus_eq32. +Qed. + +Lemma agree32_signed: + forall a b, agree32 a b -> Ptrofs.signed a = Int.signed b. +Proof. + unfold agree32; intros. unfold signed, Int.signed, half_modulus, Int.half_modulus. + rewrite modulus_eq32. rewrite H. auto. +Qed. + +Lemma agree32_of_int: + forall b, agree32 (of_int b) b. +Proof. + unfold of_int; intros. rewrite <- (@repr WORDSIZE32_unsigned b) at 2. apply agree32_repr. +Qed. + +Lemma agree32_of_ints: + forall b, agree32 (of_ints b) b. +Proof. + unfold of_int; intros. rewrite <- (@repr WORDSIZE32_signed b) at 2. apply agree32_repr. +Qed. + +Lemma agree32_of_int_eq: + forall a b, agree32 a b -> of_int b = a. +Proof. + unfold agree32, of_int; intros. rewrite <- H. apply repr_unsigned. +Qed. + +Lemma agree32_of_ints_eq: + forall a b, agree32 a b -> of_ints b = a. +Proof. + unfold of_ints; intros. erewrite <- agree32_signed by eauto. apply repr_signed. +Qed. + +Lemma agree32_to_int: + forall a, agree32 a (to_int a). +Proof. + unfold agree32, to_int; intros. rewrite <- (agree32_repr (unsigned a)). + rewrite repr_unsigned; auto. +Qed. + +Lemma agree32_to_int_eq: + forall a b, agree32 a b -> to_int a = b. +Proof. + unfold agree32, to_int; intros. rewrite H. apply @repr WORDSIZE32_unsigned. +Qed. + +Lemma agree32_neg: + forall a1 b1, agree32 a1 b1 -> agree32 (Ptrofs.neg a1) (Int.neg b1). +Proof. + unfold agree32, Ptrofs.neg, Int.neg; intros. rewrite H. apply agree32_repr. +Qed. + +Lemma agree32_add: + forall a1 b1 a2 b2, + agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.add a1 a2) (Int.add b1 b2). +Proof. + unfold agree32, Ptrofs.add, Int.add; intros. rewrite H, H0. apply agree32_repr. +Qed. + +Lemma agree32_sub: + forall a1 b1 a2 b2, + agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.sub a1 a2) (@sub WORDSIZE32 b1 b2). +Proof. + unfold agree32, Ptrofs.sub, @sub WORDSIZE32; intros. rewrite H, H0. apply agree32_repr. +Qed. + +Lemma agree32_mul: + forall a1 b1 a2 b2, + agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.mul a1 a2) (Int.mul b1 b2). +Proof. + unfold agree32, Ptrofs.mul, Int.mul; intros. rewrite H, H0. apply agree32_repr. +Qed. + +Lemma agree32_divs: + forall a1 b1 a2 b2, + agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.divs a1 a2) (Int.divs b1 b2). +Proof. + intros; unfold agree32, Ptrofs.divs, Int.divs. + erewrite ! agree32_signed by eauto. apply agree32_repr. +Qed. + +Lemma of_int_to_int: + forall n, of_int (to_int n) = n. +Proof. + intros; unfold of_int, to_int. apply eqm_repr_eq. rewrite <- eqm32. + apply Int.eqm_sym; apply Int.eqm_unsigned_repr. +Qed. + +Lemma to_int_of_int: + forall n, to_int (of_int n) = n. +Proof. + intros; unfold of_int, to_int. rewrite unsigned_repr. apply @repr WORDSIZE32_unsigned. + unfold max_unsigned. rewrite modulus_eq32. destruct (@unsigned_range WORDSIZE32 n); lia. +Qed. + +End AGREE32. + +Section AGREE64. + +Hypothesis _64: Archi.ptr64 = true. + +Lemma modulus_eq64: modulus = Int64.modulus. +Proof. + unfold modulus, wordsize. + change Wordsize_Ptrofs.wordsize with (if Archi.ptr64 then 64%nat else 32%nat). + rewrite _64. reflexivity. +Qed. + +Lemma eqm64: + forall x y, Int64.eqm x y <-> eqm x y. +Proof. + intros. unfold Int64.eqm, eqm. rewrite modulus_eq64; tauto. +Qed. + +Definition agree64 (a: Ptrofs.int) (b: Int64.int) : Prop := + Ptrofs.unsigned a = Int64.unsigned b. + +Lemma agree64_repr: + forall i, agree64 (Ptrofs.repr i) (Int64.repr i). +Proof. + intros; red. rewrite Ptrofs.unsigned_repr_eq, Int64.unsigned_repr_eq. + apply f_equal2. auto. apply modulus_eq64. +Qed. + +Lemma agree64_signed: + forall a b, agree64 a b -> Ptrofs.signed a = Int64.signed b. +Proof. + unfold agree64; intros. unfold signed, Int64.signed, half_modulus, Int64.half_modulus. + rewrite modulus_eq64. rewrite H. auto. +Qed. + +Lemma agree64_of_int: + forall b, agree64 (of_int64 b) b. +Proof. + unfold of_int64; intros. rewrite <- (Int64.repr_unsigned b) at 2. apply agree64_repr. +Qed. + +Lemma agree64_of_int_eq: + forall a b, agree64 a b -> of_int64 b = a. +Proof. + unfold agree64, of_int64; intros. rewrite <- H. apply repr_unsigned. +Qed. + +Lemma agree64_to_int: + forall a, agree64 a (to_int64 a). +Proof. + unfold agree64, to_int64; intros. rewrite <- (agree64_repr (unsigned a)). + rewrite repr_unsigned; auto. +Qed. + +Lemma agree64_to_int_eq: + forall a b, agree64 a b -> to_int64 a = b. +Proof. + unfold agree64, to_int64; intros. rewrite H. apply Int64.repr_unsigned. +Qed. + +Lemma agree64_neg: + forall a1 b1, agree64 a1 b1 -> agree64 (Ptrofs.neg a1) (Int64.neg b1). +Proof. + unfold agree64, Ptrofs.neg, Int64.neg; intros. rewrite H. apply agree64_repr. +Qed. + +Lemma agree64_add: + forall a1 b1 a2 b2, + agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.add a1 a2) (Int64.add b1 b2). +Proof. + unfold agree64, Ptrofs.add, Int.add; intros. rewrite H, H0. apply agree64_repr. +Qed. + +Lemma agree64_sub: + forall a1 b1 a2 b2, + agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.sub a1 a2) (Int64.sub b1 b2). +Proof. + unfold agree64, Ptrofs.sub, @sub WORDSIZE32; intros. rewrite H, H0. apply agree64_repr. +Qed. + +Lemma agree64_mul: + forall a1 b1 a2 b2, + agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.mul a1 a2) (Int64.mul b1 b2). +Proof. + unfold agree64, Ptrofs.mul, Int.mul; intros. rewrite H, H0. apply agree64_repr. +Qed. + +Lemma agree64_divs: + forall a1 b1 a2 b2, + agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.divs a1 a2) (Int64.divs b1 b2). +Proof. + intros; unfold agree64, Ptrofs.divs, Int64.divs. + erewrite ! agree64_signed by eauto. apply agree64_repr. +Qed. + +Lemma of_int64_to_int64: + forall n, of_int64 (to_int64 n) = n. +Proof. + intros; unfold of_int64, to_int64. apply eqm_repr_eq. rewrite <- eqm64. + apply Int64.eqm_sym; apply Int64.eqm_unsigned_repr. +Qed. + +Lemma to_int64_of_int64: + forall n, to_int64 (of_int64 n) = n. +Proof. + intros; unfold of_int64, to_int64. rewrite unsigned_repr. apply Int64.repr_unsigned. + unfold max_unsigned. rewrite modulus_eq64. destruct (Int64.unsigned_range n); lia. +Qed. + +End AGREE64. + +Global Hint Resolve + agree32_repr agree32_of_int agree32_of_ints agree32_of_int_eq agree32_of_ints_eq + agree32_to_int agree32_to_int_eq agree32_neg agree32_add agree32_sub agree32_mul agree32_divs + agree64_repr agree64_of_int agree64_of_int_eq + agree64_to_int agree64_to_int_eq agree64_neg agree64_add agree64_sub agree64_mul agree64_divs : ptrofs. + +End Ptrofs. + +Strategy 0 [Wordsize_Ptrofs.wordsize]. + +Notation ptrofs := Ptrofs.int. + +Global Opaque Ptrofs.repr. + +Global Hint Resolve + Int.modulus_pos Int.eqm_refl Int.eqm_refl2 Int.eqm_sym Int.eqm_trans + Int.eqm_small_eq Int.eqm_add Int.eqm_neg Int.eqm_sub Int.eqm_mult + Int.eqm_unsigned_repr Int.eqm_unsigned_repr_l Int.eqm_unsigned_repr_r + @unsigned_range WORDSIZE32 @unsigned_range WORDSIZE32_2 + @repr WORDSIZE32_unsigned @repr WORDSIZE32_signed @unsigned WORDSIZE32_repr : ints. + +Global Hint Resolve + Int64.modulus_pos Int64.eqm_refl Int64.eqm_refl2 Int64.eqm_sym Int64.eqm_trans + Int64.eqm_small_eq Int64.eqm_add Int64.eqm_neg Int64.eqm_sub Int64.eqm_mult + Int64.eqm_unsigned_repr Int64.eqm_unsigned_repr_l Int64.eqm_unsigned_repr_r + Int64.unsigned_range Int64.unsigned_range_2 + Int64.repr_unsigned Int64.repr_signed Int64.unsigned_repr : ints. + +Global Hint Resolve + Ptrofs.modulus_pos Ptrofs.eqm_refl Ptrofs.eqm_refl2 Ptrofs.eqm_sym Ptrofs.eqm_trans + Ptrofs.eqm_small_eq Ptrofs.eqm_add Ptrofs.eqm_neg Ptrofs.eqm_sub Ptrofs.eqm_mult + Ptrofs.eqm_unsigned_repr Ptrofs.eqm_unsigned_repr_l Ptrofs.eqm_unsigned_repr_r + Ptrofs.unsigned_range Ptrofs.unsigned_range_2 + Ptrofs.repr_unsigned Ptrofs.repr_signed Ptrofs.unsigned_repr : ints. *) + +End Shift64With32Bit. \ No newline at end of file diff --git a/proof-libs/coq/src/Pearlite_Example.v b/proof-libs/coq/src/Pearlite_Example.v new file mode 100644 index 000000000..782def6e7 --- /dev/null +++ b/proof-libs/coq/src/Pearlite_Example.v @@ -0,0 +1,19 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition ensure_something (x_0 : int8) (y_1 : int8) `{x_0 = y_1} : bool := + (x_0) =.? (y_1). + +Theorem ensures_ensure_something : forall result_2 (x_0 : int8) (y_1 : int8), + forall {H_0 : x_0 = y_1}, + @ensure_something x_0 y_1 H_0 = result_2 -> + ~ (result_2 = false). + Proof. red ; intros. subst. cbn in *. now rewrite (eq_true y_1) in H0. Qed. + diff --git a/proof-libs/coq/src/QuickChickLib.v b/proof-libs/coq/src/QuickChickLib.v new file mode 100644 index 000000000..55e6dc8f3 --- /dev/null +++ b/proof-libs/coq/src/QuickChickLib.v @@ -0,0 +1,100 @@ +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +From QuickChick Require Import QuickChick. +Require Import Coq.Lists.List. + +#[global] Instance show_unit : Show (unit) := Build_Show (unit) (fun _ => "tt"%string). +Definition g_unit : G (unit) := returnGen tt. +#[global] Instance gen_unit : Gen (unit) := Build_Gen unit g_unit. + +#[global] Instance show_int8 : Show (int8) := + Build_Show (int8) (fun x => show (int8_to_nat x)). +Definition g_int8 : G (int8) := + bindGen (* arbitrary *) (choose (0,1000)) (fun x => returnGen (pub_u8 x)). +#[global] Instance gen_int8 : Gen (int8) := Build_Gen int8 g_int8. + +#[global] Instance show_int32 : Show (int32) := + Build_Show (int32) (fun x => show (int32_to_nat x)). +Definition g_int32 : G (int32) := (* restricted *) + bindGen (choose (0,1000)) (fun x => returnGen (pub_u32 x)). +#[global] Instance gen_int32 : Gen (int32) := Build_Gen int32 g_int32. + +#[global] Instance show_int64 : Show (int64) := + Build_Show (int64) (fun x => show (int64_to_nat x)). +Definition g_int64 : G (int64) := + bindGen (* arbitrary *) (choose (0,1000)) (fun x => returnGen (pub_u64 x)). +#[global] Instance gen_int64 : Gen (int64) := Build_Gen int64 g_int64. + +#[global] Instance show_uint_size : Show (uint_size) := + Build_Show (uint_size) (fun x => show x). +Definition g_uint_size : G (uint_size) := arbitrary. +#[global] Instance gen_uint_size : Gen (uint_size) := Build_Gen uint_size g_uint_size. + + +Inductive dependent_pair {A} (n : nat) := +| elem : forall (l : list A), length l = n -> dependent_pair n. + +Fixpoint g_listOf_aux {A} (gen : G (A)) (n : nat) : G (@dependent_pair A n). + destruct n. + - apply (returnGen). + exists []. + easy. + - apply (bindGen gen). + intros a. + apply (bindGen (g_listOf_aux A gen n)). + intros l. + apply returnGen. + destruct l as [l H]. + exists (a :: l). + cbn. + rewrite H. + easy. +Defined. + +Definition g_listOf {A} (gen : G (A)) : G (list A) := + bindGen arbitrary (fun n : nat => bindGen (g_listOf_aux gen n) (fun '(elem _ l _) => returnGen l)). + +#[global] Instance show_nseq {A} `{Show A} n : Show (nseq A n) := + Build_Show (nseq A n) (fun x => + match x with + | Vector.nil _ => "[]"%string + | Vector.cons _ x n xs => ("[" ++ fold_left (fun a b => (a ++ " " ++ show b)) (VectorDef.to_list xs) (show x) ++ "]")%string + end). + +Definition array_from_list_ (A : Type) (n : nat) (l : list A) `{n = (Datatypes.length l)} : nseq A n. +Proof. + rewrite H. + apply array_from_list. +Defined. +Definition g_nseq {A} `{Gen A} n : G (nseq A n). (* (usize *) + intros. + apply (bindGen' (g_listOf_aux (arbitrary : G A) n)). + intros l sem. + apply returnGen. + + destruct l. + apply array_from_list_ with (l := l). + easy. +Defined. + +#[global] Instance gen_nseq {A} `{Gen A} n : Gen (nseq A n) := Build_Gen (nseq A n) (g_nseq n). + +#[global] Instance show_public_byte_seq : Show (public_byte_seq) := + Build_Show (public_byte_seq) (fun x => + match x with + | [] => "[]"%string + | x :: xs => ("[" ++ fold_left (fun a b => (a ++ " " ++ show b)) xs (show x) ++ "]")%string + end). +Definition g_public_byte_seq : G (public_byte_seq) := + listOf arbitrary. + (* @genList int8 gen_int8. *) + (* listOf (g_int8). *) + (* bindGen g_int8 (fun y => *) + (* bindGen g_int8 (fun x => returnGen ([y ; x]))). *) + (* listOf (g_int8). (*arbitrary*) *) +#[global] Instance gen_public_byte_seq : Gen (public_byte_seq) := + Build_Gen public_byte_seq g_public_byte_seq. diff --git a/proof-libs/coq/src/Strobe.v b/proof-libs/coq/src/Strobe.v new file mode 100644 index 000000000..62958a562 --- /dev/null +++ b/proof-libs/coq/src/Strobe.v @@ -0,0 +1,305 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha3. + +Definition strobe_r_v : int8 := + @repr WORDSIZE8 166. + +Definition flag_i_v : int8 := + @repr WORDSIZE8 1. + +Definition flag_a_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 1). + +Definition flag_c_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 2). + +Definition flag_m_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 4). + +Definition flag_k_v : int8 := + (@repr WORDSIZE8 1) shift_left (usize 5). + +Notation "'state_uint64_t'" := (state_t) : hacspec_scope. + +Definition state_uint8_t := nseq (uint8) (usize 200). + +Notation "'strobe_t'" := ((state_uint8_t '× int8 '× int8 '× int8 +)) : hacspec_scope. + +Definition transmute_state_to_u64 + (state_986 : state_uint8_t) + : state_uint64_t := + let new_state_987 : state_t := + array_new_ (default : uint64) (25) in + let new_state_987 := + foldi (usize 0) (array_len (new_state_987)) (fun i_988 new_state_987 => + let word_989 : uint64_word_t := + array_new_ (default : uint8) (8) in + let word_989 := + foldi (usize 0) (array_len (word_989)) (fun j_990 word_989 => + let word_989 := + array_upd word_989 (j_990) (array_index (state_986) (((i_988) * ( + usize 8)) + (j_990))) in + (word_989)) + word_989 in + let new_state_987 := + array_upd new_state_987 (i_988) (uint64_from_le_bytes (word_989)) in + (new_state_987)) + new_state_987 in + new_state_987. + +Definition transmute_state_to_u8 (state_991 : state_uint64_t) : state_uint8_t := + let new_state_992 : state_uint8_t := + array_new_ (default : uint8) (200) in + let new_state_992 := + foldi (usize 0) (array_len (state_991)) (fun i_993 new_state_992 => + let bytes_994 : seq uint8 := + uint64_to_le_bytes (array_index (state_991) (i_993)) in + let new_state_992 := + foldi (usize 0) (seq_len (bytes_994)) (fun j_995 new_state_992 => + let new_state_992 := + array_upd new_state_992 (((i_993) * (usize 8)) + (j_995)) ( + seq_index (bytes_994) (j_995)) in + (new_state_992)) + new_state_992 in + (new_state_992)) + new_state_992 in + new_state_992. + +Definition run_f (strobe_996 : strobe_t) : strobe_t := + let '(state_997, pos_998, pos_begin_999, cur_fl_1000) := + strobe_996 in + let state_997 := + array_upd state_997 (pos_998) ((array_index (state_997) (pos_998)) .^ ( + secret (pos_begin_999) : int8)) in + let state_997 := + array_upd state_997 ((pos_998) .+ (@repr WORDSIZE8 1)) ((array_index ( + state_997) ((pos_998) .+ (@repr WORDSIZE8 1))) .^ (secret ( + @repr WORDSIZE8 4) : int8)) in + let state_997 := + array_upd state_997 ((strobe_r_v) .+ (@repr WORDSIZE8 1)) ((array_index ( + state_997) ((strobe_r_v) .+ (@repr WORDSIZE8 1))) .^ (secret ( + @repr WORDSIZE8 128) : int8)) in + let state_uint64_1001 : state_t := + transmute_state_to_u64 (state_997) in + let state_997 := + transmute_state_to_u8 (keccakf1600 (state_uint64_1001)) in + let pos_998 := + @repr WORDSIZE8 0 in + let pos_begin_999 := + @repr WORDSIZE8 0 in + (state_997, pos_998, pos_begin_999, cur_fl_1000). + +Definition absorb (strobe_1002 : strobe_t) (data_1003 : seq uint8) : strobe_t := + let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := + strobe_1002 in + let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := + foldi (usize 0) (seq_len (data_1003)) (fun i_1008 '( + state_1004, + pos_1005, + pos_begin_1006, + cur_fl_1007 + ) => + let state_1004 := + array_upd state_1004 (pos_1005) ((array_index (state_1004) ( + pos_1005)) .^ (seq_index (data_1003) (i_1008))) in + let pos_1005 := + (pos_1005) .+ (@repr WORDSIZE8 1) in + let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := + if (pos_1005) =.? (strobe_r_v):bool then (let '( + s_1009, + p_1010, + pb_1011, + cf_1012 + ) := + run_f ((state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) in + let state_1004 := + s_1009 in + let pos_1005 := + p_1010 in + let pos_begin_1006 := + pb_1011 in + let cur_fl_1007 := + cf_1012 in + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) else (( + state_1004, + pos_1005, + pos_begin_1006, + cur_fl_1007 + )) in + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007) in + (state_1004, pos_1005, pos_begin_1006, cur_fl_1007). + +Definition squeeze + (strobe_1013 : strobe_t) + (data_1014 : seq uint8) + : (strobe_t '× seq uint8) := + let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := + strobe_1013 in + let '(data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := + foldi (usize 0) (seq_len (data_1014)) (fun i_1019 '( + data_1014, + state_1015, + pos_1016, + pos_begin_1017, + cur_fl_1018 + ) => + let data_1014 := + seq_upd data_1014 (i_1019) (array_index (state_1015) (pos_1016)) in + let state_1015 := + array_upd state_1015 (pos_1016) (uint8_classify (@repr WORDSIZE8 0)) in + let pos_1016 := + (pos_1016) .+ (@repr WORDSIZE8 1) in + let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := + if (pos_1016) =.? (strobe_r_v):bool then (let '( + s_1020, + p_1021, + pb_1022, + cf_1023 + ) := + run_f (((state_1015), pos_1016, pos_begin_1017, cur_fl_1018)) in + let state_1015 := + s_1020 in + let pos_1016 := + p_1021 in + let pos_begin_1017 := + pb_1022 in + let cur_fl_1018 := + cf_1023 in + (state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) else (( + state_1015, + pos_1016, + pos_begin_1017, + cur_fl_1018 + )) in + (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) + (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) in + ((state_1015, pos_1016, pos_begin_1017, cur_fl_1018), data_1014). + +Definition begin_op + (strobe_1024 : strobe_t) + (flags_1025 : int8) + (more_1026 : bool) + : strobe_t := + let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030) := + strobe_1024 in + let ret_1031 : (state_uint8_t '× int8 '× int8 '× int8) := + (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in + let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031) := + if negb (more_1026):bool then (let old_begin_1032 : int8 := + pos_begin_1029 in + let pos_begin_1029 := + (pos_1028) .+ (@repr WORDSIZE8 1) in + let cur_fl_1030 := + flags_1025 in + let data_1033 : seq uint8 := + seq_new_ (default : uint8) (usize 2) in + let data_1033 := + seq_upd data_1033 (usize 0) (secret (old_begin_1032) : int8) in + let data_1033 := + seq_upd data_1033 (usize 1) (secret (flags_1025) : int8) in + let '(s_1034, p_1035, pb_1036, cf_1037) := + absorb ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) ( + data_1033) in + let state_1027 := + s_1034 in + let pos_1028 := + p_1035 in + let pos_begin_1029 := + pb_1036 in + let cur_fl_1030 := + cf_1037 in + let force_f_1038 : bool := + (@repr WORDSIZE8 0) !=.? ((flags_1025) .& ((flag_c_v) .| ( + flag_k_v))) in + let '(ret_1031) := + if (force_f_1038) && ((pos_1028) !=.? (@repr WORDSIZE8 0)):bool then ( + let ret_1031 := + run_f ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) in + (ret_1031)) else (let ret_1031 := + (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in + (ret_1031)) in + (state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031)) else (( + state_1027, + pos_1028, + pos_begin_1029, + cur_fl_1030, + ret_1031 + )) in + ret_1031. + +Definition new_strobe (protocol_label_1039 : seq uint8) : strobe_t := + let st_1040 : state_uint8_t := + array_new_ (default : uint8) (200) in + let st_1040 := + array_set_chunk (st_1040) (usize 6) (usize 0) ([ + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 96) : int8 + ]) in + let st_1040 := + array_set_chunk (st_1040) (usize 6) (usize 1) ([ + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 84) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 69) : int8 + ]) in + let st_1040 := + array_set_chunk (st_1040) (usize 6) (usize 2) ([ + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 48) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 50) : int8 + ]) in + let st_uint64_1041 : state_t := + transmute_state_to_u64 (st_1040) in + let st_1040 := + transmute_state_to_u8 (keccakf1600 (st_uint64_1041)) in + meta_ad ((st_1040, @repr WORDSIZE8 0, @repr WORDSIZE8 0, @repr WORDSIZE8 0)) ( + protocol_label_1039) (false). + +Definition meta_ad + (strobe_1042 : strobe_t) + (data_1043 : seq uint8) + (more_1044 : bool) + : strobe_t := + let strobe_1042 := + begin_op (strobe_1042) ((flag_m_v) .| (flag_a_v)) (more_1044) in + absorb (strobe_1042) (data_1043). + +Definition ad + (strobe_1045 : strobe_t) + (data_1046 : seq uint8) + (more_1047 : bool) + : strobe_t := + let strobe_1045 := + begin_op (strobe_1045) (flag_a_v) (more_1047) in + absorb (strobe_1045) (data_1046). + +Definition prf + (strobe_1048 : strobe_t) + (data_1049 : seq uint8) + (more_1050 : bool) + : (strobe_t '× seq uint8) := + let strobe_1048 := + begin_op (strobe_1048) (((flag_i_v) .| (flag_a_v)) .| (flag_c_v)) ( + more_1050) in + squeeze (strobe_1048) (data_1049). + diff --git a/proof-libs/coq/src/Tls_Cryptolib.v b/proof-libs/coq/src/Tls_Cryptolib.v new file mode 100644 index 000000000..0f2e2125a --- /dev/null +++ b/proof-libs/coq/src/Tls_Cryptolib.v @@ -0,0 +1,673 @@ +(** This file was automatically generated using Hacspec **) +Set Warnings "-notation-overridden,-ambiguous-paths". +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Aes. + +Require Import Hacspec_Aes128_Gcm. + +Require Import Hacspec_Chacha20. + +Require Import Hacspec_Chacha20poly1305. + +Require Import Hacspec_Curve25519. + +Require Import Hacspec_Ecdsa_P256_Sha256. + +Require Import Hacspec_Gf128. + +Require Import Hacspec_Hkdf. + +Require Import Hacspec_Hmac. + +Require Import Hacspec_P256. + +Require Import Hacspec_Poly1305. + +Require Import Hacspec_Sha256. + +Inductive crypto_error_t := +| CryptoError : crypto_error_t +| HkdfError : crypto_error_t +| InsufficientEntropy : crypto_error_t +| InvalidCert : crypto_error_t +| MacFailed : crypto_error_t +| UnsupportedAlgorithm : crypto_error_t +| VerifyFailed : crypto_error_t. + +Definition empty : byte_seq := + seq_new_ (default : uint8) (usize 0). + +Definition zeros (u_0 : uint_size) : byte_seq := + seq_new_ (default : uint8) (u_0). + +Notation "'entropy_t'" := (byte_seq) : hacspec_scope. + +Definition random_t := nseq (uint8) (usize 32). + +Notation "'dh_sk_t'" := (byte_seq) : hacspec_scope. + +Notation "'dh_pk_t'" := (byte_seq) : hacspec_scope. + +Notation "'signature_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'verification_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'mac_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'key_t'" := (byte_seq) : hacspec_scope. + +Notation "'psk_t'" := (key_t) : hacspec_scope. + +Notation "'digest_t'" := (byte_seq) : hacspec_scope. + +Notation "'hmac_t'" := (byte_seq) : hacspec_scope. + +Notation "'signature_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_iv_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_key_iv_t'" := ((aead_key_t '× aead_iv_t)) : hacspec_scope. + +Inductive named_group_t := +| X25519 : named_group_t +| Secp256r1 : named_group_t. + +Definition eqb_named_group_t (x y : named_group_t) : bool := +match x with + | X25519 => match y with | X25519=> true | _ => false end + | Secp256r1 => match y with | Secp256r1=> true | _ => false end + end. + +Definition eqb_leibniz_named_group_t (x y : named_group_t) : eqb_named_group_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_named_group_t : EqDec (named_group_t) := +Build_EqDec (named_group_t) (eqb_named_group_t) (eqb_leibniz_named_group_t). + + +Inductive hash_algorithm_t := +| SHA256 : hash_algorithm_t +| SHA384 : hash_algorithm_t. + +Definition eqb_hash_algorithm_t (x y : hash_algorithm_t) : bool := +match x with + | SHA256 => match y with | SHA256=> true | _ => false end + | SHA384 => match y with | SHA384=> true | _ => false end + end. + +Definition eqb_leibniz_hash_algorithm_t (x y : hash_algorithm_t) : eqb_hash_algorithm_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_hash_algorithm_t : EqDec (hash_algorithm_t) := +Build_EqDec (hash_algorithm_t) (eqb_hash_algorithm_t) (eqb_leibniz_hash_algorithm_t). + + +Inductive aead_algorithm_t := +| Chacha20Poly1305 : aead_algorithm_t +| Aes128Gcm : aead_algorithm_t +| Aes256Gcm : aead_algorithm_t. + +Definition eqb_aead_algorithm_t (x y : aead_algorithm_t) : bool := +match x with + | Chacha20Poly1305 => match y with | Chacha20Poly1305=> true | _ => false end + | Aes128Gcm => match y with | Aes128Gcm=> true | _ => false end + | Aes256Gcm => match y with | Aes256Gcm=> true | _ => false end + end. + +Definition eqb_leibniz_aead_algorithm_t (x y : aead_algorithm_t) : eqb_aead_algorithm_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_aead_algorithm_t : EqDec (aead_algorithm_t) := +Build_EqDec (aead_algorithm_t) (eqb_aead_algorithm_t) (eqb_leibniz_aead_algorithm_t). + + +Inductive signature_scheme_t := +| ED25519 : signature_scheme_t +| EcdsaSecp256r1Sha256 : signature_scheme_t +| RsaPssRsaSha256 : signature_scheme_t. + +Definition eqb_signature_scheme_t (x y : signature_scheme_t) : bool := +match x with + | ED25519 => match y with | ED25519=> true | _ => false end + | EcdsaSecp256r1Sha256 => + match y with + | EcdsaSecp256r1Sha256=> true + | _ => false + end + | RsaPssRsaSha256 => match y with | RsaPssRsaSha256=> true | _ => false end + end. + +Definition eqb_leibniz_signature_scheme_t (x y : signature_scheme_t) : eqb_signature_scheme_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_signature_scheme_t : EqDec (signature_scheme_t) := +Build_EqDec (signature_scheme_t) (eqb_signature_scheme_t) (eqb_leibniz_signature_scheme_t). + + +Definition hash_len (ha_1 : hash_algorithm_t) : uint_size := + match ha_1 with | SHA256 => usize 32 | SHA384 => usize 48 end. + +Definition hmac_key_len (ha_2 : hash_algorithm_t) : uint_size := + match ha_2 with | SHA256 => usize 32 | SHA384 => usize 48 end. + +Definition ae_key_len (ae_3 : aead_algorithm_t) : uint_size := + match ae_3 with + | Chacha20Poly1305 => usize 32 + | Aes128Gcm => usize 16 + | Aes256Gcm => usize 16 + end. + +Definition ae_iv_len (ae_4 : aead_algorithm_t) : uint_size := + match ae_4 with + | Chacha20Poly1305 => usize 12 + | Aes128Gcm => usize 12 + | Aes256Gcm => usize 12 + end. + +Definition dh_priv_len (gn_5 : named_group_t) : uint_size := + match gn_5 with | X25519 => usize 32 | Secp256r1 => usize 32 end. + +Definition dh_pub_len (gn_6 : named_group_t) : uint_size := + match gn_6 with | X25519 => usize 32 | Secp256r1 => usize 64 end. + +Definition zero_key (ha_7 : hash_algorithm_t) : key_t := + seq_new_ (default : uint8) (usize (hash_len (ha_7))). + +Definition secret_to_public + (group_name_8 : named_group_t) + (x_9 : dh_sk_t) + : (result dh_pk_t crypto_error_t) := + match group_name_8 with + | Secp256r1 => match p256_point_mul_base (nat_mod_from_byte_seq_be ( + x_9) : p256_scalar_t) with + | Ok ((x_10, y_11)) => @Ok dh_pk_t crypto_error_t (seq_concat ( + nat_mod_to_byte_seq_be (x_10)) (nat_mod_to_byte_seq_be (y_11))) + | Err (_) => @Err dh_pk_t crypto_error_t (CryptoError) + end + | X25519 => @Ok dh_pk_t crypto_error_t (seq_from_seq ( + array_to_seq (x25519_secret_to_public (array_from_seq (32) (x_9))))) + end. + +Definition p256_check_point_len + (p_12 : dh_pk_t) + : (result unit crypto_error_t) := + (if ((seq_len (p_12)) !=.? (usize 64)):bool then (@Err unit crypto_error_t ( + CryptoError)) else (@Ok unit crypto_error_t (tt))). + +Definition p256_ecdh + (x_13 : dh_sk_t) + (y_14 : dh_pk_t) + : (result key_t crypto_error_t) := + bind (p256_check_point_len (y_14)) (fun _ => let pk_15 : ( + p256_field_element_t '× + p256_field_element_t + ) := + ( + nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 0, usize 32 + ))) : p256_field_element_t, + nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 32, usize 64 + ))) : p256_field_element_t + ) in + match p256_point_mul (nat_mod_from_byte_seq_be (x_13) : p256_scalar_t) ( + pk_15) with + | Ok ((x_16, y_17)) => @Ok key_t crypto_error_t (seq_concat ( + nat_mod_to_byte_seq_be (x_16)) (nat_mod_to_byte_seq_be (y_17))) + | Err (_) => @Err key_t crypto_error_t (CryptoError) + end). + +Definition ecdh + (group_name_18 : named_group_t) + (x_19 : dh_sk_t) + (y_20 : dh_pk_t) + : (result key_t crypto_error_t) := + match group_name_18 with + | Secp256r1 => p256_ecdh (x_19) (y_20) + | X25519 => @Ok key_t crypto_error_t (seq_from_seq ( + array_to_seq (x25519_scalarmult (array_from_seq (32) (x_19)) ( + array_from_seq (32) (y_20))))) + end. + +Notation "'kem_scheme_t'" := (named_group_t) : hacspec_scope. + +Notation "'kem_sk_t'" := (byte_seq) : hacspec_scope. + +Notation "'kem_pk_t'" := (byte_seq) : hacspec_scope. + +Definition kem_priv_len (ks_21 : kem_scheme_t) : uint_size := + dh_priv_len (ks_21). + +Definition kem_pub_len (ks_22 : kem_scheme_t) : uint_size := + dh_pub_len (ks_22). + +Definition kem_priv_to_pub + (ks_23 : kem_scheme_t) + (sk_24 : kem_sk_t) + : (result kem_pk_t crypto_error_t) := + secret_to_public (ks_23) (sk_24). + +Definition kem_keygen_inner + (ks_25 : kem_scheme_t) + (ent_26 : entropy_t) + : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := + let sk_27 : seq uint8 := + seq_from_seq (seq_slice_range (ent_26) ((usize 0, dh_priv_len (ks_25)))) in + bind (kem_priv_to_pub (ks_25) (sk_27)) (fun pk_28 => @Ok ( + kem_sk_t '× + kem_pk_t + ) crypto_error_t ((sk_27, pk_28))). + +Definition kem_keygen + (ks_29 : kem_scheme_t) + (ent_30 : entropy_t) + : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := + (if ((seq_len (ent_30)) <.? (dh_priv_len (ks_29))):bool then (@Err ( + kem_sk_t '× + kem_pk_t + ) crypto_error_t (InsufficientEntropy)) else (kem_keygen_inner (ks_29) ( + ent_30))). + +Definition kem_encap + (ks_31 : kem_scheme_t) + (pk_32 : kem_pk_t) + (ent_33 : entropy_t) + : (result (key_t '× byte_seq) crypto_error_t) := + bind (kem_keygen (ks_31) (ent_33)) (fun '(x_34, gx_35) => bind (ecdh (ks_31) ( + x_34) (pk_32)) (fun gxy_36 => @Ok (key_t '× byte_seq) crypto_error_t (( + gxy_36, + gx_35 + )))). + +Definition kem_decap + (ks_37 : kem_scheme_t) + (ct_38 : byte_seq) + (sk_39 : kem_sk_t) + : (result key_t crypto_error_t) := + bind (ecdh (ks_37) (sk_39) (ct_38)) (fun gxy_40 => @Ok key_t crypto_error_t ( + gxy_40)). + +Definition hash + (ha_41 : hash_algorithm_t) + (payload_42 : byte_seq) + : (result digest_t crypto_error_t) := + match ha_41 with + | SHA256 => @Ok digest_t crypto_error_t (seq_from_seq (array_to_seq (sha256 ( + payload_42)))) + | SHA384 => @Err digest_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hmac_tag + (ha_43 : hash_algorithm_t) + (mk_44 : mac_key_t) + (payload_45 : byte_seq) + : (result hmac_t crypto_error_t) := + match ha_43 with + | SHA256 => @Ok hmac_t crypto_error_t (seq_from_seq (array_to_seq (hmac ( + mk_44) (payload_45)))) + | SHA384 => @Err hmac_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition check_tag_len + (a_46 : hmac_t) + (b_47 : hmac_t) + : (result unit crypto_error_t) := + (if ((seq_len (a_46)) =.? (seq_len (b_47))):bool then ( + @Ok unit crypto_error_t (tt)) else (@Err unit crypto_error_t ( + MacFailed))). + +Definition check_bytes + (a_48 : uint8) + (b_49 : uint8) + : (result unit crypto_error_t) := + (if (negb (uint8_equal (a_48) (b_49))):bool then (@Err unit crypto_error_t ( + MacFailed)) else (@Ok unit crypto_error_t (tt))). + +Definition hmac_verify + (ha_50 : hash_algorithm_t) + (mk_51 : mac_key_t) + (payload_52 : byte_seq) + (m_53 : hmac_t) + : (result unit crypto_error_t) := + bind (hmac_tag (ha_50) (mk_51) (payload_52)) (fun my_hmac_54 => bind ( + check_tag_len (m_53) (my_hmac_54)) (fun _ => bind (foldibnd (usize 0) to ( + seq_len (m_53)) for tt >> (fun i_55 'tt => + bind (check_bytes (seq_index (my_hmac_54) (i_55)) (seq_index (m_53) ( + i_55))) (fun _ => @Ok unit crypto_error_t (tt)))) (fun _ => + @Ok unit crypto_error_t (tt)))). + +Definition ec_oid_tag_t := nseq (uint8) (usize 9). + +Definition get_length_length (b_56 : byte_seq) : uint_size := + (if (((uint8_declassify (seq_index (b_56) (usize 0))) shift_right ( + usize 7)) =.? (@repr WORDSIZE8 1)):bool then ( + declassify_usize_from_uint8 ((seq_index (b_56) (usize 0)) .& (secret ( + @repr WORDSIZE8 127) : int8))) else (usize 0)). + +Definition get_length (b_57 : byte_seq) (len_58 : uint_size) : uint_size := + (@cast _ uint32 _ (declassify_u32_from_uint32 (uint32_from_be_bytes ( + array_from_slice (default : uint8) (4) (b_57) (usize 0) ( + len_58))))) usize_shift_right (((usize 4) - (len_58)) * (usize 8)). + +Definition get_short_length (b_59 : byte_seq) : uint_size := + declassify_usize_from_uint8 ((seq_index (b_59) (usize 0)) .& (secret ( + @repr WORDSIZE8 127) : int8)). + +Definition verification_key_from_cert + (cert_60 : byte_seq) + : (result verification_key_t crypto_error_t) := + let skip_61 : uint_size := + ((usize 2) + (get_length_length (seq_slice_range (cert_60) (( + usize 1, + seq_len (cert_60) + ))))) + (usize 1) in + let seq1_len_len_62 : uint_size := + get_length_length (seq_slice_range (cert_60) ((skip_61, seq_len (cert_60) + ))) in + let skip_63 : uint_size := + (skip_61) + (usize 1) in + let seq1_len_64 : uint_size := + get_length (seq_slice (cert_60) (skip_63) ((seq_len (cert_60)) - ( + skip_63))) (seq1_len_len_62) in + let seq1_65 : seq uint8 := + seq_slice_range (cert_60) (( + (skip_63) + (seq1_len_len_62), + ((skip_63) + (seq1_len_len_62)) + (seq1_len_64) + )) in + let pk_66 : seq uint8 := + seq_new_ (default : uint8) (usize 0) in + let '(seq1_65, pk_66) := + foldi (usize 0) (seq_len (seq1_65)) (fun i_67 '(seq1_65, pk_66) => + let '(seq1_65, pk_66) := + if (seq_len (seq1_65)) >.? (usize 0):bool then ( + let element_type_68 : int8 := + uint8_declassify (seq_index (seq1_65) (usize 0)) in + let seq1_65 := + seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in + let len_len_69 : uint_size := + get_length_length (seq1_65) in + let len_70 : uint_size := + get_short_length (seq1_65) in + let seq1_65 := + seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in + let '(len_70) := + if (len_len_69) !=.? (usize 0):bool then (let len_70 := + (get_length (seq1_65) (len_len_69)) + (len_len_69) in + (len_70)) else ((len_70)) in + let '(pk_66) := + if ((element_type_68) =.? (@repr WORDSIZE8 48)) && ((seq_len ( + pk_66)) =.? (usize 0)):bool then (let seq2_71 : seq uint8 := + seq_slice (seq1_65) (len_len_69) (len_70) in + let element_type_72 : int8 := + uint8_declassify (seq_index (seq2_71) (usize 0)) in + let seq2_73 : seq uint8 := + seq_slice (seq2_71) (usize 1) ((seq_len (seq2_71)) - ( + usize 1)) in + let '(pk_66) := + if (element_type_72) =.? (@repr WORDSIZE8 48):bool then ( + let len_len_74 : uint_size := + get_length_length (seq2_73) in + let '(pk_66) := + if (len_len_74) =.? (usize 0):bool then ( + let oid_len_75 : uint_size := + get_short_length (seq2_73) in + let '(pk_66) := + if (oid_len_75) >=.? (usize 9):bool then ( + let expected_76 : seq uint8 := + seq_from_seq (array_to_seq (array_from_list uint8 ( + let l := + [ + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 7) : int8; + secret (@repr WORDSIZE8 42) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 1) : int8 + ] in l))) in + let oid_77 : seq uint8 := + seq_slice (seq2_73) (usize 1) (usize 9) in + let ec_pk_oid_78 : bool := + true in + let ec_pk_oid_78 := + foldi (usize 0) (usize 9) (fun i_79 ec_pk_oid_78 => + let oid_byte_equal_80 : bool := + (uint8_declassify (seq_index (oid_77) ( + i_79))) =.? (uint8_declassify (seq_index ( + expected_76) (i_79))) in + let ec_pk_oid_78 := + (ec_pk_oid_78) && (oid_byte_equal_80) in + (ec_pk_oid_78)) + ec_pk_oid_78 in + let '(pk_66) := + if ec_pk_oid_78:bool then ( + let bit_string_81 : seq uint8 := + seq_slice (seq2_73) ((oid_len_75) + (usize 1)) ( + ((seq_len (seq2_73)) - (oid_len_75)) - ( + usize 1)) in + let '(pk_66) := + if (uint8_declassify (seq_index ( + bit_string_81) (usize 0))) =.? ( + @repr WORDSIZE8 3):bool then ( + let pk_len_82 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 1)) in + let zeroes_83 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 2)) in + let uncompressed_84 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 3)) in + let pk_66 := + seq_slice (bit_string_81) (usize 4) (( + pk_len_82) - (usize 2)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + let seq1_65 := + seq_slice (seq1_65) (len_70) ((seq_len (seq1_65)) - (len_70)) in + (seq1_65, pk_66)) else ((seq1_65, pk_66)) in + (seq1_65, pk_66)) + (seq1_65, pk_66) in + (if ((seq_len (pk_66)) =.? (usize 0)):bool then ( + @Err verification_key_t crypto_error_t (InvalidCert)) else ( + @Ok verification_key_t crypto_error_t (pk_66))). + +Definition concat_signature + (r_85 : p256_scalar_t) + (s_86 : p256_scalar_t) + : (result signature_t crypto_error_t) := + let signature_87 : seq uint8 := + seq_concat (seq_concat (seq_new_ (default : uint8) (usize 0)) ( + nat_mod_to_byte_seq_be (r_85))) (nat_mod_to_byte_seq_be (s_86)) in + @Ok signature_t crypto_error_t (signature_87). + +Definition p256_sign + (ps_88 : signature_key_t) + (payload_89 : byte_seq) + (ent_90 : entropy_t) + : (result signature_t crypto_error_t) := + let random_91 : random_t := + array_from_seq (32) (seq_slice_range (ent_90) ((usize 0, usize 32))) in + let nonce_92 : p256_scalar_t := + nat_mod_from_byte_seq_be (array_to_seq (random_91)) : p256_scalar_t in + match ecdsa_p256_sha256_sign (payload_89) (nat_mod_from_byte_seq_be ( + ps_88) : p256_scalar_t) (nonce_92) with + | Ok ((r_93, s_94)) => concat_signature (r_93) (s_94) + | Err (_) => @Err signature_t crypto_error_t (CryptoError) + end. + +Definition sign + (sa_95 : signature_scheme_t) + (ps_96 : signature_key_t) + (payload_97 : byte_seq) + (ent_98 : entropy_t) + : (result signature_t crypto_error_t) := + match sa_95 with + | EcdsaSecp256r1Sha256 => p256_sign (ps_96) (payload_97) (ent_98) + | ED25519 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) + | RsaPssRsaSha256 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition p256_verify + (pk_99 : verification_key_t) + (payload_100 : byte_seq) + (sig_101 : byte_seq) + : (result unit crypto_error_t) := + let '(pk_x_102, pk_y_103) := + ( + nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 0) ( + usize 32)) : p256_field_element_t, + nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 32) ( + usize 32)) : p256_field_element_t + ) in + let '(r_104, s_105) := + ( + nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 0) ( + usize 32)) : p256_scalar_t, + nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 32) ( + usize 32)) : p256_scalar_t + ) in + match ecdsa_p256_sha256_verify (payload_100) ((pk_x_102, pk_y_103)) (( + r_104, + s_105 + )) with + | Ok (tt) => @Ok unit crypto_error_t (tt) + | Err (_) => @Err unit crypto_error_t (VerifyFailed) + end. + +Definition verify + (sa_106 : signature_scheme_t) + (pk_107 : verification_key_t) + (payload_108 : byte_seq) + (sig_109 : byte_seq) + : (result unit crypto_error_t) := + match sa_106 with + | EcdsaSecp256r1Sha256 => p256_verify (pk_107) (payload_108) (sig_109) + | ED25519 => @Err unit crypto_error_t (UnsupportedAlgorithm) + | RsaPssRsaSha256 => @Err unit crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hkdf_extract + (ha_110 : hash_algorithm_t) + (k_111 : key_t) + (salt_112 : key_t) + : (result key_t crypto_error_t) := + match ha_110 with + | SHA256 => @Ok key_t crypto_error_t (seq_from_seq (array_to_seq (extract ( + salt_112) (k_111)))) + | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hkdf_expand + (ha_113 : hash_algorithm_t) + (k_114 : key_t) + (info_115 : byte_seq) + (len_116 : uint_size) + : (result key_t crypto_error_t) := + match ha_113 with + | SHA256 => match expand (k_114) (info_115) (len_116) with + | Ok (b_117) => @Ok key_t crypto_error_t (seq_from_seq (b_117)) + | Err (_) => @Err key_t crypto_error_t (HkdfError) + end + | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition aes128_encrypt + (k_118 : aead_key_t) + (iv_119 : aead_iv_t) + (payload_120 : byte_seq) + (ad_121 : byte_seq) + : (result byte_seq crypto_error_t) := + let '(ctxt_122, tag_123) := + encrypt_aes128 (array_from_seq (_) (k_118)) (array_from_seq (_) (iv_119)) ( + ad_121) (payload_120) in + @Ok byte_seq crypto_error_t (seq_concat (ctxt_122) (seq_from_seq ( + array_to_seq (tag_123)))). + +Definition chacha_encrypt + (k_124 : aead_key_t) + (iv_125 : aead_iv_t) + (payload_126 : byte_seq) + (ad_127 : byte_seq) + : (result byte_seq crypto_error_t) := + let '(ctxt_128, tag_129) := + chacha20_poly1305_encrypt (array_from_seq (32) (k_124)) (array_from_seq ( + 12) (iv_125)) (ad_127) (payload_126) in + @Ok byte_seq crypto_error_t (seq_concat (ctxt_128) (array_to_seq (tag_129))). + +Definition aead_encrypt + (a_130 : aead_algorithm_t) + (k_131 : aead_key_t) + (iv_132 : aead_iv_t) + (payload_133 : byte_seq) + (ad_134 : byte_seq) + : (result byte_seq crypto_error_t) := + match a_130 with + | Aes128Gcm => aes128_encrypt (k_131) (iv_132) (payload_133) (ad_134) + | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) + | Chacha20Poly1305 => chacha_encrypt (k_131) (iv_132) (payload_133) (ad_134) + end. + +Definition aes128_decrypt + (k_135 : aead_key_t) + (iv_136 : aead_iv_t) + (ciphertext_137 : byte_seq) + (ad_138 : byte_seq) + : (result byte_seq crypto_error_t) := + match decrypt_aes128 (array_from_seq (_) (k_135)) (array_from_seq (_) ( + iv_136)) (ad_138) (seq_slice_range (ciphertext_137) (( + usize 0, + (seq_len (ciphertext_137)) - (usize 16) + ))) (array_from_seq (_) (seq_slice_range (ciphertext_137) (( + (seq_len (ciphertext_137)) - (usize 16), + seq_len (ciphertext_137) + )))) with + | Ok (m_139) => @Ok byte_seq crypto_error_t (m_139) + | Err (_) => @Err byte_seq crypto_error_t (MacFailed) + end. + +Definition chacha_decrypt + (k_140 : aead_key_t) + (iv_141 : aead_iv_t) + (ciphertext_142 : byte_seq) + (ad_143 : byte_seq) + : (result byte_seq crypto_error_t) := + match chacha20_poly1305_decrypt (array_from_seq (32) (k_140)) ( + array_from_seq (12) (iv_141)) (ad_143) (seq_slice_range (ciphertext_142) (( + usize 0, + (seq_len (ciphertext_142)) - (usize 16) + ))) (array_from_seq (16) (seq_slice_range (ciphertext_142) (( + (seq_len (ciphertext_142)) - (usize 16), + seq_len (ciphertext_142) + )))) with + | Ok (ptxt_144) => @Ok byte_seq crypto_error_t (ptxt_144) + | Err (_) => @Err byte_seq crypto_error_t (MacFailed) + end. + +Definition aead_decrypt + (a_145 : aead_algorithm_t) + (k_146 : aead_key_t) + (iv_147 : aead_iv_t) + (ciphertext_148 : byte_seq) + (ad_149 : byte_seq) + : (result byte_seq crypto_error_t) := + match a_145 with + | Aes128Gcm => aes128_decrypt (k_146) (iv_147) (ciphertext_148) (ad_149) + | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) + | Chacha20Poly1305 => chacha_decrypt (k_146) (iv_147) (ciphertext_148) ( + ad_149) + end. + diff --git a/proof-libs/coq/src/_vc/Hacspec_Aes.v b/proof-libs/coq/src/_vc/Hacspec_Aes.v new file mode 100644 index 000000000..bb00b4b98 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Aes.v @@ -0,0 +1,714 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition blocksize_v : uint_size := + usize 16. + +Definition ivsize_v : uint_size := + usize 12. + +Definition key_length_v : uint_size := + usize 4. + +Definition rounds_v : uint_size := + usize 10. + +Definition key_schedule_length_v : uint_size := + usize 176. + +Definition iterations_v : uint_size := + usize 40. + +Definition invalid_key_expansion_index_v : int8 := + @repr WORDSIZE8 1. + +Definition block_t := nseq (uint8) (blocksize_v). + +Definition word_t := nseq (uint8) (key_length_v). + +Definition round_key_t := nseq (uint8) (blocksize_v). + +Definition aes_nonce_t := nseq (uint8) (ivsize_v). + +Definition s_box_t := nseq (uint8) (usize 256). + +Definition r_con_t := nseq (uint8) (usize 15). + +Definition bytes144_t := nseq (uint8) (usize 144). + +Definition bytes176_t := nseq (uint8) (key_schedule_length_v). + +Definition key128_t := nseq (uint8) (blocksize_v). + +Notation "'byte_seq_result_t'" := ((result byte_seq int8)) : hacspec_scope. + +Notation "'block_result_t'" := ((result block_t int8)) : hacspec_scope. + +Notation "'word_result_t'" := ((result word_t int8)) : hacspec_scope. + +Definition sbox_v : s_box_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 123) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 111) : int8; + secret (@repr WORDSIZE8 197) : int8; + secret (@repr WORDSIZE8 48) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 103) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 215) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 202) : int8; + secret (@repr WORDSIZE8 130) : int8; + secret (@repr WORDSIZE8 201) : int8; + secret (@repr WORDSIZE8 125) : int8; + secret (@repr WORDSIZE8 250) : int8; + secret (@repr WORDSIZE8 89) : int8; + secret (@repr WORDSIZE8 71) : int8; + secret (@repr WORDSIZE8 240) : int8; + secret (@repr WORDSIZE8 173) : int8; + secret (@repr WORDSIZE8 212) : int8; + secret (@repr WORDSIZE8 162) : int8; + secret (@repr WORDSIZE8 175) : int8; + secret (@repr WORDSIZE8 156) : int8; + secret (@repr WORDSIZE8 164) : int8; + secret (@repr WORDSIZE8 114) : int8; + secret (@repr WORDSIZE8 192) : int8; + secret (@repr WORDSIZE8 183) : int8; + secret (@repr WORDSIZE8 253) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 38) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 63) : int8; + secret (@repr WORDSIZE8 247) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 52) : int8; + secret (@repr WORDSIZE8 165) : int8; + secret (@repr WORDSIZE8 229) : int8; + secret (@repr WORDSIZE8 241) : int8; + secret (@repr WORDSIZE8 113) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 21) : int8; + secret (@repr WORDSIZE8 4) : int8; + secret (@repr WORDSIZE8 199) : int8; + secret (@repr WORDSIZE8 35) : int8; + secret (@repr WORDSIZE8 195) : int8; + secret (@repr WORDSIZE8 24) : int8; + secret (@repr WORDSIZE8 150) : int8; + secret (@repr WORDSIZE8 5) : int8; + secret (@repr WORDSIZE8 154) : int8; + secret (@repr WORDSIZE8 7) : int8; + secret (@repr WORDSIZE8 18) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 178) : int8; + secret (@repr WORDSIZE8 117) : int8; + secret (@repr WORDSIZE8 9) : int8; + secret (@repr WORDSIZE8 131) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 110) : int8; + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 82) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 214) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 41) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 47) : int8; + secret (@repr WORDSIZE8 132) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 237) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 252) : int8; + secret (@repr WORDSIZE8 177) : int8; + secret (@repr WORDSIZE8 91) : int8; + secret (@repr WORDSIZE8 106) : int8; + secret (@repr WORDSIZE8 203) : int8; + secret (@repr WORDSIZE8 190) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 76) : int8; + secret (@repr WORDSIZE8 88) : int8; + secret (@repr WORDSIZE8 207) : int8; + secret (@repr WORDSIZE8 208) : int8; + secret (@repr WORDSIZE8 239) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 251) : int8; + secret (@repr WORDSIZE8 67) : int8; + secret (@repr WORDSIZE8 77) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 133) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 249) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 80) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 159) : int8; + secret (@repr WORDSIZE8 168) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 163) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 143) : int8; + secret (@repr WORDSIZE8 146) : int8; + secret (@repr WORDSIZE8 157) : int8; + secret (@repr WORDSIZE8 56) : int8; + secret (@repr WORDSIZE8 245) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 218) : int8; + secret (@repr WORDSIZE8 33) : int8; + secret (@repr WORDSIZE8 16) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 243) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 205) : int8; + secret (@repr WORDSIZE8 12) : int8; + secret (@repr WORDSIZE8 19) : int8; + secret (@repr WORDSIZE8 236) : int8; + secret (@repr WORDSIZE8 95) : int8; + secret (@repr WORDSIZE8 151) : int8; + secret (@repr WORDSIZE8 68) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 196) : int8; + secret (@repr WORDSIZE8 167) : int8; + secret (@repr WORDSIZE8 126) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 100) : int8; + secret (@repr WORDSIZE8 93) : int8; + secret (@repr WORDSIZE8 25) : int8; + secret (@repr WORDSIZE8 115) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 220) : int8; + secret (@repr WORDSIZE8 34) : int8; + secret (@repr WORDSIZE8 42) : int8; + secret (@repr WORDSIZE8 144) : int8; + secret (@repr WORDSIZE8 136) : int8; + secret (@repr WORDSIZE8 70) : int8; + secret (@repr WORDSIZE8 238) : int8; + secret (@repr WORDSIZE8 184) : int8; + secret (@repr WORDSIZE8 20) : int8; + secret (@repr WORDSIZE8 222) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 11) : int8; + secret (@repr WORDSIZE8 219) : int8; + secret (@repr WORDSIZE8 224) : int8; + secret (@repr WORDSIZE8 50) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 10) : int8; + secret (@repr WORDSIZE8 73) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 36) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 211) : int8; + secret (@repr WORDSIZE8 172) : int8; + secret (@repr WORDSIZE8 98) : int8; + secret (@repr WORDSIZE8 145) : int8; + secret (@repr WORDSIZE8 149) : int8; + secret (@repr WORDSIZE8 228) : int8; + secret (@repr WORDSIZE8 121) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 200) : int8; + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 109) : int8; + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 213) : int8; + secret (@repr WORDSIZE8 78) : int8; + secret (@repr WORDSIZE8 169) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 86) : int8; + secret (@repr WORDSIZE8 244) : int8; + secret (@repr WORDSIZE8 234) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 122) : int8; + secret (@repr WORDSIZE8 174) : int8; + secret (@repr WORDSIZE8 8) : int8; + secret (@repr WORDSIZE8 186) : int8; + secret (@repr WORDSIZE8 120) : int8; + secret (@repr WORDSIZE8 37) : int8; + secret (@repr WORDSIZE8 46) : int8; + secret (@repr WORDSIZE8 28) : int8; + secret (@repr WORDSIZE8 166) : int8; + secret (@repr WORDSIZE8 180) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 232) : int8; + secret (@repr WORDSIZE8 221) : int8; + secret (@repr WORDSIZE8 116) : int8; + secret (@repr WORDSIZE8 31) : int8; + secret (@repr WORDSIZE8 75) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 139) : int8; + secret (@repr WORDSIZE8 138) : int8; + secret (@repr WORDSIZE8 112) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 181) : int8; + secret (@repr WORDSIZE8 102) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 14) : int8; + secret (@repr WORDSIZE8 97) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 87) : int8; + secret (@repr WORDSIZE8 185) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 193) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 225) : int8; + secret (@repr WORDSIZE8 248) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 17) : int8; + secret (@repr WORDSIZE8 105) : int8; + secret (@repr WORDSIZE8 217) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 148) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 30) : int8; + secret (@repr WORDSIZE8 135) : int8; + secret (@repr WORDSIZE8 233) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 40) : int8; + secret (@repr WORDSIZE8 223) : int8; + secret (@repr WORDSIZE8 140) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 137) : int8; + secret (@repr WORDSIZE8 13) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 230) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 65) : int8; + secret (@repr WORDSIZE8 153) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 84) : int8; + secret (@repr WORDSIZE8 187) : int8; + secret (@repr WORDSIZE8 22) : int8 + ] in l). + +Definition rcon_v : r_con_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 141) : int8; + secret (@repr WORDSIZE8 1) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 4) : int8; + secret (@repr WORDSIZE8 8) : int8; + secret (@repr WORDSIZE8 16) : int8; + secret (@repr WORDSIZE8 32) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 128) : int8; + secret (@repr WORDSIZE8 27) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 108) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 171) : int8; + secret (@repr WORDSIZE8 77) : int8 + ] in l). + +Definition sub_bytes (state_150 : block_t) : block_t := + let st_151 : block_t := + state_150 in + let st_151 := + foldi (usize 0) (blocksize_v) (fun i_152 st_151 => + let st_151 := + array_upd st_151 (i_152) (array_index (sbox_v) (uint8_declassify ( + array_index (state_150) (i_152)))) in + (st_151)) + st_151 in + st_151. + +Definition shift_row + (i_153 : uint_size) + (shift_154 : uint_size) + (state_155 : block_t) + : block_t := + let out_156 : block_t := + state_155 in + let out_156 := + array_upd out_156 (i_153) (array_index (state_155) ((i_153) + ((usize 4) * ( + (shift_154) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 4)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 1)) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 8)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 2)) %% (usize 4))))) in + let out_156 := + array_upd out_156 ((i_153) + (usize 12)) (array_index (state_155) (( + i_153) + ((usize 4) * (((shift_154) + (usize 3)) %% (usize 4))))) in + out_156. + +Definition shift_rows (state_157 : block_t) : block_t := + let state_158 : block_t := + shift_row (usize 1) (usize 1) (state_157) in + let state_159 : block_t := + shift_row (usize 2) (usize 2) (state_158) in + shift_row (usize 3) (usize 3) (state_159). + +Definition xtime (x_160 : uint8) : uint8 := + let x1_161 : uint8 := + (x_160) shift_left (usize 1) in + let x7_162 : uint8 := + (x_160) shift_right (usize 7) in + let x71_163 : uint8 := + (x7_162) .& (secret (@repr WORDSIZE8 1) : int8) in + let x711b_164 : uint8 := + (x71_163) .* (secret (@repr WORDSIZE8 27) : int8) in + (x1_161) .^ (x711b_164). + +Definition mix_column (c_165 : uint_size) (state_166 : block_t) : block_t := + let i0_167 : uint_size := + (usize 4) * (c_165) in + let s0_168 : uint8 := + array_index (state_166) (i0_167) in + let s1_169 : uint8 := + array_index (state_166) ((i0_167) + (usize 1)) in + let s2_170 : uint8 := + array_index (state_166) ((i0_167) + (usize 2)) in + let s3_171 : uint8 := + array_index (state_166) ((i0_167) + (usize 3)) in + let st_172 : block_t := + state_166 in + let tmp_173 : uint8 := + (((s0_168) .^ (s1_169)) .^ (s2_170)) .^ (s3_171) in + let st_172 := + array_upd st_172 (i0_167) (((s0_168) .^ (tmp_173)) .^ (xtime ((s0_168) .^ ( + s1_169)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 1)) (((s1_169) .^ (tmp_173)) .^ (xtime ( + (s1_169) .^ (s2_170)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 2)) (((s2_170) .^ (tmp_173)) .^ (xtime ( + (s2_170) .^ (s3_171)))) in + let st_172 := + array_upd st_172 ((i0_167) + (usize 3)) (((s3_171) .^ (tmp_173)) .^ (xtime ( + (s3_171) .^ (s0_168)))) in + st_172. + +Definition mix_columns (state_174 : block_t) : block_t := + let state_175 : block_t := + mix_column (usize 0) (state_174) in + let state_176 : block_t := + mix_column (usize 1) (state_175) in + let state_177 : block_t := + mix_column (usize 2) (state_176) in + mix_column (usize 3) (state_177). + +Definition add_round_key + (state_178 : block_t) + (key_179 : round_key_t) + : block_t := + let out_180 : block_t := + state_178 in + let out_180 := + foldi (usize 0) (blocksize_v) (fun i_181 out_180 => + let out_180 := + array_upd out_180 (i_181) ((array_index (out_180) (i_181)) .^ ( + array_index (key_179) (i_181))) in + (out_180)) + out_180 in + out_180. + +Definition aes_enc + (state_182 : block_t) + (round_key_183 : round_key_t) + : block_t := + let state_184 : block_t := + sub_bytes (state_182) in + let state_185 : block_t := + shift_rows (state_184) in + let state_186 : block_t := + mix_columns (state_185) in + add_round_key (state_186) (round_key_183). + +Definition aes_enc_last + (state_187 : block_t) + (round_key_188 : round_key_t) + : block_t := + let state_189 : block_t := + sub_bytes (state_187) in + let state_190 : block_t := + shift_rows (state_189) in + add_round_key (state_190) (round_key_188). + +Definition rounds_aes (state_191 : block_t) (key_192 : byte_seq) : block_t := + let out_193 : block_t := + state_191 in + let out_193 := + foldi (usize 0) (seq_num_chunks (key_192) ( + blocksize_v)) (fun i_194 out_193 => + let '(_, key_block_195) := + seq_get_chunk (key_192) (blocksize_v) (i_194) in + let out_193 := + aes_enc (out_193) (array_from_seq (blocksize_v) (key_block_195)) in + (out_193)) + out_193 in + out_193. + +Definition block_cipher_aes + (input_196 : block_t) + (key_197 : byte_seq) + (nr_198 : uint_size) + : block_t := + let k0_199 : round_key_t := + array_from_slice_range (default) (blocksize_v) (key_197) ((usize 0, usize 16 + )) in + let k_200 : seq uint8 := + seq_from_slice_range (key_197) ((usize 16, (nr_198) * (usize 16))) in + let kn_201 : round_key_t := + array_from_slice (default) (blocksize_v) (key_197) ((nr_198) * (usize 16)) ( + usize 16) in + let state_202 : block_t := + add_round_key (input_196) (k0_199) in + let state_203 : block_t := + rounds_aes (state_202) (k_200) in + aes_enc_last (state_203) (kn_201). + +Definition rotate_word (w_204 : word_t) : word_t := + array_from_list uint8 (let l := + [ + array_index (w_204) (usize 1); + array_index (w_204) (usize 2); + array_index (w_204) (usize 3); + array_index (w_204) (usize 0) + ] in l). + +Definition slice_word (w_205 : word_t) : word_t := + array_from_list uint8 (let l := + [ + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 0))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 1))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 2))); + array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( + usize 3))) + ] in l). + +Definition aes_keygen_assist (w_206 : word_t) (rcon_207 : uint8) : word_t := + let k_208 : word_t := + rotate_word (w_206) in + let k_208 := + slice_word (k_208) in + let k_208 := + array_upd k_208 (usize 0) ((array_index (k_208) (usize 0)) .^ ( + rcon_207)) in + k_208. + +Definition key_expansion_word + (w0_209 : word_t) + (w1_210 : word_t) + (i_211 : uint_size) + (nk_212 : uint_size) + (nr_213 : uint_size) + : word_result_t := + let k_214 : word_t := + w1_210 in + let result_215 : (result word_t int8) := + @Err word_t int8 (invalid_key_expansion_index_v) in + let '(k_214, result_215) := + if (i_211) <.? ((usize 4) * ((nr_213) + (usize 1))):bool then (let '(k_214 + ) := + if ((i_211) %% (nk_212)) =.? (usize 0):bool then (let k_214 := + aes_keygen_assist (k_214) (array_index (rcon_v) ((i_211) / ( + nk_212))) in + (k_214)) else (let '(k_214) := + if ((nk_212) >.? (usize 6)) && (((i_211) %% (nk_212)) =.? ( + usize 4)):bool then (let k_214 := + slice_word (k_214) in + (k_214)) else ((k_214)) in + (k_214)) in + let k_214 := + foldi (usize 0) (usize 4) (fun i_216 k_214 => + let k_214 := + array_upd k_214 (i_216) ((array_index (k_214) (i_216)) .^ ( + array_index (w0_209) (i_216))) in + (k_214)) + k_214 in + let result_215 := + @Ok word_t int8 (k_214) in + (k_214, result_215)) else ((k_214, result_215)) in + result_215. + +Definition key_expansion_aes + (key_217 : byte_seq) + (nk_218 : uint_size) + (nr_219 : uint_size) + (key_schedule_length_220 : uint_size) + (key_length_221 : uint_size) + (iterations_222 : uint_size) + : byte_seq_result_t := + let key_ex_223 : seq uint8 := + seq_new_ (default) (key_schedule_length_220) in + let key_ex_223 := + seq_update_start (key_ex_223) (key_217) in + let word_size_224 : uint_size := + key_length_221 in + bind (foldibnd (usize 0) to ( + iterations_222) for key_ex_223 >> (fun j_225 key_ex_223 => + let i_226 : uint_size := + (j_225) + (word_size_224) in + bind (key_expansion_word (array_from_slice (default) (key_length_v) ( + key_ex_223) ((usize 4) * ((i_226) - (word_size_224))) (usize 4)) ( + array_from_slice (default) (key_length_v) (key_ex_223) (((usize 4) * ( + i_226)) - (usize 4)) (usize 4)) (i_226) (nk_218) (nr_219)) ( + fun word_227 => let key_ex_223 := + seq_update (key_ex_223) ((usize 4) * (i_226)) ( + array_to_seq (word_227)) in + Ok ((key_ex_223))))) (fun key_ex_223 => @Ok byte_seq int8 (key_ex_223)). + +Definition aes_encrypt_block + (k_228 : byte_seq) + (input_229 : block_t) + (nk_230 : uint_size) + (nr_231 : uint_size) + (key_schedule_length_232 : uint_size) + (key_length_233 : uint_size) + (iterations_234 : uint_size) + : block_result_t := + bind (key_expansion_aes (k_228) (nk_230) (nr_231) (key_schedule_length_232) ( + key_length_233) (iterations_234)) (fun key_ex_235 => @Ok block_t int8 ( + block_cipher_aes (input_229) (key_ex_235) (nr_231))). + +Definition aes128_encrypt_block + (k_236 : key128_t) + (input_237 : block_t) + : block_t := + result_unwrap (aes_encrypt_block (seq_from_seq (array_to_seq (k_236))) ( + input_237) (key_length_v) (rounds_v) (key_schedule_length_v) ( + key_length_v) (iterations_v)). + +Definition aes_ctr_key_block + (k_238 : byte_seq) + (n_239 : aes_nonce_t) + (c_240 : uint32) + (nk_241 : uint_size) + (nr_242 : uint_size) + (key_schedule_length_243 : uint_size) + (key_length_244 : uint_size) + (iterations_245 : uint_size) + : block_result_t := + let input_246 : block_t := + array_new_ (default) (blocksize_v) in + let input_246 := + array_update (input_246) (usize 0) (array_to_seq (n_239)) in + let input_246 := + array_update (input_246) (usize 12) (array_to_seq (uint32_to_be_bytes ( + c_240))) in + aes_encrypt_block (k_238) (input_246) (nk_241) (nr_242) ( + key_schedule_length_243) (key_length_244) (iterations_245). + +Definition xor_block + (block_247 : block_t) + (key_block_248 : block_t) + : block_t := + let out_249 : block_t := + block_247 in + let out_249 := + foldi (usize 0) (blocksize_v) (fun i_250 out_249 => + let out_249 := + array_upd out_249 (i_250) ((array_index (out_249) (i_250)) .^ ( + array_index (key_block_248) (i_250))) in + (out_249)) + out_249 in + out_249. + +Definition aes_counter_mode + (key_251 : byte_seq) + (nonce_252 : aes_nonce_t) + (counter_253 : uint32) + (msg_254 : byte_seq) + (nk_255 : uint_size) + (nr_256 : uint_size) + (key_schedule_length_257 : uint_size) + (key_length_258 : uint_size) + (iterations_259 : uint_size) + : byte_seq_result_t := + let ctr_260 : uint32 := + counter_253 in + let blocks_out_261 : seq uint8 := + seq_new_ (default) (seq_len (msg_254)) in + let n_blocks_262 : uint_size := + seq_num_exact_chunks (msg_254) (blocksize_v) in + bind (foldibnd (usize 0) to (n_blocks_262) for (ctr_260, blocks_out_261 + ) >> (fun i_263 '(ctr_260, blocks_out_261) => + let msg_block_264 : seq uint8 := + seq_get_exact_chunk (msg_254) (blocksize_v) (i_263) in + bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) (nr_256) ( + key_schedule_length_257) (key_length_258) (iterations_259)) ( + fun key_block_265 => let blocks_out_261 := + seq_set_chunk (blocks_out_261) (blocksize_v) (i_263) ( + array_to_seq (xor_block (array_from_seq (blocksize_v) ( + msg_block_264)) (key_block_265))) in + let ctr_260 := + (ctr_260) .+ (secret (@repr WORDSIZE32 1) : int32) in + Ok ((ctr_260, blocks_out_261))))) (fun '(ctr_260, blocks_out_261) => + let last_block_266 : seq uint8 := + seq_get_remainder_chunk (msg_254) (blocksize_v) in + let last_block_len_267 : uint_size := + seq_len (last_block_266) in + ifbnd (last_block_len_267) !=.? (usize 0) : bool + thenbnd (let last_block_268 : block_t := + array_update_start (array_new_ (default) (blocksize_v)) ( + last_block_266) in + bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) ( + nr_256) (key_schedule_length_257) (key_length_258) (iterations_259)) ( + fun key_block_269 => let blocks_out_261 := + seq_set_chunk (blocks_out_261) (blocksize_v) (n_blocks_262) ( + array_slice_range (xor_block (last_block_268) (key_block_269)) (( + usize 0, + last_block_len_267 + ))) in + Ok ((blocks_out_261)))) + else ((blocks_out_261)) >> (fun '(blocks_out_261) => + @Ok byte_seq int8 (blocks_out_261))). + +Definition aes128_encrypt + (key_270 : key128_t) + (nonce_271 : aes_nonce_t) + (counter_272 : uint32) + (msg_273 : byte_seq) + : byte_seq := + result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_270))) ( + nonce_271) (counter_272) (msg_273) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)). + +Definition aes128_decrypt + (key_274 : key128_t) + (nonce_275 : aes_nonce_t) + (counter_276 : uint32) + (ctxt_277 : byte_seq) + : byte_seq := + result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_274))) ( + nonce_275) (counter_276) (ctxt_277) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Aes128_Gcm.v b/proof-libs/coq/src/_vc/Hacspec_Aes128_Gcm.v new file mode 100644 index 000000000..83a91bc40 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Aes128_Gcm.v @@ -0,0 +1,124 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Aes. + +Require Import Hacspec_Gf128. + +Notation "'aes_gcm_byte_seq_result_t'" := (( + result byte_seq int8)) : hacspec_scope. + +Definition invalid_tag_v : int8 := + @repr WORDSIZE8 1. + +Definition pad_aad_msg (aad_278 : byte_seq) (msg_279 : byte_seq) : byte_seq := + let laad_280 : uint_size := + seq_len (aad_278) in + let lmsg_281 : uint_size := + seq_len (msg_279) in + let pad_aad_282 : uint_size := + (if (((laad_280) %% (usize 16)) =.? (usize 0)):bool then (laad_280) else (( + laad_280) + ((usize 16) - ((laad_280) %% (usize 16))))) in + let pad_msg_283 : uint_size := + (if (((lmsg_281) %% (usize 16)) =.? (usize 0)):bool then (lmsg_281) else (( + lmsg_281) + ((usize 16) - ((lmsg_281) %% (usize 16))))) in + let padded_msg_284 : seq uint8 := + seq_new_ (default) (((pad_aad_282) + (pad_msg_283)) + (usize 16)) in + let padded_msg_284 := + seq_update (padded_msg_284) (usize 0) (aad_278) in + let padded_msg_284 := + seq_update (padded_msg_284) (pad_aad_282) (msg_279) in + let padded_msg_284 := + seq_update (padded_msg_284) ((pad_aad_282) + (pad_msg_283)) ( + array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( + laad_280)) : int64) .* (secret ( + @repr WORDSIZE64 8) : int64)))) in + let padded_msg_284 := + seq_update (padded_msg_284) (((pad_aad_282) + (pad_msg_283)) + (usize 8)) ( + array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( + lmsg_281)) : int64) .* (secret ( + @repr WORDSIZE64 8) : int64)))) in + padded_msg_284. + +Definition encrypt_aes + (key_285 : byte_seq) + (iv_286 : aes_nonce_t) + (aad_287 : byte_seq) + (msg_288 : byte_seq) + : (byte_seq × gf128_tag_t) := + let iv0_289 : aes_nonce_t := + array_new_ (default) (_) in + let mac_key_290 : block_t := + result_unwrap (aes_ctr_key_block (key_285) (iv0_289) (secret ( + @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) in + let tag_mix_291 : block_t := + result_unwrap (aes_ctr_key_block (key_285) ((iv_286)) (secret ( + @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) in + let cipher_text_292 : seq uint8 := + aes128_encrypt (array_from_seq (_) (key_285)) (iv_286) (secret ( + @repr WORDSIZE32 2) : int32) (msg_288) in + let padded_msg_293 : seq uint8 := + pad_aad_msg (aad_287) (cipher_text_292) in + let tag_294 : gf128_tag_t := + gmac (padded_msg_293) (array_from_seq (_) (array_to_seq (mac_key_290))) in + let tag_295 : block_t := + xor_block (array_from_seq (_) (array_to_seq (tag_294))) (tag_mix_291) in + (cipher_text_292, array_from_seq (_) (array_to_seq (tag_295))). + +Definition encrypt_aes128 + (key_296 : key128_t) + (iv_297 : aes_nonce_t) + (aad_298 : byte_seq) + (msg_299 : byte_seq) + : (byte_seq × gf128_tag_t) := + encrypt_aes (seq_from_seq (array_to_seq (key_296))) (iv_297) (aad_298) ( + msg_299). + +Definition decrypt_aes + (key_300 : byte_seq) + (iv_301 : aes_nonce_t) + (aad_302 : byte_seq) + (cipher_text_303 : byte_seq) + (tag_304 : gf128_tag_t) + : aes_gcm_byte_seq_result_t := + let iv0_305 : aes_nonce_t := + array_new_ (default) (_) in + bind (aes_ctr_key_block (key_300) (iv0_305) (secret ( + @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) (fun mac_key_306 => + bind (aes_ctr_key_block (key_300) ((iv_301)) (secret ( + @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( + key_schedule_length_v) (key_length_v) (iterations_v)) ( + fun tag_mix_307 => let padded_msg_308 : seq uint8 := + pad_aad_msg (aad_302) (cipher_text_303) in + let my_tag_309 : gf128_tag_t := + gmac (padded_msg_308) (array_from_seq (_) ( + array_to_seq (mac_key_306))) in + let my_tag_310 : block_t := + xor_block (array_from_seq (_) (array_to_seq (my_tag_309))) ( + tag_mix_307) in + let ptxt_311 : seq uint8 := + aes128_decrypt (array_from_seq (_) (key_300)) (iv_301) (secret ( + @repr WORDSIZE32 2) : int32) (cipher_text_303) in + (if (array_declassify_eq (my_tag_310) (array_from_seq (_) ( + array_to_seq (tag_304)))):bool then (@Ok byte_seq int8 ( + ptxt_311)) else (@Err byte_seq int8 (invalid_tag_v))))). + +Definition decrypt_aes128 + (key_312 : key128_t) + (iv_313 : aes_nonce_t) + (aad_314 : byte_seq) + (cipher_text_315 : byte_seq) + (tag_316 : gf128_tag_t) + : aes_gcm_byte_seq_result_t := + decrypt_aes (seq_from_seq (array_to_seq (key_312))) (iv_313) (aad_314) ( + cipher_text_315) (tag_316). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Bls12_381.v b/proof-libs/coq/src/_vc/Hacspec_Bls12_381.v new file mode 100644 index 000000000..bf5cb3088 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Bls12_381.v @@ -0,0 +1,763 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +From QuickChick Require Import QuickChick. +Require Import QuickChickLib. +Require Import Hacspec_Lib. + +Definition fp_canvas_t := nseq (int8) (48). +Definition fp_t := + nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. +Instance show_fp_t : Show (fp_t) := Build_Show (fp_t) (fun x => show (GZnZ.val _ x)). +Definition g_fp_t : G (fp_t) := @bindGen Z (fp_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). +Instance gen_fp_t : Gen (fp_t) := Build_Gen fp_t g_fp_t. + + +Definition serialized_fp_t := nseq (uint8) (usize 48). + +Definition array_fp_t := nseq (uint64) (usize 6). + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. +Instance show_scalar_t : Show (scalar_t) := Build_Show (scalar_t) (fun x => show (GZnZ.val _ x)). +Definition g_scalar_t : G (scalar_t) := @bindGen Z (scalar_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). +Instance gen_scalar_t : Gen (scalar_t) := Build_Gen scalar_t g_scalar_t. + + +Notation "'g1_t'" := ((fp_t × fp_t × bool)) : hacspec_scope. +Instance show_g1_t : Show (g1_t) := +Build_Show g1_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_g1_t : G (g1_t) := +bindGen arbitrary (fun x0 : fp_t => + bindGen arbitrary (fun x1 : fp_t => + bindGen arbitrary (fun x2 : bool => + returnGen (x0,x1,x2)))). +Instance gen_g1_t : Gen (g1_t) := Build_Gen g1_t g_g1_t. + + +Notation "'fp2_t'" := ((fp_t × fp_t)) : hacspec_scope. +Instance show_fp2_t : Show (fp2_t) := +Build_Show fp2_t (fun x => + let (x, x0) := x in + (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. +Definition g_fp2_t : G (fp2_t) := +bindGen arbitrary (fun x0 : fp_t => + bindGen arbitrary (fun x1 : fp_t => + returnGen (x0,x1))). +Instance gen_fp2_t : Gen (fp2_t) := Build_Gen fp2_t g_fp2_t. + + +Notation "'g2_t'" := ((fp2_t × fp2_t × bool)) : hacspec_scope. +Instance show_g2_t : Show (g2_t) := +Build_Show g2_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_g2_t : G (g2_t) := +bindGen arbitrary (fun x0 : fp2_t => + bindGen arbitrary (fun x1 : fp2_t => + bindGen arbitrary (fun x2 : bool => + returnGen (x0,x1,x2)))). +Instance gen_g2_t : Gen (g2_t) := Build_Gen g2_t g_g2_t. + + +Notation "'fp6_t'" := ((fp2_t × fp2_t × fp2_t)) : hacspec_scope. +Instance show_fp6_t : Show (fp6_t) := +Build_Show fp6_t (fun x => + let (x, x0) := x in + let (x, x1) := x in + ( + ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. +Definition g_fp6_t : G (fp6_t) := +bindGen arbitrary (fun x0 : fp2_t => + bindGen arbitrary (fun x1 : fp2_t => + bindGen arbitrary (fun x2 : fp2_t => + returnGen (x0,x1,x2)))). +Instance gen_fp6_t : Gen (fp6_t) := Build_Gen fp6_t g_fp6_t. + + +Notation "'fp12_t'" := ((fp6_t × fp6_t)) : hacspec_scope. +Instance show_fp12_t : Show (fp12_t) := +Build_Show fp12_t (fun x => + let (x, x0) := x in + (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. +Definition g_fp12_t : G (fp12_t) := +bindGen arbitrary (fun x0 : fp6_t => + bindGen arbitrary (fun x1 : fp6_t => + returnGen (x0,x1))). +Instance gen_fp12_t : Gen (fp12_t) := Build_Gen fp12_t g_fp12_t. + + +Definition fp2fromfp (n_1063 : fp_t) : fp2_t := + (n_1063, nat_mod_zero ). + +Definition fp2zero : fp2_t := + fp2fromfp (nat_mod_zero ). + +Definition fp2neg (n_1064 : fp2_t) : fp2_t := + let '(n1_1065, n2_1066) := + n_1064 in + ((nat_mod_zero ) -% (n1_1065), (nat_mod_zero ) -% (n2_1066)). + +Definition fp2add (n_1067 : fp2_t) (m_1068 : fp2_t) : fp2_t := + let '(n1_1069, n2_1070) := + n_1067 in + let '(m1_1071, m2_1072) := + m_1068 in + ((n1_1069) +% (m1_1071), (n2_1070) +% (m2_1072)). + +Definition fp2sub (n_1073 : fp2_t) (m_1074 : fp2_t) : fp2_t := + fp2add (n_1073) (fp2neg (m_1074)). + +Definition fp2mul (n_1075 : fp2_t) (m_1076 : fp2_t) : fp2_t := + let '(n1_1077, n2_1078) := + n_1075 in + let '(m1_1079, m2_1080) := + m_1076 in + let x1_1081 : fp_t := + ((n1_1077) *% (m1_1079)) -% ((n2_1078) *% (m2_1080)) in + let x2_1082 : fp_t := + ((n1_1077) *% (m2_1080)) +% ((n2_1078) *% (m1_1079)) in + (x1_1081, x2_1082). + +Definition fp2inv (n_1083 : fp2_t) : fp2_t := + let '(n1_1084, n2_1085) := + n_1083 in + let t0_1086 : fp_t := + ((n1_1084) *% (n1_1084)) +% ((n2_1085) *% (n2_1085)) in + let t1_1087 : fp_t := + nat_mod_inv (t0_1086) in + let x1_1088 : fp_t := + (n1_1084) *% (t1_1087) in + let x2_1089 : fp_t := + (nat_mod_zero ) -% ((n2_1085) *% (t1_1087)) in + (x1_1088, x2_1089). + +Definition fp2conjugate (n_1090 : fp2_t) : fp2_t := + let '(n1_1091, n2_1092) := + n_1090 in + (n1_1091, (nat_mod_zero ) -% (n2_1092)). + +Definition fp6fromfp2 (n_1093 : fp2_t) : fp6_t := + (n_1093, fp2zero , fp2zero ). + +Definition fp6zero : fp6_t := + fp6fromfp2 (fp2zero ). + +Definition fp6neg (n_1094 : fp6_t) : fp6_t := + let '(n1_1095, n2_1096, n3_1097) := + n_1094 in + ( + fp2sub (fp2zero ) (n1_1095), + fp2sub (fp2zero ) (n2_1096), + fp2sub (fp2zero ) (n3_1097) + ). + +Definition fp6add (n_1098 : fp6_t) (m_1099 : fp6_t) : fp6_t := + let '(n1_1100, n2_1101, n3_1102) := + n_1098 in + let '(m1_1103, m2_1104, m3_1105) := + m_1099 in + ( + fp2add (n1_1100) (m1_1103), + fp2add (n2_1101) (m2_1104), + fp2add (n3_1102) (m3_1105) + ). + +Definition fp6sub (n_1106 : fp6_t) (m_1107 : fp6_t) : fp6_t := + fp6add (n_1106) (fp6neg (m_1107)). + +Definition fp6mul (n_1108 : fp6_t) (m_1109 : fp6_t) : fp6_t := + let '(n1_1110, n2_1111, n3_1112) := + n_1108 in + let '(m1_1113, m2_1114, m3_1115) := + m_1109 in + let eps_1116 : (fp_t × fp_t) := + (nat_mod_one , nat_mod_one ) in + let t1_1117 : (fp_t × fp_t) := + fp2mul (n1_1110) (m1_1113) in + let t2_1118 : (fp_t × fp_t) := + fp2mul (n2_1111) (m2_1114) in + let t3_1119 : (fp_t × fp_t) := + fp2mul (n3_1112) (m3_1115) in + let t4_1120 : (fp_t × fp_t) := + fp2mul (fp2add (n2_1111) (n3_1112)) (fp2add (m2_1114) (m3_1115)) in + let t5_1121 : (fp_t × fp_t) := + fp2sub (fp2sub (t4_1120) (t2_1118)) (t3_1119) in + let x_1122 : (fp_t × fp_t) := + fp2add (fp2mul (t5_1121) (eps_1116)) (t1_1117) in + let t4_1123 : (fp_t × fp_t) := + fp2mul (fp2add (n1_1110) (n2_1111)) (fp2add (m1_1113) (m2_1114)) in + let t5_1124 : (fp_t × fp_t) := + fp2sub (fp2sub (t4_1123) (t1_1117)) (t2_1118) in + let y_1125 : (fp_t × fp_t) := + fp2add (t5_1124) (fp2mul (eps_1116) (t3_1119)) in + let t4_1126 : (fp_t × fp_t) := + fp2mul (fp2add (n1_1110) (n3_1112)) (fp2add (m1_1113) (m3_1115)) in + let t5_1127 : (fp_t × fp_t) := + fp2sub (fp2sub (t4_1126) (t1_1117)) (t3_1119) in + let z_1128 : (fp_t × fp_t) := + fp2add (t5_1127) (t2_1118) in + (x_1122, y_1125, z_1128). + +Definition fp6inv (n_1129 : fp6_t) : fp6_t := + let '(n1_1130, n2_1131, n3_1132) := + n_1129 in + let eps_1133 : (fp_t × fp_t) := + (nat_mod_one , nat_mod_one ) in + let t1_1134 : (fp_t × fp_t) := + fp2mul (n1_1130) (n1_1130) in + let t2_1135 : (fp_t × fp_t) := + fp2mul (n2_1131) (n2_1131) in + let t3_1136 : (fp_t × fp_t) := + fp2mul (n3_1132) (n3_1132) in + let t4_1137 : (fp_t × fp_t) := + fp2mul (n1_1130) (n2_1131) in + let t5_1138 : (fp_t × fp_t) := + fp2mul (n1_1130) (n3_1132) in + let t6_1139 : (fp_t × fp_t) := + fp2mul (n2_1131) (n3_1132) in + let x0_1140 : (fp_t × fp_t) := + fp2sub (t1_1134) (fp2mul (eps_1133) (t6_1139)) in + let y0_1141 : (fp_t × fp_t) := + fp2sub (fp2mul (eps_1133) (t3_1136)) (t4_1137) in + let z0_1142 : (fp_t × fp_t) := + fp2sub (t2_1135) (t5_1138) in + let t0_1143 : (fp_t × fp_t) := + fp2mul (n1_1130) (x0_1140) in + let t0_1144 : (fp_t × fp_t) := + fp2add (t0_1143) (fp2mul (eps_1133) (fp2mul (n3_1132) (y0_1141))) in + let t0_1145 : (fp_t × fp_t) := + fp2add (t0_1144) (fp2mul (eps_1133) (fp2mul (n2_1131) (z0_1142))) in + let t0_1146 : (fp_t × fp_t) := + fp2inv (t0_1145) in + let x_1147 : (fp_t × fp_t) := + fp2mul (x0_1140) (t0_1146) in + let y_1148 : (fp_t × fp_t) := + fp2mul (y0_1141) (t0_1146) in + let z_1149 : (fp_t × fp_t) := + fp2mul (z0_1142) (t0_1146) in + (x_1147, y_1148, z_1149). + +Definition fp12fromfp6 (n_1150 : fp6_t) : fp12_t := + (n_1150, fp6zero ). + +Definition fp12neg (n_1151 : fp12_t) : fp12_t := + let '(n1_1152, n2_1153) := + n_1151 in + (fp6sub (fp6zero ) (n1_1152), fp6sub (fp6zero ) (n2_1153)). + +Definition fp12add (n_1154 : fp12_t) (m_1155 : fp12_t) : fp12_t := + let '(n1_1156, n2_1157) := + n_1154 in + let '(m1_1158, m2_1159) := + m_1155 in + (fp6add (n1_1156) (m1_1158), fp6add (n2_1157) (m2_1159)). + +Definition fp12sub (n_1160 : fp12_t) (m_1161 : fp12_t) : fp12_t := + fp12add (n_1160) (fp12neg (m_1161)). + +Definition fp12mul (n_1162 : fp12_t) (m_1163 : fp12_t) : fp12_t := + let '(n1_1164, n2_1165) := + n_1162 in + let '(m1_1166, m2_1167) := + m_1163 in + let gamma_1168 : (fp2_t × fp2_t × fp2_t) := + (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in + let t1_1169 : (fp2_t × fp2_t × fp2_t) := + fp6mul (n1_1164) (m1_1166) in + let t2_1170 : (fp2_t × fp2_t × fp2_t) := + fp6mul (n2_1165) (m2_1167) in + let x_1171 : (fp2_t × fp2_t × fp2_t) := + fp6add (t1_1169) (fp6mul (t2_1170) (gamma_1168)) in + let y_1172 : (fp2_t × fp2_t × fp2_t) := + fp6mul (fp6add (n1_1164) (n2_1165)) (fp6add (m1_1166) (m2_1167)) in + let y_1173 : (fp2_t × fp2_t × fp2_t) := + fp6sub (fp6sub (y_1172) (t1_1169)) (t2_1170) in + (x_1171, y_1173). + +Definition fp12inv (n_1174 : fp12_t) : fp12_t := + let '(n1_1175, n2_1176) := + n_1174 in + let gamma_1177 : (fp2_t × fp2_t × fp2_t) := + (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in + let t1_1178 : (fp2_t × fp2_t × fp2_t) := + fp6mul (n1_1175) (n1_1175) in + let t2_1179 : (fp2_t × fp2_t × fp2_t) := + fp6mul (n2_1176) (n2_1176) in + let t1_1180 : (fp2_t × fp2_t × fp2_t) := + fp6sub (t1_1178) (fp6mul (gamma_1177) (t2_1179)) in + let t2_1181 : (fp2_t × fp2_t × fp2_t) := + fp6inv (t1_1180) in + let x_1182 : (fp2_t × fp2_t × fp2_t) := + fp6mul (n1_1175) (t2_1181) in + let y_1183 : (fp2_t × fp2_t × fp2_t) := + fp6neg (fp6mul (n2_1176) (t2_1181)) in + (x_1182, y_1183). + +Definition fp12exp (n_1184 : fp12_t) (k_1185 : scalar_t) : fp12_t := + let c_1186 : (fp6_t × fp6_t) := + fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in + let c_1186 := + foldi (usize 0) (usize 256) (fun i_1187 c_1186 => + let c_1186 := + fp12mul (c_1186) (c_1186) in + let '(c_1186) := + if nat_mod_bit (k_1185) ((usize 255) - (i_1187)):bool then ( + let c_1186 := + fp12mul (c_1186) (n_1184) in + (c_1186)) else ((c_1186)) in + (c_1186)) + c_1186 in + c_1186. + +Definition fp12conjugate (n_1188 : fp12_t) : fp12_t := + let '(n1_1189, n2_1190) := + n_1188 in + (n1_1189, fp6neg (n2_1190)). + +Definition fp12zero : fp12_t := + fp12fromfp6 (fp6zero ). + +Definition g1add_a (p_1191 : g1_t) (q_1192 : g1_t) : g1_t := + let '(x1_1193, y1_1194, _) := + p_1191 in + let '(x2_1195, y2_1196, _) := + q_1192 in + let x_diff_1197 : fp_t := + (x2_1195) -% (x1_1193) in + let y_diff_1198 : fp_t := + (y2_1196) -% (y1_1194) in + let xovery_1199 : fp_t := + (y_diff_1198) *% (nat_mod_inv (x_diff_1197)) in + let x3_1200 : fp_t := + ((nat_mod_exp (xovery_1199) (@repr WORDSIZE32 2)) -% (x1_1193)) -% ( + x2_1195) in + let y3_1201 : fp_t := + ((xovery_1199) *% ((x1_1193) -% (x3_1200))) -% (y1_1194) in + (x3_1200, y3_1201, false). + +Definition g1double_a (p_1202 : g1_t) : g1_t := + let '(x1_1203, y1_1204, _) := + p_1202 in + let x12_1205 : fp_t := + nat_mod_exp (x1_1203) (@repr WORDSIZE32 2) in + let xovery_1206 : fp_t := + ((nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t) *% (x12_1205)) *% (nat_mod_inv (( + nat_mod_two ) *% (y1_1204))) in + let x3_1207 : fp_t := + (nat_mod_exp (xovery_1206) (@repr WORDSIZE32 2)) -% ((nat_mod_two ) *% ( + x1_1203)) in + let y3_1208 : fp_t := + ((xovery_1206) *% ((x1_1203) -% (x3_1207))) -% (y1_1204) in + (x3_1207, y3_1208, false). + +Definition g1double (p_1209 : g1_t) : g1_t := + let '(x1_1210, y1_1211, inf1_1212) := + p_1209 in + (if (((y1_1211) !=.? (nat_mod_zero )) && (negb (inf1_1212))):bool then ( + g1double_a (p_1209)) else ((nat_mod_zero , nat_mod_zero , true))). + +Definition g1add (p_1213 : g1_t) (q_1214 : g1_t) : g1_t := + let '(x1_1215, y1_1216, inf1_1217) := + p_1213 in + let '(x2_1218, y2_1219, inf2_1220) := + q_1214 in + (if (inf1_1217):bool then (q_1214) else ((if (inf2_1220):bool then ( + p_1213) else ((if ((p_1213) =.? (q_1214)):bool then (g1double ( + p_1213)) else ((if (negb (((x1_1215) =.? (x2_1218)) && (( + y1_1216) =.? ((nat_mod_zero ) -% ( + y2_1219))))):bool then (g1add_a (p_1213) ( + q_1214)) else ((nat_mod_zero , nat_mod_zero , true))))))))). + +Definition g1mul (m_1221 : scalar_t) (p_1222 : g1_t) : g1_t := + let t_1223 : (fp_t × fp_t × bool) := + (nat_mod_zero , nat_mod_zero , true) in + let t_1223 := + foldi (usize 0) (usize 256) (fun i_1224 t_1223 => + let t_1223 := + g1double (t_1223) in + let '(t_1223) := + if nat_mod_bit (m_1221) ((usize 255) - (i_1224)):bool then ( + let t_1223 := + g1add (t_1223) (p_1222) in + (t_1223)) else ((t_1223)) in + (t_1223)) + t_1223 in + t_1223. + +Definition g1neg (p_1225 : g1_t) : g1_t := + let '(x_1226, y_1227, inf_1228) := + p_1225 in + (x_1226, (nat_mod_zero ) -% (y_1227), inf_1228). + +Definition g2add_a (p_1229 : g2_t) (q_1230 : g2_t) : g2_t := + let '(x1_1231, y1_1232, _) := + p_1229 in + let '(x2_1233, y2_1234, _) := + q_1230 in + let x_diff_1235 : (fp_t × fp_t) := + fp2sub (x2_1233) (x1_1231) in + let y_diff_1236 : (fp_t × fp_t) := + fp2sub (y2_1234) (y1_1232) in + let xovery_1237 : (fp_t × fp_t) := + fp2mul (y_diff_1236) (fp2inv (x_diff_1235)) in + let t1_1238 : (fp_t × fp_t) := + fp2mul (xovery_1237) (xovery_1237) in + let t2_1239 : (fp_t × fp_t) := + fp2sub (t1_1238) (x1_1231) in + let x3_1240 : (fp_t × fp_t) := + fp2sub (t2_1239) (x2_1233) in + let t1_1241 : (fp_t × fp_t) := + fp2sub (x1_1231) (x3_1240) in + let t2_1242 : (fp_t × fp_t) := + fp2mul (xovery_1237) (t1_1241) in + let y3_1243 : (fp_t × fp_t) := + fp2sub (t2_1242) (y1_1232) in + (x3_1240, y3_1243, false). + +Definition g2double_a (p_1244 : g2_t) : g2_t := + let '(x1_1245, y1_1246, _) := + p_1244 in + let x12_1247 : (fp_t × fp_t) := + fp2mul (x1_1245) (x1_1245) in + let t1_1248 : (fp_t × fp_t) := + fp2mul (fp2fromfp (nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t)) (x12_1247) in + let t2_1249 : (fp_t × fp_t) := + fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (y1_1246)) in + let xovery_1250 : (fp_t × fp_t) := + fp2mul (t1_1248) (t2_1249) in + let t1_1251 : (fp_t × fp_t) := + fp2mul (xovery_1250) (xovery_1250) in + let t2_1252 : (fp_t × fp_t) := + fp2mul (fp2fromfp (nat_mod_two )) (x1_1245) in + let x3_1253 : (fp_t × fp_t) := + fp2sub (t1_1251) (t2_1252) in + let t1_1254 : (fp_t × fp_t) := + fp2sub (x1_1245) (x3_1253) in + let t2_1255 : (fp_t × fp_t) := + fp2mul (xovery_1250) (t1_1254) in + let y3_1256 : (fp_t × fp_t) := + fp2sub (t2_1255) (y1_1246) in + (x3_1253, y3_1256, false). + +Definition g2double (p_1257 : g2_t) : g2_t := + let '(x1_1258, y1_1259, inf1_1260) := + p_1257 in + (if (((y1_1259) !=.? (fp2zero )) && (negb (inf1_1260))):bool then ( + g2double_a (p_1257)) else ((fp2zero , fp2zero , true))). + +Definition g2add (p_1261 : g2_t) (q_1262 : g2_t) : g2_t := + let '(x1_1263, y1_1264, inf1_1265) := + p_1261 in + let '(x2_1266, y2_1267, inf2_1268) := + q_1262 in + (if (inf1_1265):bool then (q_1262) else ((if (inf2_1268):bool then ( + p_1261) else ((if ((p_1261) =.? (q_1262)):bool then (g2double ( + p_1261)) else ((if (negb (((x1_1263) =.? (x2_1266)) && (( + y1_1264) =.? (fp2neg (y2_1267))))):bool then (g2add_a ( + p_1261) (q_1262)) else ((fp2zero , fp2zero , true))))))))). + +Definition g2mul (m_1269 : scalar_t) (p_1270 : g2_t) : g2_t := + let t_1271 : (fp2_t × fp2_t × bool) := + (fp2zero , fp2zero , true) in + let t_1271 := + foldi (usize 0) (usize 256) (fun i_1272 t_1271 => + let t_1271 := + g2double (t_1271) in + let '(t_1271) := + if nat_mod_bit (m_1269) ((usize 255) - (i_1272)):bool then ( + let t_1271 := + g2add (t_1271) (p_1270) in + (t_1271)) else ((t_1271)) in + (t_1271)) + t_1271 in + t_1271. + +Definition g2neg (p_1273 : g2_t) : g2_t := + let '(x_1274, y_1275, inf_1276) := + p_1273 in + (x_1274, fp2neg (y_1275), inf_1276). + +Definition twist (p_1277 : g1_t) : (fp12_t × fp12_t) := + let '(p0_1278, p1_1279, _) := + p_1277 in + let x_1280 : ((fp2_t × fp2_t × fp2_t) × fp6_t) := + ((fp2zero , fp2fromfp (p0_1278), fp2zero ), fp6zero ) in + let y_1281 : (fp6_t × (fp2_t × fp2_t × fp2_t)) := + (fp6zero , (fp2zero , fp2fromfp (p1_1279), fp2zero )) in + (x_1280, y_1281). + +Definition line_double_p (r_1282 : g2_t) (p_1283 : g1_t) : fp12_t := + let '(r0_1284, r1_1285, _) := + r_1282 in + let a_1286 : (fp_t × fp_t) := + fp2mul (fp2fromfp (nat_mod_from_literal ( + 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( + @repr WORDSIZE128 3) : fp_t)) (fp2mul (r0_1284) (r0_1284)) in + let a_1287 : (fp_t × fp_t) := + fp2mul (a_1286) (fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (r1_1285))) in + let b_1288 : (fp_t × fp_t) := + fp2sub (r1_1285) (fp2mul (a_1287) (r0_1284)) in + let a_1289 : (fp6_t × fp6_t) := + fp12fromfp6 (fp6fromfp2 (a_1287)) in + let b_1290 : (fp6_t × fp6_t) := + fp12fromfp6 (fp6fromfp2 (b_1288)) in + let '(x_1291, y_1292) := + twist (p_1283) in + fp12neg (fp12sub (fp12sub (y_1292) (fp12mul (a_1289) (x_1291))) (b_1290)). + +Definition line_add_p + (r_1293 : g2_t) + (q_1294 : g2_t) + (p_1295 : g1_t) + : fp12_t := + let '(r0_1296, r1_1297, _) := + r_1293 in + let '(q0_1298, q1_1299, _) := + q_1294 in + let a_1300 : (fp_t × fp_t) := + fp2mul (fp2sub (q1_1299) (r1_1297)) (fp2inv (fp2sub (q0_1298) ( + r0_1296))) in + let b_1301 : (fp_t × fp_t) := + fp2sub (r1_1297) (fp2mul (a_1300) (r0_1296)) in + let a_1302 : (fp6_t × fp6_t) := + fp12fromfp6 (fp6fromfp2 (a_1300)) in + let b_1303 : (fp6_t × fp6_t) := + fp12fromfp6 (fp6fromfp2 (b_1301)) in + let '(x_1304, y_1305) := + twist (p_1295) in + fp12neg (fp12sub (fp12sub (y_1305) (fp12mul (a_1302) (x_1304))) (b_1303)). + +Definition frobenius (f_1306 : fp12_t) : fp12_t := + let '((g0_1307, g1_1308, g2_1309), (h0_1310, h1_1311, h2_1312)) := + f_1306 in + let t1_1313 : (fp_t × fp_t) := + fp2conjugate (g0_1307) in + let t2_1314 : (fp_t × fp_t) := + fp2conjugate (h0_1310) in + let t3_1315 : (fp_t × fp_t) := + fp2conjugate (g1_1308) in + let t4_1316 : (fp_t × fp_t) := + fp2conjugate (h1_1311) in + let t5_1317 : (fp_t × fp_t) := + fp2conjugate (g2_1309) in + let t6_1318 : (fp_t × fp_t) := + fp2conjugate (h2_1312) in + let c1_1319 : array_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 10162220747404304312) : int64; + secret (@repr WORDSIZE64 17761815663483519293) : int64; + secret (@repr WORDSIZE64 8873291758750579140) : int64; + secret (@repr WORDSIZE64 1141103941765652303) : int64; + secret (@repr WORDSIZE64 13993175198059990303) : int64; + secret (@repr WORDSIZE64 1802798568193066599) : int64 + ] in l) in + let c1_1320 : seq uint8 := + array_to_le_bytes (c1_1319) in + let c1_1321 : fp_t := + nat_mod_from_byte_seq_le (c1_1320) : fp_t in + let c2_1322 : array_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 3240210268673559283) : int64; + secret (@repr WORDSIZE64 2895069921743240898) : int64; + secret (@repr WORDSIZE64 17009126888523054175) : int64; + secret (@repr WORDSIZE64 6098234018649060207) : int64; + secret (@repr WORDSIZE64 9865672654120263608) : int64; + secret (@repr WORDSIZE64 71000049454473266) : int64 + ] in l) in + let c2_1323 : seq uint8 := + array_to_le_bytes (c2_1322) in + let c2_1324 : fp_t := + nat_mod_from_byte_seq_le (c2_1323) : fp_t in + let gamma11_1325 : (fp_t × fp_t) := + (c1_1321, c2_1324) in + let gamma12_1326 : (fp_t × fp_t) := + fp2mul (gamma11_1325) (gamma11_1325) in + let gamma13_1327 : (fp_t × fp_t) := + fp2mul (gamma12_1326) (gamma11_1325) in + let gamma14_1328 : (fp_t × fp_t) := + fp2mul (gamma13_1327) (gamma11_1325) in + let gamma15_1329 : (fp_t × fp_t) := + fp2mul (gamma14_1328) (gamma11_1325) in + let t2_1330 : (fp_t × fp_t) := + fp2mul (t2_1314) (gamma11_1325) in + let t3_1331 : (fp_t × fp_t) := + fp2mul (t3_1315) (gamma12_1326) in + let t4_1332 : (fp_t × fp_t) := + fp2mul (t4_1316) (gamma13_1327) in + let t5_1333 : (fp_t × fp_t) := + fp2mul (t5_1317) (gamma14_1328) in + let t6_1334 : (fp_t × fp_t) := + fp2mul (t6_1318) (gamma15_1329) in + ((t1_1313, t3_1331, t5_1333), (t2_1330, t4_1332, t6_1334)). + +Definition final_exponentiation (f_1335 : fp12_t) : fp12_t := + let fp6_1336 : (fp6_t × fp6_t) := + fp12conjugate (f_1335) in + let finv_1337 : (fp6_t × fp6_t) := + fp12inv (f_1335) in + let fp6_1_1338 : (fp6_t × fp6_t) := + fp12mul (fp6_1336) (finv_1337) in + let fp8_1339 : (fp6_t × fp6_t) := + frobenius (frobenius (fp6_1_1338)) in + let f_1340 : (fp6_t × fp6_t) := + fp12mul (fp8_1339) (fp6_1_1338) in + let u_1341 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let t0_1342 : (fp6_t × fp6_t) := + fp12mul (f_1340) (f_1340) in + let t1_1343 : (fp6_t × fp6_t) := + fp12exp (t0_1342) (u_1341) in + let t1_1344 : (fp6_t × fp6_t) := + fp12conjugate (t1_1343) in + let t2_1345 : (fp6_t × fp6_t) := + fp12exp (t1_1344) ((u_1341) /% (nat_mod_two )) in + let t2_1346 : (fp6_t × fp6_t) := + fp12conjugate (t2_1345) in + let t3_1347 : (fp6_t × fp6_t) := + fp12conjugate (f_1340) in + let t1_1348 : (fp6_t × fp6_t) := + fp12mul (t3_1347) (t1_1344) in + let t1_1349 : (fp6_t × fp6_t) := + fp12conjugate (t1_1348) in + let t1_1350 : (fp6_t × fp6_t) := + fp12mul (t1_1349) (t2_1346) in + let t2_1351 : (fp6_t × fp6_t) := + fp12exp (t1_1350) (u_1341) in + let t2_1352 : (fp6_t × fp6_t) := + fp12conjugate (t2_1351) in + let t3_1353 : (fp6_t × fp6_t) := + fp12exp (t2_1352) (u_1341) in + let t3_1354 : (fp6_t × fp6_t) := + fp12conjugate (t3_1353) in + let t1_1355 : (fp6_t × fp6_t) := + fp12conjugate (t1_1350) in + let t3_1356 : (fp6_t × fp6_t) := + fp12mul (t1_1355) (t3_1354) in + let t1_1357 : (fp6_t × fp6_t) := + fp12conjugate (t1_1355) in + let t1_1358 : (fp6_t × fp6_t) := + frobenius (frobenius (frobenius (t1_1357))) in + let t2_1359 : (fp6_t × fp6_t) := + frobenius (frobenius (t2_1352)) in + let t1_1360 : (fp6_t × fp6_t) := + fp12mul (t1_1358) (t2_1359) in + let t2_1361 : (fp6_t × fp6_t) := + fp12exp (t3_1356) (u_1341) in + let t2_1362 : (fp6_t × fp6_t) := + fp12conjugate (t2_1361) in + let t2_1363 : (fp6_t × fp6_t) := + fp12mul (t2_1362) (t0_1342) in + let t2_1364 : (fp6_t × fp6_t) := + fp12mul (t2_1363) (f_1340) in + let t1_1365 : (fp6_t × fp6_t) := + fp12mul (t1_1360) (t2_1364) in + let t2_1366 : (fp6_t × fp6_t) := + frobenius (t3_1356) in + let t1_1367 : (fp6_t × fp6_t) := + fp12mul (t1_1365) (t2_1366) in + t1_1367. + +Definition pairing (p_1368 : g1_t) (q_1369 : g2_t) : fp12_t := + let t_1370 : scalar_t := + nat_mod_from_literal ( + 0x8000000000000000000000000000000000000000000000000000000000000000) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let r_1371 : (fp2_t × fp2_t × bool) := + q_1369 in + let f_1372 : (fp6_t × fp6_t) := + fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in + let '(r_1371, f_1372) := + foldi (usize 1) (usize 64) (fun i_1373 '(r_1371, f_1372) => + let lrr_1374 : (fp6_t × fp6_t) := + line_double_p (r_1371) (p_1368) in + let r_1371 := + g2double (r_1371) in + let f_1372 := + fp12mul (fp12mul (f_1372) (f_1372)) (lrr_1374) in + let '(r_1371, f_1372) := + if nat_mod_bit (t_1370) (((usize 64) - (i_1373)) - ( + usize 1)):bool then (let lrq_1375 : (fp6_t × fp6_t) := + line_add_p (r_1371) (q_1369) (p_1368) in + let r_1371 := + g2add (r_1371) (q_1369) in + let f_1372 := + fp12mul (f_1372) (lrq_1375) in + (r_1371, f_1372)) else ((r_1371, f_1372)) in + (r_1371, f_1372)) + (r_1371, f_1372) in + final_exponentiation (fp12conjugate (f_1372)). + +Definition test_fp2_prop_add_neg (a_1376 : fp2_t) : bool := + let b_1377 : (fp_t × fp_t) := + fp2neg (a_1376) in + (fp2fromfp (nat_mod_zero )) =.? (fp2add (a_1376) (b_1377)). +QuickChick (forAll g_fp2_t (fun a_1376 : fp2_t =>test_fp2_prop_add_neg a_1376)). + + +Definition test_fp2_prop_mul_inv (a_1378 : fp2_t) : bool := + let b_1379 : (fp_t × fp_t) := + fp2inv (a_1378) in + (fp2fromfp (nat_mod_one )) =.? (fp2mul (a_1378) (b_1379)). +QuickChick (forAll g_fp2_t (fun a_1378 : fp2_t =>test_fp2_prop_mul_inv a_1378)). + + +Definition test_extraction_issue : bool := + let b_1380 : (fp_t × fp_t) := + fp2inv ((nat_mod_one , nat_mod_one )) in + (fp2fromfp (nat_mod_one )) =.? (fp2mul ((nat_mod_one , nat_mod_one )) ( + b_1380)). +QuickChick (test_extraction_issue). + + +Definition test_fp6_prop_mul_inv (a_1381 : fp6_t) : bool := + let b_1382 : (fp2_t × fp2_t × fp2_t) := + fp6inv (a_1381) in + (fp6fromfp2 (fp2fromfp (nat_mod_one ))) =.? (fp6mul (a_1381) (b_1382)). +QuickChick (forAll g_fp6_t (fun a_1381 : fp6_t =>test_fp6_prop_mul_inv a_1381)). + + +Definition test_fp6_prop_add_neg (a_1383 : fp6_t) : bool := + let b_1384 : (fp2_t × fp2_t × fp2_t) := + fp6neg (a_1383) in + (fp6fromfp2 (fp2fromfp (nat_mod_zero ))) =.? (fp6add (a_1383) (b_1384)). +QuickChick (forAll g_fp6_t (fun a_1383 : fp6_t =>test_fp6_prop_add_neg a_1383)). + + +Definition test_fp12_prop_add_neg (a_1385 : fp12_t) : bool := + let b_1386 : (fp6_t × fp6_t) := + fp12neg (a_1385) in + (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_zero )))) =.? (fp12add (a_1385) ( + b_1386)). +QuickChick ( + forAll g_fp12_t (fun a_1385 : fp12_t =>test_fp12_prop_add_neg a_1385)). + + +Definition test_fp12_prop_mul_inv (a_1387 : fp12_t) : bool := + let b_1388 : (fp6_t × fp6_t) := + fp12inv (a_1387) in + (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one )))) =.? (fp12mul (a_1387) ( + b_1388)). +QuickChick ( + forAll g_fp12_t (fun a_1387 : fp12_t =>test_fp12_prop_mul_inv a_1387)). + + diff --git a/proof-libs/coq/src/_vc/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/src/_vc/Hacspec_Bls12_381_Hash.v new file mode 100644 index 000000000..c1f7cb776 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Bls12_381_Hash.v @@ -0,0 +1,1752 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Bls12_381. + +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition fp_hash_canvas_t := nseq (int8) (64). +Definition fp_hash_t := + nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. + +Definition arr_fp_t := nseq (uint64) (usize 6). + +Definition b_in_bytes_v : uint_size := + usize 32. + +Definition s_in_bytes_v : uint_size := + usize 64. + +Definition l_v : uint_size := + usize 64. + +Definition p_1_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 936899308823769933) : int64; + secret (@repr WORDSIZE64 2706051889235351147) : int64; + secret (@repr WORDSIZE64 12843041017062132063) : int64; + secret (@repr WORDSIZE64 12941209323636816658) : int64; + secret (@repr WORDSIZE64 1105070755758604287) : int64; + secret (@repr WORDSIZE64 15924587544893707605) : int64 + ] in l). + +Definition p_1_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 468449654411884966) : int64; + secret (@repr WORDSIZE64 10576397981472451381) : int64; + secret (@repr WORDSIZE64 15644892545385841839) : int64; + secret (@repr WORDSIZE64 15693976698673184137) : int64; + secret (@repr WORDSIZE64 552535377879302143) : int64; + secret (@repr WORDSIZE64 17185665809301629611) : int64 + ] in l). + +Definition p_3_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 468449654411884966) : int64; + secret (@repr WORDSIZE64 10576397981472451381) : int64; + secret (@repr WORDSIZE64 15644892545385841839) : int64; + secret (@repr WORDSIZE64 15693976698673184137) : int64; + secret (@repr WORDSIZE64 552535377879302143) : int64; + secret (@repr WORDSIZE64 17185665809301629610) : int64 + ] in l). + +Definition expand_message_xmd + (msg_1389 : byte_seq) + (dst_1390 : byte_seq) + (len_in_bytes_1391 : uint_size) + : byte_seq := + let ell_1392 : uint_size := + (((len_in_bytes_1391) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in + let dst_prime_1393 : seq uint8 := + seq_push (dst_1390) (uint8_from_usize (seq_len (dst_1390))) in + let z_pad_1394 : seq uint8 := + seq_new_ (default) (s_in_bytes_v) in + let l_i_b_str_1395 : seq uint8 := + seq_new_ (default) (usize 2) in + let l_i_b_str_1395 := + seq_upd l_i_b_str_1395 (usize 0) (uint8_from_usize ((len_in_bytes_1391) / ( + usize 256))) in + let l_i_b_str_1395 := + seq_upd l_i_b_str_1395 (usize 1) (uint8_from_usize (len_in_bytes_1391)) in + let msg_prime_1396 : seq uint8 := + seq_concat (seq_concat (seq_concat (seq_concat (z_pad_1394) (msg_1389)) ( + l_i_b_str_1395)) (seq_new_ (default) (usize 1))) (dst_prime_1393) in + let b_0_1397 : seq uint8 := + seq_from_seq (array_to_seq (hash (msg_prime_1396))) in + let b_i_1398 : seq uint8 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_1397) (secret ( + @repr WORDSIZE8 1) : int8)) (dst_prime_1393)))) in + let uniform_bytes_1399 : seq uint8 := + seq_from_seq (b_i_1398) in + let '(b_i_1398, uniform_bytes_1399) := + foldi (usize 2) ((ell_1392) + (usize 1)) (fun i_1400 '( + b_i_1398, + uniform_bytes_1399 + ) => + let t_1401 : seq uint8 := + seq_from_seq (b_0_1397) in + let b_i_1398 := + seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( + t_1401) seq_xor (b_i_1398)) (uint8_from_usize (i_1400))) ( + dst_prime_1393)))) in + let uniform_bytes_1399 := + seq_concat (uniform_bytes_1399) (b_i_1398) in + (b_i_1398, uniform_bytes_1399)) + (b_i_1398, uniform_bytes_1399) in + seq_truncate (uniform_bytes_1399) (len_in_bytes_1391). + +Definition fp_hash_to_field + (msg_1402 : byte_seq) + (dst_1403 : byte_seq) + (count_1404 : uint_size) + : seq fp_t := + let len_in_bytes_1405 : uint_size := + (count_1404) * (l_v) in + let uniform_bytes_1406 : seq uint8 := + expand_message_xmd (msg_1402) (dst_1403) (len_in_bytes_1405) in + let output_1407 : seq fp_t := + seq_new_ (default) (count_1404) in + let output_1407 := + foldi (usize 0) (count_1404) (fun i_1408 output_1407 => + let elm_offset_1409 : uint_size := + (l_v) * (i_1408) in + let tv_1410 : seq uint8 := + seq_slice (uniform_bytes_1406) (elm_offset_1409) (l_v) in + let u_i_1411 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1410) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let output_1407 := + seq_upd output_1407 (i_1408) (u_i_1411) in + (output_1407)) + output_1407 in + output_1407. + +Definition fp_sgn0 (x_1412 : fp_t) : bool := + ((x_1412) rem (nat_mod_two )) =.? (nat_mod_one ). + +Definition fp_is_square (x_1413 : fp_t) : bool := + let c1_1414 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let tv_1415 : fp_t := + nat_mod_pow_self (x_1413) (c1_1414) in + ((tv_1415) =.? (nat_mod_zero )) || ((tv_1415) =.? (nat_mod_one )). + +Definition fp_sqrt (x_1416 : fp_t) : fp_t := + let c1_1417 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_4_v)) : fp_t in + nat_mod_pow_self (x_1416) (c1_1417). + +Definition g1_curve_func (x_1418 : fp_t) : fp_t := + (((x_1418) *% (x_1418)) *% (x_1418)) +% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t). + +Definition g1_map_to_curve_svdw (u_1419 : fp_t) : g1_t := + let z_1420 : fp_t := + (nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t) in + let gz_1421 : fp_t := + g1_curve_func (z_1420) in + let tv1_1422 : fp_t := + ((u_1419) *% (u_1419)) *% (gz_1421) in + let tv2_1423 : fp_t := + (nat_mod_one ) +% (tv1_1422) in + let tv1_1424 : fp_t := + (nat_mod_one ) -% (tv1_1422) in + let tv3_1425 : fp_t := + nat_mod_inv ((tv1_1424) *% (tv2_1423)) in + let tv4_1426 : fp_t := + fp_sqrt (((nat_mod_zero ) -% (gz_1421)) *% (((nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t) *% (z_1420)) *% (z_1420))) in + let '(tv4_1426) := + if fp_sgn0 (tv4_1426):bool then (let tv4_1426 := + (nat_mod_zero ) -% (tv4_1426) in + (tv4_1426)) else ((tv4_1426)) in + let tv5_1427 : fp_t := + (((u_1419) *% (tv1_1424)) *% (tv3_1425)) *% (tv4_1426) in + let tv6_1428 : fp_t := + (((nat_mod_zero ) -% (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t)) *% (gz_1421)) *% (nat_mod_inv ((( + nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t) *% ( + z_1420)) *% (z_1420))) in + let x1_1429 : fp_t := + (((nat_mod_zero ) -% (z_1420)) *% (nat_mod_inv (nat_mod_two ))) -% ( + tv5_1427) in + let x2_1430 : fp_t := + (((nat_mod_zero ) -% (z_1420)) *% (nat_mod_inv (nat_mod_two ))) +% ( + tv5_1427) in + let x3_1431 : fp_t := + (z_1420) +% (((tv6_1428) *% (((tv2_1423) *% (tv2_1423)) *% (tv3_1425))) *% ( + ((tv2_1423) *% (tv2_1423)) *% (tv3_1425))) in + let x_1432 : fp_t := + (if (fp_is_square (g1_curve_func (x1_1429))):bool then (x1_1429) else ((if ( + fp_is_square (g1_curve_func (x2_1430))):bool then (x2_1430) else ( + x3_1431)))) in + let y_1433 : fp_t := + fp_sqrt (g1_curve_func (x_1432)) in + let '(y_1433) := + if (fp_sgn0 (u_1419)) !=.? (fp_sgn0 (y_1433)):bool then (let y_1433 := + (nat_mod_zero ) -% (y_1433) in + (y_1433)) else ((y_1433)) in + (x_1432, y_1433, false). + +Definition g1_clear_cofactor (x_1434 : g1_t) : g1_t := + let h_eff_1435 : scalar_t := + nat_mod_from_literal (_) ( + @repr WORDSIZE128 15132376222941642753) : scalar_t in + g1mul (h_eff_1435) (x_1434). + +Definition g1_hash_to_curve_svdw + (msg_1436 : byte_seq) + (dst_1437 : byte_seq) + : g1_t := + let u_1438 : seq fp_t := + fp_hash_to_field (msg_1436) (dst_1437) (usize 2) in + let q0_1439 : (fp_t × fp_t × bool) := + g1_map_to_curve_svdw (seq_index (u_1438) (usize 0)) in + let q1_1440 : (fp_t × fp_t × bool) := + g1_map_to_curve_svdw (seq_index (u_1438) (usize 1)) in + let r_1441 : (fp_t × fp_t × bool) := + g1add (q0_1439) (q1_1440) in + let p_1442 : (fp_t × fp_t × bool) := + g1_clear_cofactor (r_1441) in + p_1442. + +Definition g1_encode_to_curve_svdw + (msg_1443 : byte_seq) + (dst_1444 : byte_seq) + : g1_t := + let u_1445 : seq fp_t := + fp_hash_to_field (msg_1443) (dst_1444) (usize 1) in + let q_1446 : (fp_t × fp_t × bool) := + g1_map_to_curve_svdw (seq_index (u_1445) (usize 0)) in + let p_1447 : (fp_t × fp_t × bool) := + g1_clear_cofactor (q_1446) in + p_1447. + +Definition fp2_hash_to_field + (msg_1448 : byte_seq) + (dst_1449 : byte_seq) + (count_1450 : uint_size) + : seq fp2_t := + let len_in_bytes_1451 : uint_size := + ((count_1450) * (usize 2)) * (l_v) in + let uniform_bytes_1452 : seq uint8 := + expand_message_xmd (msg_1448) (dst_1449) (len_in_bytes_1451) in + let output_1453 : seq (fp_t × fp_t) := + seq_new_ (default) (count_1450) in + let output_1453 := + foldi (usize 0) (count_1450) (fun i_1454 output_1453 => + let elm_offset_1455 : uint_size := + ((l_v) * (i_1454)) * (usize 2) in + let tv_1456 : seq uint8 := + seq_slice (uniform_bytes_1452) (elm_offset_1455) (l_v) in + let e_1_1457 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1456) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let elm_offset_1458 : uint_size := + (l_v) * ((usize 1) + ((i_1454) * (usize 2))) in + let tv_1459 : seq uint8 := + seq_slice (uniform_bytes_1452) (elm_offset_1458) (l_v) in + let e_2_1460 : fp_t := + nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( + nat_mod_from_byte_seq_be (tv_1459) : fp_hash_t)) (usize 16) ( + usize 48)) : fp_t in + let output_1453 := + seq_upd output_1453 (i_1454) ((e_1_1457, e_2_1460)) in + (output_1453)) + output_1453 in + output_1453. + +Definition fp2_sgn0 (x_1461 : fp2_t) : bool := + let '(x0_1462, x1_1463) := + x_1461 in + let sign_0_1464 : bool := + fp_sgn0 (x0_1462) in + let zero_0_1465 : bool := + (x0_1462) =.? (nat_mod_zero ) in + let sign_1_1466 : bool := + fp_sgn0 (x1_1463) in + (sign_0_1464) || ((zero_0_1465) && (sign_1_1466)). + +Definition fp2_is_square (x_1467 : fp2_t) : bool := + let c1_1468 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let '(x1_1469, x2_1470) := + x_1467 in + let tv1_1471 : fp_t := + (x1_1469) *% (x1_1469) in + let tv2_1472 : fp_t := + (x2_1470) *% (x2_1470) in + let tv1_1473 : fp_t := + (tv1_1471) +% (tv2_1472) in + let tv1_1474 : fp_t := + nat_mod_pow_self (tv1_1473) (c1_1468) in + let neg1_1475 : fp_t := + (nat_mod_zero ) -% (nat_mod_one ) in + (tv1_1474) !=.? (neg1_1475). + +Definition fp2exp (n_1476 : fp2_t) (k_1477 : fp_t) : fp2_t := + let c_1478 : (fp_t × fp_t) := + fp2fromfp (nat_mod_one ) in + let c_1478 := + foldi (usize 0) (usize 381) (fun i_1479 c_1478 => + let c_1478 := + fp2mul (c_1478) (c_1478) in + let '(c_1478) := + if nat_mod_bit (k_1477) ((usize 380) - (i_1479)):bool then ( + let c_1478 := + fp2mul (c_1478) (n_1476) in + (c_1478)) else ((c_1478)) in + (c_1478)) + c_1478 in + c_1478. + +Definition fp2_sqrt (a_1480 : fp2_t) : fp2_t := + let c1_1481 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_3_4_v)) : fp_t in + let c2_1482 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in + let a1_1483 : (fp_t × fp_t) := + fp2exp (a_1480) (c1_1481) in + let alpha_1484 : (fp_t × fp_t) := + fp2mul (a1_1483) (fp2mul (a1_1483) (a_1480)) in + let x0_1485 : (fp_t × fp_t) := + fp2mul (a1_1483) (a_1480) in + let neg1_1486 : (fp_t × fp_t) := + ((nat_mod_zero ) -% (nat_mod_one ), nat_mod_zero ) in + let b_1487 : (fp_t × fp_t) := + fp2exp (fp2add (fp2fromfp (nat_mod_one )) (alpha_1484)) (c2_1482) in + (if ((alpha_1484) =.? (neg1_1486)):bool then (fp2mul (( + nat_mod_zero , + nat_mod_one + )) (x0_1485)) else (fp2mul (b_1487) (x0_1485))). + +Definition g2_curve_func (x_1488 : fp2_t) : fp2_t := + fp2add (fp2mul (x_1488) (fp2mul (x_1488) (x_1488))) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t, + nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t + )). + +Definition g2_map_to_curve_svdw (u_1489 : fp2_t) : g2_t := + let z_1490 : (fp_t × fp_t) := + fp2neg (fp2fromfp (nat_mod_one )) in + let gz_1491 : (fp_t × fp_t) := + g2_curve_func (z_1490) in + let tv1_1492 : (fp_t × fp_t) := + fp2mul (fp2mul (u_1489) (u_1489)) (gz_1491) in + let tv2_1493 : (fp_t × fp_t) := + fp2add (fp2fromfp (nat_mod_one )) (tv1_1492) in + let tv1_1494 : (fp_t × fp_t) := + fp2sub (fp2fromfp (nat_mod_one )) (tv1_1492) in + let tv3_1495 : (fp_t × fp_t) := + fp2inv (fp2mul (tv1_1494) (tv2_1493)) in + let tv4_1496 : (fp_t × fp_t) := + fp2_sqrt (fp2mul (fp2neg (gz_1491)) (fp2mul (fp2fromfp ( + nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) (fp2mul ( + z_1490) (z_1490)))) in + let '(tv4_1496) := + if fp2_sgn0 (tv4_1496):bool then (let tv4_1496 := + fp2neg (tv4_1496) in + (tv4_1496)) else ((tv4_1496)) in + let tv5_1497 : (fp_t × fp_t) := + fp2mul (fp2mul (fp2mul (u_1489) (tv1_1494)) (tv3_1495)) (tv4_1496) in + let tv6_1498 : (fp_t × fp_t) := + fp2mul (fp2mul (fp2neg (fp2fromfp (nat_mod_from_literal (_) ( + @repr WORDSIZE128 4) : fp_t))) (gz_1491)) (fp2inv (fp2mul ( + fp2fromfp (nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) ( + fp2mul (z_1490) (z_1490)))) in + let x1_1499 : (fp_t × fp_t) := + fp2sub (fp2mul (fp2neg (z_1490)) (fp2inv (fp2fromfp (nat_mod_two )))) ( + tv5_1497) in + let x2_1500 : (fp_t × fp_t) := + fp2add (fp2mul (fp2neg (z_1490)) (fp2inv (fp2fromfp (nat_mod_two )))) ( + tv5_1497) in + let tv7_1501 : (fp_t × fp_t) := + fp2mul (fp2mul (tv2_1493) (tv2_1493)) (tv3_1495) in + let x3_1502 : (fp_t × fp_t) := + fp2add (z_1490) (fp2mul (tv6_1498) (fp2mul (tv7_1501) (tv7_1501))) in + let x_1503 : (fp_t × fp_t) := + (if (fp2_is_square (g2_curve_func (x1_1499))):bool then (x1_1499) else (( + if (fp2_is_square (g2_curve_func (x2_1500))):bool then ( + x2_1500) else (x3_1502)))) in + let y_1504 : (fp_t × fp_t) := + fp2_sqrt (g2_curve_func (x_1503)) in + let '(y_1504) := + if (fp2_sgn0 (u_1489)) !=.? (fp2_sgn0 (y_1504)):bool then (let y_1504 := + fp2neg (y_1504) in + (y_1504)) else ((y_1504)) in + (x_1503, y_1504, false). + +Definition psi (p_1505 : g2_t) : g2_t := + let c1_1506 : (fp_t × fp_t) := + fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( + nat_mod_one )) *% (nat_mod_inv (nat_mod_from_literal (_) ( + @repr WORDSIZE128 3) : fp_t)))) in + let c2_1507 : (fp_t × fp_t) := + fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( + nat_mod_one )) *% (nat_mod_inv (nat_mod_two )))) in + let '(x_1508, y_1509, inf_1510) := + p_1505 in + let qx_1511 : (fp_t × fp_t) := + fp2mul (c1_1506) (fp2conjugate (x_1508)) in + let qy_1512 : (fp_t × fp_t) := + fp2mul (c2_1507) (fp2conjugate (y_1509)) in + (qx_1511, qy_1512, inf_1510). + +Definition g2_clear_cofactor (p_1513 : g2_t) : g2_t := + let c1_1514 : scalar_t := + nat_mod_from_literal (_) ( + @repr WORDSIZE128 15132376222941642752) : scalar_t in + let t1_1515 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2mul (c1_1514) (p_1513) in + let t1_1516 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2neg (t1_1515) in + let t2_1517 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + psi (p_1513) in + let t3_1518 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2double (p_1513) in + let t3_1519 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + psi (psi (t3_1518)) in + let t3_1520 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2add (t3_1519) (g2neg (t2_1517)) in + let t2_1521 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2add (t1_1516) (t2_1517) in + let t2_1522 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2mul (c1_1514) (t2_1521) in + let t2_1523 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2neg (t2_1522) in + let t3_1524 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2add (t3_1520) (t2_1523) in + let t3_1525 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2add (t3_1524) (g2neg (t1_1516)) in + let q_1526 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2add (t3_1525) (g2neg (p_1513)) in + q_1526. + +Definition g2_hash_to_curve_svdw + (msg_1527 : byte_seq) + (dst_1528 : byte_seq) + : g2_t := + let u_1529 : seq fp2_t := + fp2_hash_to_field (msg_1527) (dst_1528) (usize 2) in + let q0_1530 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_map_to_curve_svdw (seq_index (u_1529) (usize 0)) in + let q1_1531 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_map_to_curve_svdw (seq_index (u_1529) (usize 1)) in + let r_1532 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2add (q0_1530) (q1_1531) in + let p_1533 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_clear_cofactor (r_1532) in + p_1533. + +Definition g2_encode_to_curve_svdw + (msg_1534 : byte_seq) + (dst_1535 : byte_seq) + : g2_t := + let u_1536 : seq fp2_t := + fp2_hash_to_field (msg_1534) (dst_1535) (usize 1) in + let q_1537 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_map_to_curve_svdw (seq_index (u_1536) (usize 0)) in + let p_1538 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_clear_cofactor (q_1537) in + p_1538. + +Definition g1_iso_a_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 5707120929990979) : int64; + secret (@repr WORDSIZE64 4425131892511951234) : int64; + secret (@repr WORDSIZE64 12748169179688756904) : int64; + secret (@repr WORDSIZE64 15629909748249821612) : int64; + secret (@repr WORDSIZE64 10994253769421683071) : int64; + secret (@repr WORDSIZE64 6698022561392380957) : int64 + ] in l). + +Definition g1_iso_b_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1360808972976160816) : int64; + secret (@repr WORDSIZE64 111203405409480251) : int64; + secret (@repr WORDSIZE64 2312248699302920304) : int64; + secret (@repr WORDSIZE64 11581500465278574325) : int64; + secret (@repr WORDSIZE64 6495071758858381989) : int64; + secret (@repr WORDSIZE64 15117538217124375520) : int64 + ] in l). + +Definition g1_xnum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1270119733718627136) : int64; + secret (@repr WORDSIZE64 13261148298159854981) : int64; + secret (@repr WORDSIZE64 7723742117508874335) : int64; + secret (@repr WORDSIZE64 17465657917644792520) : int64; + secret (@repr WORDSIZE64 6201670911048166766) : int64; + secret (@repr WORDSIZE64 12586459670690286007) : int64 + ] in l). + +Definition g1_xnum_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1668951808976071471) : int64; + secret (@repr WORDSIZE64 398773841247578140) : int64; + secret (@repr WORDSIZE64 8941869963990959127) : int64; + secret (@repr WORDSIZE64 17682789360670468203) : int64; + secret (@repr WORDSIZE64 5204176168283587414) : int64; + secret (@repr WORDSIZE64 16732261237459223483) : int64 + ] in l). + +Definition g1_xnum_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 960393023080265964) : int64; + secret (@repr WORDSIZE64 2094253841180170779) : int64; + secret (@repr WORDSIZE64 14844748873776858085) : int64; + secret (@repr WORDSIZE64 7528018573573808732) : int64; + secret (@repr WORDSIZE64 10776056440809943711) : int64; + secret (@repr WORDSIZE64 16147550488514976944) : int64 + ] in l). + +Definition g1_xnum_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1691355743628586423) : int64; + secret (@repr WORDSIZE64 5622191986793862162) : int64; + secret (@repr WORDSIZE64 15561595211679121189) : int64; + secret (@repr WORDSIZE64 17416319752018800771) : int64; + secret (@repr WORDSIZE64 5996228842464768403) : int64; + secret (@repr WORDSIZE64 14245880009877842017) : int64 + ] in l). + +Definition g1_xnum_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1051997788391994435) : int64; + secret (@repr WORDSIZE64 7368650625050054228) : int64; + secret (@repr WORDSIZE64 11086623519836470079) : int64; + secret (@repr WORDSIZE64 607681821319080984) : int64; + secret (@repr WORDSIZE64 10978131499682789316) : int64; + secret (@repr WORDSIZE64 5842660658088809945) : int64 + ] in l). + +Definition g1_xnum_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1598992431623377919) : int64; + secret (@repr WORDSIZE64 130921168661596853) : int64; + secret (@repr WORDSIZE64 15797696746983946651) : int64; + secret (@repr WORDSIZE64 11444679715590672272) : int64; + secret (@repr WORDSIZE64 11567228658253249817) : int64; + secret (@repr WORDSIZE64 14777367860349315459) : int64 + ] in l). + +Definition g1_xnum_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 967946631563726121) : int64; + secret (@repr WORDSIZE64 7653628713030275775) : int64; + secret (@repr WORDSIZE64 12760252618317466849) : int64; + secret (@repr WORDSIZE64 10378793938173061930) : int64; + secret (@repr WORDSIZE64 10205808941053849290) : int64; + secret (@repr WORDSIZE64 15985511645807504772) : int64 + ] in l). + +Definition g1_xnum_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1709149555065084898) : int64; + secret (@repr WORDSIZE64 16750075057192140371) : int64; + secret (@repr WORDSIZE64 3849985779734105521) : int64; + secret (@repr WORDSIZE64 11998370262181639475) : int64; + secret (@repr WORDSIZE64 4159013751748851119) : int64; + secret (@repr WORDSIZE64 11298218755092433038) : int64 + ] in l). + +Definition g1_xnum_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 580186936973955012) : int64; + secret (@repr WORDSIZE64 8903813505199544589) : int64; + secret (@repr WORDSIZE64 14140024565662700916) : int64; + secret (@repr WORDSIZE64 11728946595272970718) : int64; + secret (@repr WORDSIZE64 5738313744366653077) : int64; + secret (@repr WORDSIZE64 7886252005760951063) : int64 + ] in l). + +Definition g1_xnum_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1628930385436977092) : int64; + secret (@repr WORDSIZE64 3318087848058654498) : int64; + secret (@repr WORDSIZE64 15937899882900905113) : int64; + secret (@repr WORDSIZE64 7449821001803307903) : int64; + secret (@repr WORDSIZE64 11752436998487615353) : int64; + secret (@repr WORDSIZE64 9161465579737517214) : int64 + ] in l). + +Definition g1_xnum_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1167027828517898210) : int64; + secret (@repr WORDSIZE64 8275623842221021965) : int64; + secret (@repr WORDSIZE64 18049808134997311382) : int64; + secret (@repr WORDSIZE64 15351349873550116966) : int64; + secret (@repr WORDSIZE64 17769927732099571180) : int64; + secret (@repr WORDSIZE64 14584871380308065147) : int64 + ] in l). + +Definition g1_xnum_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 495550047642324592) : int64; + secret (@repr WORDSIZE64 13627494601717575229) : int64; + secret (@repr WORDSIZE64 3591512392926246844) : int64; + secret (@repr WORDSIZE64 2576269112800734056) : int64; + secret (@repr WORDSIZE64 14000314106239596831) : int64; + secret (@repr WORDSIZE64 12234233096825917993) : int64 + ] in l). + +Definition g1_xden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 633474091881273774) : int64; + secret (@repr WORDSIZE64 1779737893574802031) : int64; + secret (@repr WORDSIZE64 132274872219551930) : int64; + secret (@repr WORDSIZE64 11283074393783708770) : int64; + secret (@repr WORDSIZE64 13067430171545714168) : int64; + secret (@repr WORDSIZE64 11041975239630265116) : int64 + ] in l). + +Definition g1_xden_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1321272531362356291) : int64; + secret (@repr WORDSIZE64 5238936591227237942) : int64; + secret (@repr WORDSIZE64 8089002360232247308) : int64; + secret (@repr WORDSIZE64 82967328719421271) : int64; + secret (@repr WORDSIZE64 1430641118356186857) : int64; + secret (@repr WORDSIZE64 16557527386785790975) : int64 + ] in l). + +Definition g1_xden_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 804282852993868382) : int64; + secret (@repr WORDSIZE64 9311163821600184607) : int64; + secret (@repr WORDSIZE64 8037026956533927121) : int64; + secret (@repr WORDSIZE64 18205324308570099372) : int64; + secret (@repr WORDSIZE64 15466434890074226396) : int64; + secret (@repr WORDSIZE64 18213183315621985817) : int64 + ] in l). + +Definition g1_xden_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 234844145893171966) : int64; + secret (@repr WORDSIZE64 14428037799351479124) : int64; + secret (@repr WORDSIZE64 6559532710647391569) : int64; + secret (@repr WORDSIZE64 6110444250091843536) : int64; + secret (@repr WORDSIZE64 5293652763671852484) : int64; + secret (@repr WORDSIZE64 1373009181854280920) : int64 + ] in l). + +Definition g1_xden_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1416629893867312296) : int64; + secret (@repr WORDSIZE64 751851957792514173) : int64; + secret (@repr WORDSIZE64 18437674587247370939) : int64; + secret (@repr WORDSIZE64 10190314345946351322) : int64; + secret (@repr WORDSIZE64 11228207967368476701) : int64; + secret (@repr WORDSIZE64 6025034940388909598) : int64 + ] in l). + +Definition g1_xden_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1041270466333271993) : int64; + secret (@repr WORDSIZE64 6140956605115975401) : int64; + secret (@repr WORDSIZE64 4131830461445745997) : int64; + secret (@repr WORDSIZE64 739642499118176303) : int64; + secret (@repr WORDSIZE64 8358912131254619921) : int64; + secret (@repr WORDSIZE64 13847998906088228005) : int64 + ] in l). + +Definition g1_xden_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 536714149743900185) : int64; + secret (@repr WORDSIZE64 1098328982230230817) : int64; + secret (@repr WORDSIZE64 6273329123533496713) : int64; + secret (@repr WORDSIZE64 5633448088282521244) : int64; + secret (@repr WORDSIZE64 16894043798660571244) : int64; + secret (@repr WORDSIZE64 17016134625831438906) : int64 + ] in l). + +Definition g1_xden_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1488347500898461874) : int64; + secret (@repr WORDSIZE64 3509418672874520985) : int64; + secret (@repr WORDSIZE64 7962192351555381416) : int64; + secret (@repr WORDSIZE64 1843909372225399896) : int64; + secret (@repr WORDSIZE64 1127511003250156243) : int64; + secret (@repr WORDSIZE64 1294742680819751518) : int64 + ] in l). + +Definition g1_xden_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 725340084226051970) : int64; + secret (@repr WORDSIZE64 6814521545734988748) : int64; + secret (@repr WORDSIZE64 16176803544133875307) : int64; + secret (@repr WORDSIZE64 8363199516777220149) : int64; + secret (@repr WORDSIZE64 252877309218538352) : int64; + secret (@repr WORDSIZE64 5149562959837648449) : int64 + ] in l). + +Definition g1_xden_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 675470927100193492) : int64; + secret (@repr WORDSIZE64 5146891164735334016) : int64; + secret (@repr WORDSIZE64 17762958817130696759) : int64; + secret (@repr WORDSIZE64 8565656522589412373) : int64; + secret (@repr WORDSIZE64 10599026333335446784) : int64; + secret (@repr WORDSIZE64 3270603789344496906) : int64 + ] in l). + +Definition g1_ynum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 652344406751465184) : int64; + secret (@repr WORDSIZE64 2710356675495255290) : int64; + secret (@repr WORDSIZE64 1273695771440998738) : int64; + secret (@repr WORDSIZE64 3121750372618945491) : int64; + secret (@repr WORDSIZE64 14775319642720936898) : int64; + secret (@repr WORDSIZE64 13733803417833814835) : int64 + ] in l). + +Definition g1_ynum_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1389807578337138705) : int64; + secret (@repr WORDSIZE64 15352831428748068483) : int64; + secret (@repr WORDSIZE64 1307144967559264317) : int64; + secret (@repr WORDSIZE64 1121505450578652468) : int64; + secret (@repr WORDSIZE64 15475889019760388287) : int64; + secret (@repr WORDSIZE64 16183658160488302230) : int64 + ] in l). + +Definition g1_ynum_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 57553299067792998) : int64; + secret (@repr WORDSIZE64 17628079362768849300) : int64; + secret (@repr WORDSIZE64 2689461337731570914) : int64; + secret (@repr WORDSIZE64 14070580367580990887) : int64; + secret (@repr WORDSIZE64 15162865775551710499) : int64; + secret (@repr WORDSIZE64 13321614990632673782) : int64 + ] in l). + +Definition g1_ynum_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 141972750621744161) : int64; + secret (@repr WORDSIZE64 8689824239172478807) : int64; + secret (@repr WORDSIZE64 15288216298323671324) : int64; + secret (@repr WORDSIZE64 712874875091754233) : int64; + secret (@repr WORDSIZE64 16014900032503684588) : int64; + secret (@repr WORDSIZE64 11976580453200426187) : int64 + ] in l). + +Definition g1_ynum_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 633886036738506515) : int64; + secret (@repr WORDSIZE64 6678644607214234052) : int64; + secret (@repr WORDSIZE64 1825425679455244472) : int64; + secret (@repr WORDSIZE64 8755912272271186652) : int64; + secret (@repr WORDSIZE64 3379943669301788840) : int64; + secret (@repr WORDSIZE64 4735212769449148123) : int64 + ] in l). + +Definition g1_ynum_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1612358804494830442) : int64; + secret (@repr WORDSIZE64 2454990789666711200) : int64; + secret (@repr WORDSIZE64 8405916841409361853) : int64; + secret (@repr WORDSIZE64 8525415512662168654) : int64; + secret (@repr WORDSIZE64 2323684950984523890) : int64; + secret (@repr WORDSIZE64 11074978966450447856) : int64 + ] in l). + +Definition g1_ynum_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 336375361001233340) : int64; + secret (@repr WORDSIZE64 12882959944969186108) : int64; + secret (@repr WORDSIZE64 16671121624101127371) : int64; + secret (@repr WORDSIZE64 5922586712221110071) : int64; + secret (@repr WORDSIZE64 5163511947597922654) : int64; + secret (@repr WORDSIZE64 14511152726087948018) : int64 + ] in l). + +Definition g1_ynum_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 686738286210365551) : int64; + secret (@repr WORDSIZE64 16039894141796533876) : int64; + secret (@repr WORDSIZE64 1660145734357211167) : int64; + secret (@repr WORDSIZE64 18231571463891878950) : int64; + secret (@repr WORDSIZE64 4825120264949852469) : int64; + secret (@repr WORDSIZE64 11627815551290637097) : int64 + ] in l). + +Definition g1_ynum_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 719520515476580427) : int64; + secret (@repr WORDSIZE64 16756942182913253819) : int64; + secret (@repr WORDSIZE64 10320769399998235244) : int64; + secret (@repr WORDSIZE64 2200974244968450750) : int64; + secret (@repr WORDSIZE64 7626373186594408355) : int64; + secret (@repr WORDSIZE64 6933025920263103879) : int64 + ] in l). + +Definition g1_ynum_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1016611174344998325) : int64; + secret (@repr WORDSIZE64 2466492548686891555) : int64; + secret (@repr WORDSIZE64 14135124294293452542) : int64; + secret (@repr WORDSIZE64 475233659467912251) : int64; + secret (@repr WORDSIZE64 11186783513499056751) : int64; + secret (@repr WORDSIZE64 3147922594245844016) : int64 + ] in l). + +Definition g1_ynum_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1833315000454533566) : int64; + secret (@repr WORDSIZE64 1007974600900082579) : int64; + secret (@repr WORDSIZE64 14785260176242854207) : int64; + secret (@repr WORDSIZE64 15066861003931772432) : int64; + secret (@repr WORDSIZE64 3584647998681889532) : int64; + secret (@repr WORDSIZE64 16722834201330696498) : int64 + ] in l). + +Definition g1_ynum_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1780164921828767454) : int64; + secret (@repr WORDSIZE64 13337622794239929804) : int64; + secret (@repr WORDSIZE64 5923739534552515142) : int64; + secret (@repr WORDSIZE64 3345046972101780530) : int64; + secret (@repr WORDSIZE64 5321510883028162054) : int64; + secret (@repr WORDSIZE64 14846055306840460686) : int64 + ] in l). + +Definition g1_ynum_k_12_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 799438051374502809) : int64; + secret (@repr WORDSIZE64 15083972834952036164) : int64; + secret (@repr WORDSIZE64 8838227588559581326) : int64; + secret (@repr WORDSIZE64 13846054168121598783) : int64; + secret (@repr WORDSIZE64 488730451382505970) : int64; + secret (@repr WORDSIZE64 958146249756188408) : int64 + ] in l). + +Definition g1_ynum_k_13_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 163716820423854747) : int64; + secret (@repr WORDSIZE64 8285498163857659356) : int64; + secret (@repr WORDSIZE64 8465424830341846400) : int64; + secret (@repr WORDSIZE64 1433942577299613084) : int64; + secret (@repr WORDSIZE64 14325828012864645732) : int64; + secret (@repr WORDSIZE64 4817114329354076467) : int64 + ] in l). + +Definition g1_ynum_k_14_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 414658151749832465) : int64; + secret (@repr WORDSIZE64 189531577938912252) : int64; + secret (@repr WORDSIZE64 6802473390048830824) : int64; + secret (@repr WORDSIZE64 15684647020317539556) : int64; + secret (@repr WORDSIZE64 7755485098777620407) : int64; + secret (@repr WORDSIZE64 9685868895687483979) : int64 + ] in l). + +Definition g1_ynum_k_15_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1578157964224562126) : int64; + secret (@repr WORDSIZE64 5666948055268535989) : int64; + secret (@repr WORDSIZE64 14634479491382401593) : int64; + secret (@repr WORDSIZE64 6317940024988860850) : int64; + secret (@repr WORDSIZE64 13142913832013798519) : int64; + secret (@repr WORDSIZE64 338991247778166276) : int64 + ] in l). + +Definition g1_yden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1590100849350973618) : int64; + secret (@repr WORDSIZE64 5915497081334721257) : int64; + secret (@repr WORDSIZE64 6924968209373727718) : int64; + secret (@repr WORDSIZE64 17204633670617869946) : int64; + secret (@repr WORDSIZE64 572916540828819565) : int64; + secret (@repr WORDSIZE64 92203205520679873) : int64 + ] in l). + +Definition g1_yden_k_1_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1829261189398470686) : int64; + secret (@repr WORDSIZE64 1877083417397643448) : int64; + secret (@repr WORDSIZE64 9640042925497046428) : int64; + secret (@repr WORDSIZE64 11862766565471805471) : int64; + secret (@repr WORDSIZE64 8693114993904885301) : int64; + secret (@repr WORDSIZE64 3672140328108400701) : int64 + ] in l). + +Definition g1_yden_k_2_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 400243331105348135) : int64; + secret (@repr WORDSIZE64 8046435537999802711) : int64; + secret (@repr WORDSIZE64 8702226981475745585) : int64; + secret (@repr WORDSIZE64 879791671491744492) : int64; + secret (@repr WORDSIZE64 11994630442058346377) : int64; + secret (@repr WORDSIZE64 2172204746352322546) : int64 + ] in l). + +Definition g1_yden_k_3_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1637008473169220501) : int64; + secret (@repr WORDSIZE64 17441636237435581649) : int64; + secret (@repr WORDSIZE64 15066165676546511630) : int64; + secret (@repr WORDSIZE64 1314387578457599809) : int64; + secret (@repr WORDSIZE64 8247046336453711789) : int64; + secret (@repr WORDSIZE64 12164906044230685718) : int64 + ] in l). + +Definition g1_yden_k_4_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 855930740911588324) : int64; + secret (@repr WORDSIZE64 12685735333705453020) : int64; + secret (@repr WORDSIZE64 14326404096614579120) : int64; + secret (@repr WORDSIZE64 6066025509460822294) : int64; + secret (@repr WORDSIZE64 11676450493790612973) : int64; + secret (@repr WORDSIZE64 15724621714793234461) : int64 + ] in l). + +Definition g1_yden_k_5_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 637792788410719021) : int64; + secret (@repr WORDSIZE64 11507373155986977154) : int64; + secret (@repr WORDSIZE64 13186912195705886849) : int64; + secret (@repr WORDSIZE64 14262012144631372388) : int64; + secret (@repr WORDSIZE64 5328758613570342114) : int64; + secret (@repr WORDSIZE64 199925847119476652) : int64 + ] in l). + +Definition g1_yden_k_6_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1612297190139091759) : int64; + secret (@repr WORDSIZE64 14103733843373163083) : int64; + secret (@repr WORDSIZE64 6840121186619029743) : int64; + secret (@repr WORDSIZE64 6760859324815900753) : int64; + secret (@repr WORDSIZE64 15418807805142572985) : int64; + secret (@repr WORDSIZE64 4402853133867972444) : int64 + ] in l). + +Definition g1_yden_k_7_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1631410310868805610) : int64; + secret (@repr WORDSIZE64 269334146695233390) : int64; + secret (@repr WORDSIZE64 16547411811928854487) : int64; + secret (@repr WORDSIZE64 18353100669930795314) : int64; + secret (@repr WORDSIZE64 13339932232668798692) : int64; + secret (@repr WORDSIZE64 6984591927261867737) : int64 + ] in l). + +Definition g1_yden_k_8_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1758313625630302499) : int64; + secret (@repr WORDSIZE64 1881349400343039172) : int64; + secret (@repr WORDSIZE64 18013005311323887904) : int64; + secret (@repr WORDSIZE64 12377427846571989832) : int64; + secret (@repr WORDSIZE64 5967237584920922243) : int64; + secret (@repr WORDSIZE64 7720081932193848650) : int64 + ] in l). + +Definition g1_yden_k_9_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1619701357752249884) : int64; + secret (@repr WORDSIZE64 16898074901591262352) : int64; + secret (@repr WORDSIZE64 3609344159736760251) : int64; + secret (@repr WORDSIZE64 5983130161189999867) : int64; + secret (@repr WORDSIZE64 14355327869992416094) : int64; + secret (@repr WORDSIZE64 3778226018344582997) : int64 + ] in l). + +Definition g1_yden_k_10_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 347606589330687421) : int64; + secret (@repr WORDSIZE64 5255719044972187933) : int64; + secret (@repr WORDSIZE64 11271894388753671721) : int64; + secret (@repr WORDSIZE64 1033887512062764488) : int64; + secret (@repr WORDSIZE64 8189165486932690436) : int64; + secret (@repr WORDSIZE64 70004379462101672) : int64 + ] in l). + +Definition g1_yden_k_11_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 778202887894139711) : int64; + secret (@repr WORDSIZE64 17691595219776375879) : int64; + secret (@repr WORDSIZE64 9193253711563866834) : int64; + secret (@repr WORDSIZE64 10092455202333888821) : int64; + secret (@repr WORDSIZE64 1655469341950262250) : int64; + secret (@repr WORDSIZE64 10845992994110574738) : int64 + ] in l). + +Definition g1_yden_k_12_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 781015344221683683) : int64; + secret (@repr WORDSIZE64 14078588081290548374) : int64; + secret (@repr WORDSIZE64 6067271023149908518) : int64; + secret (@repr WORDSIZE64 9033357708497886086) : int64; + secret (@repr WORDSIZE64 10592474449179118273) : int64; + secret (@repr WORDSIZE64 2204988348113831372) : int64 + ] in l). + +Definition g1_yden_k_13_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 172830037692534587) : int64; + secret (@repr WORDSIZE64 7101012286790006514) : int64; + secret (@repr WORDSIZE64 13787308004332873665) : int64; + secret (@repr WORDSIZE64 14660498759553796110) : int64; + secret (@repr WORDSIZE64 4757234684169342080) : int64; + secret (@repr WORDSIZE64 15130647872920159991) : int64 + ] in l). + +Definition g1_yden_k_14_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1013206390650290238) : int64; + secret (@repr WORDSIZE64 7720336747103001025) : int64; + secret (@repr WORDSIZE64 8197694151986493523) : int64; + secret (@repr WORDSIZE64 3625112747029342752) : int64; + secret (@repr WORDSIZE64 6675167463148394368) : int64; + secret (@repr WORDSIZE64 4905905684016745359) : int64 + ] in l). + +Definition g1_simple_swu_iso (u_1539 : fp_t) : (fp_t × fp_t) := + let z_1540 : fp_t := + nat_mod_from_literal (_) (@repr WORDSIZE128 11) : fp_t in + let a_1541 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_a_v)) : fp_t in + let b_1542 : fp_t := + nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_b_v)) : fp_t in + let tv1_1543 : fp_t := + nat_mod_inv ((((z_1540) *% (z_1540)) *% (nat_mod_exp (u_1539) ( + @repr WORDSIZE32 4))) +% (((z_1540) *% (u_1539)) *% (u_1539))) in + let x1_1544 : fp_t := + (((nat_mod_zero ) -% (b_1542)) *% (nat_mod_inv (a_1541))) *% (( + nat_mod_one ) +% (tv1_1543)) in + let '(x1_1544) := + if (tv1_1543) =.? (nat_mod_zero ):bool then (let x1_1544 := + (b_1542) *% (nat_mod_inv ((z_1540) *% (a_1541))) in + (x1_1544)) else ((x1_1544)) in + let gx1_1545 : fp_t := + ((nat_mod_exp (x1_1544) (@repr WORDSIZE32 3)) +% ((a_1541) *% ( + x1_1544))) +% (b_1542) in + let x2_1546 : fp_t := + (((z_1540) *% (u_1539)) *% (u_1539)) *% (x1_1544) in + let gx2_1547 : fp_t := + ((nat_mod_exp (x2_1546) (@repr WORDSIZE32 3)) +% ((a_1541) *% ( + x2_1546))) +% (b_1542) in + let '(x_1548, y_1549) := + (if (fp_is_square (gx1_1545)):bool then ((x1_1544, fp_sqrt (gx1_1545) + )) else ((x2_1546, fp_sqrt (gx2_1547)))) in + let '(y_1549) := + if (fp_sgn0 (u_1539)) !=.? (fp_sgn0 (y_1549)):bool then (let y_1549 := + (nat_mod_zero ) -% (y_1549) in + (y_1549)) else ((y_1549)) in + (x_1548, y_1549). + +Definition g1_isogeny_map (x_1550 : fp_t) (y_1551 : fp_t) : g1_t := + let xnum_k_1552 : seq fp_t := + seq_new_ (default) (usize 12) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_0_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_1_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_2_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_3_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_4_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_5_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_6_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_7_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_8_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xnum_k_9_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_xnum_k_10_v)) : fp_t) in + let xnum_k_1552 := + seq_upd xnum_k_1552 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_xnum_k_11_v)) : fp_t) in + let xden_k_1553 : seq fp_t := + seq_new_ (default) (usize 10) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_0_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_1_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_2_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_3_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_4_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_5_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_6_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_7_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_8_v)) : fp_t) in + let xden_k_1553 := + seq_upd xden_k_1553 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_xden_k_9_v)) : fp_t) in + let ynum_k_1554 : seq fp_t := + seq_new_ (default) (usize 16) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_0_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_1_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_2_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_3_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_4_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_5_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_6_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_7_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_8_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_ynum_k_9_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_10_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_11_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 12) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_12_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 13) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_13_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 14) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_14_v)) : fp_t) in + let ynum_k_1554 := + seq_upd ynum_k_1554 (usize 15) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_ynum_k_15_v)) : fp_t) in + let yden_k_1555 : seq fp_t := + seq_new_ (default) (usize 15) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_0_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_1_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_2_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_3_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_4_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_5_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_6_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_7_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_8_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( + g1_yden_k_9_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 10) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_10_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 11) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_11_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 12) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_12_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 13) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_13_v)) : fp_t) in + let yden_k_1555 := + seq_upd yden_k_1555 (usize 14) (nat_mod_from_byte_seq_be ( + array_to_be_bytes (g1_yden_k_14_v)) : fp_t) in + let xnum_1556 : fp_t := + nat_mod_zero in + let xx_1557 : fp_t := + nat_mod_one in + let '(xnum_1556, xx_1557) := + foldi (usize 0) (seq_len (xnum_k_1552)) (fun i_1558 '(xnum_1556, xx_1557) => + let xnum_1556 := + (xnum_1556) +% ((xx_1557) *% (seq_index (xnum_k_1552) (i_1558))) in + let xx_1557 := + (xx_1557) *% (x_1550) in + (xnum_1556, xx_1557)) + (xnum_1556, xx_1557) in + let xden_1559 : fp_t := + nat_mod_zero in + let xx_1560 : fp_t := + nat_mod_one in + let '(xden_1559, xx_1560) := + foldi (usize 0) (seq_len (xden_k_1553)) (fun i_1561 '(xden_1559, xx_1560) => + let xden_1559 := + (xden_1559) +% ((xx_1560) *% (seq_index (xden_k_1553) (i_1561))) in + let xx_1560 := + (xx_1560) *% (x_1550) in + (xden_1559, xx_1560)) + (xden_1559, xx_1560) in + let xden_1559 := + (xden_1559) +% (xx_1560) in + let ynum_1562 : fp_t := + nat_mod_zero in + let xx_1563 : fp_t := + nat_mod_one in + let '(ynum_1562, xx_1563) := + foldi (usize 0) (seq_len (ynum_k_1554)) (fun i_1564 '(ynum_1562, xx_1563) => + let ynum_1562 := + (ynum_1562) +% ((xx_1563) *% (seq_index (ynum_k_1554) (i_1564))) in + let xx_1563 := + (xx_1563) *% (x_1550) in + (ynum_1562, xx_1563)) + (ynum_1562, xx_1563) in + let yden_1565 : fp_t := + nat_mod_zero in + let xx_1566 : fp_t := + nat_mod_one in + let '(yden_1565, xx_1566) := + foldi (usize 0) (seq_len (yden_k_1555)) (fun i_1567 '(yden_1565, xx_1566) => + let yden_1565 := + (yden_1565) +% ((xx_1566) *% (seq_index (yden_k_1555) (i_1567))) in + let xx_1566 := + (xx_1566) *% (x_1550) in + (yden_1565, xx_1566)) + (yden_1565, xx_1566) in + let yden_1565 := + (yden_1565) +% (xx_1566) in + let xr_1568 : fp_t := + (xnum_1556) *% (nat_mod_inv (xden_1559)) in + let yr_1569 : fp_t := + ((y_1551) *% (ynum_1562)) *% (nat_mod_inv (yden_1565)) in + let inf_1570 : bool := + false in + let '(inf_1570) := + if ((xden_1559) =.? (nat_mod_zero )) || ((yden_1565) =.? ( + nat_mod_zero )):bool then (let inf_1570 := + true in + (inf_1570)) else ((inf_1570)) in + (xr_1568, yr_1569, inf_1570). + +Definition g1_map_to_curve_sswu (u_1571 : fp_t) : g1_t := + let '(xp_1572, yp_1573) := + g1_simple_swu_iso (u_1571) in + let p_1574 : (fp_t × fp_t × bool) := + g1_isogeny_map (xp_1572) (yp_1573) in + p_1574. + +Definition g1_hash_to_curve_sswu + (msg_1575 : byte_seq) + (dst_1576 : byte_seq) + : g1_t := + let u_1577 : seq fp_t := + fp_hash_to_field (msg_1575) (dst_1576) (usize 2) in + let q0_1578 : (fp_t × fp_t × bool) := + g1_map_to_curve_sswu (seq_index (u_1577) (usize 0)) in + let q1_1579 : (fp_t × fp_t × bool) := + g1_map_to_curve_sswu (seq_index (u_1577) (usize 1)) in + let r_1580 : (fp_t × fp_t × bool) := + g1add (q0_1578) (q1_1579) in + let p_1581 : (fp_t × fp_t × bool) := + g1_clear_cofactor (r_1580) in + p_1581. + +Definition g1_encode_to_curve_sswu + (msg_1582 : byte_seq) + (dst_1583 : byte_seq) + : g1_t := + let u_1584 : seq fp_t := + fp_hash_to_field (msg_1582) (dst_1583) (usize 1) in + let q_1585 : (fp_t × fp_t × bool) := + g1_map_to_curve_sswu (seq_index (u_1584) (usize 0)) in + let p_1586 : (fp_t × fp_t × bool) := + g1_clear_cofactor (q_1585) in + p_1586. + +Definition g2_xnum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 416399692810564414) : int64; + secret (@repr WORDSIZE64 13500519111022079365) : int64; + secret (@repr WORDSIZE64 3658379999393219626) : int64; + secret (@repr WORDSIZE64 9850925049107374429) : int64; + secret (@repr WORDSIZE64 6640057249351452444) : int64; + secret (@repr WORDSIZE64 7077594464397203414) : int64 + ] in l). + +Definition g2_xnum_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058522) : int64 + ] in l). + +Definition g2_xnum_k_2_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058526) : int64 + ] in l). + +Definition g2_xnum_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 624599539215846622) : int64; + secret (@repr WORDSIZE64 1804034592823567431) : int64; + secret (@repr WORDSIZE64 14710942035944605247) : int64; + secret (@repr WORDSIZE64 14776387573661061644) : int64; + secret (@repr WORDSIZE64 736713837172402858) : int64; + secret (@repr WORDSIZE64 10616391696595805069) : int64 + ] in l). + +Definition g2_xnum_k_3_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1665598771242257658) : int64; + secret (@repr WORDSIZE64 17108588296669214228) : int64; + secret (@repr WORDSIZE64 14633519997572878506) : int64; + secret (@repr WORDSIZE64 2510212049010394485) : int64; + secret (@repr WORDSIZE64 8113484923696258161) : int64; + secret (@repr WORDSIZE64 9863633783879261905) : int64 + ] in l). + +Definition g2_xden_k_0_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863523) : int64 + ] in l). + +Definition g2_xden_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863583) : int64 + ] in l). + +Definition g2_ynum_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1526798873638736187) : int64; + secret (@repr WORDSIZE64 6459500568425337235) : int64; + secret (@repr WORDSIZE64 1116230615302104219) : int64; + secret (@repr WORDSIZE64 17673314439684154624) : int64; + secret (@repr WORDSIZE64 18197961889718808424) : int64; + secret (@repr WORDSIZE64 1355520937843676934) : int64 + ] in l). + +Definition g2_ynum_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 416399692810564414) : int64; + secret (@repr WORDSIZE64 13500519111022079365) : int64; + secret (@repr WORDSIZE64 3658379999393219626) : int64; + secret (@repr WORDSIZE64 9850925049107374429) : int64; + secret (@repr WORDSIZE64 6640057249351452444) : int64; + secret (@repr WORDSIZE64 7077594464397203390) : int64 + ] in l). + +Definition g2_ynum_k_2_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1249199078431693244) : int64; + secret (@repr WORDSIZE64 3608069185647134863) : int64; + secret (@repr WORDSIZE64 10975139998179658879) : int64; + secret (@repr WORDSIZE64 11106031073612571672) : int64; + secret (@repr WORDSIZE64 1473427674344805717) : int64; + secret (@repr WORDSIZE64 2786039319482058524) : int64 + ] in l). + +Definition g2_ynum_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 624599539215846622) : int64; + secret (@repr WORDSIZE64 1804034592823567431) : int64; + secret (@repr WORDSIZE64 14710942035944605247) : int64; + secret (@repr WORDSIZE64 14776387573661061644) : int64; + secret (@repr WORDSIZE64 736713837172402858) : int64; + secret (@repr WORDSIZE64 10616391696595805071) : int64 + ] in l). + +Definition g2_ynum_k_3_r_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1318599027233453979) : int64; + secret (@repr WORDSIZE64 18155985086623849168) : int64; + secret (@repr WORDSIZE64 8510412652460270214) : int64; + secret (@repr WORDSIZE64 12747851915130467410) : int64; + secret (@repr WORDSIZE64 5654561228188306393) : int64; + secret (@repr WORDSIZE64 16263467779354626832) : int64 + ] in l). + +Definition g2_yden_k_0_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863163) : int64 + ] in l). + +Definition g2_yden_k_1_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863379) : int64 + ] in l). + +Definition g2_yden_k_2_i_v : arr_fp_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 1873798617647539866) : int64; + secret (@repr WORDSIZE64 5412103778470702295) : int64; + secret (@repr WORDSIZE64 7239337960414712511) : int64; + secret (@repr WORDSIZE64 7435674573564081700) : int64; + secret (@repr WORDSIZE64 2210141511517208575) : int64; + secret (@repr WORDSIZE64 13402431016077863577) : int64 + ] in l). + +Definition g2_simple_swu_iso (u_1587 : fp2_t) : (fp2_t × fp2_t) := + let z_1588 : (fp_t × fp_t) := + fp2neg ((nat_mod_two , nat_mod_one )) in + let a_1589 : (fp_t × fp_t) := + (nat_mod_zero , nat_mod_from_literal (_) (@repr WORDSIZE128 240) : fp_t) in + let b_1590 : (fp_t × fp_t) := + ( + nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t, + nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t + ) in + let tv1_1591 : (fp_t × fp_t) := + fp2inv (fp2add (fp2mul (fp2mul (z_1588) (z_1588)) (fp2mul (fp2mul (u_1587) ( + u_1587)) (fp2mul (u_1587) (u_1587)))) (fp2mul (z_1588) (fp2mul ( + u_1587) (u_1587)))) in + let x1_1592 : (fp_t × fp_t) := + fp2mul (fp2mul (fp2neg (b_1590)) (fp2inv (a_1589))) (fp2add (fp2fromfp ( + nat_mod_one )) (tv1_1591)) in + let '(x1_1592) := + if (tv1_1591) =.? (fp2zero ):bool then (let x1_1592 := + fp2mul (b_1590) (fp2inv (fp2mul (z_1588) (a_1589))) in + (x1_1592)) else ((x1_1592)) in + let gx1_1593 : (fp_t × fp_t) := + fp2add (fp2add (fp2mul (fp2mul (x1_1592) (x1_1592)) (x1_1592)) (fp2mul ( + a_1589) (x1_1592))) (b_1590) in + let x2_1594 : (fp_t × fp_t) := + fp2mul (fp2mul (z_1588) (fp2mul (u_1587) (u_1587))) (x1_1592) in + let gx2_1595 : (fp_t × fp_t) := + fp2add (fp2add (fp2mul (fp2mul (x2_1594) (x2_1594)) (x2_1594)) (fp2mul ( + a_1589) (x2_1594))) (b_1590) in + let '(x_1596, y_1597) := + (if (fp2_is_square (gx1_1593)):bool then ((x1_1592, fp2_sqrt (gx1_1593) + )) else ((x2_1594, fp2_sqrt (gx2_1595)))) in + let '(y_1597) := + if (fp2_sgn0 (u_1587)) !=.? (fp2_sgn0 (y_1597)):bool then (let y_1597 := + fp2neg (y_1597) in + (y_1597)) else ((y_1597)) in + (x_1596, y_1597). + +Definition g2_isogeny_map (x_1598 : fp2_t) (y_1599 : fp2_t) : g2_t := + let xnum_k_1600 : seq (fp_t × fp_t) := + seq_new_ (default) (usize 4) in + let xnum_k_1600 := + seq_upd xnum_k_1600 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t + )) in + let xnum_k_1600 := + seq_upd xnum_k_1600 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_1_i_v)) : fp_t + )) in + let xnum_k_1600 := + seq_upd xnum_k_1600 (usize 2) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_r_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_i_v)) : fp_t + )) in + let xnum_k_1600 := + seq_upd xnum_k_1600 (usize 3) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_3_r_v)) : fp_t, + nat_mod_zero + )) in + let xden_k_1601 : seq (fp_t × fp_t) := + seq_new_ (default) (usize 2) in + let xden_k_1601 := + seq_upd xden_k_1601 (usize 0) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_0_i_v)) : fp_t + )) in + let xden_k_1601 := + seq_upd xden_k_1601 (usize 1) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 12) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_1_i_v)) : fp_t + )) in + let ynum_k_1602 : seq (fp_t × fp_t) := + seq_new_ (default) (usize 4) in + let ynum_k_1602 := + seq_upd ynum_k_1602 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t + )) in + let ynum_k_1602 := + seq_upd ynum_k_1602 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_1_i_v)) : fp_t + )) in + let ynum_k_1602 := + seq_upd ynum_k_1602 (usize 2) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_r_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_i_v)) : fp_t + )) in + let ynum_k_1602 := + seq_upd ynum_k_1602 (usize 3) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_3_r_v)) : fp_t, + nat_mod_zero + )) in + let yden_k_1603 : seq (fp_t × fp_t) := + seq_new_ (default) (usize 3) in + let yden_k_1603 := + seq_upd yden_k_1603 (usize 0) (( + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t + )) in + let yden_k_1603 := + seq_upd yden_k_1603 (usize 1) (( + nat_mod_zero , + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_1_i_v)) : fp_t + )) in + let yden_k_1603 := + seq_upd yden_k_1603 (usize 2) (( + nat_mod_from_literal (_) (@repr WORDSIZE128 18) : fp_t, + nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_2_i_v)) : fp_t + )) in + let xnum_1604 : (fp_t × fp_t) := + fp2zero in + let xx_1605 : (fp_t × fp_t) := + fp2fromfp (nat_mod_one ) in + let '(xnum_1604, xx_1605) := + foldi (usize 0) (seq_len (xnum_k_1600)) (fun i_1606 '(xnum_1604, xx_1605) => + let xnum_1604 := + fp2add (xnum_1604) (fp2mul (xx_1605) (seq_index (xnum_k_1600) ( + i_1606))) in + let xx_1605 := + fp2mul (xx_1605) (x_1598) in + (xnum_1604, xx_1605)) + (xnum_1604, xx_1605) in + let xden_1607 : (fp_t × fp_t) := + fp2zero in + let xx_1608 : (fp_t × fp_t) := + fp2fromfp (nat_mod_one ) in + let '(xden_1607, xx_1608) := + foldi (usize 0) (seq_len (xden_k_1601)) (fun i_1609 '(xden_1607, xx_1608) => + let xden_1607 := + fp2add (xden_1607) (fp2mul (xx_1608) (seq_index (xden_k_1601) ( + i_1609))) in + let xx_1608 := + fp2mul (xx_1608) (x_1598) in + (xden_1607, xx_1608)) + (xden_1607, xx_1608) in + let xden_1607 := + fp2add (xden_1607) (xx_1608) in + let ynum_1610 : (fp_t × fp_t) := + fp2zero in + let xx_1611 : (fp_t × fp_t) := + fp2fromfp (nat_mod_one ) in + let '(ynum_1610, xx_1611) := + foldi (usize 0) (seq_len (ynum_k_1602)) (fun i_1612 '(ynum_1610, xx_1611) => + let ynum_1610 := + fp2add (ynum_1610) (fp2mul (xx_1611) (seq_index (ynum_k_1602) ( + i_1612))) in + let xx_1611 := + fp2mul (xx_1611) (x_1598) in + (ynum_1610, xx_1611)) + (ynum_1610, xx_1611) in + let yden_1613 : (fp_t × fp_t) := + fp2zero in + let xx_1614 : (fp_t × fp_t) := + fp2fromfp (nat_mod_one ) in + let '(yden_1613, xx_1614) := + foldi (usize 0) (seq_len (yden_k_1603)) (fun i_1615 '(yden_1613, xx_1614) => + let yden_1613 := + fp2add (yden_1613) (fp2mul (xx_1614) (seq_index (yden_k_1603) ( + i_1615))) in + let xx_1614 := + fp2mul (xx_1614) (x_1598) in + (yden_1613, xx_1614)) + (yden_1613, xx_1614) in + let yden_1613 := + fp2add (yden_1613) (xx_1614) in + let xr_1616 : (fp_t × fp_t) := + fp2mul (xnum_1604) (fp2inv (xden_1607)) in + let yr_1617 : (fp_t × fp_t) := + fp2mul (y_1599) (fp2mul (ynum_1610) (fp2inv (yden_1613))) in + let inf_1618 : bool := + false in + let '(inf_1618) := + if ((xden_1607) =.? (fp2zero )) || ((yden_1613) =.? (fp2zero )):bool then ( + let inf_1618 := + true in + (inf_1618)) else ((inf_1618)) in + (xr_1616, yr_1617, inf_1618). + +Definition g2_map_to_curve_sswu (u_1619 : fp2_t) : g2_t := + let '(xp_1620, yp_1621) := + g2_simple_swu_iso (u_1619) in + let p_1622 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_isogeny_map (xp_1620) (yp_1621) in + p_1622. + +Definition g2_hash_to_curve_sswu + (msg_1623 : byte_seq) + (dst_1624 : byte_seq) + : g2_t := + let u_1625 : seq fp2_t := + fp2_hash_to_field (msg_1623) (dst_1624) (usize 2) in + let q0_1626 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_map_to_curve_sswu (seq_index (u_1625) (usize 0)) in + let q1_1627 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_map_to_curve_sswu (seq_index (u_1625) (usize 1)) in + let r_1628 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2add (q0_1626) (q1_1627) in + let p_1629 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_clear_cofactor (r_1628) in + p_1629. + +Definition g2_encode_to_curve_sswu + (msg_1630 : byte_seq) + (dst_1631 : byte_seq) + : g2_t := + let u_1632 : seq fp2_t := + fp2_hash_to_field (msg_1630) (dst_1631) (usize 1) in + let q_1633 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_map_to_curve_sswu (seq_index (u_1632) (usize 0)) in + let p_1634 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := + g2_clear_cofactor (q_1633) in + p_1634. + diff --git a/proof-libs/coq/src/_vc/Hacspec_Chacha20.v b/proof-libs/coq/src/_vc/Hacspec_Chacha20.v new file mode 100644 index 000000000..f99e1874c --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Chacha20.v @@ -0,0 +1,222 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition state_t := nseq (uint32) (usize 16). + +Definition state_idx_t := + nat_mod (usize 16). +Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. +Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. + +Definition constants_t := nseq (uint32) (usize 4). + +Definition constants_idx_t := + nat_mod (usize 4). +Definition uint_size_in_constants_idx_t(n : uint_size) : constants_idx_t := int_in_nat_mod n. +Coercion uint_size_in_constants_idx_t : uint_size >-> constants_idx_t. + +Definition block_t := nseq (uint8) (usize 64). + +Definition cha_cha_iv_t := nseq (uint8) (usize 12). + +Definition cha_cha_key_t := nseq (uint8) (usize 32). + +Definition chacha20_line + (a_345 : state_idx_t) + (b_346 : state_idx_t) + (d_347 : state_idx_t) + (s_348 : uint_size) + (m_349 : state_t) + : state_t := + let state_350 : state_t := + m_349 in + let state_350 := + array_upd state_350 (a_345) ((array_index (state_350) (a_345)) .+ ( + array_index (state_350) (b_346))) in + let state_350 := + array_upd state_350 (d_347) ((array_index (state_350) (d_347)) .^ ( + array_index (state_350) (a_345))) in + let state_350 := + array_upd state_350 (d_347) (uint32_rotate_left (array_index (state_350) ( + d_347)) (s_348)) in + state_350. + +Definition chacha20_quarter_round + (a_351 : state_idx_t) + (b_352 : state_idx_t) + (c_353 : state_idx_t) + (d_354 : state_idx_t) + (state_355 : state_t) + : state_t := + let state_356 : state_t := + chacha20_line (a_351) (b_352) (d_354) (usize 16) (state_355) in + let state_357 : state_t := + chacha20_line (c_353) (d_354) (b_352) (usize 12) (state_356) in + let state_358 : state_t := + chacha20_line (a_351) (b_352) (d_354) (usize 8) (state_357) in + chacha20_line (c_353) (d_354) (b_352) (usize 7) (state_358). + +Definition chacha20_double_round (state_359 : state_t) : state_t := + let state_360 : state_t := + chacha20_quarter_round (usize 0) (usize 4) (usize 8) (usize 12) ( + state_359) in + let state_361 : state_t := + chacha20_quarter_round (usize 1) (usize 5) (usize 9) (usize 13) ( + state_360) in + let state_362 : state_t := + chacha20_quarter_round (usize 2) (usize 6) (usize 10) (usize 14) ( + state_361) in + let state_363 : state_t := + chacha20_quarter_round (usize 3) (usize 7) (usize 11) (usize 15) ( + state_362) in + let state_364 : state_t := + chacha20_quarter_round (usize 0) (usize 5) (usize 10) (usize 15) ( + state_363) in + let state_365 : state_t := + chacha20_quarter_round (usize 1) (usize 6) (usize 11) (usize 12) ( + state_364) in + let state_366 : state_t := + chacha20_quarter_round (usize 2) (usize 7) (usize 8) (usize 13) ( + state_365) in + chacha20_quarter_round (usize 3) (usize 4) (usize 9) (usize 14) (state_366). + +Definition chacha20_rounds (state_367 : state_t) : state_t := + let st_368 : state_t := + state_367 in + let st_368 := + foldi (usize 0) (usize 10) (fun i_369 st_368 => + let st_368 := + chacha20_double_round (st_368) in + (st_368)) + st_368 in + st_368. + +Definition chacha20_core (ctr_370 : uint32) (st0_371 : state_t) : state_t := + let state_372 : state_t := + st0_371 in + let state_372 := + array_upd state_372 (usize 12) ((array_index (state_372) (usize 12)) .+ ( + ctr_370)) in + let k_373 : state_t := + chacha20_rounds (state_372) in + (k_373) array_add (state_372). + +Definition chacha20_constants_init : constants_t := + let constants_374 : constants_t := + array_new_ (default) (4) in + let constants_374 := + array_upd constants_374 (usize 0) (secret ( + @repr WORDSIZE32 1634760805) : int32) in + let constants_374 := + array_upd constants_374 (usize 1) (secret ( + @repr WORDSIZE32 857760878) : int32) in + let constants_374 := + array_upd constants_374 (usize 2) (secret ( + @repr WORDSIZE32 2036477234) : int32) in + let constants_374 := + array_upd constants_374 (usize 3) (secret ( + @repr WORDSIZE32 1797285236) : int32) in + constants_374. + +Definition chacha20_init + (key_375 : cha_cha_key_t) + (iv_376 : cha_cha_iv_t) + (ctr_377 : uint32) + : state_t := + let st_378 : state_t := + array_new_ (default) (16) in + let st_378 := + array_update (st_378) (usize 0) ( + array_to_seq (chacha20_constants_init )) in + let st_378 := + array_update (st_378) (usize 4) (array_to_le_uint32s (key_375)) in + let st_378 := + array_upd st_378 (usize 12) (ctr_377) in + let st_378 := + array_update (st_378) (usize 13) (array_to_le_uint32s (iv_376)) in + st_378. + +Definition chacha20_key_block (state_379 : state_t) : block_t := + let state_380 : state_t := + chacha20_core (secret (@repr WORDSIZE32 0) : int32) (state_379) in + array_from_seq (64) (array_to_le_bytes (state_380)). + +Definition chacha20_key_block0 + (key_381 : cha_cha_key_t) + (iv_382 : cha_cha_iv_t) + : block_t := + let state_383 : state_t := + chacha20_init (key_381) (iv_382) (secret (@repr WORDSIZE32 0) : int32) in + chacha20_key_block (state_383). + +Definition chacha20_encrypt_block + (st0_384 : state_t) + (ctr_385 : uint32) + (plain_386 : block_t) + : block_t := + let st_387 : state_t := + chacha20_core (ctr_385) (st0_384) in + let pl_388 : state_t := + array_from_seq (16) (array_to_le_uint32s (plain_386)) in + let st_389 : state_t := + (pl_388) array_xor (st_387) in + array_from_seq (64) (array_to_le_bytes (st_389)). + +Definition chacha20_encrypt_last + (st0_390 : state_t) + (ctr_391 : uint32) + (plain_392 : byte_seq) + : byte_seq := + let b_393 : block_t := + array_new_ (default) (64) in + let b_393 := + array_update (b_393) (usize 0) (plain_392) in + let b_393 := + chacha20_encrypt_block (st0_390) (ctr_391) (b_393) in + array_slice (b_393) (usize 0) (seq_len (plain_392)). + +Definition chacha20_update (st0_394 : state_t) (m_395 : byte_seq) : byte_seq := + let blocks_out_396 : seq uint8 := + seq_new_ (default) (seq_len (m_395)) in + let n_blocks_397 : uint_size := + seq_num_exact_chunks (m_395) (usize 64) in + let blocks_out_396 := + foldi (usize 0) (n_blocks_397) (fun i_398 blocks_out_396 => + let msg_block_399 : seq uint8 := + seq_get_exact_chunk (m_395) (usize 64) (i_398) in + let b_400 : block_t := + chacha20_encrypt_block (st0_394) (secret (pub_u32 (i_398)) : int32) ( + array_from_seq (64) (msg_block_399)) in + let blocks_out_396 := + seq_set_exact_chunk (blocks_out_396) (usize 64) (i_398) ( + array_to_seq (b_400)) in + (blocks_out_396)) + blocks_out_396 in + let last_block_401 : seq uint8 := + seq_get_remainder_chunk (m_395) (usize 64) in + let '(blocks_out_396) := + if (seq_len (last_block_401)) !=.? (usize 0):bool then ( + let b_402 : seq uint8 := + chacha20_encrypt_last (st0_394) (secret (pub_u32 ( + n_blocks_397)) : int32) (last_block_401) in + let blocks_out_396 := + seq_set_chunk (blocks_out_396) (usize 64) (n_blocks_397) (b_402) in + (blocks_out_396)) else ((blocks_out_396)) in + blocks_out_396. + +Definition chacha20 + (key_403 : cha_cha_key_t) + (iv_404 : cha_cha_iv_t) + (ctr_405 : int32) + (m_406 : byte_seq) + : byte_seq := + let state_407 : state_t := + chacha20_init (key_403) (iv_404) (secret (ctr_405) : int32) in + chacha20_update (state_407) (m_406). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Chacha20poly1305.v b/proof-libs/coq/src/_vc/Hacspec_Chacha20poly1305.v new file mode 100644 index 000000000..0567711ca --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Chacha20poly1305.v @@ -0,0 +1,97 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Chacha20. + +Require Import Hacspec_Poly1305. + +Inductive error_t := +| InvalidTag : error_t. + +Notation "'cha_cha_poly_key_t'" := (cha_cha_key_t) : hacspec_scope. + +Notation "'cha_cha_poly_iv_t'" := (cha_cha_iv_t) : hacspec_scope. + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Definition init + (key_408 : cha_cha_poly_key_t) + (iv_409 : cha_cha_poly_iv_t) + : poly_state_t := + let key_block0_410 : block_t := + chacha20_key_block0 (key_408) (iv_409) in + let poly_key_411 : poly_key_t := + array_from_slice (default) (32) (array_to_seq (key_block0_410)) (usize 0) ( + usize 32) in + poly1305_init (poly_key_411). + +Definition poly1305_update_padded + (m_412 : byte_seq) + (st_413 : poly_state_t) + : poly_state_t := + let st_414 : (field_element_t × field_element_t × poly_key_t) := + poly1305_update_blocks (m_412) (st_413) in + let last_415 : seq uint8 := + seq_get_remainder_chunk (m_412) (usize 16) in + poly1305_update_last (usize 16) (last_415) (st_414). + +Definition finish + (aad_len_416 : uint_size) + (cipher_len_417 : uint_size) + (st_418 : poly_state_t) + : poly1305_tag_t := + let last_block_419 : poly_block_t := + array_new_ (default) (16) in + let last_block_419 := + array_update (last_block_419) (usize 0) (array_to_seq (uint64_to_le_bytes ( + secret (pub_u64 (aad_len_416)) : int64))) in + let last_block_419 := + array_update (last_block_419) (usize 8) (array_to_seq (uint64_to_le_bytes ( + secret (pub_u64 (cipher_len_417)) : int64))) in + let st_420 : (field_element_t × field_element_t × poly_key_t) := + poly1305_update_block (last_block_419) (st_418) in + poly1305_finish (st_420). + +Definition chacha20_poly1305_encrypt + (key_421 : cha_cha_poly_key_t) + (iv_422 : cha_cha_poly_iv_t) + (aad_423 : byte_seq) + (msg_424 : byte_seq) + : (byte_seq × poly1305_tag_t) := + let cipher_text_425 : seq uint8 := + chacha20 (key_421) (iv_422) (@repr WORDSIZE32 1) (msg_424) in + let poly_st_426 : (field_element_t × field_element_t × poly_key_t) := + init (key_421) (iv_422) in + let poly_st_426 := + poly1305_update_padded (aad_423) (poly_st_426) in + let poly_st_426 := + poly1305_update_padded (cipher_text_425) (poly_st_426) in + let tag_427 : poly1305_tag_t := + finish (seq_len (aad_423)) (seq_len (cipher_text_425)) (poly_st_426) in + (cipher_text_425, tag_427). + +Definition chacha20_poly1305_decrypt + (key_428 : cha_cha_poly_key_t) + (iv_429 : cha_cha_poly_iv_t) + (aad_430 : byte_seq) + (cipher_text_431 : byte_seq) + (tag_432 : poly1305_tag_t) + : byte_seq_result_t := + let poly_st_433 : (field_element_t × field_element_t × poly_key_t) := + init (key_428) (iv_429) in + let poly_st_433 := + poly1305_update_padded (aad_430) (poly_st_433) in + let poly_st_433 := + poly1305_update_padded (cipher_text_431) (poly_st_433) in + let my_tag_434 : poly1305_tag_t := + finish (seq_len (aad_430)) (seq_len (cipher_text_431)) (poly_st_433) in + (if (array_declassify_eq (my_tag_434) (tag_432)):bool then ( + @Ok byte_seq error_t (chacha20 (key_428) (iv_429) (@repr WORDSIZE32 1) ( + cipher_text_431))) else (@Err byte_seq error_t (InvalidTag))). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Curve25519.v b/proof-libs/coq/src/_vc/Hacspec_Curve25519.v new file mode 100644 index 000000000..449f760b5 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Curve25519.v @@ -0,0 +1,169 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition field_canvas_t := nseq (int8) (32). +Definition x25519_field_element_t := + nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition scalar_t := + nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. + +Notation "'point_t'" := ((x25519_field_element_t × x25519_field_element_t +)) : hacspec_scope. + +Definition x25519_serialized_point_t := nseq (uint8) (usize 32). + +Definition x25519_serialized_scalar_t := nseq (uint8) (usize 32). + +Definition mask_scalar + (s_477 : x25519_serialized_scalar_t) + : x25519_serialized_scalar_t := + let k_478 : x25519_serialized_scalar_t := + s_477 in + let k_478 := + array_upd k_478 (usize 0) ((array_index (k_478) (usize 0)) .& (secret ( + @repr WORDSIZE8 248) : int8)) in + let k_478 := + array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + let k_478 := + array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .| (secret ( + @repr WORDSIZE8 64) : int8)) in + k_478. + +Definition decode_scalar (s_479 : x25519_serialized_scalar_t) : scalar_t := + let k_480 : x25519_serialized_scalar_t := + mask_scalar (s_479) in + nat_mod_from_byte_seq_le (array_to_seq (k_480)) : scalar_t. + +Definition decode_point (u_481 : x25519_serialized_point_t) : point_t := + let u_482 : x25519_serialized_point_t := + u_481 in + let u_482 := + array_upd u_482 (usize 31) ((array_index (u_482) (usize 31)) .& (secret ( + @repr WORDSIZE8 127) : int8)) in + ( + nat_mod_from_byte_seq_le (array_to_seq (u_482)) : x25519_field_element_t, + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 1) : x25519_field_element_t + ). + +Definition encode_point (p_483 : point_t) : x25519_serialized_point_t := + let '(x_484, y_485) := + p_483 in + let b_486 : x25519_field_element_t := + (x_484) *% (nat_mod_inv (y_485)) in + array_update_start (array_new_ (default) (32)) (nat_mod_to_byte_seq_le ( + b_486)). + +Definition point_add_and_double + (q_487 : point_t) + (np_488 : (point_t × point_t)) + : (point_t × point_t) := + let '(nq_489, nqp1_490) := + np_488 in + let '(x_1_491, z_1_492) := + q_487 in + let '(x_2_493, z_2_494) := + nq_489 in + let '(x_3_495, z_3_496) := + nqp1_490 in + let a_497 : x25519_field_element_t := + (x_2_493) +% (z_2_494) in + let aa_498 : x25519_field_element_t := + nat_mod_pow (a_497) (@repr WORDSIZE128 2) in + let b_499 : x25519_field_element_t := + (x_2_493) -% (z_2_494) in + let bb_500 : x25519_field_element_t := + (b_499) *% (b_499) in + let e_501 : x25519_field_element_t := + (aa_498) -% (bb_500) in + let c_502 : x25519_field_element_t := + (x_3_495) +% (z_3_496) in + let d_503 : x25519_field_element_t := + (x_3_495) -% (z_3_496) in + let da_504 : x25519_field_element_t := + (d_503) *% (a_497) in + let cb_505 : x25519_field_element_t := + (c_502) *% (b_499) in + let x_3_506 : x25519_field_element_t := + nat_mod_pow ((da_504) +% (cb_505)) (@repr WORDSIZE128 2) in + let z_3_507 : x25519_field_element_t := + (x_1_491) *% (nat_mod_pow ((da_504) -% (cb_505)) (@repr WORDSIZE128 2)) in + let x_2_508 : x25519_field_element_t := + (aa_498) *% (bb_500) in + let e121665_509 : x25519_field_element_t := + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 121665) : x25519_field_element_t in + let z_2_510 : x25519_field_element_t := + (e_501) *% ((aa_498) +% ((e121665_509) *% (e_501))) in + ((x_2_508, z_2_510), (x_3_506, z_3_507)). + +Definition swap (x_511 : (point_t × point_t)) : (point_t × point_t) := + let '(x0_512, x1_513) := + x_511 in + (x1_513, x0_512). + +Definition montgomery_ladder + (k_514 : scalar_t) + (init_515 : point_t) + : point_t := + let inf_516 : (x25519_field_element_t × x25519_field_element_t) := + ( + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 1) : x25519_field_element_t, + nat_mod_from_literal ( + 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( + @repr WORDSIZE128 0) : x25519_field_element_t + ) in + let acc_517 : (point_t × point_t) := + (inf_516, init_515) in + let acc_517 := + foldi (usize 0) (usize 256) (fun i_518 acc_517 => + let '(acc_517) := + if nat_mod_bit (k_514) ((usize 255) - (i_518)):bool then (let acc_517 := + swap (acc_517) in + let acc_517 := + point_add_and_double (init_515) (acc_517) in + let acc_517 := + swap (acc_517) in + (acc_517)) else (let acc_517 := + point_add_and_double (init_515) (acc_517) in + (acc_517)) in + (acc_517)) + acc_517 in + let '(out_519, _) := + acc_517 in + out_519. + +Definition x25519_scalarmult + (s_520 : x25519_serialized_scalar_t) + (p_521 : x25519_serialized_point_t) + : x25519_serialized_point_t := + let s_522 : scalar_t := + decode_scalar (s_520) in + let p_523 : (x25519_field_element_t × x25519_field_element_t) := + decode_point (p_521) in + let r_524 : (x25519_field_element_t × x25519_field_element_t) := + montgomery_ladder (s_522) (p_523) in + encode_point (r_524). + +Definition x25519_secret_to_public + (s_525 : x25519_serialized_scalar_t) + : x25519_serialized_point_t := + let base_526 : x25519_serialized_point_t := + array_new_ (default) (32) in + let base_526 := + array_upd base_526 (usize 0) (secret (@repr WORDSIZE8 9) : int8) in + x25519_scalarmult (s_525) (base_526). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v new file mode 100644 index 000000000..813844eec --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v @@ -0,0 +1,127 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_P256. + +Require Import Hacspec_Sha256. + +Inductive error_t := +| InvalidScalar : error_t +| InvalidSignature : error_t. + +Notation "'p256_public_key_t'" := (affine_t) : hacspec_scope. + +Notation "'p256_secret_key_t'" := (p256_scalar_t) : hacspec_scope. + +Notation "'p256_signature_t'" := ((p256_scalar_t × p256_scalar_t +)) : hacspec_scope. + +Notation "'p256_signature_result_t'" := (( + result p256_signature_t error_t)) : hacspec_scope. + +Notation "'p256_verify_result_t'" := ((result unit error_t)) : hacspec_scope. + +Notation "'check_result_t'" := ((result unit error_t)) : hacspec_scope. + +Notation "'arithmetic_result_t'" := ((result affine_t error_t)) : hacspec_scope. + +Definition check_scalar_zero (r_527 : p256_scalar_t) : check_result_t := + (if (nat_mod_equal (r_527) (nat_mod_zero )):bool then (@Err unit error_t ( + InvalidScalar)) else (@Ok unit error_t (tt))). + +Definition ecdsa_point_mul_base (x_528 : p256_scalar_t) : arithmetic_result_t := + match p256_point_mul_base (x_528) with + | Ok s_529 => @Ok affine_t error_t (s_529) + | Err _ => @Err affine_t error_t (InvalidScalar) + end. + +Definition ecdsa_point_mul + (k_530 : p256_scalar_t) + (p_531 : affine_t) + : arithmetic_result_t := + match p256_point_mul (k_530) (p_531) with + | Ok s_532 => @Ok affine_t error_t (s_532) + | Err _ => @Err affine_t error_t (InvalidScalar) + end. + +Definition ecdsa_point_add + (p_533 : affine_t) + (q_534 : affine_t) + : arithmetic_result_t := + match point_add (p_533) (q_534) with + | Ok s_535 => @Ok affine_t error_t (s_535) + | Err _ => @Err affine_t error_t (InvalidScalar) + end. + +Definition sign + (payload_536 : byte_seq) + (sk_537 : p256_secret_key_t) + (nonce_538 : p256_scalar_t) + : p256_signature_result_t := + bind (check_scalar_zero (nonce_538)) (fun _ => bind (ecdsa_point_mul_base ( + nonce_538)) (fun '(k_x_539, k_y_540) => let r_541 : p256_scalar_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + k_x_539)) : p256_scalar_t in + bind (check_scalar_zero (r_541)) (fun _ => + let payload_hash_542 : sha256_digest_t := + hash (payload_536) in + let payload_hash_543 : p256_scalar_t := + nat_mod_from_byte_seq_be ( + array_to_seq (payload_hash_542)) : p256_scalar_t in + let rsk_544 : p256_scalar_t := + (r_541) *% (sk_537) in + let hash_rsk_545 : p256_scalar_t := + (payload_hash_543) +% (rsk_544) in + let nonce_inv_546 : p256_scalar_t := + nat_mod_inv (nonce_538) in + let s_547 : p256_scalar_t := + (nonce_inv_546) *% (hash_rsk_545) in + @Ok p256_signature_t error_t ((r_541, s_547))))). + +Definition ecdsa_p256_sha256_sign + (payload_548 : byte_seq) + (sk_549 : p256_secret_key_t) + (nonce_550 : p256_scalar_t) + : p256_signature_result_t := + sign (payload_548) (sk_549) (nonce_550). + +Definition verify + (payload_551 : byte_seq) + (pk_552 : p256_public_key_t) + (signature_553 : p256_signature_t) + : p256_verify_result_t := + let '(r_554, s_555) := + signature_553 in + let payload_hash_556 : sha256_digest_t := + hash (payload_551) in + let payload_hash_557 : p256_scalar_t := + nat_mod_from_byte_seq_be ( + array_to_seq (payload_hash_556)) : p256_scalar_t in + let s_inv_558 : p256_scalar_t := + nat_mod_inv (s_555) in + let u1_559 : p256_scalar_t := + (payload_hash_557) *% (s_inv_558) in + bind (ecdsa_point_mul_base (u1_559)) (fun u1_560 => + let u2_561 : p256_scalar_t := + (r_554) *% (s_inv_558) in + bind (ecdsa_point_mul (u2_561) (pk_552)) (fun u2_562 => bind ( + ecdsa_point_add (u1_560) (u2_562)) (fun '(x_563, y_564) => + let x_565 : p256_scalar_t := + nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( + x_563)) : p256_scalar_t in + (if ((x_565) =.? (r_554)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature)))))). + +Definition ecdsa_p256_sha256_verify + (payload_566 : byte_seq) + (pk_567 : p256_public_key_t) + (signature_568 : p256_signature_t) + : p256_verify_result_t := + verify (payload_566) (pk_567) (signature_568). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Ed25519.v b/proof-libs/coq/src/_vc/Hacspec_Ed25519.v new file mode 100644 index 000000000..599394625 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Ed25519.v @@ -0,0 +1,619 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha512. + +Require Import Hacspec_Edwards25519. + +Definition scalar_from_hash (h_1635 : sha512_digest_t) : scalar_t := + let s_1636 : big_scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (h_1635)) : big_scalar_t in + nat_mod_from_byte_seq_le (seq_slice (nat_mod_to_byte_seq_le (s_1636)) ( + usize 0) (usize 32)) : scalar_t. + +Definition sign (sk_1637 : secret_key_t) (msg_1638 : byte_seq) : signature_t := + let '(a_1639, prefix_1640) := + secret_expand (sk_1637) in + let a_1641 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (a_1639)) : scalar_t in + let b_1642 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let a_p_1643 : compressed_ed_point_t := + compress (point_mul (a_1641) (b_1642)) in + let r_1644 : scalar_t := + scalar_from_hash (sha512 (array_concat (prefix_1640) (msg_1638))) in + let r_p_1645 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul (r_1644) (b_1642) in + let r_s_1646 : compressed_ed_point_t := + compress (r_p_1645) in + let h_1647 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_s_1646) ( + array_to_seq (a_p_1643))) (msg_1638))) in + let s_1648 : scalar_t := + (r_1644) +% ((h_1647) *% (a_1641)) in + let s_bytes_1649 : seq uint8 := + seq_slice (nat_mod_to_byte_seq_le (s_1648)) (usize 0) (usize 32) in + array_update (array_update (array_new_ (default) (64)) (usize 0) ( + array_to_seq (r_s_1646))) (usize 32) (s_bytes_1649). + +Definition zcash_verify + (pk_1650 : public_key_t) + (signature_1651 : signature_t) + (msg_1652 : byte_seq) + : verify_result_t := + let b_1653 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress_non_canonical (base_v)) in + bind (option_ok_or (decompress_non_canonical (pk_1650)) (InvalidPublickey)) ( + fun a_1654 => let r_bytes_1655 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1651)) ( + usize 0) (usize 32) in + let s_bytes_1656 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1651)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1656)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress_non_canonical (r_bytes_1655)) (InvalidR)) ( + fun r_1657 => let s_1658 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1656)) : scalar_t in + let k_1659 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1655) ( + pk_1650)) (msg_1652))) in + let sb_1660 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_1658) (b_1653)) in + let rc_1661 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_1657) in + let ka_1662 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_1659) (a_1654)) in + (if (point_eq (sb_1660) (point_add (rc_1661) (ka_1662))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition ietf_cofactored_verify + (pk_1663 : public_key_t) + (signature_1664 : signature_t) + (msg_1665 : byte_seq) + : verify_result_t := + let b_1666 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_1663)) (InvalidPublickey)) (fun a_1667 => + let r_bytes_1668 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1664)) ( + usize 0) (usize 32) in + let s_bytes_1669 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1664)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1669)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_1668)) (InvalidR)) (fun r_1670 => + let s_1671 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1669)) : scalar_t in + let k_1672 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1668) ( + pk_1663)) (msg_1665))) in + let sb_1673 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_1671) (b_1666)) in + let rc_1674 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_1670) in + let ka_1675 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_1672) (a_1667)) in + (if (point_eq (sb_1673) (point_add (rc_1674) (ka_1675))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition ietf_cofactorless_verify + (pk_1676 : public_key_t) + (signature_1677 : signature_t) + (msg_1678 : byte_seq) + : verify_result_t := + let b_1679 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_1676)) (InvalidPublickey)) (fun a_1680 => + let r_bytes_1681 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1677)) ( + usize 0) (usize 32) in + let s_bytes_1682 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1677)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1682)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_1681)) (InvalidR)) (fun r_1683 => + let s_1684 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1682)) : scalar_t in + let k_1685 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1681) ( + pk_1676)) (msg_1678))) in + let sb_1686 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul (s_1684) (b_1679) in + let ka_1687 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul (k_1685) (a_1680) in + (if (point_eq (sb_1686) (point_add (r_1683) (ka_1687))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature)))))). + +Definition is_identity (p_1688 : ed_point_t) : bool := + point_eq (p_1688) (point_identity ). + +Definition alg2_verify + (pk_1689 : public_key_t) + (signature_1690 : signature_t) + (msg_1691 : byte_seq) + : verify_result_t := + let b_1692 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + bind (option_ok_or (decompress (pk_1689)) (InvalidPublickey)) (fun a_1693 => + ifbnd is_identity (point_mul_by_cofactor (a_1693)) : bool + thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + let r_bytes_1694 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1690)) ( + usize 0) (usize 32) in + let s_bytes_1695 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1690)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1695)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_1694)) (InvalidR)) (fun r_1696 => + let s_1697 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1695)) : scalar_t in + let k_1698 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1694) ( + pk_1689)) (msg_1691))) in + let sb_1699 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (s_1697) (b_1692)) in + let rc_1700 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (r_1696) in + let ka_1701 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_mul (k_1698) (a_1693)) in + (if (point_eq (sb_1699) (point_add (rc_1700) (ka_1701))):bool then ( + @Ok unit error_t (tt)) else (@Err unit error_t ( + InvalidSignature))))))). + +Inductive batch_entry_t := +| BatchEntry : (public_key_t × byte_seq × signature_t) -> batch_entry_t. + +Definition zcash_batch_verify + (entries_1702 : seq batch_entry_t) + (entropy_1703 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_1703)) <.? ((usize 16) * (seq_len ( + entries_1702))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + let s_sum_1704 : scalar_t := + nat_mod_zero in + let r_sum_1705 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + let a_sum_1706 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_1702)) for ( + s_sum_1704, + r_sum_1705, + a_sum_1706 + ) >> (fun i_1707 '(s_sum_1704, r_sum_1705, a_sum_1706) => + let 'BatchEntry ((pk_1708, msg_1709, signature_1710)) := + (seq_index (entries_1702) (i_1707)) in + bind (option_ok_or (decompress_non_canonical (pk_1708)) ( + InvalidPublickey)) (fun a_1711 => + let r_bytes_1712 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1710)) ( + usize 0) (usize 32) in + let s_bytes_1713 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1710)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1713)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress_non_canonical (r_bytes_1712)) (InvalidR)) ( + fun r_1714 => let s_1715 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1713)) : scalar_t in + let c_1716 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1712) ( + array_to_seq (pk_1708))) (msg_1709))) in + let z_1717 : seq uint8 := + seq_slice (entropy_1703) ((usize 16) * (i_1707)) (usize 16) in + let z_1718 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_1717) (seq_new_ (default) ( + usize 16))) : scalar_t in + let s_sum_1704 := + (s_sum_1704) +% ((s_1715) *% (z_1718)) in + let r_sum_1705 := + point_add (r_sum_1705) (point_mul (z_1718) (r_1714)) in + let a_sum_1706 := + point_add (a_sum_1706) (point_mul ((z_1718) *% (c_1716)) (a_1711)) in + Ok ((s_sum_1704, r_sum_1705, a_sum_1706))))))) (fun '( + s_sum_1704, + r_sum_1705, + a_sum_1706 + ) => let b_1719 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_1720 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul (s_sum_1704) (b_1719) in + let check_1721 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_1720)) (point_add ( + r_sum_1705) (a_sum_1706))) in + (if (is_identity (check_1721)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition ietf_cofactored_batch_verify + (entries_1722 : seq batch_entry_t) + (entropy_1723 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_1723)) <.? ((usize 16) * (seq_len ( + entries_1722))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + let s_sum_1724 : scalar_t := + nat_mod_zero in + let r_sum_1725 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + let a_sum_1726 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_1722)) for ( + s_sum_1724, + r_sum_1725, + a_sum_1726 + ) >> (fun i_1727 '(s_sum_1724, r_sum_1725, a_sum_1726) => + let 'BatchEntry ((pk_1728, msg_1729, signature_1730)) := + (seq_index (entries_1722) (i_1727)) in + bind (option_ok_or (decompress (pk_1728)) (InvalidPublickey)) (fun a_1731 => + let r_bytes_1732 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1730)) ( + usize 0) (usize 32) in + let s_bytes_1733 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1730)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1733)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_1732)) (InvalidR)) (fun r_1734 => + let s_1735 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1733)) : scalar_t in + let c_1736 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1732) ( + array_to_seq (pk_1728))) (msg_1729))) in + let z_1737 : seq uint8 := + seq_slice (entropy_1723) ((usize 16) * (i_1727)) (usize 16) in + let z_1738 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_1737) (seq_new_ (default) ( + usize 16))) : scalar_t in + let s_sum_1724 := + (s_sum_1724) +% ((s_1735) *% (z_1738)) in + let r_sum_1725 := + point_add (r_sum_1725) (point_mul (z_1738) (r_1734)) in + let a_sum_1726 := + point_add (a_sum_1726) (point_mul ((z_1738) *% (c_1736)) (a_1731)) in + Ok ((s_sum_1724, r_sum_1725, a_sum_1726))))))) (fun '( + s_sum_1724, + r_sum_1725, + a_sum_1726 + ) => let b_1739 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_1740 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul (s_sum_1724) (b_1739) in + let check_1741 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_1740)) (point_add ( + r_sum_1725) (a_sum_1726))) in + (if (is_identity (check_1741)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition ietf_cofactorless_batch_verify + (entries_1742 : seq batch_entry_t) + (entropy_1743 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_1743)) <.? ((usize 16) * (seq_len ( + entries_1742))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + let s_sum_1744 : scalar_t := + nat_mod_zero in + let r_sum_1745 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + let a_sum_1746 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_1742)) for ( + s_sum_1744, + r_sum_1745, + a_sum_1746 + ) >> (fun i_1747 '(s_sum_1744, r_sum_1745, a_sum_1746) => + let 'BatchEntry ((pk_1748, msg_1749, signature_1750)) := + (seq_index (entries_1742) (i_1747)) in + bind (option_ok_or (decompress (pk_1748)) (InvalidPublickey)) (fun a_1751 => + let r_bytes_1752 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1750)) ( + usize 0) (usize 32) in + let s_bytes_1753 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1750)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1753)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_1752)) (InvalidR)) (fun r_1754 => + let s_1755 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1753)) : scalar_t in + let c_1756 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1752) ( + array_to_seq (pk_1748))) (msg_1749))) in + let z_1757 : seq uint8 := + seq_slice (entropy_1743) ((usize 16) * (i_1747)) (usize 16) in + let z_1758 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_1757) (seq_new_ (default) ( + usize 16))) : scalar_t in + let s_sum_1744 := + (s_sum_1744) +% ((s_1755) *% (z_1758)) in + let r_sum_1745 := + point_add (r_sum_1745) (point_mul (z_1758) (r_1754)) in + let a_sum_1746 := + point_add (a_sum_1746) (point_mul ((z_1758) *% (c_1756)) (a_1751)) in + Ok ((s_sum_1744, r_sum_1745, a_sum_1746))))))) (fun '( + s_sum_1744, + r_sum_1745, + a_sum_1746 + ) => let b_1759 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_1760 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul (s_sum_1744) (b_1759) in + let check_1761 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_add (point_neg (sb_1760)) (point_add (r_sum_1745) (a_sum_1746)) in + (if (is_identity (check_1761)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + +Definition alg3_batch_verify + (entries_1762 : seq batch_entry_t) + (entropy_1763 : byte_seq) + : verify_result_t := + ifbnd (seq_len (entropy_1763)) <.? ((usize 16) * (seq_len ( + entries_1762))) : bool + thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + let s_sum_1764 : scalar_t := + nat_mod_zero in + let r_sum_1765 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + let a_sum_1766 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_identity in + bind (foldibnd (usize 0) to (seq_len (entries_1762)) for ( + s_sum_1764, + r_sum_1765, + a_sum_1766 + ) >> (fun i_1767 '(s_sum_1764, r_sum_1765, a_sum_1766) => + let 'BatchEntry ((pk_1768, msg_1769, signature_1770)) := + (seq_index (entries_1762) (i_1767)) in + bind (option_ok_or (decompress (pk_1768)) (InvalidPublickey)) (fun a_1771 => + ifbnd is_identity (point_mul_by_cofactor (a_1771)) : bool + thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + let r_bytes_1772 : compressed_ed_point_t := + array_from_slice (default) (32) (array_to_seq (signature_1770)) ( + usize 0) (usize 32) in + let s_bytes_1773 : serialized_scalar_t := + array_from_slice (default) (32) (array_to_seq (signature_1770)) ( + usize 32) (usize 32) in + ifbnd negb (check_canonical_scalar (s_bytes_1773)) : bool + thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) + else (tt) >> (fun 'tt => + bind (option_ok_or (decompress (r_bytes_1772)) (InvalidR)) (fun r_1774 => + let s_1775 : scalar_t := + nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1773)) : scalar_t in + let c_1776 : scalar_t := + scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1772) ( + array_to_seq (pk_1768))) (msg_1769))) in + let z_1777 : seq uint8 := + seq_slice (entropy_1763) ((usize 16) * (i_1767)) (usize 16) in + let z_1778 : scalar_t := + nat_mod_from_byte_seq_le (seq_concat (z_1777) (seq_new_ (default) ( + usize 16))) : scalar_t in + let s_sum_1764 := + (s_sum_1764) +% ((s_1775) *% (z_1778)) in + let r_sum_1765 := + point_add (r_sum_1765) (point_mul (z_1778) (r_1774)) in + let a_sum_1766 := + point_add (a_sum_1766) (point_mul ((z_1778) *% (c_1776)) (a_1771)) in + Ok ((s_sum_1764, r_sum_1765, a_sum_1766)))))))) (fun '( + s_sum_1764, + r_sum_1765, + a_sum_1766 + ) => let b_1779 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + option_unwrap (decompress (base_v)) in + let sb_1780 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul (s_sum_1764) (b_1779) in + let check_1781 : ( + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t × + ed25519_field_element_t + ) := + point_mul_by_cofactor (point_add (point_neg (sb_1780)) (point_add ( + r_sum_1765) (a_sum_1766))) in + (if (is_identity (check_1781)):bool then (@Ok unit error_t (tt)) else ( + @Err unit error_t (InvalidSignature))))). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Gf128.v b/proof-libs/coq/src/_vc/Hacspec_Gf128.v new file mode 100644 index 000000000..64d5ffc0c --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Gf128.v @@ -0,0 +1,112 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition blocksize_v : uint_size := + usize 16. + +Definition gf128_block_t := nseq (uint8) (blocksize_v). + +Definition gf128_key_t := nseq (uint8) (blocksize_v). + +Definition gf128_tag_t := nseq (uint8) (blocksize_v). + +Notation "'element_t'" := (uint128) : hacspec_scope. + +Definition irred_v : element_t := + secret (@repr WORDSIZE128 299076299051606071403356588563077529600) : int128. + +Definition fadd (x_317 : element_t) (y_318 : element_t) : element_t := + (x_317) .^ (y_318). + +Definition fmul (x_319 : element_t) (y_320 : element_t) : element_t := + let res_321 : element_t := + secret (@repr WORDSIZE128 0) : int128 in + let sh_322 : uint128 := + x_319 in + let '(res_321, sh_322) := + foldi (usize 0) (usize 128) (fun i_323 '(res_321, sh_322) => + let '(res_321) := + if (uint128_declassify ((y_320) .& ((secret ( + @repr WORDSIZE128 1) : int128) shift_left ((usize 127) - ( + i_323))))) !=.? (uint128_declassify (secret ( + @repr WORDSIZE128 0) : int128)):bool then (let res_321 := + (res_321) .^ (sh_322) in + (res_321)) else ((res_321)) in + let '(sh_322) := + if (uint128_declassify ((sh_322) .& (secret ( + @repr WORDSIZE128 1) : int128))) !=.? (uint128_declassify ( + secret (@repr WORDSIZE128 0) : int128)):bool then (let sh_322 := + ((sh_322) shift_right (usize 1)) .^ (irred_v) in + (sh_322)) else (let sh_322 := + (sh_322) shift_right (usize 1) in + (sh_322)) in + (res_321, sh_322)) + (res_321, sh_322) in + res_321. + +Definition encode (block_324 : gf128_block_t) : element_t := + uint128_from_be_bytes (array_from_seq (16) (array_to_seq (block_324))). + +Definition decode (e_325 : element_t) : gf128_block_t := + array_from_seq (blocksize_v) (array_to_seq (uint128_to_be_bytes (e_325))). + +Definition update + (r_326 : element_t) + (block_327 : gf128_block_t) + (acc_328 : element_t) + : element_t := + fmul (fadd (encode (block_327)) (acc_328)) (r_326). + +Definition poly (msg_329 : byte_seq) (r_330 : element_t) : element_t := + let l_331 : uint_size := + seq_len (msg_329) in + let n_blocks_332 : uint_size := + (l_331) / (blocksize_v) in + let rem_333 : uint_size := + (l_331) %% (blocksize_v) in + let acc_334 : uint128 := + secret (@repr WORDSIZE128 0) : int128 in + let acc_334 := + foldi (usize 0) (n_blocks_332) (fun i_335 acc_334 => + let k_336 : uint_size := + (i_335) * (blocksize_v) in + let block_337 : gf128_block_t := + array_new_ (default) (blocksize_v) in + let block_337 := + array_update_start (block_337) (seq_slice_range (msg_329) (( + k_336, + (k_336) + (blocksize_v) + ))) in + let acc_334 := + update (r_330) (block_337) (acc_334) in + (acc_334)) + acc_334 in + let '(acc_334) := + if (rem_333) !=.? (usize 0):bool then (let k_338 : uint_size := + (n_blocks_332) * (blocksize_v) in + let last_block_339 : gf128_block_t := + array_new_ (default) (blocksize_v) in + let last_block_339 := + array_update_slice (last_block_339) (usize 0) (msg_329) (k_338) ( + rem_333) in + let acc_334 := + update (r_330) (last_block_339) (acc_334) in + (acc_334)) else ((acc_334)) in + acc_334. + +Definition gmac (text_340 : byte_seq) (k_341 : gf128_key_t) : gf128_tag_t := + let s_342 : gf128_block_t := + array_new_ (default) (blocksize_v) in + let r_343 : uint128 := + encode (array_from_seq (blocksize_v) (array_to_seq (k_341))) in + let a_344 : uint128 := + poly (text_340) (r_343) in + array_from_seq (blocksize_v) (array_to_seq (decode (fadd (a_344) (encode ( + s_342))))). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Gimli.v b/proof-libs/coq/src/_vc/Hacspec_Gimli.v new file mode 100644 index 000000000..3669b32fd --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Gimli.v @@ -0,0 +1,395 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition state_t := nseq (uint32) (usize 12). + +Definition state_idx_t := + nat_mod (usize 12). +Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. +Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. + +Definition swap + (s_757 : state_t) + (i_758 : state_idx_t) + (j_759 : state_idx_t) + : state_t := + let tmp_760 : uint32 := + array_index (s_757) (i_758) in + let s_757 := + array_upd s_757 (i_758) (array_index (s_757) (j_759)) in + let s_757 := + array_upd s_757 (j_759) (tmp_760) in + s_757. + +Definition gimli_round (s_761 : state_t) (r_762 : int32) : state_t := + let s_761 := + foldi (usize 0) (usize 4) (fun col_763 s_761 => + let x_764 : uint32 := + uint32_rotate_left (array_index (s_761) (col_763)) (usize 24) in + let y_765 : uint32 := + uint32_rotate_left (array_index (s_761) ((col_763) + (usize 4))) ( + usize 9) in + let z_766 : uint32 := + array_index (s_761) ((col_763) + (usize 8)) in + let s_761 := + array_upd s_761 ((col_763) + (usize 8)) (((x_764) .^ (( + z_766) shift_left (usize 1))) .^ (((y_765) .& ( + z_766)) shift_left (usize 2))) in + let s_761 := + array_upd s_761 ((col_763) + (usize 4)) (((y_765) .^ (x_764)) .^ ((( + x_764) .| (z_766)) shift_left (usize 1))) in + let s_761 := + array_upd s_761 (col_763) (((z_766) .^ (y_765)) .^ (((x_764) .& ( + y_765)) shift_left (usize 3))) in + (s_761)) + s_761 in + let '(s_761) := + if ((r_762) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( + let s_761 := + swap (s_761) (usize 0) (usize 1) in + let s_761 := + swap (s_761) (usize 2) (usize 3) in + (s_761)) else ((s_761)) in + let '(s_761) := + if ((r_762) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 2):bool then ( + let s_761 := + swap (s_761) (usize 0) (usize 2) in + let s_761 := + swap (s_761) (usize 1) (usize 3) in + (s_761)) else ((s_761)) in + let '(s_761) := + if ((r_762) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( + let s_761 := + array_upd s_761 (usize 0) ((array_index (s_761) (usize 0)) .^ ((secret ( + @repr WORDSIZE32 2654435584) : int32) .| (secret ( + r_762) : int32))) in + (s_761)) else ((s_761)) in + s_761. + +Definition gimli (s_767 : state_t) : state_t := + let s_767 := + foldi (usize 0) (usize 24) (fun rnd_768 s_767 => + let rnd_769 : int32 := + pub_u32 ((usize 24) - (rnd_768)) in + let s_767 := + gimli_round (s_767) (rnd_769) in + (s_767)) + s_767 in + s_767. + +Definition block_t := nseq (uint8) (usize 16). + +Definition digest_t := nseq (uint8) (usize 32). + +Definition absorb_block + (input_block_770 : block_t) + (s_771 : state_t) + : state_t := + let input_bytes_772 : seq uint32 := + array_to_le_uint32s (input_block_770) in + let s_771 := + array_upd s_771 (usize 0) ((array_index (s_771) (usize 0)) .^ (seq_index ( + input_bytes_772) (usize 0))) in + let s_771 := + array_upd s_771 (usize 1) ((array_index (s_771) (usize 1)) .^ (seq_index ( + input_bytes_772) (usize 1))) in + let s_771 := + array_upd s_771 (usize 2) ((array_index (s_771) (usize 2)) .^ (seq_index ( + input_bytes_772) (usize 2))) in + let s_771 := + array_upd s_771 (usize 3) ((array_index (s_771) (usize 3)) .^ (seq_index ( + input_bytes_772) (usize 3))) in + gimli (s_771). + +Definition squeeze_block (s_773 : state_t) : block_t := + let block_774 : block_t := + array_new_ (default) (16) in + let block_774 := + foldi (usize 0) (usize 4) (fun i_775 block_774 => + let s_i_776 : uint32 := + array_index (s_773) (i_775) in + let s_i_bytes_777 : seq uint8 := + uint32_to_le_bytes (s_i_776) in + let block_774 := + array_upd block_774 ((usize 4) * (i_775)) (seq_index (s_i_bytes_777) ( + usize 0)) in + let block_774 := + array_upd block_774 (((usize 4) * (i_775)) + (usize 1)) (seq_index ( + s_i_bytes_777) (usize 1)) in + let block_774 := + array_upd block_774 (((usize 4) * (i_775)) + (usize 2)) (seq_index ( + s_i_bytes_777) (usize 2)) in + let block_774 := + array_upd block_774 (((usize 4) * (i_775)) + (usize 3)) (seq_index ( + s_i_bytes_777) (usize 3)) in + (block_774)) + block_774 in + block_774. + +Definition gimli_hash_state + (input_778 : byte_seq) + (s_779 : state_t) + : state_t := + let rate_780 : uint_size := + array_length in + let chunks_781 : uint_size := + seq_num_exact_chunks (input_778) (rate_780) in + let s_779 := + foldi (usize 0) (chunks_781) (fun i_782 s_779 => + let input_block_783 : seq uint8 := + seq_get_exact_chunk (input_778) (rate_780) (i_782) in + let full_block_784 : block_t := + array_from_seq (16) (input_block_783) in + let s_779 := + absorb_block (full_block_784) (s_779) in + (s_779)) + s_779 in + let input_block_785 : seq uint8 := + seq_get_remainder_chunk (input_778) (rate_780) in + let input_block_padded_786 : block_t := + array_new_ (default) (16) in + let input_block_padded_787 : block_t := + array_update_start (input_block_padded_786) (input_block_785) in + let input_block_padded_787 := + array_upd input_block_padded_787 (seq_len (input_block_785)) (secret ( + @repr WORDSIZE8 1) : int8) in + let s_779 := + array_upd s_779 (usize 11) ((array_index (s_779) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_779 := + absorb_block (input_block_padded_787) (s_779) in + s_779. + +Definition gimli_hash (input_bytes_788 : byte_seq) : digest_t := + let s_789 : state_t := + array_new_ (default) (12) in + let s_790 : state_t := + gimli_hash_state (input_bytes_788) (s_789) in + let output_791 : digest_t := + array_new_ (default) (32) in + let output_792 : digest_t := + array_update_start (output_791) (array_to_seq (squeeze_block (s_790))) in + let s_793 : state_t := + gimli (s_790) in + array_update (output_792) (array_length ) (array_to_seq (squeeze_block ( + s_793))). + +Definition nonce_t := nseq (uint8) (usize 16). + +Definition key_t := nseq (uint8) (usize 32). + +Definition tag_t := nseq (uint8) (usize 16). + +Definition process_ad (ad_794 : byte_seq) (s_795 : state_t) : state_t := + gimli_hash_state (ad_794) (s_795). + +Definition process_msg + (message_796 : byte_seq) + (s_797 : state_t) + : (state_t × byte_seq) := + let ciphertext_798 : seq uint8 := + seq_new_ (default) (seq_len (message_796)) in + let rate_799 : uint_size := + array_length in + let num_chunks_800 : uint_size := + seq_num_exact_chunks (message_796) (rate_799) in + let '(s_797, ciphertext_798) := + foldi (usize 0) (num_chunks_800) (fun i_801 '(s_797, ciphertext_798) => + let key_block_802 : block_t := + squeeze_block (s_797) in + let msg_block_803 : seq uint8 := + seq_get_exact_chunk (message_796) (rate_799) (i_801) in + let msg_block_804 : block_t := + array_from_seq (16) (msg_block_803) in + let ciphertext_798 := + seq_set_exact_chunk (ciphertext_798) (rate_799) (i_801) (array_to_seq (( + msg_block_804) array_xor (key_block_802))) in + let s_797 := + absorb_block (msg_block_804) (s_797) in + (s_797, ciphertext_798)) + (s_797, ciphertext_798) in + let key_block_805 : block_t := + squeeze_block (s_797) in + let last_block_806 : seq uint8 := + seq_get_remainder_chunk (message_796) (rate_799) in + let block_len_807 : uint_size := + seq_len (last_block_806) in + let msg_block_padded_808 : block_t := + array_new_ (default) (16) in + let msg_block_padded_809 : block_t := + array_update_start (msg_block_padded_808) (last_block_806) in + let ciphertext_798 := + seq_set_chunk (ciphertext_798) (rate_799) (num_chunks_800) ( + array_slice_range ((msg_block_padded_809) array_xor (key_block_805)) (( + usize 0, + block_len_807 + ))) in + let msg_block_padded_809 := + array_upd msg_block_padded_809 (block_len_807) ((array_index ( + msg_block_padded_809) (block_len_807)) .^ (secret ( + @repr WORDSIZE8 1) : int8)) in + let s_797 := + array_upd s_797 (usize 11) ((array_index (s_797) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_797 := + absorb_block (msg_block_padded_809) (s_797) in + (s_797, ciphertext_798). + +Definition process_ct + (ciphertext_810 : byte_seq) + (s_811 : state_t) + : (state_t × byte_seq) := + let message_812 : seq uint8 := + seq_new_ (default) (seq_len (ciphertext_810)) in + let rate_813 : uint_size := + array_length in + let num_chunks_814 : uint_size := + seq_num_exact_chunks (ciphertext_810) (rate_813) in + let '(s_811, message_812) := + foldi (usize 0) (num_chunks_814) (fun i_815 '(s_811, message_812) => + let key_block_816 : block_t := + squeeze_block (s_811) in + let ct_block_817 : seq uint8 := + seq_get_exact_chunk (ciphertext_810) (rate_813) (i_815) in + let ct_block_818 : block_t := + array_from_seq (16) (ct_block_817) in + let msg_block_819 : block_t := + (ct_block_818) array_xor (key_block_816) in + let message_812 := + seq_set_exact_chunk (message_812) (rate_813) (i_815) (array_to_seq (( + ct_block_818) array_xor (key_block_816))) in + let s_811 := + absorb_block (msg_block_819) (s_811) in + (s_811, message_812)) + (s_811, message_812) in + let key_block_820 : block_t := + squeeze_block (s_811) in + let ct_final_821 : seq uint8 := + seq_get_remainder_chunk (ciphertext_810) (rate_813) in + let block_len_822 : uint_size := + seq_len (ct_final_821) in + let ct_block_padded_823 : block_t := + array_new_ (default) (16) in + let ct_block_padded_824 : block_t := + array_update_start (ct_block_padded_823) (ct_final_821) in + let msg_block_825 : block_t := + (ct_block_padded_824) array_xor (key_block_820) in + let message_812 := + seq_set_chunk (message_812) (rate_813) (num_chunks_814) (array_slice_range ( + msg_block_825) ((usize 0, block_len_822))) in + let msg_block_826 : block_t := + array_from_slice_range (default) (16) (array_to_seq (msg_block_825)) (( + usize 0, + block_len_822 + )) in + let msg_block_826 := + array_upd msg_block_826 (block_len_822) ((array_index (msg_block_826) ( + block_len_822)) .^ (secret (@repr WORDSIZE8 1) : int8)) in + let s_811 := + array_upd s_811 (usize 11) ((array_index (s_811) (usize 11)) .^ (secret ( + @repr WORDSIZE32 16777216) : int32)) in + let s_811 := + absorb_block (msg_block_826) (s_811) in + (s_811, message_812). + +Definition nonce_to_u32s (nonce_827 : nonce_t) : seq uint32 := + let uints_828 : seq uint32 := + seq_new_ (default) (usize 4) in + let uints_828 := + seq_upd uints_828 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (nonce_827)) ((usize 0, usize 4)))) in + let uints_828 := + seq_upd uints_828 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (nonce_827)) ((usize 4, usize 8)))) in + let uints_828 := + seq_upd uints_828 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (nonce_827)) ((usize 8, usize 12)))) in + let uints_828 := + seq_upd uints_828 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (nonce_827)) ((usize 12, usize 16)))) in + uints_828. + +Definition key_to_u32s (key_829 : key_t) : seq uint32 := + let uints_830 : seq uint32 := + seq_new_ (default) (usize 8) in + let uints_830 := + seq_upd uints_830 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 0, usize 4)))) in + let uints_830 := + seq_upd uints_830 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 4, usize 8)))) in + let uints_830 := + seq_upd uints_830 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 8, usize 12)))) in + let uints_830 := + seq_upd uints_830 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 12, usize 16)))) in + let uints_830 := + seq_upd uints_830 (usize 4) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 16, usize 20)))) in + let uints_830 := + seq_upd uints_830 (usize 5) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 20, usize 24)))) in + let uints_830 := + seq_upd uints_830 (usize 6) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 24, usize 28)))) in + let uints_830 := + seq_upd uints_830 (usize 7) (uint32_from_le_bytes (array_from_slice_range ( + default) (4) (array_to_seq (key_829)) ((usize 28, usize 32)))) in + uints_830. + +Definition gimli_aead_encrypt + (message_831 : byte_seq) + (ad_832 : byte_seq) + (nonce_833 : nonce_t) + (key_834 : key_t) + : (byte_seq × tag_t) := + let s_835 : state_t := + array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_833)) (key_to_u32s ( + key_834))) in + let s_836 : state_t := + gimli (s_835) in + let s_837 : state_t := + process_ad (ad_832) (s_836) in + let '(s_838, ciphertext_839) := + process_msg (message_831) (s_837) in + let tag_840 : block_t := + squeeze_block (s_838) in + let tag_841 : tag_t := + array_from_seq (16) (array_to_seq (tag_840)) in + (ciphertext_839, tag_841). + +Definition gimli_aead_decrypt + (ciphertext_842 : byte_seq) + (ad_843 : byte_seq) + (tag_844 : tag_t) + (nonce_845 : nonce_t) + (key_846 : key_t) + : byte_seq := + let s_847 : state_t := + array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_845)) (key_to_u32s ( + key_846))) in + let s_848 : state_t := + gimli (s_847) in + let s_849 : state_t := + process_ad (ad_843) (s_848) in + let '(s_850, message_851) := + process_ct (ciphertext_842) (s_849) in + let my_tag_852 : block_t := + squeeze_block (s_850) in + let my_tag_853 : tag_t := + array_from_seq (16) (array_to_seq (my_tag_852)) in + let out_854 : seq uint8 := + seq_new_ (default) (usize 0) in + let '(out_854) := + if array_equal (my_tag_853) (tag_844):bool then (let out_854 := + message_851 in + (out_854)) else ((out_854)) in + out_854. + diff --git a/proof-libs/coq/src/_vc/Hacspec_Hkdf.v b/proof-libs/coq/src/_vc/Hacspec_Hkdf.v new file mode 100644 index 000000000..944f32405 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Hkdf.v @@ -0,0 +1,91 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Hmac. + +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition hash_len_v : uint_size := + (usize 256) / (usize 8). + +Inductive hkdf_error_t := +| InvalidOutputLength : hkdf_error_t. + +Notation "'hkdf_byte_seq_result_t'" := (( + result byte_seq hkdf_error_t)) : hacspec_scope. + +Definition extract (salt_713 : byte_seq) (ikm_714 : byte_seq) : prk_t := + let salt_or_zero_715 : seq uint8 := + seq_new_ (default) (hash_len_v) in + let '(salt_or_zero_715) := + if (seq_len (salt_713)) >.? (usize 0):bool then (let salt_or_zero_715 := + seq_from_seq (salt_713) in + (salt_or_zero_715)) else ((salt_or_zero_715)) in + array_from_seq (_) (array_to_seq (hmac (salt_or_zero_715) (ikm_714))). + +Definition build_hmac_txt + (t_716 : byte_seq) + (info_717 : byte_seq) + (iteration_718 : uint8) + : byte_seq := + let out_719 : seq uint8 := + seq_new_ (default) (((seq_len (t_716)) + (seq_len (info_717))) + ( + usize 1)) in + let out_719 := + seq_update (out_719) (usize 0) (t_716) in + let out_719 := + seq_update (out_719) (seq_len (t_716)) (info_717) in + let out_719 := + seq_upd out_719 ((seq_len (t_716)) + (seq_len (info_717))) ( + iteration_718) in + out_719. + +Definition div_ceil (a_720 : uint_size) (b_721 : uint_size) : uint_size := + let q_722 : uint_size := + (a_720) / (b_721) in + let '(q_722) := + if ((a_720) %% (b_721)) !=.? (usize 0):bool then (let q_722 := + (q_722) + (usize 1) in + (q_722)) else ((q_722)) in + q_722. + +Definition check_output_limit + (l_723 : uint_size) + : (result uint_size hkdf_error_t) := + let n_724 : uint_size := + div_ceil (l_723) (hash_len_v) in + (if ((n_724) <=.? (usize 255)):bool then (@Ok uint_size hkdf_error_t ( + n_724)) else (@Err uint_size hkdf_error_t (InvalidOutputLength))). + +Definition expand + (prk_725 : byte_seq) + (info_726 : byte_seq) + (l_727 : uint_size) + : hkdf_byte_seq_result_t := + bind (check_output_limit (l_727)) (fun n_728 => let t_i_729 : prk_t := + array_new_ (default) (_) in + let t_730 : seq uint8 := + seq_new_ (default) ((n_728) * (hash_size_v)) in + let '(t_i_729, t_730) := + foldi (usize 0) (n_728) (fun i_731 '(t_i_729, t_730) => + let hmac_txt_in_732 : seq uint8 := + (if ((i_731) =.? (usize 0)):bool then (build_hmac_txt (seq_new_ ( + default) (usize 0)) (info_726) (secret ((pub_u8 (i_731)) .+ ( + @repr WORDSIZE8 1)) : int8)) else (build_hmac_txt ( + seq_from_seq (array_to_seq (t_i_729))) (info_726) (secret (( + pub_u8 (i_731)) .+ (@repr WORDSIZE8 1)) : int8))) in + let t_i_729 := + hmac (prk_725) (hmac_txt_in_732) in + let t_730 := + seq_update (t_730) ((i_731) * (array_len (t_i_729))) ( + array_to_seq (t_i_729)) in + (t_i_729, t_730)) + (t_i_729, t_730) in + @Ok byte_seq hkdf_error_t (seq_slice (t_730) (usize 0) (l_727))). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Hmac.v b/proof-libs/coq/src/_vc/Hacspec_Hmac.v new file mode 100644 index 000000000..e9a37708f --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Hmac.v @@ -0,0 +1,177 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition block_len_v : uint_size := + k_size_v. + +Definition prk_t := nseq (uint8) (hash_size_v). + +Definition block_t := nseq (uint8) (block_len_v). + +Definition i_pad_v : block_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8; + secret (@repr WORDSIZE8 54) : int8 + ] in l). + +Definition o_pad_v : block_t := + array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8; + secret (@repr WORDSIZE8 92) : int8 + ] in l). + +Definition k_block (k_733 : byte_seq) : block_t := + (if ((seq_len (k_733)) >.? (block_len_v)):bool then (array_update_start ( + array_new_ (default) (block_len_v)) (array_to_seq (hash ( + k_733)))) else (array_update_start (array_new_ (default) ( + block_len_v)) (k_733))). + +Definition hmac (k_734 : byte_seq) (txt_735 : byte_seq) : prk_t := + let k_block_736 : block_t := + k_block (k_734) in + let h_in_737 : seq uint8 := + seq_from_seq (array_to_seq ((k_block_736) array_xor (i_pad_v))) in + let h_in_737 := + seq_concat (h_in_737) (txt_735) in + let h_inner_738 : sha256_digest_t := + hash (h_in_737) in + let h_in_739 : seq uint8 := + seq_from_seq (array_to_seq ((k_block_736) array_xor (o_pad_v))) in + let h_in_739 := + seq_concat (h_in_739) (array_to_seq (h_inner_738)) in + array_from_seq (hash_size_v) (array_to_seq (hash (h_in_739))). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Linalg.v b/proof-libs/coq/src/_vc/Hacspec_Linalg.v new file mode 100644 index 000000000..72a3df965 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Linalg.v @@ -0,0 +1,64 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Notation "'dim_type_t'" := (uint_size) : hacspec_scope. + +Notation "'scalar_t'" := (int128) : hacspec_scope. + +Notation "'dims_t'" := ((dim_type_t × dim_type_t)) : hacspec_scope. + +Notation "'matrix_t'" := ((dims_t × seq scalar_t)) : hacspec_scope. + +Notation "'mat_res_t'" := ((result matrix_t unit)) : hacspec_scope. + +Definition new_ + (rows_740 : dim_type_t) + (cols_741 : dim_type_t) + (seq_742 : seq scalar_t) + : mat_res_t := + (if (((seq_len (seq_742)) >.? (usize 0)) && (((rows_740) * (cols_741)) =.? ( + seq_len (seq_742)))):bool then (@Ok matrix_t unit (( + (rows_740, cols_741), + seq_742 + ))) else (@Err matrix_t unit (tt))). + +Definition repeat + (n_743 : dim_type_t) + (m_744 : dim_type_t) + (scalar_745 : scalar_t) + : mat_res_t := + let ret_746 : seq int128 := + seq_new_ (default) ((n_743) * (m_744)) in + let ret_746 := + foldi (usize 0) ((n_743) * (m_744)) (fun i_747 ret_746 => + let ret_746 := + seq_upd ret_746 (i_747) (scalar_745) in + (ret_746)) + ret_746 in + new_ (n_743) (m_744) (ret_746). + +Definition zeros (n_748 : dim_type_t) (m_749 : dim_type_t) : mat_res_t := + repeat (n_748) (m_749) (pub_int128_zero ). + +Definition ones (n_750 : dim_type_t) (m_751 : dim_type_t) : mat_res_t := + repeat (n_750) (m_751) (pub_int128_one ). + +Definition identity (n_752 : dim_type_t) (m_753 : dim_type_t) : mat_res_t := + let ret_754 : seq int128 := + seq_new_ (default) ((n_752) * (m_753)) in + let ret_754 := + foldi (usize 0) (min (n_752) (m_753)) (fun i_755 ret_754 => + let index_756 : uint_size := + ((i_755) * (min (n_752) (m_753))) + (i_755) in + let ret_754 := + seq_upd ret_754 (index_756) (pub_int128_one ) in + (ret_754)) + ret_754 in + new_ (n_752) (m_753) (ret_754). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Ntru_Prime.v b/proof-libs/coq/src/_vc/Hacspec_Ntru_Prime.v new file mode 100644 index 000000000..1ea95475f --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Ntru_Prime.v @@ -0,0 +1,136 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition build_irreducible (p_914 : uint_size) : seq int128 := + let irr_915 : seq int128 := + seq_new_ (default) ((p_914) + (usize 1)) in + let irr_915 := + seq_upd irr_915 (usize 0) (- (@repr WORDSIZE128 1)) in + let irr_915 := + seq_upd irr_915 (usize 1) (- (@repr WORDSIZE128 1)) in + let irr_915 := + seq_upd irr_915 (p_914) (@repr WORDSIZE128 1) in + irr_915. + +Definition round_to_3 (poly_916 : seq int128) (q_917 : int128) : seq int128 := + let result_918 : seq int128 := + (poly_916) in + let q_12_919 : int128 := + ((q_917) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in + let result_918 := + foldi (usize 0) (seq_len (poly_916)) (fun i_920 result_918 => + let '(result_918) := + if (seq_index (poly_916) (i_920)) >.? (q_12_919):bool then ( + let result_918 := + seq_upd result_918 (i_920) ((seq_index (poly_916) (i_920)) .- ( + q_917)) in + (result_918)) else ((result_918)) in + (result_918)) + result_918 in + let result_918 := + foldi (usize 0) (seq_len (result_918)) (fun i_921 result_918 => + let '(result_918) := + if ((seq_index (result_918) (i_921)) .% (@repr WORDSIZE128 3)) !=.? ( + @repr WORDSIZE128 0):bool then (let result_918 := + seq_upd result_918 (i_921) ((seq_index (result_918) (i_921)) .- ( + @repr WORDSIZE128 1)) in + let '(result_918) := + if ((seq_index (result_918) (i_921)) .% ( + @repr WORDSIZE128 3)) !=.? (@repr WORDSIZE128 0):bool then ( + let result_918 := + seq_upd result_918 (i_921) ((seq_index (result_918) ( + i_921)) .+ (@repr WORDSIZE128 2)) in + (result_918)) else ((result_918)) in + (result_918)) else ((result_918)) in + (result_918)) + result_918 in + result_918. + +Definition encrypt + (r_922 : seq int128) + (h_923 : seq int128) + (q_924 : int128) + (irreducible_925 : seq int128) + : seq int128 := + let pre_926 : seq int128 := + mul_poly_irr (r_922) (h_923) (irreducible_925) (q_924) in + round_to_3 (pre_926) (q_924). + +Definition ntru_prime_653_encrypt + (r_927 : seq int128) + (h_928 : seq int128) + : seq int128 := + let p_929 : uint_size := + usize 653 in + let q_930 : int128 := + @repr WORDSIZE128 4621 in + let w_931 : uint_size := + usize 288 in + let irreducible_932 : seq int128 := + build_irreducible (p_929) in + encrypt (r_927) (h_928) (q_930) (irreducible_932). + +Definition ntru_prime_653_decrypt + (c_933 : seq int128) + (key_f_934 : seq int128) + (key_v_935 : seq int128) + : (seq int128 × bool) := + let p_936 : uint_size := + usize 653 in + let q_937 : int128 := + @repr WORDSIZE128 4621 in + let w_938 : uint_size := + usize 288 in + let irreducible_939 : seq int128 := + build_irreducible (p_936) in + let f_c_940 : seq int128 := + mul_poly_irr (key_f_934) (c_933) (irreducible_939) (q_937) in + let f_3_c_and_decryption_ok_941 : (seq int128 × bool) := + poly_to_ring (irreducible_939) (add_poly (f_c_940) (add_poly (f_c_940) ( + f_c_940) (q_937)) (q_937)) (q_937) in + let '(f_3_c_942, ok_decrypt_943) := + f_3_c_and_decryption_ok_941 in + let f_3_c_944 : seq int128 := + f_3_c_942 in + let q_12_945 : int128 := + ((q_937) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in + let f_3_c_944 := + foldi (usize 0) (seq_len (f_3_c_944)) (fun i_946 f_3_c_944 => + let '(f_3_c_944) := + if (seq_index (f_3_c_944) (i_946)) >.? (q_12_945):bool then ( + let f_3_c_944 := + seq_upd f_3_c_944 (i_946) ((seq_index (f_3_c_944) (i_946)) .- ( + q_937)) in + (f_3_c_944)) else ((f_3_c_944)) in + (f_3_c_944)) + f_3_c_944 in + let e_947 : seq int128 := + seq_new_ (default) (seq_len (f_3_c_944)) in + let e_947 := + foldi (usize 0) (seq_len (e_947)) (fun i_948 e_947 => + let e_947 := + seq_upd e_947 (i_948) ((seq_index (f_3_c_944) (i_948)) .% ( + @repr WORDSIZE128 3)) in + (e_947)) + e_947 in + let e_947 := + make_positive (e_947) (@repr WORDSIZE128 3) in + let r_949 : seq int128 := + mul_poly_irr (e_947) (key_v_935) (irreducible_939) (@repr WORDSIZE128 3) in + let r_949 := + foldi (usize 0) (seq_len (r_949)) (fun i_950 r_949 => + let '(r_949) := + if (seq_index (r_949) (i_950)) =.? (@repr WORDSIZE128 2):bool then ( + let r_949 := + seq_upd r_949 (i_950) (- (@repr WORDSIZE128 1)) in + (r_949)) else ((r_949)) in + (r_949)) + r_949 in + (r_949, ok_decrypt_943). + diff --git a/proof-libs/coq/src/_vc/Hacspec_P256.v b/proof-libs/coq/src/_vc/Hacspec_P256.v new file mode 100644 index 000000000..19a6a01cf --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_P256.v @@ -0,0 +1,486 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Inductive error_t := +| InvalidAddition : error_t. + +Definition bits_v : uint_size := + usize 256. + +Definition field_canvas_t := nseq (int8) (32). +Definition p256_field_element_t := + nat_mod 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff. + +Definition scalar_canvas_t := nseq (int8) (32). +Definition p256_scalar_t := + nat_mod 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551. + +Notation "'affine_t'" := ((p256_field_element_t × p256_field_element_t +)) : hacspec_scope. + +Notation "'affine_result_t'" := ((result affine_t error_t)) : hacspec_scope. + +Notation "'p256_jacobian_t'" := (( + p256_field_element_t × + p256_field_element_t × + p256_field_element_t +)) : hacspec_scope. + +Notation "'jacobian_result_t'" := (( + result p256_jacobian_t error_t)) : hacspec_scope. + +Definition element_t := nseq (uint8) (usize 32). + +Definition jacobian_to_affine (p_569 : p256_jacobian_t) : affine_t := + let '(x_570, y_571, z_572) := + p_569 in + let z2_573 : p256_field_element_t := + nat_mod_exp (z_572) (@repr WORDSIZE32 2) in + let z2i_574 : p256_field_element_t := + nat_mod_inv (z2_573) in + let z3_575 : p256_field_element_t := + (z_572) *% (z2_573) in + let z3i_576 : p256_field_element_t := + nat_mod_inv (z3_575) in + let x_577 : p256_field_element_t := + (x_570) *% (z2i_574) in + let y_578 : p256_field_element_t := + (y_571) *% (z3i_576) in + (x_577, y_578). + +Definition affine_to_jacobian (p_579 : affine_t) : p256_jacobian_t := + let '(x_580, y_581) := + p_579 in + ( + x_580, + y_581, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t + ). + +Definition point_double (p_582 : p256_jacobian_t) : p256_jacobian_t := + let '(x1_583, y1_584, z1_585) := + p_582 in + let delta_586 : p256_field_element_t := + nat_mod_exp (z1_585) (@repr WORDSIZE32 2) in + let gamma_587 : p256_field_element_t := + nat_mod_exp (y1_584) (@repr WORDSIZE32 2) in + let beta_588 : p256_field_element_t := + (x1_583) *% (gamma_587) in + let alpha_1_589 : p256_field_element_t := + (x1_583) -% (delta_586) in + let alpha_2_590 : p256_field_element_t := + (x1_583) +% (delta_586) in + let alpha_591 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% ((alpha_1_589) *% ( + alpha_2_590)) in + let x3_592 : p256_field_element_t := + (nat_mod_exp (alpha_591) (@repr WORDSIZE32 2)) -% ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 8) : p256_field_element_t) *% (beta_588)) in + let z3_593 : p256_field_element_t := + nat_mod_exp ((y1_584) +% (z1_585)) (@repr WORDSIZE32 2) in + let z3_594 : p256_field_element_t := + (z3_593) -% ((gamma_587) +% (delta_586)) in + let y3_1_595 : p256_field_element_t := + ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 4) : p256_field_element_t) *% (beta_588)) -% ( + x3_592) in + let y3_2_596 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 8) : p256_field_element_t) *% ((gamma_587) *% ( + gamma_587)) in + let y3_597 : p256_field_element_t := + ((alpha_591) *% (y3_1_595)) -% (y3_2_596) in + (x3_592, y3_597, z3_594). + +Definition is_point_at_infinity (p_598 : p256_jacobian_t) : bool := + let '(x_599, y_600, z_601) := + p_598 in + nat_mod_equal (z_601) (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t). + +Definition s1_equal_s2 + (s1_602 : p256_field_element_t) + (s2_603 : p256_field_element_t) + : jacobian_result_t := + (if (nat_mod_equal (s1_602) (s2_603)):bool then ( + @Err p256_jacobian_t error_t (InvalidAddition)) else ( + @Ok p256_jacobian_t error_t (( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t + )))). + +Definition point_add_jacob + (p_604 : p256_jacobian_t) + (q_605 : p256_jacobian_t) + : jacobian_result_t := + let result_606 : (result p256_jacobian_t error_t) := + @Ok p256_jacobian_t error_t (q_605) in + let '(result_606) := + if negb (is_point_at_infinity (p_604)):bool then (let '(result_606) := + if is_point_at_infinity (q_605):bool then (let result_606 := + @Ok p256_jacobian_t error_t (p_604) in + (result_606)) else (let '(x1_607, y1_608, z1_609) := + p_604 in + let '(x2_610, y2_611, z2_612) := + q_605 in + let z1z1_613 : p256_field_element_t := + nat_mod_exp (z1_609) (@repr WORDSIZE32 2) in + let z2z2_614 : p256_field_element_t := + nat_mod_exp (z2_612) (@repr WORDSIZE32 2) in + let u1_615 : p256_field_element_t := + (x1_607) *% (z2z2_614) in + let u2_616 : p256_field_element_t := + (x2_610) *% (z1z1_613) in + let s1_617 : p256_field_element_t := + ((y1_608) *% (z2_612)) *% (z2z2_614) in + let s2_618 : p256_field_element_t := + ((y2_611) *% (z1_609)) *% (z1z1_613) in + let '(result_606) := + if nat_mod_equal (u1_615) (u2_616):bool then (let result_606 := + s1_equal_s2 (s1_617) (s2_618) in + (result_606)) else (let h_619 : p256_field_element_t := + (u2_616) -% (u1_615) in + let i_620 : p256_field_element_t := + nat_mod_exp ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (h_619)) ( + @repr WORDSIZE32 2) in + let j_621 : p256_field_element_t := + (h_619) *% (i_620) in + let r_622 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (( + s2_618) -% (s1_617)) in + let v_623 : p256_field_element_t := + (u1_615) *% (i_620) in + let x3_1_624 : p256_field_element_t := + (nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% (v_623) in + let x3_2_625 : p256_field_element_t := + (nat_mod_exp (r_622) (@repr WORDSIZE32 2)) -% (j_621) in + let x3_626 : p256_field_element_t := + (x3_2_625) -% (x3_1_624) in + let y3_1_627 : p256_field_element_t := + ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 2) : p256_field_element_t) *% ( + s1_617)) *% (j_621) in + let y3_2_628 : p256_field_element_t := + (r_622) *% ((v_623) -% (x3_626)) in + let y3_629 : p256_field_element_t := + (y3_2_628) -% (y3_1_627) in + let z3_630 : p256_field_element_t := + nat_mod_exp ((z1_609) +% (z2_612)) (@repr WORDSIZE32 2) in + let z3_631 : p256_field_element_t := + ((z3_630) -% ((z1z1_613) +% (z2z2_614))) *% (h_619) in + let result_606 := + @Ok p256_jacobian_t error_t ((x3_626, y3_629, z3_631)) in + (result_606)) in + (result_606)) in + (result_606)) else ((result_606)) in + result_606. + +Definition ltr_mul + (k_632 : p256_scalar_t) + (p_633 : p256_jacobian_t) + : jacobian_result_t := + let q_634 : ( + p256_field_element_t × + p256_field_element_t × + p256_field_element_t + ) := + ( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 1) : p256_field_element_t, + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 0) : p256_field_element_t + ) in + bind (foldibnd (usize 0) to (bits_v) for q_634 >> (fun i_635 q_634 => + let q_634 := + point_double (q_634) in + ifbnd nat_mod_equal (nat_mod_get_bit (k_632) (((bits_v) - (usize 1)) - ( + i_635))) (nat_mod_one ) : bool + thenbnd (bind (point_add_jacob (q_634) (p_633)) (fun q_634 => Ok ((q_634 + )))) + else ((q_634)) >> (fun '(q_634) => + Ok ((q_634))))) (fun q_634 => @Ok p256_jacobian_t error_t (q_634)). + +Definition p256_point_mul + (k_636 : p256_scalar_t) + (p_637 : affine_t) + : affine_result_t := + bind (ltr_mul (k_636) (affine_to_jacobian (p_637))) (fun jac_638 => + @Ok affine_t error_t (jacobian_to_affine (jac_638))). + +Definition p256_point_mul_base (k_639 : p256_scalar_t) : affine_result_t := + let base_point_640 : (p256_field_element_t × p256_field_element_t) := + ( + nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 23) : int8; + secret (@repr WORDSIZE8 209) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 225) : int8; + secret (@repr WORDSIZE8 44) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 71) : int8; + secret (@repr WORDSIZE8 248) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 230) : int8; + secret (@repr WORDSIZE8 229) : int8; + secret (@repr WORDSIZE8 99) : int8; + secret (@repr WORDSIZE8 164) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 242) : int8; + secret (@repr WORDSIZE8 119) : int8; + secret (@repr WORDSIZE8 3) : int8; + secret (@repr WORDSIZE8 125) : int8; + secret (@repr WORDSIZE8 129) : int8; + secret (@repr WORDSIZE8 45) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 160) : int8; + secret (@repr WORDSIZE8 244) : int8; + secret (@repr WORDSIZE8 161) : int8; + secret (@repr WORDSIZE8 57) : int8; + secret (@repr WORDSIZE8 69) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 194) : int8; + secret (@repr WORDSIZE8 150) : int8 + ] in l))) : p256_field_element_t, + nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := + [ + secret (@repr WORDSIZE8 79) : int8; + secret (@repr WORDSIZE8 227) : int8; + secret (@repr WORDSIZE8 66) : int8; + secret (@repr WORDSIZE8 226) : int8; + secret (@repr WORDSIZE8 254) : int8; + secret (@repr WORDSIZE8 26) : int8; + secret (@repr WORDSIZE8 127) : int8; + secret (@repr WORDSIZE8 155) : int8; + secret (@repr WORDSIZE8 142) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 74) : int8; + secret (@repr WORDSIZE8 124) : int8; + secret (@repr WORDSIZE8 15) : int8; + secret (@repr WORDSIZE8 158) : int8; + secret (@repr WORDSIZE8 22) : int8; + secret (@repr WORDSIZE8 43) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 51) : int8; + secret (@repr WORDSIZE8 87) : int8; + secret (@repr WORDSIZE8 107) : int8; + secret (@repr WORDSIZE8 49) : int8; + secret (@repr WORDSIZE8 94) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 203) : int8; + secret (@repr WORDSIZE8 182) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 104) : int8; + secret (@repr WORDSIZE8 55) : int8; + secret (@repr WORDSIZE8 191) : int8; + secret (@repr WORDSIZE8 81) : int8; + secret (@repr WORDSIZE8 245) : int8 + ] in l))) : p256_field_element_t + ) in + p256_point_mul (k_639) (base_point_640). + +Definition point_add_distinct + (p_641 : affine_t) + (q_642 : affine_t) + : affine_result_t := + bind (point_add_jacob (affine_to_jacobian (p_641)) (affine_to_jacobian ( + q_642))) (fun r_643 => @Ok affine_t error_t (jacobian_to_affine ( + r_643))). + +Definition point_add (p_644 : affine_t) (q_645 : affine_t) : affine_result_t := + (if ((p_644) !=.? (q_645)):bool then (point_add_distinct (p_644) ( + q_645)) else (@Ok affine_t error_t (jacobian_to_affine (point_double ( + affine_to_jacobian (p_644)))))). + +Definition p256_validate_private_key (k_646 : byte_seq) : bool := + let valid_647 : bool := + true in + let k_element_648 : p256_scalar_t := + nat_mod_from_byte_seq_be (k_646) : p256_scalar_t in + let k_element_bytes_649 : seq uint8 := + nat_mod_to_byte_seq_be (k_element_648) in + let all_zero_650 : bool := + true in + let '(valid_647, all_zero_650) := + foldi (usize 0) (seq_len (k_646)) (fun i_651 '(valid_647, all_zero_650) => + let '(all_zero_650) := + if negb (uint8_equal (seq_index (k_646) (i_651)) (secret ( + @repr WORDSIZE8 0) : int8)):bool then (let all_zero_650 := + false in + (all_zero_650)) else ((all_zero_650)) in + let '(valid_647) := + if negb (uint8_equal (seq_index (k_element_bytes_649) (i_651)) ( + seq_index (k_646) (i_651))):bool then (let valid_647 := + false in + (valid_647)) else ((valid_647)) in + (valid_647, all_zero_650)) + (valid_647, all_zero_650) in + (valid_647) && (negb (all_zero_650)). + +Definition p256_validate_public_key (p_652 : affine_t) : bool := + let b_653 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 75) : int8 + ]) : p256_field_element_t in + let point_at_infinity_654 : bool := + is_point_at_infinity (affine_to_jacobian (p_652)) in + let '(x_655, y_656) := + p_652 in + let on_curve_657 : bool := + ((y_656) *% (y_656)) =.? (((((x_655) *% (x_655)) *% (x_655)) -% (( + nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% (x_655))) +% ( + b_653)) in + (negb (point_at_infinity_654)) && (on_curve_657). + +Definition p256_calculate_w + (x_658 : p256_field_element_t) + : p256_field_element_t := + let b_659 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 90) : int8; + secret (@repr WORDSIZE8 198) : int8; + secret (@repr WORDSIZE8 53) : int8; + secret (@repr WORDSIZE8 216) : int8; + secret (@repr WORDSIZE8 170) : int8; + secret (@repr WORDSIZE8 58) : int8; + secret (@repr WORDSIZE8 147) : int8; + secret (@repr WORDSIZE8 231) : int8; + secret (@repr WORDSIZE8 179) : int8; + secret (@repr WORDSIZE8 235) : int8; + secret (@repr WORDSIZE8 189) : int8; + secret (@repr WORDSIZE8 85) : int8; + secret (@repr WORDSIZE8 118) : int8; + secret (@repr WORDSIZE8 152) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 188) : int8; + secret (@repr WORDSIZE8 101) : int8; + secret (@repr WORDSIZE8 29) : int8; + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 204) : int8; + secret (@repr WORDSIZE8 83) : int8; + secret (@repr WORDSIZE8 176) : int8; + secret (@repr WORDSIZE8 246) : int8; + secret (@repr WORDSIZE8 59) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 60) : int8; + secret (@repr WORDSIZE8 62) : int8; + secret (@repr WORDSIZE8 39) : int8; + secret (@repr WORDSIZE8 210) : int8; + secret (@repr WORDSIZE8 96) : int8; + secret (@repr WORDSIZE8 75) : int8 + ]) : p256_field_element_t in + let exp_660 : p256_field_element_t := + nat_mod_from_byte_seq_be ([ + secret (@repr WORDSIZE8 63) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 255) : int8; + secret (@repr WORDSIZE8 192) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 64) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8; + secret (@repr WORDSIZE8 0) : int8 + ]) : p256_field_element_t in + let z_661 : p256_field_element_t := + ((((x_658) *% (x_658)) *% (x_658)) -% ((nat_mod_from_literal ( + 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( + @repr WORDSIZE128 3) : p256_field_element_t) *% (x_658))) +% ( + b_659) in + let w_662 : p256_field_element_t := + nat_mod_pow_felem (z_661) (exp_660) in + w_662. + diff --git a/proof-libs/coq/src/_vc/Hacspec_Poly1305.v b/proof-libs/coq/src/_vc/Hacspec_Poly1305.v new file mode 100644 index 000000000..8ac6f9ac9 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Poly1305.v @@ -0,0 +1,143 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition poly_key_t := nseq (uint8) (usize 32). + +Definition blocksize_v : uint_size := + usize 16. + +Definition poly_block_t := nseq (uint8) (usize 16). + +Definition poly1305_tag_t := nseq (uint8) (usize 16). + +Notation "'sub_block_t'" := (byte_seq) : hacspec_scope. + +Notation "'block_index_t'" := (uint_size) : hacspec_scope. + +Definition field_canvas_t := nseq (int8) (17). +Definition field_element_t := nat_mod 0x03fffffffffffffffffffffffffffffffb. + +Notation "'poly_state_t'" := ((field_element_t × field_element_t × poly_key_t +)) : hacspec_scope. + +Definition poly1305_encode_r (b_435 : poly_block_t) : field_element_t := + let n_436 : uint128 := + uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_435))) in + let n_436 := + (n_436) .& (secret ( + @repr WORDSIZE128 21267647620597763993911028882763415551) : int128) in + nat_mod_from_secret_literal (n_436). + +Definition poly1305_encode_block (b_437 : poly_block_t) : field_element_t := + let n_438 : uint128 := + uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_437))) in + let f_439 : field_element_t := + nat_mod_from_secret_literal (n_438) in + (f_439) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ( + usize 128) : field_element_t). + +Definition poly1305_encode_last + (pad_len_440 : block_index_t) + (b_441 : sub_block_t) + : field_element_t := + let n_442 : uint128 := + uint128_from_le_bytes (array_from_slice (default) (16) (b_441) (usize 0) ( + seq_len (b_441))) in + let f_443 : field_element_t := + nat_mod_from_secret_literal (n_442) in + (f_443) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ((usize 8) * ( + pad_len_440)) : field_element_t). + +Definition poly1305_init (k_444 : poly_key_t) : poly_state_t := + let r_445 : field_element_t := + poly1305_encode_r (array_from_slice (default) (16) (array_to_seq (k_444)) ( + usize 0) (usize 16)) in + (nat_mod_zero , r_445, k_444). + +Definition poly1305_update_block + (b_446 : poly_block_t) + (st_447 : poly_state_t) + : poly_state_t := + let '(acc_448, r_449, k_450) := + st_447 in + (((poly1305_encode_block (b_446)) +% (acc_448)) *% (r_449), r_449, k_450). + +Definition poly1305_update_blocks + (m_451 : byte_seq) + (st_452 : poly_state_t) + : poly_state_t := + let st_453 : (field_element_t × field_element_t × poly_key_t) := + st_452 in + let n_blocks_454 : uint_size := + (seq_len (m_451)) / (blocksize_v) in + let st_453 := + foldi (usize 0) (n_blocks_454) (fun i_455 st_453 => + let block_456 : poly_block_t := + array_from_seq (16) (seq_get_exact_chunk (m_451) (blocksize_v) ( + i_455)) in + let st_453 := + poly1305_update_block (block_456) (st_453) in + (st_453)) + st_453 in + st_453. + +Definition poly1305_update_last + (pad_len_457 : uint_size) + (b_458 : sub_block_t) + (st_459 : poly_state_t) + : poly_state_t := + let st_460 : (field_element_t × field_element_t × poly_key_t) := + st_459 in + let '(st_460) := + if (seq_len (b_458)) !=.? (usize 0):bool then (let '(acc_461, r_462, k_463 + ) := + st_460 in + let st_460 := + ( + ((poly1305_encode_last (pad_len_457) (b_458)) +% (acc_461)) *% ( + r_462), + r_462, + k_463 + ) in + (st_460)) else ((st_460)) in + st_460. + +Definition poly1305_update + (m_464 : byte_seq) + (st_465 : poly_state_t) + : poly_state_t := + let st_466 : (field_element_t × field_element_t × poly_key_t) := + poly1305_update_blocks (m_464) (st_465) in + let last_467 : seq uint8 := + seq_get_remainder_chunk (m_464) (blocksize_v) in + poly1305_update_last (seq_len (last_467)) (last_467) (st_466). + +Definition poly1305_finish (st_468 : poly_state_t) : poly1305_tag_t := + let '(acc_469, _, k_470) := + st_468 in + let n_471 : uint128 := + uint128_from_le_bytes (array_from_slice (default) (16) ( + array_to_seq (k_470)) (usize 16) (usize 16)) in + let aby_472 : seq uint8 := + nat_mod_to_byte_seq_le (acc_469) in + let a_473 : uint128 := + uint128_from_le_bytes (array_from_slice (default) (16) (aby_472) (usize 0) ( + usize 16)) in + array_from_seq (16) (array_to_seq (uint128_to_le_bytes ((a_473) .+ (n_471)))). + +Definition poly1305 + (m_474 : byte_seq) + (key_475 : poly_key_t) + : poly1305_tag_t := + let st_476 : (field_element_t × field_element_t × poly_key_t) := + poly1305_init (key_475) in + let st_476 := + poly1305_update (m_474) (st_476) in + poly1305_finish (st_476). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Riot_Bootloader.v b/proof-libs/coq/src/_vc/Hacspec_Riot_Bootloader.v new file mode 100644 index 000000000..b6ece891b --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Riot_Bootloader.v @@ -0,0 +1,180 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition riotboot_magic_v : int32 := + @repr WORDSIZE32 1414482258. + +Notation "'fletcher_t'" := ((int32 × int32)) : hacspec_scope. + +Definition new_fletcher : fletcher_t := + (@repr WORDSIZE32 65535, @repr WORDSIZE32 65535). + +Definition max_chunk_size : uint_size := + usize 360. + +Definition reduce_u32 (x_951 : int32) : int32 := + ((x_951) .& (@repr WORDSIZE32 65535)) .+ ((x_951) shift_right ( + @repr WORDSIZE32 16)). + +Definition combine (lower_952 : int32) (upper_953 : int32) : int32 := + (lower_952) .| ((upper_953) shift_left (@repr WORDSIZE32 16)). + +Definition update_fletcher + (f_954 : fletcher_t) + (data_955 : seq int16) + : fletcher_t := + let max_chunk_size_956 : uint_size := + max_chunk_size in + let '(a_957, b_958) := + f_954 in + let '(a_957, b_958) := + foldi (usize 0) (seq_num_chunks (data_955) ( + max_chunk_size_956)) (fun i_959 '(a_957, b_958) => + let '(chunk_len_960, chunk_961) := + seq_get_chunk (data_955) (max_chunk_size_956) (i_959) in + let intermediate_a_962 : int32 := + a_957 in + let intermediate_b_963 : int32 := + b_958 in + let '(intermediate_a_962, intermediate_b_963) := + foldi (usize 0) (chunk_len_960) (fun j_964 '( + intermediate_a_962, + intermediate_b_963 + ) => + let intermediate_a_962 := + (intermediate_a_962) .+ (@cast _ uint32 _ (seq_index (chunk_961) ( + j_964))) in + let intermediate_b_963 := + (intermediate_b_963) .+ (intermediate_a_962) in + (intermediate_a_962, intermediate_b_963)) + (intermediate_a_962, intermediate_b_963) in + let a_957 := + reduce_u32 (intermediate_a_962) in + let b_958 := + reduce_u32 (intermediate_b_963) in + (a_957, b_958)) + (a_957, b_958) in + let a_957 := + reduce_u32 (a_957) in + let b_958 := + reduce_u32 (b_958) in + (a_957, b_958). + +Definition value (x_965 : fletcher_t) : int32 := + let '(a_966, b_967) := + x_965 in + combine (a_966) (b_967). + +Notation "'header_t'" := ((int32 × int32 × int32 × int32)) : hacspec_scope. + +Definition header_as_u16_slice (h_968 : header_t) : seq int16 := + let '(magic_969, seq_number_970, start_addr_971, _) := + h_968 in + let magic_972 : u32_word_t := + u32_to_be_bytes (magic_969) in + let seq_number_973 : u32_word_t := + u32_to_be_bytes (seq_number_970) in + let start_addr_974 : u32_word_t := + u32_to_be_bytes (start_addr_971) in + let u8_seq_975 : seq int8 := + seq_new_ (default) (usize 12) in + let u8_seq_976 : seq int8 := + seq_update_slice (u8_seq_975) (usize 0) (array_to_seq (magic_972)) ( + usize 0) (usize 4) in + let u8_seq_977 : seq int8 := + seq_update_slice (u8_seq_976) (usize 4) (array_to_seq (seq_number_973)) ( + usize 0) (usize 4) in + let u8_seq_978 : seq int8 := + seq_update_slice (u8_seq_977) (usize 8) (array_to_seq (start_addr_974)) ( + usize 0) (usize 4) in + let u16_seq_979 : seq int16 := + seq_new_ (default) (usize 6) in + let u16_seq_979 := + foldi (usize 0) (usize 3) (fun i_980 u16_seq_979 => + let u16_word_981 : u16_word_t := + array_from_seq (2) (seq_slice (u8_seq_978) ((i_980) * (usize 4)) ( + usize 2)) in + let u16_value_982 : int16 := + u16_from_be_bytes (u16_word_981) in + let u16_seq_979 := + seq_upd u16_seq_979 (((usize 2) * (i_980)) + (usize 1)) ( + u16_value_982) in + let u16_word_983 : u16_word_t := + array_from_seq (2) (seq_slice (u8_seq_978) (((i_980) * (usize 4)) + ( + usize 2)) (usize 2)) in + let u16_value_984 : int16 := + u16_from_be_bytes (u16_word_983) in + let u16_seq_979 := + seq_upd u16_seq_979 ((usize 2) * (i_980)) (u16_value_984) in + (u16_seq_979)) + u16_seq_979 in + u16_seq_979. + +Definition is_valid_header (h_985 : header_t) : bool := + let '(magic_number_986, seq_number_987, start_addr_988, checksum_989) := + h_985 in + let slice_990 : seq int16 := + header_as_u16_slice (( + magic_number_986, + seq_number_987, + start_addr_988, + checksum_989 + )) in + let result_991 : bool := + false in + let '(result_991) := + if (magic_number_986) =.? (riotboot_magic_v):bool then (let fletcher_992 : ( + int32 × + int32 + ) := + new_fletcher in + let fletcher_993 : (int32 × int32) := + update_fletcher (fletcher_992) (slice_990) in + let sum_994 : int32 := + value (fletcher_993) in + let result_991 := + (sum_994) =.? (checksum_989) in + (result_991)) else ((result_991)) in + result_991. + +Definition choose_image (images_995 : seq header_t) : (bool × int32) := + let image_996 : int32 := + @repr WORDSIZE32 0 in + let image_found_997 : bool := + false in + let '(image_996, image_found_997) := + foldi (usize 0) (seq_len (images_995)) (fun i_998 '( + image_996, + image_found_997 + ) => + let header_999 : (int32 × int32 × int32 × int32) := + seq_index (images_995) (i_998) in + let '(magic_number_1000, seq_number_1001, start_addr_1002, checksum_1003 + ) := + header_999 in + let '(image_996, image_found_997) := + if is_valid_header (( + magic_number_1000, + seq_number_1001, + start_addr_1002, + checksum_1003 + )):bool then (let change_image_1004 : bool := + negb ((image_found_997) && ((seq_number_1001) <=.? (image_996))) in + let '(image_996, image_found_997) := + if change_image_1004:bool then (let image_996 := + start_addr_1002 in + let image_found_997 := + true in + (image_996, image_found_997)) else ((image_996, image_found_997 + )) in + (image_996, image_found_997)) else ((image_996, image_found_997)) in + (image_996, image_found_997)) + (image_996, image_found_997) in + (image_found_997, image_996). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Riot_Runqueue.v b/proof-libs/coq/src/_vc/Hacspec_Riot_Runqueue.v new file mode 100644 index 000000000..9647a3e5c --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Riot_Runqueue.v @@ -0,0 +1,223 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition uint32_bits_v : uint_size := + (usize 4) * (usize 8). + +Definition n_queues_v : uint_size := + usize 20. + +Definition n_threads_v : uint_size := + usize 30. + +Definition sentinel_v : int8 := + @repr WORDSIZE8 255. + +Inductive runqueue_id_t := +| RunqueueId : int8 -> runqueue_id_t. + +Inductive thread_id_t := +| ThreadId : int8 -> thread_id_t. + +Definition tail_t := nseq (int8) (n_queues_v). + +Definition next_ids_t := nseq (int8) (n_threads_v). + +Inductive clist_t := +| Clist : (tail_t × next_ids_t) -> clist_t. + +Definition clist_new : clist_t := + let tail_1005 : tail_t := + array_new_ (default) (n_queues_v) in + let tail_1005 := + foldi (usize 0) (array_len (tail_1005)) (fun i_1006 tail_1005 => + let tail_1005 := + array_upd tail_1005 (i_1006) (sentinel_v) in + (tail_1005)) + tail_1005 in + let next_idxs_1007 : next_ids_t := + array_new_ (default) (n_threads_v) in + let next_idxs_1007 := + foldi (usize 0) (array_len (next_idxs_1007)) (fun i_1008 next_idxs_1007 => + let next_idxs_1007 := + array_upd next_idxs_1007 (i_1008) (sentinel_v) in + (next_idxs_1007)) + next_idxs_1007 in + Clist ((tail_1005, next_idxs_1007)). + +Definition clist_is_empty (x_1009 : clist_t) (rq_1010 : runqueue_id_t) : bool := + let 'RunqueueId (rq_1011) := + rq_1010 in + let 'Clist ((tail_1012, next_ids_1013)) := + x_1009 in + (array_index (tail_1012) (@cast _ uint32 _ (rq_1011))) =.? (sentinel_v). + +Definition clist_push + (x_1014 : clist_t) + (n_1015 : thread_id_t) + (rq_1016 : runqueue_id_t) + : clist_t := + let 'RunqueueId (rq_1017) := + rq_1016 in + let 'ThreadId (n_1018) := + n_1015 in + let 'Clist ((tail_1019, next_idxs_1020)) := + x_1014 in + let '(tail_1019, next_idxs_1020) := + if (array_index (next_idxs_1020) (@cast _ uint32 _ (n_1018))) =.? ( + sentinel_v):bool then (let '(tail_1019, next_idxs_1020) := + if (array_index (tail_1019) (@cast _ uint32 _ (rq_1017))) =.? ( + sentinel_v):bool then (let tail_1019 := + array_upd tail_1019 (@cast _ uint32 _ (rq_1017)) (n_1018) in + let next_idxs_1020 := + array_upd next_idxs_1020 (@cast _ uint32 _ (n_1018)) (n_1018) in + (tail_1019, next_idxs_1020)) else (let next_idxs_1020 := + array_upd next_idxs_1020 (@cast _ uint32 _ (n_1018)) (array_index ( + next_idxs_1020) (@cast _ uint32 _ (array_index (tail_1019) ( + @cast _ uint32 _ (rq_1017))))) in + let next_idxs_1020 := + array_upd next_idxs_1020 (@cast _ uint32 _ (array_index ( + tail_1019) (@cast _ uint32 _ (rq_1017)))) (n_1018) in + let tail_1019 := + array_upd tail_1019 (@cast _ uint32 _ (rq_1017)) (n_1018) in + (tail_1019, next_idxs_1020)) in + (tail_1019, next_idxs_1020)) else ((tail_1019, next_idxs_1020)) in + Clist ((tail_1019, next_idxs_1020)). + +Definition clist_pop_head + (x_1021 : clist_t) + (rq_1022 : runqueue_id_t) + : (clist_t × (option int8)) := + let 'RunqueueId (rq_1023) := + rq_1022 in + let 'Clist ((tail_1024, next_idxs_1025)) := + x_1021 in + let out_1026 : (option int8) := + @None int8 in + let '(tail_1024, next_idxs_1025, out_1026) := + if (array_index (tail_1024) (@cast _ uint32 _ (rq_1023))) =.? ( + sentinel_v):bool then ((tail_1024, next_idxs_1025, out_1026)) else ( + let head_1027 : int8 := + array_index (next_idxs_1025) (@cast _ uint32 _ (array_index ( + tail_1024) (@cast _ uint32 _ (rq_1023)))) in + let '(tail_1024, next_idxs_1025) := + if (head_1027) =.? (array_index (tail_1024) (@cast _ uint32 _ ( + rq_1023))):bool then (let tail_1024 := + array_upd tail_1024 (@cast _ uint32 _ (rq_1023)) (sentinel_v) in + (tail_1024, next_idxs_1025)) else (let next_idxs_1025 := + array_upd next_idxs_1025 (@cast _ uint32 _ (array_index ( + tail_1024) (@cast _ uint32 _ (rq_1023)))) (array_index ( + next_idxs_1025) (@cast _ uint32 _ (head_1027))) in + (tail_1024, next_idxs_1025)) in + let next_idxs_1025 := + array_upd next_idxs_1025 (@cast _ uint32 _ (head_1027)) (sentinel_v) in + let out_1026 := + @Some int8 (head_1027) in + (tail_1024, next_idxs_1025, out_1026)) in + (Clist ((tail_1024, next_idxs_1025)), out_1026). + +Definition clist_peek_head + (x_1028 : clist_t) + (rq_1029 : runqueue_id_t) + : (option int8) := + let 'RunqueueId (rq_1030) := + rq_1029 in + let 'Clist ((tail_1031, next_idxs_1032)) := + x_1028 in + (if ((array_index (tail_1031) (@cast _ uint32 _ (rq_1030))) =.? ( + sentinel_v)):bool then (@None int8) else (@Some int8 (array_index ( + next_idxs_1032) (@cast _ uint32 _ (array_index (tail_1031) ( + @cast _ uint32 _ (rq_1030))))))). + +Definition clist_advance + (x_1033 : clist_t) + (rq_1034 : runqueue_id_t) + : clist_t := + let 'RunqueueId (rq_1035) := + rq_1034 in + let 'Clist ((tail_1036, next_idxs_1037)) := + x_1033 in + let '(tail_1036) := + if (array_index (tail_1036) (@cast _ uint32 _ (rq_1035))) !=.? ( + sentinel_v):bool then (let tail_1036 := + array_upd tail_1036 (@cast _ uint32 _ (rq_1035)) (array_index ( + next_idxs_1037) (@cast _ uint32 _ (array_index (tail_1036) ( + @cast _ uint32 _ (rq_1035))))) in + (tail_1036)) else ((tail_1036)) in + Clist ((tail_1036, next_idxs_1037)). + +Inductive run_queue_t := +| RunQueue : (int32 × clist_t) -> run_queue_t. + +Definition runqueue_new : run_queue_t := + RunQueue ((@repr WORDSIZE32 0, clist_new )). + +Definition runqueue_add + (y_1038 : run_queue_t) + (n_1039 : thread_id_t) + (rq_1040 : runqueue_id_t) + : run_queue_t := + let 'RunqueueId (rq_u8_1041) := + rq_1040 in + let 'RunQueue ((bitcache_1042, queues_1043)) := + y_1038 in + let bitcache_1042 := + (bitcache_1042) .| ((@repr WORDSIZE32 1) shift_left (@cast _ uint32 _ ( + rq_u8_1041))) in + let queues_1043 := + clist_push (queues_1043) (n_1039) (rq_1040) in + RunQueue ((bitcache_1042, queues_1043)). + +Definition runqueue_del + (y_1044 : run_queue_t) + (n_1045 : thread_id_t) + (rq_1046 : runqueue_id_t) + : run_queue_t := + let 'RunqueueId (rq_u8_1047) := + rq_1046 in + let 'RunQueue ((bitcache_1048, queues_1049)) := + y_1044 in + let '(queues_1050, popped_1051) := + clist_pop_head (queues_1049) (rq_1046) in + let '(bitcache_1048) := + if clist_is_empty (queues_1050) (rq_1046):bool then (let bitcache_1048 := + (bitcache_1048) .& (not ((@repr WORDSIZE32 1) shift_left ( + @cast _ uint32 _ (rq_u8_1047)))) in + (bitcache_1048)) else ((bitcache_1048)) in + RunQueue ((bitcache_1048, queues_1050)). + +Definition runqueue_ffs (val_1052 : int32) : int32 := + (pub_u32 (uint32_bits_v)) .- (pub_uint32_leading_zeros (val_1052)). + +Definition runqueue_get_next (y_1053 : run_queue_t) : (option int8) := + let 'RunQueue ((bitcache_1054, queues_1055)) := + y_1053 in + let rq_ffs_1056 : int32 := + runqueue_ffs ((bitcache_1054)) in + let out_1057 : (option int8) := + @None int8 in + let '(out_1057) := + if (rq_ffs_1056) >.? (@repr WORDSIZE32 0):bool then ( + let rq_1058 : runqueue_id_t := + RunqueueId (@cast _ uint8 _ ((rq_ffs_1056) .- (@repr WORDSIZE32 1))) in + let out_1057 := + clist_peek_head (queues_1055) (rq_1058) in + (out_1057)) else ((out_1057)) in + out_1057. + +Definition runqueue_advance + (y_1059 : run_queue_t) + (rq_1060 : runqueue_id_t) + : run_queue_t := + let 'RunQueue ((bitcache_1061, queues_1062)) := + y_1059 in + let queues_1062 := + clist_advance (queues_1062) (rq_1060) in + RunQueue ((bitcache_1061, queues_1062)). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/src/_vc/Hacspec_Rsa_Pkcs1.v new file mode 100644 index 000000000..bde095ee3 --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Rsa_Pkcs1.v @@ -0,0 +1,112 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Sha256. + +Definition bit_size_v : int32 := + @repr WORDSIZE32 2048. + +Definition byte_size_v : int32 := + (@repr WORDSIZE32 2048) ./ (@repr WORDSIZE32 8). + +Definition hlen_v : uint_size := + usize 32. + +Definition rsa_int_t := nat_mod pow2 2048. + +Inductive error_t := +| InvalidLength : error_t +| MessageTooLarge : error_t. + +Definition eqb_error_t (x y : error_t) : bool := +match x with + | InvalidLength => match y with | InvalidLength=> true | _ => false end + | MessageTooLarge => match y with | MessageTooLarge=> true | _ => false end + end. + +Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_error_t : EqDec (error_t) := +Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). + + +Notation "'pk_t'" := ((rsa_int_t × rsa_int_t)) : hacspec_scope. + +Notation "'sk_t'" := ((rsa_int_t × rsa_int_t)) : hacspec_scope. + +Notation "'key_pair_t'" := ((pk_t × sk_t)) : hacspec_scope. + +Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. + +Notation "'rsa_int_result_t'" := ((result rsa_int_t error_t)) : hacspec_scope. + +Definition rsaep (pk_1947 : pk_t) (m_1948 : rsa_int_t) : rsa_int_result_t := + let '(n_1949, e_1950) := + pk_1947 in + (if ((m_1948) >.? ((n_1949) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (m_1948) (e_1950) (n_1949)))). + +Definition rsadp (sk_1951 : sk_t) (c_1952 : rsa_int_t) : rsa_int_result_t := + let '(n_1953, d_1954) := + sk_1951 in + (if ((c_1952) >.? ((n_1953) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (c_1952) (d_1954) (n_1953)))). + +Definition rsasp1 (sk_1955 : sk_t) (m_1956 : rsa_int_t) : rsa_int_result_t := + let '(n_1957, d_1958) := + sk_1955 in + (if ((m_1956) >.? ((n_1957) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (m_1956) (d_1958) (n_1957)))). + +Definition rsavp1 (pk_1959 : pk_t) (s_1960 : rsa_int_t) : rsa_int_result_t := + let '(n_1961, e_1962) := + pk_1959 in + (if ((s_1960) >.? ((n_1961) -% (nat_mod_one ))):bool then ( + @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( + nat_mod_pow_mod (s_1960) (e_1962) (n_1961)))). + +Definition i2osp + (x_1963 : rsa_int_t) + (x_len_1964 : int32) + : byte_seq_result_t := + (if (((x_1963) >=.? (nat_mod_exp (nat_mod_from_literal (0x) ( + @repr WORDSIZE128 256) : rsa_int_t) (x_len_1964))) && (( + x_len_1964) !=.? (byte_size_v))):bool then (@Err byte_seq error_t ( + InvalidLength)) else (@Ok byte_seq error_t (seq_slice ( + nat_mod_to_byte_seq_be (x_1963)) (@cast _ uint32 _ ((byte_size_v) .- ( + x_len_1964))) (@cast _ uint32 _ (x_len_1964))))). + +Definition os2ip (x_1965 : byte_seq) : rsa_int_t := + nat_mod_from_byte_seq_be (x_1965) : rsa_int_t. + +Definition mgf1 + (mgf_seed_1966 : byte_seq) + (mask_len_1967 : uint_size) + : byte_seq_result_t := + let result_1968 : (result byte_seq error_t) := + @Err byte_seq error_t (InvalidLength) in + ifbnd (mask_len_1967) <.? ((usize 2) .^ ((usize 32) * (hlen_v))) : bool + thenbnd (let t_1969 : seq uint8 := + seq_new_ (default) (usize 0) in + bind (foldibnd (usize 0) to (((mask_len_1967) + (usize 32)) / ( + usize 32)) for t_1969 >> (fun i_1970 t_1969 => + bind (i2osp (nat_mod_from_literal (0x) (pub_u128 (i_1970)) : rsa_int_t) ( + @repr WORDSIZE32 4)) (fun x_1971 => let t_1969 := + seq_concat (t_1969) (array_to_seq (sha256 (seq_concat ( + mgf_seed_1966) (x_1971)))) in + Ok ((t_1969))))) (fun t_1969 => let result_1968 := + @Ok byte_seq error_t (seq_slice (t_1969) (usize 0) (mask_len_1967)) in + Ok ((result_1968)))) + else ((result_1968)) >> (fun '(result_1968) => + result_1968). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Sha256.v b/proof-libs/coq/src/_vc/Hacspec_Sha256.v new file mode 100644 index 000000000..2e5d8933b --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Sha256.v @@ -0,0 +1,304 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition block_size_v : uint_size := + usize 64. + +Definition len_size_v : uint_size := + usize 8. + +Definition k_size_v : uint_size := + usize 64. + +Definition hash_size_v : uint_size := + (usize 256) / (usize 8). + +Definition block_t := nseq (uint8) (block_size_v). + +Definition op_table_type_t := nseq (uint_size) (usize 12). + +Definition sha256_digest_t := nseq (uint8) (hash_size_v). + +Definition round_constants_table_t := nseq (uint32) (k_size_v). + +Definition hash_t := nseq (uint32) (usize 8). + +Definition ch (x_663 : uint32) (y_664 : uint32) (z_665 : uint32) : uint32 := + ((x_663) .& (y_664)) .^ ((not (x_663)) .& (z_665)). + +Definition maj (x_666 : uint32) (y_667 : uint32) (z_668 : uint32) : uint32 := + ((x_666) .& (y_667)) .^ (((x_666) .& (z_668)) .^ ((y_667) .& (z_668))). + +Definition op_table_v : op_table_type_t := + array_from_list uint_size (let l := + [ + usize 2; + usize 13; + usize 22; + usize 6; + usize 11; + usize 25; + usize 7; + usize 18; + usize 3; + usize 17; + usize 19; + usize 10 + ] in l). + +Definition k_table_v : round_constants_table_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1116352408) : int32; + secret (@repr WORDSIZE32 1899447441) : int32; + secret (@repr WORDSIZE32 3049323471) : int32; + secret (@repr WORDSIZE32 3921009573) : int32; + secret (@repr WORDSIZE32 961987163) : int32; + secret (@repr WORDSIZE32 1508970993) : int32; + secret (@repr WORDSIZE32 2453635748) : int32; + secret (@repr WORDSIZE32 2870763221) : int32; + secret (@repr WORDSIZE32 3624381080) : int32; + secret (@repr WORDSIZE32 310598401) : int32; + secret (@repr WORDSIZE32 607225278) : int32; + secret (@repr WORDSIZE32 1426881987) : int32; + secret (@repr WORDSIZE32 1925078388) : int32; + secret (@repr WORDSIZE32 2162078206) : int32; + secret (@repr WORDSIZE32 2614888103) : int32; + secret (@repr WORDSIZE32 3248222580) : int32; + secret (@repr WORDSIZE32 3835390401) : int32; + secret (@repr WORDSIZE32 4022224774) : int32; + secret (@repr WORDSIZE32 264347078) : int32; + secret (@repr WORDSIZE32 604807628) : int32; + secret (@repr WORDSIZE32 770255983) : int32; + secret (@repr WORDSIZE32 1249150122) : int32; + secret (@repr WORDSIZE32 1555081692) : int32; + secret (@repr WORDSIZE32 1996064986) : int32; + secret (@repr WORDSIZE32 2554220882) : int32; + secret (@repr WORDSIZE32 2821834349) : int32; + secret (@repr WORDSIZE32 2952996808) : int32; + secret (@repr WORDSIZE32 3210313671) : int32; + secret (@repr WORDSIZE32 3336571891) : int32; + secret (@repr WORDSIZE32 3584528711) : int32; + secret (@repr WORDSIZE32 113926993) : int32; + secret (@repr WORDSIZE32 338241895) : int32; + secret (@repr WORDSIZE32 666307205) : int32; + secret (@repr WORDSIZE32 773529912) : int32; + secret (@repr WORDSIZE32 1294757372) : int32; + secret (@repr WORDSIZE32 1396182291) : int32; + secret (@repr WORDSIZE32 1695183700) : int32; + secret (@repr WORDSIZE32 1986661051) : int32; + secret (@repr WORDSIZE32 2177026350) : int32; + secret (@repr WORDSIZE32 2456956037) : int32; + secret (@repr WORDSIZE32 2730485921) : int32; + secret (@repr WORDSIZE32 2820302411) : int32; + secret (@repr WORDSIZE32 3259730800) : int32; + secret (@repr WORDSIZE32 3345764771) : int32; + secret (@repr WORDSIZE32 3516065817) : int32; + secret (@repr WORDSIZE32 3600352804) : int32; + secret (@repr WORDSIZE32 4094571909) : int32; + secret (@repr WORDSIZE32 275423344) : int32; + secret (@repr WORDSIZE32 430227734) : int32; + secret (@repr WORDSIZE32 506948616) : int32; + secret (@repr WORDSIZE32 659060556) : int32; + secret (@repr WORDSIZE32 883997877) : int32; + secret (@repr WORDSIZE32 958139571) : int32; + secret (@repr WORDSIZE32 1322822218) : int32; + secret (@repr WORDSIZE32 1537002063) : int32; + secret (@repr WORDSIZE32 1747873779) : int32; + secret (@repr WORDSIZE32 1955562222) : int32; + secret (@repr WORDSIZE32 2024104815) : int32; + secret (@repr WORDSIZE32 2227730452) : int32; + secret (@repr WORDSIZE32 2361852424) : int32; + secret (@repr WORDSIZE32 2428436474) : int32; + secret (@repr WORDSIZE32 2756734187) : int32; + secret (@repr WORDSIZE32 3204031479) : int32; + secret (@repr WORDSIZE32 3329325298) : int32 + ] in l). + +Definition hash_init_v : hash_t := + array_from_list uint32 (let l := + [ + secret (@repr WORDSIZE32 1779033703) : int32; + secret (@repr WORDSIZE32 3144134277) : int32; + secret (@repr WORDSIZE32 1013904242) : int32; + secret (@repr WORDSIZE32 2773480762) : int32; + secret (@repr WORDSIZE32 1359893119) : int32; + secret (@repr WORDSIZE32 2600822924) : int32; + secret (@repr WORDSIZE32 528734635) : int32; + secret (@repr WORDSIZE32 1541459225) : int32 + ] in l). + +Definition sigma + (x_669 : uint32) + (i_670 : uint_size) + (op_671 : uint_size) + : uint32 := + let tmp_672 : uint32 := + uint32_rotate_right (x_669) (array_index (op_table_v) (((usize 3) * ( + i_670)) + (usize 2))) in + let '(tmp_672) := + if (op_671) =.? (usize 0):bool then (let tmp_672 := + (x_669) shift_right (array_index (op_table_v) (((usize 3) * (i_670)) + ( + usize 2))) in + (tmp_672)) else ((tmp_672)) in + ((uint32_rotate_right (x_669) (array_index (op_table_v) ((usize 3) * ( + i_670)))) .^ (uint32_rotate_right (x_669) (array_index ( + op_table_v) (((usize 3) * (i_670)) + (usize 1))))) .^ (tmp_672). + +Definition schedule (block_673 : block_t) : round_constants_table_t := + let b_674 : seq uint32 := + array_to_be_uint32s (block_673) in + let s_675 : round_constants_table_t := + array_new_ (default) (k_size_v) in + let s_675 := + foldi (usize 0) (k_size_v) (fun i_676 s_675 => + let '(s_675) := + if (i_676) <.? (usize 16):bool then (let s_675 := + array_upd s_675 (i_676) (seq_index (b_674) (i_676)) in + (s_675)) else (let t16_677 : uint32 := + array_index (s_675) ((i_676) - (usize 16)) in + let t15_678 : uint32 := + array_index (s_675) ((i_676) - (usize 15)) in + let t7_679 : uint32 := + array_index (s_675) ((i_676) - (usize 7)) in + let t2_680 : uint32 := + array_index (s_675) ((i_676) - (usize 2)) in + let s1_681 : uint32 := + sigma (t2_680) (usize 3) (usize 0) in + let s0_682 : uint32 := + sigma (t15_678) (usize 2) (usize 0) in + let s_675 := + array_upd s_675 (i_676) ((((s1_681) .+ (t7_679)) .+ (s0_682)) .+ ( + t16_677)) in + (s_675)) in + (s_675)) + s_675 in + s_675. + +Definition shuffle + (ws_683 : round_constants_table_t) + (hashi_684 : hash_t) + : hash_t := + let h_685 : hash_t := + hashi_684 in + let h_685 := + foldi (usize 0) (k_size_v) (fun i_686 h_685 => + let a0_687 : uint32 := + array_index (h_685) (usize 0) in + let b0_688 : uint32 := + array_index (h_685) (usize 1) in + let c0_689 : uint32 := + array_index (h_685) (usize 2) in + let d0_690 : uint32 := + array_index (h_685) (usize 3) in + let e0_691 : uint32 := + array_index (h_685) (usize 4) in + let f0_692 : uint32 := + array_index (h_685) (usize 5) in + let g0_693 : uint32 := + array_index (h_685) (usize 6) in + let h0_694 : uint32 := + array_index (h_685) (usize 7) in + let t1_695 : uint32 := + ((((h0_694) .+ (sigma (e0_691) (usize 1) (usize 1))) .+ (ch (e0_691) ( + f0_692) (g0_693))) .+ (array_index (k_table_v) (i_686))) .+ ( + array_index (ws_683) (i_686)) in + let t2_696 : uint32 := + (sigma (a0_687) (usize 0) (usize 1)) .+ (maj (a0_687) (b0_688) ( + c0_689)) in + let h_685 := + array_upd h_685 (usize 0) ((t1_695) .+ (t2_696)) in + let h_685 := + array_upd h_685 (usize 1) (a0_687) in + let h_685 := + array_upd h_685 (usize 2) (b0_688) in + let h_685 := + array_upd h_685 (usize 3) (c0_689) in + let h_685 := + array_upd h_685 (usize 4) ((d0_690) .+ (t1_695)) in + let h_685 := + array_upd h_685 (usize 5) (e0_691) in + let h_685 := + array_upd h_685 (usize 6) (f0_692) in + let h_685 := + array_upd h_685 (usize 7) (g0_693) in + (h_685)) + h_685 in + h_685. + +Definition compress (block_697 : block_t) (h_in_698 : hash_t) : hash_t := + let s_699 : round_constants_table_t := + schedule (block_697) in + let h_700 : hash_t := + shuffle (s_699) (h_in_698) in + let h_700 := + foldi (usize 0) (usize 8) (fun i_701 h_700 => + let h_700 := + array_upd h_700 (i_701) ((array_index (h_700) (i_701)) .+ (array_index ( + h_in_698) (i_701))) in + (h_700)) + h_700 in + h_700. + +Definition hash (msg_702 : byte_seq) : sha256_digest_t := + let h_703 : hash_t := + hash_init_v in + let last_block_704 : block_t := + array_new_ (default) (block_size_v) in + let last_block_len_705 : uint_size := + usize 0 in + let '(h_703, last_block_704, last_block_len_705) := + foldi (usize 0) (seq_num_chunks (msg_702) (block_size_v)) (fun i_706 '( + h_703, + last_block_704, + last_block_len_705 + ) => + let '(block_len_707, block_708) := + seq_get_chunk (msg_702) (block_size_v) (i_706) in + let '(h_703, last_block_704, last_block_len_705) := + if (block_len_707) <.? (block_size_v):bool then (let last_block_704 := + array_update_start (array_new_ (default) (block_size_v)) ( + block_708) in + let last_block_len_705 := + block_len_707 in + (h_703, last_block_704, last_block_len_705)) else ( + let compress_input_709 : block_t := + array_from_seq (block_size_v) (block_708) in + let h_703 := + compress (compress_input_709) (h_703) in + (h_703, last_block_704, last_block_len_705)) in + (h_703, last_block_704, last_block_len_705)) + (h_703, last_block_704, last_block_len_705) in + let last_block_704 := + array_upd last_block_704 (last_block_len_705) (secret ( + @repr WORDSIZE8 128) : int8) in + let len_bist_710 : uint64 := + secret (pub_u64 ((seq_len (msg_702)) * (usize 8))) : int64 in + let '(h_703, last_block_704) := + if (last_block_len_705) <.? ((block_size_v) - (len_size_v)):bool then ( + let last_block_704 := + array_update (last_block_704) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint64_to_be_bytes (len_bist_710))) in + let h_703 := + compress (last_block_704) (h_703) in + (h_703, last_block_704)) else (let pad_block_711 : block_t := + array_new_ (default) (block_size_v) in + let pad_block_711 := + array_update (pad_block_711) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint64_to_be_bytes (len_bist_710))) in + let h_703 := + compress (last_block_704) (h_703) in + let h_703 := + compress (pad_block_711) (h_703) in + (h_703, last_block_704)) in + array_from_seq (hash_size_v) (array_to_be_bytes (h_703)). + +Definition sha256 (msg_712 : byte_seq) : sha256_digest_t := + hash (msg_712). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Sha3.v b/proof-libs/coq/src/_vc/Hacspec_Sha3.v new file mode 100644 index 000000000..f05ba459c --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Sha3.v @@ -0,0 +1,350 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition rounds_v : uint_size := + usize 24. + +Definition sha3224_rate_v : uint_size := + usize 144. + +Definition sha3256_rate_v : uint_size := + usize 136. + +Definition sha3384_rate_v : uint_size := + usize 104. + +Definition sha3512_rate_v : uint_size := + usize 72. + +Definition shake128_rate_v : uint_size := + usize 168. + +Definition shake256_rate_v : uint_size := + usize 136. + +Definition state_t := nseq (uint64) (usize 25). + +Definition row_t := nseq (uint64) (usize 5). + +Definition digest224_t := nseq (uint8) (usize 28). + +Definition digest256_t := nseq (uint8) (usize 32). + +Definition digest384_t := nseq (uint8) (usize 48). + +Definition digest512_t := nseq (uint8) (usize 64). + +Definition round_constants_t := nseq (int64) (rounds_v). + +Definition rotation_constants_t := nseq (uint_size) (usize 25). + +Definition roundconstants_v : round_constants_t := + array_from_list int64 (let l := + [ + @repr WORDSIZE64 1; + @repr WORDSIZE64 32898; + @repr WORDSIZE64 9223372036854808714; + @repr WORDSIZE64 9223372039002292224; + @repr WORDSIZE64 32907; + @repr WORDSIZE64 2147483649; + @repr WORDSIZE64 9223372039002292353; + @repr WORDSIZE64 9223372036854808585; + @repr WORDSIZE64 138; + @repr WORDSIZE64 136; + @repr WORDSIZE64 2147516425; + @repr WORDSIZE64 2147483658; + @repr WORDSIZE64 2147516555; + @repr WORDSIZE64 9223372036854775947; + @repr WORDSIZE64 9223372036854808713; + @repr WORDSIZE64 9223372036854808579; + @repr WORDSIZE64 9223372036854808578; + @repr WORDSIZE64 9223372036854775936; + @repr WORDSIZE64 32778; + @repr WORDSIZE64 9223372039002259466; + @repr WORDSIZE64 9223372039002292353; + @repr WORDSIZE64 9223372036854808704; + @repr WORDSIZE64 2147483649; + @repr WORDSIZE64 9223372039002292232 + ] in l). + +Definition rotc_v : rotation_constants_t := + array_from_list uint_size (let l := + [ + usize 0; + usize 1; + usize 62; + usize 28; + usize 27; + usize 36; + usize 44; + usize 6; + usize 55; + usize 20; + usize 3; + usize 10; + usize 43; + usize 25; + usize 39; + usize 41; + usize 45; + usize 15; + usize 21; + usize 8; + usize 18; + usize 2; + usize 61; + usize 56; + usize 14 + ] in l). + +Definition pi_v : rotation_constants_t := + array_from_list uint_size (let l := + [ + usize 0; + usize 6; + usize 12; + usize 18; + usize 24; + usize 3; + usize 9; + usize 10; + usize 16; + usize 22; + usize 1; + usize 7; + usize 13; + usize 19; + usize 20; + usize 4; + usize 5; + usize 11; + usize 17; + usize 23; + usize 2; + usize 8; + usize 14; + usize 15; + usize 21 + ] in l). + +Definition theta (s_855 : state_t) : state_t := + let b_856 : row_t := + array_new_ (default) (5) in + let b_856 := + foldi (usize 0) (usize 5) (fun i_857 b_856 => + let b_856 := + array_upd b_856 (i_857) (((((array_index (s_855) (i_857)) .^ ( + array_index (s_855) ((i_857) + (usize 5)))) .^ (array_index ( + s_855) ((i_857) + (usize 10)))) .^ (array_index (s_855) (( + i_857) + (usize 15)))) .^ (array_index (s_855) ((i_857) + ( + usize 20)))) in + (b_856)) + b_856 in + let s_855 := + foldi (usize 0) (usize 5) (fun i_858 s_855 => + let u_859 : uint64 := + array_index (b_856) (((i_858) + (usize 1)) %% (usize 5)) in + let t_860 : uint64 := + (array_index (b_856) (((i_858) + (usize 4)) %% (usize 5))) .^ ( + uint64_rotate_left (u_859) (usize 1)) in + let s_855 := + foldi (usize 0) (usize 5) (fun j_861 s_855 => + let s_855 := + array_upd s_855 (((usize 5) * (j_861)) + (i_858)) ((array_index ( + s_855) (((usize 5) * (j_861)) + (i_858))) .^ (t_860)) in + (s_855)) + s_855 in + (s_855)) + s_855 in + s_855. + +Definition rho (s_862 : state_t) : state_t := + let s_862 := + foldi (usize 0) (usize 25) (fun i_863 s_862 => + let u_864 : uint64 := + array_index (s_862) (i_863) in + let s_862 := + array_upd s_862 (i_863) (uint64_rotate_left (u_864) (array_index ( + rotc_v) (i_863))) in + (s_862)) + s_862 in + s_862. + +Definition pi (s_865 : state_t) : state_t := + let v_866 : state_t := + array_new_ (default) (25) in + let v_866 := + foldi (usize 0) (usize 25) (fun i_867 v_866 => + let v_866 := + array_upd v_866 (i_867) (array_index (s_865) (array_index (pi_v) ( + i_867))) in + (v_866)) + v_866 in + v_866. + +Definition chi (s_868 : state_t) : state_t := + let b_869 : row_t := + array_new_ (default) (5) in + let '(s_868, b_869) := + foldi (usize 0) (usize 5) (fun i_870 '(s_868, b_869) => + let b_869 := + foldi (usize 0) (usize 5) (fun j_871 b_869 => + let b_869 := + array_upd b_869 (j_871) (array_index (s_868) (((usize 5) * ( + i_870)) + (j_871))) in + (b_869)) + b_869 in + let s_868 := + foldi (usize 0) (usize 5) (fun j_872 s_868 => + let u_873 : uint64 := + array_index (b_869) (((j_872) + (usize 1)) %% (usize 5)) in + let s_868 := + array_upd s_868 (((usize 5) * (i_870)) + (j_872)) ((array_index ( + s_868) (((usize 5) * (i_870)) + (j_872))) .^ ((not ( + u_873)) .& (array_index (b_869) (((j_872) + (usize 2)) %% ( + usize 5))))) in + (s_868)) + s_868 in + (s_868, b_869)) + (s_868, b_869) in + s_868. + +Definition iota (s_874 : state_t) (rndconst_875 : int64) : state_t := + let s_874 := + array_upd s_874 (usize 0) ((array_index (s_874) (usize 0)) .^ ( + uint64_classify (rndconst_875))) in + s_874. + +Definition keccakf1600 (s_876 : state_t) : state_t := + let s_876 := + foldi (usize 0) (rounds_v) (fun i_877 s_876 => + let s_876 := + theta (s_876) in + let s_876 := + rho (s_876) in + let s_876 := + pi (s_876) in + let s_876 := + chi (s_876) in + let s_876 := + iota (s_876) (array_index (roundconstants_v) (i_877)) in + (s_876)) + s_876 in + s_876. + +Definition absorb_block (s_878 : state_t) (block_879 : byte_seq) : state_t := + let s_878 := + foldi (usize 0) (seq_len (block_879)) (fun i_880 s_878 => + let w_881 : uint_size := + (i_880) usize_shift_right (@repr WORDSIZE32 3) in + let o_882 : uint_size := + (usize 8) * ((i_880) .& (usize 7)) in + let s_878 := + array_upd s_878 (w_881) ((array_index (s_878) (w_881)) .^ (( + uint64_from_uint8 (seq_index (block_879) (i_880))) shift_left ( + o_882))) in + (s_878)) + s_878 in + keccakf1600 (s_878). + +Definition squeeze + (s_883 : state_t) + (nbytes_884 : uint_size) + (rate_885 : uint_size) + : byte_seq := + let out_886 : seq uint8 := + seq_new_ (default) (nbytes_884) in + let '(s_883, out_886) := + foldi (usize 0) (nbytes_884) (fun i_887 '(s_883, out_886) => + let pos_888 : uint_size := + (i_887) %% (rate_885) in + let w_889 : uint_size := + (pos_888) usize_shift_right (@repr WORDSIZE32 3) in + let o_890 : uint_size := + (usize 8) * ((pos_888) .& (usize 7)) in + let b_891 : uint64 := + ((array_index (s_883) (w_889)) shift_right (o_890)) .& ( + uint64_classify (@repr WORDSIZE64 255)) in + let out_886 := + seq_upd out_886 (i_887) (uint8_from_uint64 (b_891)) in + let '(s_883) := + if (((i_887) + (usize 1)) %% (rate_885)) =.? (usize 0):bool then ( + let s_883 := + keccakf1600 (s_883) in + (s_883)) else ((s_883)) in + (s_883, out_886)) + (s_883, out_886) in + out_886. + +Definition keccak + (rate_892 : uint_size) + (data_893 : byte_seq) + (p_894 : int8) + (outbytes_895 : uint_size) + : byte_seq := + let buf_896 : seq uint8 := + seq_new_ (default) (rate_892) in + let last_block_len_897 : uint_size := + usize 0 in + let s_898 : state_t := + array_new_ (default) (25) in + let '(buf_896, last_block_len_897, s_898) := + foldi (usize 0) (seq_num_chunks (data_893) (rate_892)) (fun i_899 '( + buf_896, + last_block_len_897, + s_898 + ) => + let '(block_len_900, block_901) := + seq_get_chunk (data_893) (rate_892) (i_899) in + let '(buf_896, last_block_len_897, s_898) := + if (block_len_900) =.? (rate_892):bool then (let s_898 := + absorb_block (s_898) (block_901) in + (buf_896, last_block_len_897, s_898)) else (let buf_896 := + seq_update_start (buf_896) (block_901) in + let last_block_len_897 := + block_len_900 in + (buf_896, last_block_len_897, s_898)) in + (buf_896, last_block_len_897, s_898)) + (buf_896, last_block_len_897, s_898) in + let buf_896 := + seq_upd buf_896 (last_block_len_897) (secret (p_894) : int8) in + let buf_896 := + seq_upd buf_896 ((rate_892) - (usize 1)) ((seq_index (buf_896) (( + rate_892) - (usize 1))) .| (secret ( + @repr WORDSIZE8 128) : int8)) in + let s_898 := + absorb_block (s_898) (buf_896) in + squeeze (s_898) (outbytes_895) (rate_892). + +Definition sha3224 (data_902 : byte_seq) : digest224_t := + let t_903 : seq uint8 := + keccak (sha3224_rate_v) (data_902) (@repr WORDSIZE8 6) (usize 28) in + array_from_seq (28) (t_903). + +Definition sha3256 (data_904 : byte_seq) : digest256_t := + let t_905 : seq uint8 := + keccak (sha3256_rate_v) (data_904) (@repr WORDSIZE8 6) (usize 32) in + array_from_seq (32) (t_905). + +Definition sha3384 (data_906 : byte_seq) : digest384_t := + let t_907 : seq uint8 := + keccak (sha3384_rate_v) (data_906) (@repr WORDSIZE8 6) (usize 48) in + array_from_seq (48) (t_907). + +Definition sha3512 (data_908 : byte_seq) : digest512_t := + let t_909 : seq uint8 := + keccak (sha3512_rate_v) (data_908) (@repr WORDSIZE8 6) (usize 64) in + array_from_seq (64) (t_909). + +Definition shake128 (data_910 : byte_seq) (outlen_911 : uint_size) : byte_seq := + keccak (shake128_rate_v) (data_910) (@repr WORDSIZE8 31) (outlen_911). + +Definition shake256 (data_912 : byte_seq) (outlen_913 : uint_size) : byte_seq := + keccak (shake256_rate_v) (data_912) (@repr WORDSIZE8 31) (outlen_913). + diff --git a/proof-libs/coq/src/_vc/Hacspec_Sha512.v b/proof-libs/coq/src/_vc/Hacspec_Sha512.v new file mode 100644 index 000000000..8bf4ac6ad --- /dev/null +++ b/proof-libs/coq/src/_vc/Hacspec_Sha512.v @@ -0,0 +1,320 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Definition block_size_v : uint_size := + usize 128. + +Definition len_size_v : uint_size := + usize 16. + +Definition k_size_v : uint_size := + usize 80. + +Definition hash_size_v : uint_size := + (usize 512) / (usize 8). + +Definition block_t := nseq (uint8) (block_size_v). + +Definition op_table_type_t := nseq (uint_size) (usize 12). + +Definition sha512_digest_t := nseq (uint8) (hash_size_v). + +Definition round_constants_table_t := nseq (uint64) (k_size_v). + +Definition hash_t := nseq (uint64) (usize 8). + +Definition ch (x_1897 : uint64) (y_1898 : uint64) (z_1899 : uint64) : uint64 := + ((x_1897) .& (y_1898)) .^ ((not (x_1897)) .& (z_1899)). + +Definition maj (x_1900 : uint64) (y_1901 : uint64) (z_1902 : uint64) : uint64 := + ((x_1900) .& (y_1901)) .^ (((x_1900) .& (z_1902)) .^ ((y_1901) .& (z_1902))). + +Definition op_table_v : op_table_type_t := + array_from_list uint_size (let l := + [ + usize 28; + usize 34; + usize 39; + usize 14; + usize 18; + usize 41; + usize 1; + usize 8; + usize 7; + usize 19; + usize 61; + usize 6 + ] in l). + +Definition k_table_v : round_constants_table_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 4794697086780616226) : int64; + secret (@repr WORDSIZE64 8158064640168781261) : int64; + secret (@repr WORDSIZE64 13096744586834688815) : int64; + secret (@repr WORDSIZE64 16840607885511220156) : int64; + secret (@repr WORDSIZE64 4131703408338449720) : int64; + secret (@repr WORDSIZE64 6480981068601479193) : int64; + secret (@repr WORDSIZE64 10538285296894168987) : int64; + secret (@repr WORDSIZE64 12329834152419229976) : int64; + secret (@repr WORDSIZE64 15566598209576043074) : int64; + secret (@repr WORDSIZE64 1334009975649890238) : int64; + secret (@repr WORDSIZE64 2608012711638119052) : int64; + secret (@repr WORDSIZE64 6128411473006802146) : int64; + secret (@repr WORDSIZE64 8268148722764581231) : int64; + secret (@repr WORDSIZE64 9286055187155687089) : int64; + secret (@repr WORDSIZE64 11230858885718282805) : int64; + secret (@repr WORDSIZE64 13951009754708518548) : int64; + secret (@repr WORDSIZE64 16472876342353939154) : int64; + secret (@repr WORDSIZE64 17275323862435702243) : int64; + secret (@repr WORDSIZE64 1135362057144423861) : int64; + secret (@repr WORDSIZE64 2597628984639134821) : int64; + secret (@repr WORDSIZE64 3308224258029322869) : int64; + secret (@repr WORDSIZE64 5365058923640841347) : int64; + secret (@repr WORDSIZE64 6679025012923562964) : int64; + secret (@repr WORDSIZE64 8573033837759648693) : int64; + secret (@repr WORDSIZE64 10970295158949994411) : int64; + secret (@repr WORDSIZE64 12119686244451234320) : int64; + secret (@repr WORDSIZE64 12683024718118986047) : int64; + secret (@repr WORDSIZE64 13788192230050041572) : int64; + secret (@repr WORDSIZE64 14330467153632333762) : int64; + secret (@repr WORDSIZE64 15395433587784984357) : int64; + secret (@repr WORDSIZE64 489312712824947311) : int64; + secret (@repr WORDSIZE64 1452737877330783856) : int64; + secret (@repr WORDSIZE64 2861767655752347644) : int64; + secret (@repr WORDSIZE64 3322285676063803686) : int64; + secret (@repr WORDSIZE64 5560940570517711597) : int64; + secret (@repr WORDSIZE64 5996557281743188959) : int64; + secret (@repr WORDSIZE64 7280758554555802590) : int64; + secret (@repr WORDSIZE64 8532644243296465576) : int64; + secret (@repr WORDSIZE64 9350256976987008742) : int64; + secret (@repr WORDSIZE64 10552545826968843579) : int64; + secret (@repr WORDSIZE64 11727347734174303076) : int64; + secret (@repr WORDSIZE64 12113106623233404929) : int64; + secret (@repr WORDSIZE64 14000437183269869457) : int64; + secret (@repr WORDSIZE64 14369950271660146224) : int64; + secret (@repr WORDSIZE64 15101387698204529176) : int64; + secret (@repr WORDSIZE64 15463397548674623760) : int64; + secret (@repr WORDSIZE64 17586052441742319658) : int64; + secret (@repr WORDSIZE64 1182934255886127544) : int64; + secret (@repr WORDSIZE64 1847814050463011016) : int64; + secret (@repr WORDSIZE64 2177327727835720531) : int64; + secret (@repr WORDSIZE64 2830643537854262169) : int64; + secret (@repr WORDSIZE64 3796741975233480872) : int64; + secret (@repr WORDSIZE64 4115178125766777443) : int64; + secret (@repr WORDSIZE64 5681478168544905931) : int64; + secret (@repr WORDSIZE64 6601373596472566643) : int64; + secret (@repr WORDSIZE64 7507060721942968483) : int64; + secret (@repr WORDSIZE64 8399075790359081724) : int64; + secret (@repr WORDSIZE64 8693463985226723168) : int64; + secret (@repr WORDSIZE64 9568029438360202098) : int64; + secret (@repr WORDSIZE64 10144078919501101548) : int64; + secret (@repr WORDSIZE64 10430055236837252648) : int64; + secret (@repr WORDSIZE64 11840083180663258601) : int64; + secret (@repr WORDSIZE64 13761210420658862357) : int64; + secret (@repr WORDSIZE64 14299343276471374635) : int64; + secret (@repr WORDSIZE64 14566680578165727644) : int64; + secret (@repr WORDSIZE64 15097957966210449927) : int64; + secret (@repr WORDSIZE64 16922976911328602910) : int64; + secret (@repr WORDSIZE64 17689382322260857208) : int64; + secret (@repr WORDSIZE64 500013540394364858) : int64; + secret (@repr WORDSIZE64 748580250866718886) : int64; + secret (@repr WORDSIZE64 1242879168328830382) : int64; + secret (@repr WORDSIZE64 1977374033974150939) : int64; + secret (@repr WORDSIZE64 2944078676154940804) : int64; + secret (@repr WORDSIZE64 3659926193048069267) : int64; + secret (@repr WORDSIZE64 4368137639120453308) : int64; + secret (@repr WORDSIZE64 4836135668995329356) : int64; + secret (@repr WORDSIZE64 5532061633213252278) : int64; + secret (@repr WORDSIZE64 6448918945643986474) : int64; + secret (@repr WORDSIZE64 6902733635092675308) : int64; + secret (@repr WORDSIZE64 7801388544844847127) : int64 + ] in l). + +Definition hash_init_v : hash_t := + array_from_list uint64 (let l := + [ + secret (@repr WORDSIZE64 7640891576956012808) : int64; + secret (@repr WORDSIZE64 13503953896175478587) : int64; + secret (@repr WORDSIZE64 4354685564936845355) : int64; + secret (@repr WORDSIZE64 11912009170470909681) : int64; + secret (@repr WORDSIZE64 5840696475078001361) : int64; + secret (@repr WORDSIZE64 11170449401992604703) : int64; + secret (@repr WORDSIZE64 2270897969802886507) : int64; + secret (@repr WORDSIZE64 6620516959819538809) : int64 + ] in l). + +Definition sigma + (x_1903 : uint64) + (i_1904 : uint_size) + (op_1905 : uint_size) + : uint64 := + let tmp_1906 : uint64 := + uint64_rotate_right (x_1903) (array_index (op_table_v) (((usize 3) * ( + i_1904)) + (usize 2))) in + let '(tmp_1906) := + if (op_1905) =.? (usize 0):bool then (let tmp_1906 := + (x_1903) shift_right (array_index (op_table_v) (((usize 3) * ( + i_1904)) + (usize 2))) in + (tmp_1906)) else ((tmp_1906)) in + ((uint64_rotate_right (x_1903) (array_index (op_table_v) ((usize 3) * ( + i_1904)))) .^ (uint64_rotate_right (x_1903) (array_index ( + op_table_v) (((usize 3) * (i_1904)) + (usize 1))))) .^ (tmp_1906). + +Definition schedule (block_1907 : block_t) : round_constants_table_t := + let b_1908 : seq uint64 := + array_to_be_uint64s (block_1907) in + let s_1909 : round_constants_table_t := + array_new_ (default) (k_size_v) in + let s_1909 := + foldi (usize 0) (k_size_v) (fun i_1910 s_1909 => + let '(s_1909) := + if (i_1910) <.? (usize 16):bool then (let s_1909 := + array_upd s_1909 (i_1910) (seq_index (b_1908) (i_1910)) in + (s_1909)) else (let t16_1911 : uint64 := + array_index (s_1909) ((i_1910) - (usize 16)) in + let t15_1912 : uint64 := + array_index (s_1909) ((i_1910) - (usize 15)) in + let t7_1913 : uint64 := + array_index (s_1909) ((i_1910) - (usize 7)) in + let t2_1914 : uint64 := + array_index (s_1909) ((i_1910) - (usize 2)) in + let s1_1915 : uint64 := + sigma (t2_1914) (usize 3) (usize 0) in + let s0_1916 : uint64 := + sigma (t15_1912) (usize 2) (usize 0) in + let s_1909 := + array_upd s_1909 (i_1910) ((((s1_1915) .+ (t7_1913)) .+ ( + s0_1916)) .+ (t16_1911)) in + (s_1909)) in + (s_1909)) + s_1909 in + s_1909. + +Definition shuffle + (ws_1917 : round_constants_table_t) + (hashi_1918 : hash_t) + : hash_t := + let h_1919 : hash_t := + hashi_1918 in + let h_1919 := + foldi (usize 0) (k_size_v) (fun i_1920 h_1919 => + let a0_1921 : uint64 := + array_index (h_1919) (usize 0) in + let b0_1922 : uint64 := + array_index (h_1919) (usize 1) in + let c0_1923 : uint64 := + array_index (h_1919) (usize 2) in + let d0_1924 : uint64 := + array_index (h_1919) (usize 3) in + let e0_1925 : uint64 := + array_index (h_1919) (usize 4) in + let f0_1926 : uint64 := + array_index (h_1919) (usize 5) in + let g0_1927 : uint64 := + array_index (h_1919) (usize 6) in + let h0_1928 : uint64 := + array_index (h_1919) (usize 7) in + let t1_1929 : uint64 := + ((((h0_1928) .+ (sigma (e0_1925) (usize 1) (usize 1))) .+ (ch ( + e0_1925) (f0_1926) (g0_1927))) .+ (array_index (k_table_v) ( + i_1920))) .+ (array_index (ws_1917) (i_1920)) in + let t2_1930 : uint64 := + (sigma (a0_1921) (usize 0) (usize 1)) .+ (maj (a0_1921) (b0_1922) ( + c0_1923)) in + let h_1919 := + array_upd h_1919 (usize 0) ((t1_1929) .+ (t2_1930)) in + let h_1919 := + array_upd h_1919 (usize 1) (a0_1921) in + let h_1919 := + array_upd h_1919 (usize 2) (b0_1922) in + let h_1919 := + array_upd h_1919 (usize 3) (c0_1923) in + let h_1919 := + array_upd h_1919 (usize 4) ((d0_1924) .+ (t1_1929)) in + let h_1919 := + array_upd h_1919 (usize 5) (e0_1925) in + let h_1919 := + array_upd h_1919 (usize 6) (f0_1926) in + let h_1919 := + array_upd h_1919 (usize 7) (g0_1927) in + (h_1919)) + h_1919 in + h_1919. + +Definition compress (block_1931 : block_t) (h_in_1932 : hash_t) : hash_t := + let s_1933 : round_constants_table_t := + schedule (block_1931) in + let h_1934 : hash_t := + shuffle (s_1933) (h_in_1932) in + let h_1934 := + foldi (usize 0) (usize 8) (fun i_1935 h_1934 => + let h_1934 := + array_upd h_1934 (i_1935) ((array_index (h_1934) (i_1935)) .+ ( + array_index (h_in_1932) (i_1935))) in + (h_1934)) + h_1934 in + h_1934. + +Definition hash (msg_1936 : byte_seq) : sha512_digest_t := + let h_1937 : hash_t := + hash_init_v in + let last_block_1938 : block_t := + array_new_ (default) (block_size_v) in + let last_block_len_1939 : uint_size := + usize 0 in + let '(h_1937, last_block_1938, last_block_len_1939) := + foldi (usize 0) (seq_num_chunks (msg_1936) (block_size_v)) (fun i_1940 '( + h_1937, + last_block_1938, + last_block_len_1939 + ) => + let '(block_len_1941, block_1942) := + seq_get_chunk (msg_1936) (block_size_v) (i_1940) in + let '(h_1937, last_block_1938, last_block_len_1939) := + if (block_len_1941) <.? (block_size_v):bool then (let last_block_1938 := + array_update_start (array_new_ (default) (block_size_v)) ( + block_1942) in + let last_block_len_1939 := + block_len_1941 in + (h_1937, last_block_1938, last_block_len_1939)) else ( + let compress_input_1943 : block_t := + array_from_seq (block_size_v) (block_1942) in + let h_1937 := + compress (compress_input_1943) (h_1937) in + (h_1937, last_block_1938, last_block_len_1939)) in + (h_1937, last_block_1938, last_block_len_1939)) + (h_1937, last_block_1938, last_block_len_1939) in + let last_block_1938 := + array_upd last_block_1938 (last_block_len_1939) (secret ( + @repr WORDSIZE8 128) : int8) in + let len_bist_1944 : uint128 := + secret (pub_u128 ((seq_len (msg_1936)) * (usize 8))) : int128 in + let '(h_1937, last_block_1938) := + if (last_block_len_1939) <.? ((block_size_v) - (len_size_v)):bool then ( + let last_block_1938 := + array_update (last_block_1938) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint128_to_be_bytes (len_bist_1944))) in + let h_1937 := + compress (last_block_1938) (h_1937) in + (h_1937, last_block_1938)) else (let pad_block_1945 : block_t := + array_new_ (default) (block_size_v) in + let pad_block_1945 := + array_update (pad_block_1945) ((block_size_v) - (len_size_v)) ( + array_to_seq (uint128_to_be_bytes (len_bist_1944))) in + let h_1937 := + compress (last_block_1938) (h_1937) in + let h_1937 := + compress (pad_block_1945) (h_1937) in + (h_1937, last_block_1938)) in + array_from_seq (hash_size_v) (array_to_be_bytes (h_1937)). + +Definition sha512 (msg_1946 : byte_seq) : sha512_digest_t := + hash (msg_1946). + diff --git a/proof-libs/coq/src/_vc/Tls_Cryptolib.v b/proof-libs/coq/src/_vc/Tls_Cryptolib.v new file mode 100644 index 000000000..b602649a3 --- /dev/null +++ b/proof-libs/coq/src/_vc/Tls_Cryptolib.v @@ -0,0 +1,670 @@ +(** This file was automatically generated using Hacspec **) +Require Import Hacspec_Lib MachineIntegers. +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. +Open Scope hacspec_scope. +Require Import Hacspec_Lib. + +Require Import Hacspec_Aes. + +Require Import Hacspec_Aes128_Gcm. + +Require Import Hacspec_Chacha20. + +Require Import Hacspec_Chacha20poly1305. + +Require Import Hacspec_Curve25519. + +Require Import Hacspec_Ecdsa_P256_Sha256. + +Require Import Hacspec_Gf128. + +Require Import Hacspec_Hkdf. + +Require Import Hacspec_Hmac. + +Require Import Hacspec_P256. + +Require Import Hacspec_Poly1305. + +Require Import Hacspec_Sha256. + +Inductive crypto_error_t := +| CryptoError : crypto_error_t +| HkdfError : crypto_error_t +| InsufficientEntropy : crypto_error_t +| InvalidCert : crypto_error_t +| MacFailed : crypto_error_t +| UnsupportedAlgorithm : crypto_error_t +| VerifyFailed : crypto_error_t. + +Definition empty : byte_seq := + seq_new_ (default) (usize 0). + +Definition zeros (u_0 : uint_size) : byte_seq := + seq_new_ (default) (u_0). + +Notation "'entropy_t'" := (byte_seq) : hacspec_scope. + +Definition random_t := nseq (uint8) (usize 32). + +Notation "'dh_sk_t'" := (byte_seq) : hacspec_scope. + +Notation "'dh_pk_t'" := (byte_seq) : hacspec_scope. + +Notation "'signature_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'verification_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'mac_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_key_t'" := (byte_seq) : hacspec_scope. + +Notation "'key_t'" := (byte_seq) : hacspec_scope. + +Notation "'psk_t'" := (key_t) : hacspec_scope. + +Notation "'digest_t'" := (byte_seq) : hacspec_scope. + +Notation "'hmac_t'" := (byte_seq) : hacspec_scope. + +Notation "'signature_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_iv_t'" := (byte_seq) : hacspec_scope. + +Notation "'aead_key_iv_t'" := ((aead_key_t × aead_iv_t)) : hacspec_scope. + +Inductive named_group_t := +| X25519 : named_group_t +| Secp256r1 : named_group_t. + +Definition eqb_named_group_t (x y : named_group_t) : bool := +match x with + | X25519 => match y with | X25519=> true | _ => false end + | Secp256r1 => match y with | Secp256r1=> true | _ => false end + end. + +Definition eqb_leibniz_named_group_t (x y : named_group_t) : eqb_named_group_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_named_group_t : EqDec (named_group_t) := +Build_EqDec (named_group_t) (eqb_named_group_t) (eqb_leibniz_named_group_t). + + +Inductive hash_algorithm_t := +| SHA256 : hash_algorithm_t +| SHA384 : hash_algorithm_t. + +Definition eqb_hash_algorithm_t (x y : hash_algorithm_t) : bool := +match x with + | SHA256 => match y with | SHA256=> true | _ => false end + | SHA384 => match y with | SHA384=> true | _ => false end + end. + +Definition eqb_leibniz_hash_algorithm_t (x y : hash_algorithm_t) : eqb_hash_algorithm_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_hash_algorithm_t : EqDec (hash_algorithm_t) := +Build_EqDec (hash_algorithm_t) (eqb_hash_algorithm_t) (eqb_leibniz_hash_algorithm_t). + + +Inductive aead_algorithm_t := +| Chacha20Poly1305 : aead_algorithm_t +| Aes128Gcm : aead_algorithm_t +| Aes256Gcm : aead_algorithm_t. + +Definition eqb_aead_algorithm_t (x y : aead_algorithm_t) : bool := +match x with + | Chacha20Poly1305 => match y with | Chacha20Poly1305=> true | _ => false end + | Aes128Gcm => match y with | Aes128Gcm=> true | _ => false end + | Aes256Gcm => match y with | Aes256Gcm=> true | _ => false end + end. + +Definition eqb_leibniz_aead_algorithm_t (x y : aead_algorithm_t) : eqb_aead_algorithm_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_aead_algorithm_t : EqDec (aead_algorithm_t) := +Build_EqDec (aead_algorithm_t) (eqb_aead_algorithm_t) (eqb_leibniz_aead_algorithm_t). + + +Inductive signature_scheme_t := +| ED25519 : signature_scheme_t +| EcdsaSecp256r1Sha256 : signature_scheme_t +| RsaPssRsaSha256 : signature_scheme_t. + +Definition eqb_signature_scheme_t (x y : signature_scheme_t) : bool := +match x with + | ED25519 => match y with | ED25519=> true | _ => false end + | EcdsaSecp256r1Sha256 => + match y with + | EcdsaSecp256r1Sha256=> true + | _ => false + end + | RsaPssRsaSha256 => match y with | RsaPssRsaSha256=> true | _ => false end + end. + +Definition eqb_leibniz_signature_scheme_t (x y : signature_scheme_t) : eqb_signature_scheme_t x y = true <-> x = y. +Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. + +Instance eq_dec_signature_scheme_t : EqDec (signature_scheme_t) := +Build_EqDec (signature_scheme_t) (eqb_signature_scheme_t) (eqb_leibniz_signature_scheme_t). + + +Definition hash_len (ha_1 : hash_algorithm_t) : uint_size := + match ha_1 with | SHA256 => usize 32 | SHA384 => usize 48 end. + +Definition hmac_key_len (ha_2 : hash_algorithm_t) : uint_size := + match ha_2 with | SHA256 => usize 32 | SHA384 => usize 48 end. + +Definition ae_key_len (ae_3 : aead_algorithm_t) : uint_size := + match ae_3 with + | Chacha20Poly1305 => usize 32 + | Aes128Gcm => usize 16 + | Aes256Gcm => usize 16 + end. + +Definition ae_iv_len (ae_4 : aead_algorithm_t) : uint_size := + match ae_4 with + | Chacha20Poly1305 => usize 12 + | Aes128Gcm => usize 12 + | Aes256Gcm => usize 12 + end. + +Definition dh_priv_len (gn_5 : named_group_t) : uint_size := + match gn_5 with | X25519 => usize 32 | Secp256r1 => usize 32 end. + +Definition dh_pub_len (gn_6 : named_group_t) : uint_size := + match gn_6 with | X25519 => usize 32 | Secp256r1 => usize 64 end. + +Definition zero_key (ha_7 : hash_algorithm_t) : key_t := + seq_new_ (default) (usize (hash_len (ha_7))). + +Definition secret_to_public + (group_name_8 : named_group_t) + (x_9 : dh_sk_t) + : (result dh_pk_t crypto_error_t) := + match group_name_8 with + | Secp256r1 => match p256_point_mul_base (nat_mod_from_byte_seq_be ( + x_9) : p256_scalar_t) with + | Ok (x_10, y_11) => @Ok dh_pk_t crypto_error_t (seq_concat ( + nat_mod_to_byte_seq_be (x_10)) (nat_mod_to_byte_seq_be (y_11))) + | Err _ => @Err dh_pk_t crypto_error_t (CryptoError) + end + | X25519 => @Ok dh_pk_t crypto_error_t (seq_from_seq ( + array_to_seq (x25519_secret_to_public (array_from_seq (32) (x_9))))) + end. + +Definition p256_check_point_len + (p_12 : dh_pk_t) + : (result unit crypto_error_t) := + (if ((seq_len (p_12)) !=.? (usize 64)):bool then (@Err unit crypto_error_t ( + CryptoError)) else (@Ok unit crypto_error_t (tt))). + +Definition p256_ecdh + (x_13 : dh_sk_t) + (y_14 : dh_pk_t) + : (result key_t crypto_error_t) := + bind (p256_check_point_len (y_14)) (fun _ => let pk_15 : ( + p256_field_element_t × + p256_field_element_t + ) := + ( + nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 0, usize 32 + ))) : p256_field_element_t, + nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 32, usize 64 + ))) : p256_field_element_t + ) in + match p256_point_mul (nat_mod_from_byte_seq_be (x_13) : p256_scalar_t) ( + pk_15) with + | Ok (x_16, y_17) => @Ok key_t crypto_error_t (seq_concat ( + nat_mod_to_byte_seq_be (x_16)) (nat_mod_to_byte_seq_be (y_17))) + | Err _ => @Err key_t crypto_error_t (CryptoError) + end). + +Definition ecdh + (group_name_18 : named_group_t) + (x_19 : dh_sk_t) + (y_20 : dh_pk_t) + : (result key_t crypto_error_t) := + match group_name_18 with + | Secp256r1 => p256_ecdh (x_19) (y_20) + | X25519 => @Ok key_t crypto_error_t (seq_from_seq ( + array_to_seq (x25519_scalarmult (array_from_seq (32) (x_19)) ( + array_from_seq (32) (y_20))))) + end. + +Notation "'kem_scheme_t'" := (named_group_t) : hacspec_scope. + +Notation "'kem_sk_t'" := (byte_seq) : hacspec_scope. + +Notation "'kem_pk_t'" := (byte_seq) : hacspec_scope. + +Definition kem_priv_len (ks_21 : kem_scheme_t) : uint_size := + dh_priv_len (ks_21). + +Definition kem_pub_len (ks_22 : kem_scheme_t) : uint_size := + dh_pub_len (ks_22). + +Definition kem_priv_to_pub + (ks_23 : kem_scheme_t) + (sk_24 : kem_sk_t) + : (result kem_pk_t crypto_error_t) := + secret_to_public (ks_23) (sk_24). + +Definition kem_keygen_inner + (ks_25 : kem_scheme_t) + (ent_26 : entropy_t) + : (result (kem_sk_t × kem_pk_t) crypto_error_t) := + let sk_27 : seq uint8 := + seq_from_seq (seq_slice_range (ent_26) ((usize 0, dh_priv_len (ks_25)))) in + bind (kem_priv_to_pub (ks_25) (sk_27)) (fun pk_28 => @Ok (kem_sk_t × kem_pk_t + ) crypto_error_t ((sk_27, pk_28))). + +Definition kem_keygen + (ks_29 : kem_scheme_t) + (ent_30 : entropy_t) + : (result (kem_sk_t × kem_pk_t) crypto_error_t) := + (if ((seq_len (ent_30)) <.? (dh_priv_len (ks_29))):bool then (@Err ( + kem_sk_t × + kem_pk_t + ) crypto_error_t (InsufficientEntropy)) else (kem_keygen_inner (ks_29) ( + ent_30))). + +Definition kem_encap + (ks_31 : kem_scheme_t) + (pk_32 : kem_pk_t) + (ent_33 : entropy_t) + : (result (key_t × byte_seq) crypto_error_t) := + bind (kem_keygen (ks_31) (ent_33)) (fun '(x_34, gx_35) => bind (ecdh (ks_31) ( + x_34) (pk_32)) (fun gxy_36 => @Ok (key_t × byte_seq) crypto_error_t (( + gxy_36, + gx_35 + )))). + +Definition kem_decap + (ks_37 : kem_scheme_t) + (ct_38 : byte_seq) + (sk_39 : kem_sk_t) + : (result key_t crypto_error_t) := + bind (ecdh (ks_37) (sk_39) (ct_38)) (fun gxy_40 => @Ok key_t crypto_error_t ( + gxy_40)). + +Definition hash + (ha_41 : hash_algorithm_t) + (payload_42 : byte_seq) + : (result digest_t crypto_error_t) := + match ha_41 with + | SHA256 => @Ok digest_t crypto_error_t (seq_from_seq (array_to_seq (sha256 ( + payload_42)))) + | SHA384 => @Err digest_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hmac_tag + (ha_43 : hash_algorithm_t) + (mk_44 : mac_key_t) + (payload_45 : byte_seq) + : (result hmac_t crypto_error_t) := + match ha_43 with + | SHA256 => @Ok hmac_t crypto_error_t (seq_from_seq (array_to_seq (hmac ( + mk_44) (payload_45)))) + | SHA384 => @Err hmac_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition check_tag_len + (a_46 : hmac_t) + (b_47 : hmac_t) + : (result unit crypto_error_t) := + (if ((seq_len (a_46)) =.? (seq_len (b_47))):bool then ( + @Ok unit crypto_error_t (tt)) else (@Err unit crypto_error_t ( + MacFailed))). + +Definition check_bytes + (a_48 : uint8) + (b_49 : uint8) + : (result unit crypto_error_t) := + (if (negb (uint8_equal (a_48) (b_49))):bool then (@Err unit crypto_error_t ( + MacFailed)) else (@Ok unit crypto_error_t (tt))). + +Definition hmac_verify + (ha_50 : hash_algorithm_t) + (mk_51 : mac_key_t) + (payload_52 : byte_seq) + (m_53 : hmac_t) + : (result unit crypto_error_t) := + bind (hmac_tag (ha_50) (mk_51) (payload_52)) (fun my_hmac_54 => bind ( + check_tag_len (m_53) (my_hmac_54)) (fun _ => bind (foldibnd (usize 0) to ( + seq_len (m_53)) for tt >> (fun i_55 'tt => + bind (check_bytes (seq_index (my_hmac_54) (i_55)) (seq_index (m_53) ( + i_55))) (fun _ => Ok (tt)))) (fun _ => @Ok unit crypto_error_t ( + tt)))). + +Definition ec_oid_tag_t := nseq (uint8) (usize 9). + +Definition get_length_length (b_56 : byte_seq) : uint_size := + (if (((uint8_declassify (seq_index (b_56) (usize 0))) shift_right ( + usize 7)) =.? (@repr WORDSIZE8 1)):bool then ( + declassify_usize_from_uint8 ((seq_index (b_56) (usize 0)) .& (secret ( + @repr WORDSIZE8 127) : int8))) else (usize 0)). + +Definition get_length (b_57 : byte_seq) (len_58 : uint_size) : uint_size := + (@cast _ uint32 _ (declassify_u32_from_uint32 (uint32_from_be_bytes ( + array_from_slice (default) (4) (b_57) (usize 0) ( + len_58))))) usize_shift_right (((usize 4) - (len_58)) * (usize 8)). + +Definition get_short_length (b_59 : byte_seq) : uint_size := + declassify_usize_from_uint8 ((seq_index (b_59) (usize 0)) .& (secret ( + @repr WORDSIZE8 127) : int8)). + +Definition verification_key_from_cert + (cert_60 : byte_seq) + : (result verification_key_t crypto_error_t) := + let skip_61 : uint_size := + ((usize 2) + (get_length_length (seq_slice_range (cert_60) (( + usize 1, + seq_len (cert_60) + ))))) + (usize 1) in + let seq1_len_len_62 : uint_size := + get_length_length (seq_slice_range (cert_60) ((skip_61, seq_len (cert_60) + ))) in + let skip_63 : uint_size := + (skip_61) + (usize 1) in + let seq1_len_64 : uint_size := + get_length (seq_slice (cert_60) (skip_63) ((seq_len (cert_60)) - ( + skip_63))) (seq1_len_len_62) in + let seq1_65 : seq uint8 := + seq_slice_range (cert_60) (( + (skip_63) + (seq1_len_len_62), + ((skip_63) + (seq1_len_len_62)) + (seq1_len_64) + )) in + let pk_66 : seq uint8 := + seq_new_ (default) (usize 0) in + let '(seq1_65, pk_66) := + foldi (usize 0) (seq_len (seq1_65)) (fun i_67 '(seq1_65, pk_66) => + let '(seq1_65, pk_66) := + if (seq_len (seq1_65)) >.? (usize 0):bool then ( + let element_type_68 : int8 := + uint8_declassify (seq_index (seq1_65) (usize 0)) in + let seq1_65 := + seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in + let len_len_69 : uint_size := + get_length_length (seq1_65) in + let len_70 : uint_size := + get_short_length (seq1_65) in + let seq1_65 := + seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in + let '(len_70) := + if (len_len_69) !=.? (usize 0):bool then (let len_70 := + (get_length (seq1_65) (len_len_69)) + (len_len_69) in + (len_70)) else ((len_70)) in + let '(pk_66) := + if ((element_type_68) =.? (@repr WORDSIZE8 48)) && ((seq_len ( + pk_66)) =.? (usize 0)):bool then (let seq2_71 : seq uint8 := + seq_slice (seq1_65) (len_len_69) (len_70) in + let element_type_72 : int8 := + uint8_declassify (seq_index (seq2_71) (usize 0)) in + let seq2_73 : seq uint8 := + seq_slice (seq2_71) (usize 1) ((seq_len (seq2_71)) - ( + usize 1)) in + let '(pk_66) := + if (element_type_72) =.? (@repr WORDSIZE8 48):bool then ( + let len_len_74 : uint_size := + get_length_length (seq2_73) in + let '(pk_66) := + if (len_len_74) =.? (usize 0):bool then ( + let oid_len_75 : uint_size := + get_short_length (seq2_73) in + let '(pk_66) := + if (oid_len_75) >=.? (usize 9):bool then ( + let expected_76 : seq uint8 := + seq_from_seq (array_to_seq (array_from_list uint8 ( + let l := + [ + secret (@repr WORDSIZE8 6) : int8; + secret (@repr WORDSIZE8 7) : int8; + secret (@repr WORDSIZE8 42) : int8; + secret (@repr WORDSIZE8 134) : int8; + secret (@repr WORDSIZE8 72) : int8; + secret (@repr WORDSIZE8 206) : int8; + secret (@repr WORDSIZE8 61) : int8; + secret (@repr WORDSIZE8 2) : int8; + secret (@repr WORDSIZE8 1) : int8 + ] in l))) in + let oid_77 : seq uint8 := + seq_slice (seq2_73) (usize 1) (usize 9) in + let ec_pk_oid_78 : bool := + true in + let ec_pk_oid_78 := + foldi (usize 0) (usize 9) (fun i_79 ec_pk_oid_78 => + let oid_byte_equal_80 : bool := + (uint8_declassify (seq_index (oid_77) ( + i_79))) =.? (uint8_declassify (seq_index ( + expected_76) (i_79))) in + let ec_pk_oid_78 := + (ec_pk_oid_78) && (oid_byte_equal_80) in + (ec_pk_oid_78)) + ec_pk_oid_78 in + let '(pk_66) := + if ec_pk_oid_78:bool then ( + let bit_string_81 : seq uint8 := + seq_slice (seq2_73) ((oid_len_75) + (usize 1)) ( + ((seq_len (seq2_73)) - (oid_len_75)) - ( + usize 1)) in + let '(pk_66) := + if (uint8_declassify (seq_index ( + bit_string_81) (usize 0))) =.? ( + @repr WORDSIZE8 3):bool then ( + let pk_len_82 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 1)) in + let zeroes_83 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 2)) in + let uncompressed_84 : uint_size := + declassify_usize_from_uint8 (seq_index ( + bit_string_81) (usize 3)) in + let pk_66 := + seq_slice (bit_string_81) (usize 4) (( + pk_len_82) - (usize 2)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + (pk_66)) else ((pk_66)) in + let seq1_65 := + seq_slice (seq1_65) (len_70) ((seq_len (seq1_65)) - (len_70)) in + (seq1_65, pk_66)) else ((seq1_65, pk_66)) in + (seq1_65, pk_66)) + (seq1_65, pk_66) in + (if ((seq_len (pk_66)) =.? (usize 0)):bool then ( + @Err verification_key_t crypto_error_t (InvalidCert)) else ( + @Ok verification_key_t crypto_error_t (pk_66))). + +Definition concat_signature + (r_85 : p256_scalar_t) + (s_86 : p256_scalar_t) + : (result signature_t crypto_error_t) := + let signature_87 : seq uint8 := + seq_concat (seq_concat (seq_new_ (default) (usize 0)) ( + nat_mod_to_byte_seq_be (r_85))) (nat_mod_to_byte_seq_be (s_86)) in + @Ok signature_t crypto_error_t (signature_87). + +Definition p256_sign + (ps_88 : signature_key_t) + (payload_89 : byte_seq) + (ent_90 : entropy_t) + : (result signature_t crypto_error_t) := + let random_91 : random_t := + array_from_seq (32) (seq_slice_range (ent_90) ((usize 0, usize 32))) in + let nonce_92 : p256_scalar_t := + nat_mod_from_byte_seq_be (array_to_seq (random_91)) : p256_scalar_t in + match ecdsa_p256_sha256_sign (payload_89) (nat_mod_from_byte_seq_be ( + ps_88) : p256_scalar_t) (nonce_92) with + | Ok (r_93, s_94) => concat_signature (r_93) (s_94) + | Err _ => @Err signature_t crypto_error_t (CryptoError) + end. + +Definition sign + (sa_95 : signature_scheme_t) + (ps_96 : signature_key_t) + (payload_97 : byte_seq) + (ent_98 : entropy_t) + : (result signature_t crypto_error_t) := + match sa_95 with + | EcdsaSecp256r1Sha256 => p256_sign (ps_96) (payload_97) (ent_98) + | ED25519 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) + | RsaPssRsaSha256 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition p256_verify + (pk_99 : verification_key_t) + (payload_100 : byte_seq) + (sig_101 : byte_seq) + : (result unit crypto_error_t) := + let '(pk_x_102, pk_y_103) := + ( + nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 0) ( + usize 32)) : p256_field_element_t, + nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 32) ( + usize 32)) : p256_field_element_t + ) in + let '(r_104, s_105) := + ( + nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 0) ( + usize 32)) : p256_scalar_t, + nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 32) ( + usize 32)) : p256_scalar_t + ) in + match ecdsa_p256_sha256_verify (payload_100) ((pk_x_102, pk_y_103)) (( + r_104, + s_105 + )) with + | Ok tt => @Ok unit crypto_error_t (tt) + | Err _ => @Err unit crypto_error_t (VerifyFailed) + end. + +Definition verify + (sa_106 : signature_scheme_t) + (pk_107 : verification_key_t) + (payload_108 : byte_seq) + (sig_109 : byte_seq) + : (result unit crypto_error_t) := + match sa_106 with + | EcdsaSecp256r1Sha256 => p256_verify (pk_107) (payload_108) (sig_109) + | ED25519 => @Err unit crypto_error_t (UnsupportedAlgorithm) + | RsaPssRsaSha256 => @Err unit crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hkdf_extract + (ha_110 : hash_algorithm_t) + (k_111 : key_t) + (salt_112 : key_t) + : (result key_t crypto_error_t) := + match ha_110 with + | SHA256 => @Ok key_t crypto_error_t (seq_from_seq (array_to_seq (extract ( + salt_112) (k_111)))) + | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition hkdf_expand + (ha_113 : hash_algorithm_t) + (k_114 : key_t) + (info_115 : byte_seq) + (len_116 : uint_size) + : (result key_t crypto_error_t) := + match ha_113 with + | SHA256 => match expand (k_114) (info_115) (len_116) with + | Ok b_117 => @Ok key_t crypto_error_t (seq_from_seq (b_117)) + | Err _ => @Err key_t crypto_error_t (HkdfError) + end + | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) + end. + +Definition aes128_encrypt + (k_118 : aead_key_t) + (iv_119 : aead_iv_t) + (payload_120 : byte_seq) + (ad_121 : byte_seq) + : (result byte_seq crypto_error_t) := + let '(ctxt_122, tag_123) := + encrypt_aes128 (array_from_seq (_) (k_118)) (array_from_seq (_) (iv_119)) ( + ad_121) (payload_120) in + @Ok byte_seq crypto_error_t (seq_concat (ctxt_122) (seq_from_seq ( + array_to_seq (tag_123)))). + +Definition chacha_encrypt + (k_124 : aead_key_t) + (iv_125 : aead_iv_t) + (payload_126 : byte_seq) + (ad_127 : byte_seq) + : (result byte_seq crypto_error_t) := + let '(ctxt_128, tag_129) := + chacha20_poly1305_encrypt (array_from_seq (32) (k_124)) (array_from_seq ( + 12) (iv_125)) (ad_127) (payload_126) in + @Ok byte_seq crypto_error_t (seq_concat (ctxt_128) (array_to_seq (tag_129))). + +Definition aead_encrypt + (a_130 : aead_algorithm_t) + (k_131 : aead_key_t) + (iv_132 : aead_iv_t) + (payload_133 : byte_seq) + (ad_134 : byte_seq) + : (result byte_seq crypto_error_t) := + match a_130 with + | Aes128Gcm => aes128_encrypt (k_131) (iv_132) (payload_133) (ad_134) + | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) + | Chacha20Poly1305 => chacha_encrypt (k_131) (iv_132) (payload_133) (ad_134) + end. + +Definition aes128_decrypt + (k_135 : aead_key_t) + (iv_136 : aead_iv_t) + (ciphertext_137 : byte_seq) + (ad_138 : byte_seq) + : (result byte_seq crypto_error_t) := + match decrypt_aes128 (array_from_seq (_) (k_135)) (array_from_seq (_) ( + iv_136)) (ad_138) (seq_slice_range (ciphertext_137) (( + usize 0, + (seq_len (ciphertext_137)) - (usize 16) + ))) (array_from_seq (_) (seq_slice_range (ciphertext_137) (( + (seq_len (ciphertext_137)) - (usize 16), + seq_len (ciphertext_137) + )))) with + | Ok m_139 => @Ok byte_seq crypto_error_t (m_139) + | Err _ => @Err byte_seq crypto_error_t (MacFailed) + end. + +Definition chacha_decrypt + (k_140 : aead_key_t) + (iv_141 : aead_iv_t) + (ciphertext_142 : byte_seq) + (ad_143 : byte_seq) + : (result byte_seq crypto_error_t) := + match chacha20_poly1305_decrypt (array_from_seq (32) (k_140)) ( + array_from_seq (12) (iv_141)) (ad_143) (seq_slice_range (ciphertext_142) (( + usize 0, + (seq_len (ciphertext_142)) - (usize 16) + ))) (array_from_seq (16) (seq_slice_range (ciphertext_142) (( + (seq_len (ciphertext_142)) - (usize 16), + seq_len (ciphertext_142) + )))) with + | Ok ptxt_144 => @Ok byte_seq crypto_error_t (ptxt_144) + | Err _ => @Err byte_seq crypto_error_t (MacFailed) + end. + +Definition aead_decrypt + (a_145 : aead_algorithm_t) + (k_146 : aead_key_t) + (iv_147 : aead_iv_t) + (ciphertext_148 : byte_seq) + (ad_149 : byte_seq) + : (result byte_seq crypto_error_t) := + match a_145 with + | Aes128Gcm => aes128_decrypt (k_146) (iv_147) (ciphertext_148) (ad_149) + | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) + | Chacha20Poly1305 => chacha_decrypt (k_146) (iv_147) (ciphertext_148) ( + ad_149) + end. + From eca166fb40be9b76be400482a9f9956d2a07ad93 Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Thu, 7 Dec 2023 14:27:32 +0100 Subject: [PATCH 02/12] Move --- proof-libs/coq/{ => coq}/README.md | 0 proof-libs/coq/{ => coq}/_CoqProject | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Aes.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Aes128_Gcm.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Bip_340.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Bls12_381.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Bls12_381_Hash.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Chacha20.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Chacha20poly1305.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Coverage_Test.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Curve25519.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Ecdsa_P256_Sha256.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Ed25519.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Edwards25519.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Edwards25519_Ecvrf.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Edwards25519_Hash.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Gf128.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Gimli.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Hkdf.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Hmac.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Linalg.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Merlin.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Ntru_Prime.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_P256.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Poly1305.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Riot_Bootloader.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Riot_Runqueue.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Ristretto.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Rsa_Fdh_Vrf.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Rsa_Pkcs1.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Sha1.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Sha256.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Sha3.v | 0 proof-libs/coq/{ => coq}/_vc/Hacspec_Sha512.v | 0 proof-libs/coq/{ => coq}/_vc/Pearlite_Example.v | 0 proof-libs/coq/{ => coq}/_vc/Strobe.v | 0 proof-libs/coq/{ => coq}/_vc/Tls_Cryptolib.v | 0 proof-libs/coq/{ => coq}/docker_build/Dockerfile | 0 proof-libs/coq/{ => coq}/src/Hacspec_Aes.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Aes128_Gcm.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Bip_340.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Bls12_381.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Bls12_381_Hash.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Chacha20.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Chacha20poly1305.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Coverage_Test.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Curve25519.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Ecdsa_P256_Sha256.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Ed25519.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Edwards25519.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Edwards25519_Ecvrf.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Edwards25519_Hash.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Gf128.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Gimli.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Hkdf.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Hmac.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Lib.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Linalg.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Merlin.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Ntru_Prime.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_P256.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Poly1305.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Riot_Bootloader.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Riot_Runqueue.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Ristretto.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Rsa_Fdh_Vrf.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Rsa_Pkcs1.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Sha1.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Sha256.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Sha3.v | 0 proof-libs/coq/{ => coq}/src/Hacspec_Sha512.v | 0 proof-libs/coq/{ => coq}/src/MachineIntegers.v | 0 proof-libs/coq/{ => coq}/src/Pearlite_Example.v | 0 proof-libs/coq/{ => coq}/src/QuickChickLib.v | 0 proof-libs/coq/{ => coq}/src/Strobe.v | 0 proof-libs/coq/{ => coq}/src/Tls_Cryptolib.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Aes.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Aes128_Gcm.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Bls12_381.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Bls12_381_Hash.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Chacha20.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Chacha20poly1305.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Curve25519.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Ecdsa_P256_Sha256.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Ed25519.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Gf128.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Gimli.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Hkdf.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Hmac.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Linalg.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Ntru_Prime.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_P256.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Poly1305.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Riot_Bootloader.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Riot_Runqueue.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Rsa_Pkcs1.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Sha256.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Sha3.v | 0 proof-libs/coq/{ => coq}/src/_vc/Hacspec_Sha512.v | 0 proof-libs/coq/{ => coq}/src/_vc/Tls_Cryptolib.v | 0 100 files changed, 0 insertions(+), 0 deletions(-) rename proof-libs/coq/{ => coq}/README.md (100%) rename proof-libs/coq/{ => coq}/_CoqProject (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Aes.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Aes128_Gcm.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Bip_340.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Bls12_381.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Bls12_381_Hash.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Chacha20.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Chacha20poly1305.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Coverage_Test.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Curve25519.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Ecdsa_P256_Sha256.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Ed25519.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Edwards25519.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Edwards25519_Ecvrf.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Edwards25519_Hash.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Gf128.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Gimli.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Hkdf.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Hmac.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Linalg.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Merlin.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Ntru_Prime.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_P256.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Poly1305.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Riot_Bootloader.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Riot_Runqueue.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Ristretto.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Rsa_Fdh_Vrf.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Rsa_Pkcs1.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Sha1.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Sha256.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Sha3.v (100%) rename proof-libs/coq/{ => coq}/_vc/Hacspec_Sha512.v (100%) rename proof-libs/coq/{ => coq}/_vc/Pearlite_Example.v (100%) rename proof-libs/coq/{ => coq}/_vc/Strobe.v (100%) rename proof-libs/coq/{ => coq}/_vc/Tls_Cryptolib.v (100%) rename proof-libs/coq/{ => coq}/docker_build/Dockerfile (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Aes.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Aes128_Gcm.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Bip_340.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Bls12_381.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Bls12_381_Hash.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Chacha20.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Chacha20poly1305.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Coverage_Test.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Curve25519.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Ecdsa_P256_Sha256.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Ed25519.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Edwards25519.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Edwards25519_Ecvrf.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Edwards25519_Hash.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Gf128.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Gimli.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Hkdf.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Hmac.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Lib.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Linalg.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Merlin.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Ntru_Prime.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_P256.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Poly1305.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Riot_Bootloader.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Riot_Runqueue.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Ristretto.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Rsa_Fdh_Vrf.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Rsa_Pkcs1.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Sha1.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Sha256.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Sha3.v (100%) rename proof-libs/coq/{ => coq}/src/Hacspec_Sha512.v (100%) rename proof-libs/coq/{ => coq}/src/MachineIntegers.v (100%) rename proof-libs/coq/{ => coq}/src/Pearlite_Example.v (100%) rename proof-libs/coq/{ => coq}/src/QuickChickLib.v (100%) rename proof-libs/coq/{ => coq}/src/Strobe.v (100%) rename proof-libs/coq/{ => coq}/src/Tls_Cryptolib.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Aes.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Aes128_Gcm.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Bls12_381.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Bls12_381_Hash.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Chacha20.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Chacha20poly1305.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Curve25519.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Ecdsa_P256_Sha256.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Ed25519.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Gf128.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Gimli.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Hkdf.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Hmac.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Linalg.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Ntru_Prime.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_P256.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Poly1305.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Riot_Bootloader.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Riot_Runqueue.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Rsa_Pkcs1.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Sha256.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Sha3.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Hacspec_Sha512.v (100%) rename proof-libs/coq/{ => coq}/src/_vc/Tls_Cryptolib.v (100%) diff --git a/proof-libs/coq/README.md b/proof-libs/coq/coq/README.md similarity index 100% rename from proof-libs/coq/README.md rename to proof-libs/coq/coq/README.md diff --git a/proof-libs/coq/_CoqProject b/proof-libs/coq/coq/_CoqProject similarity index 100% rename from proof-libs/coq/_CoqProject rename to proof-libs/coq/coq/_CoqProject diff --git a/proof-libs/coq/_vc/Hacspec_Aes.v b/proof-libs/coq/coq/_vc/Hacspec_Aes.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Aes.v rename to proof-libs/coq/coq/_vc/Hacspec_Aes.v diff --git a/proof-libs/coq/_vc/Hacspec_Aes128_Gcm.v b/proof-libs/coq/coq/_vc/Hacspec_Aes128_Gcm.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Aes128_Gcm.v rename to proof-libs/coq/coq/_vc/Hacspec_Aes128_Gcm.v diff --git a/proof-libs/coq/_vc/Hacspec_Bip_340.v b/proof-libs/coq/coq/_vc/Hacspec_Bip_340.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Bip_340.v rename to proof-libs/coq/coq/_vc/Hacspec_Bip_340.v diff --git a/proof-libs/coq/_vc/Hacspec_Bls12_381.v b/proof-libs/coq/coq/_vc/Hacspec_Bls12_381.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Bls12_381.v rename to proof-libs/coq/coq/_vc/Hacspec_Bls12_381.v diff --git a/proof-libs/coq/_vc/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/coq/_vc/Hacspec_Bls12_381_Hash.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Bls12_381_Hash.v rename to proof-libs/coq/coq/_vc/Hacspec_Bls12_381_Hash.v diff --git a/proof-libs/coq/_vc/Hacspec_Chacha20.v b/proof-libs/coq/coq/_vc/Hacspec_Chacha20.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Chacha20.v rename to proof-libs/coq/coq/_vc/Hacspec_Chacha20.v diff --git a/proof-libs/coq/_vc/Hacspec_Chacha20poly1305.v b/proof-libs/coq/coq/_vc/Hacspec_Chacha20poly1305.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Chacha20poly1305.v rename to proof-libs/coq/coq/_vc/Hacspec_Chacha20poly1305.v diff --git a/proof-libs/coq/_vc/Hacspec_Coverage_Test.v b/proof-libs/coq/coq/_vc/Hacspec_Coverage_Test.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Coverage_Test.v rename to proof-libs/coq/coq/_vc/Hacspec_Coverage_Test.v diff --git a/proof-libs/coq/_vc/Hacspec_Curve25519.v b/proof-libs/coq/coq/_vc/Hacspec_Curve25519.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Curve25519.v rename to proof-libs/coq/coq/_vc/Hacspec_Curve25519.v diff --git a/proof-libs/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v rename to proof-libs/coq/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v diff --git a/proof-libs/coq/_vc/Hacspec_Ed25519.v b/proof-libs/coq/coq/_vc/Hacspec_Ed25519.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Ed25519.v rename to proof-libs/coq/coq/_vc/Hacspec_Ed25519.v diff --git a/proof-libs/coq/_vc/Hacspec_Edwards25519.v b/proof-libs/coq/coq/_vc/Hacspec_Edwards25519.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Edwards25519.v rename to proof-libs/coq/coq/_vc/Hacspec_Edwards25519.v diff --git a/proof-libs/coq/_vc/Hacspec_Edwards25519_Ecvrf.v b/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Ecvrf.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Edwards25519_Ecvrf.v rename to proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Ecvrf.v diff --git a/proof-libs/coq/_vc/Hacspec_Edwards25519_Hash.v b/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Hash.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Edwards25519_Hash.v rename to proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Hash.v diff --git a/proof-libs/coq/_vc/Hacspec_Gf128.v b/proof-libs/coq/coq/_vc/Hacspec_Gf128.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Gf128.v rename to proof-libs/coq/coq/_vc/Hacspec_Gf128.v diff --git a/proof-libs/coq/_vc/Hacspec_Gimli.v b/proof-libs/coq/coq/_vc/Hacspec_Gimli.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Gimli.v rename to proof-libs/coq/coq/_vc/Hacspec_Gimli.v diff --git a/proof-libs/coq/_vc/Hacspec_Hkdf.v b/proof-libs/coq/coq/_vc/Hacspec_Hkdf.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Hkdf.v rename to proof-libs/coq/coq/_vc/Hacspec_Hkdf.v diff --git a/proof-libs/coq/_vc/Hacspec_Hmac.v b/proof-libs/coq/coq/_vc/Hacspec_Hmac.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Hmac.v rename to proof-libs/coq/coq/_vc/Hacspec_Hmac.v diff --git a/proof-libs/coq/_vc/Hacspec_Linalg.v b/proof-libs/coq/coq/_vc/Hacspec_Linalg.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Linalg.v rename to proof-libs/coq/coq/_vc/Hacspec_Linalg.v diff --git a/proof-libs/coq/_vc/Hacspec_Merlin.v b/proof-libs/coq/coq/_vc/Hacspec_Merlin.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Merlin.v rename to proof-libs/coq/coq/_vc/Hacspec_Merlin.v diff --git a/proof-libs/coq/_vc/Hacspec_Ntru_Prime.v b/proof-libs/coq/coq/_vc/Hacspec_Ntru_Prime.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Ntru_Prime.v rename to proof-libs/coq/coq/_vc/Hacspec_Ntru_Prime.v diff --git a/proof-libs/coq/_vc/Hacspec_P256.v b/proof-libs/coq/coq/_vc/Hacspec_P256.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_P256.v rename to proof-libs/coq/coq/_vc/Hacspec_P256.v diff --git a/proof-libs/coq/_vc/Hacspec_Poly1305.v b/proof-libs/coq/coq/_vc/Hacspec_Poly1305.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Poly1305.v rename to proof-libs/coq/coq/_vc/Hacspec_Poly1305.v diff --git a/proof-libs/coq/_vc/Hacspec_Riot_Bootloader.v b/proof-libs/coq/coq/_vc/Hacspec_Riot_Bootloader.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Riot_Bootloader.v rename to proof-libs/coq/coq/_vc/Hacspec_Riot_Bootloader.v diff --git a/proof-libs/coq/_vc/Hacspec_Riot_Runqueue.v b/proof-libs/coq/coq/_vc/Hacspec_Riot_Runqueue.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Riot_Runqueue.v rename to proof-libs/coq/coq/_vc/Hacspec_Riot_Runqueue.v diff --git a/proof-libs/coq/_vc/Hacspec_Ristretto.v b/proof-libs/coq/coq/_vc/Hacspec_Ristretto.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Ristretto.v rename to proof-libs/coq/coq/_vc/Hacspec_Ristretto.v diff --git a/proof-libs/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v b/proof-libs/coq/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v rename to proof-libs/coq/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v diff --git a/proof-libs/coq/_vc/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/coq/_vc/Hacspec_Rsa_Pkcs1.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Rsa_Pkcs1.v rename to proof-libs/coq/coq/_vc/Hacspec_Rsa_Pkcs1.v diff --git a/proof-libs/coq/_vc/Hacspec_Sha1.v b/proof-libs/coq/coq/_vc/Hacspec_Sha1.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Sha1.v rename to proof-libs/coq/coq/_vc/Hacspec_Sha1.v diff --git a/proof-libs/coq/_vc/Hacspec_Sha256.v b/proof-libs/coq/coq/_vc/Hacspec_Sha256.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Sha256.v rename to proof-libs/coq/coq/_vc/Hacspec_Sha256.v diff --git a/proof-libs/coq/_vc/Hacspec_Sha3.v b/proof-libs/coq/coq/_vc/Hacspec_Sha3.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Sha3.v rename to proof-libs/coq/coq/_vc/Hacspec_Sha3.v diff --git a/proof-libs/coq/_vc/Hacspec_Sha512.v b/proof-libs/coq/coq/_vc/Hacspec_Sha512.v similarity index 100% rename from proof-libs/coq/_vc/Hacspec_Sha512.v rename to proof-libs/coq/coq/_vc/Hacspec_Sha512.v diff --git a/proof-libs/coq/_vc/Pearlite_Example.v b/proof-libs/coq/coq/_vc/Pearlite_Example.v similarity index 100% rename from proof-libs/coq/_vc/Pearlite_Example.v rename to proof-libs/coq/coq/_vc/Pearlite_Example.v diff --git a/proof-libs/coq/_vc/Strobe.v b/proof-libs/coq/coq/_vc/Strobe.v similarity index 100% rename from proof-libs/coq/_vc/Strobe.v rename to proof-libs/coq/coq/_vc/Strobe.v diff --git a/proof-libs/coq/_vc/Tls_Cryptolib.v b/proof-libs/coq/coq/_vc/Tls_Cryptolib.v similarity index 100% rename from proof-libs/coq/_vc/Tls_Cryptolib.v rename to proof-libs/coq/coq/_vc/Tls_Cryptolib.v diff --git a/proof-libs/coq/docker_build/Dockerfile b/proof-libs/coq/coq/docker_build/Dockerfile similarity index 100% rename from proof-libs/coq/docker_build/Dockerfile rename to proof-libs/coq/coq/docker_build/Dockerfile diff --git a/proof-libs/coq/src/Hacspec_Aes.v b/proof-libs/coq/coq/src/Hacspec_Aes.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Aes.v rename to proof-libs/coq/coq/src/Hacspec_Aes.v diff --git a/proof-libs/coq/src/Hacspec_Aes128_Gcm.v b/proof-libs/coq/coq/src/Hacspec_Aes128_Gcm.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Aes128_Gcm.v rename to proof-libs/coq/coq/src/Hacspec_Aes128_Gcm.v diff --git a/proof-libs/coq/src/Hacspec_Bip_340.v b/proof-libs/coq/coq/src/Hacspec_Bip_340.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Bip_340.v rename to proof-libs/coq/coq/src/Hacspec_Bip_340.v diff --git a/proof-libs/coq/src/Hacspec_Bls12_381.v b/proof-libs/coq/coq/src/Hacspec_Bls12_381.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Bls12_381.v rename to proof-libs/coq/coq/src/Hacspec_Bls12_381.v diff --git a/proof-libs/coq/src/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/coq/src/Hacspec_Bls12_381_Hash.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Bls12_381_Hash.v rename to proof-libs/coq/coq/src/Hacspec_Bls12_381_Hash.v diff --git a/proof-libs/coq/src/Hacspec_Chacha20.v b/proof-libs/coq/coq/src/Hacspec_Chacha20.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Chacha20.v rename to proof-libs/coq/coq/src/Hacspec_Chacha20.v diff --git a/proof-libs/coq/src/Hacspec_Chacha20poly1305.v b/proof-libs/coq/coq/src/Hacspec_Chacha20poly1305.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Chacha20poly1305.v rename to proof-libs/coq/coq/src/Hacspec_Chacha20poly1305.v diff --git a/proof-libs/coq/src/Hacspec_Coverage_Test.v b/proof-libs/coq/coq/src/Hacspec_Coverage_Test.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Coverage_Test.v rename to proof-libs/coq/coq/src/Hacspec_Coverage_Test.v diff --git a/proof-libs/coq/src/Hacspec_Curve25519.v b/proof-libs/coq/coq/src/Hacspec_Curve25519.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Curve25519.v rename to proof-libs/coq/coq/src/Hacspec_Curve25519.v diff --git a/proof-libs/coq/src/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/coq/src/Hacspec_Ecdsa_P256_Sha256.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Ecdsa_P256_Sha256.v rename to proof-libs/coq/coq/src/Hacspec_Ecdsa_P256_Sha256.v diff --git a/proof-libs/coq/src/Hacspec_Ed25519.v b/proof-libs/coq/coq/src/Hacspec_Ed25519.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Ed25519.v rename to proof-libs/coq/coq/src/Hacspec_Ed25519.v diff --git a/proof-libs/coq/src/Hacspec_Edwards25519.v b/proof-libs/coq/coq/src/Hacspec_Edwards25519.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Edwards25519.v rename to proof-libs/coq/coq/src/Hacspec_Edwards25519.v diff --git a/proof-libs/coq/src/Hacspec_Edwards25519_Ecvrf.v b/proof-libs/coq/coq/src/Hacspec_Edwards25519_Ecvrf.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Edwards25519_Ecvrf.v rename to proof-libs/coq/coq/src/Hacspec_Edwards25519_Ecvrf.v diff --git a/proof-libs/coq/src/Hacspec_Edwards25519_Hash.v b/proof-libs/coq/coq/src/Hacspec_Edwards25519_Hash.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Edwards25519_Hash.v rename to proof-libs/coq/coq/src/Hacspec_Edwards25519_Hash.v diff --git a/proof-libs/coq/src/Hacspec_Gf128.v b/proof-libs/coq/coq/src/Hacspec_Gf128.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Gf128.v rename to proof-libs/coq/coq/src/Hacspec_Gf128.v diff --git a/proof-libs/coq/src/Hacspec_Gimli.v b/proof-libs/coq/coq/src/Hacspec_Gimli.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Gimli.v rename to proof-libs/coq/coq/src/Hacspec_Gimli.v diff --git a/proof-libs/coq/src/Hacspec_Hkdf.v b/proof-libs/coq/coq/src/Hacspec_Hkdf.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Hkdf.v rename to proof-libs/coq/coq/src/Hacspec_Hkdf.v diff --git a/proof-libs/coq/src/Hacspec_Hmac.v b/proof-libs/coq/coq/src/Hacspec_Hmac.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Hmac.v rename to proof-libs/coq/coq/src/Hacspec_Hmac.v diff --git a/proof-libs/coq/src/Hacspec_Lib.v b/proof-libs/coq/coq/src/Hacspec_Lib.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Lib.v rename to proof-libs/coq/coq/src/Hacspec_Lib.v diff --git a/proof-libs/coq/src/Hacspec_Linalg.v b/proof-libs/coq/coq/src/Hacspec_Linalg.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Linalg.v rename to proof-libs/coq/coq/src/Hacspec_Linalg.v diff --git a/proof-libs/coq/src/Hacspec_Merlin.v b/proof-libs/coq/coq/src/Hacspec_Merlin.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Merlin.v rename to proof-libs/coq/coq/src/Hacspec_Merlin.v diff --git a/proof-libs/coq/src/Hacspec_Ntru_Prime.v b/proof-libs/coq/coq/src/Hacspec_Ntru_Prime.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Ntru_Prime.v rename to proof-libs/coq/coq/src/Hacspec_Ntru_Prime.v diff --git a/proof-libs/coq/src/Hacspec_P256.v b/proof-libs/coq/coq/src/Hacspec_P256.v similarity index 100% rename from proof-libs/coq/src/Hacspec_P256.v rename to proof-libs/coq/coq/src/Hacspec_P256.v diff --git a/proof-libs/coq/src/Hacspec_Poly1305.v b/proof-libs/coq/coq/src/Hacspec_Poly1305.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Poly1305.v rename to proof-libs/coq/coq/src/Hacspec_Poly1305.v diff --git a/proof-libs/coq/src/Hacspec_Riot_Bootloader.v b/proof-libs/coq/coq/src/Hacspec_Riot_Bootloader.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Riot_Bootloader.v rename to proof-libs/coq/coq/src/Hacspec_Riot_Bootloader.v diff --git a/proof-libs/coq/src/Hacspec_Riot_Runqueue.v b/proof-libs/coq/coq/src/Hacspec_Riot_Runqueue.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Riot_Runqueue.v rename to proof-libs/coq/coq/src/Hacspec_Riot_Runqueue.v diff --git a/proof-libs/coq/src/Hacspec_Ristretto.v b/proof-libs/coq/coq/src/Hacspec_Ristretto.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Ristretto.v rename to proof-libs/coq/coq/src/Hacspec_Ristretto.v diff --git a/proof-libs/coq/src/Hacspec_Rsa_Fdh_Vrf.v b/proof-libs/coq/coq/src/Hacspec_Rsa_Fdh_Vrf.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Rsa_Fdh_Vrf.v rename to proof-libs/coq/coq/src/Hacspec_Rsa_Fdh_Vrf.v diff --git a/proof-libs/coq/src/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/coq/src/Hacspec_Rsa_Pkcs1.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Rsa_Pkcs1.v rename to proof-libs/coq/coq/src/Hacspec_Rsa_Pkcs1.v diff --git a/proof-libs/coq/src/Hacspec_Sha1.v b/proof-libs/coq/coq/src/Hacspec_Sha1.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Sha1.v rename to proof-libs/coq/coq/src/Hacspec_Sha1.v diff --git a/proof-libs/coq/src/Hacspec_Sha256.v b/proof-libs/coq/coq/src/Hacspec_Sha256.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Sha256.v rename to proof-libs/coq/coq/src/Hacspec_Sha256.v diff --git a/proof-libs/coq/src/Hacspec_Sha3.v b/proof-libs/coq/coq/src/Hacspec_Sha3.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Sha3.v rename to proof-libs/coq/coq/src/Hacspec_Sha3.v diff --git a/proof-libs/coq/src/Hacspec_Sha512.v b/proof-libs/coq/coq/src/Hacspec_Sha512.v similarity index 100% rename from proof-libs/coq/src/Hacspec_Sha512.v rename to proof-libs/coq/coq/src/Hacspec_Sha512.v diff --git a/proof-libs/coq/src/MachineIntegers.v b/proof-libs/coq/coq/src/MachineIntegers.v similarity index 100% rename from proof-libs/coq/src/MachineIntegers.v rename to proof-libs/coq/coq/src/MachineIntegers.v diff --git a/proof-libs/coq/src/Pearlite_Example.v b/proof-libs/coq/coq/src/Pearlite_Example.v similarity index 100% rename from proof-libs/coq/src/Pearlite_Example.v rename to proof-libs/coq/coq/src/Pearlite_Example.v diff --git a/proof-libs/coq/src/QuickChickLib.v b/proof-libs/coq/coq/src/QuickChickLib.v similarity index 100% rename from proof-libs/coq/src/QuickChickLib.v rename to proof-libs/coq/coq/src/QuickChickLib.v diff --git a/proof-libs/coq/src/Strobe.v b/proof-libs/coq/coq/src/Strobe.v similarity index 100% rename from proof-libs/coq/src/Strobe.v rename to proof-libs/coq/coq/src/Strobe.v diff --git a/proof-libs/coq/src/Tls_Cryptolib.v b/proof-libs/coq/coq/src/Tls_Cryptolib.v similarity index 100% rename from proof-libs/coq/src/Tls_Cryptolib.v rename to proof-libs/coq/coq/src/Tls_Cryptolib.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Aes.v b/proof-libs/coq/coq/src/_vc/Hacspec_Aes.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Aes.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Aes.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Aes128_Gcm.v b/proof-libs/coq/coq/src/_vc/Hacspec_Aes128_Gcm.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Aes128_Gcm.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Aes128_Gcm.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Bls12_381.v b/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Bls12_381.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381_Hash.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Bls12_381_Hash.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381_Hash.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Chacha20.v b/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Chacha20.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Chacha20.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Chacha20poly1305.v b/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20poly1305.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Chacha20poly1305.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Chacha20poly1305.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Curve25519.v b/proof-libs/coq/coq/src/_vc/Hacspec_Curve25519.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Curve25519.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Curve25519.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Ed25519.v b/proof-libs/coq/coq/src/_vc/Hacspec_Ed25519.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Ed25519.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Ed25519.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Gf128.v b/proof-libs/coq/coq/src/_vc/Hacspec_Gf128.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Gf128.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Gf128.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Gimli.v b/proof-libs/coq/coq/src/_vc/Hacspec_Gimli.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Gimli.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Gimli.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Hkdf.v b/proof-libs/coq/coq/src/_vc/Hacspec_Hkdf.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Hkdf.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Hkdf.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Hmac.v b/proof-libs/coq/coq/src/_vc/Hacspec_Hmac.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Hmac.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Hmac.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Linalg.v b/proof-libs/coq/coq/src/_vc/Hacspec_Linalg.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Linalg.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Linalg.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Ntru_Prime.v b/proof-libs/coq/coq/src/_vc/Hacspec_Ntru_Prime.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Ntru_Prime.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Ntru_Prime.v diff --git a/proof-libs/coq/src/_vc/Hacspec_P256.v b/proof-libs/coq/coq/src/_vc/Hacspec_P256.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_P256.v rename to proof-libs/coq/coq/src/_vc/Hacspec_P256.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Poly1305.v b/proof-libs/coq/coq/src/_vc/Hacspec_Poly1305.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Poly1305.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Poly1305.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Riot_Bootloader.v b/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Bootloader.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Riot_Bootloader.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Riot_Bootloader.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Riot_Runqueue.v b/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Runqueue.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Riot_Runqueue.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Riot_Runqueue.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/coq/src/_vc/Hacspec_Rsa_Pkcs1.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Rsa_Pkcs1.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Rsa_Pkcs1.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Sha256.v b/proof-libs/coq/coq/src/_vc/Hacspec_Sha256.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Sha256.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Sha256.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Sha3.v b/proof-libs/coq/coq/src/_vc/Hacspec_Sha3.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Sha3.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Sha3.v diff --git a/proof-libs/coq/src/_vc/Hacspec_Sha512.v b/proof-libs/coq/coq/src/_vc/Hacspec_Sha512.v similarity index 100% rename from proof-libs/coq/src/_vc/Hacspec_Sha512.v rename to proof-libs/coq/coq/src/_vc/Hacspec_Sha512.v diff --git a/proof-libs/coq/src/_vc/Tls_Cryptolib.v b/proof-libs/coq/coq/src/_vc/Tls_Cryptolib.v similarity index 100% rename from proof-libs/coq/src/_vc/Tls_Cryptolib.v rename to proof-libs/coq/coq/src/_vc/Tls_Cryptolib.v From 776f9237532e8dec013429ca60424d82d1e360b5 Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Thu, 7 Dec 2023 14:31:37 +0100 Subject: [PATCH 03/12] Cleanup --- proof-libs/coq/{ => coq}/.gitignore | 0 proof-libs/coq/coq/_vc/Hacspec_Aes.v | 720 ------- proof-libs/coq/coq/_vc/Hacspec_Aes128_Gcm.v | 126 -- proof-libs/coq/coq/_vc/Hacspec_Bip_340.v | 530 ----- proof-libs/coq/coq/_vc/Hacspec_Bls12_381.v | 772 ------- .../coq/coq/_vc/Hacspec_Bls12_381_Hash.v | 1754 ---------------- proof-libs/coq/coq/_vc/Hacspec_Chacha20.v | 223 --- .../coq/coq/_vc/Hacspec_Chacha20poly1305.v | 98 - .../coq/coq/_vc/Hacspec_Coverage_Test.v | 163 -- proof-libs/coq/coq/_vc/Hacspec_Curve25519.v | 170 -- .../coq/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v | 128 -- proof-libs/coq/coq/_vc/Hacspec_Ed25519.v | 690 ------- proof-libs/coq/coq/_vc/Hacspec_Edwards25519.v | 597 ------ .../coq/coq/_vc/Hacspec_Edwards25519_Ecvrf.v | 349 ---- .../coq/coq/_vc/Hacspec_Edwards25519_Hash.v | 504 ----- proof-libs/coq/coq/_vc/Hacspec_Gf128.v | 113 -- proof-libs/coq/coq/_vc/Hacspec_Gimli.v | 406 ---- proof-libs/coq/coq/_vc/Hacspec_Hkdf.v | 93 - proof-libs/coq/coq/_vc/Hacspec_Hmac.v | 178 -- proof-libs/coq/coq/_vc/Hacspec_Linalg.v | 296 --- proof-libs/coq/coq/_vc/Hacspec_Merlin.v | 88 - proof-libs/coq/coq/_vc/Hacspec_Ntru_Prime.v | 138 -- proof-libs/coq/coq/_vc/Hacspec_P256.v | 494 ----- proof-libs/coq/coq/_vc/Hacspec_Poly1305.v | 147 -- .../coq/coq/_vc/Hacspec_Riot_Bootloader.v | 184 -- .../coq/coq/_vc/Hacspec_Riot_Runqueue.v | 224 --- proof-libs/coq/coq/_vc/Hacspec_Ristretto.v | 700 ------- proof-libs/coq/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v | 70 - proof-libs/coq/coq/_vc/Hacspec_Rsa_Pkcs1.v | 121 -- proof-libs/coq/coq/_vc/Hacspec_Sha1.v | 205 -- proof-libs/coq/coq/_vc/Hacspec_Sha256.v | 305 --- proof-libs/coq/coq/_vc/Hacspec_Sha3.v | 357 ---- proof-libs/coq/coq/_vc/Hacspec_Sha512.v | 321 --- proof-libs/coq/coq/_vc/Pearlite_Example.v | 19 - proof-libs/coq/coq/_vc/Strobe.v | 305 --- proof-libs/coq/coq/_vc/Tls_Cryptolib.v | 673 ------- proof-libs/coq/coq/src/Hacspec_Aes.v | 720 ------- proof-libs/coq/coq/src/Hacspec_Aes128_Gcm.v | 126 -- proof-libs/coq/coq/src/Hacspec_Bip_340.v | 530 ----- proof-libs/coq/coq/src/Hacspec_Bls12_381.v | 772 ------- .../coq/coq/src/Hacspec_Bls12_381_Hash.v | 1754 ---------------- proof-libs/coq/coq/src/Hacspec_Chacha20.v | 223 --- .../coq/coq/src/Hacspec_Chacha20poly1305.v | 98 - proof-libs/coq/coq/src/Hacspec_Curve25519.v | 170 -- .../coq/coq/src/Hacspec_Ecdsa_P256_Sha256.v | 128 -- proof-libs/coq/coq/src/Hacspec_Ed25519.v | 690 ------- proof-libs/coq/coq/src/Hacspec_Edwards25519.v | 597 ------ .../coq/coq/src/Hacspec_Edwards25519_Ecvrf.v | 349 ---- .../coq/coq/src/Hacspec_Edwards25519_Hash.v | 504 ----- proof-libs/coq/coq/src/Hacspec_Gf128.v | 113 -- proof-libs/coq/coq/src/Hacspec_Gimli.v | 406 ---- proof-libs/coq/coq/src/Hacspec_Hkdf.v | 93 - proof-libs/coq/coq/src/Hacspec_Hmac.v | 178 -- proof-libs/coq/coq/src/Hacspec_Lib.v | 1783 ----------------- proof-libs/coq/coq/src/Hacspec_Linalg.v | 296 --- proof-libs/coq/coq/src/Hacspec_Merlin.v | 88 - proof-libs/coq/coq/src/Hacspec_Ntru_Prime.v | 138 -- proof-libs/coq/coq/src/Hacspec_P256.v | 494 ----- proof-libs/coq/coq/src/Hacspec_Poly1305.v | 147 -- .../coq/coq/src/Hacspec_Riot_Bootloader.v | 184 -- .../coq/coq/src/Hacspec_Riot_Runqueue.v | 224 --- proof-libs/coq/coq/src/Hacspec_Ristretto.v | 700 ------- proof-libs/coq/coq/src/Hacspec_Rsa_Fdh_Vrf.v | 70 - proof-libs/coq/coq/src/Hacspec_Rsa_Pkcs1.v | 121 -- proof-libs/coq/coq/src/Hacspec_Sha1.v | 205 -- proof-libs/coq/coq/src/Hacspec_Sha256.v | 305 --- proof-libs/coq/coq/src/Hacspec_Sha3.v | 357 ---- proof-libs/coq/coq/src/Hacspec_Sha512.v | 321 --- proof-libs/coq/coq/src/Pearlite_Example.v | 19 - proof-libs/coq/coq/src/Strobe.v | 305 --- proof-libs/coq/coq/src/Tls_Cryptolib.v | 673 ------- proof-libs/coq/coq/src/_vc/Hacspec_Aes.v | 714 ------- .../coq/coq/src/_vc/Hacspec_Aes128_Gcm.v | 124 -- .../coq/coq/src/_vc/Hacspec_Bls12_381.v | 763 ------- .../coq/coq/src/_vc/Hacspec_Bls12_381_Hash.v | 1752 ---------------- proof-libs/coq/coq/src/_vc/Hacspec_Chacha20.v | 222 -- .../coq/src/_vc/Hacspec_Chacha20poly1305.v | 97 - .../coq/coq/src/_vc/Hacspec_Curve25519.v | 169 -- .../coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v | 127 -- proof-libs/coq/coq/src/_vc/Hacspec_Ed25519.v | 619 ------ proof-libs/coq/coq/src/_vc/Hacspec_Gf128.v | 112 -- proof-libs/coq/coq/src/_vc/Hacspec_Gimli.v | 395 ---- proof-libs/coq/coq/src/_vc/Hacspec_Hkdf.v | 91 - proof-libs/coq/coq/src/_vc/Hacspec_Hmac.v | 177 -- proof-libs/coq/coq/src/_vc/Hacspec_Linalg.v | 64 - .../coq/coq/src/_vc/Hacspec_Ntru_Prime.v | 136 -- proof-libs/coq/coq/src/_vc/Hacspec_P256.v | 486 ----- proof-libs/coq/coq/src/_vc/Hacspec_Poly1305.v | 143 -- .../coq/coq/src/_vc/Hacspec_Riot_Bootloader.v | 180 -- .../coq/coq/src/_vc/Hacspec_Riot_Runqueue.v | 223 --- .../coq/coq/src/_vc/Hacspec_Rsa_Pkcs1.v | 112 -- proof-libs/coq/coq/src/_vc/Hacspec_Sha256.v | 304 --- proof-libs/coq/coq/src/_vc/Hacspec_Sha3.v | 350 ---- proof-libs/coq/coq/src/_vc/Hacspec_Sha512.v | 320 --- proof-libs/coq/coq/src/_vc/Tls_Cryptolib.v | 670 ------- 95 files changed, 34492 deletions(-) rename proof-libs/coq/{ => coq}/.gitignore (100%) delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Aes.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Aes128_Gcm.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Bip_340.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Bls12_381.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Bls12_381_Hash.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Chacha20.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Chacha20poly1305.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Coverage_Test.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Curve25519.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Ed25519.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Edwards25519.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Ecvrf.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Hash.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Gf128.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Gimli.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Hkdf.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Hmac.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Linalg.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Merlin.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Ntru_Prime.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_P256.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Poly1305.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Riot_Bootloader.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Riot_Runqueue.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Ristretto.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Rsa_Pkcs1.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Sha1.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Sha256.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Sha3.v delete mode 100644 proof-libs/coq/coq/_vc/Hacspec_Sha512.v delete mode 100644 proof-libs/coq/coq/_vc/Pearlite_Example.v delete mode 100644 proof-libs/coq/coq/_vc/Strobe.v delete mode 100644 proof-libs/coq/coq/_vc/Tls_Cryptolib.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Aes.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Aes128_Gcm.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Bip_340.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Bls12_381.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Bls12_381_Hash.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Chacha20.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Chacha20poly1305.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Curve25519.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Ecdsa_P256_Sha256.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Ed25519.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Edwards25519.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Edwards25519_Ecvrf.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Edwards25519_Hash.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Gf128.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Gimli.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Hkdf.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Hmac.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Lib.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Linalg.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Merlin.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Ntru_Prime.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_P256.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Poly1305.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Riot_Bootloader.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Riot_Runqueue.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Ristretto.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Rsa_Fdh_Vrf.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Rsa_Pkcs1.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Sha1.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Sha256.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Sha3.v delete mode 100644 proof-libs/coq/coq/src/Hacspec_Sha512.v delete mode 100644 proof-libs/coq/coq/src/Pearlite_Example.v delete mode 100644 proof-libs/coq/coq/src/Strobe.v delete mode 100644 proof-libs/coq/coq/src/Tls_Cryptolib.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Aes.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Aes128_Gcm.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381_Hash.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Chacha20.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Chacha20poly1305.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Curve25519.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Ed25519.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Gf128.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Gimli.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Hkdf.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Hmac.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Linalg.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Ntru_Prime.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_P256.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Poly1305.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Riot_Bootloader.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Riot_Runqueue.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Rsa_Pkcs1.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Sha256.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Sha3.v delete mode 100644 proof-libs/coq/coq/src/_vc/Hacspec_Sha512.v delete mode 100644 proof-libs/coq/coq/src/_vc/Tls_Cryptolib.v diff --git a/proof-libs/coq/.gitignore b/proof-libs/coq/coq/.gitignore similarity index 100% rename from proof-libs/coq/.gitignore rename to proof-libs/coq/coq/.gitignore diff --git a/proof-libs/coq/coq/_vc/Hacspec_Aes.v b/proof-libs/coq/coq/_vc/Hacspec_Aes.v deleted file mode 100644 index b87f94a3d..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Aes.v +++ /dev/null @@ -1,720 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition blocksize_v : uint_size := - usize 16. - -Definition ivsize_v : uint_size := - usize 12. - -Definition key_length_v : uint_size := - usize 4. - -Definition rounds_v : uint_size := - usize 10. - -Definition key_schedule_length_v : uint_size := - usize 176. - -Definition iterations_v : uint_size := - usize 40. - -Definition invalid_key_expansion_index_v : int8 := - @repr WORDSIZE8 1. - -Definition block_t := nseq (uint8) (blocksize_v). - -Definition word_t := nseq (uint8) (key_length_v). - -Definition round_key_t := nseq (uint8) (blocksize_v). - -Definition aes_nonce_t := nseq (uint8) (ivsize_v). - -Definition s_box_t := nseq (uint8) (usize 256). - -Definition r_con_t := nseq (uint8) (usize 15). - -Definition bytes144_t := nseq (uint8) (usize 144). - -Definition bytes176_t := nseq (uint8) (key_schedule_length_v). - -Definition key128_t := nseq (uint8) (blocksize_v). - -Notation "'byte_seq_result_t'" := ((result byte_seq int8)) : hacspec_scope. - -Notation "'block_result_t'" := ((result block_t int8)) : hacspec_scope. - -Notation "'word_result_t'" := ((result word_t int8)) : hacspec_scope. - -Definition sbox_v : s_box_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 123) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 197) : int8; - secret (@repr WORDSIZE8 48) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 103) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 215) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 202) : int8; - secret (@repr WORDSIZE8 130) : int8; - secret (@repr WORDSIZE8 201) : int8; - secret (@repr WORDSIZE8 125) : int8; - secret (@repr WORDSIZE8 250) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 71) : int8; - secret (@repr WORDSIZE8 240) : int8; - secret (@repr WORDSIZE8 173) : int8; - secret (@repr WORDSIZE8 212) : int8; - secret (@repr WORDSIZE8 162) : int8; - secret (@repr WORDSIZE8 175) : int8; - secret (@repr WORDSIZE8 156) : int8; - secret (@repr WORDSIZE8 164) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 192) : int8; - secret (@repr WORDSIZE8 183) : int8; - secret (@repr WORDSIZE8 253) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 38) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 63) : int8; - secret (@repr WORDSIZE8 247) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 52) : int8; - secret (@repr WORDSIZE8 165) : int8; - secret (@repr WORDSIZE8 229) : int8; - secret (@repr WORDSIZE8 241) : int8; - secret (@repr WORDSIZE8 113) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 21) : int8; - secret (@repr WORDSIZE8 4) : int8; - secret (@repr WORDSIZE8 199) : int8; - secret (@repr WORDSIZE8 35) : int8; - secret (@repr WORDSIZE8 195) : int8; - secret (@repr WORDSIZE8 24) : int8; - secret (@repr WORDSIZE8 150) : int8; - secret (@repr WORDSIZE8 5) : int8; - secret (@repr WORDSIZE8 154) : int8; - secret (@repr WORDSIZE8 7) : int8; - secret (@repr WORDSIZE8 18) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 178) : int8; - secret (@repr WORDSIZE8 117) : int8; - secret (@repr WORDSIZE8 9) : int8; - secret (@repr WORDSIZE8 131) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 110) : int8; - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 214) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 41) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 132) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 252) : int8; - secret (@repr WORDSIZE8 177) : int8; - secret (@repr WORDSIZE8 91) : int8; - secret (@repr WORDSIZE8 106) : int8; - secret (@repr WORDSIZE8 203) : int8; - secret (@repr WORDSIZE8 190) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 207) : int8; - secret (@repr WORDSIZE8 208) : int8; - secret (@repr WORDSIZE8 239) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 251) : int8; - secret (@repr WORDSIZE8 67) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 133) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 249) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 80) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 159) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 163) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 143) : int8; - secret (@repr WORDSIZE8 146) : int8; - secret (@repr WORDSIZE8 157) : int8; - secret (@repr WORDSIZE8 56) : int8; - secret (@repr WORDSIZE8 245) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 218) : int8; - secret (@repr WORDSIZE8 33) : int8; - secret (@repr WORDSIZE8 16) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 243) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 205) : int8; - secret (@repr WORDSIZE8 12) : int8; - secret (@repr WORDSIZE8 19) : int8; - secret (@repr WORDSIZE8 236) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 151) : int8; - secret (@repr WORDSIZE8 68) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 196) : int8; - secret (@repr WORDSIZE8 167) : int8; - secret (@repr WORDSIZE8 126) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 93) : int8; - secret (@repr WORDSIZE8 25) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 220) : int8; - secret (@repr WORDSIZE8 34) : int8; - secret (@repr WORDSIZE8 42) : int8; - secret (@repr WORDSIZE8 144) : int8; - secret (@repr WORDSIZE8 136) : int8; - secret (@repr WORDSIZE8 70) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 184) : int8; - secret (@repr WORDSIZE8 20) : int8; - secret (@repr WORDSIZE8 222) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 11) : int8; - secret (@repr WORDSIZE8 219) : int8; - secret (@repr WORDSIZE8 224) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 73) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 36) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 211) : int8; - secret (@repr WORDSIZE8 172) : int8; - secret (@repr WORDSIZE8 98) : int8; - secret (@repr WORDSIZE8 145) : int8; - secret (@repr WORDSIZE8 149) : int8; - secret (@repr WORDSIZE8 228) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 200) : int8; - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 109) : int8; - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 213) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 169) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 86) : int8; - secret (@repr WORDSIZE8 244) : int8; - secret (@repr WORDSIZE8 234) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 122) : int8; - secret (@repr WORDSIZE8 174) : int8; - secret (@repr WORDSIZE8 8) : int8; - secret (@repr WORDSIZE8 186) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 37) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 28) : int8; - secret (@repr WORDSIZE8 166) : int8; - secret (@repr WORDSIZE8 180) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 232) : int8; - secret (@repr WORDSIZE8 221) : int8; - secret (@repr WORDSIZE8 116) : int8; - secret (@repr WORDSIZE8 31) : int8; - secret (@repr WORDSIZE8 75) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 139) : int8; - secret (@repr WORDSIZE8 138) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 181) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 14) : int8; - secret (@repr WORDSIZE8 97) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 87) : int8; - secret (@repr WORDSIZE8 185) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 225) : int8; - secret (@repr WORDSIZE8 248) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 17) : int8; - secret (@repr WORDSIZE8 105) : int8; - secret (@repr WORDSIZE8 217) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 148) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 30) : int8; - secret (@repr WORDSIZE8 135) : int8; - secret (@repr WORDSIZE8 233) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 40) : int8; - secret (@repr WORDSIZE8 223) : int8; - secret (@repr WORDSIZE8 140) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 137) : int8; - secret (@repr WORDSIZE8 13) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 230) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 84) : int8; - secret (@repr WORDSIZE8 187) : int8; - secret (@repr WORDSIZE8 22) : int8 - ] in l). - -Definition rcon_v : r_con_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 4) : int8; - secret (@repr WORDSIZE8 8) : int8; - secret (@repr WORDSIZE8 16) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 77) : int8 - ] in l). - -Definition sub_bytes (state_150 : block_t) : block_t := - let st_151 : block_t := - state_150 in - let st_151 := - foldi (usize 0) (blocksize_v) (fun i_152 st_151 => - let st_151 := - array_upd st_151 (i_152) (array_index (sbox_v) (uint8_declassify ( - array_index (state_150) (i_152)))) in - (st_151)) - st_151 in - st_151. - -Definition shift_row - (i_153 : uint_size) - (shift_154 : uint_size) - (state_155 : block_t) - : block_t := - let out_156 : block_t := - state_155 in - let out_156 := - array_upd out_156 (i_153) (array_index (state_155) ((i_153) + ((usize 4) * ( - (shift_154) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 4)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 1)) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 8)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 2)) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 12)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 3)) %% (usize 4))))) in - out_156. - -Definition shift_rows (state_157 : block_t) : block_t := - let state_158 : block_t := - shift_row (usize 1) (usize 1) (state_157) in - let state_159 : block_t := - shift_row (usize 2) (usize 2) (state_158) in - shift_row (usize 3) (usize 3) (state_159). - -Definition xtime (x_160 : uint8) : uint8 := - let x1_161 : uint8 := - (x_160) shift_left (usize 1) in - let x7_162 : uint8 := - (x_160) shift_right (usize 7) in - let x71_163 : uint8 := - (x7_162) .& (secret (@repr WORDSIZE8 1) : int8) in - let x711b_164 : uint8 := - (x71_163) .* (secret (@repr WORDSIZE8 27) : int8) in - (x1_161) .^ (x711b_164). - -Definition mix_column (c_165 : uint_size) (state_166 : block_t) : block_t := - let i0_167 : uint_size := - (usize 4) * (c_165) in - let s0_168 : uint8 := - array_index (state_166) (i0_167) in - let s1_169 : uint8 := - array_index (state_166) ((i0_167) + (usize 1)) in - let s2_170 : uint8 := - array_index (state_166) ((i0_167) + (usize 2)) in - let s3_171 : uint8 := - array_index (state_166) ((i0_167) + (usize 3)) in - let st_172 : block_t := - state_166 in - let tmp_173 : uint8 := - (((s0_168) .^ (s1_169)) .^ (s2_170)) .^ (s3_171) in - let st_172 := - array_upd st_172 (i0_167) (((s0_168) .^ (tmp_173)) .^ (xtime ((s0_168) .^ ( - s1_169)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 1)) (((s1_169) .^ (tmp_173)) .^ (xtime ( - (s1_169) .^ (s2_170)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 2)) (((s2_170) .^ (tmp_173)) .^ (xtime ( - (s2_170) .^ (s3_171)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 3)) (((s3_171) .^ (tmp_173)) .^ (xtime ( - (s3_171) .^ (s0_168)))) in - st_172. - -Definition mix_columns (state_174 : block_t) : block_t := - let state_175 : block_t := - mix_column (usize 0) (state_174) in - let state_176 : block_t := - mix_column (usize 1) (state_175) in - let state_177 : block_t := - mix_column (usize 2) (state_176) in - mix_column (usize 3) (state_177). - -Definition add_round_key - (state_178 : block_t) - (key_179 : round_key_t) - : block_t := - let out_180 : block_t := - state_178 in - let out_180 := - foldi (usize 0) (blocksize_v) (fun i_181 out_180 => - let out_180 := - array_upd out_180 (i_181) ((array_index (out_180) (i_181)) .^ ( - array_index (key_179) (i_181))) in - (out_180)) - out_180 in - out_180. - -Definition aes_enc - (state_182 : block_t) - (round_key_183 : round_key_t) - : block_t := - let state_184 : block_t := - sub_bytes (state_182) in - let state_185 : block_t := - shift_rows (state_184) in - let state_186 : block_t := - mix_columns (state_185) in - add_round_key (state_186) (round_key_183). - -Definition aes_enc_last - (state_187 : block_t) - (round_key_188 : round_key_t) - : block_t := - let state_189 : block_t := - sub_bytes (state_187) in - let state_190 : block_t := - shift_rows (state_189) in - add_round_key (state_190) (round_key_188). - -Definition rounds_aes (state_191 : block_t) (key_192 : byte_seq) : block_t := - let out_193 : block_t := - state_191 in - let out_193 := - foldi (usize 0) (seq_num_chunks (key_192) ( - blocksize_v)) (fun i_194 out_193 => - let '(_, key_block_195) := - seq_get_chunk (key_192) (blocksize_v) (i_194) in - let out_193 := - aes_enc (out_193) (array_from_seq (blocksize_v) (key_block_195)) in - (out_193)) - out_193 in - out_193. - -Definition block_cipher_aes - (input_196 : block_t) - (key_197 : byte_seq) - (nr_198 : uint_size) - : block_t := - let k0_199 : round_key_t := - array_from_slice_range (default : uint8) (blocksize_v) (key_197) (( - usize 0, - usize 16 - )) in - let k_200 : seq uint8 := - seq_from_slice_range (key_197) ((usize 16, (nr_198) * (usize 16))) in - let kn_201 : round_key_t := - array_from_slice (default : uint8) (blocksize_v) (key_197) ((nr_198) * ( - usize 16)) (usize 16) in - let state_202 : block_t := - add_round_key (input_196) (k0_199) in - let state_203 : block_t := - rounds_aes (state_202) (k_200) in - aes_enc_last (state_203) (kn_201). - -Definition rotate_word (w_204 : word_t) : word_t := - array_from_list uint8 (let l := - [ - array_index (w_204) (usize 1); - array_index (w_204) (usize 2); - array_index (w_204) (usize 3); - array_index (w_204) (usize 0) - ] in l). - -Definition slice_word (w_205 : word_t) : word_t := - array_from_list uint8 (let l := - [ - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 0))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 1))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 2))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 3))) - ] in l). - -Definition aes_keygen_assist (w_206 : word_t) (rcon_207 : uint8) : word_t := - let k_208 : word_t := - rotate_word (w_206) in - let k_208 := - slice_word (k_208) in - let k_208 := - array_upd k_208 (usize 0) ((array_index (k_208) (usize 0)) .^ ( - rcon_207)) in - k_208. - -Definition key_expansion_word - (w0_209 : word_t) - (w1_210 : word_t) - (i_211 : uint_size) - (nk_212 : uint_size) - (nr_213 : uint_size) - : word_result_t := - let k_214 : word_t := - w1_210 in - let result_215 : (result word_t int8) := - @Err word_t int8 (invalid_key_expansion_index_v) in - let '(k_214, result_215) := - if (i_211) <.? ((usize 4) * ((nr_213) + (usize 1))):bool then (let '(k_214 - ) := - if ((i_211) %% (nk_212)) =.? (usize 0):bool then (let k_214 := - aes_keygen_assist (k_214) (array_index (rcon_v) ((i_211) / ( - nk_212))) in - (k_214)) else (let '(k_214) := - if ((nk_212) >.? (usize 6)) && (((i_211) %% (nk_212)) =.? ( - usize 4)):bool then (let k_214 := - slice_word (k_214) in - (k_214)) else ((k_214)) in - (k_214)) in - let k_214 := - foldi (usize 0) (usize 4) (fun i_216 k_214 => - let k_214 := - array_upd k_214 (i_216) ((array_index (k_214) (i_216)) .^ ( - array_index (w0_209) (i_216))) in - (k_214)) - k_214 in - let result_215 := - @Ok word_t int8 (k_214) in - (k_214, result_215)) else ((k_214, result_215)) in - result_215. - -Definition key_expansion_aes - (key_217 : byte_seq) - (nk_218 : uint_size) - (nr_219 : uint_size) - (key_schedule_length_220 : uint_size) - (key_length_221 : uint_size) - (iterations_222 : uint_size) - : byte_seq_result_t := - let key_ex_223 : seq uint8 := - seq_new_ (default : uint8) (key_schedule_length_220) in - let key_ex_223 := - seq_update_start (key_ex_223) (key_217) in - let word_size_224 : uint_size := - key_length_221 in - bind (foldibnd (usize 0) to ( - iterations_222) for key_ex_223 >> (fun j_225 key_ex_223 => - let i_226 : uint_size := - (j_225) + (word_size_224) in - bind (key_expansion_word (array_from_slice (default : uint8) ( - key_length_v) (key_ex_223) ((usize 4) * ((i_226) - (word_size_224))) ( - usize 4)) (array_from_slice (default : uint8) (key_length_v) ( - key_ex_223) (((usize 4) * (i_226)) - (usize 4)) (usize 4)) (i_226) ( - nk_218) (nr_219)) (fun word_227 => let key_ex_223 := - seq_update (key_ex_223) ((usize 4) * (i_226)) ( - array_to_seq (word_227)) in - @Ok (seq uint8) int8 ((key_ex_223))))) (fun key_ex_223 => - @Ok byte_seq int8 (key_ex_223)). - -Definition aes_encrypt_block - (k_228 : byte_seq) - (input_229 : block_t) - (nk_230 : uint_size) - (nr_231 : uint_size) - (key_schedule_length_232 : uint_size) - (key_length_233 : uint_size) - (iterations_234 : uint_size) - : block_result_t := - bind (key_expansion_aes (k_228) (nk_230) (nr_231) (key_schedule_length_232) ( - key_length_233) (iterations_234)) (fun key_ex_235 => @Ok block_t int8 ( - block_cipher_aes (input_229) (key_ex_235) (nr_231))). - -Definition aes128_encrypt_block - (k_236 : key128_t) - (input_237 : block_t) - : block_t := - result_unwrap (aes_encrypt_block (seq_from_seq (array_to_seq (k_236))) ( - input_237) (key_length_v) (rounds_v) (key_schedule_length_v) ( - key_length_v) (iterations_v)). - -Definition aes_ctr_key_block - (k_238 : byte_seq) - (n_239 : aes_nonce_t) - (c_240 : uint32) - (nk_241 : uint_size) - (nr_242 : uint_size) - (key_schedule_length_243 : uint_size) - (key_length_244 : uint_size) - (iterations_245 : uint_size) - : block_result_t := - let input_246 : block_t := - array_new_ (default : uint8) (blocksize_v) in - let input_246 := - array_update (input_246) (usize 0) (array_to_seq (n_239)) in - let input_246 := - array_update (input_246) (usize 12) (array_to_seq (uint32_to_be_bytes ( - c_240))) in - aes_encrypt_block (k_238) (input_246) (nk_241) (nr_242) ( - key_schedule_length_243) (key_length_244) (iterations_245). - -Definition xor_block - (block_247 : block_t) - (key_block_248 : block_t) - : block_t := - let out_249 : block_t := - block_247 in - let out_249 := - foldi (usize 0) (blocksize_v) (fun i_250 out_249 => - let out_249 := - array_upd out_249 (i_250) ((array_index (out_249) (i_250)) .^ ( - array_index (key_block_248) (i_250))) in - (out_249)) - out_249 in - out_249. - -Definition aes_counter_mode - (key_251 : byte_seq) - (nonce_252 : aes_nonce_t) - (counter_253 : uint32) - (msg_254 : byte_seq) - (nk_255 : uint_size) - (nr_256 : uint_size) - (key_schedule_length_257 : uint_size) - (key_length_258 : uint_size) - (iterations_259 : uint_size) - : byte_seq_result_t := - let ctr_260 : uint32 := - counter_253 in - let blocks_out_261 : seq uint8 := - seq_new_ (default : uint8) (seq_len (msg_254)) in - let n_blocks_262 : uint_size := - seq_num_exact_chunks (msg_254) (blocksize_v) in - bind (foldibnd (usize 0) to (n_blocks_262) for (ctr_260, blocks_out_261 - ) >> (fun i_263 '(ctr_260, blocks_out_261) => - let msg_block_264 : seq uint8 := - seq_get_exact_chunk (msg_254) (blocksize_v) (i_263) in - bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) (nr_256) ( - key_schedule_length_257) (key_length_258) (iterations_259)) ( - fun key_block_265 => let blocks_out_261 := - seq_set_chunk (blocks_out_261) (blocksize_v) (i_263) ( - array_to_seq (xor_block (array_from_seq (blocksize_v) ( - msg_block_264)) (key_block_265))) in - let ctr_260 := - (ctr_260) .+ (secret (@repr WORDSIZE32 1) : int32) in - @Ok (uint32 '× seq uint8) int8 ((ctr_260, blocks_out_261))))) (fun '( - ctr_260, - blocks_out_261 - ) => let last_block_266 : seq uint8 := - seq_get_remainder_chunk (msg_254) (blocksize_v) in - let last_block_len_267 : uint_size := - seq_len (last_block_266) in - ifbnd (last_block_len_267) !=.? (usize 0) : bool - thenbnd (let last_block_268 : block_t := - array_update_start (array_new_ (default : uint8) (blocksize_v)) ( - last_block_266) in - bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) ( - nr_256) (key_schedule_length_257) (key_length_258) (iterations_259)) ( - fun key_block_269 => let blocks_out_261 := - seq_set_chunk (blocks_out_261) (blocksize_v) (n_blocks_262) ( - array_slice_range (xor_block (last_block_268) (key_block_269)) (( - usize 0, - last_block_len_267 - ))) in - @Ok (seq uint8) int8 ((blocks_out_261)))) - else ((blocks_out_261)) >> (fun '(blocks_out_261) => - @Ok byte_seq int8 (blocks_out_261))). - -Definition aes128_encrypt - (key_270 : key128_t) - (nonce_271 : aes_nonce_t) - (counter_272 : uint32) - (msg_273 : byte_seq) - : byte_seq := - result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_270))) ( - nonce_271) (counter_272) (msg_273) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)). - -Definition aes128_decrypt - (key_274 : key128_t) - (nonce_275 : aes_nonce_t) - (counter_276 : uint32) - (ctxt_277 : byte_seq) - : byte_seq := - result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_274))) ( - nonce_275) (counter_276) (ctxt_277) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Aes128_Gcm.v b/proof-libs/coq/coq/_vc/Hacspec_Aes128_Gcm.v deleted file mode 100644 index 0d6395bc6..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Aes128_Gcm.v +++ /dev/null @@ -1,126 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Aes. - -Require Import Hacspec_Gf128. - -Notation "'aes_gcm_byte_seq_result_t'" := (( - result byte_seq int8)) : hacspec_scope. - -Definition invalid_tag_v : int8 := - @repr WORDSIZE8 1. - -Definition pad_aad_msg (aad_278 : byte_seq) (msg_279 : byte_seq) : byte_seq := - let laad_280 : uint_size := - seq_len (aad_278) in - let lmsg_281 : uint_size := - seq_len (msg_279) in - let pad_aad_282 : uint_size := - (if (((laad_280) %% (usize 16)) =.? (usize 0)):bool then (laad_280) else (( - laad_280) + ((usize 16) - ((laad_280) %% (usize 16))))) in - let pad_msg_283 : uint_size := - (if (((lmsg_281) %% (usize 16)) =.? (usize 0)):bool then (lmsg_281) else (( - lmsg_281) + ((usize 16) - ((lmsg_281) %% (usize 16))))) in - let padded_msg_284 : seq uint8 := - seq_new_ (default : uint8) (((pad_aad_282) + (pad_msg_283)) + ( - usize 16)) in - let padded_msg_284 := - seq_update (padded_msg_284) (usize 0) (aad_278) in - let padded_msg_284 := - seq_update (padded_msg_284) (pad_aad_282) (msg_279) in - let padded_msg_284 := - seq_update (padded_msg_284) ((pad_aad_282) + (pad_msg_283)) ( - array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( - laad_280)) : int64) .* (secret ( - @repr WORDSIZE64 8) : int64)))) in - let padded_msg_284 := - seq_update (padded_msg_284) (((pad_aad_282) + (pad_msg_283)) + (usize 8)) ( - array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( - lmsg_281)) : int64) .* (secret ( - @repr WORDSIZE64 8) : int64)))) in - padded_msg_284. - -Definition encrypt_aes - (key_285 : byte_seq) - (iv_286 : aes_nonce_t) - (aad_287 : byte_seq) - (msg_288 : byte_seq) - : (byte_seq '× gf128_tag_t) := - let iv0_289 : aes_nonce_t := - array_new_ (default : uint8) (_) in - let mac_key_290 : block_t := - result_unwrap (aes_ctr_key_block (key_285) (iv0_289) (secret ( - @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) in - let tag_mix_291 : block_t := - result_unwrap (aes_ctr_key_block (key_285) ((iv_286)) (secret ( - @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) in - let cipher_text_292 : seq uint8 := - aes128_encrypt (array_from_seq (_) (key_285)) (iv_286) (secret ( - @repr WORDSIZE32 2) : int32) (msg_288) in - let padded_msg_293 : seq uint8 := - pad_aad_msg (aad_287) (cipher_text_292) in - let tag_294 : gf128_tag_t := - gmac (padded_msg_293) (array_from_seq (_) (array_to_seq (mac_key_290))) in - let tag_295 : block_t := - xor_block (array_from_seq (_) (array_to_seq (tag_294))) (tag_mix_291) in - (cipher_text_292, array_from_seq (_) (array_to_seq (tag_295))). - -Definition encrypt_aes128 - (key_296 : key128_t) - (iv_297 : aes_nonce_t) - (aad_298 : byte_seq) - (msg_299 : byte_seq) - : (byte_seq '× gf128_tag_t) := - encrypt_aes (seq_from_seq (array_to_seq (key_296))) (iv_297) (aad_298) ( - msg_299). - -Definition decrypt_aes - (key_300 : byte_seq) - (iv_301 : aes_nonce_t) - (aad_302 : byte_seq) - (cipher_text_303 : byte_seq) - (tag_304 : gf128_tag_t) - : aes_gcm_byte_seq_result_t := - let iv0_305 : aes_nonce_t := - array_new_ (default : uint8) (_) in - bind (aes_ctr_key_block (key_300) (iv0_305) (secret ( - @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) (fun mac_key_306 => - bind (aes_ctr_key_block (key_300) ((iv_301)) (secret ( - @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) ( - fun tag_mix_307 => let padded_msg_308 : seq uint8 := - pad_aad_msg (aad_302) (cipher_text_303) in - let my_tag_309 : gf128_tag_t := - gmac (padded_msg_308) (array_from_seq (_) ( - array_to_seq (mac_key_306))) in - let my_tag_310 : block_t := - xor_block (array_from_seq (_) (array_to_seq (my_tag_309))) ( - tag_mix_307) in - let ptxt_311 : seq uint8 := - aes128_decrypt (array_from_seq (_) (key_300)) (iv_301) (secret ( - @repr WORDSIZE32 2) : int32) (cipher_text_303) in - (if (array_declassify_eq (my_tag_310) (array_from_seq (_) ( - array_to_seq (tag_304)))):bool then (@Ok byte_seq int8 ( - ptxt_311)) else (@Err byte_seq int8 (invalid_tag_v))))). - -Definition decrypt_aes128 - (key_312 : key128_t) - (iv_313 : aes_nonce_t) - (aad_314 : byte_seq) - (cipher_text_315 : byte_seq) - (tag_316 : gf128_tag_t) - : aes_gcm_byte_seq_result_t := - decrypt_aes (seq_from_seq (array_to_seq (key_312))) (iv_313) (aad_314) ( - cipher_text_315) (tag_316). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Bip_340.v b/proof-libs/coq/coq/_vc/Hacspec_Bip_340.v deleted file mode 100644 index 461143d44..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Bip_340.v +++ /dev/null @@ -1,530 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Inductive error_t := -| InvalidSecretKey : error_t -| InvalidNonceGenerated : error_t -| InvalidPublicKey : error_t -| InvalidXCoordinate : error_t -| InvalidSignature : error_t. - -Definition eqb_error_t (x y : error_t) : bool := -match x with - | InvalidSecretKey => match y with | InvalidSecretKey=> true | _ => false end - | InvalidNonceGenerated => - match y with - | InvalidNonceGenerated=> true - | _ => false - end - | InvalidPublicKey => match y with | InvalidPublicKey=> true | _ => false end - | InvalidXCoordinate => - match y with - | InvalidXCoordinate=> true - | _ => false - end - | InvalidSignature => match y with | InvalidSignature=> true | _ => false end - end. - -Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_error_t : EqDec (error_t) := -Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). - - -Definition field_canvas_t := nseq (int8) (32). -Definition field_element_t := - nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141. - -Definition big_integer_t := nat_mod pow2 256. - -Notation "'affine_point_t'" := ((field_element_t '× field_element_t -)) : hacspec_scope. - -Definition p_bytes32_t := nseq (int8) (usize 32). - -Inductive point_t := -| Affine : affine_point_t -> point_t -| AtInfinity : point_t. - -Definition finite (p_2555 : point_t) : (option affine_point_t) := - match p_2555 with - | Affine (p_2556) => some (p_2556) - | AtInfinity => @None affine_point_t - end. - -Definition x (p_2557 : affine_point_t) : field_element_t := - let '(x_2558, _) := - p_2557 in - x_2558. - -Definition y (p_2559 : affine_point_t) : field_element_t := - let '(_, y_2560) := - p_2559 in - y_2560. - -Definition has_even_y (p_2561 : affine_point_t) : bool := - ((y (p_2561)) rem (nat_mod_two )) =.? (nat_mod_zero ). - -Definition sqrt (y_2562 : field_element_t) : (option field_element_t) := - let p1_4_2563 : field_element_t := - nat_mod_from_public_byte_seq_be (array_from_list int8 (let l := - [ - @repr WORDSIZE8 63; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 191; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 12 - ] in l)) in - let x_2564 : field_element_t := - nat_mod_pow_self (y_2562) (p1_4_2563) in - (if ((nat_mod_pow_self (x_2564) (nat_mod_two )) =.? (y_2562)):bool then ( - some (x_2564)) else (@None field_element_t)). - -Definition lift_x - (x_2565 : field_element_t) - : (result affine_point_t error_t) := - let one_2566 : field_element_t := - nat_mod_one in - let two_2567 : field_element_t := - nat_mod_two in - let three_2568 : field_element_t := - nat_mod_from_literal ( - 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( - @repr WORDSIZE128 3) : field_element_t in - let seven_2569 : field_element_t := - nat_mod_from_literal ( - 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( - @repr WORDSIZE128 7) : field_element_t in - let y_sq_2570 : field_element_t := - (nat_mod_pow_self (x_2565) (three_2568)) +% (seven_2569) in - bind (option_ok_or (sqrt (y_sq_2570)) (InvalidXCoordinate)) (fun y_2571 => - let '(y_2571) := - if ((y_2571) rem (two_2567)) =.? (one_2566):bool then (let y_2571 := - (nat_mod_zero ) -% (y_2571) in - (y_2571)) else ((y_2571)) in - @Ok affine_point_t error_t ((x_2565, y_2571))). - -Definition compute_lam - (p1_2572 : affine_point_t) - (p2_2573 : affine_point_t) - : field_element_t := - let three_2574 : field_element_t := - nat_mod_from_literal ( - 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( - @repr WORDSIZE128 3) : field_element_t in - (if ((p1_2572) !=.? (p2_2573)):bool then (((y (p2_2573)) -% (y ( - p1_2572))) *% (nat_mod_pow_self ((x (p2_2573)) -% (x (p1_2572))) (( - nat_mod_zero ) -% (nat_mod_two )))) else ((((three_2574) *% (x ( - p1_2572))) *% (x (p1_2572))) *% (nat_mod_pow_self (( - nat_mod_two ) *% (y (p1_2572))) ((nat_mod_zero ) -% ( - nat_mod_two ))))). - -Definition point_add (p1_2575 : point_t) (p2_2576 : point_t) : point_t := - let result_2577 : point_t := - AtInfinity in - let '(result_2577) := - if option_is_none (finite (p1_2575)):bool then (let result_2577 := - p2_2576 in - (result_2577)) else (let '(result_2577) := - if option_is_none (finite (p2_2576)):bool then (let result_2577 := - p1_2575 in - (result_2577)) else (let p1_2578 : ( - field_element_t '× - field_element_t - ) := - option_unwrap (finite (p1_2575)) in - let p2_2579 : (field_element_t '× field_element_t) := - option_unwrap (finite (p2_2576)) in - let '(result_2577) := - if negb (((x (p1_2578)) =.? (x (p2_2579))) && ((y (p1_2578)) !=.? ( - y (p2_2579)))):bool then (let lam_2580 : field_element_t := - compute_lam (p1_2578) (p2_2579) in - let x3_2581 : field_element_t := - (((lam_2580) *% (lam_2580)) -% (x (p1_2578))) -% (x ( - p2_2579)) in - let result_2577 := - Affine (( - x3_2581, - ((lam_2580) *% ((x (p1_2578)) -% (x3_2581))) -% (y ( - p1_2578)) - )) in - (result_2577)) else ((result_2577)) in - (result_2577)) in - (result_2577)) in - result_2577. - -Definition point_mul (s_2582 : scalar_t) (p_2583 : point_t) : point_t := - let p_2584 : point_t := - p_2583 in - let q_2585 : point_t := - AtInfinity in - let '(p_2584, q_2585) := - foldi (usize 0) (usize 256) (fun i_2586 '(p_2584, q_2585) => - let '(q_2585) := - if nat_mod_bit (s_2582) (i_2586):bool then (let q_2585 := - point_add (q_2585) (p_2584) in - (q_2585)) else ((q_2585)) in - let p_2584 := - point_add (p_2584) (p_2584) in - (p_2584, q_2585)) - (p_2584, q_2585) in - q_2585. - -Definition point_mul_base (s_2587 : scalar_t) : point_t := - let gx_2588 : p_bytes32_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 121; - @repr WORDSIZE8 190; - @repr WORDSIZE8 102; - @repr WORDSIZE8 126; - @repr WORDSIZE8 249; - @repr WORDSIZE8 220; - @repr WORDSIZE8 187; - @repr WORDSIZE8 172; - @repr WORDSIZE8 85; - @repr WORDSIZE8 160; - @repr WORDSIZE8 98; - @repr WORDSIZE8 149; - @repr WORDSIZE8 206; - @repr WORDSIZE8 135; - @repr WORDSIZE8 11; - @repr WORDSIZE8 7; - @repr WORDSIZE8 2; - @repr WORDSIZE8 155; - @repr WORDSIZE8 252; - @repr WORDSIZE8 219; - @repr WORDSIZE8 45; - @repr WORDSIZE8 206; - @repr WORDSIZE8 40; - @repr WORDSIZE8 217; - @repr WORDSIZE8 89; - @repr WORDSIZE8 242; - @repr WORDSIZE8 129; - @repr WORDSIZE8 91; - @repr WORDSIZE8 22; - @repr WORDSIZE8 248; - @repr WORDSIZE8 23; - @repr WORDSIZE8 152 - ] in l) in - let gy_2589 : p_bytes32_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 72; - @repr WORDSIZE8 58; - @repr WORDSIZE8 218; - @repr WORDSIZE8 119; - @repr WORDSIZE8 38; - @repr WORDSIZE8 163; - @repr WORDSIZE8 196; - @repr WORDSIZE8 101; - @repr WORDSIZE8 93; - @repr WORDSIZE8 164; - @repr WORDSIZE8 251; - @repr WORDSIZE8 252; - @repr WORDSIZE8 14; - @repr WORDSIZE8 17; - @repr WORDSIZE8 8; - @repr WORDSIZE8 168; - @repr WORDSIZE8 253; - @repr WORDSIZE8 23; - @repr WORDSIZE8 180; - @repr WORDSIZE8 72; - @repr WORDSIZE8 166; - @repr WORDSIZE8 133; - @repr WORDSIZE8 84; - @repr WORDSIZE8 25; - @repr WORDSIZE8 156; - @repr WORDSIZE8 71; - @repr WORDSIZE8 208; - @repr WORDSIZE8 143; - @repr WORDSIZE8 251; - @repr WORDSIZE8 16; - @repr WORDSIZE8 212; - @repr WORDSIZE8 184 - ] in l) in - let g_2590 : point_t := - Affine (( - nat_mod_from_public_byte_seq_be (gx_2588), - nat_mod_from_public_byte_seq_be (gy_2589) - )) in - point_mul (s_2587) (g_2590). - -Definition bytes32_t := nseq (uint8) (usize 32). - -Notation "'secret_key_t'" := (bytes32_t) : hacspec_scope. - -Notation "'public_key_t'" := (bytes32_t) : hacspec_scope. - -Notation "'message_t'" := (bytes32_t) : hacspec_scope. - -Notation "'aux_rand_t'" := (bytes32_t) : hacspec_scope. - -Definition signature_t := nseq (uint8) (usize 64). - -Definition tagged_hash - (tag_2591 : public_byte_seq) - (msg_2592 : byte_seq) - : bytes32_t := - let tag_hash_2593 : seq uint8 := - array_to_be_bytes (sha256 (seq_from_public_seq (tag_2591))) in - let hash_2594 : sha256_digest_t := - sha256 (seq_concat (seq_concat (tag_hash_2593) (tag_hash_2593)) ( - msg_2592)) in - array_from_seq (32) (array_to_seq (hash_2594)). - -Definition tagged_hash_aux_prefix_t := nseq (int8) (usize 11). - -Definition bip0340_aux_v : tagged_hash_aux_prefix_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 66; - @repr WORDSIZE8 73; - @repr WORDSIZE8 80; - @repr WORDSIZE8 48; - @repr WORDSIZE8 51; - @repr WORDSIZE8 52; - @repr WORDSIZE8 48; - @repr WORDSIZE8 47; - @repr WORDSIZE8 97; - @repr WORDSIZE8 117; - @repr WORDSIZE8 120 - ] in l). - -Definition hash_aux (aux_rand_2595 : aux_rand_t) : bytes32_t := - tagged_hash (seq_from_seq (array_to_seq (bip0340_aux_v))) (seq_from_seq ( - aux_rand_2595)). - -Definition tagged_hash_nonce_prefix_t := nseq (int8) (usize 13). - -Definition bip0340_nonce_v : tagged_hash_nonce_prefix_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 66; - @repr WORDSIZE8 73; - @repr WORDSIZE8 80; - @repr WORDSIZE8 48; - @repr WORDSIZE8 51; - @repr WORDSIZE8 52; - @repr WORDSIZE8 48; - @repr WORDSIZE8 47; - @repr WORDSIZE8 110; - @repr WORDSIZE8 111; - @repr WORDSIZE8 110; - @repr WORDSIZE8 99; - @repr WORDSIZE8 101 - ] in l). - -Definition hash_nonce - (rand_2596 : bytes32_t) - (pubkey_2597 : bytes32_t) - (msg_2598 : message_t) - : bytes32_t := - let c_2599 : byte_seq := - seq_concat (seq_concat (seq_from_seq (array_to_seq (rand_2596))) ( - array_to_seq (pubkey_2597))) (msg_2598) in - tagged_hash (seq_from_seq (array_to_seq (bip0340_nonce_v))) (c_2599). - -Definition tagged_hash_challenge_prefix_t := nseq (int8) (usize 17). - -Definition bip0340_challenge_v : tagged_hash_challenge_prefix_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 66; - @repr WORDSIZE8 73; - @repr WORDSIZE8 80; - @repr WORDSIZE8 48; - @repr WORDSIZE8 51; - @repr WORDSIZE8 52; - @repr WORDSIZE8 48; - @repr WORDSIZE8 47; - @repr WORDSIZE8 99; - @repr WORDSIZE8 104; - @repr WORDSIZE8 97; - @repr WORDSIZE8 108; - @repr WORDSIZE8 108; - @repr WORDSIZE8 101; - @repr WORDSIZE8 110; - @repr WORDSIZE8 103; - @repr WORDSIZE8 101 - ] in l). - -Definition hash_challenge - (rx_2600 : bytes32_t) - (pubkey_2601 : bytes32_t) - (msg_2602 : bytes32_t) - : bytes32_t := - let c_2603 : byte_seq := - seq_concat (seq_concat (seq_from_seq (array_to_seq (rx_2600))) ( - array_to_seq (pubkey_2601))) (array_to_seq (msg_2602)) in - tagged_hash (seq_from_seq (array_to_seq (bip0340_challenge_v))) (c_2603). - -Definition bytes_from_point (p_2604 : affine_point_t) : bytes32_t := - let '(x_2605, _) := - p_2604 in - array_from_seq (32) (nat_mod_to_byte_seq_be (x_2605)). - -Definition bytes_from_scalar (x_2606 : scalar_t) : bytes32_t := - array_from_seq (32) (nat_mod_to_byte_seq_be (x_2606)). - -Definition scalar_from_bytes (b_2607 : bytes32_t) : scalar_t := - nat_mod_from_byte_seq_be (array_to_seq (b_2607)) : scalar_t. - -Definition scalar_from_bytes_strict (b_2608 : bytes32_t) : (option scalar_t) := - let s_2609 : big_integer_t := - nat_mod_from_byte_seq_be (array_to_seq (b_2608)) : big_integer_t in - let max_scalar_2610 : big_integer_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - nat_mod_max_val )) : big_integer_t in - (if ((s_2609) >.? (max_scalar_2610)):bool then (@None scalar_t) else ( - @Some scalar_t (nat_mod_from_byte_seq_be ( - array_to_seq (b_2608)) : scalar_t))). - -Definition seckey_scalar_from_bytes (b_2611 : bytes32_t) : (option scalar_t) := - bind (scalar_from_bytes_strict (b_2611)) (fun s_2612 => (if ((s_2612) =.? ( - nat_mod_zero )):bool then (@None scalar_t) else (@Some scalar_t ( - s_2612)))). - -Definition fieldelem_from_bytes - (b_2613 : public_key_t) - : (option field_element_t) := - let s_2614 : big_integer_t := - nat_mod_from_byte_seq_be (b_2613) : big_integer_t in - let max_fe_2615 : big_integer_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - nat_mod_max_val )) : big_integer_t in - (if ((s_2614) >.? (max_fe_2615)):bool then (@None field_element_t) else ( - @Some field_element_t (nat_mod_from_byte_seq_be ( - b_2613) : field_element_t))). - -Definition xor_bytes (b0_2616 : bytes32_t) (b1_2617 : bytes32_t) : bytes32_t := - let b_2618 : seq uint8 := - seq_new_ (default : uint8) (array_len (b0_2616)) in - let b_2618 := - foldi (usize 0) (array_len (b0_2616)) (fun i_2619 b_2618 => - let b_2618 := - seq_upd b_2618 (i_2619) ((array_index (b0_2616) (i_2619)) .^ ( - array_index (b1_2617) (i_2619))) in - (b_2618)) - b_2618 in - array_from_seq (32) (b_2618). - -Notation "'pubkey_gen_result_t'" := (( - result public_key_t error_t)) : hacspec_scope. - -Definition pubkey_gen (seckey_2620 : secret_key_t) : pubkey_gen_result_t := - bind (option_ok_or (seckey_scalar_from_bytes (seckey_2620)) ( - InvalidSecretKey)) (fun d0_2621 => let p_2622 : ( - field_element_t '× - field_element_t - ) := - option_unwrap (finite (point_mul_base (d0_2621))) in - @Ok public_key_t error_t (bytes_from_point (p_2622))). - -Notation "'sign_result_t'" := ((result signature_t error_t)) : hacspec_scope. - -Definition sign - (msg_2623 : message_t) - (seckey_2624 : secret_key_t) - (aux_rand_2625 : aux_rand_t) - : sign_result_t := - bind (option_ok_or (seckey_scalar_from_bytes (seckey_2624)) ( - InvalidSecretKey)) (fun d0_2626 => let p_2627 : ( - field_element_t '× - field_element_t - ) := - option_unwrap (finite (point_mul_base (d0_2626))) in - let d_2628 : scalar_t := - (if (has_even_y (p_2627)):bool then (d0_2626) else ((nat_mod_zero ) -% ( - d0_2626))) in - let t_2629 : bytes32_t := - xor_bytes (bytes_from_scalar (d_2628)) (hash_aux (aux_rand_2625)) in - let k0_2630 : scalar_t := - scalar_from_bytes (hash_nonce (t_2629) (bytes_from_point (p_2627)) ( - msg_2623)) in - ifbnd (k0_2630) =.? (nat_mod_zero ) : bool - thenbnd (bind (@Err signature_t error_t (InvalidNonceGenerated)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let r_2631 : (field_element_t '× field_element_t) := - option_unwrap (finite (point_mul_base (k0_2630))) in - let k_2632 : scalar_t := - (if (has_even_y (r_2631)):bool then (k0_2630) else ((nat_mod_zero ) -% ( - k0_2630))) in - let e_2633 : scalar_t := - scalar_from_bytes (hash_challenge (bytes_from_point (r_2631)) ( - bytes_from_point (p_2627)) (msg_2623)) in - let sig_2634 : signature_t := - array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( - array_to_seq (bytes_from_point (r_2631)))) (usize 32) ( - array_to_seq (bytes_from_scalar ((k_2632) +% ((e_2633) *% ( - d_2628))))) in - bind (verify (msg_2623) (bytes_from_point (p_2627)) (sig_2634)) (fun _ => - @Ok signature_t error_t (sig_2634)))). - -Notation "'verification_result_t'" := ((result unit error_t)) : hacspec_scope. - -Definition verify - (msg_2635 : message_t) - (pubkey_2636 : public_key_t) - (sig_2637 : signature_t) - : verification_result_t := - bind (option_ok_or (fieldelem_from_bytes (pubkey_2636)) (InvalidPublicKey)) ( - fun p_x_2638 => bind (lift_x (p_x_2638)) (fun p_2639 => bind (option_ok_or ( - fieldelem_from_bytes (array_from_slice (default : uint8) (32) ( - array_to_seq (sig_2637)) (usize 0) (usize 32))) ( - InvalidSignature)) (fun r_2640 => bind (option_ok_or ( - scalar_from_bytes_strict (array_from_slice (default : uint8) (32) ( - array_to_seq (sig_2637)) (usize 32) (usize 32))) ( - InvalidSignature)) (fun s_2641 => let e_2642 : scalar_t := - scalar_from_bytes (hash_challenge (array_from_slice ( - default : uint8) (32) (array_to_seq (sig_2637)) (usize 0) ( - usize 32)) (bytes_from_point (p_2639)) (msg_2635)) in - bind (option_ok_or (finite (point_add (point_mul_base (s_2641)) ( - point_mul ((nat_mod_zero ) -% (e_2642)) (Affine (p_2639))))) ( - InvalidSignature)) (fun r_p_2643 => (if ((negb (has_even_y ( - r_p_2643))) || ((x (r_p_2643)) !=.? (r_2640))):bool then ( - @Err unit error_t (InvalidSignature)) else (@Ok unit error_t ( - tt)))))))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Bls12_381.v b/proof-libs/coq/coq/_vc/Hacspec_Bls12_381.v deleted file mode 100644 index 93170a691..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Bls12_381.v +++ /dev/null @@ -1,772 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -From QuickChick Require Import QuickChick. -Require Import QuickChickLib. -Require Import Hacspec_Lib. - -Definition fp_canvas_t := nseq (int8) (48). -Definition fp_t := - nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. -Instance show_fp_t : Show (fp_t) := Build_Show (fp_t) (fun x => show (GZnZ.val _ x)). -Definition g_fp_t : G (fp_t) := @bindGen Z (fp_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). -Instance gen_fp_t : Gen (fp_t) := Build_Gen fp_t g_fp_t. - - -Definition serialized_fp_t := nseq (uint8) (usize 48). - -Definition array_fp_t := nseq (uint64) (usize 6). - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. -Instance show_scalar_t : Show (scalar_t) := Build_Show (scalar_t) (fun x => show (GZnZ.val _ x)). -Definition g_scalar_t : G (scalar_t) := @bindGen Z (scalar_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). -Instance gen_scalar_t : Gen (scalar_t) := Build_Gen scalar_t g_scalar_t. - - -Notation "'g1_t'" := ((fp_t '× fp_t '× bool)) : hacspec_scope. -Instance show_g1_t : Show (g1_t) := -Build_Show g1_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_g1_t : G (g1_t) := -bindGen arbitrary (fun x0 : fp_t => - bindGen arbitrary (fun x1 : fp_t => - bindGen arbitrary (fun x2 : bool => - returnGen (x0,x1,x2)))). -Instance gen_g1_t : Gen (g1_t) := Build_Gen g1_t g_g1_t. - - -Notation "'fp2_t'" := ((fp_t '× fp_t)) : hacspec_scope. -Instance show_fp2_t : Show (fp2_t) := -Build_Show fp2_t (fun x => - let (x, x0) := x in - (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. -Definition g_fp2_t : G (fp2_t) := -bindGen arbitrary (fun x0 : fp_t => - bindGen arbitrary (fun x1 : fp_t => - returnGen (x0,x1))). -Instance gen_fp2_t : Gen (fp2_t) := Build_Gen fp2_t g_fp2_t. - - -Notation "'g2_t'" := ((fp2_t '× fp2_t '× bool)) : hacspec_scope. -Instance show_g2_t : Show (g2_t) := -Build_Show g2_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_g2_t : G (g2_t) := -bindGen arbitrary (fun x0 : fp2_t => - bindGen arbitrary (fun x1 : fp2_t => - bindGen arbitrary (fun x2 : bool => - returnGen (x0,x1,x2)))). -Instance gen_g2_t : Gen (g2_t) := Build_Gen g2_t g_g2_t. - - -Notation "'fp6_t'" := ((fp2_t '× fp2_t '× fp2_t)) : hacspec_scope. -Instance show_fp6_t : Show (fp6_t) := -Build_Show fp6_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_fp6_t : G (fp6_t) := -bindGen arbitrary (fun x0 : fp2_t => - bindGen arbitrary (fun x1 : fp2_t => - bindGen arbitrary (fun x2 : fp2_t => - returnGen (x0,x1,x2)))). -Instance gen_fp6_t : Gen (fp6_t) := Build_Gen fp6_t g_fp6_t. - - -Notation "'fp12_t'" := ((fp6_t '× fp6_t)) : hacspec_scope. -Instance show_fp12_t : Show (fp12_t) := -Build_Show fp12_t (fun x => - let (x, x0) := x in - (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. -Definition g_fp12_t : G (fp12_t) := -bindGen arbitrary (fun x0 : fp6_t => - bindGen arbitrary (fun x1 : fp6_t => - returnGen (x0,x1))). -Instance gen_fp12_t : Gen (fp12_t) := Build_Gen fp12_t g_fp12_t. - - -Definition fp2fromfp (n_1405 : fp_t) : fp2_t := - (n_1405, nat_mod_zero ). - -Definition fp2zero : fp2_t := - fp2fromfp (nat_mod_zero ). - -Definition fp2neg (n_1406 : fp2_t) : fp2_t := - let '(n1_1407, n2_1408) := - n_1406 in - ((nat_mod_zero ) -% (n1_1407), (nat_mod_zero ) -% (n2_1408)). - -Definition fp2add (n_1409 : fp2_t) (m_1410 : fp2_t) : fp2_t := - let '(n1_1411, n2_1412) := - n_1409 in - let '(m1_1413, m2_1414) := - m_1410 in - ((n1_1411) +% (m1_1413), (n2_1412) +% (m2_1414)). - -Definition fp2sub (n_1415 : fp2_t) (m_1416 : fp2_t) : fp2_t := - fp2add (n_1415) (fp2neg (m_1416)). - -Definition fp2mul (n_1417 : fp2_t) (m_1418 : fp2_t) : fp2_t := - let '(n1_1419, n2_1420) := - n_1417 in - let '(m1_1421, m2_1422) := - m_1418 in - let x1_1423 : fp_t := - ((n1_1419) *% (m1_1421)) -% ((n2_1420) *% (m2_1422)) in - let x2_1424 : fp_t := - ((n1_1419) *% (m2_1422)) +% ((n2_1420) *% (m1_1421)) in - (x1_1423, x2_1424). - -Definition fp2inv (n_1425 : fp2_t) : fp2_t := - let '(n1_1426, n2_1427) := - n_1425 in - let t0_1428 : fp_t := - ((n1_1426) *% (n1_1426)) +% ((n2_1427) *% (n2_1427)) in - let t1_1429 : fp_t := - nat_mod_inv (t0_1428) in - let x1_1430 : fp_t := - (n1_1426) *% (t1_1429) in - let x2_1431 : fp_t := - (nat_mod_zero ) -% ((n2_1427) *% (t1_1429)) in - (x1_1430, x2_1431). - -Definition fp2conjugate (n_1432 : fp2_t) : fp2_t := - let '(n1_1433, n2_1434) := - n_1432 in - (n1_1433, (nat_mod_zero ) -% (n2_1434)). - -Definition fp6fromfp2 (n_1435 : fp2_t) : fp6_t := - (n_1435, fp2zero , fp2zero ). - -Definition fp6zero : fp6_t := - fp6fromfp2 (fp2zero ). - -Definition fp6neg (n_1436 : fp6_t) : fp6_t := - let '(n1_1437, n2_1438, n3_1439) := - n_1436 in - ( - fp2sub (fp2zero ) (n1_1437), - fp2sub (fp2zero ) (n2_1438), - fp2sub (fp2zero ) (n3_1439) - ). - -Definition fp6add (n_1440 : fp6_t) (m_1441 : fp6_t) : fp6_t := - let '(n1_1442, n2_1443, n3_1444) := - n_1440 in - let '(m1_1445, m2_1446, m3_1447) := - m_1441 in - ( - fp2add (n1_1442) (m1_1445), - fp2add (n2_1443) (m2_1446), - fp2add (n3_1444) (m3_1447) - ). - -Definition fp6sub (n_1448 : fp6_t) (m_1449 : fp6_t) : fp6_t := - fp6add (n_1448) (fp6neg (m_1449)). - -Definition fp6mul (n_1450 : fp6_t) (m_1451 : fp6_t) : fp6_t := - let '(n1_1452, n2_1453, n3_1454) := - n_1450 in - let '(m1_1455, m2_1456, m3_1457) := - m_1451 in - let eps_1458 : (fp_t '× fp_t) := - (nat_mod_one , nat_mod_one ) in - let t1_1459 : (fp_t '× fp_t) := - fp2mul (n1_1452) (m1_1455) in - let t2_1460 : (fp_t '× fp_t) := - fp2mul (n2_1453) (m2_1456) in - let t3_1461 : (fp_t '× fp_t) := - fp2mul (n3_1454) (m3_1457) in - let t4_1462 : (fp_t '× fp_t) := - fp2mul (fp2add (n2_1453) (n3_1454)) (fp2add (m2_1456) (m3_1457)) in - let t5_1463 : (fp_t '× fp_t) := - fp2sub (fp2sub (t4_1462) (t2_1460)) (t3_1461) in - let x_1464 : (fp_t '× fp_t) := - fp2add (fp2mul (t5_1463) (eps_1458)) (t1_1459) in - let t4_1465 : (fp_t '× fp_t) := - fp2mul (fp2add (n1_1452) (n2_1453)) (fp2add (m1_1455) (m2_1456)) in - let t5_1466 : (fp_t '× fp_t) := - fp2sub (fp2sub (t4_1465) (t1_1459)) (t2_1460) in - let y_1467 : (fp_t '× fp_t) := - fp2add (t5_1466) (fp2mul (eps_1458) (t3_1461)) in - let t4_1468 : (fp_t '× fp_t) := - fp2mul (fp2add (n1_1452) (n3_1454)) (fp2add (m1_1455) (m3_1457)) in - let t5_1469 : (fp_t '× fp_t) := - fp2sub (fp2sub (t4_1468) (t1_1459)) (t3_1461) in - let z_1470 : (fp_t '× fp_t) := - fp2add (t5_1469) (t2_1460) in - (x_1464, y_1467, z_1470). - -Definition fp6inv (n_1471 : fp6_t) : fp6_t := - let '(n1_1472, n2_1473, n3_1474) := - n_1471 in - let eps_1475 : (fp_t '× fp_t) := - (nat_mod_one , nat_mod_one ) in - let t1_1476 : (fp_t '× fp_t) := - fp2mul (n1_1472) (n1_1472) in - let t2_1477 : (fp_t '× fp_t) := - fp2mul (n2_1473) (n2_1473) in - let t3_1478 : (fp_t '× fp_t) := - fp2mul (n3_1474) (n3_1474) in - let t4_1479 : (fp_t '× fp_t) := - fp2mul (n1_1472) (n2_1473) in - let t5_1480 : (fp_t '× fp_t) := - fp2mul (n1_1472) (n3_1474) in - let t6_1481 : (fp_t '× fp_t) := - fp2mul (n2_1473) (n3_1474) in - let x0_1482 : (fp_t '× fp_t) := - fp2sub (t1_1476) (fp2mul (eps_1475) (t6_1481)) in - let y0_1483 : (fp_t '× fp_t) := - fp2sub (fp2mul (eps_1475) (t3_1478)) (t4_1479) in - let z0_1484 : (fp_t '× fp_t) := - fp2sub (t2_1477) (t5_1480) in - let t0_1485 : (fp_t '× fp_t) := - fp2mul (n1_1472) (x0_1482) in - let t0_1486 : (fp_t '× fp_t) := - fp2add (t0_1485) (fp2mul (eps_1475) (fp2mul (n3_1474) (y0_1483))) in - let t0_1487 : (fp_t '× fp_t) := - fp2add (t0_1486) (fp2mul (eps_1475) (fp2mul (n2_1473) (z0_1484))) in - let t0_1488 : (fp_t '× fp_t) := - fp2inv (t0_1487) in - let x_1489 : (fp_t '× fp_t) := - fp2mul (x0_1482) (t0_1488) in - let y_1490 : (fp_t '× fp_t) := - fp2mul (y0_1483) (t0_1488) in - let z_1491 : (fp_t '× fp_t) := - fp2mul (z0_1484) (t0_1488) in - (x_1489, y_1490, z_1491). - -Definition fp12fromfp6 (n_1492 : fp6_t) : fp12_t := - (n_1492, fp6zero ). - -Definition fp12neg (n_1493 : fp12_t) : fp12_t := - let '(n1_1494, n2_1495) := - n_1493 in - (fp6sub (fp6zero ) (n1_1494), fp6sub (fp6zero ) (n2_1495)). - -Definition fp12add (n_1496 : fp12_t) (m_1497 : fp12_t) : fp12_t := - let '(n1_1498, n2_1499) := - n_1496 in - let '(m1_1500, m2_1501) := - m_1497 in - (fp6add (n1_1498) (m1_1500), fp6add (n2_1499) (m2_1501)). - -Definition fp12sub (n_1502 : fp12_t) (m_1503 : fp12_t) : fp12_t := - fp12add (n_1502) (fp12neg (m_1503)). - -Definition fp12mul (n_1504 : fp12_t) (m_1505 : fp12_t) : fp12_t := - let '(n1_1506, n2_1507) := - n_1504 in - let '(m1_1508, m2_1509) := - m_1505 in - let gamma_1510 : (fp2_t '× fp2_t '× fp2_t) := - (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in - let t1_1511 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n1_1506) (m1_1508) in - let t2_1512 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n2_1507) (m2_1509) in - let x_1513 : (fp2_t '× fp2_t '× fp2_t) := - fp6add (t1_1511) (fp6mul (t2_1512) (gamma_1510)) in - let y_1514 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (fp6add (n1_1506) (n2_1507)) (fp6add (m1_1508) (m2_1509)) in - let y_1515 : (fp2_t '× fp2_t '× fp2_t) := - fp6sub (fp6sub (y_1514) (t1_1511)) (t2_1512) in - (x_1513, y_1515). - -Definition fp12inv (n_1516 : fp12_t) : fp12_t := - let '(n1_1517, n2_1518) := - n_1516 in - let gamma_1519 : (fp2_t '× fp2_t '× fp2_t) := - (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in - let t1_1520 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n1_1517) (n1_1517) in - let t2_1521 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n2_1518) (n2_1518) in - let t1_1522 : (fp2_t '× fp2_t '× fp2_t) := - fp6sub (t1_1520) (fp6mul (gamma_1519) (t2_1521)) in - let t2_1523 : (fp2_t '× fp2_t '× fp2_t) := - fp6inv (t1_1522) in - let x_1524 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n1_1517) (t2_1523) in - let y_1525 : (fp2_t '× fp2_t '× fp2_t) := - fp6neg (fp6mul (n2_1518) (t2_1523)) in - (x_1524, y_1525). - -Definition fp12exp (n_1526 : fp12_t) (k_1527 : scalar_t) : fp12_t := - let c_1528 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in - let c_1528 := - foldi (usize 0) (usize 256) (fun i_1529 c_1528 => - let c_1528 := - fp12mul (c_1528) (c_1528) in - let '(c_1528) := - if nat_mod_bit (k_1527) ((usize 255) - (i_1529)):bool then ( - let c_1528 := - fp12mul (c_1528) (n_1526) in - (c_1528)) else ((c_1528)) in - (c_1528)) - c_1528 in - c_1528. - -Definition fp12conjugate (n_1530 : fp12_t) : fp12_t := - let '(n1_1531, n2_1532) := - n_1530 in - (n1_1531, fp6neg (n2_1532)). - -Definition fp12zero : fp12_t := - fp12fromfp6 (fp6zero ). - -Definition g1add_a (p_1533 : g1_t) (q_1534 : g1_t) : g1_t := - let '(x1_1535, y1_1536, _) := - p_1533 in - let '(x2_1537, y2_1538, _) := - q_1534 in - let x_diff_1539 : fp_t := - (x2_1537) -% (x1_1535) in - let y_diff_1540 : fp_t := - (y2_1538) -% (y1_1536) in - let xovery_1541 : fp_t := - (y_diff_1540) *% (nat_mod_inv (x_diff_1539)) in - let x3_1542 : fp_t := - ((nat_mod_exp (xovery_1541) (@repr WORDSIZE32 2)) -% (x1_1535)) -% ( - x2_1537) in - let y3_1543 : fp_t := - ((xovery_1541) *% ((x1_1535) -% (x3_1542))) -% (y1_1536) in - (x3_1542, y3_1543, false). - -Definition g1double_a (p_1544 : g1_t) : g1_t := - let '(x1_1545, y1_1546, _) := - p_1544 in - let x12_1547 : fp_t := - nat_mod_exp (x1_1545) (@repr WORDSIZE32 2) in - let xovery_1548 : fp_t := - ((nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t) *% (x12_1547)) *% (nat_mod_inv (( - nat_mod_two ) *% (y1_1546))) in - let x3_1549 : fp_t := - (nat_mod_exp (xovery_1548) (@repr WORDSIZE32 2)) -% ((nat_mod_two ) *% ( - x1_1545)) in - let y3_1550 : fp_t := - ((xovery_1548) *% ((x1_1545) -% (x3_1549))) -% (y1_1546) in - (x3_1549, y3_1550, false). - -Definition g1double (p_1551 : g1_t) : g1_t := - let '(x1_1552, y1_1553, inf1_1554) := - p_1551 in - (if (((y1_1553) !=.? (nat_mod_zero )) && (negb (inf1_1554))):bool then ( - g1double_a (p_1551)) else ((nat_mod_zero , nat_mod_zero , true))). - -Definition g1add (p_1555 : g1_t) (q_1556 : g1_t) : g1_t := - let '(x1_1557, y1_1558, inf1_1559) := - p_1555 in - let '(x2_1560, y2_1561, inf2_1562) := - q_1556 in - (if (inf1_1559):bool then (q_1556) else ((if (inf2_1562):bool then ( - p_1555) else ((if ((p_1555) =.? (q_1556)):bool then (g1double ( - p_1555)) else ((if (negb (((x1_1557) =.? (x2_1560)) && (( - y1_1558) =.? ((nat_mod_zero ) -% ( - y2_1561))))):bool then (g1add_a (p_1555) ( - q_1556)) else ((nat_mod_zero , nat_mod_zero , true))))))))). - -Definition g1mul (m_1563 : scalar_t) (p_1564 : g1_t) : g1_t := - let t_1565 : (fp_t '× fp_t '× bool) := - (nat_mod_zero , nat_mod_zero , true) in - let t_1565 := - foldi (usize 0) (usize 256) (fun i_1566 t_1565 => - let t_1565 := - g1double (t_1565) in - let '(t_1565) := - if nat_mod_bit (m_1563) ((usize 255) - (i_1566)):bool then ( - let t_1565 := - g1add (t_1565) (p_1564) in - (t_1565)) else ((t_1565)) in - (t_1565)) - t_1565 in - t_1565. - -Definition g1neg (p_1567 : g1_t) : g1_t := - let '(x_1568, y_1569, inf_1570) := - p_1567 in - (x_1568, (nat_mod_zero ) -% (y_1569), inf_1570). - -Definition g2add_a (p_1571 : g2_t) (q_1572 : g2_t) : g2_t := - let '(x1_1573, y1_1574, _) := - p_1571 in - let '(x2_1575, y2_1576, _) := - q_1572 in - let x_diff_1577 : (fp_t '× fp_t) := - fp2sub (x2_1575) (x1_1573) in - let y_diff_1578 : (fp_t '× fp_t) := - fp2sub (y2_1576) (y1_1574) in - let xovery_1579 : (fp_t '× fp_t) := - fp2mul (y_diff_1578) (fp2inv (x_diff_1577)) in - let t1_1580 : (fp_t '× fp_t) := - fp2mul (xovery_1579) (xovery_1579) in - let t2_1581 : (fp_t '× fp_t) := - fp2sub (t1_1580) (x1_1573) in - let x3_1582 : (fp_t '× fp_t) := - fp2sub (t2_1581) (x2_1575) in - let t1_1583 : (fp_t '× fp_t) := - fp2sub (x1_1573) (x3_1582) in - let t2_1584 : (fp_t '× fp_t) := - fp2mul (xovery_1579) (t1_1583) in - let y3_1585 : (fp_t '× fp_t) := - fp2sub (t2_1584) (y1_1574) in - (x3_1582, y3_1585, false). - -Definition g2double_a (p_1586 : g2_t) : g2_t := - let '(x1_1587, y1_1588, _) := - p_1586 in - let x12_1589 : (fp_t '× fp_t) := - fp2mul (x1_1587) (x1_1587) in - let t1_1590 : (fp_t '× fp_t) := - fp2mul (fp2fromfp (nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t)) (x12_1589) in - let t2_1591 : (fp_t '× fp_t) := - fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (y1_1588)) in - let xovery_1592 : (fp_t '× fp_t) := - fp2mul (t1_1590) (t2_1591) in - let t1_1593 : (fp_t '× fp_t) := - fp2mul (xovery_1592) (xovery_1592) in - let t2_1594 : (fp_t '× fp_t) := - fp2mul (fp2fromfp (nat_mod_two )) (x1_1587) in - let x3_1595 : (fp_t '× fp_t) := - fp2sub (t1_1593) (t2_1594) in - let t1_1596 : (fp_t '× fp_t) := - fp2sub (x1_1587) (x3_1595) in - let t2_1597 : (fp_t '× fp_t) := - fp2mul (xovery_1592) (t1_1596) in - let y3_1598 : (fp_t '× fp_t) := - fp2sub (t2_1597) (y1_1588) in - (x3_1595, y3_1598, false). - -Definition g2double (p_1599 : g2_t) : g2_t := - let '(x1_1600, y1_1601, inf1_1602) := - p_1599 in - (if (((y1_1601) !=.? (fp2zero )) && (negb (inf1_1602))):bool then ( - g2double_a (p_1599)) else ((fp2zero , fp2zero , true))). - -Definition g2add (p_1603 : g2_t) (q_1604 : g2_t) : g2_t := - let '(x1_1605, y1_1606, inf1_1607) := - p_1603 in - let '(x2_1608, y2_1609, inf2_1610) := - q_1604 in - (if (inf1_1607):bool then (q_1604) else ((if (inf2_1610):bool then ( - p_1603) else ((if ((p_1603) =.? (q_1604)):bool then (g2double ( - p_1603)) else ((if (negb (((x1_1605) =.? (x2_1608)) && (( - y1_1606) =.? (fp2neg (y2_1609))))):bool then (g2add_a ( - p_1603) (q_1604)) else ((fp2zero , fp2zero , true))))))))). - -Definition g2mul (m_1611 : scalar_t) (p_1612 : g2_t) : g2_t := - let t_1613 : (fp2_t '× fp2_t '× bool) := - (fp2zero , fp2zero , true) in - let t_1613 := - foldi (usize 0) (usize 256) (fun i_1614 t_1613 => - let t_1613 := - g2double (t_1613) in - let '(t_1613) := - if nat_mod_bit (m_1611) ((usize 255) - (i_1614)):bool then ( - let t_1613 := - g2add (t_1613) (p_1612) in - (t_1613)) else ((t_1613)) in - (t_1613)) - t_1613 in - t_1613. - -Definition g2neg (p_1615 : g2_t) : g2_t := - let '(x_1616, y_1617, inf_1618) := - p_1615 in - (x_1616, fp2neg (y_1617), inf_1618). - -Definition twist (p_1619 : g1_t) : (fp12_t '× fp12_t) := - let '(p0_1620, p1_1621, _) := - p_1619 in - let x_1622 : ((fp2_t '× fp2_t '× fp2_t) '× fp6_t) := - ((fp2zero , fp2fromfp (p0_1620), fp2zero ), fp6zero ) in - let y_1623 : (fp6_t '× (fp2_t '× fp2_t '× fp2_t)) := - (fp6zero , (fp2zero , fp2fromfp (p1_1621), fp2zero )) in - (x_1622, y_1623). - -Definition line_double_p (r_1624 : g2_t) (p_1625 : g1_t) : fp12_t := - let '(r0_1626, r1_1627, _) := - r_1624 in - let a_1628 : (fp_t '× fp_t) := - fp2mul (fp2fromfp (nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t)) (fp2mul (r0_1626) (r0_1626)) in - let a_1629 : (fp_t '× fp_t) := - fp2mul (a_1628) (fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (r1_1627))) in - let b_1630 : (fp_t '× fp_t) := - fp2sub (r1_1627) (fp2mul (a_1629) (r0_1626)) in - let a_1631 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (a_1629)) in - let b_1632 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (b_1630)) in - let '(x_1633, y_1634) := - twist (p_1625) in - fp12neg (fp12sub (fp12sub (y_1634) (fp12mul (a_1631) (x_1633))) (b_1632)). - -Definition line_add_p - (r_1635 : g2_t) - (q_1636 : g2_t) - (p_1637 : g1_t) - : fp12_t := - let '(r0_1638, r1_1639, _) := - r_1635 in - let '(q0_1640, q1_1641, _) := - q_1636 in - let a_1642 : (fp_t '× fp_t) := - fp2mul (fp2sub (q1_1641) (r1_1639)) (fp2inv (fp2sub (q0_1640) ( - r0_1638))) in - let b_1643 : (fp_t '× fp_t) := - fp2sub (r1_1639) (fp2mul (a_1642) (r0_1638)) in - let a_1644 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (a_1642)) in - let b_1645 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (b_1643)) in - let '(x_1646, y_1647) := - twist (p_1637) in - fp12neg (fp12sub (fp12sub (y_1647) (fp12mul (a_1644) (x_1646))) (b_1645)). - -Definition frobenius (f_1648 : fp12_t) : fp12_t := - let '((g0_1649, g1_1650, g2_1651), (h0_1652, h1_1653, h2_1654)) := - f_1648 in - let t1_1655 : (fp_t '× fp_t) := - fp2conjugate (g0_1649) in - let t2_1656 : (fp_t '× fp_t) := - fp2conjugate (h0_1652) in - let t3_1657 : (fp_t '× fp_t) := - fp2conjugate (g1_1650) in - let t4_1658 : (fp_t '× fp_t) := - fp2conjugate (h1_1653) in - let t5_1659 : (fp_t '× fp_t) := - fp2conjugate (g2_1651) in - let t6_1660 : (fp_t '× fp_t) := - fp2conjugate (h2_1654) in - let c1_1661 : array_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 10162220747404304312) : int64; - secret (@repr WORDSIZE64 17761815663483519293) : int64; - secret (@repr WORDSIZE64 8873291758750579140) : int64; - secret (@repr WORDSIZE64 1141103941765652303) : int64; - secret (@repr WORDSIZE64 13993175198059990303) : int64; - secret (@repr WORDSIZE64 1802798568193066599) : int64 - ] in l) in - let c1_1662 : seq uint8 := - array_to_le_bytes (c1_1661) in - let c1_1663 : fp_t := - nat_mod_from_byte_seq_le (c1_1662) : fp_t in - let c2_1664 : array_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 3240210268673559283) : int64; - secret (@repr WORDSIZE64 2895069921743240898) : int64; - secret (@repr WORDSIZE64 17009126888523054175) : int64; - secret (@repr WORDSIZE64 6098234018649060207) : int64; - secret (@repr WORDSIZE64 9865672654120263608) : int64; - secret (@repr WORDSIZE64 71000049454473266) : int64 - ] in l) in - let c2_1665 : seq uint8 := - array_to_le_bytes (c2_1664) in - let c2_1666 : fp_t := - nat_mod_from_byte_seq_le (c2_1665) : fp_t in - let gamma11_1667 : (fp_t '× fp_t) := - (c1_1663, c2_1666) in - let gamma12_1668 : (fp_t '× fp_t) := - fp2mul (gamma11_1667) (gamma11_1667) in - let gamma13_1669 : (fp_t '× fp_t) := - fp2mul (gamma12_1668) (gamma11_1667) in - let gamma14_1670 : (fp_t '× fp_t) := - fp2mul (gamma13_1669) (gamma11_1667) in - let gamma15_1671 : (fp_t '× fp_t) := - fp2mul (gamma14_1670) (gamma11_1667) in - let t2_1672 : (fp_t '× fp_t) := - fp2mul (t2_1656) (gamma11_1667) in - let t3_1673 : (fp_t '× fp_t) := - fp2mul (t3_1657) (gamma12_1668) in - let t4_1674 : (fp_t '× fp_t) := - fp2mul (t4_1658) (gamma13_1669) in - let t5_1675 : (fp_t '× fp_t) := - fp2mul (t5_1659) (gamma14_1670) in - let t6_1676 : (fp_t '× fp_t) := - fp2mul (t6_1660) (gamma15_1671) in - ((t1_1655, t3_1673, t5_1675), (t2_1672, t4_1674, t6_1676)). - -Definition final_exponentiation (f_1677 : fp12_t) : fp12_t := - let fp6_1678 : (fp6_t '× fp6_t) := - fp12conjugate (f_1677) in - let finv_1679 : (fp6_t '× fp6_t) := - fp12inv (f_1677) in - let fp6_1_1680 : (fp6_t '× fp6_t) := - fp12mul (fp6_1678) (finv_1679) in - let fp8_1681 : (fp6_t '× fp6_t) := - frobenius (frobenius (fp6_1_1680)) in - let f_1682 : (fp6_t '× fp6_t) := - fp12mul (fp8_1681) (fp6_1_1680) in - let u_1683 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let u_half_1684 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 7566188111470821376) : scalar_t in - let t0_1685 : (fp6_t '× fp6_t) := - fp12mul (f_1682) (f_1682) in - let t1_1686 : (fp6_t '× fp6_t) := - fp12exp (t0_1685) (u_1683) in - let t1_1687 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1686) in - let t2_1688 : (fp6_t '× fp6_t) := - fp12exp (t1_1687) (u_half_1684) in - let t2_1689 : (fp6_t '× fp6_t) := - fp12conjugate (t2_1688) in - let t3_1690 : (fp6_t '× fp6_t) := - fp12conjugate (f_1682) in - let t1_1691 : (fp6_t '× fp6_t) := - fp12mul (t3_1690) (t1_1687) in - let t1_1692 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1691) in - let t1_1693 : (fp6_t '× fp6_t) := - fp12mul (t1_1692) (t2_1689) in - let t2_1694 : (fp6_t '× fp6_t) := - fp12exp (t1_1693) (u_1683) in - let t2_1695 : (fp6_t '× fp6_t) := - fp12conjugate (t2_1694) in - let t3_1696 : (fp6_t '× fp6_t) := - fp12exp (t2_1695) (u_1683) in - let t3_1697 : (fp6_t '× fp6_t) := - fp12conjugate (t3_1696) in - let t1_1698 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1693) in - let t3_1699 : (fp6_t '× fp6_t) := - fp12mul (t1_1698) (t3_1697) in - let t1_1700 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1698) in - let t1_1701 : (fp6_t '× fp6_t) := - frobenius (frobenius (frobenius (t1_1700))) in - let t2_1702 : (fp6_t '× fp6_t) := - frobenius (frobenius (t2_1695)) in - let t1_1703 : (fp6_t '× fp6_t) := - fp12mul (t1_1701) (t2_1702) in - let t2_1704 : (fp6_t '× fp6_t) := - fp12exp (t3_1699) (u_1683) in - let t2_1705 : (fp6_t '× fp6_t) := - fp12conjugate (t2_1704) in - let t2_1706 : (fp6_t '× fp6_t) := - fp12mul (t2_1705) (t0_1685) in - let t2_1707 : (fp6_t '× fp6_t) := - fp12mul (t2_1706) (f_1682) in - let t1_1708 : (fp6_t '× fp6_t) := - fp12mul (t1_1703) (t2_1707) in - let t2_1709 : (fp6_t '× fp6_t) := - frobenius (t3_1699) in - let t1_1710 : (fp6_t '× fp6_t) := - fp12mul (t1_1708) (t2_1709) in - t1_1710. - -Definition pairing (p_1711 : g1_t) (q_1712 : g2_t) : fp12_t := - let t_1713 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let r_1714 : (fp2_t '× fp2_t '× bool) := - q_1712 in - let f_1715 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in - let '(r_1714, f_1715) := - foldi (usize 1) (usize 64) (fun i_1716 '(r_1714, f_1715) => - let lrr_1717 : (fp6_t '× fp6_t) := - line_double_p (r_1714) (p_1711) in - let r_1714 := - g2double (r_1714) in - let f_1715 := - fp12mul (fp12mul (f_1715) (f_1715)) (lrr_1717) in - let '(r_1714, f_1715) := - if nat_mod_bit (t_1713) (((usize 64) - (i_1716)) - ( - usize 1)):bool then (let lrq_1718 : (fp6_t '× fp6_t) := - line_add_p (r_1714) (q_1712) (p_1711) in - let r_1714 := - g2add (r_1714) (q_1712) in - let f_1715 := - fp12mul (f_1715) (lrq_1718) in - (r_1714, f_1715)) else ((r_1714, f_1715)) in - (r_1714, f_1715)) - (r_1714, f_1715) in - final_exponentiation (fp12conjugate (f_1715)). - -Definition test_fp2_prop_add_neg (a_1719 : fp2_t) : bool := - let b_1720 : (fp_t '× fp_t) := - fp2neg (a_1719) in - (fp2fromfp (nat_mod_zero )) =.? (fp2add (a_1719) (b_1720)). -(*QuickChick ( - forAll g_fp2_t (fun a_1719 : fp2_t =>test_fp2_prop_add_neg a_1719)).*) - - -Definition test_fp2_prop_mul_inv (a_1721 : fp2_t) : bool := - let b_1722 : (fp_t '× fp_t) := - fp2inv (a_1721) in - (fp2fromfp (nat_mod_one )) =.? (fp2mul (a_1721) (b_1722)). -(*QuickChick ( - forAll g_fp2_t (fun a_1721 : fp2_t =>test_fp2_prop_mul_inv a_1721)).*) - - -Definition test_extraction_issue : bool := - let b_1723 : (fp_t '× fp_t) := - fp2inv ((nat_mod_one , nat_mod_one )) in - (fp2fromfp (nat_mod_one )) =.? (fp2mul ((nat_mod_one , nat_mod_one )) ( - b_1723)). -(*QuickChick (test_extraction_issue).*) - - -Definition test_fp6_prop_mul_inv (a_1724 : fp6_t) : bool := - let b_1725 : (fp2_t '× fp2_t '× fp2_t) := - fp6inv (a_1724) in - (fp6fromfp2 (fp2fromfp (nat_mod_one ))) =.? (fp6mul (a_1724) (b_1725)). -(*QuickChick ( - forAll g_fp6_t (fun a_1724 : fp6_t =>test_fp6_prop_mul_inv a_1724)).*) - - -Definition test_fp6_prop_add_neg (a_1726 : fp6_t) : bool := - let b_1727 : (fp2_t '× fp2_t '× fp2_t) := - fp6neg (a_1726) in - (fp6fromfp2 (fp2fromfp (nat_mod_zero ))) =.? (fp6add (a_1726) (b_1727)). -(*QuickChick ( - forAll g_fp6_t (fun a_1726 : fp6_t =>test_fp6_prop_add_neg a_1726)).*) - - -Definition test_fp12_prop_add_neg (a_1728 : fp12_t) : bool := - let b_1729 : (fp6_t '× fp6_t) := - fp12neg (a_1728) in - (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_zero )))) =.? (fp12add (a_1728) ( - b_1729)). -(*QuickChick ( - forAll g_fp12_t (fun a_1728 : fp12_t =>test_fp12_prop_add_neg a_1728)).*) - - -Definition test_fp12_prop_mul_inv (a_1730 : fp12_t) : bool := - let b_1731 : (fp6_t '× fp6_t) := - fp12inv (a_1730) in - (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one )))) =.? (fp12mul (a_1730) ( - b_1731)). -(*QuickChick ( - forAll g_fp12_t (fun a_1730 : fp12_t =>test_fp12_prop_mul_inv a_1730)).*) - - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/coq/_vc/Hacspec_Bls12_381_Hash.v deleted file mode 100644 index de305328b..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Bls12_381_Hash.v +++ /dev/null @@ -1,1754 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Bls12_381. - -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition fp_hash_canvas_t := nseq (int8) (64). -Definition fp_hash_t := - nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. - -Definition arr_fp_t := nseq (uint64) (usize 6). - -Definition b_in_bytes_v : uint_size := - usize 32. - -Definition s_in_bytes_v : uint_size := - usize 64. - -Definition l_v : uint_size := - usize 64. - -Definition p_1_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 936899308823769933) : int64; - secret (@repr WORDSIZE64 2706051889235351147) : int64; - secret (@repr WORDSIZE64 12843041017062132063) : int64; - secret (@repr WORDSIZE64 12941209323636816658) : int64; - secret (@repr WORDSIZE64 1105070755758604287) : int64; - secret (@repr WORDSIZE64 15924587544893707605) : int64 - ] in l). - -Definition p_1_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 468449654411884966) : int64; - secret (@repr WORDSIZE64 10576397981472451381) : int64; - secret (@repr WORDSIZE64 15644892545385841839) : int64; - secret (@repr WORDSIZE64 15693976698673184137) : int64; - secret (@repr WORDSIZE64 552535377879302143) : int64; - secret (@repr WORDSIZE64 17185665809301629611) : int64 - ] in l). - -Definition p_3_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 468449654411884966) : int64; - secret (@repr WORDSIZE64 10576397981472451381) : int64; - secret (@repr WORDSIZE64 15644892545385841839) : int64; - secret (@repr WORDSIZE64 15693976698673184137) : int64; - secret (@repr WORDSIZE64 552535377879302143) : int64; - secret (@repr WORDSIZE64 17185665809301629610) : int64 - ] in l). - -Definition expand_message_xmd - (msg_1732 : byte_seq) - (dst_1733 : byte_seq) - (len_in_bytes_1734 : uint_size) - : byte_seq := - let ell_1735 : uint_size := - (((len_in_bytes_1734) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in - let dst_prime_1736 : seq uint8 := - seq_push (dst_1733) (uint8_from_usize (seq_len (dst_1733))) in - let z_pad_1737 : seq uint8 := - seq_new_ (default : uint8) (s_in_bytes_v) in - let l_i_b_str_1738 : seq uint8 := - seq_new_ (default : uint8) (usize 2) in - let l_i_b_str_1738 := - seq_upd l_i_b_str_1738 (usize 0) (uint8_from_usize ((len_in_bytes_1734) / ( - usize 256))) in - let l_i_b_str_1738 := - seq_upd l_i_b_str_1738 (usize 1) (uint8_from_usize (len_in_bytes_1734)) in - let msg_prime_1739 : seq uint8 := - seq_concat (seq_concat (seq_concat (seq_concat (z_pad_1737) (msg_1732)) ( - l_i_b_str_1738)) (seq_new_ (default : uint8) (usize 1))) ( - dst_prime_1736) in - let b_0_1740 : seq uint8 := - seq_from_seq (array_to_seq (hash (msg_prime_1739))) in - let b_i_1741 : seq uint8 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_1740) (secret ( - @repr WORDSIZE8 1) : int8)) (dst_prime_1736)))) in - let uniform_bytes_1742 : seq uint8 := - seq_from_seq (b_i_1741) in - let '(b_i_1741, uniform_bytes_1742) := - foldi (usize 2) ((ell_1735) + (usize 1)) (fun i_1743 '( - b_i_1741, - uniform_bytes_1742 - ) => - let t_1744 : seq uint8 := - seq_from_seq (b_0_1740) in - let b_i_1741 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( - t_1744) seq_xor (b_i_1741)) (uint8_from_usize (i_1743))) ( - dst_prime_1736)))) in - let uniform_bytes_1742 := - seq_concat (uniform_bytes_1742) (b_i_1741) in - (b_i_1741, uniform_bytes_1742)) - (b_i_1741, uniform_bytes_1742) in - seq_truncate (uniform_bytes_1742) (len_in_bytes_1734). - -Definition fp_hash_to_field - (msg_1745 : byte_seq) - (dst_1746 : byte_seq) - (count_1747 : uint_size) - : seq fp_t := - let len_in_bytes_1748 : uint_size := - (count_1747) * (l_v) in - let uniform_bytes_1749 : seq uint8 := - expand_message_xmd (msg_1745) (dst_1746) (len_in_bytes_1748) in - let output_1750 : seq fp_t := - seq_new_ (default : fp_t) (count_1747) in - let output_1750 := - foldi (usize 0) (count_1747) (fun i_1751 output_1750 => - let elm_offset_1752 : uint_size := - (l_v) * (i_1751) in - let tv_1753 : seq uint8 := - seq_slice (uniform_bytes_1749) (elm_offset_1752) (l_v) in - let u_i_1754 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1753) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let output_1750 := - seq_upd output_1750 (i_1751) (u_i_1754) in - (output_1750)) - output_1750 in - output_1750. - -Definition fp_sgn0 (x_1755 : fp_t) : bool := - ((x_1755) rem (nat_mod_two )) =.? (nat_mod_one ). - -Definition fp_is_square (x_1756 : fp_t) : bool := - let c1_1757 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let tv_1758 : fp_t := - nat_mod_pow_self (x_1756) (c1_1757) in - ((tv_1758) =.? (nat_mod_zero )) || ((tv_1758) =.? (nat_mod_one )). - -Definition fp_sqrt (x_1759 : fp_t) : fp_t := - let c1_1760 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_4_v)) : fp_t in - nat_mod_pow_self (x_1759) (c1_1760). - -Definition g1_curve_func (x_1761 : fp_t) : fp_t := - (((x_1761) *% (x_1761)) *% (x_1761)) +% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t). - -Definition g1_map_to_curve_svdw (u_1762 : fp_t) : g1_t := - let z_1763 : fp_t := - (nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t) in - let gz_1764 : fp_t := - g1_curve_func (z_1763) in - let tv1_1765 : fp_t := - ((u_1762) *% (u_1762)) *% (gz_1764) in - let tv2_1766 : fp_t := - (nat_mod_one ) +% (tv1_1765) in - let tv1_1767 : fp_t := - (nat_mod_one ) -% (tv1_1765) in - let tv3_1768 : fp_t := - nat_mod_inv ((tv1_1767) *% (tv2_1766)) in - let tv4_1769 : fp_t := - fp_sqrt (((nat_mod_zero ) -% (gz_1764)) *% (((nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t) *% (z_1763)) *% (z_1763))) in - let '(tv4_1769) := - if fp_sgn0 (tv4_1769):bool then (let tv4_1769 := - (nat_mod_zero ) -% (tv4_1769) in - (tv4_1769)) else ((tv4_1769)) in - let tv5_1770 : fp_t := - (((u_1762) *% (tv1_1767)) *% (tv3_1768)) *% (tv4_1769) in - let tv6_1771 : fp_t := - (((nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t)) *% (gz_1764)) *% (nat_mod_inv ((( - nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t) *% ( - z_1763)) *% (z_1763))) in - let x1_1772 : fp_t := - (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) -% ( - tv5_1770) in - let x2_1773 : fp_t := - (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) +% ( - tv5_1770) in - let x3_1774 : fp_t := - (z_1763) +% (((tv6_1771) *% (((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) *% ( - ((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) in - let x_1775 : fp_t := - (if (fp_is_square (g1_curve_func (x1_1772))):bool then (x1_1772) else ((if ( - fp_is_square (g1_curve_func (x2_1773))):bool then (x2_1773) else ( - x3_1774)))) in - let y_1776 : fp_t := - fp_sqrt (g1_curve_func (x_1775)) in - let '(y_1776) := - if (fp_sgn0 (u_1762)) !=.? (fp_sgn0 (y_1776)):bool then (let y_1776 := - (nat_mod_zero ) -% (y_1776) in - (y_1776)) else ((y_1776)) in - (x_1775, y_1776, false). - -Definition g1_clear_cofactor (x_1777 : g1_t) : g1_t := - let h_eff_1778 : scalar_t := - nat_mod_from_literal (_) ( - @repr WORDSIZE128 15132376222941642753) : scalar_t in - g1mul (h_eff_1778) (x_1777). - -Definition g1_hash_to_curve_svdw - (msg_1779 : byte_seq) - (dst_1780 : byte_seq) - : g1_t := - let u_1781 : seq fp_t := - fp_hash_to_field (msg_1779) (dst_1780) (usize 2) in - let q0_1782 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_svdw (seq_index (u_1781) (usize 0)) in - let q1_1783 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_svdw (seq_index (u_1781) (usize 1)) in - let r_1784 : (fp_t '× fp_t '× bool) := - g1add (q0_1782) (q1_1783) in - let p_1785 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (r_1784) in - p_1785. - -Definition g1_encode_to_curve_svdw - (msg_1786 : byte_seq) - (dst_1787 : byte_seq) - : g1_t := - let u_1788 : seq fp_t := - fp_hash_to_field (msg_1786) (dst_1787) (usize 1) in - let q_1789 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_svdw (seq_index (u_1788) (usize 0)) in - let p_1790 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (q_1789) in - p_1790. - -Definition fp2_hash_to_field - (msg_1791 : byte_seq) - (dst_1792 : byte_seq) - (count_1793 : uint_size) - : seq fp2_t := - let len_in_bytes_1794 : uint_size := - ((count_1793) * (usize 2)) * (l_v) in - let uniform_bytes_1795 : seq uint8 := - expand_message_xmd (msg_1791) (dst_1792) (len_in_bytes_1794) in - let output_1796 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (count_1793) in - let output_1796 := - foldi (usize 0) (count_1793) (fun i_1797 output_1796 => - let elm_offset_1798 : uint_size := - ((l_v) * (i_1797)) * (usize 2) in - let tv_1799 : seq uint8 := - seq_slice (uniform_bytes_1795) (elm_offset_1798) (l_v) in - let e_1_1800 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1799) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let elm_offset_1801 : uint_size := - (l_v) * ((usize 1) + ((i_1797) * (usize 2))) in - let tv_1802 : seq uint8 := - seq_slice (uniform_bytes_1795) (elm_offset_1801) (l_v) in - let e_2_1803 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1802) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let output_1796 := - seq_upd output_1796 (i_1797) ((e_1_1800, e_2_1803)) in - (output_1796)) - output_1796 in - output_1796. - -Definition fp2_sgn0 (x_1804 : fp2_t) : bool := - let '(x0_1805, x1_1806) := - x_1804 in - let sign_0_1807 : bool := - fp_sgn0 (x0_1805) in - let zero_0_1808 : bool := - (x0_1805) =.? (nat_mod_zero ) in - let sign_1_1809 : bool := - fp_sgn0 (x1_1806) in - (sign_0_1807) || ((zero_0_1808) && (sign_1_1809)). - -Definition fp2_is_square (x_1810 : fp2_t) : bool := - let c1_1811 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let '(x1_1812, x2_1813) := - x_1810 in - let tv1_1814 : fp_t := - (x1_1812) *% (x1_1812) in - let tv2_1815 : fp_t := - (x2_1813) *% (x2_1813) in - let tv1_1816 : fp_t := - (tv1_1814) +% (tv2_1815) in - let tv1_1817 : fp_t := - nat_mod_pow_self (tv1_1816) (c1_1811) in - let neg1_1818 : fp_t := - (nat_mod_zero ) -% (nat_mod_one ) in - (tv1_1817) !=.? (neg1_1818). - -Definition fp2exp (n_1819 : fp2_t) (k_1820 : fp_t) : fp2_t := - let c_1821 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let c_1821 := - foldi (usize 0) (usize 381) (fun i_1822 c_1821 => - let c_1821 := - fp2mul (c_1821) (c_1821) in - let '(c_1821) := - if nat_mod_bit (k_1820) ((usize 380) - (i_1822)):bool then ( - let c_1821 := - fp2mul (c_1821) (n_1819) in - (c_1821)) else ((c_1821)) in - (c_1821)) - c_1821 in - c_1821. - -Definition fp2_sqrt (a_1823 : fp2_t) : fp2_t := - let c1_1824 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_3_4_v)) : fp_t in - let c2_1825 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let a1_1826 : (fp_t '× fp_t) := - fp2exp (a_1823) (c1_1824) in - let alpha_1827 : (fp_t '× fp_t) := - fp2mul (a1_1826) (fp2mul (a1_1826) (a_1823)) in - let x0_1828 : (fp_t '× fp_t) := - fp2mul (a1_1826) (a_1823) in - let neg1_1829 : (fp_t '× fp_t) := - ((nat_mod_zero ) -% (nat_mod_one ), nat_mod_zero ) in - let b_1830 : (fp_t '× fp_t) := - fp2exp (fp2add (fp2fromfp (nat_mod_one )) (alpha_1827)) (c2_1825) in - (if ((alpha_1827) =.? (neg1_1829)):bool then (fp2mul (( - nat_mod_zero , - nat_mod_one - )) (x0_1828)) else (fp2mul (b_1830) (x0_1828))). - -Definition g2_curve_func (x_1831 : fp2_t) : fp2_t := - fp2add (fp2mul (x_1831) (fp2mul (x_1831) (x_1831))) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t, - nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t - )). - -Definition g2_map_to_curve_svdw (u_1832 : fp2_t) : g2_t := - let z_1833 : (fp_t '× fp_t) := - fp2neg (fp2fromfp (nat_mod_one )) in - let gz_1834 : (fp_t '× fp_t) := - g2_curve_func (z_1833) in - let tv1_1835 : (fp_t '× fp_t) := - fp2mul (fp2mul (u_1832) (u_1832)) (gz_1834) in - let tv2_1836 : (fp_t '× fp_t) := - fp2add (fp2fromfp (nat_mod_one )) (tv1_1835) in - let tv1_1837 : (fp_t '× fp_t) := - fp2sub (fp2fromfp (nat_mod_one )) (tv1_1835) in - let tv3_1838 : (fp_t '× fp_t) := - fp2inv (fp2mul (tv1_1837) (tv2_1836)) in - let tv4_1839 : (fp_t '× fp_t) := - fp2_sqrt (fp2mul (fp2neg (gz_1834)) (fp2mul (fp2fromfp ( - nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) (fp2mul ( - z_1833) (z_1833)))) in - let '(tv4_1839) := - if fp2_sgn0 (tv4_1839):bool then (let tv4_1839 := - fp2neg (tv4_1839) in - (tv4_1839)) else ((tv4_1839)) in - let tv5_1840 : (fp_t '× fp_t) := - fp2mul (fp2mul (fp2mul (u_1832) (tv1_1837)) (tv3_1838)) (tv4_1839) in - let tv6_1841 : (fp_t '× fp_t) := - fp2mul (fp2mul (fp2neg (fp2fromfp (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t))) (gz_1834)) (fp2inv (fp2mul ( - fp2fromfp (nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) ( - fp2mul (z_1833) (z_1833)))) in - let x1_1842 : (fp_t '× fp_t) := - fp2sub (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( - tv5_1840) in - let x2_1843 : (fp_t '× fp_t) := - fp2add (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( - tv5_1840) in - let tv7_1844 : (fp_t '× fp_t) := - fp2mul (fp2mul (tv2_1836) (tv2_1836)) (tv3_1838) in - let x3_1845 : (fp_t '× fp_t) := - fp2add (z_1833) (fp2mul (tv6_1841) (fp2mul (tv7_1844) (tv7_1844))) in - let x_1846 : (fp_t '× fp_t) := - (if (fp2_is_square (g2_curve_func (x1_1842))):bool then (x1_1842) else (( - if (fp2_is_square (g2_curve_func (x2_1843))):bool then ( - x2_1843) else (x3_1845)))) in - let y_1847 : (fp_t '× fp_t) := - fp2_sqrt (g2_curve_func (x_1846)) in - let '(y_1847) := - if (fp2_sgn0 (u_1832)) !=.? (fp2_sgn0 (y_1847)):bool then (let y_1847 := - fp2neg (y_1847) in - (y_1847)) else ((y_1847)) in - (x_1846, y_1847, false). - -Definition psi (p_1848 : g2_t) : g2_t := - let c1_1849 : (fp_t '× fp_t) := - fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( - nat_mod_one )) *% (nat_mod_inv (nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t)))) in - let c2_1850 : (fp_t '× fp_t) := - fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( - nat_mod_one )) *% (nat_mod_inv (nat_mod_two )))) in - let '(x_1851, y_1852, inf_1853) := - p_1848 in - let qx_1854 : (fp_t '× fp_t) := - fp2mul (c1_1849) (fp2conjugate (x_1851)) in - let qy_1855 : (fp_t '× fp_t) := - fp2mul (c2_1850) (fp2conjugate (y_1852)) in - (qx_1854, qy_1855, inf_1853). - -Definition g2_clear_cofactor (p_1856 : g2_t) : g2_t := - let c1_1857 : scalar_t := - nat_mod_from_literal (_) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let t1_1858 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2mul (c1_1857) (p_1856) in - let t1_1859 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2neg (t1_1858) in - let t2_1860 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - psi (p_1856) in - let t3_1861 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2double (p_1856) in - let t3_1862 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - psi (psi (t3_1861)) in - let t3_1863 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1862) (g2neg (t2_1860)) in - let t2_1864 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t1_1859) (t2_1860) in - let t2_1865 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2mul (c1_1857) (t2_1864) in - let t2_1866 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2neg (t2_1865) in - let t3_1867 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1863) (t2_1866) in - let t3_1868 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1867) (g2neg (t1_1859)) in - let q_1869 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1868) (g2neg (p_1856)) in - q_1869. - -Definition g2_hash_to_curve_svdw - (msg_1870 : byte_seq) - (dst_1871 : byte_seq) - : g2_t := - let u_1872 : seq fp2_t := - fp2_hash_to_field (msg_1870) (dst_1871) (usize 2) in - let q0_1873 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_svdw (seq_index (u_1872) (usize 0)) in - let q1_1874 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_svdw (seq_index (u_1872) (usize 1)) in - let r_1875 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (q0_1873) (q1_1874) in - let p_1876 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (r_1875) in - p_1876. - -Definition g2_encode_to_curve_svdw - (msg_1877 : byte_seq) - (dst_1878 : byte_seq) - : g2_t := - let u_1879 : seq fp2_t := - fp2_hash_to_field (msg_1877) (dst_1878) (usize 1) in - let q_1880 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_svdw (seq_index (u_1879) (usize 0)) in - let p_1881 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (q_1880) in - p_1881. - -Definition g1_iso_a_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 5707120929990979) : int64; - secret (@repr WORDSIZE64 4425131892511951234) : int64; - secret (@repr WORDSIZE64 12748169179688756904) : int64; - secret (@repr WORDSIZE64 15629909748249821612) : int64; - secret (@repr WORDSIZE64 10994253769421683071) : int64; - secret (@repr WORDSIZE64 6698022561392380957) : int64 - ] in l). - -Definition g1_iso_b_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1360808972976160816) : int64; - secret (@repr WORDSIZE64 111203405409480251) : int64; - secret (@repr WORDSIZE64 2312248699302920304) : int64; - secret (@repr WORDSIZE64 11581500465278574325) : int64; - secret (@repr WORDSIZE64 6495071758858381989) : int64; - secret (@repr WORDSIZE64 15117538217124375520) : int64 - ] in l). - -Definition g1_xnum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1270119733718627136) : int64; - secret (@repr WORDSIZE64 13261148298159854981) : int64; - secret (@repr WORDSIZE64 7723742117508874335) : int64; - secret (@repr WORDSIZE64 17465657917644792520) : int64; - secret (@repr WORDSIZE64 6201670911048166766) : int64; - secret (@repr WORDSIZE64 12586459670690286007) : int64 - ] in l). - -Definition g1_xnum_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1668951808976071471) : int64; - secret (@repr WORDSIZE64 398773841247578140) : int64; - secret (@repr WORDSIZE64 8941869963990959127) : int64; - secret (@repr WORDSIZE64 17682789360670468203) : int64; - secret (@repr WORDSIZE64 5204176168283587414) : int64; - secret (@repr WORDSIZE64 16732261237459223483) : int64 - ] in l). - -Definition g1_xnum_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 960393023080265964) : int64; - secret (@repr WORDSIZE64 2094253841180170779) : int64; - secret (@repr WORDSIZE64 14844748873776858085) : int64; - secret (@repr WORDSIZE64 7528018573573808732) : int64; - secret (@repr WORDSIZE64 10776056440809943711) : int64; - secret (@repr WORDSIZE64 16147550488514976944) : int64 - ] in l). - -Definition g1_xnum_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1691355743628586423) : int64; - secret (@repr WORDSIZE64 5622191986793862162) : int64; - secret (@repr WORDSIZE64 15561595211679121189) : int64; - secret (@repr WORDSIZE64 17416319752018800771) : int64; - secret (@repr WORDSIZE64 5996228842464768403) : int64; - secret (@repr WORDSIZE64 14245880009877842017) : int64 - ] in l). - -Definition g1_xnum_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1051997788391994435) : int64; - secret (@repr WORDSIZE64 7368650625050054228) : int64; - secret (@repr WORDSIZE64 11086623519836470079) : int64; - secret (@repr WORDSIZE64 607681821319080984) : int64; - secret (@repr WORDSIZE64 10978131499682789316) : int64; - secret (@repr WORDSIZE64 5842660658088809945) : int64 - ] in l). - -Definition g1_xnum_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1598992431623377919) : int64; - secret (@repr WORDSIZE64 130921168661596853) : int64; - secret (@repr WORDSIZE64 15797696746983946651) : int64; - secret (@repr WORDSIZE64 11444679715590672272) : int64; - secret (@repr WORDSIZE64 11567228658253249817) : int64; - secret (@repr WORDSIZE64 14777367860349315459) : int64 - ] in l). - -Definition g1_xnum_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 967946631563726121) : int64; - secret (@repr WORDSIZE64 7653628713030275775) : int64; - secret (@repr WORDSIZE64 12760252618317466849) : int64; - secret (@repr WORDSIZE64 10378793938173061930) : int64; - secret (@repr WORDSIZE64 10205808941053849290) : int64; - secret (@repr WORDSIZE64 15985511645807504772) : int64 - ] in l). - -Definition g1_xnum_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1709149555065084898) : int64; - secret (@repr WORDSIZE64 16750075057192140371) : int64; - secret (@repr WORDSIZE64 3849985779734105521) : int64; - secret (@repr WORDSIZE64 11998370262181639475) : int64; - secret (@repr WORDSIZE64 4159013751748851119) : int64; - secret (@repr WORDSIZE64 11298218755092433038) : int64 - ] in l). - -Definition g1_xnum_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 580186936973955012) : int64; - secret (@repr WORDSIZE64 8903813505199544589) : int64; - secret (@repr WORDSIZE64 14140024565662700916) : int64; - secret (@repr WORDSIZE64 11728946595272970718) : int64; - secret (@repr WORDSIZE64 5738313744366653077) : int64; - secret (@repr WORDSIZE64 7886252005760951063) : int64 - ] in l). - -Definition g1_xnum_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1628930385436977092) : int64; - secret (@repr WORDSIZE64 3318087848058654498) : int64; - secret (@repr WORDSIZE64 15937899882900905113) : int64; - secret (@repr WORDSIZE64 7449821001803307903) : int64; - secret (@repr WORDSIZE64 11752436998487615353) : int64; - secret (@repr WORDSIZE64 9161465579737517214) : int64 - ] in l). - -Definition g1_xnum_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1167027828517898210) : int64; - secret (@repr WORDSIZE64 8275623842221021965) : int64; - secret (@repr WORDSIZE64 18049808134997311382) : int64; - secret (@repr WORDSIZE64 15351349873550116966) : int64; - secret (@repr WORDSIZE64 17769927732099571180) : int64; - secret (@repr WORDSIZE64 14584871380308065147) : int64 - ] in l). - -Definition g1_xnum_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 495550047642324592) : int64; - secret (@repr WORDSIZE64 13627494601717575229) : int64; - secret (@repr WORDSIZE64 3591512392926246844) : int64; - secret (@repr WORDSIZE64 2576269112800734056) : int64; - secret (@repr WORDSIZE64 14000314106239596831) : int64; - secret (@repr WORDSIZE64 12234233096825917993) : int64 - ] in l). - -Definition g1_xden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 633474091881273774) : int64; - secret (@repr WORDSIZE64 1779737893574802031) : int64; - secret (@repr WORDSIZE64 132274872219551930) : int64; - secret (@repr WORDSIZE64 11283074393783708770) : int64; - secret (@repr WORDSIZE64 13067430171545714168) : int64; - secret (@repr WORDSIZE64 11041975239630265116) : int64 - ] in l). - -Definition g1_xden_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1321272531362356291) : int64; - secret (@repr WORDSIZE64 5238936591227237942) : int64; - secret (@repr WORDSIZE64 8089002360232247308) : int64; - secret (@repr WORDSIZE64 82967328719421271) : int64; - secret (@repr WORDSIZE64 1430641118356186857) : int64; - secret (@repr WORDSIZE64 16557527386785790975) : int64 - ] in l). - -Definition g1_xden_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 804282852993868382) : int64; - secret (@repr WORDSIZE64 9311163821600184607) : int64; - secret (@repr WORDSIZE64 8037026956533927121) : int64; - secret (@repr WORDSIZE64 18205324308570099372) : int64; - secret (@repr WORDSIZE64 15466434890074226396) : int64; - secret (@repr WORDSIZE64 18213183315621985817) : int64 - ] in l). - -Definition g1_xden_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 234844145893171966) : int64; - secret (@repr WORDSIZE64 14428037799351479124) : int64; - secret (@repr WORDSIZE64 6559532710647391569) : int64; - secret (@repr WORDSIZE64 6110444250091843536) : int64; - secret (@repr WORDSIZE64 5293652763671852484) : int64; - secret (@repr WORDSIZE64 1373009181854280920) : int64 - ] in l). - -Definition g1_xden_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1416629893867312296) : int64; - secret (@repr WORDSIZE64 751851957792514173) : int64; - secret (@repr WORDSIZE64 18437674587247370939) : int64; - secret (@repr WORDSIZE64 10190314345946351322) : int64; - secret (@repr WORDSIZE64 11228207967368476701) : int64; - secret (@repr WORDSIZE64 6025034940388909598) : int64 - ] in l). - -Definition g1_xden_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1041270466333271993) : int64; - secret (@repr WORDSIZE64 6140956605115975401) : int64; - secret (@repr WORDSIZE64 4131830461445745997) : int64; - secret (@repr WORDSIZE64 739642499118176303) : int64; - secret (@repr WORDSIZE64 8358912131254619921) : int64; - secret (@repr WORDSIZE64 13847998906088228005) : int64 - ] in l). - -Definition g1_xden_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 536714149743900185) : int64; - secret (@repr WORDSIZE64 1098328982230230817) : int64; - secret (@repr WORDSIZE64 6273329123533496713) : int64; - secret (@repr WORDSIZE64 5633448088282521244) : int64; - secret (@repr WORDSIZE64 16894043798660571244) : int64; - secret (@repr WORDSIZE64 17016134625831438906) : int64 - ] in l). - -Definition g1_xden_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1488347500898461874) : int64; - secret (@repr WORDSIZE64 3509418672874520985) : int64; - secret (@repr WORDSIZE64 7962192351555381416) : int64; - secret (@repr WORDSIZE64 1843909372225399896) : int64; - secret (@repr WORDSIZE64 1127511003250156243) : int64; - secret (@repr WORDSIZE64 1294742680819751518) : int64 - ] in l). - -Definition g1_xden_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 725340084226051970) : int64; - secret (@repr WORDSIZE64 6814521545734988748) : int64; - secret (@repr WORDSIZE64 16176803544133875307) : int64; - secret (@repr WORDSIZE64 8363199516777220149) : int64; - secret (@repr WORDSIZE64 252877309218538352) : int64; - secret (@repr WORDSIZE64 5149562959837648449) : int64 - ] in l). - -Definition g1_xden_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 675470927100193492) : int64; - secret (@repr WORDSIZE64 5146891164735334016) : int64; - secret (@repr WORDSIZE64 17762958817130696759) : int64; - secret (@repr WORDSIZE64 8565656522589412373) : int64; - secret (@repr WORDSIZE64 10599026333335446784) : int64; - secret (@repr WORDSIZE64 3270603789344496906) : int64 - ] in l). - -Definition g1_ynum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 652344406751465184) : int64; - secret (@repr WORDSIZE64 2710356675495255290) : int64; - secret (@repr WORDSIZE64 1273695771440998738) : int64; - secret (@repr WORDSIZE64 3121750372618945491) : int64; - secret (@repr WORDSIZE64 14775319642720936898) : int64; - secret (@repr WORDSIZE64 13733803417833814835) : int64 - ] in l). - -Definition g1_ynum_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1389807578337138705) : int64; - secret (@repr WORDSIZE64 15352831428748068483) : int64; - secret (@repr WORDSIZE64 1307144967559264317) : int64; - secret (@repr WORDSIZE64 1121505450578652468) : int64; - secret (@repr WORDSIZE64 15475889019760388287) : int64; - secret (@repr WORDSIZE64 16183658160488302230) : int64 - ] in l). - -Definition g1_ynum_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 57553299067792998) : int64; - secret (@repr WORDSIZE64 17628079362768849300) : int64; - secret (@repr WORDSIZE64 2689461337731570914) : int64; - secret (@repr WORDSIZE64 14070580367580990887) : int64; - secret (@repr WORDSIZE64 15162865775551710499) : int64; - secret (@repr WORDSIZE64 13321614990632673782) : int64 - ] in l). - -Definition g1_ynum_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 141972750621744161) : int64; - secret (@repr WORDSIZE64 8689824239172478807) : int64; - secret (@repr WORDSIZE64 15288216298323671324) : int64; - secret (@repr WORDSIZE64 712874875091754233) : int64; - secret (@repr WORDSIZE64 16014900032503684588) : int64; - secret (@repr WORDSIZE64 11976580453200426187) : int64 - ] in l). - -Definition g1_ynum_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 633886036738506515) : int64; - secret (@repr WORDSIZE64 6678644607214234052) : int64; - secret (@repr WORDSIZE64 1825425679455244472) : int64; - secret (@repr WORDSIZE64 8755912272271186652) : int64; - secret (@repr WORDSIZE64 3379943669301788840) : int64; - secret (@repr WORDSIZE64 4735212769449148123) : int64 - ] in l). - -Definition g1_ynum_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1612358804494830442) : int64; - secret (@repr WORDSIZE64 2454990789666711200) : int64; - secret (@repr WORDSIZE64 8405916841409361853) : int64; - secret (@repr WORDSIZE64 8525415512662168654) : int64; - secret (@repr WORDSIZE64 2323684950984523890) : int64; - secret (@repr WORDSIZE64 11074978966450447856) : int64 - ] in l). - -Definition g1_ynum_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 336375361001233340) : int64; - secret (@repr WORDSIZE64 12882959944969186108) : int64; - secret (@repr WORDSIZE64 16671121624101127371) : int64; - secret (@repr WORDSIZE64 5922586712221110071) : int64; - secret (@repr WORDSIZE64 5163511947597922654) : int64; - secret (@repr WORDSIZE64 14511152726087948018) : int64 - ] in l). - -Definition g1_ynum_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 686738286210365551) : int64; - secret (@repr WORDSIZE64 16039894141796533876) : int64; - secret (@repr WORDSIZE64 1660145734357211167) : int64; - secret (@repr WORDSIZE64 18231571463891878950) : int64; - secret (@repr WORDSIZE64 4825120264949852469) : int64; - secret (@repr WORDSIZE64 11627815551290637097) : int64 - ] in l). - -Definition g1_ynum_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 719520515476580427) : int64; - secret (@repr WORDSIZE64 16756942182913253819) : int64; - secret (@repr WORDSIZE64 10320769399998235244) : int64; - secret (@repr WORDSIZE64 2200974244968450750) : int64; - secret (@repr WORDSIZE64 7626373186594408355) : int64; - secret (@repr WORDSIZE64 6933025920263103879) : int64 - ] in l). - -Definition g1_ynum_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1016611174344998325) : int64; - secret (@repr WORDSIZE64 2466492548686891555) : int64; - secret (@repr WORDSIZE64 14135124294293452542) : int64; - secret (@repr WORDSIZE64 475233659467912251) : int64; - secret (@repr WORDSIZE64 11186783513499056751) : int64; - secret (@repr WORDSIZE64 3147922594245844016) : int64 - ] in l). - -Definition g1_ynum_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1833315000454533566) : int64; - secret (@repr WORDSIZE64 1007974600900082579) : int64; - secret (@repr WORDSIZE64 14785260176242854207) : int64; - secret (@repr WORDSIZE64 15066861003931772432) : int64; - secret (@repr WORDSIZE64 3584647998681889532) : int64; - secret (@repr WORDSIZE64 16722834201330696498) : int64 - ] in l). - -Definition g1_ynum_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1780164921828767454) : int64; - secret (@repr WORDSIZE64 13337622794239929804) : int64; - secret (@repr WORDSIZE64 5923739534552515142) : int64; - secret (@repr WORDSIZE64 3345046972101780530) : int64; - secret (@repr WORDSIZE64 5321510883028162054) : int64; - secret (@repr WORDSIZE64 14846055306840460686) : int64 - ] in l). - -Definition g1_ynum_k_12_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 799438051374502809) : int64; - secret (@repr WORDSIZE64 15083972834952036164) : int64; - secret (@repr WORDSIZE64 8838227588559581326) : int64; - secret (@repr WORDSIZE64 13846054168121598783) : int64; - secret (@repr WORDSIZE64 488730451382505970) : int64; - secret (@repr WORDSIZE64 958146249756188408) : int64 - ] in l). - -Definition g1_ynum_k_13_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 163716820423854747) : int64; - secret (@repr WORDSIZE64 8285498163857659356) : int64; - secret (@repr WORDSIZE64 8465424830341846400) : int64; - secret (@repr WORDSIZE64 1433942577299613084) : int64; - secret (@repr WORDSIZE64 14325828012864645732) : int64; - secret (@repr WORDSIZE64 4817114329354076467) : int64 - ] in l). - -Definition g1_ynum_k_14_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 414658151749832465) : int64; - secret (@repr WORDSIZE64 189531577938912252) : int64; - secret (@repr WORDSIZE64 6802473390048830824) : int64; - secret (@repr WORDSIZE64 15684647020317539556) : int64; - secret (@repr WORDSIZE64 7755485098777620407) : int64; - secret (@repr WORDSIZE64 9685868895687483979) : int64 - ] in l). - -Definition g1_ynum_k_15_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1578157964224562126) : int64; - secret (@repr WORDSIZE64 5666948055268535989) : int64; - secret (@repr WORDSIZE64 14634479491382401593) : int64; - secret (@repr WORDSIZE64 6317940024988860850) : int64; - secret (@repr WORDSIZE64 13142913832013798519) : int64; - secret (@repr WORDSIZE64 338991247778166276) : int64 - ] in l). - -Definition g1_yden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1590100849350973618) : int64; - secret (@repr WORDSIZE64 5915497081334721257) : int64; - secret (@repr WORDSIZE64 6924968209373727718) : int64; - secret (@repr WORDSIZE64 17204633670617869946) : int64; - secret (@repr WORDSIZE64 572916540828819565) : int64; - secret (@repr WORDSIZE64 92203205520679873) : int64 - ] in l). - -Definition g1_yden_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1829261189398470686) : int64; - secret (@repr WORDSIZE64 1877083417397643448) : int64; - secret (@repr WORDSIZE64 9640042925497046428) : int64; - secret (@repr WORDSIZE64 11862766565471805471) : int64; - secret (@repr WORDSIZE64 8693114993904885301) : int64; - secret (@repr WORDSIZE64 3672140328108400701) : int64 - ] in l). - -Definition g1_yden_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 400243331105348135) : int64; - secret (@repr WORDSIZE64 8046435537999802711) : int64; - secret (@repr WORDSIZE64 8702226981475745585) : int64; - secret (@repr WORDSIZE64 879791671491744492) : int64; - secret (@repr WORDSIZE64 11994630442058346377) : int64; - secret (@repr WORDSIZE64 2172204746352322546) : int64 - ] in l). - -Definition g1_yden_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1637008473169220501) : int64; - secret (@repr WORDSIZE64 17441636237435581649) : int64; - secret (@repr WORDSIZE64 15066165676546511630) : int64; - secret (@repr WORDSIZE64 1314387578457599809) : int64; - secret (@repr WORDSIZE64 8247046336453711789) : int64; - secret (@repr WORDSIZE64 12164906044230685718) : int64 - ] in l). - -Definition g1_yden_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 855930740911588324) : int64; - secret (@repr WORDSIZE64 12685735333705453020) : int64; - secret (@repr WORDSIZE64 14326404096614579120) : int64; - secret (@repr WORDSIZE64 6066025509460822294) : int64; - secret (@repr WORDSIZE64 11676450493790612973) : int64; - secret (@repr WORDSIZE64 15724621714793234461) : int64 - ] in l). - -Definition g1_yden_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 637792788410719021) : int64; - secret (@repr WORDSIZE64 11507373155986977154) : int64; - secret (@repr WORDSIZE64 13186912195705886849) : int64; - secret (@repr WORDSIZE64 14262012144631372388) : int64; - secret (@repr WORDSIZE64 5328758613570342114) : int64; - secret (@repr WORDSIZE64 199925847119476652) : int64 - ] in l). - -Definition g1_yden_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1612297190139091759) : int64; - secret (@repr WORDSIZE64 14103733843373163083) : int64; - secret (@repr WORDSIZE64 6840121186619029743) : int64; - secret (@repr WORDSIZE64 6760859324815900753) : int64; - secret (@repr WORDSIZE64 15418807805142572985) : int64; - secret (@repr WORDSIZE64 4402853133867972444) : int64 - ] in l). - -Definition g1_yden_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1631410310868805610) : int64; - secret (@repr WORDSIZE64 269334146695233390) : int64; - secret (@repr WORDSIZE64 16547411811928854487) : int64; - secret (@repr WORDSIZE64 18353100669930795314) : int64; - secret (@repr WORDSIZE64 13339932232668798692) : int64; - secret (@repr WORDSIZE64 6984591927261867737) : int64 - ] in l). - -Definition g1_yden_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1758313625630302499) : int64; - secret (@repr WORDSIZE64 1881349400343039172) : int64; - secret (@repr WORDSIZE64 18013005311323887904) : int64; - secret (@repr WORDSIZE64 12377427846571989832) : int64; - secret (@repr WORDSIZE64 5967237584920922243) : int64; - secret (@repr WORDSIZE64 7720081932193848650) : int64 - ] in l). - -Definition g1_yden_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1619701357752249884) : int64; - secret (@repr WORDSIZE64 16898074901591262352) : int64; - secret (@repr WORDSIZE64 3609344159736760251) : int64; - secret (@repr WORDSIZE64 5983130161189999867) : int64; - secret (@repr WORDSIZE64 14355327869992416094) : int64; - secret (@repr WORDSIZE64 3778226018344582997) : int64 - ] in l). - -Definition g1_yden_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 347606589330687421) : int64; - secret (@repr WORDSIZE64 5255719044972187933) : int64; - secret (@repr WORDSIZE64 11271894388753671721) : int64; - secret (@repr WORDSIZE64 1033887512062764488) : int64; - secret (@repr WORDSIZE64 8189165486932690436) : int64; - secret (@repr WORDSIZE64 70004379462101672) : int64 - ] in l). - -Definition g1_yden_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 778202887894139711) : int64; - secret (@repr WORDSIZE64 17691595219776375879) : int64; - secret (@repr WORDSIZE64 9193253711563866834) : int64; - secret (@repr WORDSIZE64 10092455202333888821) : int64; - secret (@repr WORDSIZE64 1655469341950262250) : int64; - secret (@repr WORDSIZE64 10845992994110574738) : int64 - ] in l). - -Definition g1_yden_k_12_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 781015344221683683) : int64; - secret (@repr WORDSIZE64 14078588081290548374) : int64; - secret (@repr WORDSIZE64 6067271023149908518) : int64; - secret (@repr WORDSIZE64 9033357708497886086) : int64; - secret (@repr WORDSIZE64 10592474449179118273) : int64; - secret (@repr WORDSIZE64 2204988348113831372) : int64 - ] in l). - -Definition g1_yden_k_13_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 172830037692534587) : int64; - secret (@repr WORDSIZE64 7101012286790006514) : int64; - secret (@repr WORDSIZE64 13787308004332873665) : int64; - secret (@repr WORDSIZE64 14660498759553796110) : int64; - secret (@repr WORDSIZE64 4757234684169342080) : int64; - secret (@repr WORDSIZE64 15130647872920159991) : int64 - ] in l). - -Definition g1_yden_k_14_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1013206390650290238) : int64; - secret (@repr WORDSIZE64 7720336747103001025) : int64; - secret (@repr WORDSIZE64 8197694151986493523) : int64; - secret (@repr WORDSIZE64 3625112747029342752) : int64; - secret (@repr WORDSIZE64 6675167463148394368) : int64; - secret (@repr WORDSIZE64 4905905684016745359) : int64 - ] in l). - -Definition g1_simple_swu_iso (u_1882 : fp_t) : (fp_t '× fp_t) := - let z_1883 : fp_t := - nat_mod_from_literal (_) (@repr WORDSIZE128 11) : fp_t in - let a_1884 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_a_v)) : fp_t in - let b_1885 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_b_v)) : fp_t in - let tv1_1886 : fp_t := - nat_mod_inv ((((z_1883) *% (z_1883)) *% (nat_mod_exp (u_1882) ( - @repr WORDSIZE32 4))) +% (((z_1883) *% (u_1882)) *% (u_1882))) in - let x1_1887 : fp_t := - (((nat_mod_zero ) -% (b_1885)) *% (nat_mod_inv (a_1884))) *% (( - nat_mod_one ) +% (tv1_1886)) in - let '(x1_1887) := - if (tv1_1886) =.? (nat_mod_zero ):bool then (let x1_1887 := - (b_1885) *% (nat_mod_inv ((z_1883) *% (a_1884))) in - (x1_1887)) else ((x1_1887)) in - let gx1_1888 : fp_t := - ((nat_mod_exp (x1_1887) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( - x1_1887))) +% (b_1885) in - let x2_1889 : fp_t := - (((z_1883) *% (u_1882)) *% (u_1882)) *% (x1_1887) in - let gx2_1890 : fp_t := - ((nat_mod_exp (x2_1889) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( - x2_1889))) +% (b_1885) in - let '(x_1891, y_1892) := - (if (fp_is_square (gx1_1888)):bool then ((x1_1887, fp_sqrt (gx1_1888) - )) else ((x2_1889, fp_sqrt (gx2_1890)))) in - let '(y_1892) := - if (fp_sgn0 (u_1882)) !=.? (fp_sgn0 (y_1892)):bool then (let y_1892 := - (nat_mod_zero ) -% (y_1892) in - (y_1892)) else ((y_1892)) in - (x_1891, y_1892). - -Definition g1_isogeny_map (x_1893 : fp_t) (y_1894 : fp_t) : g1_t := - let xnum_k_1895 : seq fp_t := - seq_new_ (default : fp_t) (usize 12) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_0_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_1_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_2_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_3_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_4_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_5_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_6_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_7_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_8_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_9_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_xnum_k_10_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_xnum_k_11_v)) : fp_t) in - let xden_k_1896 : seq fp_t := - seq_new_ (default : fp_t) (usize 10) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_0_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_1_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_2_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_3_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_4_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_5_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_6_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_7_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_8_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_9_v)) : fp_t) in - let ynum_k_1897 : seq fp_t := - seq_new_ (default : fp_t) (usize 16) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_0_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_1_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_2_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_3_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_4_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_5_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_6_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_7_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_8_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_9_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_10_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_11_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 12) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_12_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 13) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_13_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 14) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_14_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 15) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_15_v)) : fp_t) in - let yden_k_1898 : seq fp_t := - seq_new_ (default : fp_t) (usize 15) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_0_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_1_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_2_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_3_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_4_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_5_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_6_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_7_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_8_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_9_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_10_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_11_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 12) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_12_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 13) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_13_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 14) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_14_v)) : fp_t) in - let xnum_1899 : fp_t := - nat_mod_zero in - let xx_1900 : fp_t := - nat_mod_one in - let '(xnum_1899, xx_1900) := - foldi (usize 0) (seq_len (xnum_k_1895)) (fun i_1901 '(xnum_1899, xx_1900) => - let xnum_1899 := - (xnum_1899) +% ((xx_1900) *% (seq_index (xnum_k_1895) (i_1901))) in - let xx_1900 := - (xx_1900) *% (x_1893) in - (xnum_1899, xx_1900)) - (xnum_1899, xx_1900) in - let xden_1902 : fp_t := - nat_mod_zero in - let xx_1903 : fp_t := - nat_mod_one in - let '(xden_1902, xx_1903) := - foldi (usize 0) (seq_len (xden_k_1896)) (fun i_1904 '(xden_1902, xx_1903) => - let xden_1902 := - (xden_1902) +% ((xx_1903) *% (seq_index (xden_k_1896) (i_1904))) in - let xx_1903 := - (xx_1903) *% (x_1893) in - (xden_1902, xx_1903)) - (xden_1902, xx_1903) in - let xden_1902 := - (xden_1902) +% (xx_1903) in - let ynum_1905 : fp_t := - nat_mod_zero in - let xx_1906 : fp_t := - nat_mod_one in - let '(ynum_1905, xx_1906) := - foldi (usize 0) (seq_len (ynum_k_1897)) (fun i_1907 '(ynum_1905, xx_1906) => - let ynum_1905 := - (ynum_1905) +% ((xx_1906) *% (seq_index (ynum_k_1897) (i_1907))) in - let xx_1906 := - (xx_1906) *% (x_1893) in - (ynum_1905, xx_1906)) - (ynum_1905, xx_1906) in - let yden_1908 : fp_t := - nat_mod_zero in - let xx_1909 : fp_t := - nat_mod_one in - let '(yden_1908, xx_1909) := - foldi (usize 0) (seq_len (yden_k_1898)) (fun i_1910 '(yden_1908, xx_1909) => - let yden_1908 := - (yden_1908) +% ((xx_1909) *% (seq_index (yden_k_1898) (i_1910))) in - let xx_1909 := - (xx_1909) *% (x_1893) in - (yden_1908, xx_1909)) - (yden_1908, xx_1909) in - let yden_1908 := - (yden_1908) +% (xx_1909) in - let xr_1911 : fp_t := - (xnum_1899) *% (nat_mod_inv (xden_1902)) in - let yr_1912 : fp_t := - ((y_1894) *% (ynum_1905)) *% (nat_mod_inv (yden_1908)) in - let inf_1913 : bool := - false in - let '(inf_1913) := - if ((xden_1902) =.? (nat_mod_zero )) || ((yden_1908) =.? ( - nat_mod_zero )):bool then (let inf_1913 := - true in - (inf_1913)) else ((inf_1913)) in - (xr_1911, yr_1912, inf_1913). - -Definition g1_map_to_curve_sswu (u_1914 : fp_t) : g1_t := - let '(xp_1915, yp_1916) := - g1_simple_swu_iso (u_1914) in - let p_1917 : (fp_t '× fp_t '× bool) := - g1_isogeny_map (xp_1915) (yp_1916) in - p_1917. - -Definition g1_hash_to_curve_sswu - (msg_1918 : byte_seq) - (dst_1919 : byte_seq) - : g1_t := - let u_1920 : seq fp_t := - fp_hash_to_field (msg_1918) (dst_1919) (usize 2) in - let q0_1921 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_sswu (seq_index (u_1920) (usize 0)) in - let q1_1922 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_sswu (seq_index (u_1920) (usize 1)) in - let r_1923 : (fp_t '× fp_t '× bool) := - g1add (q0_1921) (q1_1922) in - let p_1924 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (r_1923) in - p_1924. - -Definition g1_encode_to_curve_sswu - (msg_1925 : byte_seq) - (dst_1926 : byte_seq) - : g1_t := - let u_1927 : seq fp_t := - fp_hash_to_field (msg_1925) (dst_1926) (usize 1) in - let q_1928 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_sswu (seq_index (u_1927) (usize 0)) in - let p_1929 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (q_1928) in - p_1929. - -Definition g2_xnum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 416399692810564414) : int64; - secret (@repr WORDSIZE64 13500519111022079365) : int64; - secret (@repr WORDSIZE64 3658379999393219626) : int64; - secret (@repr WORDSIZE64 9850925049107374429) : int64; - secret (@repr WORDSIZE64 6640057249351452444) : int64; - secret (@repr WORDSIZE64 7077594464397203414) : int64 - ] in l). - -Definition g2_xnum_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058522) : int64 - ] in l). - -Definition g2_xnum_k_2_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058526) : int64 - ] in l). - -Definition g2_xnum_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 624599539215846622) : int64; - secret (@repr WORDSIZE64 1804034592823567431) : int64; - secret (@repr WORDSIZE64 14710942035944605247) : int64; - secret (@repr WORDSIZE64 14776387573661061644) : int64; - secret (@repr WORDSIZE64 736713837172402858) : int64; - secret (@repr WORDSIZE64 10616391696595805069) : int64 - ] in l). - -Definition g2_xnum_k_3_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1665598771242257658) : int64; - secret (@repr WORDSIZE64 17108588296669214228) : int64; - secret (@repr WORDSIZE64 14633519997572878506) : int64; - secret (@repr WORDSIZE64 2510212049010394485) : int64; - secret (@repr WORDSIZE64 8113484923696258161) : int64; - secret (@repr WORDSIZE64 9863633783879261905) : int64 - ] in l). - -Definition g2_xden_k_0_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863523) : int64 - ] in l). - -Definition g2_xden_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863583) : int64 - ] in l). - -Definition g2_ynum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1526798873638736187) : int64; - secret (@repr WORDSIZE64 6459500568425337235) : int64; - secret (@repr WORDSIZE64 1116230615302104219) : int64; - secret (@repr WORDSIZE64 17673314439684154624) : int64; - secret (@repr WORDSIZE64 18197961889718808424) : int64; - secret (@repr WORDSIZE64 1355520937843676934) : int64 - ] in l). - -Definition g2_ynum_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 416399692810564414) : int64; - secret (@repr WORDSIZE64 13500519111022079365) : int64; - secret (@repr WORDSIZE64 3658379999393219626) : int64; - secret (@repr WORDSIZE64 9850925049107374429) : int64; - secret (@repr WORDSIZE64 6640057249351452444) : int64; - secret (@repr WORDSIZE64 7077594464397203390) : int64 - ] in l). - -Definition g2_ynum_k_2_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058524) : int64 - ] in l). - -Definition g2_ynum_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 624599539215846622) : int64; - secret (@repr WORDSIZE64 1804034592823567431) : int64; - secret (@repr WORDSIZE64 14710942035944605247) : int64; - secret (@repr WORDSIZE64 14776387573661061644) : int64; - secret (@repr WORDSIZE64 736713837172402858) : int64; - secret (@repr WORDSIZE64 10616391696595805071) : int64 - ] in l). - -Definition g2_ynum_k_3_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1318599027233453979) : int64; - secret (@repr WORDSIZE64 18155985086623849168) : int64; - secret (@repr WORDSIZE64 8510412652460270214) : int64; - secret (@repr WORDSIZE64 12747851915130467410) : int64; - secret (@repr WORDSIZE64 5654561228188306393) : int64; - secret (@repr WORDSIZE64 16263467779354626832) : int64 - ] in l). - -Definition g2_yden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863163) : int64 - ] in l). - -Definition g2_yden_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863379) : int64 - ] in l). - -Definition g2_yden_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863577) : int64 - ] in l). - -Definition g2_simple_swu_iso (u_1930 : fp2_t) : (fp2_t '× fp2_t) := - let z_1931 : (fp_t '× fp_t) := - fp2neg ((nat_mod_two , nat_mod_one )) in - let a_1932 : (fp_t '× fp_t) := - (nat_mod_zero , nat_mod_from_literal (_) (@repr WORDSIZE128 240) : fp_t) in - let b_1933 : (fp_t '× fp_t) := - ( - nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t, - nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t - ) in - let tv1_1934 : (fp_t '× fp_t) := - fp2inv (fp2add (fp2mul (fp2mul (z_1931) (z_1931)) (fp2mul (fp2mul (u_1930) ( - u_1930)) (fp2mul (u_1930) (u_1930)))) (fp2mul (z_1931) (fp2mul ( - u_1930) (u_1930)))) in - let x1_1935 : (fp_t '× fp_t) := - fp2mul (fp2mul (fp2neg (b_1933)) (fp2inv (a_1932))) (fp2add (fp2fromfp ( - nat_mod_one )) (tv1_1934)) in - let '(x1_1935) := - if (tv1_1934) =.? (fp2zero ):bool then (let x1_1935 := - fp2mul (b_1933) (fp2inv (fp2mul (z_1931) (a_1932))) in - (x1_1935)) else ((x1_1935)) in - let gx1_1936 : (fp_t '× fp_t) := - fp2add (fp2add (fp2mul (fp2mul (x1_1935) (x1_1935)) (x1_1935)) (fp2mul ( - a_1932) (x1_1935))) (b_1933) in - let x2_1937 : (fp_t '× fp_t) := - fp2mul (fp2mul (z_1931) (fp2mul (u_1930) (u_1930))) (x1_1935) in - let gx2_1938 : (fp_t '× fp_t) := - fp2add (fp2add (fp2mul (fp2mul (x2_1937) (x2_1937)) (x2_1937)) (fp2mul ( - a_1932) (x2_1937))) (b_1933) in - let '(x_1939, y_1940) := - (if (fp2_is_square (gx1_1936)):bool then ((x1_1935, fp2_sqrt (gx1_1936) - )) else ((x2_1937, fp2_sqrt (gx2_1938)))) in - let '(y_1940) := - if (fp2_sgn0 (u_1930)) !=.? (fp2_sgn0 (y_1940)):bool then (let y_1940 := - fp2neg (y_1940) in - (y_1940)) else ((y_1940)) in - (x_1939, y_1940). - -Definition g2_isogeny_map (x_1941 : fp2_t) (y_1942 : fp2_t) : g2_t := - let xnum_k_1943 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 4) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t - )) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_1_i_v)) : fp_t - )) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 2) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_r_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_i_v)) : fp_t - )) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 3) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_3_r_v)) : fp_t, - nat_mod_zero - )) in - let xden_k_1944 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 2) in - let xden_k_1944 := - seq_upd xden_k_1944 (usize 0) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_0_i_v)) : fp_t - )) in - let xden_k_1944 := - seq_upd xden_k_1944 (usize 1) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 12) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_1_i_v)) : fp_t - )) in - let ynum_k_1945 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 4) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t - )) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_1_i_v)) : fp_t - )) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 2) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_r_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_i_v)) : fp_t - )) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 3) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_3_r_v)) : fp_t, - nat_mod_zero - )) in - let yden_k_1946 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 3) in - let yden_k_1946 := - seq_upd yden_k_1946 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t - )) in - let yden_k_1946 := - seq_upd yden_k_1946 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_1_i_v)) : fp_t - )) in - let yden_k_1946 := - seq_upd yden_k_1946 (usize 2) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 18) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_2_i_v)) : fp_t - )) in - let xnum_1947 : (fp_t '× fp_t) := - fp2zero in - let xx_1948 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(xnum_1947, xx_1948) := - foldi (usize 0) (seq_len (xnum_k_1943)) (fun i_1949 '(xnum_1947, xx_1948) => - let xnum_1947 := - fp2add (xnum_1947) (fp2mul (xx_1948) (seq_index (xnum_k_1943) ( - i_1949))) in - let xx_1948 := - fp2mul (xx_1948) (x_1941) in - (xnum_1947, xx_1948)) - (xnum_1947, xx_1948) in - let xden_1950 : (fp_t '× fp_t) := - fp2zero in - let xx_1951 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(xden_1950, xx_1951) := - foldi (usize 0) (seq_len (xden_k_1944)) (fun i_1952 '(xden_1950, xx_1951) => - let xden_1950 := - fp2add (xden_1950) (fp2mul (xx_1951) (seq_index (xden_k_1944) ( - i_1952))) in - let xx_1951 := - fp2mul (xx_1951) (x_1941) in - (xden_1950, xx_1951)) - (xden_1950, xx_1951) in - let xden_1950 := - fp2add (xden_1950) (xx_1951) in - let ynum_1953 : (fp_t '× fp_t) := - fp2zero in - let xx_1954 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(ynum_1953, xx_1954) := - foldi (usize 0) (seq_len (ynum_k_1945)) (fun i_1955 '(ynum_1953, xx_1954) => - let ynum_1953 := - fp2add (ynum_1953) (fp2mul (xx_1954) (seq_index (ynum_k_1945) ( - i_1955))) in - let xx_1954 := - fp2mul (xx_1954) (x_1941) in - (ynum_1953, xx_1954)) - (ynum_1953, xx_1954) in - let yden_1956 : (fp_t '× fp_t) := - fp2zero in - let xx_1957 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(yden_1956, xx_1957) := - foldi (usize 0) (seq_len (yden_k_1946)) (fun i_1958 '(yden_1956, xx_1957) => - let yden_1956 := - fp2add (yden_1956) (fp2mul (xx_1957) (seq_index (yden_k_1946) ( - i_1958))) in - let xx_1957 := - fp2mul (xx_1957) (x_1941) in - (yden_1956, xx_1957)) - (yden_1956, xx_1957) in - let yden_1956 := - fp2add (yden_1956) (xx_1957) in - let xr_1959 : (fp_t '× fp_t) := - fp2mul (xnum_1947) (fp2inv (xden_1950)) in - let yr_1960 : (fp_t '× fp_t) := - fp2mul (y_1942) (fp2mul (ynum_1953) (fp2inv (yden_1956))) in - let inf_1961 : bool := - false in - let '(inf_1961) := - if ((xden_1950) =.? (fp2zero )) || ((yden_1956) =.? (fp2zero )):bool then ( - let inf_1961 := - true in - (inf_1961)) else ((inf_1961)) in - (xr_1959, yr_1960, inf_1961). - -Definition g2_map_to_curve_sswu (u_1962 : fp2_t) : g2_t := - let '(xp_1963, yp_1964) := - g2_simple_swu_iso (u_1962) in - let p_1965 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_isogeny_map (xp_1963) (yp_1964) in - p_1965. - -Definition g2_hash_to_curve_sswu - (msg_1966 : byte_seq) - (dst_1967 : byte_seq) - : g2_t := - let u_1968 : seq fp2_t := - fp2_hash_to_field (msg_1966) (dst_1967) (usize 2) in - let q0_1969 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_sswu (seq_index (u_1968) (usize 0)) in - let q1_1970 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_sswu (seq_index (u_1968) (usize 1)) in - let r_1971 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (q0_1969) (q1_1970) in - let p_1972 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (r_1971) in - p_1972. - -Definition g2_encode_to_curve_sswu - (msg_1973 : byte_seq) - (dst_1974 : byte_seq) - : g2_t := - let u_1975 : seq fp2_t := - fp2_hash_to_field (msg_1973) (dst_1974) (usize 1) in - let q_1976 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_sswu (seq_index (u_1975) (usize 0)) in - let p_1977 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (q_1976) in - p_1977. - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Chacha20.v b/proof-libs/coq/coq/_vc/Hacspec_Chacha20.v deleted file mode 100644 index a44b16a43..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Chacha20.v +++ /dev/null @@ -1,223 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition state_t := nseq (uint32) (usize 16). - -Definition state_idx_t := - nat_mod (usize 16). -Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. -Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. - -Definition constants_t := nseq (uint32) (usize 4). - -Definition constants_idx_t := - nat_mod (usize 4). -Definition uint_size_in_constants_idx_t(n : uint_size) : constants_idx_t := int_in_nat_mod n. -Coercion uint_size_in_constants_idx_t : uint_size >-> constants_idx_t. - -Definition block_t := nseq (uint8) (usize 64). - -Definition cha_cha_iv_t := nseq (uint8) (usize 12). - -Definition cha_cha_key_t := nseq (uint8) (usize 32). - -Definition chacha20_line - (a_345 : state_idx_t) - (b_346 : state_idx_t) - (d_347 : state_idx_t) - (s_348 : uint_size) - (m_349 : state_t) - : state_t := - let state_350 : state_t := - m_349 in - let state_350 := - array_upd state_350 (a_345) ((array_index (state_350) (a_345)) .+ ( - array_index (state_350) (b_346))) in - let state_350 := - array_upd state_350 (d_347) ((array_index (state_350) (d_347)) .^ ( - array_index (state_350) (a_345))) in - let state_350 := - array_upd state_350 (d_347) (uint32_rotate_left (array_index (state_350) ( - d_347)) (s_348)) in - state_350. - -Definition chacha20_quarter_round - (a_351 : state_idx_t) - (b_352 : state_idx_t) - (c_353 : state_idx_t) - (d_354 : state_idx_t) - (state_355 : state_t) - : state_t := - let state_356 : state_t := - chacha20_line (a_351) (b_352) (d_354) (usize 16) (state_355) in - let state_357 : state_t := - chacha20_line (c_353) (d_354) (b_352) (usize 12) (state_356) in - let state_358 : state_t := - chacha20_line (a_351) (b_352) (d_354) (usize 8) (state_357) in - chacha20_line (c_353) (d_354) (b_352) (usize 7) (state_358). - -Definition chacha20_double_round (state_359 : state_t) : state_t := - let state_360 : state_t := - chacha20_quarter_round (usize 0) (usize 4) (usize 8) (usize 12) ( - state_359) in - let state_361 : state_t := - chacha20_quarter_round (usize 1) (usize 5) (usize 9) (usize 13) ( - state_360) in - let state_362 : state_t := - chacha20_quarter_round (usize 2) (usize 6) (usize 10) (usize 14) ( - state_361) in - let state_363 : state_t := - chacha20_quarter_round (usize 3) (usize 7) (usize 11) (usize 15) ( - state_362) in - let state_364 : state_t := - chacha20_quarter_round (usize 0) (usize 5) (usize 10) (usize 15) ( - state_363) in - let state_365 : state_t := - chacha20_quarter_round (usize 1) (usize 6) (usize 11) (usize 12) ( - state_364) in - let state_366 : state_t := - chacha20_quarter_round (usize 2) (usize 7) (usize 8) (usize 13) ( - state_365) in - chacha20_quarter_round (usize 3) (usize 4) (usize 9) (usize 14) (state_366). - -Definition chacha20_rounds (state_367 : state_t) : state_t := - let st_368 : state_t := - state_367 in - let st_368 := - foldi (usize 0) (usize 10) (fun i_369 st_368 => - let st_368 := - chacha20_double_round (st_368) in - (st_368)) - st_368 in - st_368. - -Definition chacha20_core (ctr_370 : uint32) (st0_371 : state_t) : state_t := - let state_372 : state_t := - st0_371 in - let state_372 := - array_upd state_372 (usize 12) ((array_index (state_372) (usize 12)) .+ ( - ctr_370)) in - let k_373 : state_t := - chacha20_rounds (state_372) in - (k_373) array_add (state_372). - -Definition chacha20_constants_init : constants_t := - let constants_374 : constants_t := - array_new_ (default : uint32) (4) in - let constants_374 := - array_upd constants_374 (usize 0) (secret ( - @repr WORDSIZE32 1634760805) : int32) in - let constants_374 := - array_upd constants_374 (usize 1) (secret ( - @repr WORDSIZE32 857760878) : int32) in - let constants_374 := - array_upd constants_374 (usize 2) (secret ( - @repr WORDSIZE32 2036477234) : int32) in - let constants_374 := - array_upd constants_374 (usize 3) (secret ( - @repr WORDSIZE32 1797285236) : int32) in - constants_374. - -Definition chacha20_init - (key_375 : cha_cha_key_t) - (iv_376 : cha_cha_iv_t) - (ctr_377 : uint32) - : state_t := - let st_378 : state_t := - array_new_ (default : uint32) (16) in - let st_378 := - array_update (st_378) (usize 0) ( - array_to_seq (chacha20_constants_init )) in - let st_378 := - array_update (st_378) (usize 4) (array_to_le_uint32s (key_375)) in - let st_378 := - array_upd st_378 (usize 12) (ctr_377) in - let st_378 := - array_update (st_378) (usize 13) (array_to_le_uint32s (iv_376)) in - st_378. - -Definition chacha20_key_block (state_379 : state_t) : block_t := - let state_380 : state_t := - chacha20_core (secret (@repr WORDSIZE32 0) : int32) (state_379) in - array_from_seq (64) (array_to_le_bytes (state_380)). - -Definition chacha20_key_block0 - (key_381 : cha_cha_key_t) - (iv_382 : cha_cha_iv_t) - : block_t := - let state_383 : state_t := - chacha20_init (key_381) (iv_382) (secret (@repr WORDSIZE32 0) : int32) in - chacha20_key_block (state_383). - -Definition chacha20_encrypt_block - (st0_384 : state_t) - (ctr_385 : uint32) - (plain_386 : block_t) - : block_t := - let st_387 : state_t := - chacha20_core (ctr_385) (st0_384) in - let pl_388 : state_t := - array_from_seq (16) (array_to_le_uint32s (plain_386)) in - let st_389 : state_t := - (pl_388) array_xor (st_387) in - array_from_seq (64) (array_to_le_bytes (st_389)). - -Definition chacha20_encrypt_last - (st0_390 : state_t) - (ctr_391 : uint32) - (plain_392 : byte_seq) - : byte_seq := - let b_393 : block_t := - array_new_ (default : uint8) (64) in - let b_393 := - array_update (b_393) (usize 0) (plain_392) in - let b_393 := - chacha20_encrypt_block (st0_390) (ctr_391) (b_393) in - array_slice (b_393) (usize 0) (seq_len (plain_392)). - -Definition chacha20_update (st0_394 : state_t) (m_395 : byte_seq) : byte_seq := - let blocks_out_396 : seq uint8 := - seq_new_ (default : uint8) (seq_len (m_395)) in - let n_blocks_397 : uint_size := - seq_num_exact_chunks (m_395) (usize 64) in - let blocks_out_396 := - foldi (usize 0) (n_blocks_397) (fun i_398 blocks_out_396 => - let msg_block_399 : seq uint8 := - seq_get_exact_chunk (m_395) (usize 64) (i_398) in - let b_400 : block_t := - chacha20_encrypt_block (st0_394) (secret (pub_u32 (i_398)) : int32) ( - array_from_seq (64) (msg_block_399)) in - let blocks_out_396 := - seq_set_exact_chunk (blocks_out_396) (usize 64) (i_398) ( - array_to_seq (b_400)) in - (blocks_out_396)) - blocks_out_396 in - let last_block_401 : seq uint8 := - seq_get_remainder_chunk (m_395) (usize 64) in - let '(blocks_out_396) := - if (seq_len (last_block_401)) !=.? (usize 0):bool then ( - let b_402 : seq uint8 := - chacha20_encrypt_last (st0_394) (secret (pub_u32 ( - n_blocks_397)) : int32) (last_block_401) in - let blocks_out_396 := - seq_set_chunk (blocks_out_396) (usize 64) (n_blocks_397) (b_402) in - (blocks_out_396)) else ((blocks_out_396)) in - blocks_out_396. - -Definition chacha20 - (key_403 : cha_cha_key_t) - (iv_404 : cha_cha_iv_t) - (ctr_405 : int32) - (m_406 : byte_seq) - : byte_seq := - let state_407 : state_t := - chacha20_init (key_403) (iv_404) (secret (ctr_405) : int32) in - chacha20_update (state_407) (m_406). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Chacha20poly1305.v b/proof-libs/coq/coq/_vc/Hacspec_Chacha20poly1305.v deleted file mode 100644 index 206ae34b9..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Chacha20poly1305.v +++ /dev/null @@ -1,98 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Chacha20. - -Require Import Hacspec_Poly1305. - -Inductive error_t := -| InvalidTag : error_t. - -Notation "'cha_cha_poly_key_t'" := (cha_cha_key_t) : hacspec_scope. - -Notation "'cha_cha_poly_iv_t'" := (cha_cha_iv_t) : hacspec_scope. - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Definition init - (key_408 : cha_cha_poly_key_t) - (iv_409 : cha_cha_poly_iv_t) - : poly_state_t := - let key_block0_410 : block_t := - chacha20_key_block0 (key_408) (iv_409) in - let poly_key_411 : poly_key_t := - array_from_slice (default : uint8) (32) (array_to_seq (key_block0_410)) ( - usize 0) (usize 32) in - poly1305_init (poly_key_411). - -Definition poly1305_update_padded - (m_412 : byte_seq) - (st_413 : poly_state_t) - : poly_state_t := - let st_414 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_update_blocks (m_412) (st_413) in - let last_415 : seq uint8 := - seq_get_remainder_chunk (m_412) (usize 16) in - poly1305_update_last (usize 16) (last_415) (st_414). - -Definition finish - (aad_len_416 : uint_size) - (cipher_len_417 : uint_size) - (st_418 : poly_state_t) - : poly1305_tag_t := - let last_block_419 : poly_block_t := - array_new_ (default : uint8) (16) in - let last_block_419 := - array_update (last_block_419) (usize 0) (array_to_seq (uint64_to_le_bytes ( - secret (pub_u64 (aad_len_416)) : int64))) in - let last_block_419 := - array_update (last_block_419) (usize 8) (array_to_seq (uint64_to_le_bytes ( - secret (pub_u64 (cipher_len_417)) : int64))) in - let st_420 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_update_block (last_block_419) (st_418) in - poly1305_finish (st_420). - -Definition chacha20_poly1305_encrypt - (key_421 : cha_cha_poly_key_t) - (iv_422 : cha_cha_poly_iv_t) - (aad_423 : byte_seq) - (msg_424 : byte_seq) - : (byte_seq '× poly1305_tag_t) := - let cipher_text_425 : seq uint8 := - chacha20 (key_421) (iv_422) (@repr WORDSIZE32 1) (msg_424) in - let poly_st_426 : (field_element_t '× field_element_t '× poly_key_t) := - init (key_421) (iv_422) in - let poly_st_426 := - poly1305_update_padded (aad_423) (poly_st_426) in - let poly_st_426 := - poly1305_update_padded (cipher_text_425) (poly_st_426) in - let tag_427 : poly1305_tag_t := - finish (seq_len (aad_423)) (seq_len (cipher_text_425)) (poly_st_426) in - (cipher_text_425, tag_427). - -Definition chacha20_poly1305_decrypt - (key_428 : cha_cha_poly_key_t) - (iv_429 : cha_cha_poly_iv_t) - (aad_430 : byte_seq) - (cipher_text_431 : byte_seq) - (tag_432 : poly1305_tag_t) - : byte_seq_result_t := - let poly_st_433 : (field_element_t '× field_element_t '× poly_key_t) := - init (key_428) (iv_429) in - let poly_st_433 := - poly1305_update_padded (aad_430) (poly_st_433) in - let poly_st_433 := - poly1305_update_padded (cipher_text_431) (poly_st_433) in - let my_tag_434 : poly1305_tag_t := - finish (seq_len (aad_430)) (seq_len (cipher_text_431)) (poly_st_433) in - (if (array_declassify_eq (my_tag_434) (tag_432)):bool then ( - @Ok byte_seq error_t (chacha20 (key_428) (iv_429) (@repr WORDSIZE32 1) ( - cipher_text_431))) else (@Err byte_seq error_t (InvalidTag))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Coverage_Test.v b/proof-libs/coq/coq/_vc/Hacspec_Coverage_Test.v deleted file mode 100644 index 5b3b169f5..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Coverage_Test.v +++ /dev/null @@ -1,163 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition big_integer_test : unit := - let _ : big_int_t := - big_int_zero in - let _ : big_int_t := - big_int_one in - let _ : big_int_t := - big_int_two in - let bi_2669 : big_int_t := - big_int_from_literal (@repr WORDSIZE128 1238) in - let bi_2669 := - big_int_get_bit (bi_2669) (usize 3) in - let bi_2669 := - big_int_set_bit (bi_2669) (big_int_one ) (usize 3) in - let bi_2669 := - big_int_set (bi_2669) (usize 4) (big_int_two ) (usize 2) in - let bi_2669 := - big_int_wrap_add (bi_2669) (big_int_two ) in - let bi_2669 := - big_int_wrap_sub (bi_2669) (big_int_two ) in - let bi_2669 := - big_int_wrap_mul (bi_2669) (big_int_two ) in - let _ : bool := - big_int_equal (big_int_one ) (big_int_two ) in - let bi_2669 := - big_int_sub_mod (bi_2669) (big_int_two ) (big_int_from_literal ( - @repr WORDSIZE128 4)) in - let bi_2669 := - big_int_add_mod (bi_2669) (big_int_two ) (big_int_from_literal ( - @repr WORDSIZE128 4)) in - let bi_2669 := - big_int_mul_mod (bi_2669) (big_int_two ) (big_int_from_literal ( - @repr WORDSIZE128 4)) in - let bi_2669 := - big_int_absolute (bi_2669) in - tt. - -Definition machine_integer_test : unit := - let _ : int32 := - pub_uint32_zero in - let _ : int8 := - pub_uint8_one in - let _ : int128 := - pub_uint128_two in - let mi_2670 : int16 := - pub_uint16_from_literal (@repr WORDSIZE128 1238) in - let mi_2670 := - pub_uint16_get_bit (mi_2670) (usize 3) in - let mi_2670 := - pub_uint16_set_bit (mi_2670) (pub_uint16_one ) (usize 3) in - let mi_2670 := - pub_uint16_set (mi_2670) (usize 4) (pub_uint16_two ) (usize 2) in - let mi_2670 := - pub_uint16_rotate_left (mi_2670) (@repr WORDSIZE32 4) in - let mi_2670 := - pub_uint16_rotate_right (mi_2670) (@repr WORDSIZE32 4) in - let _ : int16 := - pub_uint16_max_val in - let mi_2670 := - pub_uint16_wrap_add (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_wrap_sub (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_wrap_mul (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_exp (mi_2670) (@repr WORDSIZE32 2) in - let mi_2670 := - pub_uint16_divide (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_inv (pub_uint16_from_literal (@repr WORDSIZE128 79)) ( - pub_uint16_two ) in - let _ : bool := - pub_uint16_equal (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_greater_than (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_greater_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_less_than (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_less_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_not_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_greater_than_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_greater_than_or_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_less_than_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_less_than_or_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_sub_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( - @repr WORDSIZE128 4)) in - let mi_2670 := - pub_uint16_add_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( - @repr WORDSIZE128 4)) in - let mi_2670 := - pub_uint16_mul_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( - @repr WORDSIZE128 4)) in - let mi_2670 := - pub_uint16_absolute (mi_2670) in - let _ : uint64 := - secret (@repr WORDSIZE64 12) : int64 in - tt. - -Definition seq_test : unit := - let ns_2671 : seq int8 := - seq_with_capacity (usize 5) in - let ns_2671 := - seq_new_ (default : int8) (usize 5) in - let ns_2671 := - seq_reserve (ns_2671) (usize 10) in - let _ : uint_size := - seq_len (ns_2671) in - let ns_2671 := - seq_slice (ns_2671) (usize 0) (usize 5) in - let ns_2671 := - seq_into_slice (ns_2671) (usize 1) (usize 3) in - let ns_2671 := - seq_slice_range (ns_2671) ((usize 0, usize 2)) in - let ns_2671 := - seq_into_slice_range (ns_2671) ((usize 0, usize 1)) in - let '(ns1_2672, ns2_2673) := - seq_split_off (ns_2671) (usize 1) in - let ns1_2672 := - seq_truncate (ns1_2672) (usize 2) in - let ns2_2673 := - seq_from_slice (ns1_2672) (usize 0) (usize 1) in - let ns_2674 : seq int8 := - seq_concat (ns1_2672) (ns2_2673) in - let ns_2674 := - seq_concat_owned (ns1_2672) (ns2_2673) in - let ns_2674 := - seq_push (ns_2674) (@repr WORDSIZE8 2) in - let ns_2674 := - seq_push_owned (ns_2674) (@repr WORDSIZE8 4) in - let ns_2674 := - seq_from_slice_range (ns_2674) ((usize 0, usize 4)) in - let _ : uint_size := - seq_num_chunks (ns_2674) (usize 2) in - let _ : uint_size := - seq_num_exact_chunks (ns_2674) (usize 2) in - tt. - -Definition arr_name_t := nseq (uint64) (usize 8). - -Definition byte_arr_name_t := nseq (uint8) (usize 128). - -Definition array_test : unit := - tt. - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Curve25519.v b/proof-libs/coq/coq/_vc/Hacspec_Curve25519.v deleted file mode 100644 index 4d340a361..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Curve25519.v +++ /dev/null @@ -1,170 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition field_canvas_t := nseq (int8) (32). -Definition x25519_field_element_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. - -Notation "'point_t'" := ((x25519_field_element_t '× x25519_field_element_t -)) : hacspec_scope. - -Definition x25519_serialized_point_t := nseq (uint8) (usize 32). - -Definition x25519_serialized_scalar_t := nseq (uint8) (usize 32). - -Definition mask_scalar - (s_477 : x25519_serialized_scalar_t) - : x25519_serialized_scalar_t := - let k_478 : x25519_serialized_scalar_t := - s_477 in - let k_478 := - array_upd k_478 (usize 0) ((array_index (k_478) (usize 0)) .& (secret ( - @repr WORDSIZE8 248) : int8)) in - let k_478 := - array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - let k_478 := - array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .| (secret ( - @repr WORDSIZE8 64) : int8)) in - k_478. - -Definition decode_scalar (s_479 : x25519_serialized_scalar_t) : scalar_t := - let k_480 : x25519_serialized_scalar_t := - mask_scalar (s_479) in - nat_mod_from_byte_seq_le (array_to_seq (k_480)) : scalar_t. - -Definition decode_point (u_481 : x25519_serialized_point_t) : point_t := - let u_482 : x25519_serialized_point_t := - u_481 in - let u_482 := - array_upd u_482 (usize 31) ((array_index (u_482) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - ( - nat_mod_from_byte_seq_le (array_to_seq (u_482)) : x25519_field_element_t, - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 1) : x25519_field_element_t - ). - -Definition encode_point (p_483 : point_t) : x25519_serialized_point_t := - let '(x_484, y_485) := - p_483 in - let b_486 : x25519_field_element_t := - (x_484) *% (nat_mod_inv (y_485)) in - array_update_start (array_new_ (default : uint8) (32)) ( - nat_mod_to_byte_seq_le (b_486)). - -Definition point_add_and_double - (q_487 : point_t) - (np_488 : (point_t '× point_t)) - : (point_t '× point_t) := - let '(nq_489, nqp1_490) := - np_488 in - let '(x_1_491, z_1_492) := - q_487 in - let '(x_2_493, z_2_494) := - nq_489 in - let '(x_3_495, z_3_496) := - nqp1_490 in - let a_497 : x25519_field_element_t := - (x_2_493) +% (z_2_494) in - let aa_498 : x25519_field_element_t := - nat_mod_pow (a_497) (@repr WORDSIZE128 2) in - let b_499 : x25519_field_element_t := - (x_2_493) -% (z_2_494) in - let bb_500 : x25519_field_element_t := - (b_499) *% (b_499) in - let e_501 : x25519_field_element_t := - (aa_498) -% (bb_500) in - let c_502 : x25519_field_element_t := - (x_3_495) +% (z_3_496) in - let d_503 : x25519_field_element_t := - (x_3_495) -% (z_3_496) in - let da_504 : x25519_field_element_t := - (d_503) *% (a_497) in - let cb_505 : x25519_field_element_t := - (c_502) *% (b_499) in - let x_3_506 : x25519_field_element_t := - nat_mod_pow ((da_504) +% (cb_505)) (@repr WORDSIZE128 2) in - let z_3_507 : x25519_field_element_t := - (x_1_491) *% (nat_mod_pow ((da_504) -% (cb_505)) (@repr WORDSIZE128 2)) in - let x_2_508 : x25519_field_element_t := - (aa_498) *% (bb_500) in - let e121665_509 : x25519_field_element_t := - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 121665) : x25519_field_element_t in - let z_2_510 : x25519_field_element_t := - (e_501) *% ((aa_498) +% ((e121665_509) *% (e_501))) in - ((x_2_508, z_2_510), (x_3_506, z_3_507)). - -Definition swap (x_511 : (point_t '× point_t)) : (point_t '× point_t) := - let '(x0_512, x1_513) := - x_511 in - (x1_513, x0_512). - -Definition montgomery_ladder - (k_514 : scalar_t) - (init_515 : point_t) - : point_t := - let inf_516 : (x25519_field_element_t '× x25519_field_element_t) := - ( - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 1) : x25519_field_element_t, - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 0) : x25519_field_element_t - ) in - let acc_517 : (point_t '× point_t) := - (inf_516, init_515) in - let acc_517 := - foldi (usize 0) (usize 256) (fun i_518 acc_517 => - let '(acc_517) := - if nat_mod_bit (k_514) ((usize 255) - (i_518)):bool then (let acc_517 := - swap (acc_517) in - let acc_517 := - point_add_and_double (init_515) (acc_517) in - let acc_517 := - swap (acc_517) in - (acc_517)) else (let acc_517 := - point_add_and_double (init_515) (acc_517) in - (acc_517)) in - (acc_517)) - acc_517 in - let '(out_519, _) := - acc_517 in - out_519. - -Definition x25519_scalarmult - (s_520 : x25519_serialized_scalar_t) - (p_521 : x25519_serialized_point_t) - : x25519_serialized_point_t := - let s_522 : scalar_t := - decode_scalar (s_520) in - let p_523 : (x25519_field_element_t '× x25519_field_element_t) := - decode_point (p_521) in - let r_524 : (x25519_field_element_t '× x25519_field_element_t) := - montgomery_ladder (s_522) (p_523) in - encode_point (r_524). - -Definition x25519_secret_to_public - (s_525 : x25519_serialized_scalar_t) - : x25519_serialized_point_t := - let base_526 : x25519_serialized_point_t := - array_new_ (default : uint8) (32) in - let base_526 := - array_upd base_526 (usize 0) (secret (@repr WORDSIZE8 9) : int8) in - x25519_scalarmult (s_525) (base_526). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v deleted file mode 100644 index 875bc79a9..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Ecdsa_P256_Sha256.v +++ /dev/null @@ -1,128 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_P256. - -Require Import Hacspec_Sha256. - -Inductive error_t := -| InvalidScalar : error_t -| InvalidSignature : error_t. - -Notation "'p256_public_key_t'" := (affine_t) : hacspec_scope. - -Notation "'p256_secret_key_t'" := (p256_scalar_t) : hacspec_scope. - -Notation "'p256_signature_t'" := ((p256_scalar_t '× p256_scalar_t -)) : hacspec_scope. - -Notation "'p256_signature_result_t'" := (( - result p256_signature_t error_t)) : hacspec_scope. - -Notation "'p256_verify_result_t'" := ((result unit error_t)) : hacspec_scope. - -Notation "'check_result_t'" := ((result unit error_t)) : hacspec_scope. - -Notation "'arithmetic_result_t'" := ((result affine_t error_t)) : hacspec_scope. - -Definition check_scalar_zero (r_527 : p256_scalar_t) : check_result_t := - (if (nat_mod_equal (r_527) (nat_mod_zero )):bool then (@Err unit error_t ( - InvalidScalar)) else (@Ok unit error_t (tt))). - -Definition ecdsa_point_mul_base (x_528 : p256_scalar_t) : arithmetic_result_t := - match p256_point_mul_base (x_528) with - | Ok (s_529) => @Ok affine_t error_t (s_529) - | Err (_) => @Err affine_t error_t (InvalidScalar) - end. - -Definition ecdsa_point_mul - (k_530 : p256_scalar_t) - (p_531 : affine_t) - : arithmetic_result_t := - match p256_point_mul (k_530) (p_531) with - | Ok (s_532) => @Ok affine_t error_t (s_532) - | Err (_) => @Err affine_t error_t (InvalidScalar) - end. - -Definition ecdsa_point_add - (p_533 : affine_t) - (q_534 : affine_t) - : arithmetic_result_t := - match point_add (p_533) (q_534) with - | Ok (s_535) => @Ok affine_t error_t (s_535) - | Err (_) => @Err affine_t error_t (InvalidScalar) - end. - -Definition sign - (payload_536 : byte_seq) - (sk_537 : p256_secret_key_t) - (nonce_538 : p256_scalar_t) - : p256_signature_result_t := - bind (check_scalar_zero (nonce_538)) (fun _ => bind (ecdsa_point_mul_base ( - nonce_538)) (fun '(k_x_539, k_y_540) => let r_541 : p256_scalar_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - k_x_539)) : p256_scalar_t in - bind (check_scalar_zero (r_541)) (fun _ => - let payload_hash_542 : sha256_digest_t := - hash (payload_536) in - let payload_hash_543 : p256_scalar_t := - nat_mod_from_byte_seq_be ( - array_to_seq (payload_hash_542)) : p256_scalar_t in - let rsk_544 : p256_scalar_t := - (r_541) *% (sk_537) in - let hash_rsk_545 : p256_scalar_t := - (payload_hash_543) +% (rsk_544) in - let nonce_inv_546 : p256_scalar_t := - nat_mod_inv (nonce_538) in - let s_547 : p256_scalar_t := - (nonce_inv_546) *% (hash_rsk_545) in - @Ok p256_signature_t error_t ((r_541, s_547))))). - -Definition ecdsa_p256_sha256_sign - (payload_548 : byte_seq) - (sk_549 : p256_secret_key_t) - (nonce_550 : p256_scalar_t) - : p256_signature_result_t := - sign (payload_548) (sk_549) (nonce_550). - -Definition verify - (payload_551 : byte_seq) - (pk_552 : p256_public_key_t) - (signature_553 : p256_signature_t) - : p256_verify_result_t := - let '(r_554, s_555) := - signature_553 in - let payload_hash_556 : sha256_digest_t := - hash (payload_551) in - let payload_hash_557 : p256_scalar_t := - nat_mod_from_byte_seq_be ( - array_to_seq (payload_hash_556)) : p256_scalar_t in - let s_inv_558 : p256_scalar_t := - nat_mod_inv (s_555) in - let u1_559 : p256_scalar_t := - (payload_hash_557) *% (s_inv_558) in - bind (ecdsa_point_mul_base (u1_559)) (fun u1_560 => - let u2_561 : p256_scalar_t := - (r_554) *% (s_inv_558) in - bind (ecdsa_point_mul (u2_561) (pk_552)) (fun u2_562 => bind ( - ecdsa_point_add (u1_560) (u2_562)) (fun '(x_563, y_564) => - let x_565 : p256_scalar_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - x_563)) : p256_scalar_t in - (if ((x_565) =.? (r_554)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature)))))). - -Definition ecdsa_p256_sha256_verify - (payload_566 : byte_seq) - (pk_567 : p256_public_key_t) - (signature_568 : p256_signature_t) - : p256_verify_result_t := - verify (payload_566) (pk_567) (signature_568). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Ed25519.v b/proof-libs/coq/coq/_vc/Hacspec_Ed25519.v deleted file mode 100644 index 2f9c9ffb8..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Ed25519.v +++ /dev/null @@ -1,690 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha512. - -Require Import Hacspec_Edwards25519. - -Definition scalar_from_hash (h_1978 : sha512_digest_t) : scalar_t := - let s_1979 : big_scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (h_1978)) : big_scalar_t in - nat_mod_from_byte_seq_le (seq_slice (nat_mod_to_byte_seq_le (s_1979)) ( - usize 0) (usize 32)) : scalar_t. - -Definition sign (sk_1980 : secret_key_t) (msg_1981 : byte_seq) : signature_t := - let '(a_1982, prefix_1983) := - secret_expand (sk_1980) in - let a_1984 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (a_1982)) : scalar_t in - let b_1985 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let a_p_1986 : compressed_ed_point_t := - compress (point_mul (a_1984) (b_1985)) in - let r_1987 : scalar_t := - scalar_from_hash (sha512 (array_concat (prefix_1983) (msg_1981))) in - let r_p_1988 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (r_1987) (b_1985) in - let r_s_1989 : compressed_ed_point_t := - compress (r_p_1988) in - let h_1990 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_s_1989) ( - array_to_seq (a_p_1986))) (msg_1981))) in - let s_1991 : scalar_t := - (r_1987) +% ((h_1990) *% (a_1984)) in - let s_bytes_1992 : seq uint8 := - seq_slice (nat_mod_to_byte_seq_le (s_1991)) (usize 0) (usize 32) in - array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( - array_to_seq (r_s_1989))) (usize 32) (s_bytes_1992). - -Definition zcash_verify - (pk_1993 : public_key_t) - (signature_1994 : signature_t) - (msg_1995 : byte_seq) - : verify_result_t := - let b_1996 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress_non_canonical (base_v)) in - bind (option_ok_or (decompress_non_canonical (pk_1993)) (InvalidPublickey)) ( - fun a_1997 => let r_bytes_1998 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( - usize 0) (usize 32) in - let s_bytes_1999 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1999)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress_non_canonical (r_bytes_1998)) (InvalidR)) ( - fun r_2000 => let s_2001 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1999)) : scalar_t in - let k_2002 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1998) ( - pk_1993)) (msg_1995))) in - let sb_2003 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_2001) (b_1996)) in - let rc_2004 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_2000) in - let ka_2005 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_2002) (a_1997)) in - (if (point_eq (sb_2003) (point_add (rc_2004) (ka_2005))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition ietf_cofactored_verify - (pk_2006 : public_key_t) - (signature_2007 : signature_t) - (msg_2008 : byte_seq) - : verify_result_t := - let b_2009 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_2006)) (InvalidPublickey)) (fun a_2010 => - let r_bytes_2011 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( - usize 0) (usize 32) in - let s_bytes_2012 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2012)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2011)) (InvalidR)) (fun r_2013 => - let s_2014 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2012)) : scalar_t in - let k_2015 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2011) ( - pk_2006)) (msg_2008))) in - let sb_2016 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_2014) (b_2009)) in - let rc_2017 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_2013) in - let ka_2018 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_2015) (a_2010)) in - (if (point_eq (sb_2016) (point_add (rc_2017) (ka_2018))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition ietf_cofactorless_verify - (pk_2019 : public_key_t) - (signature_2020 : signature_t) - (msg_2021 : byte_seq) - : verify_result_t := - let b_2022 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_2019)) (InvalidPublickey)) (fun a_2023 => - let r_bytes_2024 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( - usize 0) (usize 32) in - let s_bytes_2025 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2025)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2024)) (InvalidR)) (fun r_2026 => - let s_2027 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2025)) : scalar_t in - let k_2028 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2024) ( - pk_2019)) (msg_2021))) in - let sb_2029 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_2027) (b_2022) in - let ka_2030 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (k_2028) (a_2023) in - (if (point_eq (sb_2029) (point_add (r_2026) (ka_2030))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition is_identity (p_2031 : ed_point_t) : bool := - point_eq (p_2031) (point_identity ). - -Definition alg2_verify - (pk_2032 : public_key_t) - (signature_2033 : signature_t) - (msg_2034 : byte_seq) - : verify_result_t := - let b_2035 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_2032)) (InvalidPublickey)) (fun a_2036 => - ifbnd is_identity (point_mul_by_cofactor (a_2036)) : bool - thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let r_bytes_2037 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( - usize 0) (usize 32) in - let s_bytes_2038 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2038)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2037)) (InvalidR)) (fun r_2039 => - let s_2040 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2038)) : scalar_t in - let k_2041 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2037) ( - pk_2032)) (msg_2034))) in - let sb_2042 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_2040) (b_2035)) in - let rc_2043 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_2039) in - let ka_2044 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_2041) (a_2036)) in - (if (point_eq (sb_2042) (point_add (rc_2043) (ka_2044))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature))))))). - -Inductive batch_entry_t := -| BatchEntry : (public_key_t '× byte_seq '× signature_t) -> batch_entry_t. - -Definition zcash_batch_verify - (entries_2045 : seq batch_entry_t) - (entropy_2046 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2046)) <.? ((usize 16) * (seq_len ( - entries_2045))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2047 : scalar_t := - nat_mod_zero in - let r_sum_2048 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2049 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2045)) for ( - s_sum_2047, - r_sum_2048, - a_sum_2049 - ) >> (fun i_2050 '(s_sum_2047, r_sum_2048, a_sum_2049) => - let 'BatchEntry ((pk_2051, msg_2052, signature_2053)) := - (seq_index (entries_2045) (i_2050)) in - bind (option_ok_or (decompress_non_canonical (pk_2051)) ( - InvalidPublickey)) (fun a_2054 => - let r_bytes_2055 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2053)) (usize 0) (usize 32) in - let s_bytes_2056 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2053)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2056)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress_non_canonical (r_bytes_2055)) (InvalidR)) ( - fun r_2057 => let s_2058 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2056)) : scalar_t in - let c_2059 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2055) ( - array_to_seq (pk_2051))) (msg_2052))) in - let z_2060 : seq uint8 := - seq_slice (entropy_2046) ((usize 16) * (i_2050)) (usize 16) in - let z_2061 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2060) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2047 := - (s_sum_2047) +% ((s_2058) *% (z_2061)) in - let r_sum_2048 := - point_add (r_sum_2048) (point_mul (z_2061) (r_2057)) in - let a_sum_2049 := - point_add (a_sum_2049) (point_mul ((z_2061) *% (c_2059)) (a_2054)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2047, r_sum_2048, a_sum_2049))))))) (fun '( - s_sum_2047, - r_sum_2048, - a_sum_2049 - ) => let b_2062 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2063 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2047) (b_2062) in - let check_2064 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_2063)) (point_add ( - r_sum_2048) (a_sum_2049))) in - (if (is_identity (check_2064)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition ietf_cofactored_batch_verify - (entries_2065 : seq batch_entry_t) - (entropy_2066 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2066)) <.? ((usize 16) * (seq_len ( - entries_2065))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2067 : scalar_t := - nat_mod_zero in - let r_sum_2068 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2069 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2065)) for ( - s_sum_2067, - r_sum_2068, - a_sum_2069 - ) >> (fun i_2070 '(s_sum_2067, r_sum_2068, a_sum_2069) => - let 'BatchEntry ((pk_2071, msg_2072, signature_2073)) := - (seq_index (entries_2065) (i_2070)) in - bind (option_ok_or (decompress (pk_2071)) (InvalidPublickey)) (fun a_2074 => - let r_bytes_2075 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2073)) (usize 0) (usize 32) in - let s_bytes_2076 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2073)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2076)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2075)) (InvalidR)) (fun r_2077 => - let s_2078 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2076)) : scalar_t in - let c_2079 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2075) ( - array_to_seq (pk_2071))) (msg_2072))) in - let z_2080 : seq uint8 := - seq_slice (entropy_2066) ((usize 16) * (i_2070)) (usize 16) in - let z_2081 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2080) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2067 := - (s_sum_2067) +% ((s_2078) *% (z_2081)) in - let r_sum_2068 := - point_add (r_sum_2068) (point_mul (z_2081) (r_2077)) in - let a_sum_2069 := - point_add (a_sum_2069) (point_mul ((z_2081) *% (c_2079)) (a_2074)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2067, r_sum_2068, a_sum_2069))))))) (fun '( - s_sum_2067, - r_sum_2068, - a_sum_2069 - ) => let b_2082 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2083 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2067) (b_2082) in - let check_2084 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_2083)) (point_add ( - r_sum_2068) (a_sum_2069))) in - (if (is_identity (check_2084)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition ietf_cofactorless_batch_verify - (entries_2085 : seq batch_entry_t) - (entropy_2086 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2086)) <.? ((usize 16) * (seq_len ( - entries_2085))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2087 : scalar_t := - nat_mod_zero in - let r_sum_2088 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2089 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2085)) for ( - s_sum_2087, - r_sum_2088, - a_sum_2089 - ) >> (fun i_2090 '(s_sum_2087, r_sum_2088, a_sum_2089) => - let 'BatchEntry ((pk_2091, msg_2092, signature_2093)) := - (seq_index (entries_2085) (i_2090)) in - bind (option_ok_or (decompress (pk_2091)) (InvalidPublickey)) (fun a_2094 => - let r_bytes_2095 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2093)) (usize 0) (usize 32) in - let s_bytes_2096 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2093)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2096)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2095)) (InvalidR)) (fun r_2097 => - let s_2098 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2096)) : scalar_t in - let c_2099 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2095) ( - array_to_seq (pk_2091))) (msg_2092))) in - let z_2100 : seq uint8 := - seq_slice (entropy_2086) ((usize 16) * (i_2090)) (usize 16) in - let z_2101 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2100) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2087 := - (s_sum_2087) +% ((s_2098) *% (z_2101)) in - let r_sum_2088 := - point_add (r_sum_2088) (point_mul (z_2101) (r_2097)) in - let a_sum_2089 := - point_add (a_sum_2089) (point_mul ((z_2101) *% (c_2099)) (a_2094)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2087, r_sum_2088, a_sum_2089))))))) (fun '( - s_sum_2087, - r_sum_2088, - a_sum_2089 - ) => let b_2102 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2103 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2087) (b_2102) in - let check_2104 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (point_neg (sb_2103)) (point_add (r_sum_2088) (a_sum_2089)) in - (if (is_identity (check_2104)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition alg3_batch_verify - (entries_2105 : seq batch_entry_t) - (entropy_2106 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2106)) <.? ((usize 16) * (seq_len ( - entries_2105))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2107 : scalar_t := - nat_mod_zero in - let r_sum_2108 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2109 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2105)) for ( - s_sum_2107, - r_sum_2108, - a_sum_2109 - ) >> (fun i_2110 '(s_sum_2107, r_sum_2108, a_sum_2109) => - let 'BatchEntry ((pk_2111, msg_2112, signature_2113)) := - (seq_index (entries_2105) (i_2110)) in - bind (option_ok_or (decompress (pk_2111)) (InvalidPublickey)) (fun a_2114 => - ifbnd is_identity (point_mul_by_cofactor (a_2114)) : bool - thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let r_bytes_2115 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2113)) (usize 0) (usize 32) in - let s_bytes_2116 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2113)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2116)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2115)) (InvalidR)) (fun r_2117 => - let s_2118 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2116)) : scalar_t in - let c_2119 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2115) ( - array_to_seq (pk_2111))) (msg_2112))) in - let z_2120 : seq uint8 := - seq_slice (entropy_2106) ((usize 16) * (i_2110)) (usize 16) in - let z_2121 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2120) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2107 := - (s_sum_2107) +% ((s_2118) *% (z_2121)) in - let r_sum_2108 := - point_add (r_sum_2108) (point_mul (z_2121) (r_2117)) in - let a_sum_2109 := - point_add (a_sum_2109) (point_mul ((z_2121) *% (c_2119)) (a_2114)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2107, r_sum_2108, a_sum_2109)))))))) (fun '( - s_sum_2107, - r_sum_2108, - a_sum_2109 - ) => let b_2122 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2123 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2107) (b_2122) in - let check_2124 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_2123)) (point_add ( - r_sum_2108) (a_sum_2109))) in - (if (is_identity (check_2124)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Edwards25519.v b/proof-libs/coq/coq/_vc/Hacspec_Edwards25519.v deleted file mode 100644 index 155089746..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Edwards25519.v +++ /dev/null @@ -1,597 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha512. - -Definition field_canvas_t := nseq (int8) (32). -Definition ed25519_field_element_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. - -Definition big_scalar_canvas_t := nseq (int8) (64). -Definition big_scalar_t := - nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. - -Definition big_integer_canvas_t := nseq (int8) (32). -Definition big_integer_t := - nat_mod 0x8000000000000000000000000000000080000000000000000000000000000000. - -Notation "'ed_point_t'" := (( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t -)) : hacspec_scope. - -Definition compressed_ed_point_t := nseq (uint8) (usize 32). - -Definition serialized_scalar_t := nseq (uint8) (usize 32). - -Definition signature_t := nseq (uint8) (usize 64). - -Notation "'public_key_t'" := (compressed_ed_point_t) : hacspec_scope. - -Notation "'secret_key_t'" := (serialized_scalar_t) : hacspec_scope. - -Inductive error_t := -| InvalidPublickey : error_t -| InvalidSignature : error_t -| InvalidS : error_t -| InvalidR : error_t -| SmallOrderPoint : error_t -| NotEnoughRandomness : error_t. - -Notation "'verify_result_t'" := ((result unit error_t)) : hacspec_scope. - -Definition base_v : compressed_ed_point_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8 - ] in l). - -Definition constant_p_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 127) : int8 - ] in l). - -Definition constant_l_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 211) : int8; - secret (@repr WORDSIZE8 245) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 18) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 214) : int8; - secret (@repr WORDSIZE8 156) : int8; - secret (@repr WORDSIZE8 247) : int8; - secret (@repr WORDSIZE8 162) : int8; - secret (@repr WORDSIZE8 222) : int8; - secret (@repr WORDSIZE8 249) : int8; - secret (@repr WORDSIZE8 222) : int8; - secret (@repr WORDSIZE8 20) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 16) : int8 - ] in l). - -Definition constant_p3_8_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 15) : int8 - ] in l). - -Definition constant_p1_4_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 251) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 31) : int8 - ] in l). - -Definition constant_d_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 163) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 19) : int8; - secret (@repr WORDSIZE8 202) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 117) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 232) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 199) : int8; - secret (@repr WORDSIZE8 140) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 82) : int8 - ] in l). - -Definition is_negative (x_2125 : ed25519_field_element_t) : uint8 := - (if (nat_mod_bit (x_2125) (usize 0)):bool then (secret ( - @repr WORDSIZE8 1) : int8) else (secret (@repr WORDSIZE8 0) : int8)). - -Definition compress (p_2126 : ed_point_t) : compressed_ed_point_t := - let '(x_2127, y_2128, z_2129, _) := - p_2126 in - let z_inv_2130 : ed25519_field_element_t := - nat_mod_inv (z_2129) in - let x_2131 : ed25519_field_element_t := - (x_2127) *% (z_inv_2130) in - let y_2132 : ed25519_field_element_t := - (y_2128) *% (z_inv_2130) in - let s_2133 : byte_seq := - nat_mod_to_byte_seq_le (y_2132) in - let s_2133 := - seq_upd s_2133 (usize 31) ((seq_index (s_2133) (usize 31)) .^ (( - is_negative (x_2131)) shift_left (usize 7))) in - array_from_slice (default : uint8) (32) (s_2133) (usize 0) (usize 32). - -Definition sqrt - (a_2134 : ed25519_field_element_t) - : (option ed25519_field_element_t) := - let p3_8_2135 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_p3_8_v)) : ed25519_field_element_t in - let p1_4_2136 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_p1_4_v)) : ed25519_field_element_t in - let x_c_2137 : ed25519_field_element_t := - nat_mod_pow_self (a_2134) (p3_8_2135) in - let result_2138 : (option ed25519_field_element_t) := - @None ed25519_field_element_t in - let '(result_2138) := - if ((x_c_2137) *% (x_c_2137)) =.? (a_2134):bool then (let result_2138 := - some (x_c_2137) in - (result_2138)) else ((result_2138)) in - let '(result_2138) := - if ((x_c_2137) *% (x_c_2137)) =.? ((nat_mod_zero ) -% (a_2134)):bool then ( - let x_2139 : ed25519_field_element_t := - (nat_mod_pow_self (nat_mod_two ) (p1_4_2136)) *% (x_c_2137) in - let result_2138 := - some (x_2139) in - (result_2138)) else ((result_2138)) in - result_2138. - -Definition check_canonical_point (x_2140 : compressed_ed_point_t) : bool := - let x_2140 := - array_upd x_2140 (usize 31) ((array_index (x_2140) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - let x_2141 : big_integer_t := - nat_mod_from_byte_seq_le (array_to_seq (x_2140)) : big_integer_t in - (x_2141) <.? (nat_mod_from_byte_seq_le ( - array_to_seq (constant_p_v)) : big_integer_t). - -Definition decompress (q_2142 : compressed_ed_point_t) : (option ed_point_t) := - let d_2143 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_d_v)) : ed25519_field_element_t in - let x_s_2144 : uint8 := - ((array_index (q_2142) (usize 31)) .& (secret ( - @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in - let y_s_2145 : compressed_ed_point_t := - q_2142 in - let y_s_2145 := - array_upd y_s_2145 (usize 31) ((array_index (y_s_2145) (usize 31)) .& ( - secret (@repr WORDSIZE8 127) : int8)) in - ifbnd negb (check_canonical_point (y_s_2145)) : bool - thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) - else (tt) >> (fun 'tt => - let y_2146 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (y_s_2145)) : ed25519_field_element_t in - let z_2147 : ed25519_field_element_t := - nat_mod_one in - let yy_2148 : ed25519_field_element_t := - (y_2146) *% (y_2146) in - let u_2149 : ed25519_field_element_t := - (yy_2148) -% (z_2147) in - let v_2150 : ed25519_field_element_t := - ((d_2143) *% (yy_2148)) +% (z_2147) in - let xx_2151 : ed25519_field_element_t := - (u_2149) *% (nat_mod_inv (v_2150)) in - bind (sqrt (xx_2151)) (fun x_2152 => let x_r_2153 : uint8 := - is_negative (x_2152) in - ifbnd ((x_2152) =.? (nat_mod_zero )) && ((uint8_declassify (x_s_2144)) =.? ( - @repr WORDSIZE8 1)) : bool - thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) - else (tt) >> (fun 'tt => - let '(x_2152) := - if (uint8_declassify (x_r_2153)) !=.? (uint8_declassify ( - x_s_2144)):bool then (let x_2152 := - (nat_mod_zero ) -% (x_2152) in - (x_2152)) else ((x_2152)) in - some ((x_2152, y_2146, z_2147, (x_2152) *% (y_2146)))))). - -Definition decompress_non_canonical - (p_2154 : compressed_ed_point_t) - : (option ed_point_t) := - let d_2155 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_d_v)) : ed25519_field_element_t in - let x_s_2156 : uint8 := - ((array_index (p_2154) (usize 31)) .& (secret ( - @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in - let y_s_2157 : compressed_ed_point_t := - p_2154 in - let y_s_2157 := - array_upd y_s_2157 (usize 31) ((array_index (y_s_2157) (usize 31)) .& ( - secret (@repr WORDSIZE8 127) : int8)) in - let y_2158 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (y_s_2157)) : ed25519_field_element_t in - let z_2159 : ed25519_field_element_t := - nat_mod_one in - let yy_2160 : ed25519_field_element_t := - (y_2158) *% (y_2158) in - let u_2161 : ed25519_field_element_t := - (yy_2160) -% (z_2159) in - let v_2162 : ed25519_field_element_t := - ((d_2155) *% (yy_2160)) +% (z_2159) in - let xx_2163 : ed25519_field_element_t := - (u_2161) *% (nat_mod_inv (v_2162)) in - bind (sqrt (xx_2163)) (fun x_2164 => let x_r_2165 : uint8 := - is_negative (x_2164) in - let '(x_2164) := - if (uint8_declassify (x_r_2165)) !=.? (uint8_declassify ( - x_s_2156)):bool then (let x_2164 := - (nat_mod_zero ) -% (x_2164) in - (x_2164)) else ((x_2164)) in - some ((x_2164, y_2158, z_2159, (x_2164) *% (y_2158)))). - -Definition encode (p_2166 : ed_point_t) : byte_seq := - let '(x_2167, y_2168, z_2169, _) := - p_2166 in - let z_inv_2170 : ed25519_field_element_t := - nat_mod_inv (z_2169) in - let x_2171 : ed25519_field_element_t := - (x_2167) *% (z_inv_2170) in - let y_2172 : ed25519_field_element_t := - (y_2168) *% (z_inv_2170) in - let s_2173 : byte_seq := - nat_mod_to_byte_seq_le (y_2172) in - let s_2173 := - seq_upd s_2173 (usize 31) ((seq_index (s_2173) (usize 31)) .^ (( - is_negative (x_2171)) shift_left (usize 7))) in - s_2173. - -Definition decode (q_s_2174 : byte_seq) : (option ed_point_t) := - let q_2175 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (q_s_2174) (usize 0) (usize 32) in - decompress (q_2175). - -Definition point_add (p_2176 : ed_point_t) (q_2177 : ed_point_t) : ed_point_t := - let d_c_2178 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_d_v)) : ed25519_field_element_t in - let two_2179 : ed25519_field_element_t := - nat_mod_two in - let '(x1_2180, y1_2181, z1_2182, t1_2183) := - p_2176 in - let '(x2_2184, y2_2185, z2_2186, t2_2187) := - q_2177 in - let a_2188 : ed25519_field_element_t := - ((y1_2181) -% (x1_2180)) *% ((y2_2185) -% (x2_2184)) in - let b_2189 : ed25519_field_element_t := - ((y1_2181) +% (x1_2180)) *% ((y2_2185) +% (x2_2184)) in - let c_2190 : ed25519_field_element_t := - (((t1_2183) *% (two_2179)) *% (d_c_2178)) *% (t2_2187) in - let d_2191 : ed25519_field_element_t := - ((z1_2182) *% (two_2179)) *% (z2_2186) in - let e_2192 : ed25519_field_element_t := - (b_2189) -% (a_2188) in - let f_2193 : ed25519_field_element_t := - (d_2191) -% (c_2190) in - let g_2194 : ed25519_field_element_t := - (d_2191) +% (c_2190) in - let h_2195 : ed25519_field_element_t := - (b_2189) +% (a_2188) in - let x3_2196 : ed25519_field_element_t := - (e_2192) *% (f_2193) in - let y3_2197 : ed25519_field_element_t := - (g_2194) *% (h_2195) in - let t3_2198 : ed25519_field_element_t := - (e_2192) *% (h_2195) in - let z3_2199 : ed25519_field_element_t := - (f_2193) *% (g_2194) in - (x3_2196, y3_2197, z3_2199, t3_2198). - -Definition point_identity : ed_point_t := - (nat_mod_zero , nat_mod_one , nat_mod_one , nat_mod_zero ). - -Definition point_mul (s_2200 : scalar_t) (p_2201 : ed_point_t) : ed_point_t := - let p_2202 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - p_2201 in - let q_2203 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let '(p_2202, q_2203) := - foldi (usize 0) (usize 256) (fun i_2204 '(p_2202, q_2203) => - let '(q_2203) := - if nat_mod_bit (s_2200) (i_2204):bool then (let q_2203 := - point_add (q_2203) (p_2202) in - (q_2203)) else ((q_2203)) in - let p_2202 := - point_add (p_2202) (p_2202) in - (p_2202, q_2203)) - (p_2202, q_2203) in - q_2203. - -Definition point_mul_by_cofactor (p_2205 : ed_point_t) : ed_point_t := - let p2_2206 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (p_2205) (p_2205) in - let p4_2207 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (p2_2206) (p2_2206) in - let p8_2208 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (p4_2207) (p4_2207) in - p8_2208. - -Definition point_neg (p_2209 : ed_point_t) : ed_point_t := - let '(x_2210, y_2211, z_2212, t_2213) := - p_2209 in - ((nat_mod_zero ) -% (x_2210), y_2211, z_2212, (nat_mod_zero ) -% (t_2213)). - -Definition point_eq (p_2214 : ed_point_t) (q_2215 : ed_point_t) : bool := - let '(x1_2216, y1_2217, z1_2218, _) := - p_2214 in - let '(x2_2219, y2_2220, z2_2221, _) := - q_2215 in - (((x1_2216) *% (z2_2221)) =.? ((x2_2219) *% (z1_2218))) && (((y1_2217) *% ( - z2_2221)) =.? ((y2_2220) *% (z1_2218))). - -Definition point_normalize (q_2222 : ed_point_t) : ed_point_t := - let '(qx_2223, qy_2224, qz_2225, _) := - q_2222 in - let px_2226 : ed25519_field_element_t := - (qx_2223) *% (nat_mod_inv (qz_2225)) in - let py_2227 : ed25519_field_element_t := - (qy_2224) *% (nat_mod_inv (qz_2225)) in - let pz_2228 : ed25519_field_element_t := - nat_mod_one in - let pt_2229 : ed25519_field_element_t := - (px_2226) *% (py_2227) in - (px_2226, py_2227, pz_2228, pt_2229). - -Definition secret_expand - (sk_2230 : secret_key_t) - : (serialized_scalar_t '× serialized_scalar_t) := - let h_2231 : sha512_digest_t := - sha512 (seq_from_slice (sk_2230) (usize 0) (usize 32)) in - let h_d_2232 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 32) ( - usize 32) in - let s_2233 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 0) ( - usize 32) in - let s_2233 := - array_upd s_2233 (usize 0) ((array_index (s_2233) (usize 0)) .& (secret ( - @repr WORDSIZE8 248) : int8)) in - let s_2233 := - array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - let s_2233 := - array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .| (secret ( - @repr WORDSIZE8 64) : int8)) in - (s_2233, h_d_2232). - -Definition secret_to_public (sk_2234 : secret_key_t) : public_key_t := - let '(s_2235, _) := - secret_expand (sk_2234) in - let base_2236 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let ss_2237 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_2235)) : scalar_t in - let a_2238 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (ss_2237) (base_2236) in - compress (a_2238). - -Definition check_canonical_scalar (s_2239 : serialized_scalar_t) : bool := - (if ((uint8_declassify ((array_index (s_2239) (usize 31)) .& (secret ( - @repr WORDSIZE8 224) : int8))) !=.? ( - @repr WORDSIZE8 0)):bool then (false) else ((nat_mod_from_byte_seq_le ( - array_to_seq (s_2239)) : big_integer_t) <.? ( - nat_mod_from_byte_seq_le ( - array_to_seq (constant_l_v)) : big_integer_t))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Ecvrf.v b/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Ecvrf.v deleted file mode 100644 index 7a3f9305a..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Ecvrf.v +++ /dev/null @@ -1,349 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Edwards25519. - -Require Import Hacspec_Sha512. - -Require Import Hacspec_Edwards25519_Hash. - -Inductive errorec_t := -| FailedVerify : errorec_t -| MessageTooLarge : errorec_t -| InvalidProof : errorec_t -| InvalidPublicKey : errorec_t -| FailedDecompression : errorec_t -| FailedE2C : errorec_t. - -Notation "'byte_seq_result_t'" := ((result byte_seq errorec_t)) : hacspec_scope. - -Notation "'proof_result_t'" := ((result (ed_point_t '× scalar_t '× scalar_t - ) errorec_t)) : hacspec_scope. - -Notation "'ed_point_result_t'" := (( - result ed_point_t errorec_t)) : hacspec_scope. - -Definition large_mod_canvas_t := nseq (int8) (32). -Definition large_mod_t := - nat_mod 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. - -Definition arr_large_mod_t := nseq (uint64) (usize 4). - -Definition q_v : arr_large_mod_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 9223372036854775807) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551597) : int64 - ] in l). - -Definition c_len_v : uint_size := - usize 16. - -Definition pt_len_v : uint_size := - usize 32. - -Definition q_len_v : uint_size := - usize 32. - -Definition int_byte_t := nseq (uint8) (usize 1). - -Definition zero_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 0) : int8] in l). - -Definition one_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). - -Definition two_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). - -Definition three_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 3) : int8] in l). - -Definition four_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 4) : int8] in l). - -Definition suite_string_v : int_byte_t := - four_v. - -Definition dst_t := nseq (uint8) (usize 39). - -Definition h2c_suite_id_string_v : dst_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 67) : int8; - secret (@repr WORDSIZE8 86) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 70) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 97) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 68) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 95) : int8 - ] in l). - -Definition ecvrf_encode_to_curve_try_and_increment - (encode_to_curve_salt_2457 : byte_seq) - (alpha_2458 : byte_seq) - : ed_point_result_t := - let h_2459 : (option ed_point_t) := - @None ed_point_t in - let x_2460 : ed25519_field_element_t := - nat_mod_zero in - let '(h_2459, x_2460) := - foldi (usize 1) (usize 256) (fun ctr_2461 '(h_2459, x_2460) => - let '(h_2459, x_2460) := - if ((h_2459)) =.? (@None ed_point_t):bool then ( - let ctr_string_2462 : seq uint8 := - seq_slice (nat_mod_to_byte_seq_be (x_2460)) (usize 31) (usize 1) in - let hash_string_2463 : sha512_digest_t := - sha512 (seq_concat (seq_concat (seq_concat (seq_concat ( - array_concat (suite_string_v) (array_to_seq (one_v))) ( - encode_to_curve_salt_2457)) (alpha_2458)) ( - ctr_string_2462)) (array_to_seq (zero_v))) in - let h_2459 := - decompress (array_from_slice (default : uint8) (32) ( - array_to_seq (hash_string_2463)) (usize 0) (usize 32)) in - let x_2460 := - (x_2460) +% (nat_mod_one ) in - (h_2459, x_2460)) else ((h_2459, x_2460)) in - (h_2459, x_2460)) - (h_2459, x_2460) in - bind (option_ok_or (h_2459) (FailedE2C)) (fun h_2464 => - @Ok ed_point_t errorec_t (point_mul_by_cofactor (h_2464))). - -Definition ecvrf_encode_to_curve_h2c_suite - (encode_to_curve_salt_2465 : byte_seq) - (alpha_2466 : byte_seq) - : ed_point_result_t := - let string_to_be_hashed_2467 : seq uint8 := - seq_concat (encode_to_curve_salt_2465) (alpha_2466) in - let dst_2468 : seq uint8 := - array_concat (h2c_suite_id_string_v) (array_to_seq (suite_string_v)) in - let h_2469 : (result ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) error_t) := - ed_encode_to_curve (string_to_be_hashed_2467) (dst_2468) in - bind (option_ok_or (result_ok (h_2469)) (FailedE2C)) (fun h_2470 => - @Ok ed_point_t errorec_t (h_2470)). - -Definition ecvrf_nonce_generation - (sk_2471 : secret_key_t) - (h_string_2472 : byte_seq) - : scalar_t := - let hashed_sk_string_2473 : sha512_digest_t := - sha512 (array_to_le_bytes (sk_2471)) in - let truncated_hashed_sk_string_2474 : seq uint8 := - array_slice (hashed_sk_string_2473) (usize 32) (usize 32) in - let k_string_2475 : sha512_digest_t := - sha512 (seq_concat (truncated_hashed_sk_string_2474) (h_string_2472)) in - let nonce_2476 : big_scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (k_string_2475)) : big_scalar_t in - let nonceseq_2477 : seq uint8 := - seq_slice (nat_mod_to_byte_seq_le (nonce_2476)) (usize 0) (usize 32) in - nat_mod_from_byte_seq_le (nonceseq_2477) : scalar_t. - -Definition ecvrf_challenge_generation - (p1_2478 : ed_point_t) - (p2_2479 : ed_point_t) - (p3_2480 : ed_point_t) - (p4_2481 : ed_point_t) - (p5_2482 : ed_point_t) - : scalar_t := - let string_2483 : seq uint8 := - seq_concat (seq_concat (seq_concat (seq_concat (seq_concat (seq_concat ( - array_concat (suite_string_v) (array_to_seq (two_v))) (encode ( - p1_2478))) (encode (p2_2479))) (encode (p3_2480))) (encode ( - p4_2481))) (encode (p5_2482))) (array_to_seq (zero_v)) in - let c_string_2484 : sha512_digest_t := - sha512 (string_2483) in - let truncated_c_string_2485 : seq uint8 := - seq_concat (array_slice (c_string_2484) (usize 0) (c_len_v)) (seq_new_ ( - default : uint8) (usize 16)) in - nat_mod_from_byte_seq_le (truncated_c_string_2485) : scalar_t. - -Definition ecvrf_decode_proof (pi_2486 : byte_seq) : proof_result_t := - let gamma_string_2487 : seq uint8 := - seq_slice (pi_2486) (usize 0) (pt_len_v) in - let c_string_2488 : seq uint8 := - seq_slice (pi_2486) (pt_len_v) (c_len_v) in - let s_string_2489 : seq uint8 := - seq_slice (pi_2486) ((pt_len_v) + (c_len_v)) (q_len_v) in - bind (option_ok_or (decompress (array_from_slice (default : uint8) (32) ( - gamma_string_2487) (usize 0) (usize 32))) (InvalidProof)) ( - fun gamma_2490 => let c_2491 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (c_string_2488) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_2492 : scalar_t := - nat_mod_from_byte_seq_le ((s_string_2489)) : scalar_t in - let s_test_2493 : large_mod_t := - nat_mod_from_byte_seq_le (s_string_2489) : large_mod_t in - let q_2494 : large_mod_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (q_v)) : large_mod_t in - (if ((s_test_2493) >=.? (q_2494)):bool then (@Err ( - ed_point_t '× - scalar_t '× - scalar_t - ) errorec_t (InvalidProof)) else (@Ok ( - ed_point_t '× - scalar_t '× - scalar_t - ) errorec_t ((gamma_2490, c_2491, s_2492))))). - -Definition ecvrf_validate_key - (y_2495 : public_key_t) - : (result unit errorec_t) := - bind (option_ok_or (decompress (y_2495)) (InvalidPublicKey)) (fun y_2496 => - let y_prime_2497 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (y_2496) in - (if ((y_prime_2497) =.? (point_identity )):bool then (@Err unit errorec_t ( - InvalidPublicKey)) else (@Ok unit errorec_t (tt)))). - -Definition ecvrf_prove - (sk_2498 : secret_key_t) - (alpha_2499 : byte_seq) - : byte_seq_result_t := - bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2500 => - let '(x_2501, _) := - secret_expand (sk_2498) in - let x_2502 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (x_2501)) : scalar_t in - let y_2503 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (x_2502) (b_2500) in - let pk_2504 : compressed_ed_point_t := - compress (y_2503) in - let encode_to_curve_salt_2505 : seq uint8 := - array_slice (pk_2504) (usize 0) (usize 32) in - bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2505) ( - alpha_2499)) (fun h_2506 => let h_string_2507 : seq uint8 := - encode (h_2506) in - let gamma_2508 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (x_2502) (h_2506) in - let k_2509 : scalar_t := - ecvrf_nonce_generation (sk_2498) (h_string_2507) in - let u_2510 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (k_2509) (b_2500) in - let v_2511 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (k_2509) (h_2506) in - let c_2512 : scalar_t := - ecvrf_challenge_generation (y_2503) (h_2506) (gamma_2508) (u_2510) ( - v_2511) in - let s_2513 : scalar_t := - (k_2509) +% ((c_2512) *% (x_2502)) in - @Ok byte_seq errorec_t (seq_slice (seq_concat (seq_concat (encode ( - gamma_2508)) (seq_slice (nat_mod_to_byte_seq_le (c_2512)) ( - usize 0) (c_len_v))) (seq_slice (nat_mod_to_byte_seq_le ( - s_2513)) (usize 0) (q_len_v))) (usize 0) (((c_len_v) + ( - q_len_v)) + (pt_len_v))))). - -Definition ecvrf_proof_to_hash (pi_2514 : byte_seq) : byte_seq_result_t := - bind (ecvrf_decode_proof (pi_2514)) (fun '(gamma_2515, _, _) => - @Ok byte_seq errorec_t (array_slice (sha512 (seq_concat (seq_concat ( - array_concat (suite_string_v) (array_to_seq (three_v))) (encode ( - point_mul_by_cofactor (gamma_2515)))) ( - array_to_seq (zero_v)))) (usize 0) (usize 64))). - -Definition ecvrf_verify - (pk_2516 : public_key_t) - (alpha_2517 : byte_seq) - (pi_2518 : byte_seq) - (validate_key_2519 : bool) - : byte_seq_result_t := - bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2520 => - bind (option_ok_or (decompress (pk_2516)) (InvalidPublicKey)) (fun y_2521 => - ifbnd validate_key_2519 : bool - thenbnd (bind (ecvrf_validate_key (pk_2516)) (fun _ => - @Ok unit errorec_t (tt))) - else (tt) >> (fun 'tt => - bind (ecvrf_decode_proof (pi_2518)) (fun '(gamma_2522, c_2523, s_2524) => - let encode_to_curve_salt_2525 : seq uint8 := - array_slice (pk_2516) (usize 0) (usize 32) in - bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2525) ( - alpha_2517)) (fun h_2526 => let u_2527 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (point_mul (s_2524) (b_2520)) (point_neg (point_mul ( - c_2523) (y_2521))) in - let v_2528 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (point_mul (s_2524) (h_2526)) (point_neg (point_mul ( - c_2523) (gamma_2522))) in - let c_prime_2529 : scalar_t := - ecvrf_challenge_generation (y_2521) (h_2526) (gamma_2522) (u_2527) ( - v_2528) in - (if ((c_2523) =.? (c_prime_2529)):bool then (ecvrf_proof_to_hash ( - pi_2518)) else (@Err byte_seq errorec_t (FailedVerify)))))))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Hash.v b/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Hash.v deleted file mode 100644 index 0017ba372..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Edwards25519_Hash.v +++ /dev/null @@ -1,504 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Edwards25519. - -Require Import Hacspec_Sha512. - -Definition b_in_bytes_v : uint_size := - usize 64. - -Definition s_in_bytes_v : uint_size := - usize 128. - -Definition l_v : uint_size := - usize 48. - -Definition j_v : int128 := - @repr WORDSIZE128 486662. - -Definition z_v : int128 := - @repr WORDSIZE128 2. - -Definition arr_ed25519_field_element_t := nseq (uint64) (usize 4). - -Definition ed_field_hash_canvas_t := nseq (int8) (64). -Definition ed_field_hash_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Inductive error_t := -| ExpandMessageAbort : error_t. - -Definition eqb_error_t (x y : error_t) : bool := -match x with - | ExpandMessageAbort => match y with | ExpandMessageAbort=> true end - end. - -Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_error_t : EqDec (error_t) := -Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). - - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Notation "'seq_ed_result_t'" := (( - result seq ed25519_field_element_t error_t)) : hacspec_scope. - -Notation "'ed_point_result_t'" := ((result ed_point_t error_t)) : hacspec_scope. - -Definition p_1_2_v : arr_ed25519_field_element_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 4611686018427387903) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551606) : int64 - ] in l). - -Definition p_3_8_v : arr_ed25519_field_element_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1152921504606846975) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551614) : int64 - ] in l). - -Definition p_5_8_v : arr_ed25519_field_element_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1152921504606846975) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551613) : int64 - ] in l). - -Definition expand_message_xmd - (msg_2290 : byte_seq) - (dst_2291 : byte_seq) - (len_in_bytes_2292 : uint_size) - : byte_seq_result_t := - let ell_2293 : uint_size := - (((len_in_bytes_2292) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in - let result_2294 : (result byte_seq error_t) := - @Err byte_seq error_t (ExpandMessageAbort) in - let '(result_2294) := - if negb ((((ell_2293) >.? (usize 255)) || ((len_in_bytes_2292) >.? ( - usize 65535))) || ((seq_len (dst_2291)) >.? ( - usize 255))):bool then (let dst_prime_2295 : seq uint8 := - seq_push (dst_2291) (uint8_from_usize (seq_len (dst_2291))) in - let z_pad_2296 : seq uint8 := - seq_new_ (default : uint8) (s_in_bytes_v) in - let l_i_b_str_2297 : seq uint8 := - seq_new_ (default : uint8) (usize 2) in - let l_i_b_str_2297 := - seq_upd l_i_b_str_2297 (usize 0) (uint8_from_usize (( - len_in_bytes_2292) / (usize 256))) in - let l_i_b_str_2297 := - seq_upd l_i_b_str_2297 (usize 1) (uint8_from_usize ( - len_in_bytes_2292)) in - let msg_prime_2298 : seq uint8 := - seq_concat (seq_concat (seq_concat (seq_concat (z_pad_2296) ( - msg_2290)) (l_i_b_str_2297)) (seq_new_ (default : uint8) ( - usize 1))) (dst_prime_2295) in - let b_0_2299 : seq uint8 := - seq_from_seq (array_to_seq (hash (msg_prime_2298))) in - let b_i_2300 : seq uint8 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_2299) ( - secret (@repr WORDSIZE8 1) : int8)) (dst_prime_2295)))) in - let uniform_bytes_2301 : seq uint8 := - seq_from_seq (b_i_2300) in - let '(b_i_2300, uniform_bytes_2301) := - foldi (usize 2) ((ell_2293) + (usize 1)) (fun i_2302 '( - b_i_2300, - uniform_bytes_2301 - ) => - let t_2303 : seq uint8 := - seq_from_seq (b_0_2299) in - let b_i_2300 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( - t_2303) seq_xor (b_i_2300)) (uint8_from_usize (i_2302))) ( - dst_prime_2295)))) in - let uniform_bytes_2301 := - seq_concat (uniform_bytes_2301) (b_i_2300) in - (b_i_2300, uniform_bytes_2301)) - (b_i_2300, uniform_bytes_2301) in - let result_2294 := - @Ok byte_seq error_t (seq_truncate (uniform_bytes_2301) ( - len_in_bytes_2292)) in - (result_2294)) else ((result_2294)) in - result_2294. - -Definition ed_hash_to_field - (msg_2304 : byte_seq) - (dst_2305 : byte_seq) - (count_2306 : uint_size) - : seq_ed_result_t := - let len_in_bytes_2307 : uint_size := - (count_2306) * (l_v) in - bind (expand_message_xmd (msg_2304) (dst_2305) (len_in_bytes_2307)) ( - fun uniform_bytes_2308 => let output_2309 : seq ed25519_field_element_t := - seq_new_ (default : ed25519_field_element_t) (count_2306) in - let output_2309 := - foldi (usize 0) (count_2306) (fun i_2310 output_2309 => - let elm_offset_2311 : uint_size := - (l_v) * (i_2310) in - let tv_2312 : seq uint8 := - seq_slice (uniform_bytes_2308) (elm_offset_2311) (l_v) in - let u_i_2313 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_2312) : ed_field_hash_t)) ( - usize 32) (usize 32)) : ed25519_field_element_t in - let output_2309 := - seq_upd output_2309 (i_2310) (u_i_2313) in - (output_2309)) - output_2309 in - @Ok seq ed25519_field_element_t error_t (output_2309)). - -Definition ed_is_square (x_2314 : ed25519_field_element_t) : bool := - let c1_2315 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (array_to_be_bytes ( - p_1_2_v)) : ed25519_field_element_t in - let tv_2316 : ed25519_field_element_t := - nat_mod_pow_self (x_2314) (c1_2315) in - ((tv_2316) =.? (nat_mod_zero )) || ((tv_2316) =.? (nat_mod_one )). - -Definition sgn0_m_eq_1 (x_2317 : ed25519_field_element_t) : bool := - ((x_2317) rem (nat_mod_two )) =.? (nat_mod_one ). - -Definition ed_clear_cofactor (x_2318 : ed_point_t) : ed_point_t := - point_mul_by_cofactor (x_2318). - -Definition cmov - (a_2319 : ed25519_field_element_t) - (b_2320 : ed25519_field_element_t) - (c_2321 : bool) - : ed25519_field_element_t := - (if (c_2321):bool then (b_2320) else (a_2319)). - -Definition xor (a_2322 : bool) (b_2323 : bool) : bool := - (if (a_2322):bool then ((if (b_2323):bool then (false) else (true))) else (( - if (b_2323):bool then (true) else (false)))). - -Definition curve25519_to_edwards25519 (p_2324 : ed_point_t) : ed_point_t := - let '(s_2325, t_2326, _, _) := - point_normalize (p_2324) in - let one_2327 : ed25519_field_element_t := - nat_mod_one in - let zero_2328 : ed25519_field_element_t := - nat_mod_zero in - let tv1_2329 : ed25519_field_element_t := - (s_2325) +% (one_2327) in - let tv2_2330 : ed25519_field_element_t := - (tv1_2329) *% (t_2326) in - let tv2_2331 : ed25519_field_element_t := - nat_mod_inv (tv2_2330) in - let v_2332 : ed25519_field_element_t := - (tv2_2331) *% (tv1_2329) in - let v_2333 : ed25519_field_element_t := - (v_2332) *% (s_2325) in - let w_2334 : ed25519_field_element_t := - (tv2_2331) *% (t_2326) in - let tv1_2335 : ed25519_field_element_t := - (s_2325) -% (one_2327) in - let w_2336 : ed25519_field_element_t := - (w_2334) *% (tv1_2335) in - let e_2337 : bool := - (tv2_2331) =.? (zero_2328) in - let w_2338 : ed25519_field_element_t := - cmov (w_2336) (one_2327) (e_2337) in - let c_2339 : ed25519_field_element_t := - (nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 486664) : ed25519_field_element_t) in - let sq_2340 : (option ed25519_field_element_t) := - sqrt (c_2339) in - let v_2341 : ed25519_field_element_t := - (v_2333) *% (option_unwrap (sq_2340)) in - (v_2341, w_2338, one_2327, (v_2341) *% (w_2338)). - -Definition map_to_curve_elligator2 - (u_2342 : ed25519_field_element_t) - : ed_point_t := - let j_2343 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let z_2344 : ed25519_field_element_t := - nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in - let one_2345 : ed25519_field_element_t := - nat_mod_one in - let zero_2346 : ed25519_field_element_t := - nat_mod_zero in - let x1_2347 : ed25519_field_element_t := - ((zero_2346) -% (j_2343)) *% (nat_mod_inv ((one_2345) +% (((z_2344) *% ( - u_2342)) *% (u_2342)))) in - let '(x1_2347) := - if (x1_2347) =.? (zero_2346):bool then (let x1_2347 := - (zero_2346) -% (j_2343) in - (x1_2347)) else ((x1_2347)) in - let gx1_2348 : ed25519_field_element_t := - ((((x1_2347) *% (x1_2347)) *% (x1_2347)) +% (((j_2343) *% (x1_2347)) *% ( - x1_2347))) +% (x1_2347) in - let x2_2349 : ed25519_field_element_t := - ((zero_2346) -% (x1_2347)) -% (j_2343) in - let gx2_2350 : ed25519_field_element_t := - ((((x2_2349) *% (x2_2349)) *% (x2_2349)) +% ((j_2343) *% ((x2_2349) *% ( - x2_2349)))) +% (x2_2349) in - let x_2351 : ed25519_field_element_t := - zero_2346 in - let y_2352 : ed25519_field_element_t := - zero_2346 in - let '(x_2351, y_2352) := - if ed_is_square (gx1_2348):bool then (let x_2351 := - x1_2347 in - let y_2352 := - option_unwrap (sqrt (gx1_2348)) in - let '(y_2352) := - if negb (sgn0_m_eq_1 (y_2352)):bool then (let y_2352 := - (zero_2346) -% (y_2352) in - (y_2352)) else ((y_2352)) in - (x_2351, y_2352)) else (let x_2351 := - x2_2349 in - let y_2352 := - option_unwrap (sqrt (gx2_2350)) in - let '(y_2352) := - if sgn0_m_eq_1 (y_2352):bool then (let y_2352 := - (zero_2346) -% (y_2352) in - (y_2352)) else ((y_2352)) in - (x_2351, y_2352)) in - let s_2353 : ed25519_field_element_t := - x_2351 in - let t_2354 : ed25519_field_element_t := - y_2352 in - (s_2353, t_2354, one_2345, (s_2353) *% (t_2354)). - -Definition map_to_curve_elligator2_straight - (u_2355 : ed25519_field_element_t) - : ed_point_t := - let j_2356 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let z_2357 : ed25519_field_element_t := - nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in - let one_2358 : ed25519_field_element_t := - nat_mod_one in - let zero_2359 : ed25519_field_element_t := - nat_mod_zero in - let tv1_2360 : ed25519_field_element_t := - (u_2355) *% (u_2355) in - let tv1_2361 : ed25519_field_element_t := - (z_2357) *% (tv1_2360) in - let e1_2362 : bool := - (tv1_2361) =.? ((zero_2359) -% (one_2358)) in - let tv1_2363 : ed25519_field_element_t := - cmov (tv1_2361) (zero_2359) (e1_2362) in - let x1_2364 : ed25519_field_element_t := - (tv1_2363) +% (one_2358) in - let x1_2365 : ed25519_field_element_t := - nat_mod_inv (x1_2364) in - let x1_2366 : ed25519_field_element_t := - ((zero_2359) -% (j_2356)) *% (x1_2365) in - let gx1_2367 : ed25519_field_element_t := - (x1_2366) +% (j_2356) in - let gx1_2368 : ed25519_field_element_t := - (gx1_2367) *% (x1_2366) in - let gx1_2369 : ed25519_field_element_t := - (gx1_2368) +% (one_2358) in - let gx1_2370 : ed25519_field_element_t := - (gx1_2369) *% (x1_2366) in - let x2_2371 : ed25519_field_element_t := - ((zero_2359) -% (x1_2366)) -% (j_2356) in - let gx2_2372 : ed25519_field_element_t := - (tv1_2363) *% (gx1_2370) in - let e2_2373 : bool := - ed_is_square (gx1_2370) in - let x_2374 : ed25519_field_element_t := - cmov (x2_2371) (x1_2366) (e2_2373) in - let y2_2375 : ed25519_field_element_t := - cmov (gx2_2372) (gx1_2370) (e2_2373) in - let y_2376 : ed25519_field_element_t := - option_unwrap (sqrt (y2_2375)) in - let e3_2377 : bool := - sgn0_m_eq_1 (y_2376) in - let y_2378 : ed25519_field_element_t := - cmov (y_2376) ((zero_2359) -% (y_2376)) (xor (e2_2373) (e3_2377)) in - let s_2379 : ed25519_field_element_t := - x_2374 in - let t_2380 : ed25519_field_element_t := - y_2378 in - (s_2379, t_2380, one_2358, (s_2379) *% (t_2380)). - -Definition map_to_curve_elligator2_curve25519 - (u_2381 : ed25519_field_element_t) - : ed_point_t := - let j_2382 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let zero_2383 : ed25519_field_element_t := - nat_mod_zero in - let one_2384 : ed25519_field_element_t := - nat_mod_one in - let two_2385 : ed25519_field_element_t := - nat_mod_two in - let c1_2386 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (array_to_be_bytes ( - p_3_8_v)) : ed25519_field_element_t in - let c2_2387 : ed25519_field_element_t := - nat_mod_pow_self (two_2385) (c1_2386) in - let c3_2388 : ed25519_field_element_t := - option_unwrap (sqrt ((zero_2383) -% (one_2384))) in - let c4_2389 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (array_to_be_bytes ( - p_5_8_v)) : ed25519_field_element_t in - let tv1_2390 : ed25519_field_element_t := - (u_2381) *% (u_2381) in - let tv1_2391 : ed25519_field_element_t := - (two_2385) *% (tv1_2390) in - let xd_2392 : ed25519_field_element_t := - (tv1_2391) +% (one_2384) in - let x1n_2393 : ed25519_field_element_t := - (zero_2383) -% (j_2382) in - let tv2_2394 : ed25519_field_element_t := - (xd_2392) *% (xd_2392) in - let gxd_2395 : ed25519_field_element_t := - (tv2_2394) *% (xd_2392) in - let gx1_2396 : ed25519_field_element_t := - (j_2382) *% (tv1_2391) in - let gx1_2397 : ed25519_field_element_t := - (gx1_2396) *% (x1n_2393) in - let gx1_2398 : ed25519_field_element_t := - (gx1_2397) +% (tv2_2394) in - let gx1_2399 : ed25519_field_element_t := - (gx1_2398) *% (x1n_2393) in - let tv3_2400 : ed25519_field_element_t := - (gxd_2395) *% (gxd_2395) in - let tv2_2401 : ed25519_field_element_t := - (tv3_2400) *% (tv3_2400) in - let tv3_2402 : ed25519_field_element_t := - (tv3_2400) *% (gxd_2395) in - let tv3_2403 : ed25519_field_element_t := - (tv3_2402) *% (gx1_2399) in - let tv2_2404 : ed25519_field_element_t := - (tv2_2401) *% (tv3_2403) in - let y11_2405 : ed25519_field_element_t := - nat_mod_pow_self (tv2_2404) (c4_2389) in - let y11_2406 : ed25519_field_element_t := - (y11_2405) *% (tv3_2403) in - let y12_2407 : ed25519_field_element_t := - (y11_2406) *% (c3_2388) in - let tv2_2408 : ed25519_field_element_t := - (y11_2406) *% (y11_2406) in - let tv2_2409 : ed25519_field_element_t := - (tv2_2408) *% (gxd_2395) in - let e1_2410 : bool := - (tv2_2409) =.? (gx1_2399) in - let y1_2411 : ed25519_field_element_t := - cmov (y12_2407) (y11_2406) (e1_2410) in - let x2n_2412 : ed25519_field_element_t := - (x1n_2393) *% (tv1_2391) in - let y21_2413 : ed25519_field_element_t := - (y11_2406) *% (u_2381) in - let y21_2414 : ed25519_field_element_t := - (y21_2413) *% (c2_2387) in - let y22_2415 : ed25519_field_element_t := - (y21_2414) *% (c3_2388) in - let gx2_2416 : ed25519_field_element_t := - (gx1_2399) *% (tv1_2391) in - let tv2_2417 : ed25519_field_element_t := - (y21_2414) *% (y21_2414) in - let tv2_2418 : ed25519_field_element_t := - (tv2_2417) *% (gxd_2395) in - let e2_2419 : bool := - (tv2_2418) =.? (gx2_2416) in - let y2_2420 : ed25519_field_element_t := - cmov (y22_2415) (y21_2414) (e2_2419) in - let tv2_2421 : ed25519_field_element_t := - (y1_2411) *% (y1_2411) in - let tv2_2422 : ed25519_field_element_t := - (tv2_2421) *% (gxd_2395) in - let e3_2423 : bool := - (tv2_2422) =.? (gx1_2399) in - let xn_2424 : ed25519_field_element_t := - cmov (x2n_2412) (x1n_2393) (e3_2423) in - let y_2425 : ed25519_field_element_t := - cmov (y2_2420) (y1_2411) (e3_2423) in - let e4_2426 : bool := - sgn0_m_eq_1 (y_2425) in - let y_2427 : ed25519_field_element_t := - cmov (y_2425) ((zero_2383) -% (y_2425)) (xor (e3_2423) (e4_2426)) in - (xn_2424, xd_2392, y_2427, one_2384). - -Definition map_to_curve_elligator2_edwards25519 - (u_2428 : ed25519_field_element_t) - : ed_point_t := - let j_2429 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let zero_2430 : ed25519_field_element_t := - nat_mod_zero in - let one_2431 : ed25519_field_element_t := - nat_mod_one in - let two_2432 : ed25519_field_element_t := - nat_mod_two in - let c1_2433 : ed25519_field_element_t := - option_unwrap (sqrt ((zero_2430) -% ((j_2429) +% (two_2432)))) in - let '(xmn_2434, xmd_2435, ymn_2436, ymd_2437) := - map_to_curve_elligator2_curve25519 (u_2428) in - let xn_2438 : ed25519_field_element_t := - (xmn_2434) *% (ymd_2437) in - let xn_2439 : ed25519_field_element_t := - (xn_2438) *% (c1_2433) in - let xd_2440 : ed25519_field_element_t := - (xmd_2435) *% (ymn_2436) in - let yn_2441 : ed25519_field_element_t := - (xmn_2434) -% (xmd_2435) in - let yd_2442 : ed25519_field_element_t := - (xmn_2434) +% (xmd_2435) in - let tv1_2443 : ed25519_field_element_t := - (xd_2440) *% (yd_2442) in - let e_2444 : bool := - (tv1_2443) =.? (zero_2430) in - let xn_2445 : ed25519_field_element_t := - cmov (xn_2439) (zero_2430) (e_2444) in - let xd_2446 : ed25519_field_element_t := - cmov (xd_2440) (one_2431) (e_2444) in - let yn_2447 : ed25519_field_element_t := - cmov (yn_2441) (one_2431) (e_2444) in - let yd_2448 : ed25519_field_element_t := - cmov (yd_2442) (one_2431) (e_2444) in - let x_2449 : ed25519_field_element_t := - (xn_2445) *% (nat_mod_inv (xd_2446)) in - let y_2450 : ed25519_field_element_t := - (yn_2447) *% (nat_mod_inv (yd_2448)) in - (x_2449, y_2450, one_2431, (x_2449) *% (y_2450)). - -Definition map_to_curve_elligator2_edwards - (u_2451 : ed25519_field_element_t) - : ed_point_t := - let st_2452 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - map_to_curve_elligator2 (u_2451) in - curve25519_to_edwards25519 (st_2452). - -Definition ed_encode_to_curve - (msg_2453 : byte_seq) - (dst_2454 : byte_seq) - : ed_point_result_t := - bind (ed_hash_to_field (msg_2453) (dst_2454) (usize 1)) (fun u_2455 => - let q_2456 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - map_to_curve_elligator2_edwards (seq_index (u_2455) (usize 0)) in - @Ok ed_point_t error_t (ed_clear_cofactor (q_2456))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Gf128.v b/proof-libs/coq/coq/_vc/Hacspec_Gf128.v deleted file mode 100644 index c606e1b76..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Gf128.v +++ /dev/null @@ -1,113 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition blocksize_v : uint_size := - usize 16. - -Definition gf128_block_t := nseq (uint8) (blocksize_v). - -Definition gf128_key_t := nseq (uint8) (blocksize_v). - -Definition gf128_tag_t := nseq (uint8) (blocksize_v). - -Notation "'element_t'" := (uint128) : hacspec_scope. - -Definition irred_v : element_t := - secret (@repr WORDSIZE128 299076299051606071403356588563077529600) : int128. - -Definition fadd (x_317 : element_t) (y_318 : element_t) : element_t := - (x_317) .^ (y_318). - -Definition fmul (x_319 : element_t) (y_320 : element_t) : element_t := - let res_321 : element_t := - secret (@repr WORDSIZE128 0) : int128 in - let sh_322 : uint128 := - x_319 in - let '(res_321, sh_322) := - foldi (usize 0) (usize 128) (fun i_323 '(res_321, sh_322) => - let '(res_321) := - if (uint128_declassify ((y_320) .& ((secret ( - @repr WORDSIZE128 1) : int128) shift_left ((usize 127) - ( - i_323))))) !=.? (uint128_declassify (secret ( - @repr WORDSIZE128 0) : int128)):bool then (let res_321 := - (res_321) .^ (sh_322) in - (res_321)) else ((res_321)) in - let '(sh_322) := - if (uint128_declassify ((sh_322) .& (secret ( - @repr WORDSIZE128 1) : int128))) !=.? (uint128_declassify ( - secret (@repr WORDSIZE128 0) : int128)):bool then (let sh_322 := - ((sh_322) shift_right (usize 1)) .^ (irred_v) in - (sh_322)) else (let sh_322 := - (sh_322) shift_right (usize 1) in - (sh_322)) in - (res_321, sh_322)) - (res_321, sh_322) in - res_321. - -Definition encode (block_324 : gf128_block_t) : element_t := - uint128_from_be_bytes (array_from_seq (16) (array_to_seq (block_324))). - -Definition decode (e_325 : element_t) : gf128_block_t := - array_from_seq (blocksize_v) (array_to_seq (uint128_to_be_bytes (e_325))). - -Definition update - (r_326 : element_t) - (block_327 : gf128_block_t) - (acc_328 : element_t) - : element_t := - fmul (fadd (encode (block_327)) (acc_328)) (r_326). - -Definition poly (msg_329 : byte_seq) (r_330 : element_t) : element_t := - let l_331 : uint_size := - seq_len (msg_329) in - let n_blocks_332 : uint_size := - (l_331) / (blocksize_v) in - let rem_333 : uint_size := - (l_331) %% (blocksize_v) in - let acc_334 : uint128 := - secret (@repr WORDSIZE128 0) : int128 in - let acc_334 := - foldi (usize 0) (n_blocks_332) (fun i_335 acc_334 => - let k_336 : uint_size := - (i_335) * (blocksize_v) in - let block_337 : gf128_block_t := - array_new_ (default : uint8) (blocksize_v) in - let block_337 := - array_update_start (block_337) (seq_slice_range (msg_329) (( - k_336, - (k_336) + (blocksize_v) - ))) in - let acc_334 := - update (r_330) (block_337) (acc_334) in - (acc_334)) - acc_334 in - let '(acc_334) := - if (rem_333) !=.? (usize 0):bool then (let k_338 : uint_size := - (n_blocks_332) * (blocksize_v) in - let last_block_339 : gf128_block_t := - array_new_ (default : uint8) (blocksize_v) in - let last_block_339 := - array_update_slice (last_block_339) (usize 0) (msg_329) (k_338) ( - rem_333) in - let acc_334 := - update (r_330) (last_block_339) (acc_334) in - (acc_334)) else ((acc_334)) in - acc_334. - -Definition gmac (text_340 : byte_seq) (k_341 : gf128_key_t) : gf128_tag_t := - let s_342 : gf128_block_t := - array_new_ (default : uint8) (blocksize_v) in - let r_343 : uint128 := - encode (array_from_seq (blocksize_v) (array_to_seq (k_341))) in - let a_344 : uint128 := - poly (text_340) (r_343) in - array_from_seq (blocksize_v) (array_to_seq (decode (fadd (a_344) (encode ( - s_342))))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Gimli.v b/proof-libs/coq/coq/_vc/Hacspec_Gimli.v deleted file mode 100644 index 9ab5c8d93..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Gimli.v +++ /dev/null @@ -1,406 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition state_t := nseq (uint32) (usize 12). - -Definition state_idx_t := - nat_mod (usize 12). -Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. -Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. - -Definition swap - (s_1127 : state_t) - (i_1128 : state_idx_t) - (j_1129 : state_idx_t) - : state_t := - let tmp_1130 : uint32 := - array_index (s_1127) (i_1128) in - let s_1127 := - array_upd s_1127 (i_1128) (array_index (s_1127) (j_1129)) in - let s_1127 := - array_upd s_1127 (j_1129) (tmp_1130) in - s_1127. - -Definition gimli_round (s_1131 : state_t) (r_1132 : int32) : state_t := - let s_1131 := - foldi (usize 0) (usize 4) (fun col_1133 s_1131 => - let x_1134 : uint32 := - uint32_rotate_left (array_index (s_1131) (col_1133)) (usize 24) in - let y_1135 : uint32 := - uint32_rotate_left (array_index (s_1131) ((col_1133) + (usize 4))) ( - usize 9) in - let z_1136 : uint32 := - array_index (s_1131) ((col_1133) + (usize 8)) in - let s_1131 := - array_upd s_1131 ((col_1133) + (usize 8)) (((x_1134) .^ (( - z_1136) shift_left (usize 1))) .^ (((y_1135) .& ( - z_1136)) shift_left (usize 2))) in - let s_1131 := - array_upd s_1131 ((col_1133) + (usize 4)) (((y_1135) .^ (x_1134)) .^ ((( - x_1134) .| (z_1136)) shift_left (usize 1))) in - let s_1131 := - array_upd s_1131 (col_1133) (((z_1136) .^ (y_1135)) .^ (((x_1134) .& ( - y_1135)) shift_left (usize 3))) in - (s_1131)) - s_1131 in - let '(s_1131) := - if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( - let s_1131 := - swap (s_1131) (usize 0) (usize 1) in - let s_1131 := - swap (s_1131) (usize 2) (usize 3) in - (s_1131)) else ((s_1131)) in - let '(s_1131) := - if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 2):bool then ( - let s_1131 := - swap (s_1131) (usize 0) (usize 2) in - let s_1131 := - swap (s_1131) (usize 1) (usize 3) in - (s_1131)) else ((s_1131)) in - let '(s_1131) := - if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( - let s_1131 := - array_upd s_1131 (usize 0) ((array_index (s_1131) (usize 0)) .^ (( - secret (@repr WORDSIZE32 2654435584) : int32) .| (secret ( - r_1132) : int32))) in - (s_1131)) else ((s_1131)) in - s_1131. - -Definition gimli (s_1137 : state_t) : state_t := - let s_1137 := - foldi (usize 0) (usize 24) (fun rnd_1138 s_1137 => - let rnd_1139 : int32 := - pub_u32 ((usize 24) - (rnd_1138)) in - let s_1137 := - gimli_round (s_1137) (rnd_1139) in - (s_1137)) - s_1137 in - s_1137. - -Definition block_t := nseq (uint8) (usize 16). - -Definition digest_t := nseq (uint8) (usize 32). - -Definition absorb_block - (input_block_1140 : block_t) - (s_1141 : state_t) - : state_t := - let input_bytes_1142 : seq uint32 := - array_to_le_uint32s (input_block_1140) in - let s_1141 := - array_upd s_1141 (usize 0) ((array_index (s_1141) (usize 0)) .^ (seq_index ( - input_bytes_1142) (usize 0))) in - let s_1141 := - array_upd s_1141 (usize 1) ((array_index (s_1141) (usize 1)) .^ (seq_index ( - input_bytes_1142) (usize 1))) in - let s_1141 := - array_upd s_1141 (usize 2) ((array_index (s_1141) (usize 2)) .^ (seq_index ( - input_bytes_1142) (usize 2))) in - let s_1141 := - array_upd s_1141 (usize 3) ((array_index (s_1141) (usize 3)) .^ (seq_index ( - input_bytes_1142) (usize 3))) in - gimli (s_1141). - -Definition squeeze_block (s_1143 : state_t) : block_t := - let block_1144 : block_t := - array_new_ (default : uint8) (16) in - let block_1144 := - foldi (usize 0) (usize 4) (fun i_1145 block_1144 => - let s_i_1146 : uint32 := - array_index (s_1143) (i_1145) in - let s_i_bytes_1147 : seq uint8 := - uint32_to_le_bytes (s_i_1146) in - let block_1144 := - array_upd block_1144 ((usize 4) * (i_1145)) (seq_index ( - s_i_bytes_1147) (usize 0)) in - let block_1144 := - array_upd block_1144 (((usize 4) * (i_1145)) + (usize 1)) (seq_index ( - s_i_bytes_1147) (usize 1)) in - let block_1144 := - array_upd block_1144 (((usize 4) * (i_1145)) + (usize 2)) (seq_index ( - s_i_bytes_1147) (usize 2)) in - let block_1144 := - array_upd block_1144 (((usize 4) * (i_1145)) + (usize 3)) (seq_index ( - s_i_bytes_1147) (usize 3)) in - (block_1144)) - block_1144 in - block_1144. - -Definition gimli_hash_state - (input_1148 : byte_seq) - (s_1149 : state_t) - : state_t := - let rate_1150 : uint_size := - array_length in - let chunks_1151 : uint_size := - seq_num_exact_chunks (input_1148) (rate_1150) in - let s_1149 := - foldi (usize 0) (chunks_1151) (fun i_1152 s_1149 => - let input_block_1153 : seq uint8 := - seq_get_exact_chunk (input_1148) (rate_1150) (i_1152) in - let full_block_1154 : block_t := - array_from_seq (16) (input_block_1153) in - let s_1149 := - absorb_block (full_block_1154) (s_1149) in - (s_1149)) - s_1149 in - let input_block_1155 : seq uint8 := - seq_get_remainder_chunk (input_1148) (rate_1150) in - let input_block_padded_1156 : block_t := - array_new_ (default : uint8) (16) in - let input_block_padded_1157 : block_t := - array_update_start (input_block_padded_1156) (input_block_1155) in - let input_block_padded_1157 := - array_upd input_block_padded_1157 (seq_len (input_block_1155)) (secret ( - @repr WORDSIZE8 1) : int8) in - let s_1149 := - array_upd s_1149 (usize 11) ((array_index (s_1149) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_1149 := - absorb_block (input_block_padded_1157) (s_1149) in - s_1149. - -Definition gimli_hash (input_bytes_1158 : byte_seq) : digest_t := - let s_1159 : state_t := - array_new_ (default : uint32) (12) in - let s_1160 : state_t := - gimli_hash_state (input_bytes_1158) (s_1159) in - let output_1161 : digest_t := - array_new_ (default : uint8) (32) in - let output_1162 : digest_t := - array_update_start (output_1161) (array_to_seq (squeeze_block (s_1160))) in - let s_1163 : state_t := - gimli (s_1160) in - array_update (output_1162) (array_length ) (array_to_seq (squeeze_block ( - s_1163))). - -Definition nonce_t := nseq (uint8) (usize 16). - -Definition key_t := nseq (uint8) (usize 32). - -Definition tag_t := nseq (uint8) (usize 16). - -Definition process_ad (ad_1164 : byte_seq) (s_1165 : state_t) : state_t := - gimli_hash_state (ad_1164) (s_1165). - -Definition process_msg - (message_1166 : byte_seq) - (s_1167 : state_t) - : (state_t '× byte_seq) := - let ciphertext_1168 : seq uint8 := - seq_new_ (default : uint8) (seq_len (message_1166)) in - let rate_1169 : uint_size := - array_length in - let num_chunks_1170 : uint_size := - seq_num_exact_chunks (message_1166) (rate_1169) in - let '(s_1167, ciphertext_1168) := - foldi (usize 0) (num_chunks_1170) (fun i_1171 '(s_1167, ciphertext_1168) => - let key_block_1172 : block_t := - squeeze_block (s_1167) in - let msg_block_1173 : seq uint8 := - seq_get_exact_chunk (message_1166) (rate_1169) (i_1171) in - let msg_block_1174 : block_t := - array_from_seq (16) (msg_block_1173) in - let ciphertext_1168 := - seq_set_exact_chunk (ciphertext_1168) (rate_1169) (i_1171) ( - array_to_seq ((msg_block_1174) array_xor (key_block_1172))) in - let s_1167 := - absorb_block (msg_block_1174) (s_1167) in - (s_1167, ciphertext_1168)) - (s_1167, ciphertext_1168) in - let key_block_1175 : block_t := - squeeze_block (s_1167) in - let last_block_1176 : seq uint8 := - seq_get_remainder_chunk (message_1166) (rate_1169) in - let block_len_1177 : uint_size := - seq_len (last_block_1176) in - let msg_block_padded_1178 : block_t := - array_new_ (default : uint8) (16) in - let msg_block_padded_1179 : block_t := - array_update_start (msg_block_padded_1178) (last_block_1176) in - let ciphertext_1168 := - seq_set_chunk (ciphertext_1168) (rate_1169) (num_chunks_1170) ( - array_slice_range ((msg_block_padded_1179) array_xor (key_block_1175)) (( - usize 0, - block_len_1177 - ))) in - let msg_block_padded_1179 := - array_upd msg_block_padded_1179 (block_len_1177) ((array_index ( - msg_block_padded_1179) (block_len_1177)) .^ (secret ( - @repr WORDSIZE8 1) : int8)) in - let s_1167 := - array_upd s_1167 (usize 11) ((array_index (s_1167) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_1167 := - absorb_block (msg_block_padded_1179) (s_1167) in - (s_1167, ciphertext_1168). - -Definition process_ct - (ciphertext_1180 : byte_seq) - (s_1181 : state_t) - : (state_t '× byte_seq) := - let message_1182 : seq uint8 := - seq_new_ (default : uint8) (seq_len (ciphertext_1180)) in - let rate_1183 : uint_size := - array_length in - let num_chunks_1184 : uint_size := - seq_num_exact_chunks (ciphertext_1180) (rate_1183) in - let '(s_1181, message_1182) := - foldi (usize 0) (num_chunks_1184) (fun i_1185 '(s_1181, message_1182) => - let key_block_1186 : block_t := - squeeze_block (s_1181) in - let ct_block_1187 : seq uint8 := - seq_get_exact_chunk (ciphertext_1180) (rate_1183) (i_1185) in - let ct_block_1188 : block_t := - array_from_seq (16) (ct_block_1187) in - let msg_block_1189 : block_t := - (ct_block_1188) array_xor (key_block_1186) in - let message_1182 := - seq_set_exact_chunk (message_1182) (rate_1183) (i_1185) (array_to_seq (( - ct_block_1188) array_xor (key_block_1186))) in - let s_1181 := - absorb_block (msg_block_1189) (s_1181) in - (s_1181, message_1182)) - (s_1181, message_1182) in - let key_block_1190 : block_t := - squeeze_block (s_1181) in - let ct_final_1191 : seq uint8 := - seq_get_remainder_chunk (ciphertext_1180) (rate_1183) in - let block_len_1192 : uint_size := - seq_len (ct_final_1191) in - let ct_block_padded_1193 : block_t := - array_new_ (default : uint8) (16) in - let ct_block_padded_1194 : block_t := - array_update_start (ct_block_padded_1193) (ct_final_1191) in - let msg_block_1195 : block_t := - (ct_block_padded_1194) array_xor (key_block_1190) in - let message_1182 := - seq_set_chunk (message_1182) (rate_1183) (num_chunks_1184) ( - array_slice_range (msg_block_1195) ((usize 0, block_len_1192))) in - let msg_block_1196 : block_t := - array_from_slice_range (default : uint8) (16) ( - array_to_seq (msg_block_1195)) ((usize 0, block_len_1192)) in - let msg_block_1196 := - array_upd msg_block_1196 (block_len_1192) ((array_index (msg_block_1196) ( - block_len_1192)) .^ (secret (@repr WORDSIZE8 1) : int8)) in - let s_1181 := - array_upd s_1181 (usize 11) ((array_index (s_1181) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_1181 := - absorb_block (msg_block_1196) (s_1181) in - (s_1181, message_1182). - -Definition nonce_to_u32s (nonce_1197 : nonce_t) : seq uint32 := - let uints_1198 : seq uint32 := - seq_new_ (default : uint32) (usize 4) in - let uints_1198 := - seq_upd uints_1198 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 0, usize 4 - )))) in - let uints_1198 := - seq_upd uints_1198 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 4, usize 8 - )))) in - let uints_1198 := - seq_upd uints_1198 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 8, usize 12 - )))) in - let uints_1198 := - seq_upd uints_1198 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 12, usize 16 - )))) in - uints_1198. - -Definition key_to_u32s (key_1199 : key_t) : seq uint32 := - let uints_1200 : seq uint32 := - seq_new_ (default : uint32) (usize 8) in - let uints_1200 := - seq_upd uints_1200 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 0, usize 4 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 4, usize 8 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 8, usize 12 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 12, usize 16 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 4) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 16, usize 20 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 5) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 20, usize 24 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 6) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 24, usize 28 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 7) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 28, usize 32 - )))) in - uints_1200. - -Definition gimli_aead_encrypt - (message_1201 : byte_seq) - (ad_1202 : byte_seq) - (nonce_1203 : nonce_t) - (key_1204 : key_t) - : (byte_seq '× tag_t) := - let s_1205 : state_t := - array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1203)) (key_to_u32s ( - key_1204))) in - let s_1206 : state_t := - gimli (s_1205) in - let s_1207 : state_t := - process_ad (ad_1202) (s_1206) in - let '(s_1208, ciphertext_1209) := - process_msg (message_1201) (s_1207) in - let tag_1210 : block_t := - squeeze_block (s_1208) in - let tag_1211 : tag_t := - array_from_seq (16) (array_to_seq (tag_1210)) in - (ciphertext_1209, tag_1211). - -Definition gimli_aead_decrypt - (ciphertext_1212 : byte_seq) - (ad_1213 : byte_seq) - (tag_1214 : tag_t) - (nonce_1215 : nonce_t) - (key_1216 : key_t) - : byte_seq := - let s_1217 : state_t := - array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1215)) (key_to_u32s ( - key_1216))) in - let s_1218 : state_t := - gimli (s_1217) in - let s_1219 : state_t := - process_ad (ad_1213) (s_1218) in - let '(s_1220, message_1221) := - process_ct (ciphertext_1212) (s_1219) in - let my_tag_1222 : block_t := - squeeze_block (s_1220) in - let my_tag_1223 : tag_t := - array_from_seq (16) (array_to_seq (my_tag_1222)) in - let out_1224 : seq uint8 := - seq_new_ (default : uint8) (usize 0) in - let '(out_1224) := - if array_equal (my_tag_1223) (tag_1214):bool then (let out_1224 := - message_1221 in - (out_1224)) else ((out_1224)) in - out_1224. - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Hkdf.v b/proof-libs/coq/coq/_vc/Hacspec_Hkdf.v deleted file mode 100644 index c92018f05..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Hkdf.v +++ /dev/null @@ -1,93 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Hmac. - -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition hash_len_v : uint_size := - (usize 256) / (usize 8). - -Inductive hkdf_error_t := -| InvalidOutputLength : hkdf_error_t. - -Notation "'hkdf_byte_seq_result_t'" := (( - result byte_seq hkdf_error_t)) : hacspec_scope. - -Definition extract (salt_713 : byte_seq) (ikm_714 : byte_seq) : prk_t := - let salt_or_zero_715 : seq uint8 := - seq_new_ (default : uint8) (hash_len_v) in - let '(salt_or_zero_715) := - if (seq_len (salt_713)) >.? (usize 0):bool then (let salt_or_zero_715 := - seq_from_seq (salt_713) in - (salt_or_zero_715)) else ((salt_or_zero_715)) in - array_from_seq (_) (array_to_seq (hmac (salt_or_zero_715) (ikm_714))). - -Definition build_hmac_txt - (t_716 : byte_seq) - (info_717 : byte_seq) - (iteration_718 : uint8) - : byte_seq := - let out_719 : seq uint8 := - seq_new_ (default : uint8) (((seq_len (t_716)) + (seq_len (info_717))) + ( - usize 1)) in - let out_719 := - seq_update (out_719) (usize 0) (t_716) in - let out_719 := - seq_update (out_719) (seq_len (t_716)) (info_717) in - let out_719 := - seq_upd out_719 ((seq_len (t_716)) + (seq_len (info_717))) ( - iteration_718) in - out_719. - -Definition div_ceil (a_720 : uint_size) (b_721 : uint_size) : uint_size := - let q_722 : uint_size := - (a_720) / (b_721) in - let '(q_722) := - if ((a_720) %% (b_721)) !=.? (usize 0):bool then (let q_722 := - (q_722) + (usize 1) in - (q_722)) else ((q_722)) in - q_722. - -Definition check_output_limit - (l_723 : uint_size) - : (result uint_size hkdf_error_t) := - let n_724 : uint_size := - div_ceil (l_723) (hash_len_v) in - (if ((n_724) <=.? (usize 255)):bool then (@Ok uint_size hkdf_error_t ( - n_724)) else (@Err uint_size hkdf_error_t (InvalidOutputLength))). - -Definition expand - (prk_725 : byte_seq) - (info_726 : byte_seq) - (l_727 : uint_size) - : hkdf_byte_seq_result_t := - bind (check_output_limit (l_727)) (fun n_728 => let t_i_729 : prk_t := - array_new_ (default : uint8) (_) in - let t_730 : seq uint8 := - seq_new_ (default : uint8) ((n_728) * (hash_size_v)) in - let '(t_i_729, t_730) := - foldi (usize 0) (n_728) (fun i_731 '(t_i_729, t_730) => - let hmac_txt_in_732 : seq uint8 := - (if ((i_731) =.? (usize 0)):bool then (build_hmac_txt (seq_new_ ( - default : uint8) (usize 0)) (info_726) (secret ((pub_u8 ( - i_731)) .+ (@repr WORDSIZE8 1)) : int8)) else ( - build_hmac_txt (seq_from_seq (array_to_seq (t_i_729))) ( - info_726) (secret ((pub_u8 (i_731)) .+ ( - @repr WORDSIZE8 1)) : int8))) in - let t_i_729 := - hmac (prk_725) (hmac_txt_in_732) in - let t_730 := - seq_update (t_730) ((i_731) * (array_len (t_i_729))) ( - array_to_seq (t_i_729)) in - (t_i_729, t_730)) - (t_i_729, t_730) in - @Ok byte_seq hkdf_error_t (seq_slice (t_730) (usize 0) (l_727))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Hmac.v b/proof-libs/coq/coq/_vc/Hacspec_Hmac.v deleted file mode 100644 index 3c50a5a70..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Hmac.v +++ /dev/null @@ -1,178 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition block_len_v : uint_size := - k_size_v. - -Definition prk_t := nseq (uint8) (hash_size_v). - -Definition block_t := nseq (uint8) (block_len_v). - -Definition i_pad_v : block_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8 - ] in l). - -Definition o_pad_v : block_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8 - ] in l). - -Definition k_block (k_733 : byte_seq) : block_t := - (if ((seq_len (k_733)) >.? (block_len_v)):bool then (array_update_start ( - array_new_ (default : uint8) (block_len_v)) (array_to_seq (hash ( - k_733)))) else (array_update_start (array_new_ (default : uint8) ( - block_len_v)) (k_733))). - -Definition hmac (k_734 : byte_seq) (txt_735 : byte_seq) : prk_t := - let k_block_736 : block_t := - k_block (k_734) in - let h_in_737 : seq uint8 := - seq_from_seq (array_to_seq ((k_block_736) array_xor (i_pad_v))) in - let h_in_737 := - seq_concat (h_in_737) (txt_735) in - let h_inner_738 : sha256_digest_t := - hash (h_in_737) in - let h_in_739 : seq uint8 := - seq_from_seq (array_to_seq ((k_block_736) array_xor (o_pad_v))) in - let h_in_739 := - seq_concat (h_in_739) (array_to_seq (h_inner_738)) in - array_from_seq (hash_size_v) (array_to_seq (hash (h_in_739))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Linalg.v b/proof-libs/coq/coq/_vc/Hacspec_Linalg.v deleted file mode 100644 index 0dcee9a83..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Linalg.v +++ /dev/null @@ -1,296 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Notation "'dim_type_t'" := (uint_size) : hacspec_scope. - -Notation "'scalar_t'" := (int128) : hacspec_scope. - -Notation "'dims_t'" := ((dim_type_t '× dim_type_t)) : hacspec_scope. - -Notation "'matrix_t'" := ((dims_t '× seq scalar_t)) : hacspec_scope. - -Notation "'mat_res_t'" := ((result matrix_t int8)) : hacspec_scope. - -Notation "'scal_res_t'" := ((result scalar_t int8)) : hacspec_scope. - -Definition dimension_sequence_length_mismatch_v : int8 := - @repr WORDSIZE8 10. - -Definition index_out_of_bounds_v : int8 := - @repr WORDSIZE8 11. - -Definition slice_out_of_bounds_v : int8 := - @repr WORDSIZE8 12. - -Definition dimension_mismatch_v : int8 := - @repr WORDSIZE8 13. - -Definition new_ - (rows_881 : dim_type_t) - (cols_882 : dim_type_t) - (seq_883 : seq scalar_t) - : mat_res_t := - (if (((seq_len (seq_883)) >.? (usize 0)) && (((rows_881) * (cols_882)) =.? ( - seq_len (seq_883)))):bool then (@Ok matrix_t int8 (( - (rows_881, cols_882), - seq_883 - ))) else (@Err matrix_t int8 (dimension_sequence_length_mismatch_v))). - -Definition repeat - (n_884 : dim_type_t) - (m_885 : dim_type_t) - (scalar_886 : scalar_t) - : matrix_t := - let ret_887 : seq int128 := - seq_new_ (default : scalar_t) ((n_884) * (m_885)) in - let ret_887 := - foldi (usize 0) ((n_884) * (m_885)) (fun i_888 ret_887 => - let ret_887 := - seq_upd ret_887 (i_888) (scalar_886) in - (ret_887)) - ret_887 in - ((n_884, m_885), ret_887). - -Definition zeros (n_889 : dim_type_t) (m_890 : dim_type_t) : matrix_t := - repeat (n_889) (m_890) (pub_int128_zero ). - -Definition ones (n_891 : dim_type_t) (m_892 : dim_type_t) : matrix_t := - repeat (n_891) (m_892) (pub_int128_one ). - -Definition identity (n_893 : dim_type_t) (m_894 : dim_type_t) : matrix_t := - let ret_895 : seq int128 := - seq_new_ (default : scalar_t) ((n_893) * (m_894)) in - let ret_895 := - foldi (usize 0) (min (n_893) (m_894)) (fun i_896 ret_895 => - let index_897 : uint_size := - ((i_896) * (min (n_893) (m_894))) + (i_896) in - let ret_895 := - seq_upd ret_895 (index_897) (pub_int128_one ) in - (ret_895)) - ret_895 in - ((n_893, m_894), ret_895). - -Definition index - (m_898 : matrix_t) - (i_899 : dim_type_t) - (j_900 : dim_type_t) - : scal_res_t := - let '(dim_901, seq_902) := - m_898 in - let '(rows_903, cols_904) := - dim_901 in - let index_905 : uint_size := - ((i_899) * (cols_904)) + (j_900) in - (if ((index_905) >=.? ((rows_903) * (cols_904))):bool then ( - @Err scalar_t int8 (index_out_of_bounds_v)) else (@Ok scalar_t int8 ( - seq_index (seq_902) (index_905)))). - -Definition transpose (matrix_906 : matrix_t) : matrix_t := - let '(dim_907, seq_908) := - matrix_906 in - let '(rows_909, cols_910) := - dim_907 in - let ret_911 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (seq_908)) in - let ret_911 := - foldi (usize 0) (rows_909) (fun i_912 ret_911 => - let ret_911 := - foldi (usize 0) (cols_910) (fun j_913 ret_911 => - let seq_index_914 : uint_size := - ((i_912) * (cols_910)) + (j_913) in - let ret_index_915 : uint_size := - ((j_913) * (rows_909)) + (i_912) in - let ret_911 := - seq_upd ret_911 (ret_index_915) (seq_index (seq_908) ( - seq_index_914)) in - (ret_911)) - ret_911 in - (ret_911)) - ret_911 in - ((cols_910, rows_909), ret_911). - -Definition slice - (matrix_916 : matrix_t) - (start_917 : dims_t) - (len_918 : dims_t) - : mat_res_t := - let '(dim_919, seq_920) := - matrix_916 in - let '(rows_921, cols_922) := - dim_919 in - let '(start_row_923, start_col_924) := - start_917 in - let '(len_rows_925, len_cols_926) := - len_918 in - let start_index_927 : uint_size := - ((start_row_923) * (cols_922)) + (start_col_924) in - let ret_928 : seq int128 := - seq_new_ (default : scalar_t) ((len_rows_925) * (len_cols_926)) in - let res_929 : (result matrix_t int8) := - @Err matrix_t int8 (slice_out_of_bounds_v) in - let '(ret_928, res_929) := - if ((start_index_927) + ((len_rows_925) * (len_cols_926))) <=.? (( - rows_921) * (cols_922)):bool then (let ret_928 := - foldi (usize 0) (len_rows_925) (fun i_930 ret_928 => - let ret_928 := - foldi (usize 0) (len_cols_926) (fun j_931 ret_928 => - let ret_index_932 : uint_size := - ((i_930) * (len_cols_926)) + (j_931) in - let seq_index_933 : uint_size := - (((start_row_923) + (i_930)) * (cols_922)) + (( - start_col_924) + (j_931)) in - let ret_928 := - seq_upd ret_928 (ret_index_932) (seq_index (seq_920) ( - seq_index_933)) in - (ret_928)) - ret_928 in - (ret_928)) - ret_928 in - let res_929 := - new_ (len_rows_925) (len_cols_926) (ret_928) in - (ret_928, res_929)) else ((ret_928, res_929)) in - res_929. - -Definition scale (matrix_934 : matrix_t) (scalar_935 : scalar_t) : matrix_t := - let '(dim_936, seq_937) := - matrix_934 in - let ret_938 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (seq_937)) in - let ret_938 := - foldi (usize 0) (seq_len (seq_937)) (fun i_939 ret_938 => - let ret_938 := - seq_upd ret_938 (i_939) ((scalar_935) .* (seq_index (seq_937) ( - i_939))) in - (ret_938)) - ret_938 in - (dim_936, ret_938). - -Definition add - (matrix_1_940 : matrix_t) - (matrix_2_941 : matrix_t) - : mat_res_t := - let '(m1_dim_942, m1_s_943) := - matrix_1_940 in - let '(m2_dim_944, m2_s_945) := - matrix_2_941 in - let ret_946 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (m1_s_943)) in - let res_947 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_946, res_947) := - if (m1_dim_942) =.? (m2_dim_944):bool then (let ret_946 := - foldi (usize 0) (seq_len (m1_s_943)) (fun i_948 ret_946 => - let ret_946 := - seq_upd ret_946 (i_948) ((seq_index (m1_s_943) (i_948)) .+ ( - seq_index (m2_s_945) (i_948))) in - (ret_946)) - ret_946 in - let res_947 := - @Ok matrix_t int8 ((m1_dim_942, ret_946)) in - (ret_946, res_947)) else ((ret_946, res_947)) in - res_947. - -Definition sub - (matrix_1_949 : matrix_t) - (matrix_2_950 : matrix_t) - : mat_res_t := - let '(m1_dim_951, m1_s_952) := - matrix_1_949 in - let '(m2_dim_953, m2_s_954) := - matrix_2_950 in - let ret_955 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (m1_s_952)) in - let res_956 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_955, res_956) := - if (m1_dim_951) =.? (m2_dim_953):bool then (let ret_955 := - foldi (usize 0) (seq_len (m1_s_952)) (fun i_957 ret_955 => - let ret_955 := - seq_upd ret_955 (i_957) ((seq_index (m1_s_952) (i_957)) .- ( - seq_index (m2_s_954) (i_957))) in - (ret_955)) - ret_955 in - let res_956 := - @Ok matrix_t int8 ((m1_dim_951, ret_955)) in - (ret_955, res_956)) else ((ret_955, res_956)) in - res_956. - -Definition component_mul - (matrix_1_958 : matrix_t) - (matrix_2_959 : matrix_t) - : mat_res_t := - let '(m1_dim_960, m1_s_961) := - matrix_1_958 in - let '(m2_dim_962, m2_s_963) := - matrix_2_959 in - let ret_964 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (m1_s_961)) in - let res_965 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_964, res_965) := - if (m1_dim_960) =.? (m2_dim_962):bool then (let ret_964 := - foldi (usize 0) (seq_len (m1_s_961)) (fun i_966 ret_964 => - let ret_964 := - seq_upd ret_964 (i_966) ((seq_index (m1_s_961) (i_966)) .* ( - seq_index (m2_s_963) (i_966))) in - (ret_964)) - ret_964 in - let res_965 := - @Ok matrix_t int8 ((m1_dim_960, ret_964)) in - (ret_964, res_965)) else ((ret_964, res_965)) in - res_965. - -Definition mul - (matrix_1_967 : matrix_t) - (matrix_2_968 : matrix_t) - : mat_res_t := - let '(dim_1_969, seq_1_970) := - matrix_1_967 in - let '(dim_2_971, seq_2_972) := - matrix_2_968 in - let '(l_973, m_974) := - dim_1_969 in - let '(m_975, n_976) := - dim_2_971 in - let ret_977 : seq int128 := - seq_new_ (default : scalar_t) ((l_973) * (n_976)) in - let res_978 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_977, res_978) := - if (m_974) =.? (m_975):bool then (let ret_977 := - foldi (usize 0) (l_973) (fun i_979 ret_977 => - let ret_977 := - foldi (usize 0) (n_976) (fun j_980 ret_977 => - let acc_981 : int128 := - pub_int128_zero in - let index_982 : uint_size := - ((i_979) * (n_976)) + (j_980) in - let acc_981 := - foldi (usize 0) (m_974) (fun k_983 acc_981 => - let index_1_984 : uint_size := - ((i_979) * (m_974)) + (k_983) in - let index_2_985 : uint_size := - ((k_983) * (n_976)) + (j_980) in - let acc_981 := - (acc_981) .+ ((seq_index (seq_1_970) (index_1_984)) .* ( - seq_index (seq_2_972) (index_2_985))) in - (acc_981)) - acc_981 in - let ret_977 := - seq_upd ret_977 (index_982) (acc_981) in - (ret_977)) - ret_977 in - (ret_977)) - ret_977 in - let res_978 := - new_ (l_973) (n_976) (ret_977) in - (ret_977, res_978)) else ((ret_977, res_978)) in - res_978. - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Merlin.v b/proof-libs/coq/coq/_vc/Hacspec_Merlin.v deleted file mode 100644 index 15f1316b7..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Merlin.v +++ /dev/null @@ -1,88 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Strobe. - -Notation "'transcript_t'" := (strobe_t) : hacspec_scope. - -Definition merlin_protocol_label : seq uint8 := - [ - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 105) : int8; - secret (@repr WORDSIZE8 110) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 48) : int8 - ]. - -Definition encode_uint64 (x_1051 : uint64) : seq uint8 := - array_to_le_bytes (uint64_to_le_bytes (x_1051)). - -Definition encode_usize_as_u32 (x_1052 : uint_size) : seq uint8 := - let x_uint32_1053 : uint32 := - uint32_classify (pub_u32 (x_1052)) in - array_to_le_bytes (uint32_to_le_bytes (x_uint32_1053)). - -Definition new_ (label_1054 : seq uint8) : transcript_t := - let transcript_1055 : (state_uint8_t '× int8 '× int8 '× int8) := - new_strobe (merlin_protocol_label ) in - let dom_sep_1056 : seq uint8 := - [ - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 109) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 112) : int8 - ] in - append_message (transcript_1055) (dom_sep_1056) (label_1054). - -Definition append_message - (transcript_1057 : transcript_t) - (label_1058 : seq uint8) - (message_1059 : seq uint8) - : transcript_t := - let data_len_1060 : seq uint8 := - array_to_be_bytes (uint32_to_le_bytes (uint32_classify (pub_u32 (seq_len ( - message_1059))))) in - let transcript_1057 := - meta_ad (transcript_1057) (label_1058) (false) in - let transcript_1057 := - meta_ad (transcript_1057) (data_len_1060) (true) in - let transcript_1057 := - ad (transcript_1057) (message_1059) (false) in - transcript_1057. - -Definition challenge_bytes - (transcript_1061 : transcript_t) - (label_1062 : seq uint8) - (dest_1063 : seq uint8) - : (transcript_t '× seq uint8) := - let data_len_1064 : seq uint8 := - encode_usize_as_u32 (seq_len (dest_1063)) in - let transcript_1061 := - meta_ad (transcript_1061) (label_1062) (false) in - let transcript_1061 := - meta_ad (transcript_1061) (data_len_1064) (true) in - prf (transcript_1061) (dest_1063) (false). - -Definition append_uint64 - (transcript_1065 : transcript_t) - (label_1066 : seq uint8) - (x_1067 : uint64) - : transcript_t := - append_message (transcript_1065) (label_1066) (encode_uint64 (x_1067)). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Ntru_Prime.v b/proof-libs/coq/coq/_vc/Hacspec_Ntru_Prime.v deleted file mode 100644 index b40600184..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Ntru_Prime.v +++ /dev/null @@ -1,138 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition build_irreducible (p_1256 : uint_size) : seq int128 := - let irr_1257 : seq int128 := - seq_new_ (default : int128) ((p_1256) + (usize 1)) in - let irr_1257 := - seq_upd irr_1257 (usize 0) (- (@repr WORDSIZE128 1)) in - let irr_1257 := - seq_upd irr_1257 (usize 1) (- (@repr WORDSIZE128 1)) in - let irr_1257 := - seq_upd irr_1257 (p_1256) (@repr WORDSIZE128 1) in - irr_1257. - -Definition round_to_3 (poly_1258 : seq int128) (q_1259 : int128) : seq int128 := - let result_1260 : seq int128 := - (poly_1258) in - let q_12_1261 : int128 := - ((q_1259) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in - let result_1260 := - foldi (usize 0) (seq_len (poly_1258)) (fun i_1262 result_1260 => - let '(result_1260) := - if (seq_index (poly_1258) (i_1262)) >.? (q_12_1261):bool then ( - let result_1260 := - seq_upd result_1260 (i_1262) ((seq_index (poly_1258) (i_1262)) .- ( - q_1259)) in - (result_1260)) else ((result_1260)) in - (result_1260)) - result_1260 in - let result_1260 := - foldi (usize 0) (seq_len (result_1260)) (fun i_1263 result_1260 => - let '(result_1260) := - if ((seq_index (result_1260) (i_1263)) .% (@repr WORDSIZE128 3)) !=.? ( - @repr WORDSIZE128 0):bool then (let result_1260 := - seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( - i_1263)) .- (@repr WORDSIZE128 1)) in - let '(result_1260) := - if ((seq_index (result_1260) (i_1263)) .% ( - @repr WORDSIZE128 3)) !=.? (@repr WORDSIZE128 0):bool then ( - let result_1260 := - seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( - i_1263)) .+ (@repr WORDSIZE128 2)) in - (result_1260)) else ((result_1260)) in - (result_1260)) else ((result_1260)) in - (result_1260)) - result_1260 in - result_1260. - -Definition encrypt - (r_1264 : seq int128) - (h_1265 : seq int128) - (q_1266 : int128) - (irreducible_1267 : seq int128) - : seq int128 := - let pre_1268 : seq int128 := - mul_poly_irr (r_1264) (h_1265) (irreducible_1267) (q_1266) in - round_to_3 (pre_1268) (q_1266). - -Definition ntru_prime_653_encrypt - (r_1269 : seq int128) - (h_1270 : seq int128) - : seq int128 := - let p_1271 : uint_size := - usize 653 in - let q_1272 : int128 := - @repr WORDSIZE128 4621 in - let w_1273 : uint_size := - usize 288 in - let irreducible_1274 : seq int128 := - build_irreducible (p_1271) in - encrypt (r_1269) (h_1270) (q_1272) (irreducible_1274). - -Definition ntru_prime_653_decrypt - (c_1275 : seq int128) - (key_f_1276 : seq int128) - (key_v_1277 : seq int128) - : (seq int128 '× bool) := - let p_1278 : uint_size := - usize 653 in - let q_1279 : int128 := - @repr WORDSIZE128 4621 in - let w_1280 : uint_size := - usize 288 in - let irreducible_1281 : seq int128 := - build_irreducible (p_1278) in - let f_c_1282 : seq int128 := - mul_poly_irr (key_f_1276) (c_1275) (irreducible_1281) (q_1279) in - let f_3_c_and_decryption_ok_1283 : (seq int128 '× bool) := - poly_to_ring (irreducible_1281) (add_poly (f_c_1282) (add_poly (f_c_1282) ( - f_c_1282) (q_1279)) (q_1279)) (q_1279) in - let '(f_3_c_1284, ok_decrypt_1285) := - f_3_c_and_decryption_ok_1283 in - let f_3_c_1286 : seq int128 := - f_3_c_1284 in - let q_12_1287 : int128 := - ((q_1279) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in - let f_3_c_1286 := - foldi (usize 0) (seq_len (f_3_c_1286)) (fun i_1288 f_3_c_1286 => - let '(f_3_c_1286) := - if (seq_index (f_3_c_1286) (i_1288)) >.? (q_12_1287):bool then ( - let f_3_c_1286 := - seq_upd f_3_c_1286 (i_1288) ((seq_index (f_3_c_1286) (i_1288)) .- ( - q_1279)) in - (f_3_c_1286)) else ((f_3_c_1286)) in - (f_3_c_1286)) - f_3_c_1286 in - let e_1289 : seq int128 := - seq_new_ (default : int128) (seq_len (f_3_c_1286)) in - let e_1289 := - foldi (usize 0) (seq_len (e_1289)) (fun i_1290 e_1289 => - let e_1289 := - seq_upd e_1289 (i_1290) ((seq_index (f_3_c_1286) (i_1290)) .% ( - @repr WORDSIZE128 3)) in - (e_1289)) - e_1289 in - let e_1289 := - make_positive (e_1289) (@repr WORDSIZE128 3) in - let r_1291 : seq int128 := - mul_poly_irr (e_1289) (key_v_1277) (irreducible_1281) ( - @repr WORDSIZE128 3) in - let r_1291 := - foldi (usize 0) (seq_len (r_1291)) (fun i_1292 r_1291 => - let '(r_1291) := - if (seq_index (r_1291) (i_1292)) =.? (@repr WORDSIZE128 2):bool then ( - let r_1291 := - seq_upd r_1291 (i_1292) (- (@repr WORDSIZE128 1)) in - (r_1291)) else ((r_1291)) in - (r_1291)) - r_1291 in - (r_1291, ok_decrypt_1285). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_P256.v b/proof-libs/coq/coq/_vc/Hacspec_P256.v deleted file mode 100644 index 676c262d4..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_P256.v +++ /dev/null @@ -1,494 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Inductive error_t := -| InvalidAddition : error_t. - -Definition bits_v : uint_size := - usize 256. - -Definition field_canvas_t := nseq (int8) (32). -Definition p256_field_element_t := - nat_mod 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition p256_scalar_t := - nat_mod 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551. - -Notation "'affine_t'" := ((p256_field_element_t '× p256_field_element_t -)) : hacspec_scope. - -Notation "'affine_result_t'" := ((result affine_t error_t)) : hacspec_scope. - -Notation "'p256_jacobian_t'" := (( - p256_field_element_t '× - p256_field_element_t '× - p256_field_element_t -)) : hacspec_scope. - -Notation "'jacobian_result_t'" := (( - result p256_jacobian_t error_t)) : hacspec_scope. - -Definition element_t := nseq (uint8) (usize 32). - -Definition jacobian_to_affine (p_569 : p256_jacobian_t) : affine_t := - let '(x_570, y_571, z_572) := - p_569 in - let z2_573 : p256_field_element_t := - nat_mod_exp (z_572) (@repr WORDSIZE32 2) in - let z2i_574 : p256_field_element_t := - nat_mod_inv (z2_573) in - let z3_575 : p256_field_element_t := - (z_572) *% (z2_573) in - let z3i_576 : p256_field_element_t := - nat_mod_inv (z3_575) in - let x_577 : p256_field_element_t := - (x_570) *% (z2i_574) in - let y_578 : p256_field_element_t := - (y_571) *% (z3i_576) in - (x_577, y_578). - -Definition affine_to_jacobian (p_579 : affine_t) : p256_jacobian_t := - let '(x_580, y_581) := - p_579 in - ( - x_580, - y_581, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t - ). - -Definition point_double (p_582 : p256_jacobian_t) : p256_jacobian_t := - let '(x1_583, y1_584, z1_585) := - p_582 in - let delta_586 : p256_field_element_t := - nat_mod_exp (z1_585) (@repr WORDSIZE32 2) in - let gamma_587 : p256_field_element_t := - nat_mod_exp (y1_584) (@repr WORDSIZE32 2) in - let beta_588 : p256_field_element_t := - (x1_583) *% (gamma_587) in - let alpha_1_589 : p256_field_element_t := - (x1_583) -% (delta_586) in - let alpha_2_590 : p256_field_element_t := - (x1_583) +% (delta_586) in - let alpha_591 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% ((alpha_1_589) *% ( - alpha_2_590)) in - let x3_592 : p256_field_element_t := - (nat_mod_exp (alpha_591) (@repr WORDSIZE32 2)) -% ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 8) : p256_field_element_t) *% (beta_588)) in - let z3_593 : p256_field_element_t := - nat_mod_exp ((y1_584) +% (z1_585)) (@repr WORDSIZE32 2) in - let z3_594 : p256_field_element_t := - (z3_593) -% ((gamma_587) +% (delta_586)) in - let y3_1_595 : p256_field_element_t := - ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 4) : p256_field_element_t) *% (beta_588)) -% ( - x3_592) in - let y3_2_596 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 8) : p256_field_element_t) *% ((gamma_587) *% ( - gamma_587)) in - let y3_597 : p256_field_element_t := - ((alpha_591) *% (y3_1_595)) -% (y3_2_596) in - (x3_592, y3_597, z3_594). - -Definition is_point_at_infinity (p_598 : p256_jacobian_t) : bool := - let '(x_599, y_600, z_601) := - p_598 in - nat_mod_equal (z_601) (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t). - -Definition s1_equal_s2 - (s1_602 : p256_field_element_t) - (s2_603 : p256_field_element_t) - : jacobian_result_t := - (if (nat_mod_equal (s1_602) (s2_603)):bool then ( - @Err p256_jacobian_t error_t (InvalidAddition)) else ( - @Ok p256_jacobian_t error_t (( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t - )))). - -Definition point_add_jacob - (p_604 : p256_jacobian_t) - (q_605 : p256_jacobian_t) - : jacobian_result_t := - let result_606 : (result p256_jacobian_t error_t) := - @Ok p256_jacobian_t error_t (q_605) in - let '(result_606) := - if negb (is_point_at_infinity (p_604)):bool then (let '(result_606) := - if is_point_at_infinity (q_605):bool then (let result_606 := - @Ok p256_jacobian_t error_t (p_604) in - (result_606)) else (let '(x1_607, y1_608, z1_609) := - p_604 in - let '(x2_610, y2_611, z2_612) := - q_605 in - let z1z1_613 : p256_field_element_t := - nat_mod_exp (z1_609) (@repr WORDSIZE32 2) in - let z2z2_614 : p256_field_element_t := - nat_mod_exp (z2_612) (@repr WORDSIZE32 2) in - let u1_615 : p256_field_element_t := - (x1_607) *% (z2z2_614) in - let u2_616 : p256_field_element_t := - (x2_610) *% (z1z1_613) in - let s1_617 : p256_field_element_t := - ((y1_608) *% (z2_612)) *% (z2z2_614) in - let s2_618 : p256_field_element_t := - ((y2_611) *% (z1_609)) *% (z1z1_613) in - let '(result_606) := - if nat_mod_equal (u1_615) (u2_616):bool then (let result_606 := - s1_equal_s2 (s1_617) (s2_618) in - (result_606)) else (let h_619 : p256_field_element_t := - (u2_616) -% (u1_615) in - let i_620 : p256_field_element_t := - nat_mod_exp ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (h_619)) ( - @repr WORDSIZE32 2) in - let j_621 : p256_field_element_t := - (h_619) *% (i_620) in - let r_622 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (( - s2_618) -% (s1_617)) in - let v_623 : p256_field_element_t := - (u1_615) *% (i_620) in - let x3_1_624 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (v_623) in - let x3_2_625 : p256_field_element_t := - (nat_mod_exp (r_622) (@repr WORDSIZE32 2)) -% (j_621) in - let x3_626 : p256_field_element_t := - (x3_2_625) -% (x3_1_624) in - let y3_1_627 : p256_field_element_t := - ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% ( - s1_617)) *% (j_621) in - let y3_2_628 : p256_field_element_t := - (r_622) *% ((v_623) -% (x3_626)) in - let y3_629 : p256_field_element_t := - (y3_2_628) -% (y3_1_627) in - let z3_630 : p256_field_element_t := - nat_mod_exp ((z1_609) +% (z2_612)) (@repr WORDSIZE32 2) in - let z3_631 : p256_field_element_t := - ((z3_630) -% ((z1z1_613) +% (z2z2_614))) *% (h_619) in - let result_606 := - @Ok p256_jacobian_t error_t ((x3_626, y3_629, z3_631)) in - (result_606)) in - (result_606)) in - (result_606)) else ((result_606)) in - result_606. - -Definition ltr_mul - (k_632 : p256_scalar_t) - (p_633 : p256_jacobian_t) - : jacobian_result_t := - let q_634 : ( - p256_field_element_t '× - p256_field_element_t '× - p256_field_element_t - ) := - ( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t - ) in - bind (foldibnd (usize 0) to (bits_v) for q_634 >> (fun i_635 q_634 => - let q_634 := - point_double (q_634) in - ifbnd nat_mod_equal (nat_mod_get_bit (k_632) (((bits_v) - (usize 1)) - ( - i_635))) (nat_mod_one ) : bool - thenbnd (bind (point_add_jacob (q_634) (p_633)) (fun q_634 => @Ok ( - ( - p256_field_element_t '× - p256_field_element_t '× - p256_field_element_t - ) - ) error_t ((q_634)))) - else ((q_634)) >> (fun '(q_634) => - @Ok ( - (p256_field_element_t '× p256_field_element_t '× p256_field_element_t) - ) error_t ((q_634))))) (fun q_634 => @Ok p256_jacobian_t error_t (q_634)). - -Definition p256_point_mul - (k_636 : p256_scalar_t) - (p_637 : affine_t) - : affine_result_t := - bind (ltr_mul (k_636) (affine_to_jacobian (p_637))) (fun jac_638 => - @Ok affine_t error_t (jacobian_to_affine (jac_638))). - -Definition p256_point_mul_base (k_639 : p256_scalar_t) : affine_result_t := - let base_point_640 : (p256_field_element_t '× p256_field_element_t) := - ( - nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 225) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 71) : int8; - secret (@repr WORDSIZE8 248) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 230) : int8; - secret (@repr WORDSIZE8 229) : int8; - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 164) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 125) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 244) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 150) : int8 - ] in l))) : p256_field_element_t, - nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 22) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 87) : int8; - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 203) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 245) : int8 - ] in l))) : p256_field_element_t - ) in - p256_point_mul (k_639) (base_point_640). - -Definition point_add_distinct - (p_641 : affine_t) - (q_642 : affine_t) - : affine_result_t := - bind (point_add_jacob (affine_to_jacobian (p_641)) (affine_to_jacobian ( - q_642))) (fun r_643 => @Ok affine_t error_t (jacobian_to_affine ( - r_643))). - -Definition point_add (p_644 : affine_t) (q_645 : affine_t) : affine_result_t := - (if ((p_644) !=.? (q_645)):bool then (point_add_distinct (p_644) ( - q_645)) else (@Ok affine_t error_t (jacobian_to_affine (point_double ( - affine_to_jacobian (p_644)))))). - -Definition p256_validate_private_key (k_646 : byte_seq) : bool := - let valid_647 : bool := - true in - let k_element_648 : p256_scalar_t := - nat_mod_from_byte_seq_be (k_646) : p256_scalar_t in - let k_element_bytes_649 : seq uint8 := - nat_mod_to_byte_seq_be (k_element_648) in - let all_zero_650 : bool := - true in - let '(valid_647, all_zero_650) := - foldi (usize 0) (seq_len (k_646)) (fun i_651 '(valid_647, all_zero_650) => - let '(all_zero_650) := - if negb (uint8_equal (seq_index (k_646) (i_651)) (secret ( - @repr WORDSIZE8 0) : int8)):bool then (let all_zero_650 := - false in - (all_zero_650)) else ((all_zero_650)) in - let '(valid_647) := - if negb (uint8_equal (seq_index (k_element_bytes_649) (i_651)) ( - seq_index (k_646) (i_651))):bool then (let valid_647 := - false in - (valid_647)) else ((valid_647)) in - (valid_647, all_zero_650)) - (valid_647, all_zero_650) in - (valid_647) && (negb (all_zero_650)). - -Definition p256_validate_public_key (p_652 : affine_t) : bool := - let b_653 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 75) : int8 - ]) : p256_field_element_t in - let point_at_infinity_654 : bool := - is_point_at_infinity (affine_to_jacobian (p_652)) in - let '(x_655, y_656) := - p_652 in - let on_curve_657 : bool := - ((y_656) *% (y_656)) =.? (((((x_655) *% (x_655)) *% (x_655)) -% (( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% (x_655))) +% ( - b_653)) in - (negb (point_at_infinity_654)) && (on_curve_657). - -Definition p256_calculate_w - (x_658 : p256_field_element_t) - : p256_field_element_t := - let b_659 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 75) : int8 - ]) : p256_field_element_t in - let exp_660 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 63) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 192) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8 - ]) : p256_field_element_t in - let z_661 : p256_field_element_t := - ((((x_658) *% (x_658)) *% (x_658)) -% ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% (x_658))) +% ( - b_659) in - let w_662 : p256_field_element_t := - nat_mod_pow_felem (z_661) (exp_660) in - w_662. - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Poly1305.v b/proof-libs/coq/coq/_vc/Hacspec_Poly1305.v deleted file mode 100644 index 745854dec..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Poly1305.v +++ /dev/null @@ -1,147 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition poly_key_t := nseq (uint8) (usize 32). - -Definition blocksize_v : uint_size := - usize 16. - -Definition poly_block_t := nseq (uint8) (usize 16). - -Definition poly1305_tag_t := nseq (uint8) (usize 16). - -Notation "'sub_block_t'" := (byte_seq) : hacspec_scope. - -Notation "'block_index_t'" := (uint_size) : hacspec_scope. - -Definition field_canvas_t := nseq (int8) (17). -Definition field_element_t := nat_mod 0x03fffffffffffffffffffffffffffffffb. - -Notation "'poly_state_t'" := (( - field_element_t '× - field_element_t '× - poly_key_t -)) : hacspec_scope. - -Definition poly1305_encode_r (b_435 : poly_block_t) : field_element_t := - let n_436 : uint128 := - uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_435))) in - let n_436 := - (n_436) .& (secret ( - @repr WORDSIZE128 21267647620597763993911028882763415551) : int128) in - nat_mod_from_secret_literal (n_436). - -Definition poly1305_encode_block (b_437 : poly_block_t) : field_element_t := - let n_438 : uint128 := - uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_437))) in - let f_439 : field_element_t := - nat_mod_from_secret_literal (n_438) in - (f_439) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ( - usize 128) : field_element_t). - -Definition poly1305_encode_last - (pad_len_440 : block_index_t) - (b_441 : sub_block_t) - : field_element_t := - let n_442 : uint128 := - uint128_from_le_bytes (array_from_slice (default : uint8) (16) (b_441) ( - usize 0) (seq_len (b_441))) in - let f_443 : field_element_t := - nat_mod_from_secret_literal (n_442) in - (f_443) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ((usize 8) * ( - pad_len_440)) : field_element_t). - -Definition poly1305_init (k_444 : poly_key_t) : poly_state_t := - let r_445 : field_element_t := - poly1305_encode_r (array_from_slice (default : uint8) (16) ( - array_to_seq (k_444)) (usize 0) (usize 16)) in - (nat_mod_zero , r_445, k_444). - -Definition poly1305_update_block - (b_446 : poly_block_t) - (st_447 : poly_state_t) - : poly_state_t := - let '(acc_448, r_449, k_450) := - st_447 in - (((poly1305_encode_block (b_446)) +% (acc_448)) *% (r_449), r_449, k_450). - -Definition poly1305_update_blocks - (m_451 : byte_seq) - (st_452 : poly_state_t) - : poly_state_t := - let st_453 : (field_element_t '× field_element_t '× poly_key_t) := - st_452 in - let n_blocks_454 : uint_size := - (seq_len (m_451)) / (blocksize_v) in - let st_453 := - foldi (usize 0) (n_blocks_454) (fun i_455 st_453 => - let block_456 : poly_block_t := - array_from_seq (16) (seq_get_exact_chunk (m_451) (blocksize_v) ( - i_455)) in - let st_453 := - poly1305_update_block (block_456) (st_453) in - (st_453)) - st_453 in - st_453. - -Definition poly1305_update_last - (pad_len_457 : uint_size) - (b_458 : sub_block_t) - (st_459 : poly_state_t) - : poly_state_t := - let st_460 : (field_element_t '× field_element_t '× poly_key_t) := - st_459 in - let '(st_460) := - if (seq_len (b_458)) !=.? (usize 0):bool then (let '(acc_461, r_462, k_463 - ) := - st_460 in - let st_460 := - ( - ((poly1305_encode_last (pad_len_457) (b_458)) +% (acc_461)) *% ( - r_462), - r_462, - k_463 - ) in - (st_460)) else ((st_460)) in - st_460. - -Definition poly1305_update - (m_464 : byte_seq) - (st_465 : poly_state_t) - : poly_state_t := - let st_466 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_update_blocks (m_464) (st_465) in - let last_467 : seq uint8 := - seq_get_remainder_chunk (m_464) (blocksize_v) in - poly1305_update_last (seq_len (last_467)) (last_467) (st_466). - -Definition poly1305_finish (st_468 : poly_state_t) : poly1305_tag_t := - let '(acc_469, _, k_470) := - st_468 in - let n_471 : uint128 := - uint128_from_le_bytes (array_from_slice (default : uint8) (16) ( - array_to_seq (k_470)) (usize 16) (usize 16)) in - let aby_472 : seq uint8 := - nat_mod_to_byte_seq_le (acc_469) in - let a_473 : uint128 := - uint128_from_le_bytes (array_from_slice (default : uint8) (16) (aby_472) ( - usize 0) (usize 16)) in - array_from_seq (16) (array_to_seq (uint128_to_le_bytes ((a_473) .+ (n_471)))). - -Definition poly1305 - (m_474 : byte_seq) - (key_475 : poly_key_t) - : poly1305_tag_t := - let st_476 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_init (key_475) in - let st_476 := - poly1305_update (m_474) (st_476) in - poly1305_finish (st_476). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Riot_Bootloader.v b/proof-libs/coq/coq/_vc/Hacspec_Riot_Bootloader.v deleted file mode 100644 index 32f8905cf..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Riot_Bootloader.v +++ /dev/null @@ -1,184 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition riotboot_magic_v : int32 := - @repr WORDSIZE32 1414482258. - -Notation "'fletcher_t'" := ((int32 '× int32)) : hacspec_scope. - -Definition new_fletcher : fletcher_t := - (@repr WORDSIZE32 65535, @repr WORDSIZE32 65535). - -Definition max_chunk_size : uint_size := - usize 360. - -Definition reduce_u32 (x_1293 : int32) : int32 := - ((x_1293) .& (@repr WORDSIZE32 65535)) .+ ((x_1293) shift_right ( - @repr WORDSIZE32 16)). - -Definition combine (lower_1294 : int32) (upper_1295 : int32) : int32 := - (lower_1294) .| ((upper_1295) shift_left (@repr WORDSIZE32 16)). - -Definition update_fletcher - (f_1296 : fletcher_t) - (data_1297 : seq int16) - : fletcher_t := - let max_chunk_size_1298 : uint_size := - max_chunk_size in - let '(a_1299, b_1300) := - f_1296 in - let '(a_1299, b_1300) := - foldi (usize 0) (seq_num_chunks (data_1297) ( - max_chunk_size_1298)) (fun i_1301 '(a_1299, b_1300) => - let '(chunk_len_1302, chunk_1303) := - seq_get_chunk (data_1297) (max_chunk_size_1298) (i_1301) in - let intermediate_a_1304 : int32 := - a_1299 in - let intermediate_b_1305 : int32 := - b_1300 in - let '(intermediate_a_1304, intermediate_b_1305) := - foldi (usize 0) (chunk_len_1302) (fun j_1306 '( - intermediate_a_1304, - intermediate_b_1305 - ) => - let intermediate_a_1304 := - (intermediate_a_1304) .+ (@cast _ uint32 _ (seq_index (chunk_1303) ( - j_1306))) in - let intermediate_b_1305 := - (intermediate_b_1305) .+ (intermediate_a_1304) in - (intermediate_a_1304, intermediate_b_1305)) - (intermediate_a_1304, intermediate_b_1305) in - let a_1299 := - reduce_u32 (intermediate_a_1304) in - let b_1300 := - reduce_u32 (intermediate_b_1305) in - (a_1299, b_1300)) - (a_1299, b_1300) in - let a_1299 := - reduce_u32 (a_1299) in - let b_1300 := - reduce_u32 (b_1300) in - (a_1299, b_1300). - -Definition value (x_1307 : fletcher_t) : int32 := - let '(a_1308, b_1309) := - x_1307 in - combine (a_1308) (b_1309). - -Notation "'header_t'" := ((int32 '× int32 '× int32 '× int32 -)) : hacspec_scope. - -Definition header_as_u16_slice (h_1310 : header_t) : seq int16 := - let '(magic_1311, seq_number_1312, start_addr_1313, _) := - h_1310 in - let magic_1314 : u32_word_t := - u32_to_be_bytes (magic_1311) in - let seq_number_1315 : u32_word_t := - u32_to_be_bytes (seq_number_1312) in - let start_addr_1316 : u32_word_t := - u32_to_be_bytes (start_addr_1313) in - let u8_seq_1317 : seq int8 := - seq_new_ (default : int8) (usize 12) in - let u8_seq_1318 : seq int8 := - seq_update_slice (u8_seq_1317) (usize 0) (array_to_seq (magic_1314)) ( - usize 0) (usize 4) in - let u8_seq_1319 : seq int8 := - seq_update_slice (u8_seq_1318) (usize 4) (array_to_seq (seq_number_1315)) ( - usize 0) (usize 4) in - let u8_seq_1320 : seq int8 := - seq_update_slice (u8_seq_1319) (usize 8) (array_to_seq (start_addr_1316)) ( - usize 0) (usize 4) in - let u16_seq_1321 : seq int16 := - seq_new_ (default : int16) (usize 6) in - let u16_seq_1321 := - foldi (usize 0) (usize 3) (fun i_1322 u16_seq_1321 => - let u16_word_1323 : u16_word_t := - array_from_seq (2) (seq_slice (u8_seq_1320) ((i_1322) * (usize 4)) ( - usize 2)) in - let u16_value_1324 : int16 := - u16_from_be_bytes (u16_word_1323) in - let u16_seq_1321 := - seq_upd u16_seq_1321 (((usize 2) * (i_1322)) + (usize 1)) ( - u16_value_1324) in - let u16_word_1325 : u16_word_t := - array_from_seq (2) (seq_slice (u8_seq_1320) (((i_1322) * (usize 4)) + ( - usize 2)) (usize 2)) in - let u16_value_1326 : int16 := - u16_from_be_bytes (u16_word_1325) in - let u16_seq_1321 := - seq_upd u16_seq_1321 ((usize 2) * (i_1322)) (u16_value_1326) in - (u16_seq_1321)) - u16_seq_1321 in - u16_seq_1321. - -Definition is_valid_header (h_1327 : header_t) : bool := - let '(magic_number_1328, seq_number_1329, start_addr_1330, checksum_1331) := - h_1327 in - let slice_1332 : seq int16 := - header_as_u16_slice (( - magic_number_1328, - seq_number_1329, - start_addr_1330, - checksum_1331 - )) in - let result_1333 : bool := - false in - let '(result_1333) := - if (magic_number_1328) =.? (riotboot_magic_v):bool then ( - let fletcher_1334 : (int32 '× int32) := - new_fletcher in - let fletcher_1335 : (int32 '× int32) := - update_fletcher (fletcher_1334) (slice_1332) in - let sum_1336 : int32 := - value (fletcher_1335) in - let result_1333 := - (sum_1336) =.? (checksum_1331) in - (result_1333)) else ((result_1333)) in - result_1333. - -Definition choose_image (images_1337 : seq header_t) : (bool '× int32) := - let image_1338 : int32 := - @repr WORDSIZE32 0 in - let image_found_1339 : bool := - false in - let '(image_1338, image_found_1339) := - foldi (usize 0) (seq_len (images_1337)) (fun i_1340 '( - image_1338, - image_found_1339 - ) => - let header_1341 : (int32 '× int32 '× int32 '× int32) := - seq_index (images_1337) (i_1340) in - let '(magic_number_1342, seq_number_1343, start_addr_1344, checksum_1345 - ) := - header_1341 in - let '(image_1338, image_found_1339) := - if is_valid_header (( - magic_number_1342, - seq_number_1343, - start_addr_1344, - checksum_1345 - )):bool then (let change_image_1346 : bool := - negb ((image_found_1339) && ((seq_number_1343) <=.? ( - image_1338))) in - let '(image_1338, image_found_1339) := - if change_image_1346:bool then (let image_1338 := - start_addr_1344 in - let image_found_1339 := - true in - (image_1338, image_found_1339)) else (( - image_1338, - image_found_1339 - )) in - (image_1338, image_found_1339)) else ((image_1338, image_found_1339 - )) in - (image_1338, image_found_1339)) - (image_1338, image_found_1339) in - (image_found_1339, image_1338). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Riot_Runqueue.v b/proof-libs/coq/coq/_vc/Hacspec_Riot_Runqueue.v deleted file mode 100644 index 31ad634c8..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Riot_Runqueue.v +++ /dev/null @@ -1,224 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition uint32_bits_v : uint_size := - (usize 4) * (usize 8). - -Definition n_queues_v : uint_size := - usize 20. - -Definition n_threads_v : uint_size := - usize 30. - -Definition sentinel_v : int8 := - @repr WORDSIZE8 255. - -Inductive runqueue_id_t := -| RunqueueId : int8 -> runqueue_id_t. - -Inductive thread_id_t := -| ThreadId : int8 -> thread_id_t. - -Definition tail_t := nseq (int8) (n_queues_v). - -Definition next_ids_t := nseq (int8) (n_threads_v). - -Inductive clist_t := -| Clist : (tail_t '× next_ids_t) -> clist_t. - -Definition clist_new : clist_t := - let tail_1347 : tail_t := - array_new_ (default : int8) (n_queues_v) in - let tail_1347 := - foldi (usize 0) (array_len (tail_1347)) (fun i_1348 tail_1347 => - let tail_1347 := - array_upd tail_1347 (i_1348) (sentinel_v) in - (tail_1347)) - tail_1347 in - let next_idxs_1349 : next_ids_t := - array_new_ (default : int8) (n_threads_v) in - let next_idxs_1349 := - foldi (usize 0) (array_len (next_idxs_1349)) (fun i_1350 next_idxs_1349 => - let next_idxs_1349 := - array_upd next_idxs_1349 (i_1350) (sentinel_v) in - (next_idxs_1349)) - next_idxs_1349 in - Clist ((tail_1347, next_idxs_1349)). - -Definition clist_is_empty (x_1351 : clist_t) (rq_1352 : runqueue_id_t) : bool := - let 'RunqueueId (rq_1353) := - rq_1352 in - let 'Clist ((tail_1354, next_ids_1355)) := - x_1351 in - (array_index (tail_1354) (@cast _ uint32 _ (rq_1353))) =.? (sentinel_v). - -Definition clist_push - (x_1356 : clist_t) - (n_1357 : thread_id_t) - (rq_1358 : runqueue_id_t) - : clist_t := - let 'RunqueueId (rq_1359) := - rq_1358 in - let 'ThreadId (n_1360) := - n_1357 in - let 'Clist ((tail_1361, next_idxs_1362)) := - x_1356 in - let '(tail_1361, next_idxs_1362) := - if (array_index (next_idxs_1362) (@cast _ uint32 _ (n_1360))) =.? ( - sentinel_v):bool then (let '(tail_1361, next_idxs_1362) := - if (array_index (tail_1361) (@cast _ uint32 _ (rq_1359))) =.? ( - sentinel_v):bool then (let tail_1361 := - array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in - let next_idxs_1362 := - array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (n_1360) in - (tail_1361, next_idxs_1362)) else (let next_idxs_1362 := - array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (array_index ( - next_idxs_1362) (@cast _ uint32 _ (array_index (tail_1361) ( - @cast _ uint32 _ (rq_1359))))) in - let next_idxs_1362 := - array_upd next_idxs_1362 (@cast _ uint32 _ (array_index ( - tail_1361) (@cast _ uint32 _ (rq_1359)))) (n_1360) in - let tail_1361 := - array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in - (tail_1361, next_idxs_1362)) in - (tail_1361, next_idxs_1362)) else ((tail_1361, next_idxs_1362)) in - Clist ((tail_1361, next_idxs_1362)). - -Definition clist_pop_head - (x_1363 : clist_t) - (rq_1364 : runqueue_id_t) - : (clist_t '× (option int8)) := - let 'RunqueueId (rq_1365) := - rq_1364 in - let 'Clist ((tail_1366, next_idxs_1367)) := - x_1363 in - let out_1368 : (option int8) := - @None int8 in - let '(tail_1366, next_idxs_1367, out_1368) := - if (array_index (tail_1366) (@cast _ uint32 _ (rq_1365))) =.? ( - sentinel_v):bool then ((tail_1366, next_idxs_1367, out_1368)) else ( - let head_1369 : int8 := - array_index (next_idxs_1367) (@cast _ uint32 _ (array_index ( - tail_1366) (@cast _ uint32 _ (rq_1365)))) in - let '(tail_1366, next_idxs_1367) := - if (head_1369) =.? (array_index (tail_1366) (@cast _ uint32 _ ( - rq_1365))):bool then (let tail_1366 := - array_upd tail_1366 (@cast _ uint32 _ (rq_1365)) (sentinel_v) in - (tail_1366, next_idxs_1367)) else (let next_idxs_1367 := - array_upd next_idxs_1367 (@cast _ uint32 _ (array_index ( - tail_1366) (@cast _ uint32 _ (rq_1365)))) (array_index ( - next_idxs_1367) (@cast _ uint32 _ (head_1369))) in - (tail_1366, next_idxs_1367)) in - let next_idxs_1367 := - array_upd next_idxs_1367 (@cast _ uint32 _ (head_1369)) (sentinel_v) in - let out_1368 := - @Some int8 (head_1369) in - (tail_1366, next_idxs_1367, out_1368)) in - (Clist ((tail_1366, next_idxs_1367)), out_1368). - -Definition clist_peek_head - (x_1370 : clist_t) - (rq_1371 : runqueue_id_t) - : (option int8) := - let 'RunqueueId (rq_1372) := - rq_1371 in - let 'Clist ((tail_1373, next_idxs_1374)) := - x_1370 in - (if ((array_index (tail_1373) (@cast _ uint32 _ (rq_1372))) =.? ( - sentinel_v)):bool then (@None int8) else (@Some int8 (array_index ( - next_idxs_1374) (@cast _ uint32 _ (array_index (tail_1373) ( - @cast _ uint32 _ (rq_1372))))))). - -Definition clist_advance - (x_1375 : clist_t) - (rq_1376 : runqueue_id_t) - : clist_t := - let 'RunqueueId (rq_1377) := - rq_1376 in - let 'Clist ((tail_1378, next_idxs_1379)) := - x_1375 in - let '(tail_1378) := - if (array_index (tail_1378) (@cast _ uint32 _ (rq_1377))) !=.? ( - sentinel_v):bool then (let tail_1378 := - array_upd tail_1378 (@cast _ uint32 _ (rq_1377)) (array_index ( - next_idxs_1379) (@cast _ uint32 _ (array_index (tail_1378) ( - @cast _ uint32 _ (rq_1377))))) in - (tail_1378)) else ((tail_1378)) in - Clist ((tail_1378, next_idxs_1379)). - -Inductive run_queue_t := -| RunQueue : (int32 '× clist_t) -> run_queue_t. - -Definition runqueue_new : run_queue_t := - RunQueue ((@repr WORDSIZE32 0, clist_new )). - -Definition runqueue_add - (y_1380 : run_queue_t) - (n_1381 : thread_id_t) - (rq_1382 : runqueue_id_t) - : run_queue_t := - let 'RunqueueId (rq_u8_1383) := - rq_1382 in - let 'RunQueue ((bitcache_1384, queues_1385)) := - y_1380 in - let bitcache_1384 := - (bitcache_1384) .| ((@repr WORDSIZE32 1) shift_left (@cast _ uint32 _ ( - rq_u8_1383))) in - let queues_1385 := - clist_push (queues_1385) (n_1381) (rq_1382) in - RunQueue ((bitcache_1384, queues_1385)). - -Definition runqueue_del - (y_1386 : run_queue_t) - (n_1387 : thread_id_t) - (rq_1388 : runqueue_id_t) - : run_queue_t := - let 'RunqueueId (rq_u8_1389) := - rq_1388 in - let 'RunQueue ((bitcache_1390, queues_1391)) := - y_1386 in - let '(queues_1392, popped_1393) := - clist_pop_head (queues_1391) (rq_1388) in - let '(bitcache_1390) := - if clist_is_empty (queues_1392) (rq_1388):bool then (let bitcache_1390 := - (bitcache_1390) .& (not ((@repr WORDSIZE32 1) shift_left ( - @cast _ uint32 _ (rq_u8_1389)))) in - (bitcache_1390)) else ((bitcache_1390)) in - RunQueue ((bitcache_1390, queues_1392)). - -Definition runqueue_ffs (val_1394 : int32) : int32 := - (pub_u32 (uint32_bits_v)) .- (pub_uint32_leading_zeros (val_1394)). - -Definition runqueue_get_next (y_1395 : run_queue_t) : (option int8) := - let 'RunQueue ((bitcache_1396, queues_1397)) := - y_1395 in - let rq_ffs_1398 : int32 := - runqueue_ffs ((bitcache_1396)) in - let out_1399 : (option int8) := - @None int8 in - let '(out_1399) := - if (rq_ffs_1398) >.? (@repr WORDSIZE32 0):bool then ( - let rq_1400 : runqueue_id_t := - RunqueueId (@cast _ uint8 _ ((rq_ffs_1398) .- (@repr WORDSIZE32 1))) in - let out_1399 := - clist_peek_head (queues_1397) (rq_1400) in - (out_1399)) else ((out_1399)) in - out_1399. - -Definition runqueue_advance - (y_1401 : run_queue_t) - (rq_1402 : runqueue_id_t) - : run_queue_t := - let 'RunQueue ((bitcache_1403, queues_1404)) := - y_1401 in - let queues_1404 := - clist_advance (queues_1404) (rq_1402) in - RunQueue ((bitcache_1403, queues_1404)). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Ristretto.v b/proof-libs/coq/coq/_vc/Hacspec_Ristretto.v deleted file mode 100644 index 9672ef470..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Ristretto.v +++ /dev/null @@ -1,700 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Notation "'ristretto_point_t'" := (( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t -)) : hacspec_scope. - -Notation "'decode_result_t'" := (( - result ristretto_point_t int8)) : hacspec_scope. - -Definition ristretto_point_encoded_t := nseq (uint8) (usize 32). - -Definition byte_string_t := nseq (uint8) (usize 64). - -Definition field_canvas_t := nseq (int8) (32). -Definition field_element_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. - -Definition decoding_error_v : int8 := - @repr WORDSIZE8 20. - -Definition p : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 237) : int8 - ]) : field_element_t. - -Definition d : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 140) : int8; - secret (@repr WORDSIZE8 199) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 232) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 117) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 202) : int8; - secret (@repr WORDSIZE8 19) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 163) : int8 - ]) : field_element_t. - -Definition sqrt_m1 : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 131) : int8; - secret (@repr WORDSIZE8 36) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 223) : int8; - secret (@repr WORDSIZE8 11) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 251) : int8; - secret (@repr WORDSIZE8 215) : int8; - secret (@repr WORDSIZE8 167) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 67) : int8; - secret (@repr WORDSIZE8 24) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 173) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 228) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 196) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 14) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 176) : int8 - ]) : field_element_t. - -Definition invsqrt_a_minus_d : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 137) : int8; - secret (@repr WORDSIZE8 5) : int8; - secret (@repr WORDSIZE8 207) : int8; - secret (@repr WORDSIZE8 175) : int8; - secret (@repr WORDSIZE8 252) : int8; - secret (@repr WORDSIZE8 162) : int8; - secret (@repr WORDSIZE8 22) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 123) : int8; - secret (@repr WORDSIZE8 145) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 157) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 22) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 190) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 200) : int8; - secret (@repr WORDSIZE8 253) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 93) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 234) : int8 - ]) : field_element_t. - -Definition sqrt_ad_minus_one : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 105) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 131) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 172) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 252) : int8; - secret (@repr WORDSIZE8 201) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 245) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 253) : int8; - secret (@repr WORDSIZE8 175) : int8; - secret (@repr WORDSIZE8 157) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 12) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 84) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 126) : int8; - secret (@repr WORDSIZE8 151) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 73) : int8; - secret (@repr WORDSIZE8 123) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 27) : int8 - ]) : field_element_t. - -Definition one_minus_d_sq : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 144) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 178) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 224) : int8; - secret (@repr WORDSIZE8 215) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 148) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 221) : int8; - secret (@repr WORDSIZE8 190) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 223) : int8; - secret (@repr WORDSIZE8 228) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 56) : int8; - secret (@repr WORDSIZE8 205) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 9) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 148) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 118) : int8 - ]) : field_element_t. - -Definition d_minus_one_sq : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 122) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 34) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 220) : int8; - secret (@repr WORDSIZE8 211) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 30) : int8; - secret (@repr WORDSIZE8 25) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 173) : int8; - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 68) : int8; - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 32) : int8 - ]) : field_element_t. - -Definition base_point_encoded : ristretto_point_encoded_t := - array_from_seq (32) ([ - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 174) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 106) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 113) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 132) : int8; - secret (@repr WORDSIZE8 169) : int8; - secret (@repr WORDSIZE8 97) : int8; - secret (@repr WORDSIZE8 197) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 11) : int8; - secret (@repr WORDSIZE8 106) : int8; - secret (@repr WORDSIZE8 165) : int8; - secret (@repr WORDSIZE8 130) : int8; - secret (@repr WORDSIZE8 221) : int8; - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 166) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 224) : int8; - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 118) : int8 - ]). - -Definition base_point : ristretto_point_t := - result_unwrap (decode (base_point_encoded )). - -Definition identity_point : ristretto_point_t := - (fe (usize 0), fe (usize 1), fe (usize 1), fe (usize 0)). - -Definition fe (x_740 : uint_size) : field_element_t := - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - pub_u128 (x_740)) : field_element_t. - -Definition geq_p (x_741 : seq uint8) : bool := - let p_seq_742 : seq uint8 := - [ - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 127) : int8 - ] in - let res_743 : bool := - true in - let res_743 := - foldi (usize 0) (seq_len (p_seq_742)) (fun index_744 res_743 => - let x_index_745 : int8 := - uint8_declassify (seq_index (x_741) (index_744)) in - let p_index_746 : int8 := - uint8_declassify (seq_index (p_seq_742) (index_744)) in - let '(res_743) := - if (x_index_745) !=.? (p_index_746):bool then (let res_743 := - (x_index_745) >.? (p_index_746) in - (res_743)) else ((res_743)) in - (res_743)) - res_743 in - res_743. - -Definition is_negative (e_747 : field_element_t) : bool := - ((e_747) rem (fe (usize 2))) =.? (fe (usize 1)). - -Definition eq (u_748 : field_element_t) (v_749 : field_element_t) : bool := - (u_748) =.? (v_749). - -Definition select - (u_750 : field_element_t) - (cond_751 : bool) - (v_752 : field_element_t) - : field_element_t := - (if (cond_751):bool then (u_750) else (v_752)). - -Definition neg_fe (u_753 : field_element_t) : field_element_t := - (fe (usize 0)) -% (u_753). - -Definition abs (u_754 : field_element_t) : field_element_t := - select (neg_fe (u_754)) (is_negative (u_754)) (u_754). - -Definition sqrt_ratio_m1 - (u_755 : field_element_t) - (v_756 : field_element_t) - : (bool '× field_element_t) := - let v3_757 : field_element_t := - (nat_mod_pow (v_756) (@repr WORDSIZE128 2)) *% (v_756) in - let v7_758 : field_element_t := - (nat_mod_pow (v3_757) (@repr WORDSIZE128 2)) *% (v_756) in - let r_759 : field_element_t := - ((u_755) *% (v3_757)) *% (nat_mod_pow_felem ((u_755) *% (v7_758)) ((( - p ) -% (fe (usize 5))) /% (fe (usize 8)))) in - let check_760 : field_element_t := - (v_756) *% (nat_mod_pow (r_759) (@repr WORDSIZE128 2)) in - let correct_sign_sqrt_761 : bool := - eq (check_760) (u_755) in - let flipped_sign_sqrt_762 : bool := - eq (check_760) (neg_fe (u_755)) in - let flipped_sign_sqrt_i_763 : bool := - eq (check_760) ((neg_fe (u_755)) *% (sqrt_m1 )) in - let r_prime_764 : field_element_t := - (sqrt_m1 ) *% (r_759) in - let r_759 := - select (r_prime_764) ((flipped_sign_sqrt_762) || ( - flipped_sign_sqrt_i_763)) (r_759) in - let r_759 := - abs (r_759) in - let was_square_765 : bool := - (correct_sign_sqrt_761) || (flipped_sign_sqrt_762) in - (was_square_765, r_759). - -Definition map (t_766 : field_element_t) : ristretto_point_t := - let one_767 : field_element_t := - fe (usize 1) in - let minus_one_768 : field_element_t := - neg_fe (one_767) in - let r_769 : field_element_t := - (sqrt_m1 ) *% (nat_mod_pow (t_766) (@repr WORDSIZE128 2)) in - let u_770 : field_element_t := - ((r_769) +% (one_767)) *% (one_minus_d_sq ) in - let v_771 : field_element_t := - ((minus_one_768) -% ((r_769) *% (d ))) *% ((r_769) +% (d )) in - let '(was_square_772, s_773) := - sqrt_ratio_m1 (u_770) (v_771) in - let s_prime_774 : field_element_t := - neg_fe (abs ((s_773) *% (t_766))) in - let s_773 := - select (s_773) (was_square_772) (s_prime_774) in - let c_775 : field_element_t := - select (minus_one_768) (was_square_772) (r_769) in - let n_776 : field_element_t := - (((c_775) *% ((r_769) -% (one_767))) *% (d_minus_one_sq )) -% (v_771) in - let w0_777 : field_element_t := - ((fe (usize 2)) *% (s_773)) *% (v_771) in - let w1_778 : field_element_t := - (n_776) *% (sqrt_ad_minus_one ) in - let w2_779 : field_element_t := - (one_767) -% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in - let w3_780 : field_element_t := - (one_767) +% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in - ( - (w0_777) *% (w3_780), - (w2_779) *% (w1_778), - (w1_778) *% (w3_780), - (w0_777) *% (w2_779) - ). - -Definition one_way_map (b_781 : byte_string_t) : ristretto_point_t := - let r0_bytes_782 : seq uint8 := - array_slice (b_781) (usize 0) (usize 32) in - let r1_bytes_783 : seq uint8 := - array_slice (b_781) (usize 32) (usize 32) in - let r0_bytes_784 : seq int8 := - seq_declassify (r0_bytes_782) in - let r1_bytes_785 : seq int8 := - seq_declassify (r1_bytes_783) in - let r0_bytes_784 := - seq_upd r0_bytes_784 (usize 31) ((seq_index (r0_bytes_784) (usize 31)) .% ( - @repr WORDSIZE8 128)) in - let r1_bytes_785 := - seq_upd r1_bytes_785 (usize 31) ((seq_index (r1_bytes_785) (usize 31)) .% ( - @repr WORDSIZE8 128)) in - let r0_786 : field_element_t := - nat_mod_from_public_byte_seq_le (r0_bytes_784) in - let r1_787 : field_element_t := - nat_mod_from_public_byte_seq_le (r1_bytes_785) in - let p1_788 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - map (r0_786) in - let p2_789 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - map (r1_787) in - add (p1_788) (p2_789). - -Definition encode (u_790 : ristretto_point_t) : ristretto_point_encoded_t := - let '(x0_791, y0_792, z0_793, t0_794) := - u_790 in - let u1_795 : field_element_t := - ((z0_793) +% (y0_792)) *% ((z0_793) -% (y0_792)) in - let u2_796 : field_element_t := - (x0_791) *% (y0_792) in - let '(_, invsqrt_797) := - sqrt_ratio_m1 (fe (usize 1)) ((u1_795) *% (nat_mod_pow (u2_796) ( - @repr WORDSIZE128 2))) in - let den1_798 : field_element_t := - (invsqrt_797) *% (u1_795) in - let den2_799 : field_element_t := - (invsqrt_797) *% (u2_796) in - let z_inv_800 : field_element_t := - ((den1_798) *% (den2_799)) *% (t0_794) in - let ix0_801 : field_element_t := - (x0_791) *% (sqrt_m1 ) in - let iy0_802 : field_element_t := - (y0_792) *% (sqrt_m1 ) in - let enchanted_denominator_803 : field_element_t := - (den1_798) *% (invsqrt_a_minus_d ) in - let rotate_804 : bool := - is_negative ((t0_794) *% (z_inv_800)) in - let x_805 : field_element_t := - select (iy0_802) (rotate_804) (x0_791) in - let y_806 : field_element_t := - select (ix0_801) (rotate_804) (y0_792) in - let z_807 : field_element_t := - z0_793 in - let den_inv_808 : field_element_t := - select (enchanted_denominator_803) (rotate_804) (den2_799) in - let y_806 := - select (neg_fe (y_806)) (is_negative ((x_805) *% (z_inv_800))) (y_806) in - let s_809 : field_element_t := - abs ((den_inv_808) *% ((z_807) -% (y_806))) in - array_update_start (array_new_ (default : uint8) (32)) ( - nat_mod_to_byte_seq_le (s_809)). - -Definition decode (u_810 : ristretto_point_encoded_t) : decode_result_t := - let ret_811 : (result ristretto_point_t int8) := - @Err ristretto_point_t int8 (decoding_error_v) in - let s_812 : field_element_t := - nat_mod_from_byte_seq_le (array_to_seq (u_810)) : field_element_t in - let '(ret_811) := - if (negb (geq_p (array_to_le_bytes (u_810)))) && (negb (is_negative ( - s_812))):bool then (let one_813 : field_element_t := - fe (usize 1) in - let ss_814 : field_element_t := - nat_mod_pow (s_812) (@repr WORDSIZE128 2) in - let u1_815 : field_element_t := - (one_813) -% (ss_814) in - let u2_816 : field_element_t := - (one_813) +% (ss_814) in - let u2_sqr_817 : field_element_t := - nat_mod_pow (u2_816) (@repr WORDSIZE128 2) in - let v_818 : field_element_t := - (neg_fe ((d ) *% (nat_mod_pow (u1_815) (@repr WORDSIZE128 2)))) -% ( - u2_sqr_817) in - let '(was_square_819, invsqrt_820) := - sqrt_ratio_m1 (one_813) ((v_818) *% (u2_sqr_817)) in - let den_x_821 : field_element_t := - (invsqrt_820) *% (u2_816) in - let den_y_822 : field_element_t := - ((invsqrt_820) *% (den_x_821)) *% (v_818) in - let x_823 : field_element_t := - abs (((s_812) +% (s_812)) *% (den_x_821)) in - let y_824 : field_element_t := - (u1_815) *% (den_y_822) in - let t_825 : field_element_t := - (x_823) *% (y_824) in - let '(ret_811) := - if negb (((negb (was_square_819)) || (is_negative (t_825))) || (( - y_824) =.? (fe (usize 0)))):bool then (let ret_811 := - @Ok ristretto_point_t int8 ((x_823, y_824, one_813, t_825)) in - (ret_811)) else ((ret_811)) in - (ret_811)) else ((ret_811)) in - ret_811. - -Definition equals - (u_826 : ristretto_point_t) - (v_827 : ristretto_point_t) - : bool := - let '(x1_828, y1_829, _, _) := - u_826 in - let '(x2_830, y2_831, _, _) := - v_827 in - (((x1_828) *% (y2_831)) =.? ((x2_830) *% (y1_829))) || (((y1_829) *% ( - y2_831)) =.? ((x1_828) *% (x2_830))). - -Definition add - (u_832 : ristretto_point_t) - (v_833 : ristretto_point_t) - : ristretto_point_t := - let '(x1_834, y1_835, z1_836, t1_837) := - u_832 in - let '(x2_838, y2_839, z2_840, t2_841) := - v_833 in - let a_842 : field_element_t := - ((y1_835) -% (x1_834)) *% ((y2_839) +% (x2_838)) in - let b_843 : field_element_t := - ((y1_835) +% (x1_834)) *% ((y2_839) -% (x2_838)) in - let c_844 : field_element_t := - ((fe (usize 2)) *% (z1_836)) *% (t2_841) in - let d_845 : field_element_t := - ((fe (usize 2)) *% (t1_837)) *% (z2_840) in - let e_846 : field_element_t := - (d_845) +% (c_844) in - let f_847 : field_element_t := - (b_843) -% (a_842) in - let g_848 : field_element_t := - (b_843) +% (a_842) in - let h_849 : field_element_t := - (d_845) -% (c_844) in - let x3_850 : field_element_t := - (e_846) *% (f_847) in - let y3_851 : field_element_t := - (g_848) *% (h_849) in - let t3_852 : field_element_t := - (e_846) *% (h_849) in - let z3_853 : field_element_t := - (f_847) *% (g_848) in - (x3_850, y3_851, z3_853, t3_852). - -Definition neg (u_854 : ristretto_point_t) : ristretto_point_t := - let '(x1_855, y1_856, z1_857, t1_858) := - u_854 in - (neg_fe (x1_855), y1_856, neg_fe (z1_857), t1_858). - -Definition sub - (u_859 : ristretto_point_t) - (v_860 : ristretto_point_t) - : ristretto_point_t := - add (u_859) (neg (v_860)). - -Definition double (u_861 : ristretto_point_t) : ristretto_point_t := - let '(x1_862, y1_863, z1_864, _) := - u_861 in - let a_865 : field_element_t := - nat_mod_pow (x1_862) (@repr WORDSIZE128 2) in - let b_866 : field_element_t := - nat_mod_pow (y1_863) (@repr WORDSIZE128 2) in - let c_867 : field_element_t := - (fe (usize 2)) *% (nat_mod_pow (z1_864) (@repr WORDSIZE128 2)) in - let h_868 : field_element_t := - (a_865) +% (b_866) in - let e_869 : field_element_t := - (h_868) -% (nat_mod_pow ((x1_862) +% (y1_863)) (@repr WORDSIZE128 2)) in - let g_870 : field_element_t := - (a_865) -% (b_866) in - let f_871 : field_element_t := - (c_867) +% (g_870) in - let x2_872 : field_element_t := - (e_869) *% (f_871) in - let y2_873 : field_element_t := - (g_870) *% (h_868) in - let t2_874 : field_element_t := - (e_869) *% (h_868) in - let z2_875 : field_element_t := - (f_871) *% (g_870) in - (x2_872, y2_873, z2_875, t2_874). - -Definition mul - (k_876 : scalar_t) - (p_877 : ristretto_point_t) - : ristretto_point_t := - let res_878 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - identity_point in - let temp_879 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - p_877 in - let '(res_878, temp_879) := - foldi (usize 0) (usize 256) (fun i_880 '(res_878, temp_879) => - let '(res_878) := - if (nat_mod_get_bit (k_876) (i_880)) =.? (nat_mod_from_literal ( - 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed) ( - @repr WORDSIZE128 1) : scalar_t):bool then (let res_878 := - add (res_878) (temp_879) in - (res_878)) else ((res_878)) in - let temp_879 := - double (temp_879) in - (res_878, temp_879)) - (res_878, temp_879) in - res_878. - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v b/proof-libs/coq/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v deleted file mode 100644 index 1e62ce5df..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Rsa_Fdh_Vrf.v +++ /dev/null @@ -1,70 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Require Import Hacspec_Rsa_Pkcs1. - -Definition int_byte_t := nseq (uint8) (usize 1). - -Definition one_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). - -Definition two_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). - -Definition suite_string_v : int_byte_t := - one_v. - -Definition vrf_mgf1 - (n_2644 : rsa_int_t) - (alpha_2645 : byte_seq) - : byte_seq_result_t := - bind (i2osp (rsa_int_from_literal (@cast _ uint128 _ (byte_size_v))) ( - @repr WORDSIZE32 4)) (fun mgf_salt1_2646 => bind (i2osp (n_2644) ( - byte_size_v)) (fun mgf_salt2_2647 => let mgf_salt_2648 : seq uint8 := - seq_concat (mgf_salt1_2646) (mgf_salt2_2647) in - let mgf_string_2649 : seq uint8 := - seq_concat (seq_concat (array_concat (suite_string_v) ( - array_to_seq (one_v))) (mgf_salt_2648)) (alpha_2645) in - bind (mgf1 (mgf_string_2649) ((@cast _ uint32 _ (byte_size_v)) - ( - usize 1))) (fun mgf_2650 => @Ok seq uint8 error_t (mgf_2650)))). - -Definition prove (sk_2651 : sk_t) (alpha_2652 : byte_seq) : byte_seq_result_t := - let '(n_2653, d_2654) := - (sk_2651) in - bind (vrf_mgf1 (n_2653) (alpha_2652)) (fun em_2655 => - let m_2656 : rsa_int_t := - os2ip (em_2655) in - bind (rsasp1 (sk_2651) (m_2656)) (fun s_2657 => i2osp (s_2657) ( - byte_size_v))). - -Definition proof_to_hash (pi_string_2658 : byte_seq) : byte_seq_result_t := - let hash_string_2659 : seq uint8 := - array_concat (suite_string_v) (array_concat (two_v) (pi_string_2658)) in - @Ok seq uint8 error_t (array_slice (sha256 (hash_string_2659)) (usize 0) ( - usize 32)). - -Definition verify - (pk_2660 : pk_t) - (alpha_2661 : byte_seq) - (pi_string_2662 : byte_seq) - : byte_seq_result_t := - let '(n_2663, e_2664) := - (pk_2660) in - let s_2665 : rsa_int_t := - os2ip (pi_string_2662) in - bind (rsavp1 (pk_2660) (s_2665)) (fun m_2666 => bind (vrf_mgf1 (n_2663) ( - alpha_2661)) (fun em_prime_2667 => let m_prime_2668 : rsa_int_t := - os2ip (em_prime_2667) in - (if ((m_2666) =.? (m_prime_2668)):bool then (proof_to_hash ( - pi_string_2662)) else (@Err seq uint8 error_t ( - VerificationFailed))))). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/coq/_vc/Hacspec_Rsa_Pkcs1.v deleted file mode 100644 index 150f38634..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Rsa_Pkcs1.v +++ /dev/null @@ -1,121 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition bit_size_v : int32 := - @repr WORDSIZE32 2048. - -Definition byte_size_v : int32 := - (@repr WORDSIZE32 2048) ./ (@repr WORDSIZE32 8). - -Definition hlen_v : uint_size := - usize 32. - -Definition rsa_int_t := nat_mod pow2 2048. - -Inductive error_t := -| InvalidLength : error_t -| MessageTooLarge : error_t -| DecryptionFailed : error_t -| VerificationFailed : error_t. - -Definition eqb_error_t (x y : error_t) : bool := -match x with - | InvalidLength => match y with | InvalidLength=> true | _ => false end - | MessageTooLarge => match y with | MessageTooLarge=> true | _ => false end - | DecryptionFailed => match y with | DecryptionFailed=> true | _ => false end - | VerificationFailed => - match y with - | VerificationFailed=> true - | _ => false - end - end. - -Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_error_t : EqDec (error_t) := -Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). - - -Notation "'pk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. - -Notation "'sk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. - -Notation "'key_pair_t'" := ((pk_t '× sk_t)) : hacspec_scope. - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Notation "'rsa_int_result_t'" := ((result rsa_int_t error_t)) : hacspec_scope. - -Definition rsaep (pk_2530 : pk_t) (m_2531 : rsa_int_t) : rsa_int_result_t := - let '(n_2532, e_2533) := - pk_2530 in - (if ((m_2531) >.? ((n_2532) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (m_2531) (e_2533) (n_2532)))). - -Definition rsadp (sk_2534 : sk_t) (c_2535 : rsa_int_t) : rsa_int_result_t := - let '(n_2536, d_2537) := - sk_2534 in - (if ((c_2535) >.? ((n_2536) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (c_2535) (d_2537) (n_2536)))). - -Definition rsasp1 (sk_2538 : sk_t) (m_2539 : rsa_int_t) : rsa_int_result_t := - let '(n_2540, d_2541) := - sk_2538 in - (if ((m_2539) >.? ((n_2540) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (m_2539) (d_2541) (n_2540)))). - -Definition rsavp1 (pk_2542 : pk_t) (s_2543 : rsa_int_t) : rsa_int_result_t := - let '(n_2544, e_2545) := - pk_2542 in - (if ((s_2543) >.? ((n_2544) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (s_2543) (e_2545) (n_2544)))). - -Definition i2osp - (x_2546 : rsa_int_t) - (x_len_2547 : int32) - : byte_seq_result_t := - (if (((x_2546) >=.? (nat_mod_exp (nat_mod_from_literal (0x) ( - @repr WORDSIZE128 256) : rsa_int_t) (x_len_2547))) && (( - x_len_2547) !=.? (byte_size_v))):bool then (@Err byte_seq error_t ( - InvalidLength)) else (@Ok byte_seq error_t (seq_slice ( - nat_mod_to_byte_seq_be (x_2546)) (@cast _ uint32 _ ((byte_size_v) .- ( - x_len_2547))) (@cast _ uint32 _ (x_len_2547))))). - -Definition os2ip (x_2548 : byte_seq) : rsa_int_t := - nat_mod_from_byte_seq_be (x_2548) : rsa_int_t. - -Definition mgf1 - (mgf_seed_2549 : byte_seq) - (mask_len_2550 : uint_size) - : byte_seq_result_t := - let result_2551 : (result byte_seq error_t) := - @Err byte_seq error_t (InvalidLength) in - ifbnd (mask_len_2550) <.? ((usize 2) .^ ((usize 32) * (hlen_v))) : bool - thenbnd (let t_2552 : seq uint8 := - seq_new_ (default : uint8) (usize 0) in - bind (foldibnd (usize 0) to (((mask_len_2550) + (usize 32)) / ( - usize 32)) for t_2552 >> (fun i_2553 t_2552 => - bind (i2osp (nat_mod_from_literal (0x) (pub_u128 (i_2553)) : rsa_int_t) ( - @repr WORDSIZE32 4)) (fun x_2554 => let t_2552 := - seq_concat (t_2552) (array_to_seq (sha256 (seq_concat ( - mgf_seed_2549) (x_2554)))) in - @Ok (seq uint8) error_t ((t_2552))))) (fun t_2552 => let result_2551 := - @Ok byte_seq error_t (seq_slice (t_2552) (usize 0) (mask_len_2550)) in - @Ok ((result byte_seq error_t)) error_t ((result_2551)))) - else ((result_2551)) >> (fun '(result_2551) => - result_2551). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Sha1.v b/proof-libs/coq/coq/_vc/Hacspec_Sha1.v deleted file mode 100644 index f633b67ac..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Sha1.v +++ /dev/null @@ -1,205 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition schedule_t := nseq (uint32) (usize 80). - -Definition block_words_v : uint_size := - (usize 512) / (usize 32). - -Definition hash_words_v : uint_size := - (usize 160) / (usize 32). - -Definition block_t := nseq (uint32) (block_words_v). - -Definition hash_t := nseq (uint32) (hash_words_v). - -Definition block_bytes_v : uint_size := - (usize 512) / (usize 8). - -Definition hash_bytes_v : uint_size := - (usize 160) / (usize 8). - -Definition block_bytes_t := nseq (uint8) (block_bytes_v). - -Definition sha1_digest_t := nseq (uint8) (hash_bytes_v). - -Definition bitlength_bytes_v : uint_size := - (usize 64) / (usize 8). - -Definition ch (x_1225 : uint32) (y_1226 : uint32) (z_1227 : uint32) : uint32 := - ((x_1225) .& (y_1226)) .^ ((not (x_1225)) .& (z_1227)). - -Definition parity - (x_1228 : uint32) - (y_1229 : uint32) - (z_1230 : uint32) - : uint32 := - ((x_1228) .^ (y_1229)) .^ (z_1230). - -Definition maj (x_1231 : uint32) (y_1232 : uint32) (z_1233 : uint32) : uint32 := - (((x_1231) .& (y_1232)) .^ ((x_1231) .& (z_1233))) .^ ((y_1232) .& (z_1233)). - -Definition hash_init_v : hash_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1732584193) : int32; - secret (@repr WORDSIZE32 4023233417) : int32; - secret (@repr WORDSIZE32 2562383102) : int32; - secret (@repr WORDSIZE32 271733878) : int32; - secret (@repr WORDSIZE32 3285377520) : int32 - ] in l). - -Definition compress (m_bytes_1234 : block_bytes_t) (h_1235 : hash_t) : hash_t := - let m_1236 : seq uint32 := - array_to_be_uint32s (m_bytes_1234) in - let w_1237 : schedule_t := - array_new_ (default : uint32) (80) in - let w_1237 := - foldi (usize 0) (usize 80) (fun t_1238 w_1237 => - let '(w_1237) := - if (t_1238) <.? (usize 16):bool then (let w_1237 := - array_upd w_1237 (t_1238) (seq_index (m_1236) (t_1238)) in - (w_1237)) else (let w_1237 := - array_upd w_1237 (t_1238) (uint32_rotate_left ((((array_index ( - w_1237) ((t_1238) - (usize 3))) .^ (array_index ( - w_1237) ((t_1238) - (usize 8)))) .^ (array_index ( - w_1237) ((t_1238) - (usize 14)))) .^ (array_index ( - w_1237) ((t_1238) - (usize 16)))) (usize 1)) in - (w_1237)) in - (w_1237)) - w_1237 in - let a_1239 : uint32 := - array_index (h_1235) (usize 0) in - let b_1240 : uint32 := - array_index (h_1235) (usize 1) in - let c_1241 : uint32 := - array_index (h_1235) (usize 2) in - let d_1242 : uint32 := - array_index (h_1235) (usize 3) in - let e_1243 : uint32 := - array_index (h_1235) (usize 4) in - let '(a_1239, b_1240, c_1241, d_1242, e_1243) := - foldi (usize 0) (usize 80) (fun t_1244 '( - a_1239, - b_1240, - c_1241, - d_1242, - e_1243 - ) => - let t_1245 : uint32 := - uint32_zero in - let '(t_1245) := - if ((usize 0) <=.? (t_1244)) && ((t_1244) <.? (usize 20)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (ch (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 1518500249) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let '(t_1245) := - if ((usize 20) <=.? (t_1244)) && ((t_1244) <.? (usize 40)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 1859775393) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let '(t_1245) := - if ((usize 40) <=.? (t_1244)) && ((t_1244) <.? (usize 60)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (maj (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 2400959708) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let '(t_1245) := - if ((usize 60) <=.? (t_1244)) && ((t_1244) <.? (usize 80)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 3395469782) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let e_1243 := - d_1242 in - let d_1242 := - c_1241 in - let c_1241 := - uint32_rotate_left (b_1240) (usize 30) in - let b_1240 := - a_1239 in - let a_1239 := - t_1245 in - (a_1239, b_1240, c_1241, d_1242, e_1243)) - (a_1239, b_1240, c_1241, d_1242, e_1243) in - let h_1235 := - array_upd h_1235 (usize 0) ((a_1239) .+ (array_index (h_1235) ( - usize 0))) in - let h_1235 := - array_upd h_1235 (usize 1) ((b_1240) .+ (array_index (h_1235) ( - usize 1))) in - let h_1235 := - array_upd h_1235 (usize 2) ((c_1241) .+ (array_index (h_1235) ( - usize 2))) in - let h_1235 := - array_upd h_1235 (usize 3) ((d_1242) .+ (array_index (h_1235) ( - usize 3))) in - let h_1235 := - array_upd h_1235 (usize 4) ((e_1243) .+ (array_index (h_1235) ( - usize 4))) in - h_1235. - -Definition hash (msg_1246 : byte_seq) : sha1_digest_t := - let h_1247 : hash_t := - hash_init_v in - let h_1247 := - foldi (usize 0) (seq_num_exact_chunks (msg_1246) ( - block_bytes_v)) (fun i_1248 h_1247 => - let raw_bytes_1249 : seq uint8 := - seq_get_exact_chunk (msg_1246) (block_bytes_v) (i_1248) in - let block_bytes_1250 : block_bytes_t := - array_from_seq (block_bytes_v) (raw_bytes_1249) in - let h_1247 := - compress (block_bytes_1250) (h_1247) in - (h_1247)) - h_1247 in - let raw_bytes_1251 : seq uint8 := - seq_get_remainder_chunk (msg_1246) (block_bytes_v) in - let block_bytes_1252 : block_bytes_t := - array_update_start (array_new_ (default : uint8) (block_bytes_v)) ( - raw_bytes_1251) in - let block_bytes_1252 := - array_upd block_bytes_1252 (seq_len (raw_bytes_1251)) (secret ( - @repr WORDSIZE8 128) : int8) in - let message_bitlength_1253 : uint64 := - secret (pub_u64 ((seq_len (msg_1246)) * (usize 8))) : int64 in - let '(h_1247, block_bytes_1252) := - if (seq_len (raw_bytes_1251)) <.? ((block_bytes_v) - ( - bitlength_bytes_v)):bool then (let block_bytes_1252 := - array_update (block_bytes_1252) ((block_bytes_v) - ( - bitlength_bytes_v)) (array_to_seq (uint64_to_be_bytes ( - message_bitlength_1253))) in - let h_1247 := - compress (block_bytes_1252) (h_1247) in - (h_1247, block_bytes_1252)) else (let h_1247 := - compress (block_bytes_1252) (h_1247) in - let pad_block_1254 : block_bytes_t := - array_new_ (default : uint8) (block_bytes_v) in - let pad_block_1254 := - array_update (pad_block_1254) ((block_bytes_v) - (bitlength_bytes_v)) ( - array_to_seq (uint64_to_be_bytes (message_bitlength_1253))) in - let h_1247 := - compress (pad_block_1254) (h_1247) in - (h_1247, block_bytes_1252)) in - array_from_seq (hash_bytes_v) (array_to_be_bytes (h_1247)). - -Definition sha1 (msg_1255 : byte_seq) : sha1_digest_t := - hash (msg_1255). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Sha256.v b/proof-libs/coq/coq/_vc/Hacspec_Sha256.v deleted file mode 100644 index 782c6f634..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Sha256.v +++ /dev/null @@ -1,305 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition block_size_v : uint_size := - usize 64. - -Definition len_size_v : uint_size := - usize 8. - -Definition k_size_v : uint_size := - usize 64. - -Definition hash_size_v : uint_size := - (usize 256) / (usize 8). - -Definition block_t := nseq (uint8) (block_size_v). - -Definition op_table_type_t := nseq (uint_size) (usize 12). - -Definition sha256_digest_t := nseq (uint8) (hash_size_v). - -Definition round_constants_table_t := nseq (uint32) (k_size_v). - -Definition hash_t := nseq (uint32) (usize 8). - -Definition ch (x_663 : uint32) (y_664 : uint32) (z_665 : uint32) : uint32 := - ((x_663) .& (y_664)) .^ ((not (x_663)) .& (z_665)). - -Definition maj (x_666 : uint32) (y_667 : uint32) (z_668 : uint32) : uint32 := - ((x_666) .& (y_667)) .^ (((x_666) .& (z_668)) .^ ((y_667) .& (z_668))). - -Definition op_table_v : op_table_type_t := - array_from_list uint_size (let l := - [ - usize 2; - usize 13; - usize 22; - usize 6; - usize 11; - usize 25; - usize 7; - usize 18; - usize 3; - usize 17; - usize 19; - usize 10 - ] in l). - -Definition k_table_v : round_constants_table_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1116352408) : int32; - secret (@repr WORDSIZE32 1899447441) : int32; - secret (@repr WORDSIZE32 3049323471) : int32; - secret (@repr WORDSIZE32 3921009573) : int32; - secret (@repr WORDSIZE32 961987163) : int32; - secret (@repr WORDSIZE32 1508970993) : int32; - secret (@repr WORDSIZE32 2453635748) : int32; - secret (@repr WORDSIZE32 2870763221) : int32; - secret (@repr WORDSIZE32 3624381080) : int32; - secret (@repr WORDSIZE32 310598401) : int32; - secret (@repr WORDSIZE32 607225278) : int32; - secret (@repr WORDSIZE32 1426881987) : int32; - secret (@repr WORDSIZE32 1925078388) : int32; - secret (@repr WORDSIZE32 2162078206) : int32; - secret (@repr WORDSIZE32 2614888103) : int32; - secret (@repr WORDSIZE32 3248222580) : int32; - secret (@repr WORDSIZE32 3835390401) : int32; - secret (@repr WORDSIZE32 4022224774) : int32; - secret (@repr WORDSIZE32 264347078) : int32; - secret (@repr WORDSIZE32 604807628) : int32; - secret (@repr WORDSIZE32 770255983) : int32; - secret (@repr WORDSIZE32 1249150122) : int32; - secret (@repr WORDSIZE32 1555081692) : int32; - secret (@repr WORDSIZE32 1996064986) : int32; - secret (@repr WORDSIZE32 2554220882) : int32; - secret (@repr WORDSIZE32 2821834349) : int32; - secret (@repr WORDSIZE32 2952996808) : int32; - secret (@repr WORDSIZE32 3210313671) : int32; - secret (@repr WORDSIZE32 3336571891) : int32; - secret (@repr WORDSIZE32 3584528711) : int32; - secret (@repr WORDSIZE32 113926993) : int32; - secret (@repr WORDSIZE32 338241895) : int32; - secret (@repr WORDSIZE32 666307205) : int32; - secret (@repr WORDSIZE32 773529912) : int32; - secret (@repr WORDSIZE32 1294757372) : int32; - secret (@repr WORDSIZE32 1396182291) : int32; - secret (@repr WORDSIZE32 1695183700) : int32; - secret (@repr WORDSIZE32 1986661051) : int32; - secret (@repr WORDSIZE32 2177026350) : int32; - secret (@repr WORDSIZE32 2456956037) : int32; - secret (@repr WORDSIZE32 2730485921) : int32; - secret (@repr WORDSIZE32 2820302411) : int32; - secret (@repr WORDSIZE32 3259730800) : int32; - secret (@repr WORDSIZE32 3345764771) : int32; - secret (@repr WORDSIZE32 3516065817) : int32; - secret (@repr WORDSIZE32 3600352804) : int32; - secret (@repr WORDSIZE32 4094571909) : int32; - secret (@repr WORDSIZE32 275423344) : int32; - secret (@repr WORDSIZE32 430227734) : int32; - secret (@repr WORDSIZE32 506948616) : int32; - secret (@repr WORDSIZE32 659060556) : int32; - secret (@repr WORDSIZE32 883997877) : int32; - secret (@repr WORDSIZE32 958139571) : int32; - secret (@repr WORDSIZE32 1322822218) : int32; - secret (@repr WORDSIZE32 1537002063) : int32; - secret (@repr WORDSIZE32 1747873779) : int32; - secret (@repr WORDSIZE32 1955562222) : int32; - secret (@repr WORDSIZE32 2024104815) : int32; - secret (@repr WORDSIZE32 2227730452) : int32; - secret (@repr WORDSIZE32 2361852424) : int32; - secret (@repr WORDSIZE32 2428436474) : int32; - secret (@repr WORDSIZE32 2756734187) : int32; - secret (@repr WORDSIZE32 3204031479) : int32; - secret (@repr WORDSIZE32 3329325298) : int32 - ] in l). - -Definition hash_init_v : hash_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1779033703) : int32; - secret (@repr WORDSIZE32 3144134277) : int32; - secret (@repr WORDSIZE32 1013904242) : int32; - secret (@repr WORDSIZE32 2773480762) : int32; - secret (@repr WORDSIZE32 1359893119) : int32; - secret (@repr WORDSIZE32 2600822924) : int32; - secret (@repr WORDSIZE32 528734635) : int32; - secret (@repr WORDSIZE32 1541459225) : int32 - ] in l). - -Definition sigma - (x_669 : uint32) - (i_670 : uint_size) - (op_671 : uint_size) - : uint32 := - let tmp_672 : uint32 := - uint32_rotate_right (x_669) (array_index (op_table_v) (((usize 3) * ( - i_670)) + (usize 2))) in - let '(tmp_672) := - if (op_671) =.? (usize 0):bool then (let tmp_672 := - (x_669) shift_right (array_index (op_table_v) (((usize 3) * (i_670)) + ( - usize 2))) in - (tmp_672)) else ((tmp_672)) in - ((uint32_rotate_right (x_669) (array_index (op_table_v) ((usize 3) * ( - i_670)))) .^ (uint32_rotate_right (x_669) (array_index ( - op_table_v) (((usize 3) * (i_670)) + (usize 1))))) .^ (tmp_672). - -Definition schedule (block_673 : block_t) : round_constants_table_t := - let b_674 : seq uint32 := - array_to_be_uint32s (block_673) in - let s_675 : round_constants_table_t := - array_new_ (default : uint32) (k_size_v) in - let s_675 := - foldi (usize 0) (k_size_v) (fun i_676 s_675 => - let '(s_675) := - if (i_676) <.? (usize 16):bool then (let s_675 := - array_upd s_675 (i_676) (seq_index (b_674) (i_676)) in - (s_675)) else (let t16_677 : uint32 := - array_index (s_675) ((i_676) - (usize 16)) in - let t15_678 : uint32 := - array_index (s_675) ((i_676) - (usize 15)) in - let t7_679 : uint32 := - array_index (s_675) ((i_676) - (usize 7)) in - let t2_680 : uint32 := - array_index (s_675) ((i_676) - (usize 2)) in - let s1_681 : uint32 := - sigma (t2_680) (usize 3) (usize 0) in - let s0_682 : uint32 := - sigma (t15_678) (usize 2) (usize 0) in - let s_675 := - array_upd s_675 (i_676) ((((s1_681) .+ (t7_679)) .+ (s0_682)) .+ ( - t16_677)) in - (s_675)) in - (s_675)) - s_675 in - s_675. - -Definition shuffle - (ws_683 : round_constants_table_t) - (hashi_684 : hash_t) - : hash_t := - let h_685 : hash_t := - hashi_684 in - let h_685 := - foldi (usize 0) (k_size_v) (fun i_686 h_685 => - let a0_687 : uint32 := - array_index (h_685) (usize 0) in - let b0_688 : uint32 := - array_index (h_685) (usize 1) in - let c0_689 : uint32 := - array_index (h_685) (usize 2) in - let d0_690 : uint32 := - array_index (h_685) (usize 3) in - let e0_691 : uint32 := - array_index (h_685) (usize 4) in - let f0_692 : uint32 := - array_index (h_685) (usize 5) in - let g0_693 : uint32 := - array_index (h_685) (usize 6) in - let h0_694 : uint32 := - array_index (h_685) (usize 7) in - let t1_695 : uint32 := - ((((h0_694) .+ (sigma (e0_691) (usize 1) (usize 1))) .+ (ch (e0_691) ( - f0_692) (g0_693))) .+ (array_index (k_table_v) (i_686))) .+ ( - array_index (ws_683) (i_686)) in - let t2_696 : uint32 := - (sigma (a0_687) (usize 0) (usize 1)) .+ (maj (a0_687) (b0_688) ( - c0_689)) in - let h_685 := - array_upd h_685 (usize 0) ((t1_695) .+ (t2_696)) in - let h_685 := - array_upd h_685 (usize 1) (a0_687) in - let h_685 := - array_upd h_685 (usize 2) (b0_688) in - let h_685 := - array_upd h_685 (usize 3) (c0_689) in - let h_685 := - array_upd h_685 (usize 4) ((d0_690) .+ (t1_695)) in - let h_685 := - array_upd h_685 (usize 5) (e0_691) in - let h_685 := - array_upd h_685 (usize 6) (f0_692) in - let h_685 := - array_upd h_685 (usize 7) (g0_693) in - (h_685)) - h_685 in - h_685. - -Definition compress (block_697 : block_t) (h_in_698 : hash_t) : hash_t := - let s_699 : round_constants_table_t := - schedule (block_697) in - let h_700 : hash_t := - shuffle (s_699) (h_in_698) in - let h_700 := - foldi (usize 0) (usize 8) (fun i_701 h_700 => - let h_700 := - array_upd h_700 (i_701) ((array_index (h_700) (i_701)) .+ (array_index ( - h_in_698) (i_701))) in - (h_700)) - h_700 in - h_700. - -Definition hash (msg_702 : byte_seq) : sha256_digest_t := - let h_703 : hash_t := - hash_init_v in - let last_block_704 : block_t := - array_new_ (default : uint8) (block_size_v) in - let last_block_len_705 : uint_size := - usize 0 in - let '(h_703, last_block_704, last_block_len_705) := - foldi (usize 0) (seq_num_chunks (msg_702) (block_size_v)) (fun i_706 '( - h_703, - last_block_704, - last_block_len_705 - ) => - let '(block_len_707, block_708) := - seq_get_chunk (msg_702) (block_size_v) (i_706) in - let '(h_703, last_block_704, last_block_len_705) := - if (block_len_707) <.? (block_size_v):bool then (let last_block_704 := - array_update_start (array_new_ (default : uint8) (block_size_v)) ( - block_708) in - let last_block_len_705 := - block_len_707 in - (h_703, last_block_704, last_block_len_705)) else ( - let compress_input_709 : block_t := - array_from_seq (block_size_v) (block_708) in - let h_703 := - compress (compress_input_709) (h_703) in - (h_703, last_block_704, last_block_len_705)) in - (h_703, last_block_704, last_block_len_705)) - (h_703, last_block_704, last_block_len_705) in - let last_block_704 := - array_upd last_block_704 (last_block_len_705) (secret ( - @repr WORDSIZE8 128) : int8) in - let len_bist_710 : uint64 := - secret (pub_u64 ((seq_len (msg_702)) * (usize 8))) : int64 in - let '(h_703, last_block_704) := - if (last_block_len_705) <.? ((block_size_v) - (len_size_v)):bool then ( - let last_block_704 := - array_update (last_block_704) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint64_to_be_bytes (len_bist_710))) in - let h_703 := - compress (last_block_704) (h_703) in - (h_703, last_block_704)) else (let pad_block_711 : block_t := - array_new_ (default : uint8) (block_size_v) in - let pad_block_711 := - array_update (pad_block_711) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint64_to_be_bytes (len_bist_710))) in - let h_703 := - compress (last_block_704) (h_703) in - let h_703 := - compress (pad_block_711) (h_703) in - (h_703, last_block_704)) in - array_from_seq (hash_size_v) (array_to_be_bytes (h_703)). - -Definition sha256 (msg_712 : byte_seq) : sha256_digest_t := - hash (msg_712). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Sha3.v b/proof-libs/coq/coq/_vc/Hacspec_Sha3.v deleted file mode 100644 index 91088d815..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Sha3.v +++ /dev/null @@ -1,357 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition rounds_v : uint_size := - usize 24. - -Definition sha3224_rate_v : uint_size := - usize 144. - -Definition sha3256_rate_v : uint_size := - usize 136. - -Definition sha3384_rate_v : uint_size := - usize 104. - -Definition sha3512_rate_v : uint_size := - usize 72. - -Definition shake128_rate_v : uint_size := - usize 168. - -Definition shake256_rate_v : uint_size := - usize 136. - -Definition state_t := nseq (uint64) (usize 25). - -Definition row_t := nseq (uint64) (usize 5). - -Definition digest224_t := nseq (uint8) (usize 28). - -Definition digest256_t := nseq (uint8) (usize 32). - -Definition digest384_t := nseq (uint8) (usize 48). - -Definition digest512_t := nseq (uint8) (usize 64). - -Definition round_constants_t := nseq (int64) (rounds_v). - -Definition rotation_constants_t := nseq (uint_size) (usize 25). - -Definition roundconstants_v : round_constants_t := - array_from_list int64 (let l := - [ - @repr WORDSIZE64 1; - @repr WORDSIZE64 32898; - @repr WORDSIZE64 9223372036854808714; - @repr WORDSIZE64 9223372039002292224; - @repr WORDSIZE64 32907; - @repr WORDSIZE64 2147483649; - @repr WORDSIZE64 9223372039002292353; - @repr WORDSIZE64 9223372036854808585; - @repr WORDSIZE64 138; - @repr WORDSIZE64 136; - @repr WORDSIZE64 2147516425; - @repr WORDSIZE64 2147483658; - @repr WORDSIZE64 2147516555; - @repr WORDSIZE64 9223372036854775947; - @repr WORDSIZE64 9223372036854808713; - @repr WORDSIZE64 9223372036854808579; - @repr WORDSIZE64 9223372036854808578; - @repr WORDSIZE64 9223372036854775936; - @repr WORDSIZE64 32778; - @repr WORDSIZE64 9223372039002259466; - @repr WORDSIZE64 9223372039002292353; - @repr WORDSIZE64 9223372036854808704; - @repr WORDSIZE64 2147483649; - @repr WORDSIZE64 9223372039002292232 - ] in l). - -Definition rotc_v : rotation_constants_t := - array_from_list uint_size (let l := - [ - usize 0; - usize 1; - usize 62; - usize 28; - usize 27; - usize 36; - usize 44; - usize 6; - usize 55; - usize 20; - usize 3; - usize 10; - usize 43; - usize 25; - usize 39; - usize 41; - usize 45; - usize 15; - usize 21; - usize 8; - usize 18; - usize 2; - usize 61; - usize 56; - usize 14 - ] in l). - -Definition pi_v : rotation_constants_t := - array_from_list uint_size (let l := - [ - usize 0; - usize 6; - usize 12; - usize 18; - usize 24; - usize 3; - usize 9; - usize 10; - usize 16; - usize 22; - usize 1; - usize 7; - usize 13; - usize 19; - usize 20; - usize 4; - usize 5; - usize 11; - usize 17; - usize 23; - usize 2; - usize 8; - usize 14; - usize 15; - usize 21 - ] in l). - -Definition theta (s_1068 : state_t) : state_t := - let b_1069 : row_t := - array_new_ (default : uint64) (5) in - let b_1069 := - foldi (usize 0) (usize 5) (fun i_1070 b_1069 => - let b_1069 := - array_upd b_1069 (i_1070) (((((array_index (s_1068) (i_1070)) .^ ( - array_index (s_1068) ((i_1070) + (usize 5)))) .^ ( - array_index (s_1068) ((i_1070) + (usize 10)))) .^ (array_index ( - s_1068) ((i_1070) + (usize 15)))) .^ (array_index (s_1068) (( - i_1070) + (usize 20)))) in - (b_1069)) - b_1069 in - let s_1068 := - foldi (usize 0) (usize 5) (fun i_1071 s_1068 => - let u_1072 : uint64 := - array_index (b_1069) (((i_1071) + (usize 1)) %% (usize 5)) in - let t_1073 : uint64 := - (array_index (b_1069) (((i_1071) + (usize 4)) %% (usize 5))) .^ ( - uint64_rotate_left (u_1072) (usize 1)) in - let s_1068 := - foldi (usize 0) (usize 5) (fun j_1074 s_1068 => - let s_1068 := - array_upd s_1068 (((usize 5) * (j_1074)) + (i_1071)) ((array_index ( - s_1068) (((usize 5) * (j_1074)) + (i_1071))) .^ (t_1073)) in - (s_1068)) - s_1068 in - (s_1068)) - s_1068 in - s_1068. - -Definition rho (s_1075 : state_t) : state_t := - let s_1075 := - foldi (usize 0) (usize 25) (fun i_1076 s_1075 => - let u_1077 : uint64 := - array_index (s_1075) (i_1076) in - let s_1075 := - array_upd s_1075 (i_1076) (uint64_rotate_left (u_1077) (array_index ( - rotc_v) (i_1076))) in - (s_1075)) - s_1075 in - s_1075. - -Definition pi (s_1078 : state_t) : state_t := - let v_1079 : state_t := - array_new_ (default : uint64) (25) in - let v_1079 := - foldi (usize 0) (usize 25) (fun i_1080 v_1079 => - let v_1079 := - array_upd v_1079 (i_1080) (array_index (s_1078) (array_index (pi_v) ( - i_1080))) in - (v_1079)) - v_1079 in - v_1079. - -Definition chi (s_1081 : state_t) : state_t := - let b_1082 : row_t := - array_new_ (default : uint64) (5) in - let '(s_1081, b_1082) := - foldi (usize 0) (usize 5) (fun i_1083 '(s_1081, b_1082) => - let b_1082 := - foldi (usize 0) (usize 5) (fun j_1084 b_1082 => - let b_1082 := - array_upd b_1082 (j_1084) (array_index (s_1081) (((usize 5) * ( - i_1083)) + (j_1084))) in - (b_1082)) - b_1082 in - let s_1081 := - foldi (usize 0) (usize 5) (fun j_1085 s_1081 => - let u_1086 : uint64 := - array_index (b_1082) (((j_1085) + (usize 1)) %% (usize 5)) in - let s_1081 := - array_upd s_1081 (((usize 5) * (i_1083)) + (j_1085)) ((array_index ( - s_1081) (((usize 5) * (i_1083)) + (j_1085))) .^ ((not ( - u_1086)) .& (array_index (b_1082) (((j_1085) + ( - usize 2)) %% (usize 5))))) in - (s_1081)) - s_1081 in - (s_1081, b_1082)) - (s_1081, b_1082) in - s_1081. - -Definition iota (s_1087 : state_t) (rndconst_1088 : int64) : state_t := - let s_1087 := - array_upd s_1087 (usize 0) ((array_index (s_1087) (usize 0)) .^ ( - uint64_classify (rndconst_1088))) in - s_1087. - -Definition keccakf1600 (s_1089 : state_t) : state_t := - let s_1089 := - foldi (usize 0) (rounds_v) (fun i_1090 s_1089 => - let s_1089 := - theta (s_1089) in - let s_1089 := - rho (s_1089) in - let s_1089 := - pi (s_1089) in - let s_1089 := - chi (s_1089) in - let s_1089 := - iota (s_1089) (array_index (roundconstants_v) (i_1090)) in - (s_1089)) - s_1089 in - s_1089. - -Definition absorb_block (s_1091 : state_t) (block_1092 : byte_seq) : state_t := - let s_1091 := - foldi (usize 0) (seq_len (block_1092)) (fun i_1093 s_1091 => - let w_1094 : uint_size := - (i_1093) usize_shift_right (@repr WORDSIZE32 3) in - let o_1095 : uint_size := - (usize 8) * ((i_1093) .& (usize 7)) in - let s_1091 := - array_upd s_1091 (w_1094) ((array_index (s_1091) (w_1094)) .^ (( - uint64_from_uint8 (seq_index (block_1092) (i_1093))) shift_left ( - o_1095))) in - (s_1091)) - s_1091 in - keccakf1600 (s_1091). - -Definition squeeze - (s_1096 : state_t) - (nbytes_1097 : uint_size) - (rate_1098 : uint_size) - : byte_seq := - let out_1099 : seq uint8 := - seq_new_ (default : uint8) (nbytes_1097) in - let '(s_1096, out_1099) := - foldi (usize 0) (nbytes_1097) (fun i_1100 '(s_1096, out_1099) => - let pos_1101 : uint_size := - (i_1100) %% (rate_1098) in - let w_1102 : uint_size := - (pos_1101) usize_shift_right (@repr WORDSIZE32 3) in - let o_1103 : uint_size := - (usize 8) * ((pos_1101) .& (usize 7)) in - let b_1104 : uint64 := - ((array_index (s_1096) (w_1102)) shift_right (o_1103)) .& ( - uint64_classify (@repr WORDSIZE64 255)) in - let out_1099 := - seq_upd out_1099 (i_1100) (uint8_from_uint64 (b_1104)) in - let '(s_1096) := - if (((i_1100) + (usize 1)) %% (rate_1098)) =.? (usize 0):bool then ( - let s_1096 := - keccakf1600 (s_1096) in - (s_1096)) else ((s_1096)) in - (s_1096, out_1099)) - (s_1096, out_1099) in - out_1099. - -Definition keccak - (rate_1105 : uint_size) - (data_1106 : byte_seq) - (p_1107 : int8) - (outbytes_1108 : uint_size) - : byte_seq := - let buf_1109 : seq uint8 := - seq_new_ (default : uint8) (rate_1105) in - let last_block_len_1110 : uint_size := - usize 0 in - let s_1111 : state_t := - array_new_ (default : uint64) (25) in - let '(buf_1109, last_block_len_1110, s_1111) := - foldi (usize 0) (seq_num_chunks (data_1106) (rate_1105)) (fun i_1112 '( - buf_1109, - last_block_len_1110, - s_1111 - ) => - let '(block_len_1113, block_1114) := - seq_get_chunk (data_1106) (rate_1105) (i_1112) in - let '(buf_1109, last_block_len_1110, s_1111) := - if (block_len_1113) =.? (rate_1105):bool then (let s_1111 := - absorb_block (s_1111) (block_1114) in - (buf_1109, last_block_len_1110, s_1111)) else (let buf_1109 := - seq_update_start (buf_1109) (block_1114) in - let last_block_len_1110 := - block_len_1113 in - (buf_1109, last_block_len_1110, s_1111)) in - (buf_1109, last_block_len_1110, s_1111)) - (buf_1109, last_block_len_1110, s_1111) in - let buf_1109 := - seq_upd buf_1109 (last_block_len_1110) (secret (p_1107) : int8) in - let buf_1109 := - seq_upd buf_1109 ((rate_1105) - (usize 1)) ((seq_index (buf_1109) (( - rate_1105) - (usize 1))) .| (secret ( - @repr WORDSIZE8 128) : int8)) in - let s_1111 := - absorb_block (s_1111) (buf_1109) in - squeeze (s_1111) (outbytes_1108) (rate_1105). - -Definition sha3224 (data_1115 : byte_seq) : digest224_t := - let t_1116 : seq uint8 := - keccak (sha3224_rate_v) (data_1115) (@repr WORDSIZE8 6) (usize 28) in - array_from_seq (28) (t_1116). - -Definition sha3256 (data_1117 : byte_seq) : digest256_t := - let t_1118 : seq uint8 := - keccak (sha3256_rate_v) (data_1117) (@repr WORDSIZE8 6) (usize 32) in - array_from_seq (32) (t_1118). - -Definition sha3384 (data_1119 : byte_seq) : digest384_t := - let t_1120 : seq uint8 := - keccak (sha3384_rate_v) (data_1119) (@repr WORDSIZE8 6) (usize 48) in - array_from_seq (48) (t_1120). - -Definition sha3512 (data_1121 : byte_seq) : digest512_t := - let t_1122 : seq uint8 := - keccak (sha3512_rate_v) (data_1121) (@repr WORDSIZE8 6) (usize 64) in - array_from_seq (64) (t_1122). - -Definition shake128 - (data_1123 : byte_seq) - (outlen_1124 : uint_size) - : byte_seq := - keccak (shake128_rate_v) (data_1123) (@repr WORDSIZE8 31) (outlen_1124). - -Definition shake256 - (data_1125 : byte_seq) - (outlen_1126 : uint_size) - : byte_seq := - keccak (shake256_rate_v) (data_1125) (@repr WORDSIZE8 31) (outlen_1126). - diff --git a/proof-libs/coq/coq/_vc/Hacspec_Sha512.v b/proof-libs/coq/coq/_vc/Hacspec_Sha512.v deleted file mode 100644 index 9e24e3f00..000000000 --- a/proof-libs/coq/coq/_vc/Hacspec_Sha512.v +++ /dev/null @@ -1,321 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition block_size_v : uint_size := - usize 128. - -Definition len_size_v : uint_size := - usize 16. - -Definition k_size_v : uint_size := - usize 80. - -Definition hash_size_v : uint_size := - (usize 512) / (usize 8). - -Definition block_t := nseq (uint8) (block_size_v). - -Definition op_table_type_t := nseq (uint_size) (usize 12). - -Definition sha512_digest_t := nseq (uint8) (hash_size_v). - -Definition round_constants_table_t := nseq (uint64) (k_size_v). - -Definition hash_t := nseq (uint64) (usize 8). - -Definition ch (x_2240 : uint64) (y_2241 : uint64) (z_2242 : uint64) : uint64 := - ((x_2240) .& (y_2241)) .^ ((not (x_2240)) .& (z_2242)). - -Definition maj (x_2243 : uint64) (y_2244 : uint64) (z_2245 : uint64) : uint64 := - ((x_2243) .& (y_2244)) .^ (((x_2243) .& (z_2245)) .^ ((y_2244) .& (z_2245))). - -Definition op_table_v : op_table_type_t := - array_from_list uint_size (let l := - [ - usize 28; - usize 34; - usize 39; - usize 14; - usize 18; - usize 41; - usize 1; - usize 8; - usize 7; - usize 19; - usize 61; - usize 6 - ] in l). - -Definition k_table_v : round_constants_table_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 4794697086780616226) : int64; - secret (@repr WORDSIZE64 8158064640168781261) : int64; - secret (@repr WORDSIZE64 13096744586834688815) : int64; - secret (@repr WORDSIZE64 16840607885511220156) : int64; - secret (@repr WORDSIZE64 4131703408338449720) : int64; - secret (@repr WORDSIZE64 6480981068601479193) : int64; - secret (@repr WORDSIZE64 10538285296894168987) : int64; - secret (@repr WORDSIZE64 12329834152419229976) : int64; - secret (@repr WORDSIZE64 15566598209576043074) : int64; - secret (@repr WORDSIZE64 1334009975649890238) : int64; - secret (@repr WORDSIZE64 2608012711638119052) : int64; - secret (@repr WORDSIZE64 6128411473006802146) : int64; - secret (@repr WORDSIZE64 8268148722764581231) : int64; - secret (@repr WORDSIZE64 9286055187155687089) : int64; - secret (@repr WORDSIZE64 11230858885718282805) : int64; - secret (@repr WORDSIZE64 13951009754708518548) : int64; - secret (@repr WORDSIZE64 16472876342353939154) : int64; - secret (@repr WORDSIZE64 17275323862435702243) : int64; - secret (@repr WORDSIZE64 1135362057144423861) : int64; - secret (@repr WORDSIZE64 2597628984639134821) : int64; - secret (@repr WORDSIZE64 3308224258029322869) : int64; - secret (@repr WORDSIZE64 5365058923640841347) : int64; - secret (@repr WORDSIZE64 6679025012923562964) : int64; - secret (@repr WORDSIZE64 8573033837759648693) : int64; - secret (@repr WORDSIZE64 10970295158949994411) : int64; - secret (@repr WORDSIZE64 12119686244451234320) : int64; - secret (@repr WORDSIZE64 12683024718118986047) : int64; - secret (@repr WORDSIZE64 13788192230050041572) : int64; - secret (@repr WORDSIZE64 14330467153632333762) : int64; - secret (@repr WORDSIZE64 15395433587784984357) : int64; - secret (@repr WORDSIZE64 489312712824947311) : int64; - secret (@repr WORDSIZE64 1452737877330783856) : int64; - secret (@repr WORDSIZE64 2861767655752347644) : int64; - secret (@repr WORDSIZE64 3322285676063803686) : int64; - secret (@repr WORDSIZE64 5560940570517711597) : int64; - secret (@repr WORDSIZE64 5996557281743188959) : int64; - secret (@repr WORDSIZE64 7280758554555802590) : int64; - secret (@repr WORDSIZE64 8532644243296465576) : int64; - secret (@repr WORDSIZE64 9350256976987008742) : int64; - secret (@repr WORDSIZE64 10552545826968843579) : int64; - secret (@repr WORDSIZE64 11727347734174303076) : int64; - secret (@repr WORDSIZE64 12113106623233404929) : int64; - secret (@repr WORDSIZE64 14000437183269869457) : int64; - secret (@repr WORDSIZE64 14369950271660146224) : int64; - secret (@repr WORDSIZE64 15101387698204529176) : int64; - secret (@repr WORDSIZE64 15463397548674623760) : int64; - secret (@repr WORDSIZE64 17586052441742319658) : int64; - secret (@repr WORDSIZE64 1182934255886127544) : int64; - secret (@repr WORDSIZE64 1847814050463011016) : int64; - secret (@repr WORDSIZE64 2177327727835720531) : int64; - secret (@repr WORDSIZE64 2830643537854262169) : int64; - secret (@repr WORDSIZE64 3796741975233480872) : int64; - secret (@repr WORDSIZE64 4115178125766777443) : int64; - secret (@repr WORDSIZE64 5681478168544905931) : int64; - secret (@repr WORDSIZE64 6601373596472566643) : int64; - secret (@repr WORDSIZE64 7507060721942968483) : int64; - secret (@repr WORDSIZE64 8399075790359081724) : int64; - secret (@repr WORDSIZE64 8693463985226723168) : int64; - secret (@repr WORDSIZE64 9568029438360202098) : int64; - secret (@repr WORDSIZE64 10144078919501101548) : int64; - secret (@repr WORDSIZE64 10430055236837252648) : int64; - secret (@repr WORDSIZE64 11840083180663258601) : int64; - secret (@repr WORDSIZE64 13761210420658862357) : int64; - secret (@repr WORDSIZE64 14299343276471374635) : int64; - secret (@repr WORDSIZE64 14566680578165727644) : int64; - secret (@repr WORDSIZE64 15097957966210449927) : int64; - secret (@repr WORDSIZE64 16922976911328602910) : int64; - secret (@repr WORDSIZE64 17689382322260857208) : int64; - secret (@repr WORDSIZE64 500013540394364858) : int64; - secret (@repr WORDSIZE64 748580250866718886) : int64; - secret (@repr WORDSIZE64 1242879168328830382) : int64; - secret (@repr WORDSIZE64 1977374033974150939) : int64; - secret (@repr WORDSIZE64 2944078676154940804) : int64; - secret (@repr WORDSIZE64 3659926193048069267) : int64; - secret (@repr WORDSIZE64 4368137639120453308) : int64; - secret (@repr WORDSIZE64 4836135668995329356) : int64; - secret (@repr WORDSIZE64 5532061633213252278) : int64; - secret (@repr WORDSIZE64 6448918945643986474) : int64; - secret (@repr WORDSIZE64 6902733635092675308) : int64; - secret (@repr WORDSIZE64 7801388544844847127) : int64 - ] in l). - -Definition hash_init_v : hash_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 7640891576956012808) : int64; - secret (@repr WORDSIZE64 13503953896175478587) : int64; - secret (@repr WORDSIZE64 4354685564936845355) : int64; - secret (@repr WORDSIZE64 11912009170470909681) : int64; - secret (@repr WORDSIZE64 5840696475078001361) : int64; - secret (@repr WORDSIZE64 11170449401992604703) : int64; - secret (@repr WORDSIZE64 2270897969802886507) : int64; - secret (@repr WORDSIZE64 6620516959819538809) : int64 - ] in l). - -Definition sigma - (x_2246 : uint64) - (i_2247 : uint_size) - (op_2248 : uint_size) - : uint64 := - let tmp_2249 : uint64 := - uint64_rotate_right (x_2246) (array_index (op_table_v) (((usize 3) * ( - i_2247)) + (usize 2))) in - let '(tmp_2249) := - if (op_2248) =.? (usize 0):bool then (let tmp_2249 := - (x_2246) shift_right (array_index (op_table_v) (((usize 3) * ( - i_2247)) + (usize 2))) in - (tmp_2249)) else ((tmp_2249)) in - ((uint64_rotate_right (x_2246) (array_index (op_table_v) ((usize 3) * ( - i_2247)))) .^ (uint64_rotate_right (x_2246) (array_index ( - op_table_v) (((usize 3) * (i_2247)) + (usize 1))))) .^ (tmp_2249). - -Definition schedule (block_2250 : block_t) : round_constants_table_t := - let b_2251 : seq uint64 := - array_to_be_uint64s (block_2250) in - let s_2252 : round_constants_table_t := - array_new_ (default : uint64) (k_size_v) in - let s_2252 := - foldi (usize 0) (k_size_v) (fun i_2253 s_2252 => - let '(s_2252) := - if (i_2253) <.? (usize 16):bool then (let s_2252 := - array_upd s_2252 (i_2253) (seq_index (b_2251) (i_2253)) in - (s_2252)) else (let t16_2254 : uint64 := - array_index (s_2252) ((i_2253) - (usize 16)) in - let t15_2255 : uint64 := - array_index (s_2252) ((i_2253) - (usize 15)) in - let t7_2256 : uint64 := - array_index (s_2252) ((i_2253) - (usize 7)) in - let t2_2257 : uint64 := - array_index (s_2252) ((i_2253) - (usize 2)) in - let s1_2258 : uint64 := - sigma (t2_2257) (usize 3) (usize 0) in - let s0_2259 : uint64 := - sigma (t15_2255) (usize 2) (usize 0) in - let s_2252 := - array_upd s_2252 (i_2253) ((((s1_2258) .+ (t7_2256)) .+ ( - s0_2259)) .+ (t16_2254)) in - (s_2252)) in - (s_2252)) - s_2252 in - s_2252. - -Definition shuffle - (ws_2260 : round_constants_table_t) - (hashi_2261 : hash_t) - : hash_t := - let h_2262 : hash_t := - hashi_2261 in - let h_2262 := - foldi (usize 0) (k_size_v) (fun i_2263 h_2262 => - let a0_2264 : uint64 := - array_index (h_2262) (usize 0) in - let b0_2265 : uint64 := - array_index (h_2262) (usize 1) in - let c0_2266 : uint64 := - array_index (h_2262) (usize 2) in - let d0_2267 : uint64 := - array_index (h_2262) (usize 3) in - let e0_2268 : uint64 := - array_index (h_2262) (usize 4) in - let f0_2269 : uint64 := - array_index (h_2262) (usize 5) in - let g0_2270 : uint64 := - array_index (h_2262) (usize 6) in - let h0_2271 : uint64 := - array_index (h_2262) (usize 7) in - let t1_2272 : uint64 := - ((((h0_2271) .+ (sigma (e0_2268) (usize 1) (usize 1))) .+ (ch ( - e0_2268) (f0_2269) (g0_2270))) .+ (array_index (k_table_v) ( - i_2263))) .+ (array_index (ws_2260) (i_2263)) in - let t2_2273 : uint64 := - (sigma (a0_2264) (usize 0) (usize 1)) .+ (maj (a0_2264) (b0_2265) ( - c0_2266)) in - let h_2262 := - array_upd h_2262 (usize 0) ((t1_2272) .+ (t2_2273)) in - let h_2262 := - array_upd h_2262 (usize 1) (a0_2264) in - let h_2262 := - array_upd h_2262 (usize 2) (b0_2265) in - let h_2262 := - array_upd h_2262 (usize 3) (c0_2266) in - let h_2262 := - array_upd h_2262 (usize 4) ((d0_2267) .+ (t1_2272)) in - let h_2262 := - array_upd h_2262 (usize 5) (e0_2268) in - let h_2262 := - array_upd h_2262 (usize 6) (f0_2269) in - let h_2262 := - array_upd h_2262 (usize 7) (g0_2270) in - (h_2262)) - h_2262 in - h_2262. - -Definition compress (block_2274 : block_t) (h_in_2275 : hash_t) : hash_t := - let s_2276 : round_constants_table_t := - schedule (block_2274) in - let h_2277 : hash_t := - shuffle (s_2276) (h_in_2275) in - let h_2277 := - foldi (usize 0) (usize 8) (fun i_2278 h_2277 => - let h_2277 := - array_upd h_2277 (i_2278) ((array_index (h_2277) (i_2278)) .+ ( - array_index (h_in_2275) (i_2278))) in - (h_2277)) - h_2277 in - h_2277. - -Definition hash (msg_2279 : byte_seq) : sha512_digest_t := - let h_2280 : hash_t := - hash_init_v in - let last_block_2281 : block_t := - array_new_ (default : uint8) (block_size_v) in - let last_block_len_2282 : uint_size := - usize 0 in - let '(h_2280, last_block_2281, last_block_len_2282) := - foldi (usize 0) (seq_num_chunks (msg_2279) (block_size_v)) (fun i_2283 '( - h_2280, - last_block_2281, - last_block_len_2282 - ) => - let '(block_len_2284, block_2285) := - seq_get_chunk (msg_2279) (block_size_v) (i_2283) in - let '(h_2280, last_block_2281, last_block_len_2282) := - if (block_len_2284) <.? (block_size_v):bool then (let last_block_2281 := - array_update_start (array_new_ (default : uint8) (block_size_v)) ( - block_2285) in - let last_block_len_2282 := - block_len_2284 in - (h_2280, last_block_2281, last_block_len_2282)) else ( - let compress_input_2286 : block_t := - array_from_seq (block_size_v) (block_2285) in - let h_2280 := - compress (compress_input_2286) (h_2280) in - (h_2280, last_block_2281, last_block_len_2282)) in - (h_2280, last_block_2281, last_block_len_2282)) - (h_2280, last_block_2281, last_block_len_2282) in - let last_block_2281 := - array_upd last_block_2281 (last_block_len_2282) (secret ( - @repr WORDSIZE8 128) : int8) in - let len_bist_2287 : uint128 := - secret (pub_u128 ((seq_len (msg_2279)) * (usize 8))) : int128 in - let '(h_2280, last_block_2281) := - if (last_block_len_2282) <.? ((block_size_v) - (len_size_v)):bool then ( - let last_block_2281 := - array_update (last_block_2281) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint128_to_be_bytes (len_bist_2287))) in - let h_2280 := - compress (last_block_2281) (h_2280) in - (h_2280, last_block_2281)) else (let pad_block_2288 : block_t := - array_new_ (default : uint8) (block_size_v) in - let pad_block_2288 := - array_update (pad_block_2288) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint128_to_be_bytes (len_bist_2287))) in - let h_2280 := - compress (last_block_2281) (h_2280) in - let h_2280 := - compress (pad_block_2288) (h_2280) in - (h_2280, last_block_2281)) in - array_from_seq (hash_size_v) (array_to_be_bytes (h_2280)). - -Definition sha512 (msg_2289 : byte_seq) : sha512_digest_t := - hash (msg_2289). - diff --git a/proof-libs/coq/coq/_vc/Pearlite_Example.v b/proof-libs/coq/coq/_vc/Pearlite_Example.v deleted file mode 100644 index 993993b23..000000000 --- a/proof-libs/coq/coq/_vc/Pearlite_Example.v +++ /dev/null @@ -1,19 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition ensure_something (x_0 : int8) (y_1 : int8) `{x_0 = y_1} : bool := - (x_0) =.? (y_1). - -Theorem ensures_ensure_something : forall result_2 (x_0 : int8) (y_1 : int8), - forall {H_0 : x_0 = y_1}, - @ensure_something x_0 y_1 H_0 = result_2 -> - ~ (result_2 = false). - Proof. Admitted. - diff --git a/proof-libs/coq/coq/_vc/Strobe.v b/proof-libs/coq/coq/_vc/Strobe.v deleted file mode 100644 index 62958a562..000000000 --- a/proof-libs/coq/coq/_vc/Strobe.v +++ /dev/null @@ -1,305 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha3. - -Definition strobe_r_v : int8 := - @repr WORDSIZE8 166. - -Definition flag_i_v : int8 := - @repr WORDSIZE8 1. - -Definition flag_a_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 1). - -Definition flag_c_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 2). - -Definition flag_m_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 4). - -Definition flag_k_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 5). - -Notation "'state_uint64_t'" := (state_t) : hacspec_scope. - -Definition state_uint8_t := nseq (uint8) (usize 200). - -Notation "'strobe_t'" := ((state_uint8_t '× int8 '× int8 '× int8 -)) : hacspec_scope. - -Definition transmute_state_to_u64 - (state_986 : state_uint8_t) - : state_uint64_t := - let new_state_987 : state_t := - array_new_ (default : uint64) (25) in - let new_state_987 := - foldi (usize 0) (array_len (new_state_987)) (fun i_988 new_state_987 => - let word_989 : uint64_word_t := - array_new_ (default : uint8) (8) in - let word_989 := - foldi (usize 0) (array_len (word_989)) (fun j_990 word_989 => - let word_989 := - array_upd word_989 (j_990) (array_index (state_986) (((i_988) * ( - usize 8)) + (j_990))) in - (word_989)) - word_989 in - let new_state_987 := - array_upd new_state_987 (i_988) (uint64_from_le_bytes (word_989)) in - (new_state_987)) - new_state_987 in - new_state_987. - -Definition transmute_state_to_u8 (state_991 : state_uint64_t) : state_uint8_t := - let new_state_992 : state_uint8_t := - array_new_ (default : uint8) (200) in - let new_state_992 := - foldi (usize 0) (array_len (state_991)) (fun i_993 new_state_992 => - let bytes_994 : seq uint8 := - uint64_to_le_bytes (array_index (state_991) (i_993)) in - let new_state_992 := - foldi (usize 0) (seq_len (bytes_994)) (fun j_995 new_state_992 => - let new_state_992 := - array_upd new_state_992 (((i_993) * (usize 8)) + (j_995)) ( - seq_index (bytes_994) (j_995)) in - (new_state_992)) - new_state_992 in - (new_state_992)) - new_state_992 in - new_state_992. - -Definition run_f (strobe_996 : strobe_t) : strobe_t := - let '(state_997, pos_998, pos_begin_999, cur_fl_1000) := - strobe_996 in - let state_997 := - array_upd state_997 (pos_998) ((array_index (state_997) (pos_998)) .^ ( - secret (pos_begin_999) : int8)) in - let state_997 := - array_upd state_997 ((pos_998) .+ (@repr WORDSIZE8 1)) ((array_index ( - state_997) ((pos_998) .+ (@repr WORDSIZE8 1))) .^ (secret ( - @repr WORDSIZE8 4) : int8)) in - let state_997 := - array_upd state_997 ((strobe_r_v) .+ (@repr WORDSIZE8 1)) ((array_index ( - state_997) ((strobe_r_v) .+ (@repr WORDSIZE8 1))) .^ (secret ( - @repr WORDSIZE8 128) : int8)) in - let state_uint64_1001 : state_t := - transmute_state_to_u64 (state_997) in - let state_997 := - transmute_state_to_u8 (keccakf1600 (state_uint64_1001)) in - let pos_998 := - @repr WORDSIZE8 0 in - let pos_begin_999 := - @repr WORDSIZE8 0 in - (state_997, pos_998, pos_begin_999, cur_fl_1000). - -Definition absorb (strobe_1002 : strobe_t) (data_1003 : seq uint8) : strobe_t := - let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := - strobe_1002 in - let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := - foldi (usize 0) (seq_len (data_1003)) (fun i_1008 '( - state_1004, - pos_1005, - pos_begin_1006, - cur_fl_1007 - ) => - let state_1004 := - array_upd state_1004 (pos_1005) ((array_index (state_1004) ( - pos_1005)) .^ (seq_index (data_1003) (i_1008))) in - let pos_1005 := - (pos_1005) .+ (@repr WORDSIZE8 1) in - let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := - if (pos_1005) =.? (strobe_r_v):bool then (let '( - s_1009, - p_1010, - pb_1011, - cf_1012 - ) := - run_f ((state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) in - let state_1004 := - s_1009 in - let pos_1005 := - p_1010 in - let pos_begin_1006 := - pb_1011 in - let cur_fl_1007 := - cf_1012 in - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) else (( - state_1004, - pos_1005, - pos_begin_1006, - cur_fl_1007 - )) in - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007) in - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007). - -Definition squeeze - (strobe_1013 : strobe_t) - (data_1014 : seq uint8) - : (strobe_t '× seq uint8) := - let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := - strobe_1013 in - let '(data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := - foldi (usize 0) (seq_len (data_1014)) (fun i_1019 '( - data_1014, - state_1015, - pos_1016, - pos_begin_1017, - cur_fl_1018 - ) => - let data_1014 := - seq_upd data_1014 (i_1019) (array_index (state_1015) (pos_1016)) in - let state_1015 := - array_upd state_1015 (pos_1016) (uint8_classify (@repr WORDSIZE8 0)) in - let pos_1016 := - (pos_1016) .+ (@repr WORDSIZE8 1) in - let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := - if (pos_1016) =.? (strobe_r_v):bool then (let '( - s_1020, - p_1021, - pb_1022, - cf_1023 - ) := - run_f (((state_1015), pos_1016, pos_begin_1017, cur_fl_1018)) in - let state_1015 := - s_1020 in - let pos_1016 := - p_1021 in - let pos_begin_1017 := - pb_1022 in - let cur_fl_1018 := - cf_1023 in - (state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) else (( - state_1015, - pos_1016, - pos_begin_1017, - cur_fl_1018 - )) in - (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) - (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) in - ((state_1015, pos_1016, pos_begin_1017, cur_fl_1018), data_1014). - -Definition begin_op - (strobe_1024 : strobe_t) - (flags_1025 : int8) - (more_1026 : bool) - : strobe_t := - let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030) := - strobe_1024 in - let ret_1031 : (state_uint8_t '× int8 '× int8 '× int8) := - (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in - let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031) := - if negb (more_1026):bool then (let old_begin_1032 : int8 := - pos_begin_1029 in - let pos_begin_1029 := - (pos_1028) .+ (@repr WORDSIZE8 1) in - let cur_fl_1030 := - flags_1025 in - let data_1033 : seq uint8 := - seq_new_ (default : uint8) (usize 2) in - let data_1033 := - seq_upd data_1033 (usize 0) (secret (old_begin_1032) : int8) in - let data_1033 := - seq_upd data_1033 (usize 1) (secret (flags_1025) : int8) in - let '(s_1034, p_1035, pb_1036, cf_1037) := - absorb ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) ( - data_1033) in - let state_1027 := - s_1034 in - let pos_1028 := - p_1035 in - let pos_begin_1029 := - pb_1036 in - let cur_fl_1030 := - cf_1037 in - let force_f_1038 : bool := - (@repr WORDSIZE8 0) !=.? ((flags_1025) .& ((flag_c_v) .| ( - flag_k_v))) in - let '(ret_1031) := - if (force_f_1038) && ((pos_1028) !=.? (@repr WORDSIZE8 0)):bool then ( - let ret_1031 := - run_f ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) in - (ret_1031)) else (let ret_1031 := - (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in - (ret_1031)) in - (state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031)) else (( - state_1027, - pos_1028, - pos_begin_1029, - cur_fl_1030, - ret_1031 - )) in - ret_1031. - -Definition new_strobe (protocol_label_1039 : seq uint8) : strobe_t := - let st_1040 : state_uint8_t := - array_new_ (default : uint8) (200) in - let st_1040 := - array_set_chunk (st_1040) (usize 6) (usize 0) ([ - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 96) : int8 - ]) in - let st_1040 := - array_set_chunk (st_1040) (usize 6) (usize 1) ([ - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 84) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 69) : int8 - ]) in - let st_1040 := - array_set_chunk (st_1040) (usize 6) (usize 2) ([ - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 48) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 50) : int8 - ]) in - let st_uint64_1041 : state_t := - transmute_state_to_u64 (st_1040) in - let st_1040 := - transmute_state_to_u8 (keccakf1600 (st_uint64_1041)) in - meta_ad ((st_1040, @repr WORDSIZE8 0, @repr WORDSIZE8 0, @repr WORDSIZE8 0)) ( - protocol_label_1039) (false). - -Definition meta_ad - (strobe_1042 : strobe_t) - (data_1043 : seq uint8) - (more_1044 : bool) - : strobe_t := - let strobe_1042 := - begin_op (strobe_1042) ((flag_m_v) .| (flag_a_v)) (more_1044) in - absorb (strobe_1042) (data_1043). - -Definition ad - (strobe_1045 : strobe_t) - (data_1046 : seq uint8) - (more_1047 : bool) - : strobe_t := - let strobe_1045 := - begin_op (strobe_1045) (flag_a_v) (more_1047) in - absorb (strobe_1045) (data_1046). - -Definition prf - (strobe_1048 : strobe_t) - (data_1049 : seq uint8) - (more_1050 : bool) - : (strobe_t '× seq uint8) := - let strobe_1048 := - begin_op (strobe_1048) (((flag_i_v) .| (flag_a_v)) .| (flag_c_v)) ( - more_1050) in - squeeze (strobe_1048) (data_1049). - diff --git a/proof-libs/coq/coq/_vc/Tls_Cryptolib.v b/proof-libs/coq/coq/_vc/Tls_Cryptolib.v deleted file mode 100644 index 0f2e2125a..000000000 --- a/proof-libs/coq/coq/_vc/Tls_Cryptolib.v +++ /dev/null @@ -1,673 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Aes. - -Require Import Hacspec_Aes128_Gcm. - -Require Import Hacspec_Chacha20. - -Require Import Hacspec_Chacha20poly1305. - -Require Import Hacspec_Curve25519. - -Require Import Hacspec_Ecdsa_P256_Sha256. - -Require Import Hacspec_Gf128. - -Require Import Hacspec_Hkdf. - -Require Import Hacspec_Hmac. - -Require Import Hacspec_P256. - -Require Import Hacspec_Poly1305. - -Require Import Hacspec_Sha256. - -Inductive crypto_error_t := -| CryptoError : crypto_error_t -| HkdfError : crypto_error_t -| InsufficientEntropy : crypto_error_t -| InvalidCert : crypto_error_t -| MacFailed : crypto_error_t -| UnsupportedAlgorithm : crypto_error_t -| VerifyFailed : crypto_error_t. - -Definition empty : byte_seq := - seq_new_ (default : uint8) (usize 0). - -Definition zeros (u_0 : uint_size) : byte_seq := - seq_new_ (default : uint8) (u_0). - -Notation "'entropy_t'" := (byte_seq) : hacspec_scope. - -Definition random_t := nseq (uint8) (usize 32). - -Notation "'dh_sk_t'" := (byte_seq) : hacspec_scope. - -Notation "'dh_pk_t'" := (byte_seq) : hacspec_scope. - -Notation "'signature_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'verification_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'mac_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'key_t'" := (byte_seq) : hacspec_scope. - -Notation "'psk_t'" := (key_t) : hacspec_scope. - -Notation "'digest_t'" := (byte_seq) : hacspec_scope. - -Notation "'hmac_t'" := (byte_seq) : hacspec_scope. - -Notation "'signature_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_iv_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_key_iv_t'" := ((aead_key_t '× aead_iv_t)) : hacspec_scope. - -Inductive named_group_t := -| X25519 : named_group_t -| Secp256r1 : named_group_t. - -Definition eqb_named_group_t (x y : named_group_t) : bool := -match x with - | X25519 => match y with | X25519=> true | _ => false end - | Secp256r1 => match y with | Secp256r1=> true | _ => false end - end. - -Definition eqb_leibniz_named_group_t (x y : named_group_t) : eqb_named_group_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_named_group_t : EqDec (named_group_t) := -Build_EqDec (named_group_t) (eqb_named_group_t) (eqb_leibniz_named_group_t). - - -Inductive hash_algorithm_t := -| SHA256 : hash_algorithm_t -| SHA384 : hash_algorithm_t. - -Definition eqb_hash_algorithm_t (x y : hash_algorithm_t) : bool := -match x with - | SHA256 => match y with | SHA256=> true | _ => false end - | SHA384 => match y with | SHA384=> true | _ => false end - end. - -Definition eqb_leibniz_hash_algorithm_t (x y : hash_algorithm_t) : eqb_hash_algorithm_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_hash_algorithm_t : EqDec (hash_algorithm_t) := -Build_EqDec (hash_algorithm_t) (eqb_hash_algorithm_t) (eqb_leibniz_hash_algorithm_t). - - -Inductive aead_algorithm_t := -| Chacha20Poly1305 : aead_algorithm_t -| Aes128Gcm : aead_algorithm_t -| Aes256Gcm : aead_algorithm_t. - -Definition eqb_aead_algorithm_t (x y : aead_algorithm_t) : bool := -match x with - | Chacha20Poly1305 => match y with | Chacha20Poly1305=> true | _ => false end - | Aes128Gcm => match y with | Aes128Gcm=> true | _ => false end - | Aes256Gcm => match y with | Aes256Gcm=> true | _ => false end - end. - -Definition eqb_leibniz_aead_algorithm_t (x y : aead_algorithm_t) : eqb_aead_algorithm_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_aead_algorithm_t : EqDec (aead_algorithm_t) := -Build_EqDec (aead_algorithm_t) (eqb_aead_algorithm_t) (eqb_leibniz_aead_algorithm_t). - - -Inductive signature_scheme_t := -| ED25519 : signature_scheme_t -| EcdsaSecp256r1Sha256 : signature_scheme_t -| RsaPssRsaSha256 : signature_scheme_t. - -Definition eqb_signature_scheme_t (x y : signature_scheme_t) : bool := -match x with - | ED25519 => match y with | ED25519=> true | _ => false end - | EcdsaSecp256r1Sha256 => - match y with - | EcdsaSecp256r1Sha256=> true - | _ => false - end - | RsaPssRsaSha256 => match y with | RsaPssRsaSha256=> true | _ => false end - end. - -Definition eqb_leibniz_signature_scheme_t (x y : signature_scheme_t) : eqb_signature_scheme_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_signature_scheme_t : EqDec (signature_scheme_t) := -Build_EqDec (signature_scheme_t) (eqb_signature_scheme_t) (eqb_leibniz_signature_scheme_t). - - -Definition hash_len (ha_1 : hash_algorithm_t) : uint_size := - match ha_1 with | SHA256 => usize 32 | SHA384 => usize 48 end. - -Definition hmac_key_len (ha_2 : hash_algorithm_t) : uint_size := - match ha_2 with | SHA256 => usize 32 | SHA384 => usize 48 end. - -Definition ae_key_len (ae_3 : aead_algorithm_t) : uint_size := - match ae_3 with - | Chacha20Poly1305 => usize 32 - | Aes128Gcm => usize 16 - | Aes256Gcm => usize 16 - end. - -Definition ae_iv_len (ae_4 : aead_algorithm_t) : uint_size := - match ae_4 with - | Chacha20Poly1305 => usize 12 - | Aes128Gcm => usize 12 - | Aes256Gcm => usize 12 - end. - -Definition dh_priv_len (gn_5 : named_group_t) : uint_size := - match gn_5 with | X25519 => usize 32 | Secp256r1 => usize 32 end. - -Definition dh_pub_len (gn_6 : named_group_t) : uint_size := - match gn_6 with | X25519 => usize 32 | Secp256r1 => usize 64 end. - -Definition zero_key (ha_7 : hash_algorithm_t) : key_t := - seq_new_ (default : uint8) (usize (hash_len (ha_7))). - -Definition secret_to_public - (group_name_8 : named_group_t) - (x_9 : dh_sk_t) - : (result dh_pk_t crypto_error_t) := - match group_name_8 with - | Secp256r1 => match p256_point_mul_base (nat_mod_from_byte_seq_be ( - x_9) : p256_scalar_t) with - | Ok ((x_10, y_11)) => @Ok dh_pk_t crypto_error_t (seq_concat ( - nat_mod_to_byte_seq_be (x_10)) (nat_mod_to_byte_seq_be (y_11))) - | Err (_) => @Err dh_pk_t crypto_error_t (CryptoError) - end - | X25519 => @Ok dh_pk_t crypto_error_t (seq_from_seq ( - array_to_seq (x25519_secret_to_public (array_from_seq (32) (x_9))))) - end. - -Definition p256_check_point_len - (p_12 : dh_pk_t) - : (result unit crypto_error_t) := - (if ((seq_len (p_12)) !=.? (usize 64)):bool then (@Err unit crypto_error_t ( - CryptoError)) else (@Ok unit crypto_error_t (tt))). - -Definition p256_ecdh - (x_13 : dh_sk_t) - (y_14 : dh_pk_t) - : (result key_t crypto_error_t) := - bind (p256_check_point_len (y_14)) (fun _ => let pk_15 : ( - p256_field_element_t '× - p256_field_element_t - ) := - ( - nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 0, usize 32 - ))) : p256_field_element_t, - nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 32, usize 64 - ))) : p256_field_element_t - ) in - match p256_point_mul (nat_mod_from_byte_seq_be (x_13) : p256_scalar_t) ( - pk_15) with - | Ok ((x_16, y_17)) => @Ok key_t crypto_error_t (seq_concat ( - nat_mod_to_byte_seq_be (x_16)) (nat_mod_to_byte_seq_be (y_17))) - | Err (_) => @Err key_t crypto_error_t (CryptoError) - end). - -Definition ecdh - (group_name_18 : named_group_t) - (x_19 : dh_sk_t) - (y_20 : dh_pk_t) - : (result key_t crypto_error_t) := - match group_name_18 with - | Secp256r1 => p256_ecdh (x_19) (y_20) - | X25519 => @Ok key_t crypto_error_t (seq_from_seq ( - array_to_seq (x25519_scalarmult (array_from_seq (32) (x_19)) ( - array_from_seq (32) (y_20))))) - end. - -Notation "'kem_scheme_t'" := (named_group_t) : hacspec_scope. - -Notation "'kem_sk_t'" := (byte_seq) : hacspec_scope. - -Notation "'kem_pk_t'" := (byte_seq) : hacspec_scope. - -Definition kem_priv_len (ks_21 : kem_scheme_t) : uint_size := - dh_priv_len (ks_21). - -Definition kem_pub_len (ks_22 : kem_scheme_t) : uint_size := - dh_pub_len (ks_22). - -Definition kem_priv_to_pub - (ks_23 : kem_scheme_t) - (sk_24 : kem_sk_t) - : (result kem_pk_t crypto_error_t) := - secret_to_public (ks_23) (sk_24). - -Definition kem_keygen_inner - (ks_25 : kem_scheme_t) - (ent_26 : entropy_t) - : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := - let sk_27 : seq uint8 := - seq_from_seq (seq_slice_range (ent_26) ((usize 0, dh_priv_len (ks_25)))) in - bind (kem_priv_to_pub (ks_25) (sk_27)) (fun pk_28 => @Ok ( - kem_sk_t '× - kem_pk_t - ) crypto_error_t ((sk_27, pk_28))). - -Definition kem_keygen - (ks_29 : kem_scheme_t) - (ent_30 : entropy_t) - : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := - (if ((seq_len (ent_30)) <.? (dh_priv_len (ks_29))):bool then (@Err ( - kem_sk_t '× - kem_pk_t - ) crypto_error_t (InsufficientEntropy)) else (kem_keygen_inner (ks_29) ( - ent_30))). - -Definition kem_encap - (ks_31 : kem_scheme_t) - (pk_32 : kem_pk_t) - (ent_33 : entropy_t) - : (result (key_t '× byte_seq) crypto_error_t) := - bind (kem_keygen (ks_31) (ent_33)) (fun '(x_34, gx_35) => bind (ecdh (ks_31) ( - x_34) (pk_32)) (fun gxy_36 => @Ok (key_t '× byte_seq) crypto_error_t (( - gxy_36, - gx_35 - )))). - -Definition kem_decap - (ks_37 : kem_scheme_t) - (ct_38 : byte_seq) - (sk_39 : kem_sk_t) - : (result key_t crypto_error_t) := - bind (ecdh (ks_37) (sk_39) (ct_38)) (fun gxy_40 => @Ok key_t crypto_error_t ( - gxy_40)). - -Definition hash - (ha_41 : hash_algorithm_t) - (payload_42 : byte_seq) - : (result digest_t crypto_error_t) := - match ha_41 with - | SHA256 => @Ok digest_t crypto_error_t (seq_from_seq (array_to_seq (sha256 ( - payload_42)))) - | SHA384 => @Err digest_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hmac_tag - (ha_43 : hash_algorithm_t) - (mk_44 : mac_key_t) - (payload_45 : byte_seq) - : (result hmac_t crypto_error_t) := - match ha_43 with - | SHA256 => @Ok hmac_t crypto_error_t (seq_from_seq (array_to_seq (hmac ( - mk_44) (payload_45)))) - | SHA384 => @Err hmac_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition check_tag_len - (a_46 : hmac_t) - (b_47 : hmac_t) - : (result unit crypto_error_t) := - (if ((seq_len (a_46)) =.? (seq_len (b_47))):bool then ( - @Ok unit crypto_error_t (tt)) else (@Err unit crypto_error_t ( - MacFailed))). - -Definition check_bytes - (a_48 : uint8) - (b_49 : uint8) - : (result unit crypto_error_t) := - (if (negb (uint8_equal (a_48) (b_49))):bool then (@Err unit crypto_error_t ( - MacFailed)) else (@Ok unit crypto_error_t (tt))). - -Definition hmac_verify - (ha_50 : hash_algorithm_t) - (mk_51 : mac_key_t) - (payload_52 : byte_seq) - (m_53 : hmac_t) - : (result unit crypto_error_t) := - bind (hmac_tag (ha_50) (mk_51) (payload_52)) (fun my_hmac_54 => bind ( - check_tag_len (m_53) (my_hmac_54)) (fun _ => bind (foldibnd (usize 0) to ( - seq_len (m_53)) for tt >> (fun i_55 'tt => - bind (check_bytes (seq_index (my_hmac_54) (i_55)) (seq_index (m_53) ( - i_55))) (fun _ => @Ok unit crypto_error_t (tt)))) (fun _ => - @Ok unit crypto_error_t (tt)))). - -Definition ec_oid_tag_t := nseq (uint8) (usize 9). - -Definition get_length_length (b_56 : byte_seq) : uint_size := - (if (((uint8_declassify (seq_index (b_56) (usize 0))) shift_right ( - usize 7)) =.? (@repr WORDSIZE8 1)):bool then ( - declassify_usize_from_uint8 ((seq_index (b_56) (usize 0)) .& (secret ( - @repr WORDSIZE8 127) : int8))) else (usize 0)). - -Definition get_length (b_57 : byte_seq) (len_58 : uint_size) : uint_size := - (@cast _ uint32 _ (declassify_u32_from_uint32 (uint32_from_be_bytes ( - array_from_slice (default : uint8) (4) (b_57) (usize 0) ( - len_58))))) usize_shift_right (((usize 4) - (len_58)) * (usize 8)). - -Definition get_short_length (b_59 : byte_seq) : uint_size := - declassify_usize_from_uint8 ((seq_index (b_59) (usize 0)) .& (secret ( - @repr WORDSIZE8 127) : int8)). - -Definition verification_key_from_cert - (cert_60 : byte_seq) - : (result verification_key_t crypto_error_t) := - let skip_61 : uint_size := - ((usize 2) + (get_length_length (seq_slice_range (cert_60) (( - usize 1, - seq_len (cert_60) - ))))) + (usize 1) in - let seq1_len_len_62 : uint_size := - get_length_length (seq_slice_range (cert_60) ((skip_61, seq_len (cert_60) - ))) in - let skip_63 : uint_size := - (skip_61) + (usize 1) in - let seq1_len_64 : uint_size := - get_length (seq_slice (cert_60) (skip_63) ((seq_len (cert_60)) - ( - skip_63))) (seq1_len_len_62) in - let seq1_65 : seq uint8 := - seq_slice_range (cert_60) (( - (skip_63) + (seq1_len_len_62), - ((skip_63) + (seq1_len_len_62)) + (seq1_len_64) - )) in - let pk_66 : seq uint8 := - seq_new_ (default : uint8) (usize 0) in - let '(seq1_65, pk_66) := - foldi (usize 0) (seq_len (seq1_65)) (fun i_67 '(seq1_65, pk_66) => - let '(seq1_65, pk_66) := - if (seq_len (seq1_65)) >.? (usize 0):bool then ( - let element_type_68 : int8 := - uint8_declassify (seq_index (seq1_65) (usize 0)) in - let seq1_65 := - seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in - let len_len_69 : uint_size := - get_length_length (seq1_65) in - let len_70 : uint_size := - get_short_length (seq1_65) in - let seq1_65 := - seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in - let '(len_70) := - if (len_len_69) !=.? (usize 0):bool then (let len_70 := - (get_length (seq1_65) (len_len_69)) + (len_len_69) in - (len_70)) else ((len_70)) in - let '(pk_66) := - if ((element_type_68) =.? (@repr WORDSIZE8 48)) && ((seq_len ( - pk_66)) =.? (usize 0)):bool then (let seq2_71 : seq uint8 := - seq_slice (seq1_65) (len_len_69) (len_70) in - let element_type_72 : int8 := - uint8_declassify (seq_index (seq2_71) (usize 0)) in - let seq2_73 : seq uint8 := - seq_slice (seq2_71) (usize 1) ((seq_len (seq2_71)) - ( - usize 1)) in - let '(pk_66) := - if (element_type_72) =.? (@repr WORDSIZE8 48):bool then ( - let len_len_74 : uint_size := - get_length_length (seq2_73) in - let '(pk_66) := - if (len_len_74) =.? (usize 0):bool then ( - let oid_len_75 : uint_size := - get_short_length (seq2_73) in - let '(pk_66) := - if (oid_len_75) >=.? (usize 9):bool then ( - let expected_76 : seq uint8 := - seq_from_seq (array_to_seq (array_from_list uint8 ( - let l := - [ - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 7) : int8; - secret (@repr WORDSIZE8 42) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 1) : int8 - ] in l))) in - let oid_77 : seq uint8 := - seq_slice (seq2_73) (usize 1) (usize 9) in - let ec_pk_oid_78 : bool := - true in - let ec_pk_oid_78 := - foldi (usize 0) (usize 9) (fun i_79 ec_pk_oid_78 => - let oid_byte_equal_80 : bool := - (uint8_declassify (seq_index (oid_77) ( - i_79))) =.? (uint8_declassify (seq_index ( - expected_76) (i_79))) in - let ec_pk_oid_78 := - (ec_pk_oid_78) && (oid_byte_equal_80) in - (ec_pk_oid_78)) - ec_pk_oid_78 in - let '(pk_66) := - if ec_pk_oid_78:bool then ( - let bit_string_81 : seq uint8 := - seq_slice (seq2_73) ((oid_len_75) + (usize 1)) ( - ((seq_len (seq2_73)) - (oid_len_75)) - ( - usize 1)) in - let '(pk_66) := - if (uint8_declassify (seq_index ( - bit_string_81) (usize 0))) =.? ( - @repr WORDSIZE8 3):bool then ( - let pk_len_82 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 1)) in - let zeroes_83 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 2)) in - let uncompressed_84 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 3)) in - let pk_66 := - seq_slice (bit_string_81) (usize 4) (( - pk_len_82) - (usize 2)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - let seq1_65 := - seq_slice (seq1_65) (len_70) ((seq_len (seq1_65)) - (len_70)) in - (seq1_65, pk_66)) else ((seq1_65, pk_66)) in - (seq1_65, pk_66)) - (seq1_65, pk_66) in - (if ((seq_len (pk_66)) =.? (usize 0)):bool then ( - @Err verification_key_t crypto_error_t (InvalidCert)) else ( - @Ok verification_key_t crypto_error_t (pk_66))). - -Definition concat_signature - (r_85 : p256_scalar_t) - (s_86 : p256_scalar_t) - : (result signature_t crypto_error_t) := - let signature_87 : seq uint8 := - seq_concat (seq_concat (seq_new_ (default : uint8) (usize 0)) ( - nat_mod_to_byte_seq_be (r_85))) (nat_mod_to_byte_seq_be (s_86)) in - @Ok signature_t crypto_error_t (signature_87). - -Definition p256_sign - (ps_88 : signature_key_t) - (payload_89 : byte_seq) - (ent_90 : entropy_t) - : (result signature_t crypto_error_t) := - let random_91 : random_t := - array_from_seq (32) (seq_slice_range (ent_90) ((usize 0, usize 32))) in - let nonce_92 : p256_scalar_t := - nat_mod_from_byte_seq_be (array_to_seq (random_91)) : p256_scalar_t in - match ecdsa_p256_sha256_sign (payload_89) (nat_mod_from_byte_seq_be ( - ps_88) : p256_scalar_t) (nonce_92) with - | Ok ((r_93, s_94)) => concat_signature (r_93) (s_94) - | Err (_) => @Err signature_t crypto_error_t (CryptoError) - end. - -Definition sign - (sa_95 : signature_scheme_t) - (ps_96 : signature_key_t) - (payload_97 : byte_seq) - (ent_98 : entropy_t) - : (result signature_t crypto_error_t) := - match sa_95 with - | EcdsaSecp256r1Sha256 => p256_sign (ps_96) (payload_97) (ent_98) - | ED25519 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) - | RsaPssRsaSha256 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition p256_verify - (pk_99 : verification_key_t) - (payload_100 : byte_seq) - (sig_101 : byte_seq) - : (result unit crypto_error_t) := - let '(pk_x_102, pk_y_103) := - ( - nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 0) ( - usize 32)) : p256_field_element_t, - nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 32) ( - usize 32)) : p256_field_element_t - ) in - let '(r_104, s_105) := - ( - nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 0) ( - usize 32)) : p256_scalar_t, - nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 32) ( - usize 32)) : p256_scalar_t - ) in - match ecdsa_p256_sha256_verify (payload_100) ((pk_x_102, pk_y_103)) (( - r_104, - s_105 - )) with - | Ok (tt) => @Ok unit crypto_error_t (tt) - | Err (_) => @Err unit crypto_error_t (VerifyFailed) - end. - -Definition verify - (sa_106 : signature_scheme_t) - (pk_107 : verification_key_t) - (payload_108 : byte_seq) - (sig_109 : byte_seq) - : (result unit crypto_error_t) := - match sa_106 with - | EcdsaSecp256r1Sha256 => p256_verify (pk_107) (payload_108) (sig_109) - | ED25519 => @Err unit crypto_error_t (UnsupportedAlgorithm) - | RsaPssRsaSha256 => @Err unit crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hkdf_extract - (ha_110 : hash_algorithm_t) - (k_111 : key_t) - (salt_112 : key_t) - : (result key_t crypto_error_t) := - match ha_110 with - | SHA256 => @Ok key_t crypto_error_t (seq_from_seq (array_to_seq (extract ( - salt_112) (k_111)))) - | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hkdf_expand - (ha_113 : hash_algorithm_t) - (k_114 : key_t) - (info_115 : byte_seq) - (len_116 : uint_size) - : (result key_t crypto_error_t) := - match ha_113 with - | SHA256 => match expand (k_114) (info_115) (len_116) with - | Ok (b_117) => @Ok key_t crypto_error_t (seq_from_seq (b_117)) - | Err (_) => @Err key_t crypto_error_t (HkdfError) - end - | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition aes128_encrypt - (k_118 : aead_key_t) - (iv_119 : aead_iv_t) - (payload_120 : byte_seq) - (ad_121 : byte_seq) - : (result byte_seq crypto_error_t) := - let '(ctxt_122, tag_123) := - encrypt_aes128 (array_from_seq (_) (k_118)) (array_from_seq (_) (iv_119)) ( - ad_121) (payload_120) in - @Ok byte_seq crypto_error_t (seq_concat (ctxt_122) (seq_from_seq ( - array_to_seq (tag_123)))). - -Definition chacha_encrypt - (k_124 : aead_key_t) - (iv_125 : aead_iv_t) - (payload_126 : byte_seq) - (ad_127 : byte_seq) - : (result byte_seq crypto_error_t) := - let '(ctxt_128, tag_129) := - chacha20_poly1305_encrypt (array_from_seq (32) (k_124)) (array_from_seq ( - 12) (iv_125)) (ad_127) (payload_126) in - @Ok byte_seq crypto_error_t (seq_concat (ctxt_128) (array_to_seq (tag_129))). - -Definition aead_encrypt - (a_130 : aead_algorithm_t) - (k_131 : aead_key_t) - (iv_132 : aead_iv_t) - (payload_133 : byte_seq) - (ad_134 : byte_seq) - : (result byte_seq crypto_error_t) := - match a_130 with - | Aes128Gcm => aes128_encrypt (k_131) (iv_132) (payload_133) (ad_134) - | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) - | Chacha20Poly1305 => chacha_encrypt (k_131) (iv_132) (payload_133) (ad_134) - end. - -Definition aes128_decrypt - (k_135 : aead_key_t) - (iv_136 : aead_iv_t) - (ciphertext_137 : byte_seq) - (ad_138 : byte_seq) - : (result byte_seq crypto_error_t) := - match decrypt_aes128 (array_from_seq (_) (k_135)) (array_from_seq (_) ( - iv_136)) (ad_138) (seq_slice_range (ciphertext_137) (( - usize 0, - (seq_len (ciphertext_137)) - (usize 16) - ))) (array_from_seq (_) (seq_slice_range (ciphertext_137) (( - (seq_len (ciphertext_137)) - (usize 16), - seq_len (ciphertext_137) - )))) with - | Ok (m_139) => @Ok byte_seq crypto_error_t (m_139) - | Err (_) => @Err byte_seq crypto_error_t (MacFailed) - end. - -Definition chacha_decrypt - (k_140 : aead_key_t) - (iv_141 : aead_iv_t) - (ciphertext_142 : byte_seq) - (ad_143 : byte_seq) - : (result byte_seq crypto_error_t) := - match chacha20_poly1305_decrypt (array_from_seq (32) (k_140)) ( - array_from_seq (12) (iv_141)) (ad_143) (seq_slice_range (ciphertext_142) (( - usize 0, - (seq_len (ciphertext_142)) - (usize 16) - ))) (array_from_seq (16) (seq_slice_range (ciphertext_142) (( - (seq_len (ciphertext_142)) - (usize 16), - seq_len (ciphertext_142) - )))) with - | Ok (ptxt_144) => @Ok byte_seq crypto_error_t (ptxt_144) - | Err (_) => @Err byte_seq crypto_error_t (MacFailed) - end. - -Definition aead_decrypt - (a_145 : aead_algorithm_t) - (k_146 : aead_key_t) - (iv_147 : aead_iv_t) - (ciphertext_148 : byte_seq) - (ad_149 : byte_seq) - : (result byte_seq crypto_error_t) := - match a_145 with - | Aes128Gcm => aes128_decrypt (k_146) (iv_147) (ciphertext_148) (ad_149) - | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) - | Chacha20Poly1305 => chacha_decrypt (k_146) (iv_147) (ciphertext_148) ( - ad_149) - end. - diff --git a/proof-libs/coq/coq/src/Hacspec_Aes.v b/proof-libs/coq/coq/src/Hacspec_Aes.v deleted file mode 100644 index b87f94a3d..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Aes.v +++ /dev/null @@ -1,720 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition blocksize_v : uint_size := - usize 16. - -Definition ivsize_v : uint_size := - usize 12. - -Definition key_length_v : uint_size := - usize 4. - -Definition rounds_v : uint_size := - usize 10. - -Definition key_schedule_length_v : uint_size := - usize 176. - -Definition iterations_v : uint_size := - usize 40. - -Definition invalid_key_expansion_index_v : int8 := - @repr WORDSIZE8 1. - -Definition block_t := nseq (uint8) (blocksize_v). - -Definition word_t := nseq (uint8) (key_length_v). - -Definition round_key_t := nseq (uint8) (blocksize_v). - -Definition aes_nonce_t := nseq (uint8) (ivsize_v). - -Definition s_box_t := nseq (uint8) (usize 256). - -Definition r_con_t := nseq (uint8) (usize 15). - -Definition bytes144_t := nseq (uint8) (usize 144). - -Definition bytes176_t := nseq (uint8) (key_schedule_length_v). - -Definition key128_t := nseq (uint8) (blocksize_v). - -Notation "'byte_seq_result_t'" := ((result byte_seq int8)) : hacspec_scope. - -Notation "'block_result_t'" := ((result block_t int8)) : hacspec_scope. - -Notation "'word_result_t'" := ((result word_t int8)) : hacspec_scope. - -Definition sbox_v : s_box_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 123) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 197) : int8; - secret (@repr WORDSIZE8 48) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 103) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 215) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 202) : int8; - secret (@repr WORDSIZE8 130) : int8; - secret (@repr WORDSIZE8 201) : int8; - secret (@repr WORDSIZE8 125) : int8; - secret (@repr WORDSIZE8 250) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 71) : int8; - secret (@repr WORDSIZE8 240) : int8; - secret (@repr WORDSIZE8 173) : int8; - secret (@repr WORDSIZE8 212) : int8; - secret (@repr WORDSIZE8 162) : int8; - secret (@repr WORDSIZE8 175) : int8; - secret (@repr WORDSIZE8 156) : int8; - secret (@repr WORDSIZE8 164) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 192) : int8; - secret (@repr WORDSIZE8 183) : int8; - secret (@repr WORDSIZE8 253) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 38) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 63) : int8; - secret (@repr WORDSIZE8 247) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 52) : int8; - secret (@repr WORDSIZE8 165) : int8; - secret (@repr WORDSIZE8 229) : int8; - secret (@repr WORDSIZE8 241) : int8; - secret (@repr WORDSIZE8 113) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 21) : int8; - secret (@repr WORDSIZE8 4) : int8; - secret (@repr WORDSIZE8 199) : int8; - secret (@repr WORDSIZE8 35) : int8; - secret (@repr WORDSIZE8 195) : int8; - secret (@repr WORDSIZE8 24) : int8; - secret (@repr WORDSIZE8 150) : int8; - secret (@repr WORDSIZE8 5) : int8; - secret (@repr WORDSIZE8 154) : int8; - secret (@repr WORDSIZE8 7) : int8; - secret (@repr WORDSIZE8 18) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 178) : int8; - secret (@repr WORDSIZE8 117) : int8; - secret (@repr WORDSIZE8 9) : int8; - secret (@repr WORDSIZE8 131) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 110) : int8; - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 214) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 41) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 132) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 252) : int8; - secret (@repr WORDSIZE8 177) : int8; - secret (@repr WORDSIZE8 91) : int8; - secret (@repr WORDSIZE8 106) : int8; - secret (@repr WORDSIZE8 203) : int8; - secret (@repr WORDSIZE8 190) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 207) : int8; - secret (@repr WORDSIZE8 208) : int8; - secret (@repr WORDSIZE8 239) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 251) : int8; - secret (@repr WORDSIZE8 67) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 133) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 249) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 80) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 159) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 163) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 143) : int8; - secret (@repr WORDSIZE8 146) : int8; - secret (@repr WORDSIZE8 157) : int8; - secret (@repr WORDSIZE8 56) : int8; - secret (@repr WORDSIZE8 245) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 218) : int8; - secret (@repr WORDSIZE8 33) : int8; - secret (@repr WORDSIZE8 16) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 243) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 205) : int8; - secret (@repr WORDSIZE8 12) : int8; - secret (@repr WORDSIZE8 19) : int8; - secret (@repr WORDSIZE8 236) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 151) : int8; - secret (@repr WORDSIZE8 68) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 196) : int8; - secret (@repr WORDSIZE8 167) : int8; - secret (@repr WORDSIZE8 126) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 93) : int8; - secret (@repr WORDSIZE8 25) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 220) : int8; - secret (@repr WORDSIZE8 34) : int8; - secret (@repr WORDSIZE8 42) : int8; - secret (@repr WORDSIZE8 144) : int8; - secret (@repr WORDSIZE8 136) : int8; - secret (@repr WORDSIZE8 70) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 184) : int8; - secret (@repr WORDSIZE8 20) : int8; - secret (@repr WORDSIZE8 222) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 11) : int8; - secret (@repr WORDSIZE8 219) : int8; - secret (@repr WORDSIZE8 224) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 73) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 36) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 211) : int8; - secret (@repr WORDSIZE8 172) : int8; - secret (@repr WORDSIZE8 98) : int8; - secret (@repr WORDSIZE8 145) : int8; - secret (@repr WORDSIZE8 149) : int8; - secret (@repr WORDSIZE8 228) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 200) : int8; - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 109) : int8; - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 213) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 169) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 86) : int8; - secret (@repr WORDSIZE8 244) : int8; - secret (@repr WORDSIZE8 234) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 122) : int8; - secret (@repr WORDSIZE8 174) : int8; - secret (@repr WORDSIZE8 8) : int8; - secret (@repr WORDSIZE8 186) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 37) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 28) : int8; - secret (@repr WORDSIZE8 166) : int8; - secret (@repr WORDSIZE8 180) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 232) : int8; - secret (@repr WORDSIZE8 221) : int8; - secret (@repr WORDSIZE8 116) : int8; - secret (@repr WORDSIZE8 31) : int8; - secret (@repr WORDSIZE8 75) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 139) : int8; - secret (@repr WORDSIZE8 138) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 181) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 14) : int8; - secret (@repr WORDSIZE8 97) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 87) : int8; - secret (@repr WORDSIZE8 185) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 225) : int8; - secret (@repr WORDSIZE8 248) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 17) : int8; - secret (@repr WORDSIZE8 105) : int8; - secret (@repr WORDSIZE8 217) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 148) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 30) : int8; - secret (@repr WORDSIZE8 135) : int8; - secret (@repr WORDSIZE8 233) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 40) : int8; - secret (@repr WORDSIZE8 223) : int8; - secret (@repr WORDSIZE8 140) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 137) : int8; - secret (@repr WORDSIZE8 13) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 230) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 84) : int8; - secret (@repr WORDSIZE8 187) : int8; - secret (@repr WORDSIZE8 22) : int8 - ] in l). - -Definition rcon_v : r_con_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 4) : int8; - secret (@repr WORDSIZE8 8) : int8; - secret (@repr WORDSIZE8 16) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 77) : int8 - ] in l). - -Definition sub_bytes (state_150 : block_t) : block_t := - let st_151 : block_t := - state_150 in - let st_151 := - foldi (usize 0) (blocksize_v) (fun i_152 st_151 => - let st_151 := - array_upd st_151 (i_152) (array_index (sbox_v) (uint8_declassify ( - array_index (state_150) (i_152)))) in - (st_151)) - st_151 in - st_151. - -Definition shift_row - (i_153 : uint_size) - (shift_154 : uint_size) - (state_155 : block_t) - : block_t := - let out_156 : block_t := - state_155 in - let out_156 := - array_upd out_156 (i_153) (array_index (state_155) ((i_153) + ((usize 4) * ( - (shift_154) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 4)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 1)) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 8)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 2)) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 12)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 3)) %% (usize 4))))) in - out_156. - -Definition shift_rows (state_157 : block_t) : block_t := - let state_158 : block_t := - shift_row (usize 1) (usize 1) (state_157) in - let state_159 : block_t := - shift_row (usize 2) (usize 2) (state_158) in - shift_row (usize 3) (usize 3) (state_159). - -Definition xtime (x_160 : uint8) : uint8 := - let x1_161 : uint8 := - (x_160) shift_left (usize 1) in - let x7_162 : uint8 := - (x_160) shift_right (usize 7) in - let x71_163 : uint8 := - (x7_162) .& (secret (@repr WORDSIZE8 1) : int8) in - let x711b_164 : uint8 := - (x71_163) .* (secret (@repr WORDSIZE8 27) : int8) in - (x1_161) .^ (x711b_164). - -Definition mix_column (c_165 : uint_size) (state_166 : block_t) : block_t := - let i0_167 : uint_size := - (usize 4) * (c_165) in - let s0_168 : uint8 := - array_index (state_166) (i0_167) in - let s1_169 : uint8 := - array_index (state_166) ((i0_167) + (usize 1)) in - let s2_170 : uint8 := - array_index (state_166) ((i0_167) + (usize 2)) in - let s3_171 : uint8 := - array_index (state_166) ((i0_167) + (usize 3)) in - let st_172 : block_t := - state_166 in - let tmp_173 : uint8 := - (((s0_168) .^ (s1_169)) .^ (s2_170)) .^ (s3_171) in - let st_172 := - array_upd st_172 (i0_167) (((s0_168) .^ (tmp_173)) .^ (xtime ((s0_168) .^ ( - s1_169)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 1)) (((s1_169) .^ (tmp_173)) .^ (xtime ( - (s1_169) .^ (s2_170)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 2)) (((s2_170) .^ (tmp_173)) .^ (xtime ( - (s2_170) .^ (s3_171)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 3)) (((s3_171) .^ (tmp_173)) .^ (xtime ( - (s3_171) .^ (s0_168)))) in - st_172. - -Definition mix_columns (state_174 : block_t) : block_t := - let state_175 : block_t := - mix_column (usize 0) (state_174) in - let state_176 : block_t := - mix_column (usize 1) (state_175) in - let state_177 : block_t := - mix_column (usize 2) (state_176) in - mix_column (usize 3) (state_177). - -Definition add_round_key - (state_178 : block_t) - (key_179 : round_key_t) - : block_t := - let out_180 : block_t := - state_178 in - let out_180 := - foldi (usize 0) (blocksize_v) (fun i_181 out_180 => - let out_180 := - array_upd out_180 (i_181) ((array_index (out_180) (i_181)) .^ ( - array_index (key_179) (i_181))) in - (out_180)) - out_180 in - out_180. - -Definition aes_enc - (state_182 : block_t) - (round_key_183 : round_key_t) - : block_t := - let state_184 : block_t := - sub_bytes (state_182) in - let state_185 : block_t := - shift_rows (state_184) in - let state_186 : block_t := - mix_columns (state_185) in - add_round_key (state_186) (round_key_183). - -Definition aes_enc_last - (state_187 : block_t) - (round_key_188 : round_key_t) - : block_t := - let state_189 : block_t := - sub_bytes (state_187) in - let state_190 : block_t := - shift_rows (state_189) in - add_round_key (state_190) (round_key_188). - -Definition rounds_aes (state_191 : block_t) (key_192 : byte_seq) : block_t := - let out_193 : block_t := - state_191 in - let out_193 := - foldi (usize 0) (seq_num_chunks (key_192) ( - blocksize_v)) (fun i_194 out_193 => - let '(_, key_block_195) := - seq_get_chunk (key_192) (blocksize_v) (i_194) in - let out_193 := - aes_enc (out_193) (array_from_seq (blocksize_v) (key_block_195)) in - (out_193)) - out_193 in - out_193. - -Definition block_cipher_aes - (input_196 : block_t) - (key_197 : byte_seq) - (nr_198 : uint_size) - : block_t := - let k0_199 : round_key_t := - array_from_slice_range (default : uint8) (blocksize_v) (key_197) (( - usize 0, - usize 16 - )) in - let k_200 : seq uint8 := - seq_from_slice_range (key_197) ((usize 16, (nr_198) * (usize 16))) in - let kn_201 : round_key_t := - array_from_slice (default : uint8) (blocksize_v) (key_197) ((nr_198) * ( - usize 16)) (usize 16) in - let state_202 : block_t := - add_round_key (input_196) (k0_199) in - let state_203 : block_t := - rounds_aes (state_202) (k_200) in - aes_enc_last (state_203) (kn_201). - -Definition rotate_word (w_204 : word_t) : word_t := - array_from_list uint8 (let l := - [ - array_index (w_204) (usize 1); - array_index (w_204) (usize 2); - array_index (w_204) (usize 3); - array_index (w_204) (usize 0) - ] in l). - -Definition slice_word (w_205 : word_t) : word_t := - array_from_list uint8 (let l := - [ - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 0))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 1))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 2))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 3))) - ] in l). - -Definition aes_keygen_assist (w_206 : word_t) (rcon_207 : uint8) : word_t := - let k_208 : word_t := - rotate_word (w_206) in - let k_208 := - slice_word (k_208) in - let k_208 := - array_upd k_208 (usize 0) ((array_index (k_208) (usize 0)) .^ ( - rcon_207)) in - k_208. - -Definition key_expansion_word - (w0_209 : word_t) - (w1_210 : word_t) - (i_211 : uint_size) - (nk_212 : uint_size) - (nr_213 : uint_size) - : word_result_t := - let k_214 : word_t := - w1_210 in - let result_215 : (result word_t int8) := - @Err word_t int8 (invalid_key_expansion_index_v) in - let '(k_214, result_215) := - if (i_211) <.? ((usize 4) * ((nr_213) + (usize 1))):bool then (let '(k_214 - ) := - if ((i_211) %% (nk_212)) =.? (usize 0):bool then (let k_214 := - aes_keygen_assist (k_214) (array_index (rcon_v) ((i_211) / ( - nk_212))) in - (k_214)) else (let '(k_214) := - if ((nk_212) >.? (usize 6)) && (((i_211) %% (nk_212)) =.? ( - usize 4)):bool then (let k_214 := - slice_word (k_214) in - (k_214)) else ((k_214)) in - (k_214)) in - let k_214 := - foldi (usize 0) (usize 4) (fun i_216 k_214 => - let k_214 := - array_upd k_214 (i_216) ((array_index (k_214) (i_216)) .^ ( - array_index (w0_209) (i_216))) in - (k_214)) - k_214 in - let result_215 := - @Ok word_t int8 (k_214) in - (k_214, result_215)) else ((k_214, result_215)) in - result_215. - -Definition key_expansion_aes - (key_217 : byte_seq) - (nk_218 : uint_size) - (nr_219 : uint_size) - (key_schedule_length_220 : uint_size) - (key_length_221 : uint_size) - (iterations_222 : uint_size) - : byte_seq_result_t := - let key_ex_223 : seq uint8 := - seq_new_ (default : uint8) (key_schedule_length_220) in - let key_ex_223 := - seq_update_start (key_ex_223) (key_217) in - let word_size_224 : uint_size := - key_length_221 in - bind (foldibnd (usize 0) to ( - iterations_222) for key_ex_223 >> (fun j_225 key_ex_223 => - let i_226 : uint_size := - (j_225) + (word_size_224) in - bind (key_expansion_word (array_from_slice (default : uint8) ( - key_length_v) (key_ex_223) ((usize 4) * ((i_226) - (word_size_224))) ( - usize 4)) (array_from_slice (default : uint8) (key_length_v) ( - key_ex_223) (((usize 4) * (i_226)) - (usize 4)) (usize 4)) (i_226) ( - nk_218) (nr_219)) (fun word_227 => let key_ex_223 := - seq_update (key_ex_223) ((usize 4) * (i_226)) ( - array_to_seq (word_227)) in - @Ok (seq uint8) int8 ((key_ex_223))))) (fun key_ex_223 => - @Ok byte_seq int8 (key_ex_223)). - -Definition aes_encrypt_block - (k_228 : byte_seq) - (input_229 : block_t) - (nk_230 : uint_size) - (nr_231 : uint_size) - (key_schedule_length_232 : uint_size) - (key_length_233 : uint_size) - (iterations_234 : uint_size) - : block_result_t := - bind (key_expansion_aes (k_228) (nk_230) (nr_231) (key_schedule_length_232) ( - key_length_233) (iterations_234)) (fun key_ex_235 => @Ok block_t int8 ( - block_cipher_aes (input_229) (key_ex_235) (nr_231))). - -Definition aes128_encrypt_block - (k_236 : key128_t) - (input_237 : block_t) - : block_t := - result_unwrap (aes_encrypt_block (seq_from_seq (array_to_seq (k_236))) ( - input_237) (key_length_v) (rounds_v) (key_schedule_length_v) ( - key_length_v) (iterations_v)). - -Definition aes_ctr_key_block - (k_238 : byte_seq) - (n_239 : aes_nonce_t) - (c_240 : uint32) - (nk_241 : uint_size) - (nr_242 : uint_size) - (key_schedule_length_243 : uint_size) - (key_length_244 : uint_size) - (iterations_245 : uint_size) - : block_result_t := - let input_246 : block_t := - array_new_ (default : uint8) (blocksize_v) in - let input_246 := - array_update (input_246) (usize 0) (array_to_seq (n_239)) in - let input_246 := - array_update (input_246) (usize 12) (array_to_seq (uint32_to_be_bytes ( - c_240))) in - aes_encrypt_block (k_238) (input_246) (nk_241) (nr_242) ( - key_schedule_length_243) (key_length_244) (iterations_245). - -Definition xor_block - (block_247 : block_t) - (key_block_248 : block_t) - : block_t := - let out_249 : block_t := - block_247 in - let out_249 := - foldi (usize 0) (blocksize_v) (fun i_250 out_249 => - let out_249 := - array_upd out_249 (i_250) ((array_index (out_249) (i_250)) .^ ( - array_index (key_block_248) (i_250))) in - (out_249)) - out_249 in - out_249. - -Definition aes_counter_mode - (key_251 : byte_seq) - (nonce_252 : aes_nonce_t) - (counter_253 : uint32) - (msg_254 : byte_seq) - (nk_255 : uint_size) - (nr_256 : uint_size) - (key_schedule_length_257 : uint_size) - (key_length_258 : uint_size) - (iterations_259 : uint_size) - : byte_seq_result_t := - let ctr_260 : uint32 := - counter_253 in - let blocks_out_261 : seq uint8 := - seq_new_ (default : uint8) (seq_len (msg_254)) in - let n_blocks_262 : uint_size := - seq_num_exact_chunks (msg_254) (blocksize_v) in - bind (foldibnd (usize 0) to (n_blocks_262) for (ctr_260, blocks_out_261 - ) >> (fun i_263 '(ctr_260, blocks_out_261) => - let msg_block_264 : seq uint8 := - seq_get_exact_chunk (msg_254) (blocksize_v) (i_263) in - bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) (nr_256) ( - key_schedule_length_257) (key_length_258) (iterations_259)) ( - fun key_block_265 => let blocks_out_261 := - seq_set_chunk (blocks_out_261) (blocksize_v) (i_263) ( - array_to_seq (xor_block (array_from_seq (blocksize_v) ( - msg_block_264)) (key_block_265))) in - let ctr_260 := - (ctr_260) .+ (secret (@repr WORDSIZE32 1) : int32) in - @Ok (uint32 '× seq uint8) int8 ((ctr_260, blocks_out_261))))) (fun '( - ctr_260, - blocks_out_261 - ) => let last_block_266 : seq uint8 := - seq_get_remainder_chunk (msg_254) (blocksize_v) in - let last_block_len_267 : uint_size := - seq_len (last_block_266) in - ifbnd (last_block_len_267) !=.? (usize 0) : bool - thenbnd (let last_block_268 : block_t := - array_update_start (array_new_ (default : uint8) (blocksize_v)) ( - last_block_266) in - bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) ( - nr_256) (key_schedule_length_257) (key_length_258) (iterations_259)) ( - fun key_block_269 => let blocks_out_261 := - seq_set_chunk (blocks_out_261) (blocksize_v) (n_blocks_262) ( - array_slice_range (xor_block (last_block_268) (key_block_269)) (( - usize 0, - last_block_len_267 - ))) in - @Ok (seq uint8) int8 ((blocks_out_261)))) - else ((blocks_out_261)) >> (fun '(blocks_out_261) => - @Ok byte_seq int8 (blocks_out_261))). - -Definition aes128_encrypt - (key_270 : key128_t) - (nonce_271 : aes_nonce_t) - (counter_272 : uint32) - (msg_273 : byte_seq) - : byte_seq := - result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_270))) ( - nonce_271) (counter_272) (msg_273) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)). - -Definition aes128_decrypt - (key_274 : key128_t) - (nonce_275 : aes_nonce_t) - (counter_276 : uint32) - (ctxt_277 : byte_seq) - : byte_seq := - result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_274))) ( - nonce_275) (counter_276) (ctxt_277) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)). - diff --git a/proof-libs/coq/coq/src/Hacspec_Aes128_Gcm.v b/proof-libs/coq/coq/src/Hacspec_Aes128_Gcm.v deleted file mode 100644 index 0d6395bc6..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Aes128_Gcm.v +++ /dev/null @@ -1,126 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Aes. - -Require Import Hacspec_Gf128. - -Notation "'aes_gcm_byte_seq_result_t'" := (( - result byte_seq int8)) : hacspec_scope. - -Definition invalid_tag_v : int8 := - @repr WORDSIZE8 1. - -Definition pad_aad_msg (aad_278 : byte_seq) (msg_279 : byte_seq) : byte_seq := - let laad_280 : uint_size := - seq_len (aad_278) in - let lmsg_281 : uint_size := - seq_len (msg_279) in - let pad_aad_282 : uint_size := - (if (((laad_280) %% (usize 16)) =.? (usize 0)):bool then (laad_280) else (( - laad_280) + ((usize 16) - ((laad_280) %% (usize 16))))) in - let pad_msg_283 : uint_size := - (if (((lmsg_281) %% (usize 16)) =.? (usize 0)):bool then (lmsg_281) else (( - lmsg_281) + ((usize 16) - ((lmsg_281) %% (usize 16))))) in - let padded_msg_284 : seq uint8 := - seq_new_ (default : uint8) (((pad_aad_282) + (pad_msg_283)) + ( - usize 16)) in - let padded_msg_284 := - seq_update (padded_msg_284) (usize 0) (aad_278) in - let padded_msg_284 := - seq_update (padded_msg_284) (pad_aad_282) (msg_279) in - let padded_msg_284 := - seq_update (padded_msg_284) ((pad_aad_282) + (pad_msg_283)) ( - array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( - laad_280)) : int64) .* (secret ( - @repr WORDSIZE64 8) : int64)))) in - let padded_msg_284 := - seq_update (padded_msg_284) (((pad_aad_282) + (pad_msg_283)) + (usize 8)) ( - array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( - lmsg_281)) : int64) .* (secret ( - @repr WORDSIZE64 8) : int64)))) in - padded_msg_284. - -Definition encrypt_aes - (key_285 : byte_seq) - (iv_286 : aes_nonce_t) - (aad_287 : byte_seq) - (msg_288 : byte_seq) - : (byte_seq '× gf128_tag_t) := - let iv0_289 : aes_nonce_t := - array_new_ (default : uint8) (_) in - let mac_key_290 : block_t := - result_unwrap (aes_ctr_key_block (key_285) (iv0_289) (secret ( - @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) in - let tag_mix_291 : block_t := - result_unwrap (aes_ctr_key_block (key_285) ((iv_286)) (secret ( - @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) in - let cipher_text_292 : seq uint8 := - aes128_encrypt (array_from_seq (_) (key_285)) (iv_286) (secret ( - @repr WORDSIZE32 2) : int32) (msg_288) in - let padded_msg_293 : seq uint8 := - pad_aad_msg (aad_287) (cipher_text_292) in - let tag_294 : gf128_tag_t := - gmac (padded_msg_293) (array_from_seq (_) (array_to_seq (mac_key_290))) in - let tag_295 : block_t := - xor_block (array_from_seq (_) (array_to_seq (tag_294))) (tag_mix_291) in - (cipher_text_292, array_from_seq (_) (array_to_seq (tag_295))). - -Definition encrypt_aes128 - (key_296 : key128_t) - (iv_297 : aes_nonce_t) - (aad_298 : byte_seq) - (msg_299 : byte_seq) - : (byte_seq '× gf128_tag_t) := - encrypt_aes (seq_from_seq (array_to_seq (key_296))) (iv_297) (aad_298) ( - msg_299). - -Definition decrypt_aes - (key_300 : byte_seq) - (iv_301 : aes_nonce_t) - (aad_302 : byte_seq) - (cipher_text_303 : byte_seq) - (tag_304 : gf128_tag_t) - : aes_gcm_byte_seq_result_t := - let iv0_305 : aes_nonce_t := - array_new_ (default : uint8) (_) in - bind (aes_ctr_key_block (key_300) (iv0_305) (secret ( - @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) (fun mac_key_306 => - bind (aes_ctr_key_block (key_300) ((iv_301)) (secret ( - @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) ( - fun tag_mix_307 => let padded_msg_308 : seq uint8 := - pad_aad_msg (aad_302) (cipher_text_303) in - let my_tag_309 : gf128_tag_t := - gmac (padded_msg_308) (array_from_seq (_) ( - array_to_seq (mac_key_306))) in - let my_tag_310 : block_t := - xor_block (array_from_seq (_) (array_to_seq (my_tag_309))) ( - tag_mix_307) in - let ptxt_311 : seq uint8 := - aes128_decrypt (array_from_seq (_) (key_300)) (iv_301) (secret ( - @repr WORDSIZE32 2) : int32) (cipher_text_303) in - (if (array_declassify_eq (my_tag_310) (array_from_seq (_) ( - array_to_seq (tag_304)))):bool then (@Ok byte_seq int8 ( - ptxt_311)) else (@Err byte_seq int8 (invalid_tag_v))))). - -Definition decrypt_aes128 - (key_312 : key128_t) - (iv_313 : aes_nonce_t) - (aad_314 : byte_seq) - (cipher_text_315 : byte_seq) - (tag_316 : gf128_tag_t) - : aes_gcm_byte_seq_result_t := - decrypt_aes (seq_from_seq (array_to_seq (key_312))) (iv_313) (aad_314) ( - cipher_text_315) (tag_316). - diff --git a/proof-libs/coq/coq/src/Hacspec_Bip_340.v b/proof-libs/coq/coq/src/Hacspec_Bip_340.v deleted file mode 100644 index 461143d44..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Bip_340.v +++ /dev/null @@ -1,530 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Inductive error_t := -| InvalidSecretKey : error_t -| InvalidNonceGenerated : error_t -| InvalidPublicKey : error_t -| InvalidXCoordinate : error_t -| InvalidSignature : error_t. - -Definition eqb_error_t (x y : error_t) : bool := -match x with - | InvalidSecretKey => match y with | InvalidSecretKey=> true | _ => false end - | InvalidNonceGenerated => - match y with - | InvalidNonceGenerated=> true - | _ => false - end - | InvalidPublicKey => match y with | InvalidPublicKey=> true | _ => false end - | InvalidXCoordinate => - match y with - | InvalidXCoordinate=> true - | _ => false - end - | InvalidSignature => match y with | InvalidSignature=> true | _ => false end - end. - -Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_error_t : EqDec (error_t) := -Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). - - -Definition field_canvas_t := nseq (int8) (32). -Definition field_element_t := - nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141. - -Definition big_integer_t := nat_mod pow2 256. - -Notation "'affine_point_t'" := ((field_element_t '× field_element_t -)) : hacspec_scope. - -Definition p_bytes32_t := nseq (int8) (usize 32). - -Inductive point_t := -| Affine : affine_point_t -> point_t -| AtInfinity : point_t. - -Definition finite (p_2555 : point_t) : (option affine_point_t) := - match p_2555 with - | Affine (p_2556) => some (p_2556) - | AtInfinity => @None affine_point_t - end. - -Definition x (p_2557 : affine_point_t) : field_element_t := - let '(x_2558, _) := - p_2557 in - x_2558. - -Definition y (p_2559 : affine_point_t) : field_element_t := - let '(_, y_2560) := - p_2559 in - y_2560. - -Definition has_even_y (p_2561 : affine_point_t) : bool := - ((y (p_2561)) rem (nat_mod_two )) =.? (nat_mod_zero ). - -Definition sqrt (y_2562 : field_element_t) : (option field_element_t) := - let p1_4_2563 : field_element_t := - nat_mod_from_public_byte_seq_be (array_from_list int8 (let l := - [ - @repr WORDSIZE8 63; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 191; - @repr WORDSIZE8 255; - @repr WORDSIZE8 255; - @repr WORDSIZE8 12 - ] in l)) in - let x_2564 : field_element_t := - nat_mod_pow_self (y_2562) (p1_4_2563) in - (if ((nat_mod_pow_self (x_2564) (nat_mod_two )) =.? (y_2562)):bool then ( - some (x_2564)) else (@None field_element_t)). - -Definition lift_x - (x_2565 : field_element_t) - : (result affine_point_t error_t) := - let one_2566 : field_element_t := - nat_mod_one in - let two_2567 : field_element_t := - nat_mod_two in - let three_2568 : field_element_t := - nat_mod_from_literal ( - 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( - @repr WORDSIZE128 3) : field_element_t in - let seven_2569 : field_element_t := - nat_mod_from_literal ( - 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( - @repr WORDSIZE128 7) : field_element_t in - let y_sq_2570 : field_element_t := - (nat_mod_pow_self (x_2565) (three_2568)) +% (seven_2569) in - bind (option_ok_or (sqrt (y_sq_2570)) (InvalidXCoordinate)) (fun y_2571 => - let '(y_2571) := - if ((y_2571) rem (two_2567)) =.? (one_2566):bool then (let y_2571 := - (nat_mod_zero ) -% (y_2571) in - (y_2571)) else ((y_2571)) in - @Ok affine_point_t error_t ((x_2565, y_2571))). - -Definition compute_lam - (p1_2572 : affine_point_t) - (p2_2573 : affine_point_t) - : field_element_t := - let three_2574 : field_element_t := - nat_mod_from_literal ( - 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F) ( - @repr WORDSIZE128 3) : field_element_t in - (if ((p1_2572) !=.? (p2_2573)):bool then (((y (p2_2573)) -% (y ( - p1_2572))) *% (nat_mod_pow_self ((x (p2_2573)) -% (x (p1_2572))) (( - nat_mod_zero ) -% (nat_mod_two )))) else ((((three_2574) *% (x ( - p1_2572))) *% (x (p1_2572))) *% (nat_mod_pow_self (( - nat_mod_two ) *% (y (p1_2572))) ((nat_mod_zero ) -% ( - nat_mod_two ))))). - -Definition point_add (p1_2575 : point_t) (p2_2576 : point_t) : point_t := - let result_2577 : point_t := - AtInfinity in - let '(result_2577) := - if option_is_none (finite (p1_2575)):bool then (let result_2577 := - p2_2576 in - (result_2577)) else (let '(result_2577) := - if option_is_none (finite (p2_2576)):bool then (let result_2577 := - p1_2575 in - (result_2577)) else (let p1_2578 : ( - field_element_t '× - field_element_t - ) := - option_unwrap (finite (p1_2575)) in - let p2_2579 : (field_element_t '× field_element_t) := - option_unwrap (finite (p2_2576)) in - let '(result_2577) := - if negb (((x (p1_2578)) =.? (x (p2_2579))) && ((y (p1_2578)) !=.? ( - y (p2_2579)))):bool then (let lam_2580 : field_element_t := - compute_lam (p1_2578) (p2_2579) in - let x3_2581 : field_element_t := - (((lam_2580) *% (lam_2580)) -% (x (p1_2578))) -% (x ( - p2_2579)) in - let result_2577 := - Affine (( - x3_2581, - ((lam_2580) *% ((x (p1_2578)) -% (x3_2581))) -% (y ( - p1_2578)) - )) in - (result_2577)) else ((result_2577)) in - (result_2577)) in - (result_2577)) in - result_2577. - -Definition point_mul (s_2582 : scalar_t) (p_2583 : point_t) : point_t := - let p_2584 : point_t := - p_2583 in - let q_2585 : point_t := - AtInfinity in - let '(p_2584, q_2585) := - foldi (usize 0) (usize 256) (fun i_2586 '(p_2584, q_2585) => - let '(q_2585) := - if nat_mod_bit (s_2582) (i_2586):bool then (let q_2585 := - point_add (q_2585) (p_2584) in - (q_2585)) else ((q_2585)) in - let p_2584 := - point_add (p_2584) (p_2584) in - (p_2584, q_2585)) - (p_2584, q_2585) in - q_2585. - -Definition point_mul_base (s_2587 : scalar_t) : point_t := - let gx_2588 : p_bytes32_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 121; - @repr WORDSIZE8 190; - @repr WORDSIZE8 102; - @repr WORDSIZE8 126; - @repr WORDSIZE8 249; - @repr WORDSIZE8 220; - @repr WORDSIZE8 187; - @repr WORDSIZE8 172; - @repr WORDSIZE8 85; - @repr WORDSIZE8 160; - @repr WORDSIZE8 98; - @repr WORDSIZE8 149; - @repr WORDSIZE8 206; - @repr WORDSIZE8 135; - @repr WORDSIZE8 11; - @repr WORDSIZE8 7; - @repr WORDSIZE8 2; - @repr WORDSIZE8 155; - @repr WORDSIZE8 252; - @repr WORDSIZE8 219; - @repr WORDSIZE8 45; - @repr WORDSIZE8 206; - @repr WORDSIZE8 40; - @repr WORDSIZE8 217; - @repr WORDSIZE8 89; - @repr WORDSIZE8 242; - @repr WORDSIZE8 129; - @repr WORDSIZE8 91; - @repr WORDSIZE8 22; - @repr WORDSIZE8 248; - @repr WORDSIZE8 23; - @repr WORDSIZE8 152 - ] in l) in - let gy_2589 : p_bytes32_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 72; - @repr WORDSIZE8 58; - @repr WORDSIZE8 218; - @repr WORDSIZE8 119; - @repr WORDSIZE8 38; - @repr WORDSIZE8 163; - @repr WORDSIZE8 196; - @repr WORDSIZE8 101; - @repr WORDSIZE8 93; - @repr WORDSIZE8 164; - @repr WORDSIZE8 251; - @repr WORDSIZE8 252; - @repr WORDSIZE8 14; - @repr WORDSIZE8 17; - @repr WORDSIZE8 8; - @repr WORDSIZE8 168; - @repr WORDSIZE8 253; - @repr WORDSIZE8 23; - @repr WORDSIZE8 180; - @repr WORDSIZE8 72; - @repr WORDSIZE8 166; - @repr WORDSIZE8 133; - @repr WORDSIZE8 84; - @repr WORDSIZE8 25; - @repr WORDSIZE8 156; - @repr WORDSIZE8 71; - @repr WORDSIZE8 208; - @repr WORDSIZE8 143; - @repr WORDSIZE8 251; - @repr WORDSIZE8 16; - @repr WORDSIZE8 212; - @repr WORDSIZE8 184 - ] in l) in - let g_2590 : point_t := - Affine (( - nat_mod_from_public_byte_seq_be (gx_2588), - nat_mod_from_public_byte_seq_be (gy_2589) - )) in - point_mul (s_2587) (g_2590). - -Definition bytes32_t := nseq (uint8) (usize 32). - -Notation "'secret_key_t'" := (bytes32_t) : hacspec_scope. - -Notation "'public_key_t'" := (bytes32_t) : hacspec_scope. - -Notation "'message_t'" := (bytes32_t) : hacspec_scope. - -Notation "'aux_rand_t'" := (bytes32_t) : hacspec_scope. - -Definition signature_t := nseq (uint8) (usize 64). - -Definition tagged_hash - (tag_2591 : public_byte_seq) - (msg_2592 : byte_seq) - : bytes32_t := - let tag_hash_2593 : seq uint8 := - array_to_be_bytes (sha256 (seq_from_public_seq (tag_2591))) in - let hash_2594 : sha256_digest_t := - sha256 (seq_concat (seq_concat (tag_hash_2593) (tag_hash_2593)) ( - msg_2592)) in - array_from_seq (32) (array_to_seq (hash_2594)). - -Definition tagged_hash_aux_prefix_t := nseq (int8) (usize 11). - -Definition bip0340_aux_v : tagged_hash_aux_prefix_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 66; - @repr WORDSIZE8 73; - @repr WORDSIZE8 80; - @repr WORDSIZE8 48; - @repr WORDSIZE8 51; - @repr WORDSIZE8 52; - @repr WORDSIZE8 48; - @repr WORDSIZE8 47; - @repr WORDSIZE8 97; - @repr WORDSIZE8 117; - @repr WORDSIZE8 120 - ] in l). - -Definition hash_aux (aux_rand_2595 : aux_rand_t) : bytes32_t := - tagged_hash (seq_from_seq (array_to_seq (bip0340_aux_v))) (seq_from_seq ( - aux_rand_2595)). - -Definition tagged_hash_nonce_prefix_t := nseq (int8) (usize 13). - -Definition bip0340_nonce_v : tagged_hash_nonce_prefix_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 66; - @repr WORDSIZE8 73; - @repr WORDSIZE8 80; - @repr WORDSIZE8 48; - @repr WORDSIZE8 51; - @repr WORDSIZE8 52; - @repr WORDSIZE8 48; - @repr WORDSIZE8 47; - @repr WORDSIZE8 110; - @repr WORDSIZE8 111; - @repr WORDSIZE8 110; - @repr WORDSIZE8 99; - @repr WORDSIZE8 101 - ] in l). - -Definition hash_nonce - (rand_2596 : bytes32_t) - (pubkey_2597 : bytes32_t) - (msg_2598 : message_t) - : bytes32_t := - let c_2599 : byte_seq := - seq_concat (seq_concat (seq_from_seq (array_to_seq (rand_2596))) ( - array_to_seq (pubkey_2597))) (msg_2598) in - tagged_hash (seq_from_seq (array_to_seq (bip0340_nonce_v))) (c_2599). - -Definition tagged_hash_challenge_prefix_t := nseq (int8) (usize 17). - -Definition bip0340_challenge_v : tagged_hash_challenge_prefix_t := - array_from_list int8 (let l := - [ - @repr WORDSIZE8 66; - @repr WORDSIZE8 73; - @repr WORDSIZE8 80; - @repr WORDSIZE8 48; - @repr WORDSIZE8 51; - @repr WORDSIZE8 52; - @repr WORDSIZE8 48; - @repr WORDSIZE8 47; - @repr WORDSIZE8 99; - @repr WORDSIZE8 104; - @repr WORDSIZE8 97; - @repr WORDSIZE8 108; - @repr WORDSIZE8 108; - @repr WORDSIZE8 101; - @repr WORDSIZE8 110; - @repr WORDSIZE8 103; - @repr WORDSIZE8 101 - ] in l). - -Definition hash_challenge - (rx_2600 : bytes32_t) - (pubkey_2601 : bytes32_t) - (msg_2602 : bytes32_t) - : bytes32_t := - let c_2603 : byte_seq := - seq_concat (seq_concat (seq_from_seq (array_to_seq (rx_2600))) ( - array_to_seq (pubkey_2601))) (array_to_seq (msg_2602)) in - tagged_hash (seq_from_seq (array_to_seq (bip0340_challenge_v))) (c_2603). - -Definition bytes_from_point (p_2604 : affine_point_t) : bytes32_t := - let '(x_2605, _) := - p_2604 in - array_from_seq (32) (nat_mod_to_byte_seq_be (x_2605)). - -Definition bytes_from_scalar (x_2606 : scalar_t) : bytes32_t := - array_from_seq (32) (nat_mod_to_byte_seq_be (x_2606)). - -Definition scalar_from_bytes (b_2607 : bytes32_t) : scalar_t := - nat_mod_from_byte_seq_be (array_to_seq (b_2607)) : scalar_t. - -Definition scalar_from_bytes_strict (b_2608 : bytes32_t) : (option scalar_t) := - let s_2609 : big_integer_t := - nat_mod_from_byte_seq_be (array_to_seq (b_2608)) : big_integer_t in - let max_scalar_2610 : big_integer_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - nat_mod_max_val )) : big_integer_t in - (if ((s_2609) >.? (max_scalar_2610)):bool then (@None scalar_t) else ( - @Some scalar_t (nat_mod_from_byte_seq_be ( - array_to_seq (b_2608)) : scalar_t))). - -Definition seckey_scalar_from_bytes (b_2611 : bytes32_t) : (option scalar_t) := - bind (scalar_from_bytes_strict (b_2611)) (fun s_2612 => (if ((s_2612) =.? ( - nat_mod_zero )):bool then (@None scalar_t) else (@Some scalar_t ( - s_2612)))). - -Definition fieldelem_from_bytes - (b_2613 : public_key_t) - : (option field_element_t) := - let s_2614 : big_integer_t := - nat_mod_from_byte_seq_be (b_2613) : big_integer_t in - let max_fe_2615 : big_integer_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - nat_mod_max_val )) : big_integer_t in - (if ((s_2614) >.? (max_fe_2615)):bool then (@None field_element_t) else ( - @Some field_element_t (nat_mod_from_byte_seq_be ( - b_2613) : field_element_t))). - -Definition xor_bytes (b0_2616 : bytes32_t) (b1_2617 : bytes32_t) : bytes32_t := - let b_2618 : seq uint8 := - seq_new_ (default : uint8) (array_len (b0_2616)) in - let b_2618 := - foldi (usize 0) (array_len (b0_2616)) (fun i_2619 b_2618 => - let b_2618 := - seq_upd b_2618 (i_2619) ((array_index (b0_2616) (i_2619)) .^ ( - array_index (b1_2617) (i_2619))) in - (b_2618)) - b_2618 in - array_from_seq (32) (b_2618). - -Notation "'pubkey_gen_result_t'" := (( - result public_key_t error_t)) : hacspec_scope. - -Definition pubkey_gen (seckey_2620 : secret_key_t) : pubkey_gen_result_t := - bind (option_ok_or (seckey_scalar_from_bytes (seckey_2620)) ( - InvalidSecretKey)) (fun d0_2621 => let p_2622 : ( - field_element_t '× - field_element_t - ) := - option_unwrap (finite (point_mul_base (d0_2621))) in - @Ok public_key_t error_t (bytes_from_point (p_2622))). - -Notation "'sign_result_t'" := ((result signature_t error_t)) : hacspec_scope. - -Definition sign - (msg_2623 : message_t) - (seckey_2624 : secret_key_t) - (aux_rand_2625 : aux_rand_t) - : sign_result_t := - bind (option_ok_or (seckey_scalar_from_bytes (seckey_2624)) ( - InvalidSecretKey)) (fun d0_2626 => let p_2627 : ( - field_element_t '× - field_element_t - ) := - option_unwrap (finite (point_mul_base (d0_2626))) in - let d_2628 : scalar_t := - (if (has_even_y (p_2627)):bool then (d0_2626) else ((nat_mod_zero ) -% ( - d0_2626))) in - let t_2629 : bytes32_t := - xor_bytes (bytes_from_scalar (d_2628)) (hash_aux (aux_rand_2625)) in - let k0_2630 : scalar_t := - scalar_from_bytes (hash_nonce (t_2629) (bytes_from_point (p_2627)) ( - msg_2623)) in - ifbnd (k0_2630) =.? (nat_mod_zero ) : bool - thenbnd (bind (@Err signature_t error_t (InvalidNonceGenerated)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let r_2631 : (field_element_t '× field_element_t) := - option_unwrap (finite (point_mul_base (k0_2630))) in - let k_2632 : scalar_t := - (if (has_even_y (r_2631)):bool then (k0_2630) else ((nat_mod_zero ) -% ( - k0_2630))) in - let e_2633 : scalar_t := - scalar_from_bytes (hash_challenge (bytes_from_point (r_2631)) ( - bytes_from_point (p_2627)) (msg_2623)) in - let sig_2634 : signature_t := - array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( - array_to_seq (bytes_from_point (r_2631)))) (usize 32) ( - array_to_seq (bytes_from_scalar ((k_2632) +% ((e_2633) *% ( - d_2628))))) in - bind (verify (msg_2623) (bytes_from_point (p_2627)) (sig_2634)) (fun _ => - @Ok signature_t error_t (sig_2634)))). - -Notation "'verification_result_t'" := ((result unit error_t)) : hacspec_scope. - -Definition verify - (msg_2635 : message_t) - (pubkey_2636 : public_key_t) - (sig_2637 : signature_t) - : verification_result_t := - bind (option_ok_or (fieldelem_from_bytes (pubkey_2636)) (InvalidPublicKey)) ( - fun p_x_2638 => bind (lift_x (p_x_2638)) (fun p_2639 => bind (option_ok_or ( - fieldelem_from_bytes (array_from_slice (default : uint8) (32) ( - array_to_seq (sig_2637)) (usize 0) (usize 32))) ( - InvalidSignature)) (fun r_2640 => bind (option_ok_or ( - scalar_from_bytes_strict (array_from_slice (default : uint8) (32) ( - array_to_seq (sig_2637)) (usize 32) (usize 32))) ( - InvalidSignature)) (fun s_2641 => let e_2642 : scalar_t := - scalar_from_bytes (hash_challenge (array_from_slice ( - default : uint8) (32) (array_to_seq (sig_2637)) (usize 0) ( - usize 32)) (bytes_from_point (p_2639)) (msg_2635)) in - bind (option_ok_or (finite (point_add (point_mul_base (s_2641)) ( - point_mul ((nat_mod_zero ) -% (e_2642)) (Affine (p_2639))))) ( - InvalidSignature)) (fun r_p_2643 => (if ((negb (has_even_y ( - r_p_2643))) || ((x (r_p_2643)) !=.? (r_2640))):bool then ( - @Err unit error_t (InvalidSignature)) else (@Ok unit error_t ( - tt)))))))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Bls12_381.v b/proof-libs/coq/coq/src/Hacspec_Bls12_381.v deleted file mode 100644 index 93170a691..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Bls12_381.v +++ /dev/null @@ -1,772 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -From QuickChick Require Import QuickChick. -Require Import QuickChickLib. -Require Import Hacspec_Lib. - -Definition fp_canvas_t := nseq (int8) (48). -Definition fp_t := - nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. -Instance show_fp_t : Show (fp_t) := Build_Show (fp_t) (fun x => show (GZnZ.val _ x)). -Definition g_fp_t : G (fp_t) := @bindGen Z (fp_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). -Instance gen_fp_t : Gen (fp_t) := Build_Gen fp_t g_fp_t. - - -Definition serialized_fp_t := nseq (uint8) (usize 48). - -Definition array_fp_t := nseq (uint64) (usize 6). - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. -Instance show_scalar_t : Show (scalar_t) := Build_Show (scalar_t) (fun x => show (GZnZ.val _ x)). -Definition g_scalar_t : G (scalar_t) := @bindGen Z (scalar_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). -Instance gen_scalar_t : Gen (scalar_t) := Build_Gen scalar_t g_scalar_t. - - -Notation "'g1_t'" := ((fp_t '× fp_t '× bool)) : hacspec_scope. -Instance show_g1_t : Show (g1_t) := -Build_Show g1_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_g1_t : G (g1_t) := -bindGen arbitrary (fun x0 : fp_t => - bindGen arbitrary (fun x1 : fp_t => - bindGen arbitrary (fun x2 : bool => - returnGen (x0,x1,x2)))). -Instance gen_g1_t : Gen (g1_t) := Build_Gen g1_t g_g1_t. - - -Notation "'fp2_t'" := ((fp_t '× fp_t)) : hacspec_scope. -Instance show_fp2_t : Show (fp2_t) := -Build_Show fp2_t (fun x => - let (x, x0) := x in - (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. -Definition g_fp2_t : G (fp2_t) := -bindGen arbitrary (fun x0 : fp_t => - bindGen arbitrary (fun x1 : fp_t => - returnGen (x0,x1))). -Instance gen_fp2_t : Gen (fp2_t) := Build_Gen fp2_t g_fp2_t. - - -Notation "'g2_t'" := ((fp2_t '× fp2_t '× bool)) : hacspec_scope. -Instance show_g2_t : Show (g2_t) := -Build_Show g2_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_g2_t : G (g2_t) := -bindGen arbitrary (fun x0 : fp2_t => - bindGen arbitrary (fun x1 : fp2_t => - bindGen arbitrary (fun x2 : bool => - returnGen (x0,x1,x2)))). -Instance gen_g2_t : Gen (g2_t) := Build_Gen g2_t g_g2_t. - - -Notation "'fp6_t'" := ((fp2_t '× fp2_t '× fp2_t)) : hacspec_scope. -Instance show_fp6_t : Show (fp6_t) := -Build_Show fp6_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_fp6_t : G (fp6_t) := -bindGen arbitrary (fun x0 : fp2_t => - bindGen arbitrary (fun x1 : fp2_t => - bindGen arbitrary (fun x2 : fp2_t => - returnGen (x0,x1,x2)))). -Instance gen_fp6_t : Gen (fp6_t) := Build_Gen fp6_t g_fp6_t. - - -Notation "'fp12_t'" := ((fp6_t '× fp6_t)) : hacspec_scope. -Instance show_fp12_t : Show (fp12_t) := -Build_Show fp12_t (fun x => - let (x, x0) := x in - (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. -Definition g_fp12_t : G (fp12_t) := -bindGen arbitrary (fun x0 : fp6_t => - bindGen arbitrary (fun x1 : fp6_t => - returnGen (x0,x1))). -Instance gen_fp12_t : Gen (fp12_t) := Build_Gen fp12_t g_fp12_t. - - -Definition fp2fromfp (n_1405 : fp_t) : fp2_t := - (n_1405, nat_mod_zero ). - -Definition fp2zero : fp2_t := - fp2fromfp (nat_mod_zero ). - -Definition fp2neg (n_1406 : fp2_t) : fp2_t := - let '(n1_1407, n2_1408) := - n_1406 in - ((nat_mod_zero ) -% (n1_1407), (nat_mod_zero ) -% (n2_1408)). - -Definition fp2add (n_1409 : fp2_t) (m_1410 : fp2_t) : fp2_t := - let '(n1_1411, n2_1412) := - n_1409 in - let '(m1_1413, m2_1414) := - m_1410 in - ((n1_1411) +% (m1_1413), (n2_1412) +% (m2_1414)). - -Definition fp2sub (n_1415 : fp2_t) (m_1416 : fp2_t) : fp2_t := - fp2add (n_1415) (fp2neg (m_1416)). - -Definition fp2mul (n_1417 : fp2_t) (m_1418 : fp2_t) : fp2_t := - let '(n1_1419, n2_1420) := - n_1417 in - let '(m1_1421, m2_1422) := - m_1418 in - let x1_1423 : fp_t := - ((n1_1419) *% (m1_1421)) -% ((n2_1420) *% (m2_1422)) in - let x2_1424 : fp_t := - ((n1_1419) *% (m2_1422)) +% ((n2_1420) *% (m1_1421)) in - (x1_1423, x2_1424). - -Definition fp2inv (n_1425 : fp2_t) : fp2_t := - let '(n1_1426, n2_1427) := - n_1425 in - let t0_1428 : fp_t := - ((n1_1426) *% (n1_1426)) +% ((n2_1427) *% (n2_1427)) in - let t1_1429 : fp_t := - nat_mod_inv (t0_1428) in - let x1_1430 : fp_t := - (n1_1426) *% (t1_1429) in - let x2_1431 : fp_t := - (nat_mod_zero ) -% ((n2_1427) *% (t1_1429)) in - (x1_1430, x2_1431). - -Definition fp2conjugate (n_1432 : fp2_t) : fp2_t := - let '(n1_1433, n2_1434) := - n_1432 in - (n1_1433, (nat_mod_zero ) -% (n2_1434)). - -Definition fp6fromfp2 (n_1435 : fp2_t) : fp6_t := - (n_1435, fp2zero , fp2zero ). - -Definition fp6zero : fp6_t := - fp6fromfp2 (fp2zero ). - -Definition fp6neg (n_1436 : fp6_t) : fp6_t := - let '(n1_1437, n2_1438, n3_1439) := - n_1436 in - ( - fp2sub (fp2zero ) (n1_1437), - fp2sub (fp2zero ) (n2_1438), - fp2sub (fp2zero ) (n3_1439) - ). - -Definition fp6add (n_1440 : fp6_t) (m_1441 : fp6_t) : fp6_t := - let '(n1_1442, n2_1443, n3_1444) := - n_1440 in - let '(m1_1445, m2_1446, m3_1447) := - m_1441 in - ( - fp2add (n1_1442) (m1_1445), - fp2add (n2_1443) (m2_1446), - fp2add (n3_1444) (m3_1447) - ). - -Definition fp6sub (n_1448 : fp6_t) (m_1449 : fp6_t) : fp6_t := - fp6add (n_1448) (fp6neg (m_1449)). - -Definition fp6mul (n_1450 : fp6_t) (m_1451 : fp6_t) : fp6_t := - let '(n1_1452, n2_1453, n3_1454) := - n_1450 in - let '(m1_1455, m2_1456, m3_1457) := - m_1451 in - let eps_1458 : (fp_t '× fp_t) := - (nat_mod_one , nat_mod_one ) in - let t1_1459 : (fp_t '× fp_t) := - fp2mul (n1_1452) (m1_1455) in - let t2_1460 : (fp_t '× fp_t) := - fp2mul (n2_1453) (m2_1456) in - let t3_1461 : (fp_t '× fp_t) := - fp2mul (n3_1454) (m3_1457) in - let t4_1462 : (fp_t '× fp_t) := - fp2mul (fp2add (n2_1453) (n3_1454)) (fp2add (m2_1456) (m3_1457)) in - let t5_1463 : (fp_t '× fp_t) := - fp2sub (fp2sub (t4_1462) (t2_1460)) (t3_1461) in - let x_1464 : (fp_t '× fp_t) := - fp2add (fp2mul (t5_1463) (eps_1458)) (t1_1459) in - let t4_1465 : (fp_t '× fp_t) := - fp2mul (fp2add (n1_1452) (n2_1453)) (fp2add (m1_1455) (m2_1456)) in - let t5_1466 : (fp_t '× fp_t) := - fp2sub (fp2sub (t4_1465) (t1_1459)) (t2_1460) in - let y_1467 : (fp_t '× fp_t) := - fp2add (t5_1466) (fp2mul (eps_1458) (t3_1461)) in - let t4_1468 : (fp_t '× fp_t) := - fp2mul (fp2add (n1_1452) (n3_1454)) (fp2add (m1_1455) (m3_1457)) in - let t5_1469 : (fp_t '× fp_t) := - fp2sub (fp2sub (t4_1468) (t1_1459)) (t3_1461) in - let z_1470 : (fp_t '× fp_t) := - fp2add (t5_1469) (t2_1460) in - (x_1464, y_1467, z_1470). - -Definition fp6inv (n_1471 : fp6_t) : fp6_t := - let '(n1_1472, n2_1473, n3_1474) := - n_1471 in - let eps_1475 : (fp_t '× fp_t) := - (nat_mod_one , nat_mod_one ) in - let t1_1476 : (fp_t '× fp_t) := - fp2mul (n1_1472) (n1_1472) in - let t2_1477 : (fp_t '× fp_t) := - fp2mul (n2_1473) (n2_1473) in - let t3_1478 : (fp_t '× fp_t) := - fp2mul (n3_1474) (n3_1474) in - let t4_1479 : (fp_t '× fp_t) := - fp2mul (n1_1472) (n2_1473) in - let t5_1480 : (fp_t '× fp_t) := - fp2mul (n1_1472) (n3_1474) in - let t6_1481 : (fp_t '× fp_t) := - fp2mul (n2_1473) (n3_1474) in - let x0_1482 : (fp_t '× fp_t) := - fp2sub (t1_1476) (fp2mul (eps_1475) (t6_1481)) in - let y0_1483 : (fp_t '× fp_t) := - fp2sub (fp2mul (eps_1475) (t3_1478)) (t4_1479) in - let z0_1484 : (fp_t '× fp_t) := - fp2sub (t2_1477) (t5_1480) in - let t0_1485 : (fp_t '× fp_t) := - fp2mul (n1_1472) (x0_1482) in - let t0_1486 : (fp_t '× fp_t) := - fp2add (t0_1485) (fp2mul (eps_1475) (fp2mul (n3_1474) (y0_1483))) in - let t0_1487 : (fp_t '× fp_t) := - fp2add (t0_1486) (fp2mul (eps_1475) (fp2mul (n2_1473) (z0_1484))) in - let t0_1488 : (fp_t '× fp_t) := - fp2inv (t0_1487) in - let x_1489 : (fp_t '× fp_t) := - fp2mul (x0_1482) (t0_1488) in - let y_1490 : (fp_t '× fp_t) := - fp2mul (y0_1483) (t0_1488) in - let z_1491 : (fp_t '× fp_t) := - fp2mul (z0_1484) (t0_1488) in - (x_1489, y_1490, z_1491). - -Definition fp12fromfp6 (n_1492 : fp6_t) : fp12_t := - (n_1492, fp6zero ). - -Definition fp12neg (n_1493 : fp12_t) : fp12_t := - let '(n1_1494, n2_1495) := - n_1493 in - (fp6sub (fp6zero ) (n1_1494), fp6sub (fp6zero ) (n2_1495)). - -Definition fp12add (n_1496 : fp12_t) (m_1497 : fp12_t) : fp12_t := - let '(n1_1498, n2_1499) := - n_1496 in - let '(m1_1500, m2_1501) := - m_1497 in - (fp6add (n1_1498) (m1_1500), fp6add (n2_1499) (m2_1501)). - -Definition fp12sub (n_1502 : fp12_t) (m_1503 : fp12_t) : fp12_t := - fp12add (n_1502) (fp12neg (m_1503)). - -Definition fp12mul (n_1504 : fp12_t) (m_1505 : fp12_t) : fp12_t := - let '(n1_1506, n2_1507) := - n_1504 in - let '(m1_1508, m2_1509) := - m_1505 in - let gamma_1510 : (fp2_t '× fp2_t '× fp2_t) := - (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in - let t1_1511 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n1_1506) (m1_1508) in - let t2_1512 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n2_1507) (m2_1509) in - let x_1513 : (fp2_t '× fp2_t '× fp2_t) := - fp6add (t1_1511) (fp6mul (t2_1512) (gamma_1510)) in - let y_1514 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (fp6add (n1_1506) (n2_1507)) (fp6add (m1_1508) (m2_1509)) in - let y_1515 : (fp2_t '× fp2_t '× fp2_t) := - fp6sub (fp6sub (y_1514) (t1_1511)) (t2_1512) in - (x_1513, y_1515). - -Definition fp12inv (n_1516 : fp12_t) : fp12_t := - let '(n1_1517, n2_1518) := - n_1516 in - let gamma_1519 : (fp2_t '× fp2_t '× fp2_t) := - (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in - let t1_1520 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n1_1517) (n1_1517) in - let t2_1521 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n2_1518) (n2_1518) in - let t1_1522 : (fp2_t '× fp2_t '× fp2_t) := - fp6sub (t1_1520) (fp6mul (gamma_1519) (t2_1521)) in - let t2_1523 : (fp2_t '× fp2_t '× fp2_t) := - fp6inv (t1_1522) in - let x_1524 : (fp2_t '× fp2_t '× fp2_t) := - fp6mul (n1_1517) (t2_1523) in - let y_1525 : (fp2_t '× fp2_t '× fp2_t) := - fp6neg (fp6mul (n2_1518) (t2_1523)) in - (x_1524, y_1525). - -Definition fp12exp (n_1526 : fp12_t) (k_1527 : scalar_t) : fp12_t := - let c_1528 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in - let c_1528 := - foldi (usize 0) (usize 256) (fun i_1529 c_1528 => - let c_1528 := - fp12mul (c_1528) (c_1528) in - let '(c_1528) := - if nat_mod_bit (k_1527) ((usize 255) - (i_1529)):bool then ( - let c_1528 := - fp12mul (c_1528) (n_1526) in - (c_1528)) else ((c_1528)) in - (c_1528)) - c_1528 in - c_1528. - -Definition fp12conjugate (n_1530 : fp12_t) : fp12_t := - let '(n1_1531, n2_1532) := - n_1530 in - (n1_1531, fp6neg (n2_1532)). - -Definition fp12zero : fp12_t := - fp12fromfp6 (fp6zero ). - -Definition g1add_a (p_1533 : g1_t) (q_1534 : g1_t) : g1_t := - let '(x1_1535, y1_1536, _) := - p_1533 in - let '(x2_1537, y2_1538, _) := - q_1534 in - let x_diff_1539 : fp_t := - (x2_1537) -% (x1_1535) in - let y_diff_1540 : fp_t := - (y2_1538) -% (y1_1536) in - let xovery_1541 : fp_t := - (y_diff_1540) *% (nat_mod_inv (x_diff_1539)) in - let x3_1542 : fp_t := - ((nat_mod_exp (xovery_1541) (@repr WORDSIZE32 2)) -% (x1_1535)) -% ( - x2_1537) in - let y3_1543 : fp_t := - ((xovery_1541) *% ((x1_1535) -% (x3_1542))) -% (y1_1536) in - (x3_1542, y3_1543, false). - -Definition g1double_a (p_1544 : g1_t) : g1_t := - let '(x1_1545, y1_1546, _) := - p_1544 in - let x12_1547 : fp_t := - nat_mod_exp (x1_1545) (@repr WORDSIZE32 2) in - let xovery_1548 : fp_t := - ((nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t) *% (x12_1547)) *% (nat_mod_inv (( - nat_mod_two ) *% (y1_1546))) in - let x3_1549 : fp_t := - (nat_mod_exp (xovery_1548) (@repr WORDSIZE32 2)) -% ((nat_mod_two ) *% ( - x1_1545)) in - let y3_1550 : fp_t := - ((xovery_1548) *% ((x1_1545) -% (x3_1549))) -% (y1_1546) in - (x3_1549, y3_1550, false). - -Definition g1double (p_1551 : g1_t) : g1_t := - let '(x1_1552, y1_1553, inf1_1554) := - p_1551 in - (if (((y1_1553) !=.? (nat_mod_zero )) && (negb (inf1_1554))):bool then ( - g1double_a (p_1551)) else ((nat_mod_zero , nat_mod_zero , true))). - -Definition g1add (p_1555 : g1_t) (q_1556 : g1_t) : g1_t := - let '(x1_1557, y1_1558, inf1_1559) := - p_1555 in - let '(x2_1560, y2_1561, inf2_1562) := - q_1556 in - (if (inf1_1559):bool then (q_1556) else ((if (inf2_1562):bool then ( - p_1555) else ((if ((p_1555) =.? (q_1556)):bool then (g1double ( - p_1555)) else ((if (negb (((x1_1557) =.? (x2_1560)) && (( - y1_1558) =.? ((nat_mod_zero ) -% ( - y2_1561))))):bool then (g1add_a (p_1555) ( - q_1556)) else ((nat_mod_zero , nat_mod_zero , true))))))))). - -Definition g1mul (m_1563 : scalar_t) (p_1564 : g1_t) : g1_t := - let t_1565 : (fp_t '× fp_t '× bool) := - (nat_mod_zero , nat_mod_zero , true) in - let t_1565 := - foldi (usize 0) (usize 256) (fun i_1566 t_1565 => - let t_1565 := - g1double (t_1565) in - let '(t_1565) := - if nat_mod_bit (m_1563) ((usize 255) - (i_1566)):bool then ( - let t_1565 := - g1add (t_1565) (p_1564) in - (t_1565)) else ((t_1565)) in - (t_1565)) - t_1565 in - t_1565. - -Definition g1neg (p_1567 : g1_t) : g1_t := - let '(x_1568, y_1569, inf_1570) := - p_1567 in - (x_1568, (nat_mod_zero ) -% (y_1569), inf_1570). - -Definition g2add_a (p_1571 : g2_t) (q_1572 : g2_t) : g2_t := - let '(x1_1573, y1_1574, _) := - p_1571 in - let '(x2_1575, y2_1576, _) := - q_1572 in - let x_diff_1577 : (fp_t '× fp_t) := - fp2sub (x2_1575) (x1_1573) in - let y_diff_1578 : (fp_t '× fp_t) := - fp2sub (y2_1576) (y1_1574) in - let xovery_1579 : (fp_t '× fp_t) := - fp2mul (y_diff_1578) (fp2inv (x_diff_1577)) in - let t1_1580 : (fp_t '× fp_t) := - fp2mul (xovery_1579) (xovery_1579) in - let t2_1581 : (fp_t '× fp_t) := - fp2sub (t1_1580) (x1_1573) in - let x3_1582 : (fp_t '× fp_t) := - fp2sub (t2_1581) (x2_1575) in - let t1_1583 : (fp_t '× fp_t) := - fp2sub (x1_1573) (x3_1582) in - let t2_1584 : (fp_t '× fp_t) := - fp2mul (xovery_1579) (t1_1583) in - let y3_1585 : (fp_t '× fp_t) := - fp2sub (t2_1584) (y1_1574) in - (x3_1582, y3_1585, false). - -Definition g2double_a (p_1586 : g2_t) : g2_t := - let '(x1_1587, y1_1588, _) := - p_1586 in - let x12_1589 : (fp_t '× fp_t) := - fp2mul (x1_1587) (x1_1587) in - let t1_1590 : (fp_t '× fp_t) := - fp2mul (fp2fromfp (nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t)) (x12_1589) in - let t2_1591 : (fp_t '× fp_t) := - fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (y1_1588)) in - let xovery_1592 : (fp_t '× fp_t) := - fp2mul (t1_1590) (t2_1591) in - let t1_1593 : (fp_t '× fp_t) := - fp2mul (xovery_1592) (xovery_1592) in - let t2_1594 : (fp_t '× fp_t) := - fp2mul (fp2fromfp (nat_mod_two )) (x1_1587) in - let x3_1595 : (fp_t '× fp_t) := - fp2sub (t1_1593) (t2_1594) in - let t1_1596 : (fp_t '× fp_t) := - fp2sub (x1_1587) (x3_1595) in - let t2_1597 : (fp_t '× fp_t) := - fp2mul (xovery_1592) (t1_1596) in - let y3_1598 : (fp_t '× fp_t) := - fp2sub (t2_1597) (y1_1588) in - (x3_1595, y3_1598, false). - -Definition g2double (p_1599 : g2_t) : g2_t := - let '(x1_1600, y1_1601, inf1_1602) := - p_1599 in - (if (((y1_1601) !=.? (fp2zero )) && (negb (inf1_1602))):bool then ( - g2double_a (p_1599)) else ((fp2zero , fp2zero , true))). - -Definition g2add (p_1603 : g2_t) (q_1604 : g2_t) : g2_t := - let '(x1_1605, y1_1606, inf1_1607) := - p_1603 in - let '(x2_1608, y2_1609, inf2_1610) := - q_1604 in - (if (inf1_1607):bool then (q_1604) else ((if (inf2_1610):bool then ( - p_1603) else ((if ((p_1603) =.? (q_1604)):bool then (g2double ( - p_1603)) else ((if (negb (((x1_1605) =.? (x2_1608)) && (( - y1_1606) =.? (fp2neg (y2_1609))))):bool then (g2add_a ( - p_1603) (q_1604)) else ((fp2zero , fp2zero , true))))))))). - -Definition g2mul (m_1611 : scalar_t) (p_1612 : g2_t) : g2_t := - let t_1613 : (fp2_t '× fp2_t '× bool) := - (fp2zero , fp2zero , true) in - let t_1613 := - foldi (usize 0) (usize 256) (fun i_1614 t_1613 => - let t_1613 := - g2double (t_1613) in - let '(t_1613) := - if nat_mod_bit (m_1611) ((usize 255) - (i_1614)):bool then ( - let t_1613 := - g2add (t_1613) (p_1612) in - (t_1613)) else ((t_1613)) in - (t_1613)) - t_1613 in - t_1613. - -Definition g2neg (p_1615 : g2_t) : g2_t := - let '(x_1616, y_1617, inf_1618) := - p_1615 in - (x_1616, fp2neg (y_1617), inf_1618). - -Definition twist (p_1619 : g1_t) : (fp12_t '× fp12_t) := - let '(p0_1620, p1_1621, _) := - p_1619 in - let x_1622 : ((fp2_t '× fp2_t '× fp2_t) '× fp6_t) := - ((fp2zero , fp2fromfp (p0_1620), fp2zero ), fp6zero ) in - let y_1623 : (fp6_t '× (fp2_t '× fp2_t '× fp2_t)) := - (fp6zero , (fp2zero , fp2fromfp (p1_1621), fp2zero )) in - (x_1622, y_1623). - -Definition line_double_p (r_1624 : g2_t) (p_1625 : g1_t) : fp12_t := - let '(r0_1626, r1_1627, _) := - r_1624 in - let a_1628 : (fp_t '× fp_t) := - fp2mul (fp2fromfp (nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t)) (fp2mul (r0_1626) (r0_1626)) in - let a_1629 : (fp_t '× fp_t) := - fp2mul (a_1628) (fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (r1_1627))) in - let b_1630 : (fp_t '× fp_t) := - fp2sub (r1_1627) (fp2mul (a_1629) (r0_1626)) in - let a_1631 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (a_1629)) in - let b_1632 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (b_1630)) in - let '(x_1633, y_1634) := - twist (p_1625) in - fp12neg (fp12sub (fp12sub (y_1634) (fp12mul (a_1631) (x_1633))) (b_1632)). - -Definition line_add_p - (r_1635 : g2_t) - (q_1636 : g2_t) - (p_1637 : g1_t) - : fp12_t := - let '(r0_1638, r1_1639, _) := - r_1635 in - let '(q0_1640, q1_1641, _) := - q_1636 in - let a_1642 : (fp_t '× fp_t) := - fp2mul (fp2sub (q1_1641) (r1_1639)) (fp2inv (fp2sub (q0_1640) ( - r0_1638))) in - let b_1643 : (fp_t '× fp_t) := - fp2sub (r1_1639) (fp2mul (a_1642) (r0_1638)) in - let a_1644 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (a_1642)) in - let b_1645 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (b_1643)) in - let '(x_1646, y_1647) := - twist (p_1637) in - fp12neg (fp12sub (fp12sub (y_1647) (fp12mul (a_1644) (x_1646))) (b_1645)). - -Definition frobenius (f_1648 : fp12_t) : fp12_t := - let '((g0_1649, g1_1650, g2_1651), (h0_1652, h1_1653, h2_1654)) := - f_1648 in - let t1_1655 : (fp_t '× fp_t) := - fp2conjugate (g0_1649) in - let t2_1656 : (fp_t '× fp_t) := - fp2conjugate (h0_1652) in - let t3_1657 : (fp_t '× fp_t) := - fp2conjugate (g1_1650) in - let t4_1658 : (fp_t '× fp_t) := - fp2conjugate (h1_1653) in - let t5_1659 : (fp_t '× fp_t) := - fp2conjugate (g2_1651) in - let t6_1660 : (fp_t '× fp_t) := - fp2conjugate (h2_1654) in - let c1_1661 : array_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 10162220747404304312) : int64; - secret (@repr WORDSIZE64 17761815663483519293) : int64; - secret (@repr WORDSIZE64 8873291758750579140) : int64; - secret (@repr WORDSIZE64 1141103941765652303) : int64; - secret (@repr WORDSIZE64 13993175198059990303) : int64; - secret (@repr WORDSIZE64 1802798568193066599) : int64 - ] in l) in - let c1_1662 : seq uint8 := - array_to_le_bytes (c1_1661) in - let c1_1663 : fp_t := - nat_mod_from_byte_seq_le (c1_1662) : fp_t in - let c2_1664 : array_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 3240210268673559283) : int64; - secret (@repr WORDSIZE64 2895069921743240898) : int64; - secret (@repr WORDSIZE64 17009126888523054175) : int64; - secret (@repr WORDSIZE64 6098234018649060207) : int64; - secret (@repr WORDSIZE64 9865672654120263608) : int64; - secret (@repr WORDSIZE64 71000049454473266) : int64 - ] in l) in - let c2_1665 : seq uint8 := - array_to_le_bytes (c2_1664) in - let c2_1666 : fp_t := - nat_mod_from_byte_seq_le (c2_1665) : fp_t in - let gamma11_1667 : (fp_t '× fp_t) := - (c1_1663, c2_1666) in - let gamma12_1668 : (fp_t '× fp_t) := - fp2mul (gamma11_1667) (gamma11_1667) in - let gamma13_1669 : (fp_t '× fp_t) := - fp2mul (gamma12_1668) (gamma11_1667) in - let gamma14_1670 : (fp_t '× fp_t) := - fp2mul (gamma13_1669) (gamma11_1667) in - let gamma15_1671 : (fp_t '× fp_t) := - fp2mul (gamma14_1670) (gamma11_1667) in - let t2_1672 : (fp_t '× fp_t) := - fp2mul (t2_1656) (gamma11_1667) in - let t3_1673 : (fp_t '× fp_t) := - fp2mul (t3_1657) (gamma12_1668) in - let t4_1674 : (fp_t '× fp_t) := - fp2mul (t4_1658) (gamma13_1669) in - let t5_1675 : (fp_t '× fp_t) := - fp2mul (t5_1659) (gamma14_1670) in - let t6_1676 : (fp_t '× fp_t) := - fp2mul (t6_1660) (gamma15_1671) in - ((t1_1655, t3_1673, t5_1675), (t2_1672, t4_1674, t6_1676)). - -Definition final_exponentiation (f_1677 : fp12_t) : fp12_t := - let fp6_1678 : (fp6_t '× fp6_t) := - fp12conjugate (f_1677) in - let finv_1679 : (fp6_t '× fp6_t) := - fp12inv (f_1677) in - let fp6_1_1680 : (fp6_t '× fp6_t) := - fp12mul (fp6_1678) (finv_1679) in - let fp8_1681 : (fp6_t '× fp6_t) := - frobenius (frobenius (fp6_1_1680)) in - let f_1682 : (fp6_t '× fp6_t) := - fp12mul (fp8_1681) (fp6_1_1680) in - let u_1683 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let u_half_1684 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 7566188111470821376) : scalar_t in - let t0_1685 : (fp6_t '× fp6_t) := - fp12mul (f_1682) (f_1682) in - let t1_1686 : (fp6_t '× fp6_t) := - fp12exp (t0_1685) (u_1683) in - let t1_1687 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1686) in - let t2_1688 : (fp6_t '× fp6_t) := - fp12exp (t1_1687) (u_half_1684) in - let t2_1689 : (fp6_t '× fp6_t) := - fp12conjugate (t2_1688) in - let t3_1690 : (fp6_t '× fp6_t) := - fp12conjugate (f_1682) in - let t1_1691 : (fp6_t '× fp6_t) := - fp12mul (t3_1690) (t1_1687) in - let t1_1692 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1691) in - let t1_1693 : (fp6_t '× fp6_t) := - fp12mul (t1_1692) (t2_1689) in - let t2_1694 : (fp6_t '× fp6_t) := - fp12exp (t1_1693) (u_1683) in - let t2_1695 : (fp6_t '× fp6_t) := - fp12conjugate (t2_1694) in - let t3_1696 : (fp6_t '× fp6_t) := - fp12exp (t2_1695) (u_1683) in - let t3_1697 : (fp6_t '× fp6_t) := - fp12conjugate (t3_1696) in - let t1_1698 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1693) in - let t3_1699 : (fp6_t '× fp6_t) := - fp12mul (t1_1698) (t3_1697) in - let t1_1700 : (fp6_t '× fp6_t) := - fp12conjugate (t1_1698) in - let t1_1701 : (fp6_t '× fp6_t) := - frobenius (frobenius (frobenius (t1_1700))) in - let t2_1702 : (fp6_t '× fp6_t) := - frobenius (frobenius (t2_1695)) in - let t1_1703 : (fp6_t '× fp6_t) := - fp12mul (t1_1701) (t2_1702) in - let t2_1704 : (fp6_t '× fp6_t) := - fp12exp (t3_1699) (u_1683) in - let t2_1705 : (fp6_t '× fp6_t) := - fp12conjugate (t2_1704) in - let t2_1706 : (fp6_t '× fp6_t) := - fp12mul (t2_1705) (t0_1685) in - let t2_1707 : (fp6_t '× fp6_t) := - fp12mul (t2_1706) (f_1682) in - let t1_1708 : (fp6_t '× fp6_t) := - fp12mul (t1_1703) (t2_1707) in - let t2_1709 : (fp6_t '× fp6_t) := - frobenius (t3_1699) in - let t1_1710 : (fp6_t '× fp6_t) := - fp12mul (t1_1708) (t2_1709) in - t1_1710. - -Definition pairing (p_1711 : g1_t) (q_1712 : g2_t) : fp12_t := - let t_1713 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let r_1714 : (fp2_t '× fp2_t '× bool) := - q_1712 in - let f_1715 : (fp6_t '× fp6_t) := - fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in - let '(r_1714, f_1715) := - foldi (usize 1) (usize 64) (fun i_1716 '(r_1714, f_1715) => - let lrr_1717 : (fp6_t '× fp6_t) := - line_double_p (r_1714) (p_1711) in - let r_1714 := - g2double (r_1714) in - let f_1715 := - fp12mul (fp12mul (f_1715) (f_1715)) (lrr_1717) in - let '(r_1714, f_1715) := - if nat_mod_bit (t_1713) (((usize 64) - (i_1716)) - ( - usize 1)):bool then (let lrq_1718 : (fp6_t '× fp6_t) := - line_add_p (r_1714) (q_1712) (p_1711) in - let r_1714 := - g2add (r_1714) (q_1712) in - let f_1715 := - fp12mul (f_1715) (lrq_1718) in - (r_1714, f_1715)) else ((r_1714, f_1715)) in - (r_1714, f_1715)) - (r_1714, f_1715) in - final_exponentiation (fp12conjugate (f_1715)). - -Definition test_fp2_prop_add_neg (a_1719 : fp2_t) : bool := - let b_1720 : (fp_t '× fp_t) := - fp2neg (a_1719) in - (fp2fromfp (nat_mod_zero )) =.? (fp2add (a_1719) (b_1720)). -(*QuickChick ( - forAll g_fp2_t (fun a_1719 : fp2_t =>test_fp2_prop_add_neg a_1719)).*) - - -Definition test_fp2_prop_mul_inv (a_1721 : fp2_t) : bool := - let b_1722 : (fp_t '× fp_t) := - fp2inv (a_1721) in - (fp2fromfp (nat_mod_one )) =.? (fp2mul (a_1721) (b_1722)). -(*QuickChick ( - forAll g_fp2_t (fun a_1721 : fp2_t =>test_fp2_prop_mul_inv a_1721)).*) - - -Definition test_extraction_issue : bool := - let b_1723 : (fp_t '× fp_t) := - fp2inv ((nat_mod_one , nat_mod_one )) in - (fp2fromfp (nat_mod_one )) =.? (fp2mul ((nat_mod_one , nat_mod_one )) ( - b_1723)). -(*QuickChick (test_extraction_issue).*) - - -Definition test_fp6_prop_mul_inv (a_1724 : fp6_t) : bool := - let b_1725 : (fp2_t '× fp2_t '× fp2_t) := - fp6inv (a_1724) in - (fp6fromfp2 (fp2fromfp (nat_mod_one ))) =.? (fp6mul (a_1724) (b_1725)). -(*QuickChick ( - forAll g_fp6_t (fun a_1724 : fp6_t =>test_fp6_prop_mul_inv a_1724)).*) - - -Definition test_fp6_prop_add_neg (a_1726 : fp6_t) : bool := - let b_1727 : (fp2_t '× fp2_t '× fp2_t) := - fp6neg (a_1726) in - (fp6fromfp2 (fp2fromfp (nat_mod_zero ))) =.? (fp6add (a_1726) (b_1727)). -(*QuickChick ( - forAll g_fp6_t (fun a_1726 : fp6_t =>test_fp6_prop_add_neg a_1726)).*) - - -Definition test_fp12_prop_add_neg (a_1728 : fp12_t) : bool := - let b_1729 : (fp6_t '× fp6_t) := - fp12neg (a_1728) in - (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_zero )))) =.? (fp12add (a_1728) ( - b_1729)). -(*QuickChick ( - forAll g_fp12_t (fun a_1728 : fp12_t =>test_fp12_prop_add_neg a_1728)).*) - - -Definition test_fp12_prop_mul_inv (a_1730 : fp12_t) : bool := - let b_1731 : (fp6_t '× fp6_t) := - fp12inv (a_1730) in - (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one )))) =.? (fp12mul (a_1730) ( - b_1731)). -(*QuickChick ( - forAll g_fp12_t (fun a_1730 : fp12_t =>test_fp12_prop_mul_inv a_1730)).*) - - diff --git a/proof-libs/coq/coq/src/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/coq/src/Hacspec_Bls12_381_Hash.v deleted file mode 100644 index de305328b..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Bls12_381_Hash.v +++ /dev/null @@ -1,1754 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Bls12_381. - -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition fp_hash_canvas_t := nseq (int8) (64). -Definition fp_hash_t := - nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. - -Definition arr_fp_t := nseq (uint64) (usize 6). - -Definition b_in_bytes_v : uint_size := - usize 32. - -Definition s_in_bytes_v : uint_size := - usize 64. - -Definition l_v : uint_size := - usize 64. - -Definition p_1_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 936899308823769933) : int64; - secret (@repr WORDSIZE64 2706051889235351147) : int64; - secret (@repr WORDSIZE64 12843041017062132063) : int64; - secret (@repr WORDSIZE64 12941209323636816658) : int64; - secret (@repr WORDSIZE64 1105070755758604287) : int64; - secret (@repr WORDSIZE64 15924587544893707605) : int64 - ] in l). - -Definition p_1_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 468449654411884966) : int64; - secret (@repr WORDSIZE64 10576397981472451381) : int64; - secret (@repr WORDSIZE64 15644892545385841839) : int64; - secret (@repr WORDSIZE64 15693976698673184137) : int64; - secret (@repr WORDSIZE64 552535377879302143) : int64; - secret (@repr WORDSIZE64 17185665809301629611) : int64 - ] in l). - -Definition p_3_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 468449654411884966) : int64; - secret (@repr WORDSIZE64 10576397981472451381) : int64; - secret (@repr WORDSIZE64 15644892545385841839) : int64; - secret (@repr WORDSIZE64 15693976698673184137) : int64; - secret (@repr WORDSIZE64 552535377879302143) : int64; - secret (@repr WORDSIZE64 17185665809301629610) : int64 - ] in l). - -Definition expand_message_xmd - (msg_1732 : byte_seq) - (dst_1733 : byte_seq) - (len_in_bytes_1734 : uint_size) - : byte_seq := - let ell_1735 : uint_size := - (((len_in_bytes_1734) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in - let dst_prime_1736 : seq uint8 := - seq_push (dst_1733) (uint8_from_usize (seq_len (dst_1733))) in - let z_pad_1737 : seq uint8 := - seq_new_ (default : uint8) (s_in_bytes_v) in - let l_i_b_str_1738 : seq uint8 := - seq_new_ (default : uint8) (usize 2) in - let l_i_b_str_1738 := - seq_upd l_i_b_str_1738 (usize 0) (uint8_from_usize ((len_in_bytes_1734) / ( - usize 256))) in - let l_i_b_str_1738 := - seq_upd l_i_b_str_1738 (usize 1) (uint8_from_usize (len_in_bytes_1734)) in - let msg_prime_1739 : seq uint8 := - seq_concat (seq_concat (seq_concat (seq_concat (z_pad_1737) (msg_1732)) ( - l_i_b_str_1738)) (seq_new_ (default : uint8) (usize 1))) ( - dst_prime_1736) in - let b_0_1740 : seq uint8 := - seq_from_seq (array_to_seq (hash (msg_prime_1739))) in - let b_i_1741 : seq uint8 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_1740) (secret ( - @repr WORDSIZE8 1) : int8)) (dst_prime_1736)))) in - let uniform_bytes_1742 : seq uint8 := - seq_from_seq (b_i_1741) in - let '(b_i_1741, uniform_bytes_1742) := - foldi (usize 2) ((ell_1735) + (usize 1)) (fun i_1743 '( - b_i_1741, - uniform_bytes_1742 - ) => - let t_1744 : seq uint8 := - seq_from_seq (b_0_1740) in - let b_i_1741 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( - t_1744) seq_xor (b_i_1741)) (uint8_from_usize (i_1743))) ( - dst_prime_1736)))) in - let uniform_bytes_1742 := - seq_concat (uniform_bytes_1742) (b_i_1741) in - (b_i_1741, uniform_bytes_1742)) - (b_i_1741, uniform_bytes_1742) in - seq_truncate (uniform_bytes_1742) (len_in_bytes_1734). - -Definition fp_hash_to_field - (msg_1745 : byte_seq) - (dst_1746 : byte_seq) - (count_1747 : uint_size) - : seq fp_t := - let len_in_bytes_1748 : uint_size := - (count_1747) * (l_v) in - let uniform_bytes_1749 : seq uint8 := - expand_message_xmd (msg_1745) (dst_1746) (len_in_bytes_1748) in - let output_1750 : seq fp_t := - seq_new_ (default : fp_t) (count_1747) in - let output_1750 := - foldi (usize 0) (count_1747) (fun i_1751 output_1750 => - let elm_offset_1752 : uint_size := - (l_v) * (i_1751) in - let tv_1753 : seq uint8 := - seq_slice (uniform_bytes_1749) (elm_offset_1752) (l_v) in - let u_i_1754 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1753) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let output_1750 := - seq_upd output_1750 (i_1751) (u_i_1754) in - (output_1750)) - output_1750 in - output_1750. - -Definition fp_sgn0 (x_1755 : fp_t) : bool := - ((x_1755) rem (nat_mod_two )) =.? (nat_mod_one ). - -Definition fp_is_square (x_1756 : fp_t) : bool := - let c1_1757 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let tv_1758 : fp_t := - nat_mod_pow_self (x_1756) (c1_1757) in - ((tv_1758) =.? (nat_mod_zero )) || ((tv_1758) =.? (nat_mod_one )). - -Definition fp_sqrt (x_1759 : fp_t) : fp_t := - let c1_1760 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_4_v)) : fp_t in - nat_mod_pow_self (x_1759) (c1_1760). - -Definition g1_curve_func (x_1761 : fp_t) : fp_t := - (((x_1761) *% (x_1761)) *% (x_1761)) +% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t). - -Definition g1_map_to_curve_svdw (u_1762 : fp_t) : g1_t := - let z_1763 : fp_t := - (nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t) in - let gz_1764 : fp_t := - g1_curve_func (z_1763) in - let tv1_1765 : fp_t := - ((u_1762) *% (u_1762)) *% (gz_1764) in - let tv2_1766 : fp_t := - (nat_mod_one ) +% (tv1_1765) in - let tv1_1767 : fp_t := - (nat_mod_one ) -% (tv1_1765) in - let tv3_1768 : fp_t := - nat_mod_inv ((tv1_1767) *% (tv2_1766)) in - let tv4_1769 : fp_t := - fp_sqrt (((nat_mod_zero ) -% (gz_1764)) *% (((nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t) *% (z_1763)) *% (z_1763))) in - let '(tv4_1769) := - if fp_sgn0 (tv4_1769):bool then (let tv4_1769 := - (nat_mod_zero ) -% (tv4_1769) in - (tv4_1769)) else ((tv4_1769)) in - let tv5_1770 : fp_t := - (((u_1762) *% (tv1_1767)) *% (tv3_1768)) *% (tv4_1769) in - let tv6_1771 : fp_t := - (((nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t)) *% (gz_1764)) *% (nat_mod_inv ((( - nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t) *% ( - z_1763)) *% (z_1763))) in - let x1_1772 : fp_t := - (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) -% ( - tv5_1770) in - let x2_1773 : fp_t := - (((nat_mod_zero ) -% (z_1763)) *% (nat_mod_inv (nat_mod_two ))) +% ( - tv5_1770) in - let x3_1774 : fp_t := - (z_1763) +% (((tv6_1771) *% (((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) *% ( - ((tv2_1766) *% (tv2_1766)) *% (tv3_1768))) in - let x_1775 : fp_t := - (if (fp_is_square (g1_curve_func (x1_1772))):bool then (x1_1772) else ((if ( - fp_is_square (g1_curve_func (x2_1773))):bool then (x2_1773) else ( - x3_1774)))) in - let y_1776 : fp_t := - fp_sqrt (g1_curve_func (x_1775)) in - let '(y_1776) := - if (fp_sgn0 (u_1762)) !=.? (fp_sgn0 (y_1776)):bool then (let y_1776 := - (nat_mod_zero ) -% (y_1776) in - (y_1776)) else ((y_1776)) in - (x_1775, y_1776, false). - -Definition g1_clear_cofactor (x_1777 : g1_t) : g1_t := - let h_eff_1778 : scalar_t := - nat_mod_from_literal (_) ( - @repr WORDSIZE128 15132376222941642753) : scalar_t in - g1mul (h_eff_1778) (x_1777). - -Definition g1_hash_to_curve_svdw - (msg_1779 : byte_seq) - (dst_1780 : byte_seq) - : g1_t := - let u_1781 : seq fp_t := - fp_hash_to_field (msg_1779) (dst_1780) (usize 2) in - let q0_1782 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_svdw (seq_index (u_1781) (usize 0)) in - let q1_1783 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_svdw (seq_index (u_1781) (usize 1)) in - let r_1784 : (fp_t '× fp_t '× bool) := - g1add (q0_1782) (q1_1783) in - let p_1785 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (r_1784) in - p_1785. - -Definition g1_encode_to_curve_svdw - (msg_1786 : byte_seq) - (dst_1787 : byte_seq) - : g1_t := - let u_1788 : seq fp_t := - fp_hash_to_field (msg_1786) (dst_1787) (usize 1) in - let q_1789 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_svdw (seq_index (u_1788) (usize 0)) in - let p_1790 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (q_1789) in - p_1790. - -Definition fp2_hash_to_field - (msg_1791 : byte_seq) - (dst_1792 : byte_seq) - (count_1793 : uint_size) - : seq fp2_t := - let len_in_bytes_1794 : uint_size := - ((count_1793) * (usize 2)) * (l_v) in - let uniform_bytes_1795 : seq uint8 := - expand_message_xmd (msg_1791) (dst_1792) (len_in_bytes_1794) in - let output_1796 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (count_1793) in - let output_1796 := - foldi (usize 0) (count_1793) (fun i_1797 output_1796 => - let elm_offset_1798 : uint_size := - ((l_v) * (i_1797)) * (usize 2) in - let tv_1799 : seq uint8 := - seq_slice (uniform_bytes_1795) (elm_offset_1798) (l_v) in - let e_1_1800 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1799) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let elm_offset_1801 : uint_size := - (l_v) * ((usize 1) + ((i_1797) * (usize 2))) in - let tv_1802 : seq uint8 := - seq_slice (uniform_bytes_1795) (elm_offset_1801) (l_v) in - let e_2_1803 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1802) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let output_1796 := - seq_upd output_1796 (i_1797) ((e_1_1800, e_2_1803)) in - (output_1796)) - output_1796 in - output_1796. - -Definition fp2_sgn0 (x_1804 : fp2_t) : bool := - let '(x0_1805, x1_1806) := - x_1804 in - let sign_0_1807 : bool := - fp_sgn0 (x0_1805) in - let zero_0_1808 : bool := - (x0_1805) =.? (nat_mod_zero ) in - let sign_1_1809 : bool := - fp_sgn0 (x1_1806) in - (sign_0_1807) || ((zero_0_1808) && (sign_1_1809)). - -Definition fp2_is_square (x_1810 : fp2_t) : bool := - let c1_1811 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let '(x1_1812, x2_1813) := - x_1810 in - let tv1_1814 : fp_t := - (x1_1812) *% (x1_1812) in - let tv2_1815 : fp_t := - (x2_1813) *% (x2_1813) in - let tv1_1816 : fp_t := - (tv1_1814) +% (tv2_1815) in - let tv1_1817 : fp_t := - nat_mod_pow_self (tv1_1816) (c1_1811) in - let neg1_1818 : fp_t := - (nat_mod_zero ) -% (nat_mod_one ) in - (tv1_1817) !=.? (neg1_1818). - -Definition fp2exp (n_1819 : fp2_t) (k_1820 : fp_t) : fp2_t := - let c_1821 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let c_1821 := - foldi (usize 0) (usize 381) (fun i_1822 c_1821 => - let c_1821 := - fp2mul (c_1821) (c_1821) in - let '(c_1821) := - if nat_mod_bit (k_1820) ((usize 380) - (i_1822)):bool then ( - let c_1821 := - fp2mul (c_1821) (n_1819) in - (c_1821)) else ((c_1821)) in - (c_1821)) - c_1821 in - c_1821. - -Definition fp2_sqrt (a_1823 : fp2_t) : fp2_t := - let c1_1824 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_3_4_v)) : fp_t in - let c2_1825 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let a1_1826 : (fp_t '× fp_t) := - fp2exp (a_1823) (c1_1824) in - let alpha_1827 : (fp_t '× fp_t) := - fp2mul (a1_1826) (fp2mul (a1_1826) (a_1823)) in - let x0_1828 : (fp_t '× fp_t) := - fp2mul (a1_1826) (a_1823) in - let neg1_1829 : (fp_t '× fp_t) := - ((nat_mod_zero ) -% (nat_mod_one ), nat_mod_zero ) in - let b_1830 : (fp_t '× fp_t) := - fp2exp (fp2add (fp2fromfp (nat_mod_one )) (alpha_1827)) (c2_1825) in - (if ((alpha_1827) =.? (neg1_1829)):bool then (fp2mul (( - nat_mod_zero , - nat_mod_one - )) (x0_1828)) else (fp2mul (b_1830) (x0_1828))). - -Definition g2_curve_func (x_1831 : fp2_t) : fp2_t := - fp2add (fp2mul (x_1831) (fp2mul (x_1831) (x_1831))) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t, - nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t - )). - -Definition g2_map_to_curve_svdw (u_1832 : fp2_t) : g2_t := - let z_1833 : (fp_t '× fp_t) := - fp2neg (fp2fromfp (nat_mod_one )) in - let gz_1834 : (fp_t '× fp_t) := - g2_curve_func (z_1833) in - let tv1_1835 : (fp_t '× fp_t) := - fp2mul (fp2mul (u_1832) (u_1832)) (gz_1834) in - let tv2_1836 : (fp_t '× fp_t) := - fp2add (fp2fromfp (nat_mod_one )) (tv1_1835) in - let tv1_1837 : (fp_t '× fp_t) := - fp2sub (fp2fromfp (nat_mod_one )) (tv1_1835) in - let tv3_1838 : (fp_t '× fp_t) := - fp2inv (fp2mul (tv1_1837) (tv2_1836)) in - let tv4_1839 : (fp_t '× fp_t) := - fp2_sqrt (fp2mul (fp2neg (gz_1834)) (fp2mul (fp2fromfp ( - nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) (fp2mul ( - z_1833) (z_1833)))) in - let '(tv4_1839) := - if fp2_sgn0 (tv4_1839):bool then (let tv4_1839 := - fp2neg (tv4_1839) in - (tv4_1839)) else ((tv4_1839)) in - let tv5_1840 : (fp_t '× fp_t) := - fp2mul (fp2mul (fp2mul (u_1832) (tv1_1837)) (tv3_1838)) (tv4_1839) in - let tv6_1841 : (fp_t '× fp_t) := - fp2mul (fp2mul (fp2neg (fp2fromfp (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t))) (gz_1834)) (fp2inv (fp2mul ( - fp2fromfp (nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) ( - fp2mul (z_1833) (z_1833)))) in - let x1_1842 : (fp_t '× fp_t) := - fp2sub (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( - tv5_1840) in - let x2_1843 : (fp_t '× fp_t) := - fp2add (fp2mul (fp2neg (z_1833)) (fp2inv (fp2fromfp (nat_mod_two )))) ( - tv5_1840) in - let tv7_1844 : (fp_t '× fp_t) := - fp2mul (fp2mul (tv2_1836) (tv2_1836)) (tv3_1838) in - let x3_1845 : (fp_t '× fp_t) := - fp2add (z_1833) (fp2mul (tv6_1841) (fp2mul (tv7_1844) (tv7_1844))) in - let x_1846 : (fp_t '× fp_t) := - (if (fp2_is_square (g2_curve_func (x1_1842))):bool then (x1_1842) else (( - if (fp2_is_square (g2_curve_func (x2_1843))):bool then ( - x2_1843) else (x3_1845)))) in - let y_1847 : (fp_t '× fp_t) := - fp2_sqrt (g2_curve_func (x_1846)) in - let '(y_1847) := - if (fp2_sgn0 (u_1832)) !=.? (fp2_sgn0 (y_1847)):bool then (let y_1847 := - fp2neg (y_1847) in - (y_1847)) else ((y_1847)) in - (x_1846, y_1847, false). - -Definition psi (p_1848 : g2_t) : g2_t := - let c1_1849 : (fp_t '× fp_t) := - fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( - nat_mod_one )) *% (nat_mod_inv (nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t)))) in - let c2_1850 : (fp_t '× fp_t) := - fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( - nat_mod_one )) *% (nat_mod_inv (nat_mod_two )))) in - let '(x_1851, y_1852, inf_1853) := - p_1848 in - let qx_1854 : (fp_t '× fp_t) := - fp2mul (c1_1849) (fp2conjugate (x_1851)) in - let qy_1855 : (fp_t '× fp_t) := - fp2mul (c2_1850) (fp2conjugate (y_1852)) in - (qx_1854, qy_1855, inf_1853). - -Definition g2_clear_cofactor (p_1856 : g2_t) : g2_t := - let c1_1857 : scalar_t := - nat_mod_from_literal (_) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let t1_1858 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2mul (c1_1857) (p_1856) in - let t1_1859 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2neg (t1_1858) in - let t2_1860 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - psi (p_1856) in - let t3_1861 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2double (p_1856) in - let t3_1862 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - psi (psi (t3_1861)) in - let t3_1863 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1862) (g2neg (t2_1860)) in - let t2_1864 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t1_1859) (t2_1860) in - let t2_1865 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2mul (c1_1857) (t2_1864) in - let t2_1866 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2neg (t2_1865) in - let t3_1867 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1863) (t2_1866) in - let t3_1868 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1867) (g2neg (t1_1859)) in - let q_1869 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (t3_1868) (g2neg (p_1856)) in - q_1869. - -Definition g2_hash_to_curve_svdw - (msg_1870 : byte_seq) - (dst_1871 : byte_seq) - : g2_t := - let u_1872 : seq fp2_t := - fp2_hash_to_field (msg_1870) (dst_1871) (usize 2) in - let q0_1873 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_svdw (seq_index (u_1872) (usize 0)) in - let q1_1874 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_svdw (seq_index (u_1872) (usize 1)) in - let r_1875 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (q0_1873) (q1_1874) in - let p_1876 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (r_1875) in - p_1876. - -Definition g2_encode_to_curve_svdw - (msg_1877 : byte_seq) - (dst_1878 : byte_seq) - : g2_t := - let u_1879 : seq fp2_t := - fp2_hash_to_field (msg_1877) (dst_1878) (usize 1) in - let q_1880 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_svdw (seq_index (u_1879) (usize 0)) in - let p_1881 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (q_1880) in - p_1881. - -Definition g1_iso_a_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 5707120929990979) : int64; - secret (@repr WORDSIZE64 4425131892511951234) : int64; - secret (@repr WORDSIZE64 12748169179688756904) : int64; - secret (@repr WORDSIZE64 15629909748249821612) : int64; - secret (@repr WORDSIZE64 10994253769421683071) : int64; - secret (@repr WORDSIZE64 6698022561392380957) : int64 - ] in l). - -Definition g1_iso_b_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1360808972976160816) : int64; - secret (@repr WORDSIZE64 111203405409480251) : int64; - secret (@repr WORDSIZE64 2312248699302920304) : int64; - secret (@repr WORDSIZE64 11581500465278574325) : int64; - secret (@repr WORDSIZE64 6495071758858381989) : int64; - secret (@repr WORDSIZE64 15117538217124375520) : int64 - ] in l). - -Definition g1_xnum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1270119733718627136) : int64; - secret (@repr WORDSIZE64 13261148298159854981) : int64; - secret (@repr WORDSIZE64 7723742117508874335) : int64; - secret (@repr WORDSIZE64 17465657917644792520) : int64; - secret (@repr WORDSIZE64 6201670911048166766) : int64; - secret (@repr WORDSIZE64 12586459670690286007) : int64 - ] in l). - -Definition g1_xnum_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1668951808976071471) : int64; - secret (@repr WORDSIZE64 398773841247578140) : int64; - secret (@repr WORDSIZE64 8941869963990959127) : int64; - secret (@repr WORDSIZE64 17682789360670468203) : int64; - secret (@repr WORDSIZE64 5204176168283587414) : int64; - secret (@repr WORDSIZE64 16732261237459223483) : int64 - ] in l). - -Definition g1_xnum_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 960393023080265964) : int64; - secret (@repr WORDSIZE64 2094253841180170779) : int64; - secret (@repr WORDSIZE64 14844748873776858085) : int64; - secret (@repr WORDSIZE64 7528018573573808732) : int64; - secret (@repr WORDSIZE64 10776056440809943711) : int64; - secret (@repr WORDSIZE64 16147550488514976944) : int64 - ] in l). - -Definition g1_xnum_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1691355743628586423) : int64; - secret (@repr WORDSIZE64 5622191986793862162) : int64; - secret (@repr WORDSIZE64 15561595211679121189) : int64; - secret (@repr WORDSIZE64 17416319752018800771) : int64; - secret (@repr WORDSIZE64 5996228842464768403) : int64; - secret (@repr WORDSIZE64 14245880009877842017) : int64 - ] in l). - -Definition g1_xnum_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1051997788391994435) : int64; - secret (@repr WORDSIZE64 7368650625050054228) : int64; - secret (@repr WORDSIZE64 11086623519836470079) : int64; - secret (@repr WORDSIZE64 607681821319080984) : int64; - secret (@repr WORDSIZE64 10978131499682789316) : int64; - secret (@repr WORDSIZE64 5842660658088809945) : int64 - ] in l). - -Definition g1_xnum_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1598992431623377919) : int64; - secret (@repr WORDSIZE64 130921168661596853) : int64; - secret (@repr WORDSIZE64 15797696746983946651) : int64; - secret (@repr WORDSIZE64 11444679715590672272) : int64; - secret (@repr WORDSIZE64 11567228658253249817) : int64; - secret (@repr WORDSIZE64 14777367860349315459) : int64 - ] in l). - -Definition g1_xnum_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 967946631563726121) : int64; - secret (@repr WORDSIZE64 7653628713030275775) : int64; - secret (@repr WORDSIZE64 12760252618317466849) : int64; - secret (@repr WORDSIZE64 10378793938173061930) : int64; - secret (@repr WORDSIZE64 10205808941053849290) : int64; - secret (@repr WORDSIZE64 15985511645807504772) : int64 - ] in l). - -Definition g1_xnum_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1709149555065084898) : int64; - secret (@repr WORDSIZE64 16750075057192140371) : int64; - secret (@repr WORDSIZE64 3849985779734105521) : int64; - secret (@repr WORDSIZE64 11998370262181639475) : int64; - secret (@repr WORDSIZE64 4159013751748851119) : int64; - secret (@repr WORDSIZE64 11298218755092433038) : int64 - ] in l). - -Definition g1_xnum_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 580186936973955012) : int64; - secret (@repr WORDSIZE64 8903813505199544589) : int64; - secret (@repr WORDSIZE64 14140024565662700916) : int64; - secret (@repr WORDSIZE64 11728946595272970718) : int64; - secret (@repr WORDSIZE64 5738313744366653077) : int64; - secret (@repr WORDSIZE64 7886252005760951063) : int64 - ] in l). - -Definition g1_xnum_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1628930385436977092) : int64; - secret (@repr WORDSIZE64 3318087848058654498) : int64; - secret (@repr WORDSIZE64 15937899882900905113) : int64; - secret (@repr WORDSIZE64 7449821001803307903) : int64; - secret (@repr WORDSIZE64 11752436998487615353) : int64; - secret (@repr WORDSIZE64 9161465579737517214) : int64 - ] in l). - -Definition g1_xnum_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1167027828517898210) : int64; - secret (@repr WORDSIZE64 8275623842221021965) : int64; - secret (@repr WORDSIZE64 18049808134997311382) : int64; - secret (@repr WORDSIZE64 15351349873550116966) : int64; - secret (@repr WORDSIZE64 17769927732099571180) : int64; - secret (@repr WORDSIZE64 14584871380308065147) : int64 - ] in l). - -Definition g1_xnum_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 495550047642324592) : int64; - secret (@repr WORDSIZE64 13627494601717575229) : int64; - secret (@repr WORDSIZE64 3591512392926246844) : int64; - secret (@repr WORDSIZE64 2576269112800734056) : int64; - secret (@repr WORDSIZE64 14000314106239596831) : int64; - secret (@repr WORDSIZE64 12234233096825917993) : int64 - ] in l). - -Definition g1_xden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 633474091881273774) : int64; - secret (@repr WORDSIZE64 1779737893574802031) : int64; - secret (@repr WORDSIZE64 132274872219551930) : int64; - secret (@repr WORDSIZE64 11283074393783708770) : int64; - secret (@repr WORDSIZE64 13067430171545714168) : int64; - secret (@repr WORDSIZE64 11041975239630265116) : int64 - ] in l). - -Definition g1_xden_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1321272531362356291) : int64; - secret (@repr WORDSIZE64 5238936591227237942) : int64; - secret (@repr WORDSIZE64 8089002360232247308) : int64; - secret (@repr WORDSIZE64 82967328719421271) : int64; - secret (@repr WORDSIZE64 1430641118356186857) : int64; - secret (@repr WORDSIZE64 16557527386785790975) : int64 - ] in l). - -Definition g1_xden_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 804282852993868382) : int64; - secret (@repr WORDSIZE64 9311163821600184607) : int64; - secret (@repr WORDSIZE64 8037026956533927121) : int64; - secret (@repr WORDSIZE64 18205324308570099372) : int64; - secret (@repr WORDSIZE64 15466434890074226396) : int64; - secret (@repr WORDSIZE64 18213183315621985817) : int64 - ] in l). - -Definition g1_xden_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 234844145893171966) : int64; - secret (@repr WORDSIZE64 14428037799351479124) : int64; - secret (@repr WORDSIZE64 6559532710647391569) : int64; - secret (@repr WORDSIZE64 6110444250091843536) : int64; - secret (@repr WORDSIZE64 5293652763671852484) : int64; - secret (@repr WORDSIZE64 1373009181854280920) : int64 - ] in l). - -Definition g1_xden_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1416629893867312296) : int64; - secret (@repr WORDSIZE64 751851957792514173) : int64; - secret (@repr WORDSIZE64 18437674587247370939) : int64; - secret (@repr WORDSIZE64 10190314345946351322) : int64; - secret (@repr WORDSIZE64 11228207967368476701) : int64; - secret (@repr WORDSIZE64 6025034940388909598) : int64 - ] in l). - -Definition g1_xden_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1041270466333271993) : int64; - secret (@repr WORDSIZE64 6140956605115975401) : int64; - secret (@repr WORDSIZE64 4131830461445745997) : int64; - secret (@repr WORDSIZE64 739642499118176303) : int64; - secret (@repr WORDSIZE64 8358912131254619921) : int64; - secret (@repr WORDSIZE64 13847998906088228005) : int64 - ] in l). - -Definition g1_xden_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 536714149743900185) : int64; - secret (@repr WORDSIZE64 1098328982230230817) : int64; - secret (@repr WORDSIZE64 6273329123533496713) : int64; - secret (@repr WORDSIZE64 5633448088282521244) : int64; - secret (@repr WORDSIZE64 16894043798660571244) : int64; - secret (@repr WORDSIZE64 17016134625831438906) : int64 - ] in l). - -Definition g1_xden_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1488347500898461874) : int64; - secret (@repr WORDSIZE64 3509418672874520985) : int64; - secret (@repr WORDSIZE64 7962192351555381416) : int64; - secret (@repr WORDSIZE64 1843909372225399896) : int64; - secret (@repr WORDSIZE64 1127511003250156243) : int64; - secret (@repr WORDSIZE64 1294742680819751518) : int64 - ] in l). - -Definition g1_xden_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 725340084226051970) : int64; - secret (@repr WORDSIZE64 6814521545734988748) : int64; - secret (@repr WORDSIZE64 16176803544133875307) : int64; - secret (@repr WORDSIZE64 8363199516777220149) : int64; - secret (@repr WORDSIZE64 252877309218538352) : int64; - secret (@repr WORDSIZE64 5149562959837648449) : int64 - ] in l). - -Definition g1_xden_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 675470927100193492) : int64; - secret (@repr WORDSIZE64 5146891164735334016) : int64; - secret (@repr WORDSIZE64 17762958817130696759) : int64; - secret (@repr WORDSIZE64 8565656522589412373) : int64; - secret (@repr WORDSIZE64 10599026333335446784) : int64; - secret (@repr WORDSIZE64 3270603789344496906) : int64 - ] in l). - -Definition g1_ynum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 652344406751465184) : int64; - secret (@repr WORDSIZE64 2710356675495255290) : int64; - secret (@repr WORDSIZE64 1273695771440998738) : int64; - secret (@repr WORDSIZE64 3121750372618945491) : int64; - secret (@repr WORDSIZE64 14775319642720936898) : int64; - secret (@repr WORDSIZE64 13733803417833814835) : int64 - ] in l). - -Definition g1_ynum_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1389807578337138705) : int64; - secret (@repr WORDSIZE64 15352831428748068483) : int64; - secret (@repr WORDSIZE64 1307144967559264317) : int64; - secret (@repr WORDSIZE64 1121505450578652468) : int64; - secret (@repr WORDSIZE64 15475889019760388287) : int64; - secret (@repr WORDSIZE64 16183658160488302230) : int64 - ] in l). - -Definition g1_ynum_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 57553299067792998) : int64; - secret (@repr WORDSIZE64 17628079362768849300) : int64; - secret (@repr WORDSIZE64 2689461337731570914) : int64; - secret (@repr WORDSIZE64 14070580367580990887) : int64; - secret (@repr WORDSIZE64 15162865775551710499) : int64; - secret (@repr WORDSIZE64 13321614990632673782) : int64 - ] in l). - -Definition g1_ynum_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 141972750621744161) : int64; - secret (@repr WORDSIZE64 8689824239172478807) : int64; - secret (@repr WORDSIZE64 15288216298323671324) : int64; - secret (@repr WORDSIZE64 712874875091754233) : int64; - secret (@repr WORDSIZE64 16014900032503684588) : int64; - secret (@repr WORDSIZE64 11976580453200426187) : int64 - ] in l). - -Definition g1_ynum_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 633886036738506515) : int64; - secret (@repr WORDSIZE64 6678644607214234052) : int64; - secret (@repr WORDSIZE64 1825425679455244472) : int64; - secret (@repr WORDSIZE64 8755912272271186652) : int64; - secret (@repr WORDSIZE64 3379943669301788840) : int64; - secret (@repr WORDSIZE64 4735212769449148123) : int64 - ] in l). - -Definition g1_ynum_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1612358804494830442) : int64; - secret (@repr WORDSIZE64 2454990789666711200) : int64; - secret (@repr WORDSIZE64 8405916841409361853) : int64; - secret (@repr WORDSIZE64 8525415512662168654) : int64; - secret (@repr WORDSIZE64 2323684950984523890) : int64; - secret (@repr WORDSIZE64 11074978966450447856) : int64 - ] in l). - -Definition g1_ynum_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 336375361001233340) : int64; - secret (@repr WORDSIZE64 12882959944969186108) : int64; - secret (@repr WORDSIZE64 16671121624101127371) : int64; - secret (@repr WORDSIZE64 5922586712221110071) : int64; - secret (@repr WORDSIZE64 5163511947597922654) : int64; - secret (@repr WORDSIZE64 14511152726087948018) : int64 - ] in l). - -Definition g1_ynum_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 686738286210365551) : int64; - secret (@repr WORDSIZE64 16039894141796533876) : int64; - secret (@repr WORDSIZE64 1660145734357211167) : int64; - secret (@repr WORDSIZE64 18231571463891878950) : int64; - secret (@repr WORDSIZE64 4825120264949852469) : int64; - secret (@repr WORDSIZE64 11627815551290637097) : int64 - ] in l). - -Definition g1_ynum_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 719520515476580427) : int64; - secret (@repr WORDSIZE64 16756942182913253819) : int64; - secret (@repr WORDSIZE64 10320769399998235244) : int64; - secret (@repr WORDSIZE64 2200974244968450750) : int64; - secret (@repr WORDSIZE64 7626373186594408355) : int64; - secret (@repr WORDSIZE64 6933025920263103879) : int64 - ] in l). - -Definition g1_ynum_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1016611174344998325) : int64; - secret (@repr WORDSIZE64 2466492548686891555) : int64; - secret (@repr WORDSIZE64 14135124294293452542) : int64; - secret (@repr WORDSIZE64 475233659467912251) : int64; - secret (@repr WORDSIZE64 11186783513499056751) : int64; - secret (@repr WORDSIZE64 3147922594245844016) : int64 - ] in l). - -Definition g1_ynum_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1833315000454533566) : int64; - secret (@repr WORDSIZE64 1007974600900082579) : int64; - secret (@repr WORDSIZE64 14785260176242854207) : int64; - secret (@repr WORDSIZE64 15066861003931772432) : int64; - secret (@repr WORDSIZE64 3584647998681889532) : int64; - secret (@repr WORDSIZE64 16722834201330696498) : int64 - ] in l). - -Definition g1_ynum_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1780164921828767454) : int64; - secret (@repr WORDSIZE64 13337622794239929804) : int64; - secret (@repr WORDSIZE64 5923739534552515142) : int64; - secret (@repr WORDSIZE64 3345046972101780530) : int64; - secret (@repr WORDSIZE64 5321510883028162054) : int64; - secret (@repr WORDSIZE64 14846055306840460686) : int64 - ] in l). - -Definition g1_ynum_k_12_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 799438051374502809) : int64; - secret (@repr WORDSIZE64 15083972834952036164) : int64; - secret (@repr WORDSIZE64 8838227588559581326) : int64; - secret (@repr WORDSIZE64 13846054168121598783) : int64; - secret (@repr WORDSIZE64 488730451382505970) : int64; - secret (@repr WORDSIZE64 958146249756188408) : int64 - ] in l). - -Definition g1_ynum_k_13_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 163716820423854747) : int64; - secret (@repr WORDSIZE64 8285498163857659356) : int64; - secret (@repr WORDSIZE64 8465424830341846400) : int64; - secret (@repr WORDSIZE64 1433942577299613084) : int64; - secret (@repr WORDSIZE64 14325828012864645732) : int64; - secret (@repr WORDSIZE64 4817114329354076467) : int64 - ] in l). - -Definition g1_ynum_k_14_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 414658151749832465) : int64; - secret (@repr WORDSIZE64 189531577938912252) : int64; - secret (@repr WORDSIZE64 6802473390048830824) : int64; - secret (@repr WORDSIZE64 15684647020317539556) : int64; - secret (@repr WORDSIZE64 7755485098777620407) : int64; - secret (@repr WORDSIZE64 9685868895687483979) : int64 - ] in l). - -Definition g1_ynum_k_15_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1578157964224562126) : int64; - secret (@repr WORDSIZE64 5666948055268535989) : int64; - secret (@repr WORDSIZE64 14634479491382401593) : int64; - secret (@repr WORDSIZE64 6317940024988860850) : int64; - secret (@repr WORDSIZE64 13142913832013798519) : int64; - secret (@repr WORDSIZE64 338991247778166276) : int64 - ] in l). - -Definition g1_yden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1590100849350973618) : int64; - secret (@repr WORDSIZE64 5915497081334721257) : int64; - secret (@repr WORDSIZE64 6924968209373727718) : int64; - secret (@repr WORDSIZE64 17204633670617869946) : int64; - secret (@repr WORDSIZE64 572916540828819565) : int64; - secret (@repr WORDSIZE64 92203205520679873) : int64 - ] in l). - -Definition g1_yden_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1829261189398470686) : int64; - secret (@repr WORDSIZE64 1877083417397643448) : int64; - secret (@repr WORDSIZE64 9640042925497046428) : int64; - secret (@repr WORDSIZE64 11862766565471805471) : int64; - secret (@repr WORDSIZE64 8693114993904885301) : int64; - secret (@repr WORDSIZE64 3672140328108400701) : int64 - ] in l). - -Definition g1_yden_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 400243331105348135) : int64; - secret (@repr WORDSIZE64 8046435537999802711) : int64; - secret (@repr WORDSIZE64 8702226981475745585) : int64; - secret (@repr WORDSIZE64 879791671491744492) : int64; - secret (@repr WORDSIZE64 11994630442058346377) : int64; - secret (@repr WORDSIZE64 2172204746352322546) : int64 - ] in l). - -Definition g1_yden_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1637008473169220501) : int64; - secret (@repr WORDSIZE64 17441636237435581649) : int64; - secret (@repr WORDSIZE64 15066165676546511630) : int64; - secret (@repr WORDSIZE64 1314387578457599809) : int64; - secret (@repr WORDSIZE64 8247046336453711789) : int64; - secret (@repr WORDSIZE64 12164906044230685718) : int64 - ] in l). - -Definition g1_yden_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 855930740911588324) : int64; - secret (@repr WORDSIZE64 12685735333705453020) : int64; - secret (@repr WORDSIZE64 14326404096614579120) : int64; - secret (@repr WORDSIZE64 6066025509460822294) : int64; - secret (@repr WORDSIZE64 11676450493790612973) : int64; - secret (@repr WORDSIZE64 15724621714793234461) : int64 - ] in l). - -Definition g1_yden_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 637792788410719021) : int64; - secret (@repr WORDSIZE64 11507373155986977154) : int64; - secret (@repr WORDSIZE64 13186912195705886849) : int64; - secret (@repr WORDSIZE64 14262012144631372388) : int64; - secret (@repr WORDSIZE64 5328758613570342114) : int64; - secret (@repr WORDSIZE64 199925847119476652) : int64 - ] in l). - -Definition g1_yden_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1612297190139091759) : int64; - secret (@repr WORDSIZE64 14103733843373163083) : int64; - secret (@repr WORDSIZE64 6840121186619029743) : int64; - secret (@repr WORDSIZE64 6760859324815900753) : int64; - secret (@repr WORDSIZE64 15418807805142572985) : int64; - secret (@repr WORDSIZE64 4402853133867972444) : int64 - ] in l). - -Definition g1_yden_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1631410310868805610) : int64; - secret (@repr WORDSIZE64 269334146695233390) : int64; - secret (@repr WORDSIZE64 16547411811928854487) : int64; - secret (@repr WORDSIZE64 18353100669930795314) : int64; - secret (@repr WORDSIZE64 13339932232668798692) : int64; - secret (@repr WORDSIZE64 6984591927261867737) : int64 - ] in l). - -Definition g1_yden_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1758313625630302499) : int64; - secret (@repr WORDSIZE64 1881349400343039172) : int64; - secret (@repr WORDSIZE64 18013005311323887904) : int64; - secret (@repr WORDSIZE64 12377427846571989832) : int64; - secret (@repr WORDSIZE64 5967237584920922243) : int64; - secret (@repr WORDSIZE64 7720081932193848650) : int64 - ] in l). - -Definition g1_yden_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1619701357752249884) : int64; - secret (@repr WORDSIZE64 16898074901591262352) : int64; - secret (@repr WORDSIZE64 3609344159736760251) : int64; - secret (@repr WORDSIZE64 5983130161189999867) : int64; - secret (@repr WORDSIZE64 14355327869992416094) : int64; - secret (@repr WORDSIZE64 3778226018344582997) : int64 - ] in l). - -Definition g1_yden_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 347606589330687421) : int64; - secret (@repr WORDSIZE64 5255719044972187933) : int64; - secret (@repr WORDSIZE64 11271894388753671721) : int64; - secret (@repr WORDSIZE64 1033887512062764488) : int64; - secret (@repr WORDSIZE64 8189165486932690436) : int64; - secret (@repr WORDSIZE64 70004379462101672) : int64 - ] in l). - -Definition g1_yden_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 778202887894139711) : int64; - secret (@repr WORDSIZE64 17691595219776375879) : int64; - secret (@repr WORDSIZE64 9193253711563866834) : int64; - secret (@repr WORDSIZE64 10092455202333888821) : int64; - secret (@repr WORDSIZE64 1655469341950262250) : int64; - secret (@repr WORDSIZE64 10845992994110574738) : int64 - ] in l). - -Definition g1_yden_k_12_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 781015344221683683) : int64; - secret (@repr WORDSIZE64 14078588081290548374) : int64; - secret (@repr WORDSIZE64 6067271023149908518) : int64; - secret (@repr WORDSIZE64 9033357708497886086) : int64; - secret (@repr WORDSIZE64 10592474449179118273) : int64; - secret (@repr WORDSIZE64 2204988348113831372) : int64 - ] in l). - -Definition g1_yden_k_13_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 172830037692534587) : int64; - secret (@repr WORDSIZE64 7101012286790006514) : int64; - secret (@repr WORDSIZE64 13787308004332873665) : int64; - secret (@repr WORDSIZE64 14660498759553796110) : int64; - secret (@repr WORDSIZE64 4757234684169342080) : int64; - secret (@repr WORDSIZE64 15130647872920159991) : int64 - ] in l). - -Definition g1_yden_k_14_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1013206390650290238) : int64; - secret (@repr WORDSIZE64 7720336747103001025) : int64; - secret (@repr WORDSIZE64 8197694151986493523) : int64; - secret (@repr WORDSIZE64 3625112747029342752) : int64; - secret (@repr WORDSIZE64 6675167463148394368) : int64; - secret (@repr WORDSIZE64 4905905684016745359) : int64 - ] in l). - -Definition g1_simple_swu_iso (u_1882 : fp_t) : (fp_t '× fp_t) := - let z_1883 : fp_t := - nat_mod_from_literal (_) (@repr WORDSIZE128 11) : fp_t in - let a_1884 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_a_v)) : fp_t in - let b_1885 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_b_v)) : fp_t in - let tv1_1886 : fp_t := - nat_mod_inv ((((z_1883) *% (z_1883)) *% (nat_mod_exp (u_1882) ( - @repr WORDSIZE32 4))) +% (((z_1883) *% (u_1882)) *% (u_1882))) in - let x1_1887 : fp_t := - (((nat_mod_zero ) -% (b_1885)) *% (nat_mod_inv (a_1884))) *% (( - nat_mod_one ) +% (tv1_1886)) in - let '(x1_1887) := - if (tv1_1886) =.? (nat_mod_zero ):bool then (let x1_1887 := - (b_1885) *% (nat_mod_inv ((z_1883) *% (a_1884))) in - (x1_1887)) else ((x1_1887)) in - let gx1_1888 : fp_t := - ((nat_mod_exp (x1_1887) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( - x1_1887))) +% (b_1885) in - let x2_1889 : fp_t := - (((z_1883) *% (u_1882)) *% (u_1882)) *% (x1_1887) in - let gx2_1890 : fp_t := - ((nat_mod_exp (x2_1889) (@repr WORDSIZE32 3)) +% ((a_1884) *% ( - x2_1889))) +% (b_1885) in - let '(x_1891, y_1892) := - (if (fp_is_square (gx1_1888)):bool then ((x1_1887, fp_sqrt (gx1_1888) - )) else ((x2_1889, fp_sqrt (gx2_1890)))) in - let '(y_1892) := - if (fp_sgn0 (u_1882)) !=.? (fp_sgn0 (y_1892)):bool then (let y_1892 := - (nat_mod_zero ) -% (y_1892) in - (y_1892)) else ((y_1892)) in - (x_1891, y_1892). - -Definition g1_isogeny_map (x_1893 : fp_t) (y_1894 : fp_t) : g1_t := - let xnum_k_1895 : seq fp_t := - seq_new_ (default : fp_t) (usize 12) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_0_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_1_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_2_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_3_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_4_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_5_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_6_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_7_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_8_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_9_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_xnum_k_10_v)) : fp_t) in - let xnum_k_1895 := - seq_upd xnum_k_1895 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_xnum_k_11_v)) : fp_t) in - let xden_k_1896 : seq fp_t := - seq_new_ (default : fp_t) (usize 10) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_0_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_1_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_2_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_3_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_4_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_5_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_6_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_7_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_8_v)) : fp_t) in - let xden_k_1896 := - seq_upd xden_k_1896 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_9_v)) : fp_t) in - let ynum_k_1897 : seq fp_t := - seq_new_ (default : fp_t) (usize 16) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_0_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_1_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_2_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_3_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_4_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_5_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_6_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_7_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_8_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_9_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_10_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_11_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 12) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_12_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 13) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_13_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 14) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_14_v)) : fp_t) in - let ynum_k_1897 := - seq_upd ynum_k_1897 (usize 15) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_15_v)) : fp_t) in - let yden_k_1898 : seq fp_t := - seq_new_ (default : fp_t) (usize 15) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_0_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_1_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_2_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_3_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_4_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_5_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_6_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_7_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_8_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_9_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_10_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_11_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 12) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_12_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 13) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_13_v)) : fp_t) in - let yden_k_1898 := - seq_upd yden_k_1898 (usize 14) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_14_v)) : fp_t) in - let xnum_1899 : fp_t := - nat_mod_zero in - let xx_1900 : fp_t := - nat_mod_one in - let '(xnum_1899, xx_1900) := - foldi (usize 0) (seq_len (xnum_k_1895)) (fun i_1901 '(xnum_1899, xx_1900) => - let xnum_1899 := - (xnum_1899) +% ((xx_1900) *% (seq_index (xnum_k_1895) (i_1901))) in - let xx_1900 := - (xx_1900) *% (x_1893) in - (xnum_1899, xx_1900)) - (xnum_1899, xx_1900) in - let xden_1902 : fp_t := - nat_mod_zero in - let xx_1903 : fp_t := - nat_mod_one in - let '(xden_1902, xx_1903) := - foldi (usize 0) (seq_len (xden_k_1896)) (fun i_1904 '(xden_1902, xx_1903) => - let xden_1902 := - (xden_1902) +% ((xx_1903) *% (seq_index (xden_k_1896) (i_1904))) in - let xx_1903 := - (xx_1903) *% (x_1893) in - (xden_1902, xx_1903)) - (xden_1902, xx_1903) in - let xden_1902 := - (xden_1902) +% (xx_1903) in - let ynum_1905 : fp_t := - nat_mod_zero in - let xx_1906 : fp_t := - nat_mod_one in - let '(ynum_1905, xx_1906) := - foldi (usize 0) (seq_len (ynum_k_1897)) (fun i_1907 '(ynum_1905, xx_1906) => - let ynum_1905 := - (ynum_1905) +% ((xx_1906) *% (seq_index (ynum_k_1897) (i_1907))) in - let xx_1906 := - (xx_1906) *% (x_1893) in - (ynum_1905, xx_1906)) - (ynum_1905, xx_1906) in - let yden_1908 : fp_t := - nat_mod_zero in - let xx_1909 : fp_t := - nat_mod_one in - let '(yden_1908, xx_1909) := - foldi (usize 0) (seq_len (yden_k_1898)) (fun i_1910 '(yden_1908, xx_1909) => - let yden_1908 := - (yden_1908) +% ((xx_1909) *% (seq_index (yden_k_1898) (i_1910))) in - let xx_1909 := - (xx_1909) *% (x_1893) in - (yden_1908, xx_1909)) - (yden_1908, xx_1909) in - let yden_1908 := - (yden_1908) +% (xx_1909) in - let xr_1911 : fp_t := - (xnum_1899) *% (nat_mod_inv (xden_1902)) in - let yr_1912 : fp_t := - ((y_1894) *% (ynum_1905)) *% (nat_mod_inv (yden_1908)) in - let inf_1913 : bool := - false in - let '(inf_1913) := - if ((xden_1902) =.? (nat_mod_zero )) || ((yden_1908) =.? ( - nat_mod_zero )):bool then (let inf_1913 := - true in - (inf_1913)) else ((inf_1913)) in - (xr_1911, yr_1912, inf_1913). - -Definition g1_map_to_curve_sswu (u_1914 : fp_t) : g1_t := - let '(xp_1915, yp_1916) := - g1_simple_swu_iso (u_1914) in - let p_1917 : (fp_t '× fp_t '× bool) := - g1_isogeny_map (xp_1915) (yp_1916) in - p_1917. - -Definition g1_hash_to_curve_sswu - (msg_1918 : byte_seq) - (dst_1919 : byte_seq) - : g1_t := - let u_1920 : seq fp_t := - fp_hash_to_field (msg_1918) (dst_1919) (usize 2) in - let q0_1921 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_sswu (seq_index (u_1920) (usize 0)) in - let q1_1922 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_sswu (seq_index (u_1920) (usize 1)) in - let r_1923 : (fp_t '× fp_t '× bool) := - g1add (q0_1921) (q1_1922) in - let p_1924 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (r_1923) in - p_1924. - -Definition g1_encode_to_curve_sswu - (msg_1925 : byte_seq) - (dst_1926 : byte_seq) - : g1_t := - let u_1927 : seq fp_t := - fp_hash_to_field (msg_1925) (dst_1926) (usize 1) in - let q_1928 : (fp_t '× fp_t '× bool) := - g1_map_to_curve_sswu (seq_index (u_1927) (usize 0)) in - let p_1929 : (fp_t '× fp_t '× bool) := - g1_clear_cofactor (q_1928) in - p_1929. - -Definition g2_xnum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 416399692810564414) : int64; - secret (@repr WORDSIZE64 13500519111022079365) : int64; - secret (@repr WORDSIZE64 3658379999393219626) : int64; - secret (@repr WORDSIZE64 9850925049107374429) : int64; - secret (@repr WORDSIZE64 6640057249351452444) : int64; - secret (@repr WORDSIZE64 7077594464397203414) : int64 - ] in l). - -Definition g2_xnum_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058522) : int64 - ] in l). - -Definition g2_xnum_k_2_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058526) : int64 - ] in l). - -Definition g2_xnum_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 624599539215846622) : int64; - secret (@repr WORDSIZE64 1804034592823567431) : int64; - secret (@repr WORDSIZE64 14710942035944605247) : int64; - secret (@repr WORDSIZE64 14776387573661061644) : int64; - secret (@repr WORDSIZE64 736713837172402858) : int64; - secret (@repr WORDSIZE64 10616391696595805069) : int64 - ] in l). - -Definition g2_xnum_k_3_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1665598771242257658) : int64; - secret (@repr WORDSIZE64 17108588296669214228) : int64; - secret (@repr WORDSIZE64 14633519997572878506) : int64; - secret (@repr WORDSIZE64 2510212049010394485) : int64; - secret (@repr WORDSIZE64 8113484923696258161) : int64; - secret (@repr WORDSIZE64 9863633783879261905) : int64 - ] in l). - -Definition g2_xden_k_0_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863523) : int64 - ] in l). - -Definition g2_xden_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863583) : int64 - ] in l). - -Definition g2_ynum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1526798873638736187) : int64; - secret (@repr WORDSIZE64 6459500568425337235) : int64; - secret (@repr WORDSIZE64 1116230615302104219) : int64; - secret (@repr WORDSIZE64 17673314439684154624) : int64; - secret (@repr WORDSIZE64 18197961889718808424) : int64; - secret (@repr WORDSIZE64 1355520937843676934) : int64 - ] in l). - -Definition g2_ynum_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 416399692810564414) : int64; - secret (@repr WORDSIZE64 13500519111022079365) : int64; - secret (@repr WORDSIZE64 3658379999393219626) : int64; - secret (@repr WORDSIZE64 9850925049107374429) : int64; - secret (@repr WORDSIZE64 6640057249351452444) : int64; - secret (@repr WORDSIZE64 7077594464397203390) : int64 - ] in l). - -Definition g2_ynum_k_2_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058524) : int64 - ] in l). - -Definition g2_ynum_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 624599539215846622) : int64; - secret (@repr WORDSIZE64 1804034592823567431) : int64; - secret (@repr WORDSIZE64 14710942035944605247) : int64; - secret (@repr WORDSIZE64 14776387573661061644) : int64; - secret (@repr WORDSIZE64 736713837172402858) : int64; - secret (@repr WORDSIZE64 10616391696595805071) : int64 - ] in l). - -Definition g2_ynum_k_3_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1318599027233453979) : int64; - secret (@repr WORDSIZE64 18155985086623849168) : int64; - secret (@repr WORDSIZE64 8510412652460270214) : int64; - secret (@repr WORDSIZE64 12747851915130467410) : int64; - secret (@repr WORDSIZE64 5654561228188306393) : int64; - secret (@repr WORDSIZE64 16263467779354626832) : int64 - ] in l). - -Definition g2_yden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863163) : int64 - ] in l). - -Definition g2_yden_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863379) : int64 - ] in l). - -Definition g2_yden_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863577) : int64 - ] in l). - -Definition g2_simple_swu_iso (u_1930 : fp2_t) : (fp2_t '× fp2_t) := - let z_1931 : (fp_t '× fp_t) := - fp2neg ((nat_mod_two , nat_mod_one )) in - let a_1932 : (fp_t '× fp_t) := - (nat_mod_zero , nat_mod_from_literal (_) (@repr WORDSIZE128 240) : fp_t) in - let b_1933 : (fp_t '× fp_t) := - ( - nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t, - nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t - ) in - let tv1_1934 : (fp_t '× fp_t) := - fp2inv (fp2add (fp2mul (fp2mul (z_1931) (z_1931)) (fp2mul (fp2mul (u_1930) ( - u_1930)) (fp2mul (u_1930) (u_1930)))) (fp2mul (z_1931) (fp2mul ( - u_1930) (u_1930)))) in - let x1_1935 : (fp_t '× fp_t) := - fp2mul (fp2mul (fp2neg (b_1933)) (fp2inv (a_1932))) (fp2add (fp2fromfp ( - nat_mod_one )) (tv1_1934)) in - let '(x1_1935) := - if (tv1_1934) =.? (fp2zero ):bool then (let x1_1935 := - fp2mul (b_1933) (fp2inv (fp2mul (z_1931) (a_1932))) in - (x1_1935)) else ((x1_1935)) in - let gx1_1936 : (fp_t '× fp_t) := - fp2add (fp2add (fp2mul (fp2mul (x1_1935) (x1_1935)) (x1_1935)) (fp2mul ( - a_1932) (x1_1935))) (b_1933) in - let x2_1937 : (fp_t '× fp_t) := - fp2mul (fp2mul (z_1931) (fp2mul (u_1930) (u_1930))) (x1_1935) in - let gx2_1938 : (fp_t '× fp_t) := - fp2add (fp2add (fp2mul (fp2mul (x2_1937) (x2_1937)) (x2_1937)) (fp2mul ( - a_1932) (x2_1937))) (b_1933) in - let '(x_1939, y_1940) := - (if (fp2_is_square (gx1_1936)):bool then ((x1_1935, fp2_sqrt (gx1_1936) - )) else ((x2_1937, fp2_sqrt (gx2_1938)))) in - let '(y_1940) := - if (fp2_sgn0 (u_1930)) !=.? (fp2_sgn0 (y_1940)):bool then (let y_1940 := - fp2neg (y_1940) in - (y_1940)) else ((y_1940)) in - (x_1939, y_1940). - -Definition g2_isogeny_map (x_1941 : fp2_t) (y_1942 : fp2_t) : g2_t := - let xnum_k_1943 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 4) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t - )) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_1_i_v)) : fp_t - )) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 2) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_r_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_i_v)) : fp_t - )) in - let xnum_k_1943 := - seq_upd xnum_k_1943 (usize 3) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_3_r_v)) : fp_t, - nat_mod_zero - )) in - let xden_k_1944 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 2) in - let xden_k_1944 := - seq_upd xden_k_1944 (usize 0) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_0_i_v)) : fp_t - )) in - let xden_k_1944 := - seq_upd xden_k_1944 (usize 1) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 12) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_1_i_v)) : fp_t - )) in - let ynum_k_1945 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 4) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t - )) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_1_i_v)) : fp_t - )) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 2) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_r_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_i_v)) : fp_t - )) in - let ynum_k_1945 := - seq_upd ynum_k_1945 (usize 3) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_3_r_v)) : fp_t, - nat_mod_zero - )) in - let yden_k_1946 : seq (fp_t '× fp_t) := - seq_new_ (default : fp2_t) (usize 3) in - let yden_k_1946 := - seq_upd yden_k_1946 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t - )) in - let yden_k_1946 := - seq_upd yden_k_1946 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_1_i_v)) : fp_t - )) in - let yden_k_1946 := - seq_upd yden_k_1946 (usize 2) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 18) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_2_i_v)) : fp_t - )) in - let xnum_1947 : (fp_t '× fp_t) := - fp2zero in - let xx_1948 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(xnum_1947, xx_1948) := - foldi (usize 0) (seq_len (xnum_k_1943)) (fun i_1949 '(xnum_1947, xx_1948) => - let xnum_1947 := - fp2add (xnum_1947) (fp2mul (xx_1948) (seq_index (xnum_k_1943) ( - i_1949))) in - let xx_1948 := - fp2mul (xx_1948) (x_1941) in - (xnum_1947, xx_1948)) - (xnum_1947, xx_1948) in - let xden_1950 : (fp_t '× fp_t) := - fp2zero in - let xx_1951 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(xden_1950, xx_1951) := - foldi (usize 0) (seq_len (xden_k_1944)) (fun i_1952 '(xden_1950, xx_1951) => - let xden_1950 := - fp2add (xden_1950) (fp2mul (xx_1951) (seq_index (xden_k_1944) ( - i_1952))) in - let xx_1951 := - fp2mul (xx_1951) (x_1941) in - (xden_1950, xx_1951)) - (xden_1950, xx_1951) in - let xden_1950 := - fp2add (xden_1950) (xx_1951) in - let ynum_1953 : (fp_t '× fp_t) := - fp2zero in - let xx_1954 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(ynum_1953, xx_1954) := - foldi (usize 0) (seq_len (ynum_k_1945)) (fun i_1955 '(ynum_1953, xx_1954) => - let ynum_1953 := - fp2add (ynum_1953) (fp2mul (xx_1954) (seq_index (ynum_k_1945) ( - i_1955))) in - let xx_1954 := - fp2mul (xx_1954) (x_1941) in - (ynum_1953, xx_1954)) - (ynum_1953, xx_1954) in - let yden_1956 : (fp_t '× fp_t) := - fp2zero in - let xx_1957 : (fp_t '× fp_t) := - fp2fromfp (nat_mod_one ) in - let '(yden_1956, xx_1957) := - foldi (usize 0) (seq_len (yden_k_1946)) (fun i_1958 '(yden_1956, xx_1957) => - let yden_1956 := - fp2add (yden_1956) (fp2mul (xx_1957) (seq_index (yden_k_1946) ( - i_1958))) in - let xx_1957 := - fp2mul (xx_1957) (x_1941) in - (yden_1956, xx_1957)) - (yden_1956, xx_1957) in - let yden_1956 := - fp2add (yden_1956) (xx_1957) in - let xr_1959 : (fp_t '× fp_t) := - fp2mul (xnum_1947) (fp2inv (xden_1950)) in - let yr_1960 : (fp_t '× fp_t) := - fp2mul (y_1942) (fp2mul (ynum_1953) (fp2inv (yden_1956))) in - let inf_1961 : bool := - false in - let '(inf_1961) := - if ((xden_1950) =.? (fp2zero )) || ((yden_1956) =.? (fp2zero )):bool then ( - let inf_1961 := - true in - (inf_1961)) else ((inf_1961)) in - (xr_1959, yr_1960, inf_1961). - -Definition g2_map_to_curve_sswu (u_1962 : fp2_t) : g2_t := - let '(xp_1963, yp_1964) := - g2_simple_swu_iso (u_1962) in - let p_1965 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_isogeny_map (xp_1963) (yp_1964) in - p_1965. - -Definition g2_hash_to_curve_sswu - (msg_1966 : byte_seq) - (dst_1967 : byte_seq) - : g2_t := - let u_1968 : seq fp2_t := - fp2_hash_to_field (msg_1966) (dst_1967) (usize 2) in - let q0_1969 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_sswu (seq_index (u_1968) (usize 0)) in - let q1_1970 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_sswu (seq_index (u_1968) (usize 1)) in - let r_1971 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2add (q0_1969) (q1_1970) in - let p_1972 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (r_1971) in - p_1972. - -Definition g2_encode_to_curve_sswu - (msg_1973 : byte_seq) - (dst_1974 : byte_seq) - : g2_t := - let u_1975 : seq fp2_t := - fp2_hash_to_field (msg_1973) (dst_1974) (usize 1) in - let q_1976 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_map_to_curve_sswu (seq_index (u_1975) (usize 0)) in - let p_1977 : ((fp_t '× fp_t) '× (fp_t '× fp_t) '× bool) := - g2_clear_cofactor (q_1976) in - p_1977. - diff --git a/proof-libs/coq/coq/src/Hacspec_Chacha20.v b/proof-libs/coq/coq/src/Hacspec_Chacha20.v deleted file mode 100644 index a44b16a43..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Chacha20.v +++ /dev/null @@ -1,223 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition state_t := nseq (uint32) (usize 16). - -Definition state_idx_t := - nat_mod (usize 16). -Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. -Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. - -Definition constants_t := nseq (uint32) (usize 4). - -Definition constants_idx_t := - nat_mod (usize 4). -Definition uint_size_in_constants_idx_t(n : uint_size) : constants_idx_t := int_in_nat_mod n. -Coercion uint_size_in_constants_idx_t : uint_size >-> constants_idx_t. - -Definition block_t := nseq (uint8) (usize 64). - -Definition cha_cha_iv_t := nseq (uint8) (usize 12). - -Definition cha_cha_key_t := nseq (uint8) (usize 32). - -Definition chacha20_line - (a_345 : state_idx_t) - (b_346 : state_idx_t) - (d_347 : state_idx_t) - (s_348 : uint_size) - (m_349 : state_t) - : state_t := - let state_350 : state_t := - m_349 in - let state_350 := - array_upd state_350 (a_345) ((array_index (state_350) (a_345)) .+ ( - array_index (state_350) (b_346))) in - let state_350 := - array_upd state_350 (d_347) ((array_index (state_350) (d_347)) .^ ( - array_index (state_350) (a_345))) in - let state_350 := - array_upd state_350 (d_347) (uint32_rotate_left (array_index (state_350) ( - d_347)) (s_348)) in - state_350. - -Definition chacha20_quarter_round - (a_351 : state_idx_t) - (b_352 : state_idx_t) - (c_353 : state_idx_t) - (d_354 : state_idx_t) - (state_355 : state_t) - : state_t := - let state_356 : state_t := - chacha20_line (a_351) (b_352) (d_354) (usize 16) (state_355) in - let state_357 : state_t := - chacha20_line (c_353) (d_354) (b_352) (usize 12) (state_356) in - let state_358 : state_t := - chacha20_line (a_351) (b_352) (d_354) (usize 8) (state_357) in - chacha20_line (c_353) (d_354) (b_352) (usize 7) (state_358). - -Definition chacha20_double_round (state_359 : state_t) : state_t := - let state_360 : state_t := - chacha20_quarter_round (usize 0) (usize 4) (usize 8) (usize 12) ( - state_359) in - let state_361 : state_t := - chacha20_quarter_round (usize 1) (usize 5) (usize 9) (usize 13) ( - state_360) in - let state_362 : state_t := - chacha20_quarter_round (usize 2) (usize 6) (usize 10) (usize 14) ( - state_361) in - let state_363 : state_t := - chacha20_quarter_round (usize 3) (usize 7) (usize 11) (usize 15) ( - state_362) in - let state_364 : state_t := - chacha20_quarter_round (usize 0) (usize 5) (usize 10) (usize 15) ( - state_363) in - let state_365 : state_t := - chacha20_quarter_round (usize 1) (usize 6) (usize 11) (usize 12) ( - state_364) in - let state_366 : state_t := - chacha20_quarter_round (usize 2) (usize 7) (usize 8) (usize 13) ( - state_365) in - chacha20_quarter_round (usize 3) (usize 4) (usize 9) (usize 14) (state_366). - -Definition chacha20_rounds (state_367 : state_t) : state_t := - let st_368 : state_t := - state_367 in - let st_368 := - foldi (usize 0) (usize 10) (fun i_369 st_368 => - let st_368 := - chacha20_double_round (st_368) in - (st_368)) - st_368 in - st_368. - -Definition chacha20_core (ctr_370 : uint32) (st0_371 : state_t) : state_t := - let state_372 : state_t := - st0_371 in - let state_372 := - array_upd state_372 (usize 12) ((array_index (state_372) (usize 12)) .+ ( - ctr_370)) in - let k_373 : state_t := - chacha20_rounds (state_372) in - (k_373) array_add (state_372). - -Definition chacha20_constants_init : constants_t := - let constants_374 : constants_t := - array_new_ (default : uint32) (4) in - let constants_374 := - array_upd constants_374 (usize 0) (secret ( - @repr WORDSIZE32 1634760805) : int32) in - let constants_374 := - array_upd constants_374 (usize 1) (secret ( - @repr WORDSIZE32 857760878) : int32) in - let constants_374 := - array_upd constants_374 (usize 2) (secret ( - @repr WORDSIZE32 2036477234) : int32) in - let constants_374 := - array_upd constants_374 (usize 3) (secret ( - @repr WORDSIZE32 1797285236) : int32) in - constants_374. - -Definition chacha20_init - (key_375 : cha_cha_key_t) - (iv_376 : cha_cha_iv_t) - (ctr_377 : uint32) - : state_t := - let st_378 : state_t := - array_new_ (default : uint32) (16) in - let st_378 := - array_update (st_378) (usize 0) ( - array_to_seq (chacha20_constants_init )) in - let st_378 := - array_update (st_378) (usize 4) (array_to_le_uint32s (key_375)) in - let st_378 := - array_upd st_378 (usize 12) (ctr_377) in - let st_378 := - array_update (st_378) (usize 13) (array_to_le_uint32s (iv_376)) in - st_378. - -Definition chacha20_key_block (state_379 : state_t) : block_t := - let state_380 : state_t := - chacha20_core (secret (@repr WORDSIZE32 0) : int32) (state_379) in - array_from_seq (64) (array_to_le_bytes (state_380)). - -Definition chacha20_key_block0 - (key_381 : cha_cha_key_t) - (iv_382 : cha_cha_iv_t) - : block_t := - let state_383 : state_t := - chacha20_init (key_381) (iv_382) (secret (@repr WORDSIZE32 0) : int32) in - chacha20_key_block (state_383). - -Definition chacha20_encrypt_block - (st0_384 : state_t) - (ctr_385 : uint32) - (plain_386 : block_t) - : block_t := - let st_387 : state_t := - chacha20_core (ctr_385) (st0_384) in - let pl_388 : state_t := - array_from_seq (16) (array_to_le_uint32s (plain_386)) in - let st_389 : state_t := - (pl_388) array_xor (st_387) in - array_from_seq (64) (array_to_le_bytes (st_389)). - -Definition chacha20_encrypt_last - (st0_390 : state_t) - (ctr_391 : uint32) - (plain_392 : byte_seq) - : byte_seq := - let b_393 : block_t := - array_new_ (default : uint8) (64) in - let b_393 := - array_update (b_393) (usize 0) (plain_392) in - let b_393 := - chacha20_encrypt_block (st0_390) (ctr_391) (b_393) in - array_slice (b_393) (usize 0) (seq_len (plain_392)). - -Definition chacha20_update (st0_394 : state_t) (m_395 : byte_seq) : byte_seq := - let blocks_out_396 : seq uint8 := - seq_new_ (default : uint8) (seq_len (m_395)) in - let n_blocks_397 : uint_size := - seq_num_exact_chunks (m_395) (usize 64) in - let blocks_out_396 := - foldi (usize 0) (n_blocks_397) (fun i_398 blocks_out_396 => - let msg_block_399 : seq uint8 := - seq_get_exact_chunk (m_395) (usize 64) (i_398) in - let b_400 : block_t := - chacha20_encrypt_block (st0_394) (secret (pub_u32 (i_398)) : int32) ( - array_from_seq (64) (msg_block_399)) in - let blocks_out_396 := - seq_set_exact_chunk (blocks_out_396) (usize 64) (i_398) ( - array_to_seq (b_400)) in - (blocks_out_396)) - blocks_out_396 in - let last_block_401 : seq uint8 := - seq_get_remainder_chunk (m_395) (usize 64) in - let '(blocks_out_396) := - if (seq_len (last_block_401)) !=.? (usize 0):bool then ( - let b_402 : seq uint8 := - chacha20_encrypt_last (st0_394) (secret (pub_u32 ( - n_blocks_397)) : int32) (last_block_401) in - let blocks_out_396 := - seq_set_chunk (blocks_out_396) (usize 64) (n_blocks_397) (b_402) in - (blocks_out_396)) else ((blocks_out_396)) in - blocks_out_396. - -Definition chacha20 - (key_403 : cha_cha_key_t) - (iv_404 : cha_cha_iv_t) - (ctr_405 : int32) - (m_406 : byte_seq) - : byte_seq := - let state_407 : state_t := - chacha20_init (key_403) (iv_404) (secret (ctr_405) : int32) in - chacha20_update (state_407) (m_406). - diff --git a/proof-libs/coq/coq/src/Hacspec_Chacha20poly1305.v b/proof-libs/coq/coq/src/Hacspec_Chacha20poly1305.v deleted file mode 100644 index 206ae34b9..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Chacha20poly1305.v +++ /dev/null @@ -1,98 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Chacha20. - -Require Import Hacspec_Poly1305. - -Inductive error_t := -| InvalidTag : error_t. - -Notation "'cha_cha_poly_key_t'" := (cha_cha_key_t) : hacspec_scope. - -Notation "'cha_cha_poly_iv_t'" := (cha_cha_iv_t) : hacspec_scope. - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Definition init - (key_408 : cha_cha_poly_key_t) - (iv_409 : cha_cha_poly_iv_t) - : poly_state_t := - let key_block0_410 : block_t := - chacha20_key_block0 (key_408) (iv_409) in - let poly_key_411 : poly_key_t := - array_from_slice (default : uint8) (32) (array_to_seq (key_block0_410)) ( - usize 0) (usize 32) in - poly1305_init (poly_key_411). - -Definition poly1305_update_padded - (m_412 : byte_seq) - (st_413 : poly_state_t) - : poly_state_t := - let st_414 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_update_blocks (m_412) (st_413) in - let last_415 : seq uint8 := - seq_get_remainder_chunk (m_412) (usize 16) in - poly1305_update_last (usize 16) (last_415) (st_414). - -Definition finish - (aad_len_416 : uint_size) - (cipher_len_417 : uint_size) - (st_418 : poly_state_t) - : poly1305_tag_t := - let last_block_419 : poly_block_t := - array_new_ (default : uint8) (16) in - let last_block_419 := - array_update (last_block_419) (usize 0) (array_to_seq (uint64_to_le_bytes ( - secret (pub_u64 (aad_len_416)) : int64))) in - let last_block_419 := - array_update (last_block_419) (usize 8) (array_to_seq (uint64_to_le_bytes ( - secret (pub_u64 (cipher_len_417)) : int64))) in - let st_420 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_update_block (last_block_419) (st_418) in - poly1305_finish (st_420). - -Definition chacha20_poly1305_encrypt - (key_421 : cha_cha_poly_key_t) - (iv_422 : cha_cha_poly_iv_t) - (aad_423 : byte_seq) - (msg_424 : byte_seq) - : (byte_seq '× poly1305_tag_t) := - let cipher_text_425 : seq uint8 := - chacha20 (key_421) (iv_422) (@repr WORDSIZE32 1) (msg_424) in - let poly_st_426 : (field_element_t '× field_element_t '× poly_key_t) := - init (key_421) (iv_422) in - let poly_st_426 := - poly1305_update_padded (aad_423) (poly_st_426) in - let poly_st_426 := - poly1305_update_padded (cipher_text_425) (poly_st_426) in - let tag_427 : poly1305_tag_t := - finish (seq_len (aad_423)) (seq_len (cipher_text_425)) (poly_st_426) in - (cipher_text_425, tag_427). - -Definition chacha20_poly1305_decrypt - (key_428 : cha_cha_poly_key_t) - (iv_429 : cha_cha_poly_iv_t) - (aad_430 : byte_seq) - (cipher_text_431 : byte_seq) - (tag_432 : poly1305_tag_t) - : byte_seq_result_t := - let poly_st_433 : (field_element_t '× field_element_t '× poly_key_t) := - init (key_428) (iv_429) in - let poly_st_433 := - poly1305_update_padded (aad_430) (poly_st_433) in - let poly_st_433 := - poly1305_update_padded (cipher_text_431) (poly_st_433) in - let my_tag_434 : poly1305_tag_t := - finish (seq_len (aad_430)) (seq_len (cipher_text_431)) (poly_st_433) in - (if (array_declassify_eq (my_tag_434) (tag_432)):bool then ( - @Ok byte_seq error_t (chacha20 (key_428) (iv_429) (@repr WORDSIZE32 1) ( - cipher_text_431))) else (@Err byte_seq error_t (InvalidTag))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Curve25519.v b/proof-libs/coq/coq/src/Hacspec_Curve25519.v deleted file mode 100644 index 4d340a361..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Curve25519.v +++ /dev/null @@ -1,170 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition field_canvas_t := nseq (int8) (32). -Definition x25519_field_element_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. - -Notation "'point_t'" := ((x25519_field_element_t '× x25519_field_element_t -)) : hacspec_scope. - -Definition x25519_serialized_point_t := nseq (uint8) (usize 32). - -Definition x25519_serialized_scalar_t := nseq (uint8) (usize 32). - -Definition mask_scalar - (s_477 : x25519_serialized_scalar_t) - : x25519_serialized_scalar_t := - let k_478 : x25519_serialized_scalar_t := - s_477 in - let k_478 := - array_upd k_478 (usize 0) ((array_index (k_478) (usize 0)) .& (secret ( - @repr WORDSIZE8 248) : int8)) in - let k_478 := - array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - let k_478 := - array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .| (secret ( - @repr WORDSIZE8 64) : int8)) in - k_478. - -Definition decode_scalar (s_479 : x25519_serialized_scalar_t) : scalar_t := - let k_480 : x25519_serialized_scalar_t := - mask_scalar (s_479) in - nat_mod_from_byte_seq_le (array_to_seq (k_480)) : scalar_t. - -Definition decode_point (u_481 : x25519_serialized_point_t) : point_t := - let u_482 : x25519_serialized_point_t := - u_481 in - let u_482 := - array_upd u_482 (usize 31) ((array_index (u_482) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - ( - nat_mod_from_byte_seq_le (array_to_seq (u_482)) : x25519_field_element_t, - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 1) : x25519_field_element_t - ). - -Definition encode_point (p_483 : point_t) : x25519_serialized_point_t := - let '(x_484, y_485) := - p_483 in - let b_486 : x25519_field_element_t := - (x_484) *% (nat_mod_inv (y_485)) in - array_update_start (array_new_ (default : uint8) (32)) ( - nat_mod_to_byte_seq_le (b_486)). - -Definition point_add_and_double - (q_487 : point_t) - (np_488 : (point_t '× point_t)) - : (point_t '× point_t) := - let '(nq_489, nqp1_490) := - np_488 in - let '(x_1_491, z_1_492) := - q_487 in - let '(x_2_493, z_2_494) := - nq_489 in - let '(x_3_495, z_3_496) := - nqp1_490 in - let a_497 : x25519_field_element_t := - (x_2_493) +% (z_2_494) in - let aa_498 : x25519_field_element_t := - nat_mod_pow (a_497) (@repr WORDSIZE128 2) in - let b_499 : x25519_field_element_t := - (x_2_493) -% (z_2_494) in - let bb_500 : x25519_field_element_t := - (b_499) *% (b_499) in - let e_501 : x25519_field_element_t := - (aa_498) -% (bb_500) in - let c_502 : x25519_field_element_t := - (x_3_495) +% (z_3_496) in - let d_503 : x25519_field_element_t := - (x_3_495) -% (z_3_496) in - let da_504 : x25519_field_element_t := - (d_503) *% (a_497) in - let cb_505 : x25519_field_element_t := - (c_502) *% (b_499) in - let x_3_506 : x25519_field_element_t := - nat_mod_pow ((da_504) +% (cb_505)) (@repr WORDSIZE128 2) in - let z_3_507 : x25519_field_element_t := - (x_1_491) *% (nat_mod_pow ((da_504) -% (cb_505)) (@repr WORDSIZE128 2)) in - let x_2_508 : x25519_field_element_t := - (aa_498) *% (bb_500) in - let e121665_509 : x25519_field_element_t := - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 121665) : x25519_field_element_t in - let z_2_510 : x25519_field_element_t := - (e_501) *% ((aa_498) +% ((e121665_509) *% (e_501))) in - ((x_2_508, z_2_510), (x_3_506, z_3_507)). - -Definition swap (x_511 : (point_t '× point_t)) : (point_t '× point_t) := - let '(x0_512, x1_513) := - x_511 in - (x1_513, x0_512). - -Definition montgomery_ladder - (k_514 : scalar_t) - (init_515 : point_t) - : point_t := - let inf_516 : (x25519_field_element_t '× x25519_field_element_t) := - ( - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 1) : x25519_field_element_t, - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 0) : x25519_field_element_t - ) in - let acc_517 : (point_t '× point_t) := - (inf_516, init_515) in - let acc_517 := - foldi (usize 0) (usize 256) (fun i_518 acc_517 => - let '(acc_517) := - if nat_mod_bit (k_514) ((usize 255) - (i_518)):bool then (let acc_517 := - swap (acc_517) in - let acc_517 := - point_add_and_double (init_515) (acc_517) in - let acc_517 := - swap (acc_517) in - (acc_517)) else (let acc_517 := - point_add_and_double (init_515) (acc_517) in - (acc_517)) in - (acc_517)) - acc_517 in - let '(out_519, _) := - acc_517 in - out_519. - -Definition x25519_scalarmult - (s_520 : x25519_serialized_scalar_t) - (p_521 : x25519_serialized_point_t) - : x25519_serialized_point_t := - let s_522 : scalar_t := - decode_scalar (s_520) in - let p_523 : (x25519_field_element_t '× x25519_field_element_t) := - decode_point (p_521) in - let r_524 : (x25519_field_element_t '× x25519_field_element_t) := - montgomery_ladder (s_522) (p_523) in - encode_point (r_524). - -Definition x25519_secret_to_public - (s_525 : x25519_serialized_scalar_t) - : x25519_serialized_point_t := - let base_526 : x25519_serialized_point_t := - array_new_ (default : uint8) (32) in - let base_526 := - array_upd base_526 (usize 0) (secret (@repr WORDSIZE8 9) : int8) in - x25519_scalarmult (s_525) (base_526). - diff --git a/proof-libs/coq/coq/src/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/coq/src/Hacspec_Ecdsa_P256_Sha256.v deleted file mode 100644 index 875bc79a9..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Ecdsa_P256_Sha256.v +++ /dev/null @@ -1,128 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_P256. - -Require Import Hacspec_Sha256. - -Inductive error_t := -| InvalidScalar : error_t -| InvalidSignature : error_t. - -Notation "'p256_public_key_t'" := (affine_t) : hacspec_scope. - -Notation "'p256_secret_key_t'" := (p256_scalar_t) : hacspec_scope. - -Notation "'p256_signature_t'" := ((p256_scalar_t '× p256_scalar_t -)) : hacspec_scope. - -Notation "'p256_signature_result_t'" := (( - result p256_signature_t error_t)) : hacspec_scope. - -Notation "'p256_verify_result_t'" := ((result unit error_t)) : hacspec_scope. - -Notation "'check_result_t'" := ((result unit error_t)) : hacspec_scope. - -Notation "'arithmetic_result_t'" := ((result affine_t error_t)) : hacspec_scope. - -Definition check_scalar_zero (r_527 : p256_scalar_t) : check_result_t := - (if (nat_mod_equal (r_527) (nat_mod_zero )):bool then (@Err unit error_t ( - InvalidScalar)) else (@Ok unit error_t (tt))). - -Definition ecdsa_point_mul_base (x_528 : p256_scalar_t) : arithmetic_result_t := - match p256_point_mul_base (x_528) with - | Ok (s_529) => @Ok affine_t error_t (s_529) - | Err (_) => @Err affine_t error_t (InvalidScalar) - end. - -Definition ecdsa_point_mul - (k_530 : p256_scalar_t) - (p_531 : affine_t) - : arithmetic_result_t := - match p256_point_mul (k_530) (p_531) with - | Ok (s_532) => @Ok affine_t error_t (s_532) - | Err (_) => @Err affine_t error_t (InvalidScalar) - end. - -Definition ecdsa_point_add - (p_533 : affine_t) - (q_534 : affine_t) - : arithmetic_result_t := - match point_add (p_533) (q_534) with - | Ok (s_535) => @Ok affine_t error_t (s_535) - | Err (_) => @Err affine_t error_t (InvalidScalar) - end. - -Definition sign - (payload_536 : byte_seq) - (sk_537 : p256_secret_key_t) - (nonce_538 : p256_scalar_t) - : p256_signature_result_t := - bind (check_scalar_zero (nonce_538)) (fun _ => bind (ecdsa_point_mul_base ( - nonce_538)) (fun '(k_x_539, k_y_540) => let r_541 : p256_scalar_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - k_x_539)) : p256_scalar_t in - bind (check_scalar_zero (r_541)) (fun _ => - let payload_hash_542 : sha256_digest_t := - hash (payload_536) in - let payload_hash_543 : p256_scalar_t := - nat_mod_from_byte_seq_be ( - array_to_seq (payload_hash_542)) : p256_scalar_t in - let rsk_544 : p256_scalar_t := - (r_541) *% (sk_537) in - let hash_rsk_545 : p256_scalar_t := - (payload_hash_543) +% (rsk_544) in - let nonce_inv_546 : p256_scalar_t := - nat_mod_inv (nonce_538) in - let s_547 : p256_scalar_t := - (nonce_inv_546) *% (hash_rsk_545) in - @Ok p256_signature_t error_t ((r_541, s_547))))). - -Definition ecdsa_p256_sha256_sign - (payload_548 : byte_seq) - (sk_549 : p256_secret_key_t) - (nonce_550 : p256_scalar_t) - : p256_signature_result_t := - sign (payload_548) (sk_549) (nonce_550). - -Definition verify - (payload_551 : byte_seq) - (pk_552 : p256_public_key_t) - (signature_553 : p256_signature_t) - : p256_verify_result_t := - let '(r_554, s_555) := - signature_553 in - let payload_hash_556 : sha256_digest_t := - hash (payload_551) in - let payload_hash_557 : p256_scalar_t := - nat_mod_from_byte_seq_be ( - array_to_seq (payload_hash_556)) : p256_scalar_t in - let s_inv_558 : p256_scalar_t := - nat_mod_inv (s_555) in - let u1_559 : p256_scalar_t := - (payload_hash_557) *% (s_inv_558) in - bind (ecdsa_point_mul_base (u1_559)) (fun u1_560 => - let u2_561 : p256_scalar_t := - (r_554) *% (s_inv_558) in - bind (ecdsa_point_mul (u2_561) (pk_552)) (fun u2_562 => bind ( - ecdsa_point_add (u1_560) (u2_562)) (fun '(x_563, y_564) => - let x_565 : p256_scalar_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - x_563)) : p256_scalar_t in - (if ((x_565) =.? (r_554)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature)))))). - -Definition ecdsa_p256_sha256_verify - (payload_566 : byte_seq) - (pk_567 : p256_public_key_t) - (signature_568 : p256_signature_t) - : p256_verify_result_t := - verify (payload_566) (pk_567) (signature_568). - diff --git a/proof-libs/coq/coq/src/Hacspec_Ed25519.v b/proof-libs/coq/coq/src/Hacspec_Ed25519.v deleted file mode 100644 index 2f9c9ffb8..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Ed25519.v +++ /dev/null @@ -1,690 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha512. - -Require Import Hacspec_Edwards25519. - -Definition scalar_from_hash (h_1978 : sha512_digest_t) : scalar_t := - let s_1979 : big_scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (h_1978)) : big_scalar_t in - nat_mod_from_byte_seq_le (seq_slice (nat_mod_to_byte_seq_le (s_1979)) ( - usize 0) (usize 32)) : scalar_t. - -Definition sign (sk_1980 : secret_key_t) (msg_1981 : byte_seq) : signature_t := - let '(a_1982, prefix_1983) := - secret_expand (sk_1980) in - let a_1984 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (a_1982)) : scalar_t in - let b_1985 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let a_p_1986 : compressed_ed_point_t := - compress (point_mul (a_1984) (b_1985)) in - let r_1987 : scalar_t := - scalar_from_hash (sha512 (array_concat (prefix_1983) (msg_1981))) in - let r_p_1988 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (r_1987) (b_1985) in - let r_s_1989 : compressed_ed_point_t := - compress (r_p_1988) in - let h_1990 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_s_1989) ( - array_to_seq (a_p_1986))) (msg_1981))) in - let s_1991 : scalar_t := - (r_1987) +% ((h_1990) *% (a_1984)) in - let s_bytes_1992 : seq uint8 := - seq_slice (nat_mod_to_byte_seq_le (s_1991)) (usize 0) (usize 32) in - array_update (array_update (array_new_ (default : uint8) (64)) (usize 0) ( - array_to_seq (r_s_1989))) (usize 32) (s_bytes_1992). - -Definition zcash_verify - (pk_1993 : public_key_t) - (signature_1994 : signature_t) - (msg_1995 : byte_seq) - : verify_result_t := - let b_1996 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress_non_canonical (base_v)) in - bind (option_ok_or (decompress_non_canonical (pk_1993)) (InvalidPublickey)) ( - fun a_1997 => let r_bytes_1998 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( - usize 0) (usize 32) in - let s_bytes_1999 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_1994)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1999)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress_non_canonical (r_bytes_1998)) (InvalidR)) ( - fun r_2000 => let s_2001 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1999)) : scalar_t in - let k_2002 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1998) ( - pk_1993)) (msg_1995))) in - let sb_2003 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_2001) (b_1996)) in - let rc_2004 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_2000) in - let ka_2005 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_2002) (a_1997)) in - (if (point_eq (sb_2003) (point_add (rc_2004) (ka_2005))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition ietf_cofactored_verify - (pk_2006 : public_key_t) - (signature_2007 : signature_t) - (msg_2008 : byte_seq) - : verify_result_t := - let b_2009 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_2006)) (InvalidPublickey)) (fun a_2010 => - let r_bytes_2011 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( - usize 0) (usize 32) in - let s_bytes_2012 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2007)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2012)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2011)) (InvalidR)) (fun r_2013 => - let s_2014 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2012)) : scalar_t in - let k_2015 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2011) ( - pk_2006)) (msg_2008))) in - let sb_2016 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_2014) (b_2009)) in - let rc_2017 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_2013) in - let ka_2018 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_2015) (a_2010)) in - (if (point_eq (sb_2016) (point_add (rc_2017) (ka_2018))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition ietf_cofactorless_verify - (pk_2019 : public_key_t) - (signature_2020 : signature_t) - (msg_2021 : byte_seq) - : verify_result_t := - let b_2022 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_2019)) (InvalidPublickey)) (fun a_2023 => - let r_bytes_2024 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( - usize 0) (usize 32) in - let s_bytes_2025 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2020)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2025)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2024)) (InvalidR)) (fun r_2026 => - let s_2027 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2025)) : scalar_t in - let k_2028 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2024) ( - pk_2019)) (msg_2021))) in - let sb_2029 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_2027) (b_2022) in - let ka_2030 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (k_2028) (a_2023) in - (if (point_eq (sb_2029) (point_add (r_2026) (ka_2030))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition is_identity (p_2031 : ed_point_t) : bool := - point_eq (p_2031) (point_identity ). - -Definition alg2_verify - (pk_2032 : public_key_t) - (signature_2033 : signature_t) - (msg_2034 : byte_seq) - : verify_result_t := - let b_2035 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_2032)) (InvalidPublickey)) (fun a_2036 => - ifbnd is_identity (point_mul_by_cofactor (a_2036)) : bool - thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let r_bytes_2037 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( - usize 0) (usize 32) in - let s_bytes_2038 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (signature_2033)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2038)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2037)) (InvalidR)) (fun r_2039 => - let s_2040 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2038)) : scalar_t in - let k_2041 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2037) ( - pk_2032)) (msg_2034))) in - let sb_2042 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_2040) (b_2035)) in - let rc_2043 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_2039) in - let ka_2044 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_2041) (a_2036)) in - (if (point_eq (sb_2042) (point_add (rc_2043) (ka_2044))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature))))))). - -Inductive batch_entry_t := -| BatchEntry : (public_key_t '× byte_seq '× signature_t) -> batch_entry_t. - -Definition zcash_batch_verify - (entries_2045 : seq batch_entry_t) - (entropy_2046 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2046)) <.? ((usize 16) * (seq_len ( - entries_2045))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2047 : scalar_t := - nat_mod_zero in - let r_sum_2048 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2049 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2045)) for ( - s_sum_2047, - r_sum_2048, - a_sum_2049 - ) >> (fun i_2050 '(s_sum_2047, r_sum_2048, a_sum_2049) => - let 'BatchEntry ((pk_2051, msg_2052, signature_2053)) := - (seq_index (entries_2045) (i_2050)) in - bind (option_ok_or (decompress_non_canonical (pk_2051)) ( - InvalidPublickey)) (fun a_2054 => - let r_bytes_2055 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2053)) (usize 0) (usize 32) in - let s_bytes_2056 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2053)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2056)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress_non_canonical (r_bytes_2055)) (InvalidR)) ( - fun r_2057 => let s_2058 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2056)) : scalar_t in - let c_2059 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2055) ( - array_to_seq (pk_2051))) (msg_2052))) in - let z_2060 : seq uint8 := - seq_slice (entropy_2046) ((usize 16) * (i_2050)) (usize 16) in - let z_2061 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2060) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2047 := - (s_sum_2047) +% ((s_2058) *% (z_2061)) in - let r_sum_2048 := - point_add (r_sum_2048) (point_mul (z_2061) (r_2057)) in - let a_sum_2049 := - point_add (a_sum_2049) (point_mul ((z_2061) *% (c_2059)) (a_2054)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2047, r_sum_2048, a_sum_2049))))))) (fun '( - s_sum_2047, - r_sum_2048, - a_sum_2049 - ) => let b_2062 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2063 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2047) (b_2062) in - let check_2064 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_2063)) (point_add ( - r_sum_2048) (a_sum_2049))) in - (if (is_identity (check_2064)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition ietf_cofactored_batch_verify - (entries_2065 : seq batch_entry_t) - (entropy_2066 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2066)) <.? ((usize 16) * (seq_len ( - entries_2065))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2067 : scalar_t := - nat_mod_zero in - let r_sum_2068 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2069 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2065)) for ( - s_sum_2067, - r_sum_2068, - a_sum_2069 - ) >> (fun i_2070 '(s_sum_2067, r_sum_2068, a_sum_2069) => - let 'BatchEntry ((pk_2071, msg_2072, signature_2073)) := - (seq_index (entries_2065) (i_2070)) in - bind (option_ok_or (decompress (pk_2071)) (InvalidPublickey)) (fun a_2074 => - let r_bytes_2075 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2073)) (usize 0) (usize 32) in - let s_bytes_2076 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2073)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2076)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2075)) (InvalidR)) (fun r_2077 => - let s_2078 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2076)) : scalar_t in - let c_2079 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2075) ( - array_to_seq (pk_2071))) (msg_2072))) in - let z_2080 : seq uint8 := - seq_slice (entropy_2066) ((usize 16) * (i_2070)) (usize 16) in - let z_2081 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2080) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2067 := - (s_sum_2067) +% ((s_2078) *% (z_2081)) in - let r_sum_2068 := - point_add (r_sum_2068) (point_mul (z_2081) (r_2077)) in - let a_sum_2069 := - point_add (a_sum_2069) (point_mul ((z_2081) *% (c_2079)) (a_2074)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2067, r_sum_2068, a_sum_2069))))))) (fun '( - s_sum_2067, - r_sum_2068, - a_sum_2069 - ) => let b_2082 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2083 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2067) (b_2082) in - let check_2084 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_2083)) (point_add ( - r_sum_2068) (a_sum_2069))) in - (if (is_identity (check_2084)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition ietf_cofactorless_batch_verify - (entries_2085 : seq batch_entry_t) - (entropy_2086 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2086)) <.? ((usize 16) * (seq_len ( - entries_2085))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2087 : scalar_t := - nat_mod_zero in - let r_sum_2088 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2089 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2085)) for ( - s_sum_2087, - r_sum_2088, - a_sum_2089 - ) >> (fun i_2090 '(s_sum_2087, r_sum_2088, a_sum_2089) => - let 'BatchEntry ((pk_2091, msg_2092, signature_2093)) := - (seq_index (entries_2085) (i_2090)) in - bind (option_ok_or (decompress (pk_2091)) (InvalidPublickey)) (fun a_2094 => - let r_bytes_2095 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2093)) (usize 0) (usize 32) in - let s_bytes_2096 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2093)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2096)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2095)) (InvalidR)) (fun r_2097 => - let s_2098 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2096)) : scalar_t in - let c_2099 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2095) ( - array_to_seq (pk_2091))) (msg_2092))) in - let z_2100 : seq uint8 := - seq_slice (entropy_2086) ((usize 16) * (i_2090)) (usize 16) in - let z_2101 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2100) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2087 := - (s_sum_2087) +% ((s_2098) *% (z_2101)) in - let r_sum_2088 := - point_add (r_sum_2088) (point_mul (z_2101) (r_2097)) in - let a_sum_2089 := - point_add (a_sum_2089) (point_mul ((z_2101) *% (c_2099)) (a_2094)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2087, r_sum_2088, a_sum_2089))))))) (fun '( - s_sum_2087, - r_sum_2088, - a_sum_2089 - ) => let b_2102 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2103 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2087) (b_2102) in - let check_2104 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (point_neg (sb_2103)) (point_add (r_sum_2088) (a_sum_2089)) in - (if (is_identity (check_2104)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition alg3_batch_verify - (entries_2105 : seq batch_entry_t) - (entropy_2106 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_2106)) <.? ((usize 16) * (seq_len ( - entries_2105))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let s_sum_2107 : scalar_t := - nat_mod_zero in - let r_sum_2108 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let a_sum_2109 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_2105)) for ( - s_sum_2107, - r_sum_2108, - a_sum_2109 - ) >> (fun i_2110 '(s_sum_2107, r_sum_2108, a_sum_2109) => - let 'BatchEntry ((pk_2111, msg_2112, signature_2113)) := - (seq_index (entries_2105) (i_2110)) in - bind (option_ok_or (decompress (pk_2111)) (InvalidPublickey)) (fun a_2114 => - ifbnd is_identity (point_mul_by_cofactor (a_2114)) : bool - thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => - @Ok unit error_t (tt))) - else (tt) >> (fun 'tt => - let r_bytes_2115 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2113)) (usize 0) (usize 32) in - let s_bytes_2116 : serialized_scalar_t := - array_from_slice (default : uint8) (32) ( - array_to_seq (signature_2113)) (usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_2116)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => @Ok unit error_t ( - tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_2115)) (InvalidR)) (fun r_2117 => - let s_2118 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_2116)) : scalar_t in - let c_2119 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_2115) ( - array_to_seq (pk_2111))) (msg_2112))) in - let z_2120 : seq uint8 := - seq_slice (entropy_2106) ((usize 16) * (i_2110)) (usize 16) in - let z_2121 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_2120) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_sum_2107 := - (s_sum_2107) +% ((s_2118) *% (z_2121)) in - let r_sum_2108 := - point_add (r_sum_2108) (point_mul (z_2121) (r_2117)) in - let a_sum_2109 := - point_add (a_sum_2109) (point_mul ((z_2121) *% (c_2119)) (a_2114)) in - @Ok ( - scalar_t '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) '× - ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) - ) error_t ((s_sum_2107, r_sum_2108, a_sum_2109)))))))) (fun '( - s_sum_2107, - r_sum_2108, - a_sum_2109 - ) => let b_2122 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_2123 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (s_sum_2107) (b_2122) in - let check_2124 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_2123)) (point_add ( - r_sum_2108) (a_sum_2109))) in - (if (is_identity (check_2124)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Edwards25519.v b/proof-libs/coq/coq/src/Hacspec_Edwards25519.v deleted file mode 100644 index 155089746..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Edwards25519.v +++ /dev/null @@ -1,597 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha512. - -Definition field_canvas_t := nseq (int8) (32). -Definition ed25519_field_element_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. - -Definition big_scalar_canvas_t := nseq (int8) (64). -Definition big_scalar_t := - nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. - -Definition big_integer_canvas_t := nseq (int8) (32). -Definition big_integer_t := - nat_mod 0x8000000000000000000000000000000080000000000000000000000000000000. - -Notation "'ed_point_t'" := (( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t -)) : hacspec_scope. - -Definition compressed_ed_point_t := nseq (uint8) (usize 32). - -Definition serialized_scalar_t := nseq (uint8) (usize 32). - -Definition signature_t := nseq (uint8) (usize 64). - -Notation "'public_key_t'" := (compressed_ed_point_t) : hacspec_scope. - -Notation "'secret_key_t'" := (serialized_scalar_t) : hacspec_scope. - -Inductive error_t := -| InvalidPublickey : error_t -| InvalidSignature : error_t -| InvalidS : error_t -| InvalidR : error_t -| SmallOrderPoint : error_t -| NotEnoughRandomness : error_t. - -Notation "'verify_result_t'" := ((result unit error_t)) : hacspec_scope. - -Definition base_v : compressed_ed_point_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 102) : int8 - ] in l). - -Definition constant_p_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 127) : int8 - ] in l). - -Definition constant_l_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 211) : int8; - secret (@repr WORDSIZE8 245) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 18) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 214) : int8; - secret (@repr WORDSIZE8 156) : int8; - secret (@repr WORDSIZE8 247) : int8; - secret (@repr WORDSIZE8 162) : int8; - secret (@repr WORDSIZE8 222) : int8; - secret (@repr WORDSIZE8 249) : int8; - secret (@repr WORDSIZE8 222) : int8; - secret (@repr WORDSIZE8 20) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 16) : int8 - ] in l). - -Definition constant_p3_8_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 15) : int8 - ] in l). - -Definition constant_p1_4_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 251) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 31) : int8 - ] in l). - -Definition constant_d_v : serialized_scalar_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 163) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 19) : int8; - secret (@repr WORDSIZE8 202) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 117) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 232) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 199) : int8; - secret (@repr WORDSIZE8 140) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 82) : int8 - ] in l). - -Definition is_negative (x_2125 : ed25519_field_element_t) : uint8 := - (if (nat_mod_bit (x_2125) (usize 0)):bool then (secret ( - @repr WORDSIZE8 1) : int8) else (secret (@repr WORDSIZE8 0) : int8)). - -Definition compress (p_2126 : ed_point_t) : compressed_ed_point_t := - let '(x_2127, y_2128, z_2129, _) := - p_2126 in - let z_inv_2130 : ed25519_field_element_t := - nat_mod_inv (z_2129) in - let x_2131 : ed25519_field_element_t := - (x_2127) *% (z_inv_2130) in - let y_2132 : ed25519_field_element_t := - (y_2128) *% (z_inv_2130) in - let s_2133 : byte_seq := - nat_mod_to_byte_seq_le (y_2132) in - let s_2133 := - seq_upd s_2133 (usize 31) ((seq_index (s_2133) (usize 31)) .^ (( - is_negative (x_2131)) shift_left (usize 7))) in - array_from_slice (default : uint8) (32) (s_2133) (usize 0) (usize 32). - -Definition sqrt - (a_2134 : ed25519_field_element_t) - : (option ed25519_field_element_t) := - let p3_8_2135 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_p3_8_v)) : ed25519_field_element_t in - let p1_4_2136 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_p1_4_v)) : ed25519_field_element_t in - let x_c_2137 : ed25519_field_element_t := - nat_mod_pow_self (a_2134) (p3_8_2135) in - let result_2138 : (option ed25519_field_element_t) := - @None ed25519_field_element_t in - let '(result_2138) := - if ((x_c_2137) *% (x_c_2137)) =.? (a_2134):bool then (let result_2138 := - some (x_c_2137) in - (result_2138)) else ((result_2138)) in - let '(result_2138) := - if ((x_c_2137) *% (x_c_2137)) =.? ((nat_mod_zero ) -% (a_2134)):bool then ( - let x_2139 : ed25519_field_element_t := - (nat_mod_pow_self (nat_mod_two ) (p1_4_2136)) *% (x_c_2137) in - let result_2138 := - some (x_2139) in - (result_2138)) else ((result_2138)) in - result_2138. - -Definition check_canonical_point (x_2140 : compressed_ed_point_t) : bool := - let x_2140 := - array_upd x_2140 (usize 31) ((array_index (x_2140) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - let x_2141 : big_integer_t := - nat_mod_from_byte_seq_le (array_to_seq (x_2140)) : big_integer_t in - (x_2141) <.? (nat_mod_from_byte_seq_le ( - array_to_seq (constant_p_v)) : big_integer_t). - -Definition decompress (q_2142 : compressed_ed_point_t) : (option ed_point_t) := - let d_2143 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_d_v)) : ed25519_field_element_t in - let x_s_2144 : uint8 := - ((array_index (q_2142) (usize 31)) .& (secret ( - @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in - let y_s_2145 : compressed_ed_point_t := - q_2142 in - let y_s_2145 := - array_upd y_s_2145 (usize 31) ((array_index (y_s_2145) (usize 31)) .& ( - secret (@repr WORDSIZE8 127) : int8)) in - ifbnd negb (check_canonical_point (y_s_2145)) : bool - thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) - else (tt) >> (fun 'tt => - let y_2146 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (y_s_2145)) : ed25519_field_element_t in - let z_2147 : ed25519_field_element_t := - nat_mod_one in - let yy_2148 : ed25519_field_element_t := - (y_2146) *% (y_2146) in - let u_2149 : ed25519_field_element_t := - (yy_2148) -% (z_2147) in - let v_2150 : ed25519_field_element_t := - ((d_2143) *% (yy_2148)) +% (z_2147) in - let xx_2151 : ed25519_field_element_t := - (u_2149) *% (nat_mod_inv (v_2150)) in - bind (sqrt (xx_2151)) (fun x_2152 => let x_r_2153 : uint8 := - is_negative (x_2152) in - ifbnd ((x_2152) =.? (nat_mod_zero )) && ((uint8_declassify (x_s_2144)) =.? ( - @repr WORDSIZE8 1)) : bool - thenbnd (bind (@None ed_point_t) (fun _ => @Some unit (tt))) - else (tt) >> (fun 'tt => - let '(x_2152) := - if (uint8_declassify (x_r_2153)) !=.? (uint8_declassify ( - x_s_2144)):bool then (let x_2152 := - (nat_mod_zero ) -% (x_2152) in - (x_2152)) else ((x_2152)) in - some ((x_2152, y_2146, z_2147, (x_2152) *% (y_2146)))))). - -Definition decompress_non_canonical - (p_2154 : compressed_ed_point_t) - : (option ed_point_t) := - let d_2155 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_d_v)) : ed25519_field_element_t in - let x_s_2156 : uint8 := - ((array_index (p_2154) (usize 31)) .& (secret ( - @repr WORDSIZE8 128) : int8)) shift_right (usize 7) in - let y_s_2157 : compressed_ed_point_t := - p_2154 in - let y_s_2157 := - array_upd y_s_2157 (usize 31) ((array_index (y_s_2157) (usize 31)) .& ( - secret (@repr WORDSIZE8 127) : int8)) in - let y_2158 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (y_s_2157)) : ed25519_field_element_t in - let z_2159 : ed25519_field_element_t := - nat_mod_one in - let yy_2160 : ed25519_field_element_t := - (y_2158) *% (y_2158) in - let u_2161 : ed25519_field_element_t := - (yy_2160) -% (z_2159) in - let v_2162 : ed25519_field_element_t := - ((d_2155) *% (yy_2160)) +% (z_2159) in - let xx_2163 : ed25519_field_element_t := - (u_2161) *% (nat_mod_inv (v_2162)) in - bind (sqrt (xx_2163)) (fun x_2164 => let x_r_2165 : uint8 := - is_negative (x_2164) in - let '(x_2164) := - if (uint8_declassify (x_r_2165)) !=.? (uint8_declassify ( - x_s_2156)):bool then (let x_2164 := - (nat_mod_zero ) -% (x_2164) in - (x_2164)) else ((x_2164)) in - some ((x_2164, y_2158, z_2159, (x_2164) *% (y_2158)))). - -Definition encode (p_2166 : ed_point_t) : byte_seq := - let '(x_2167, y_2168, z_2169, _) := - p_2166 in - let z_inv_2170 : ed25519_field_element_t := - nat_mod_inv (z_2169) in - let x_2171 : ed25519_field_element_t := - (x_2167) *% (z_inv_2170) in - let y_2172 : ed25519_field_element_t := - (y_2168) *% (z_inv_2170) in - let s_2173 : byte_seq := - nat_mod_to_byte_seq_le (y_2172) in - let s_2173 := - seq_upd s_2173 (usize 31) ((seq_index (s_2173) (usize 31)) .^ (( - is_negative (x_2171)) shift_left (usize 7))) in - s_2173. - -Definition decode (q_s_2174 : byte_seq) : (option ed_point_t) := - let q_2175 : compressed_ed_point_t := - array_from_slice (default : uint8) (32) (q_s_2174) (usize 0) (usize 32) in - decompress (q_2175). - -Definition point_add (p_2176 : ed_point_t) (q_2177 : ed_point_t) : ed_point_t := - let d_c_2178 : ed25519_field_element_t := - nat_mod_from_byte_seq_le ( - array_to_seq (constant_d_v)) : ed25519_field_element_t in - let two_2179 : ed25519_field_element_t := - nat_mod_two in - let '(x1_2180, y1_2181, z1_2182, t1_2183) := - p_2176 in - let '(x2_2184, y2_2185, z2_2186, t2_2187) := - q_2177 in - let a_2188 : ed25519_field_element_t := - ((y1_2181) -% (x1_2180)) *% ((y2_2185) -% (x2_2184)) in - let b_2189 : ed25519_field_element_t := - ((y1_2181) +% (x1_2180)) *% ((y2_2185) +% (x2_2184)) in - let c_2190 : ed25519_field_element_t := - (((t1_2183) *% (two_2179)) *% (d_c_2178)) *% (t2_2187) in - let d_2191 : ed25519_field_element_t := - ((z1_2182) *% (two_2179)) *% (z2_2186) in - let e_2192 : ed25519_field_element_t := - (b_2189) -% (a_2188) in - let f_2193 : ed25519_field_element_t := - (d_2191) -% (c_2190) in - let g_2194 : ed25519_field_element_t := - (d_2191) +% (c_2190) in - let h_2195 : ed25519_field_element_t := - (b_2189) +% (a_2188) in - let x3_2196 : ed25519_field_element_t := - (e_2192) *% (f_2193) in - let y3_2197 : ed25519_field_element_t := - (g_2194) *% (h_2195) in - let t3_2198 : ed25519_field_element_t := - (e_2192) *% (h_2195) in - let z3_2199 : ed25519_field_element_t := - (f_2193) *% (g_2194) in - (x3_2196, y3_2197, z3_2199, t3_2198). - -Definition point_identity : ed_point_t := - (nat_mod_zero , nat_mod_one , nat_mod_one , nat_mod_zero ). - -Definition point_mul (s_2200 : scalar_t) (p_2201 : ed_point_t) : ed_point_t := - let p_2202 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - p_2201 in - let q_2203 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_identity in - let '(p_2202, q_2203) := - foldi (usize 0) (usize 256) (fun i_2204 '(p_2202, q_2203) => - let '(q_2203) := - if nat_mod_bit (s_2200) (i_2204):bool then (let q_2203 := - point_add (q_2203) (p_2202) in - (q_2203)) else ((q_2203)) in - let p_2202 := - point_add (p_2202) (p_2202) in - (p_2202, q_2203)) - (p_2202, q_2203) in - q_2203. - -Definition point_mul_by_cofactor (p_2205 : ed_point_t) : ed_point_t := - let p2_2206 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (p_2205) (p_2205) in - let p4_2207 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (p2_2206) (p2_2206) in - let p8_2208 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (p4_2207) (p4_2207) in - p8_2208. - -Definition point_neg (p_2209 : ed_point_t) : ed_point_t := - let '(x_2210, y_2211, z_2212, t_2213) := - p_2209 in - ((nat_mod_zero ) -% (x_2210), y_2211, z_2212, (nat_mod_zero ) -% (t_2213)). - -Definition point_eq (p_2214 : ed_point_t) (q_2215 : ed_point_t) : bool := - let '(x1_2216, y1_2217, z1_2218, _) := - p_2214 in - let '(x2_2219, y2_2220, z2_2221, _) := - q_2215 in - (((x1_2216) *% (z2_2221)) =.? ((x2_2219) *% (z1_2218))) && (((y1_2217) *% ( - z2_2221)) =.? ((y2_2220) *% (z1_2218))). - -Definition point_normalize (q_2222 : ed_point_t) : ed_point_t := - let '(qx_2223, qy_2224, qz_2225, _) := - q_2222 in - let px_2226 : ed25519_field_element_t := - (qx_2223) *% (nat_mod_inv (qz_2225)) in - let py_2227 : ed25519_field_element_t := - (qy_2224) *% (nat_mod_inv (qz_2225)) in - let pz_2228 : ed25519_field_element_t := - nat_mod_one in - let pt_2229 : ed25519_field_element_t := - (px_2226) *% (py_2227) in - (px_2226, py_2227, pz_2228, pt_2229). - -Definition secret_expand - (sk_2230 : secret_key_t) - : (serialized_scalar_t '× serialized_scalar_t) := - let h_2231 : sha512_digest_t := - sha512 (seq_from_slice (sk_2230) (usize 0) (usize 32)) in - let h_d_2232 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 32) ( - usize 32) in - let s_2233 : serialized_scalar_t := - array_from_slice (default : uint8) (32) (array_to_seq (h_2231)) (usize 0) ( - usize 32) in - let s_2233 := - array_upd s_2233 (usize 0) ((array_index (s_2233) (usize 0)) .& (secret ( - @repr WORDSIZE8 248) : int8)) in - let s_2233 := - array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - let s_2233 := - array_upd s_2233 (usize 31) ((array_index (s_2233) (usize 31)) .| (secret ( - @repr WORDSIZE8 64) : int8)) in - (s_2233, h_d_2232). - -Definition secret_to_public (sk_2234 : secret_key_t) : public_key_t := - let '(s_2235, _) := - secret_expand (sk_2234) in - let base_2236 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let ss_2237 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_2235)) : scalar_t in - let a_2238 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (ss_2237) (base_2236) in - compress (a_2238). - -Definition check_canonical_scalar (s_2239 : serialized_scalar_t) : bool := - (if ((uint8_declassify ((array_index (s_2239) (usize 31)) .& (secret ( - @repr WORDSIZE8 224) : int8))) !=.? ( - @repr WORDSIZE8 0)):bool then (false) else ((nat_mod_from_byte_seq_le ( - array_to_seq (s_2239)) : big_integer_t) <.? ( - nat_mod_from_byte_seq_le ( - array_to_seq (constant_l_v)) : big_integer_t))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Edwards25519_Ecvrf.v b/proof-libs/coq/coq/src/Hacspec_Edwards25519_Ecvrf.v deleted file mode 100644 index 7a3f9305a..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Edwards25519_Ecvrf.v +++ /dev/null @@ -1,349 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Edwards25519. - -Require Import Hacspec_Sha512. - -Require Import Hacspec_Edwards25519_Hash. - -Inductive errorec_t := -| FailedVerify : errorec_t -| MessageTooLarge : errorec_t -| InvalidProof : errorec_t -| InvalidPublicKey : errorec_t -| FailedDecompression : errorec_t -| FailedE2C : errorec_t. - -Notation "'byte_seq_result_t'" := ((result byte_seq errorec_t)) : hacspec_scope. - -Notation "'proof_result_t'" := ((result (ed_point_t '× scalar_t '× scalar_t - ) errorec_t)) : hacspec_scope. - -Notation "'ed_point_result_t'" := (( - result ed_point_t errorec_t)) : hacspec_scope. - -Definition large_mod_canvas_t := nseq (int8) (32). -Definition large_mod_t := - nat_mod 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. - -Definition arr_large_mod_t := nseq (uint64) (usize 4). - -Definition q_v : arr_large_mod_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 9223372036854775807) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551597) : int64 - ] in l). - -Definition c_len_v : uint_size := - usize 16. - -Definition pt_len_v : uint_size := - usize 32. - -Definition q_len_v : uint_size := - usize 32. - -Definition int_byte_t := nseq (uint8) (usize 1). - -Definition zero_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 0) : int8] in l). - -Definition one_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). - -Definition two_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). - -Definition three_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 3) : int8] in l). - -Definition four_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 4) : int8] in l). - -Definition suite_string_v : int_byte_t := - four_v. - -Definition dst_t := nseq (uint8) (usize 39). - -Definition h2c_suite_id_string_v : dst_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 67) : int8; - secret (@repr WORDSIZE8 86) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 70) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 97) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 68) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 95) : int8 - ] in l). - -Definition ecvrf_encode_to_curve_try_and_increment - (encode_to_curve_salt_2457 : byte_seq) - (alpha_2458 : byte_seq) - : ed_point_result_t := - let h_2459 : (option ed_point_t) := - @None ed_point_t in - let x_2460 : ed25519_field_element_t := - nat_mod_zero in - let '(h_2459, x_2460) := - foldi (usize 1) (usize 256) (fun ctr_2461 '(h_2459, x_2460) => - let '(h_2459, x_2460) := - if ((h_2459)) =.? (@None ed_point_t):bool then ( - let ctr_string_2462 : seq uint8 := - seq_slice (nat_mod_to_byte_seq_be (x_2460)) (usize 31) (usize 1) in - let hash_string_2463 : sha512_digest_t := - sha512 (seq_concat (seq_concat (seq_concat (seq_concat ( - array_concat (suite_string_v) (array_to_seq (one_v))) ( - encode_to_curve_salt_2457)) (alpha_2458)) ( - ctr_string_2462)) (array_to_seq (zero_v))) in - let h_2459 := - decompress (array_from_slice (default : uint8) (32) ( - array_to_seq (hash_string_2463)) (usize 0) (usize 32)) in - let x_2460 := - (x_2460) +% (nat_mod_one ) in - (h_2459, x_2460)) else ((h_2459, x_2460)) in - (h_2459, x_2460)) - (h_2459, x_2460) in - bind (option_ok_or (h_2459) (FailedE2C)) (fun h_2464 => - @Ok ed_point_t errorec_t (point_mul_by_cofactor (h_2464))). - -Definition ecvrf_encode_to_curve_h2c_suite - (encode_to_curve_salt_2465 : byte_seq) - (alpha_2466 : byte_seq) - : ed_point_result_t := - let string_to_be_hashed_2467 : seq uint8 := - seq_concat (encode_to_curve_salt_2465) (alpha_2466) in - let dst_2468 : seq uint8 := - array_concat (h2c_suite_id_string_v) (array_to_seq (suite_string_v)) in - let h_2469 : (result ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) error_t) := - ed_encode_to_curve (string_to_be_hashed_2467) (dst_2468) in - bind (option_ok_or (result_ok (h_2469)) (FailedE2C)) (fun h_2470 => - @Ok ed_point_t errorec_t (h_2470)). - -Definition ecvrf_nonce_generation - (sk_2471 : secret_key_t) - (h_string_2472 : byte_seq) - : scalar_t := - let hashed_sk_string_2473 : sha512_digest_t := - sha512 (array_to_le_bytes (sk_2471)) in - let truncated_hashed_sk_string_2474 : seq uint8 := - array_slice (hashed_sk_string_2473) (usize 32) (usize 32) in - let k_string_2475 : sha512_digest_t := - sha512 (seq_concat (truncated_hashed_sk_string_2474) (h_string_2472)) in - let nonce_2476 : big_scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (k_string_2475)) : big_scalar_t in - let nonceseq_2477 : seq uint8 := - seq_slice (nat_mod_to_byte_seq_le (nonce_2476)) (usize 0) (usize 32) in - nat_mod_from_byte_seq_le (nonceseq_2477) : scalar_t. - -Definition ecvrf_challenge_generation - (p1_2478 : ed_point_t) - (p2_2479 : ed_point_t) - (p3_2480 : ed_point_t) - (p4_2481 : ed_point_t) - (p5_2482 : ed_point_t) - : scalar_t := - let string_2483 : seq uint8 := - seq_concat (seq_concat (seq_concat (seq_concat (seq_concat (seq_concat ( - array_concat (suite_string_v) (array_to_seq (two_v))) (encode ( - p1_2478))) (encode (p2_2479))) (encode (p3_2480))) (encode ( - p4_2481))) (encode (p5_2482))) (array_to_seq (zero_v)) in - let c_string_2484 : sha512_digest_t := - sha512 (string_2483) in - let truncated_c_string_2485 : seq uint8 := - seq_concat (array_slice (c_string_2484) (usize 0) (c_len_v)) (seq_new_ ( - default : uint8) (usize 16)) in - nat_mod_from_byte_seq_le (truncated_c_string_2485) : scalar_t. - -Definition ecvrf_decode_proof (pi_2486 : byte_seq) : proof_result_t := - let gamma_string_2487 : seq uint8 := - seq_slice (pi_2486) (usize 0) (pt_len_v) in - let c_string_2488 : seq uint8 := - seq_slice (pi_2486) (pt_len_v) (c_len_v) in - let s_string_2489 : seq uint8 := - seq_slice (pi_2486) ((pt_len_v) + (c_len_v)) (q_len_v) in - bind (option_ok_or (decompress (array_from_slice (default : uint8) (32) ( - gamma_string_2487) (usize 0) (usize 32))) (InvalidProof)) ( - fun gamma_2490 => let c_2491 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (c_string_2488) (seq_new_ ( - default : uint8) (usize 16))) : scalar_t in - let s_2492 : scalar_t := - nat_mod_from_byte_seq_le ((s_string_2489)) : scalar_t in - let s_test_2493 : large_mod_t := - nat_mod_from_byte_seq_le (s_string_2489) : large_mod_t in - let q_2494 : large_mod_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (q_v)) : large_mod_t in - (if ((s_test_2493) >=.? (q_2494)):bool then (@Err ( - ed_point_t '× - scalar_t '× - scalar_t - ) errorec_t (InvalidProof)) else (@Ok ( - ed_point_t '× - scalar_t '× - scalar_t - ) errorec_t ((gamma_2490, c_2491, s_2492))))). - -Definition ecvrf_validate_key - (y_2495 : public_key_t) - : (result unit errorec_t) := - bind (option_ok_or (decompress (y_2495)) (InvalidPublicKey)) (fun y_2496 => - let y_prime_2497 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul_by_cofactor (y_2496) in - (if ((y_prime_2497) =.? (point_identity )):bool then (@Err unit errorec_t ( - InvalidPublicKey)) else (@Ok unit errorec_t (tt)))). - -Definition ecvrf_prove - (sk_2498 : secret_key_t) - (alpha_2499 : byte_seq) - : byte_seq_result_t := - bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2500 => - let '(x_2501, _) := - secret_expand (sk_2498) in - let x_2502 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (x_2501)) : scalar_t in - let y_2503 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (x_2502) (b_2500) in - let pk_2504 : compressed_ed_point_t := - compress (y_2503) in - let encode_to_curve_salt_2505 : seq uint8 := - array_slice (pk_2504) (usize 0) (usize 32) in - bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2505) ( - alpha_2499)) (fun h_2506 => let h_string_2507 : seq uint8 := - encode (h_2506) in - let gamma_2508 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (x_2502) (h_2506) in - let k_2509 : scalar_t := - ecvrf_nonce_generation (sk_2498) (h_string_2507) in - let u_2510 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (k_2509) (b_2500) in - let v_2511 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_mul (k_2509) (h_2506) in - let c_2512 : scalar_t := - ecvrf_challenge_generation (y_2503) (h_2506) (gamma_2508) (u_2510) ( - v_2511) in - let s_2513 : scalar_t := - (k_2509) +% ((c_2512) *% (x_2502)) in - @Ok byte_seq errorec_t (seq_slice (seq_concat (seq_concat (encode ( - gamma_2508)) (seq_slice (nat_mod_to_byte_seq_le (c_2512)) ( - usize 0) (c_len_v))) (seq_slice (nat_mod_to_byte_seq_le ( - s_2513)) (usize 0) (q_len_v))) (usize 0) (((c_len_v) + ( - q_len_v)) + (pt_len_v))))). - -Definition ecvrf_proof_to_hash (pi_2514 : byte_seq) : byte_seq_result_t := - bind (ecvrf_decode_proof (pi_2514)) (fun '(gamma_2515, _, _) => - @Ok byte_seq errorec_t (array_slice (sha512 (seq_concat (seq_concat ( - array_concat (suite_string_v) (array_to_seq (three_v))) (encode ( - point_mul_by_cofactor (gamma_2515)))) ( - array_to_seq (zero_v)))) (usize 0) (usize 64))). - -Definition ecvrf_verify - (pk_2516 : public_key_t) - (alpha_2517 : byte_seq) - (pi_2518 : byte_seq) - (validate_key_2519 : bool) - : byte_seq_result_t := - bind (option_ok_or (decompress (base_v)) (FailedDecompression)) (fun b_2520 => - bind (option_ok_or (decompress (pk_2516)) (InvalidPublicKey)) (fun y_2521 => - ifbnd validate_key_2519 : bool - thenbnd (bind (ecvrf_validate_key (pk_2516)) (fun _ => - @Ok unit errorec_t (tt))) - else (tt) >> (fun 'tt => - bind (ecvrf_decode_proof (pi_2518)) (fun '(gamma_2522, c_2523, s_2524) => - let encode_to_curve_salt_2525 : seq uint8 := - array_slice (pk_2516) (usize 0) (usize 32) in - bind (ecvrf_encode_to_curve_h2c_suite (encode_to_curve_salt_2525) ( - alpha_2517)) (fun h_2526 => let u_2527 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (point_mul (s_2524) (b_2520)) (point_neg (point_mul ( - c_2523) (y_2521))) in - let v_2528 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - point_add (point_mul (s_2524) (h_2526)) (point_neg (point_mul ( - c_2523) (gamma_2522))) in - let c_prime_2529 : scalar_t := - ecvrf_challenge_generation (y_2521) (h_2526) (gamma_2522) (u_2527) ( - v_2528) in - (if ((c_2523) =.? (c_prime_2529)):bool then (ecvrf_proof_to_hash ( - pi_2518)) else (@Err byte_seq errorec_t (FailedVerify)))))))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Edwards25519_Hash.v b/proof-libs/coq/coq/src/Hacspec_Edwards25519_Hash.v deleted file mode 100644 index 0017ba372..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Edwards25519_Hash.v +++ /dev/null @@ -1,504 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Edwards25519. - -Require Import Hacspec_Sha512. - -Definition b_in_bytes_v : uint_size := - usize 64. - -Definition s_in_bytes_v : uint_size := - usize 128. - -Definition l_v : uint_size := - usize 48. - -Definition j_v : int128 := - @repr WORDSIZE128 486662. - -Definition z_v : int128 := - @repr WORDSIZE128 2. - -Definition arr_ed25519_field_element_t := nseq (uint64) (usize 4). - -Definition ed_field_hash_canvas_t := nseq (int8) (64). -Definition ed_field_hash_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Inductive error_t := -| ExpandMessageAbort : error_t. - -Definition eqb_error_t (x y : error_t) : bool := -match x with - | ExpandMessageAbort => match y with | ExpandMessageAbort=> true end - end. - -Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_error_t : EqDec (error_t) := -Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). - - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Notation "'seq_ed_result_t'" := (( - result seq ed25519_field_element_t error_t)) : hacspec_scope. - -Notation "'ed_point_result_t'" := ((result ed_point_t error_t)) : hacspec_scope. - -Definition p_1_2_v : arr_ed25519_field_element_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 4611686018427387903) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551606) : int64 - ] in l). - -Definition p_3_8_v : arr_ed25519_field_element_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1152921504606846975) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551614) : int64 - ] in l). - -Definition p_5_8_v : arr_ed25519_field_element_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1152921504606846975) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551615) : int64; - secret (@repr WORDSIZE64 18446744073709551613) : int64 - ] in l). - -Definition expand_message_xmd - (msg_2290 : byte_seq) - (dst_2291 : byte_seq) - (len_in_bytes_2292 : uint_size) - : byte_seq_result_t := - let ell_2293 : uint_size := - (((len_in_bytes_2292) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in - let result_2294 : (result byte_seq error_t) := - @Err byte_seq error_t (ExpandMessageAbort) in - let '(result_2294) := - if negb ((((ell_2293) >.? (usize 255)) || ((len_in_bytes_2292) >.? ( - usize 65535))) || ((seq_len (dst_2291)) >.? ( - usize 255))):bool then (let dst_prime_2295 : seq uint8 := - seq_push (dst_2291) (uint8_from_usize (seq_len (dst_2291))) in - let z_pad_2296 : seq uint8 := - seq_new_ (default : uint8) (s_in_bytes_v) in - let l_i_b_str_2297 : seq uint8 := - seq_new_ (default : uint8) (usize 2) in - let l_i_b_str_2297 := - seq_upd l_i_b_str_2297 (usize 0) (uint8_from_usize (( - len_in_bytes_2292) / (usize 256))) in - let l_i_b_str_2297 := - seq_upd l_i_b_str_2297 (usize 1) (uint8_from_usize ( - len_in_bytes_2292)) in - let msg_prime_2298 : seq uint8 := - seq_concat (seq_concat (seq_concat (seq_concat (z_pad_2296) ( - msg_2290)) (l_i_b_str_2297)) (seq_new_ (default : uint8) ( - usize 1))) (dst_prime_2295) in - let b_0_2299 : seq uint8 := - seq_from_seq (array_to_seq (hash (msg_prime_2298))) in - let b_i_2300 : seq uint8 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_2299) ( - secret (@repr WORDSIZE8 1) : int8)) (dst_prime_2295)))) in - let uniform_bytes_2301 : seq uint8 := - seq_from_seq (b_i_2300) in - let '(b_i_2300, uniform_bytes_2301) := - foldi (usize 2) ((ell_2293) + (usize 1)) (fun i_2302 '( - b_i_2300, - uniform_bytes_2301 - ) => - let t_2303 : seq uint8 := - seq_from_seq (b_0_2299) in - let b_i_2300 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( - t_2303) seq_xor (b_i_2300)) (uint8_from_usize (i_2302))) ( - dst_prime_2295)))) in - let uniform_bytes_2301 := - seq_concat (uniform_bytes_2301) (b_i_2300) in - (b_i_2300, uniform_bytes_2301)) - (b_i_2300, uniform_bytes_2301) in - let result_2294 := - @Ok byte_seq error_t (seq_truncate (uniform_bytes_2301) ( - len_in_bytes_2292)) in - (result_2294)) else ((result_2294)) in - result_2294. - -Definition ed_hash_to_field - (msg_2304 : byte_seq) - (dst_2305 : byte_seq) - (count_2306 : uint_size) - : seq_ed_result_t := - let len_in_bytes_2307 : uint_size := - (count_2306) * (l_v) in - bind (expand_message_xmd (msg_2304) (dst_2305) (len_in_bytes_2307)) ( - fun uniform_bytes_2308 => let output_2309 : seq ed25519_field_element_t := - seq_new_ (default : ed25519_field_element_t) (count_2306) in - let output_2309 := - foldi (usize 0) (count_2306) (fun i_2310 output_2309 => - let elm_offset_2311 : uint_size := - (l_v) * (i_2310) in - let tv_2312 : seq uint8 := - seq_slice (uniform_bytes_2308) (elm_offset_2311) (l_v) in - let u_i_2313 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_2312) : ed_field_hash_t)) ( - usize 32) (usize 32)) : ed25519_field_element_t in - let output_2309 := - seq_upd output_2309 (i_2310) (u_i_2313) in - (output_2309)) - output_2309 in - @Ok seq ed25519_field_element_t error_t (output_2309)). - -Definition ed_is_square (x_2314 : ed25519_field_element_t) : bool := - let c1_2315 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (array_to_be_bytes ( - p_1_2_v)) : ed25519_field_element_t in - let tv_2316 : ed25519_field_element_t := - nat_mod_pow_self (x_2314) (c1_2315) in - ((tv_2316) =.? (nat_mod_zero )) || ((tv_2316) =.? (nat_mod_one )). - -Definition sgn0_m_eq_1 (x_2317 : ed25519_field_element_t) : bool := - ((x_2317) rem (nat_mod_two )) =.? (nat_mod_one ). - -Definition ed_clear_cofactor (x_2318 : ed_point_t) : ed_point_t := - point_mul_by_cofactor (x_2318). - -Definition cmov - (a_2319 : ed25519_field_element_t) - (b_2320 : ed25519_field_element_t) - (c_2321 : bool) - : ed25519_field_element_t := - (if (c_2321):bool then (b_2320) else (a_2319)). - -Definition xor (a_2322 : bool) (b_2323 : bool) : bool := - (if (a_2322):bool then ((if (b_2323):bool then (false) else (true))) else (( - if (b_2323):bool then (true) else (false)))). - -Definition curve25519_to_edwards25519 (p_2324 : ed_point_t) : ed_point_t := - let '(s_2325, t_2326, _, _) := - point_normalize (p_2324) in - let one_2327 : ed25519_field_element_t := - nat_mod_one in - let zero_2328 : ed25519_field_element_t := - nat_mod_zero in - let tv1_2329 : ed25519_field_element_t := - (s_2325) +% (one_2327) in - let tv2_2330 : ed25519_field_element_t := - (tv1_2329) *% (t_2326) in - let tv2_2331 : ed25519_field_element_t := - nat_mod_inv (tv2_2330) in - let v_2332 : ed25519_field_element_t := - (tv2_2331) *% (tv1_2329) in - let v_2333 : ed25519_field_element_t := - (v_2332) *% (s_2325) in - let w_2334 : ed25519_field_element_t := - (tv2_2331) *% (t_2326) in - let tv1_2335 : ed25519_field_element_t := - (s_2325) -% (one_2327) in - let w_2336 : ed25519_field_element_t := - (w_2334) *% (tv1_2335) in - let e_2337 : bool := - (tv2_2331) =.? (zero_2328) in - let w_2338 : ed25519_field_element_t := - cmov (w_2336) (one_2327) (e_2337) in - let c_2339 : ed25519_field_element_t := - (nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 486664) : ed25519_field_element_t) in - let sq_2340 : (option ed25519_field_element_t) := - sqrt (c_2339) in - let v_2341 : ed25519_field_element_t := - (v_2333) *% (option_unwrap (sq_2340)) in - (v_2341, w_2338, one_2327, (v_2341) *% (w_2338)). - -Definition map_to_curve_elligator2 - (u_2342 : ed25519_field_element_t) - : ed_point_t := - let j_2343 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let z_2344 : ed25519_field_element_t := - nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in - let one_2345 : ed25519_field_element_t := - nat_mod_one in - let zero_2346 : ed25519_field_element_t := - nat_mod_zero in - let x1_2347 : ed25519_field_element_t := - ((zero_2346) -% (j_2343)) *% (nat_mod_inv ((one_2345) +% (((z_2344) *% ( - u_2342)) *% (u_2342)))) in - let '(x1_2347) := - if (x1_2347) =.? (zero_2346):bool then (let x1_2347 := - (zero_2346) -% (j_2343) in - (x1_2347)) else ((x1_2347)) in - let gx1_2348 : ed25519_field_element_t := - ((((x1_2347) *% (x1_2347)) *% (x1_2347)) +% (((j_2343) *% (x1_2347)) *% ( - x1_2347))) +% (x1_2347) in - let x2_2349 : ed25519_field_element_t := - ((zero_2346) -% (x1_2347)) -% (j_2343) in - let gx2_2350 : ed25519_field_element_t := - ((((x2_2349) *% (x2_2349)) *% (x2_2349)) +% ((j_2343) *% ((x2_2349) *% ( - x2_2349)))) +% (x2_2349) in - let x_2351 : ed25519_field_element_t := - zero_2346 in - let y_2352 : ed25519_field_element_t := - zero_2346 in - let '(x_2351, y_2352) := - if ed_is_square (gx1_2348):bool then (let x_2351 := - x1_2347 in - let y_2352 := - option_unwrap (sqrt (gx1_2348)) in - let '(y_2352) := - if negb (sgn0_m_eq_1 (y_2352)):bool then (let y_2352 := - (zero_2346) -% (y_2352) in - (y_2352)) else ((y_2352)) in - (x_2351, y_2352)) else (let x_2351 := - x2_2349 in - let y_2352 := - option_unwrap (sqrt (gx2_2350)) in - let '(y_2352) := - if sgn0_m_eq_1 (y_2352):bool then (let y_2352 := - (zero_2346) -% (y_2352) in - (y_2352)) else ((y_2352)) in - (x_2351, y_2352)) in - let s_2353 : ed25519_field_element_t := - x_2351 in - let t_2354 : ed25519_field_element_t := - y_2352 in - (s_2353, t_2354, one_2345, (s_2353) *% (t_2354)). - -Definition map_to_curve_elligator2_straight - (u_2355 : ed25519_field_element_t) - : ed_point_t := - let j_2356 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let z_2357 : ed25519_field_element_t := - nat_mod_from_literal (_) (z_v) : ed25519_field_element_t in - let one_2358 : ed25519_field_element_t := - nat_mod_one in - let zero_2359 : ed25519_field_element_t := - nat_mod_zero in - let tv1_2360 : ed25519_field_element_t := - (u_2355) *% (u_2355) in - let tv1_2361 : ed25519_field_element_t := - (z_2357) *% (tv1_2360) in - let e1_2362 : bool := - (tv1_2361) =.? ((zero_2359) -% (one_2358)) in - let tv1_2363 : ed25519_field_element_t := - cmov (tv1_2361) (zero_2359) (e1_2362) in - let x1_2364 : ed25519_field_element_t := - (tv1_2363) +% (one_2358) in - let x1_2365 : ed25519_field_element_t := - nat_mod_inv (x1_2364) in - let x1_2366 : ed25519_field_element_t := - ((zero_2359) -% (j_2356)) *% (x1_2365) in - let gx1_2367 : ed25519_field_element_t := - (x1_2366) +% (j_2356) in - let gx1_2368 : ed25519_field_element_t := - (gx1_2367) *% (x1_2366) in - let gx1_2369 : ed25519_field_element_t := - (gx1_2368) +% (one_2358) in - let gx1_2370 : ed25519_field_element_t := - (gx1_2369) *% (x1_2366) in - let x2_2371 : ed25519_field_element_t := - ((zero_2359) -% (x1_2366)) -% (j_2356) in - let gx2_2372 : ed25519_field_element_t := - (tv1_2363) *% (gx1_2370) in - let e2_2373 : bool := - ed_is_square (gx1_2370) in - let x_2374 : ed25519_field_element_t := - cmov (x2_2371) (x1_2366) (e2_2373) in - let y2_2375 : ed25519_field_element_t := - cmov (gx2_2372) (gx1_2370) (e2_2373) in - let y_2376 : ed25519_field_element_t := - option_unwrap (sqrt (y2_2375)) in - let e3_2377 : bool := - sgn0_m_eq_1 (y_2376) in - let y_2378 : ed25519_field_element_t := - cmov (y_2376) ((zero_2359) -% (y_2376)) (xor (e2_2373) (e3_2377)) in - let s_2379 : ed25519_field_element_t := - x_2374 in - let t_2380 : ed25519_field_element_t := - y_2378 in - (s_2379, t_2380, one_2358, (s_2379) *% (t_2380)). - -Definition map_to_curve_elligator2_curve25519 - (u_2381 : ed25519_field_element_t) - : ed_point_t := - let j_2382 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let zero_2383 : ed25519_field_element_t := - nat_mod_zero in - let one_2384 : ed25519_field_element_t := - nat_mod_one in - let two_2385 : ed25519_field_element_t := - nat_mod_two in - let c1_2386 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (array_to_be_bytes ( - p_3_8_v)) : ed25519_field_element_t in - let c2_2387 : ed25519_field_element_t := - nat_mod_pow_self (two_2385) (c1_2386) in - let c3_2388 : ed25519_field_element_t := - option_unwrap (sqrt ((zero_2383) -% (one_2384))) in - let c4_2389 : ed25519_field_element_t := - nat_mod_from_byte_seq_be (array_to_be_bytes ( - p_5_8_v)) : ed25519_field_element_t in - let tv1_2390 : ed25519_field_element_t := - (u_2381) *% (u_2381) in - let tv1_2391 : ed25519_field_element_t := - (two_2385) *% (tv1_2390) in - let xd_2392 : ed25519_field_element_t := - (tv1_2391) +% (one_2384) in - let x1n_2393 : ed25519_field_element_t := - (zero_2383) -% (j_2382) in - let tv2_2394 : ed25519_field_element_t := - (xd_2392) *% (xd_2392) in - let gxd_2395 : ed25519_field_element_t := - (tv2_2394) *% (xd_2392) in - let gx1_2396 : ed25519_field_element_t := - (j_2382) *% (tv1_2391) in - let gx1_2397 : ed25519_field_element_t := - (gx1_2396) *% (x1n_2393) in - let gx1_2398 : ed25519_field_element_t := - (gx1_2397) +% (tv2_2394) in - let gx1_2399 : ed25519_field_element_t := - (gx1_2398) *% (x1n_2393) in - let tv3_2400 : ed25519_field_element_t := - (gxd_2395) *% (gxd_2395) in - let tv2_2401 : ed25519_field_element_t := - (tv3_2400) *% (tv3_2400) in - let tv3_2402 : ed25519_field_element_t := - (tv3_2400) *% (gxd_2395) in - let tv3_2403 : ed25519_field_element_t := - (tv3_2402) *% (gx1_2399) in - let tv2_2404 : ed25519_field_element_t := - (tv2_2401) *% (tv3_2403) in - let y11_2405 : ed25519_field_element_t := - nat_mod_pow_self (tv2_2404) (c4_2389) in - let y11_2406 : ed25519_field_element_t := - (y11_2405) *% (tv3_2403) in - let y12_2407 : ed25519_field_element_t := - (y11_2406) *% (c3_2388) in - let tv2_2408 : ed25519_field_element_t := - (y11_2406) *% (y11_2406) in - let tv2_2409 : ed25519_field_element_t := - (tv2_2408) *% (gxd_2395) in - let e1_2410 : bool := - (tv2_2409) =.? (gx1_2399) in - let y1_2411 : ed25519_field_element_t := - cmov (y12_2407) (y11_2406) (e1_2410) in - let x2n_2412 : ed25519_field_element_t := - (x1n_2393) *% (tv1_2391) in - let y21_2413 : ed25519_field_element_t := - (y11_2406) *% (u_2381) in - let y21_2414 : ed25519_field_element_t := - (y21_2413) *% (c2_2387) in - let y22_2415 : ed25519_field_element_t := - (y21_2414) *% (c3_2388) in - let gx2_2416 : ed25519_field_element_t := - (gx1_2399) *% (tv1_2391) in - let tv2_2417 : ed25519_field_element_t := - (y21_2414) *% (y21_2414) in - let tv2_2418 : ed25519_field_element_t := - (tv2_2417) *% (gxd_2395) in - let e2_2419 : bool := - (tv2_2418) =.? (gx2_2416) in - let y2_2420 : ed25519_field_element_t := - cmov (y22_2415) (y21_2414) (e2_2419) in - let tv2_2421 : ed25519_field_element_t := - (y1_2411) *% (y1_2411) in - let tv2_2422 : ed25519_field_element_t := - (tv2_2421) *% (gxd_2395) in - let e3_2423 : bool := - (tv2_2422) =.? (gx1_2399) in - let xn_2424 : ed25519_field_element_t := - cmov (x2n_2412) (x1n_2393) (e3_2423) in - let y_2425 : ed25519_field_element_t := - cmov (y2_2420) (y1_2411) (e3_2423) in - let e4_2426 : bool := - sgn0_m_eq_1 (y_2425) in - let y_2427 : ed25519_field_element_t := - cmov (y_2425) ((zero_2383) -% (y_2425)) (xor (e3_2423) (e4_2426)) in - (xn_2424, xd_2392, y_2427, one_2384). - -Definition map_to_curve_elligator2_edwards25519 - (u_2428 : ed25519_field_element_t) - : ed_point_t := - let j_2429 : ed25519_field_element_t := - nat_mod_from_literal (_) (j_v) : ed25519_field_element_t in - let zero_2430 : ed25519_field_element_t := - nat_mod_zero in - let one_2431 : ed25519_field_element_t := - nat_mod_one in - let two_2432 : ed25519_field_element_t := - nat_mod_two in - let c1_2433 : ed25519_field_element_t := - option_unwrap (sqrt ((zero_2430) -% ((j_2429) +% (two_2432)))) in - let '(xmn_2434, xmd_2435, ymn_2436, ymd_2437) := - map_to_curve_elligator2_curve25519 (u_2428) in - let xn_2438 : ed25519_field_element_t := - (xmn_2434) *% (ymd_2437) in - let xn_2439 : ed25519_field_element_t := - (xn_2438) *% (c1_2433) in - let xd_2440 : ed25519_field_element_t := - (xmd_2435) *% (ymn_2436) in - let yn_2441 : ed25519_field_element_t := - (xmn_2434) -% (xmd_2435) in - let yd_2442 : ed25519_field_element_t := - (xmn_2434) +% (xmd_2435) in - let tv1_2443 : ed25519_field_element_t := - (xd_2440) *% (yd_2442) in - let e_2444 : bool := - (tv1_2443) =.? (zero_2430) in - let xn_2445 : ed25519_field_element_t := - cmov (xn_2439) (zero_2430) (e_2444) in - let xd_2446 : ed25519_field_element_t := - cmov (xd_2440) (one_2431) (e_2444) in - let yn_2447 : ed25519_field_element_t := - cmov (yn_2441) (one_2431) (e_2444) in - let yd_2448 : ed25519_field_element_t := - cmov (yd_2442) (one_2431) (e_2444) in - let x_2449 : ed25519_field_element_t := - (xn_2445) *% (nat_mod_inv (xd_2446)) in - let y_2450 : ed25519_field_element_t := - (yn_2447) *% (nat_mod_inv (yd_2448)) in - (x_2449, y_2450, one_2431, (x_2449) *% (y_2450)). - -Definition map_to_curve_elligator2_edwards - (u_2451 : ed25519_field_element_t) - : ed_point_t := - let st_2452 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - map_to_curve_elligator2 (u_2451) in - curve25519_to_edwards25519 (st_2452). - -Definition ed_encode_to_curve - (msg_2453 : byte_seq) - (dst_2454 : byte_seq) - : ed_point_result_t := - bind (ed_hash_to_field (msg_2453) (dst_2454) (usize 1)) (fun u_2455 => - let q_2456 : ( - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t '× - ed25519_field_element_t - ) := - map_to_curve_elligator2_edwards (seq_index (u_2455) (usize 0)) in - @Ok ed_point_t error_t (ed_clear_cofactor (q_2456))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Gf128.v b/proof-libs/coq/coq/src/Hacspec_Gf128.v deleted file mode 100644 index c606e1b76..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Gf128.v +++ /dev/null @@ -1,113 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition blocksize_v : uint_size := - usize 16. - -Definition gf128_block_t := nseq (uint8) (blocksize_v). - -Definition gf128_key_t := nseq (uint8) (blocksize_v). - -Definition gf128_tag_t := nseq (uint8) (blocksize_v). - -Notation "'element_t'" := (uint128) : hacspec_scope. - -Definition irred_v : element_t := - secret (@repr WORDSIZE128 299076299051606071403356588563077529600) : int128. - -Definition fadd (x_317 : element_t) (y_318 : element_t) : element_t := - (x_317) .^ (y_318). - -Definition fmul (x_319 : element_t) (y_320 : element_t) : element_t := - let res_321 : element_t := - secret (@repr WORDSIZE128 0) : int128 in - let sh_322 : uint128 := - x_319 in - let '(res_321, sh_322) := - foldi (usize 0) (usize 128) (fun i_323 '(res_321, sh_322) => - let '(res_321) := - if (uint128_declassify ((y_320) .& ((secret ( - @repr WORDSIZE128 1) : int128) shift_left ((usize 127) - ( - i_323))))) !=.? (uint128_declassify (secret ( - @repr WORDSIZE128 0) : int128)):bool then (let res_321 := - (res_321) .^ (sh_322) in - (res_321)) else ((res_321)) in - let '(sh_322) := - if (uint128_declassify ((sh_322) .& (secret ( - @repr WORDSIZE128 1) : int128))) !=.? (uint128_declassify ( - secret (@repr WORDSIZE128 0) : int128)):bool then (let sh_322 := - ((sh_322) shift_right (usize 1)) .^ (irred_v) in - (sh_322)) else (let sh_322 := - (sh_322) shift_right (usize 1) in - (sh_322)) in - (res_321, sh_322)) - (res_321, sh_322) in - res_321. - -Definition encode (block_324 : gf128_block_t) : element_t := - uint128_from_be_bytes (array_from_seq (16) (array_to_seq (block_324))). - -Definition decode (e_325 : element_t) : gf128_block_t := - array_from_seq (blocksize_v) (array_to_seq (uint128_to_be_bytes (e_325))). - -Definition update - (r_326 : element_t) - (block_327 : gf128_block_t) - (acc_328 : element_t) - : element_t := - fmul (fadd (encode (block_327)) (acc_328)) (r_326). - -Definition poly (msg_329 : byte_seq) (r_330 : element_t) : element_t := - let l_331 : uint_size := - seq_len (msg_329) in - let n_blocks_332 : uint_size := - (l_331) / (blocksize_v) in - let rem_333 : uint_size := - (l_331) %% (blocksize_v) in - let acc_334 : uint128 := - secret (@repr WORDSIZE128 0) : int128 in - let acc_334 := - foldi (usize 0) (n_blocks_332) (fun i_335 acc_334 => - let k_336 : uint_size := - (i_335) * (blocksize_v) in - let block_337 : gf128_block_t := - array_new_ (default : uint8) (blocksize_v) in - let block_337 := - array_update_start (block_337) (seq_slice_range (msg_329) (( - k_336, - (k_336) + (blocksize_v) - ))) in - let acc_334 := - update (r_330) (block_337) (acc_334) in - (acc_334)) - acc_334 in - let '(acc_334) := - if (rem_333) !=.? (usize 0):bool then (let k_338 : uint_size := - (n_blocks_332) * (blocksize_v) in - let last_block_339 : gf128_block_t := - array_new_ (default : uint8) (blocksize_v) in - let last_block_339 := - array_update_slice (last_block_339) (usize 0) (msg_329) (k_338) ( - rem_333) in - let acc_334 := - update (r_330) (last_block_339) (acc_334) in - (acc_334)) else ((acc_334)) in - acc_334. - -Definition gmac (text_340 : byte_seq) (k_341 : gf128_key_t) : gf128_tag_t := - let s_342 : gf128_block_t := - array_new_ (default : uint8) (blocksize_v) in - let r_343 : uint128 := - encode (array_from_seq (blocksize_v) (array_to_seq (k_341))) in - let a_344 : uint128 := - poly (text_340) (r_343) in - array_from_seq (blocksize_v) (array_to_seq (decode (fadd (a_344) (encode ( - s_342))))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Gimli.v b/proof-libs/coq/coq/src/Hacspec_Gimli.v deleted file mode 100644 index 9ab5c8d93..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Gimli.v +++ /dev/null @@ -1,406 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition state_t := nseq (uint32) (usize 12). - -Definition state_idx_t := - nat_mod (usize 12). -Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. -Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. - -Definition swap - (s_1127 : state_t) - (i_1128 : state_idx_t) - (j_1129 : state_idx_t) - : state_t := - let tmp_1130 : uint32 := - array_index (s_1127) (i_1128) in - let s_1127 := - array_upd s_1127 (i_1128) (array_index (s_1127) (j_1129)) in - let s_1127 := - array_upd s_1127 (j_1129) (tmp_1130) in - s_1127. - -Definition gimli_round (s_1131 : state_t) (r_1132 : int32) : state_t := - let s_1131 := - foldi (usize 0) (usize 4) (fun col_1133 s_1131 => - let x_1134 : uint32 := - uint32_rotate_left (array_index (s_1131) (col_1133)) (usize 24) in - let y_1135 : uint32 := - uint32_rotate_left (array_index (s_1131) ((col_1133) + (usize 4))) ( - usize 9) in - let z_1136 : uint32 := - array_index (s_1131) ((col_1133) + (usize 8)) in - let s_1131 := - array_upd s_1131 ((col_1133) + (usize 8)) (((x_1134) .^ (( - z_1136) shift_left (usize 1))) .^ (((y_1135) .& ( - z_1136)) shift_left (usize 2))) in - let s_1131 := - array_upd s_1131 ((col_1133) + (usize 4)) (((y_1135) .^ (x_1134)) .^ ((( - x_1134) .| (z_1136)) shift_left (usize 1))) in - let s_1131 := - array_upd s_1131 (col_1133) (((z_1136) .^ (y_1135)) .^ (((x_1134) .& ( - y_1135)) shift_left (usize 3))) in - (s_1131)) - s_1131 in - let '(s_1131) := - if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( - let s_1131 := - swap (s_1131) (usize 0) (usize 1) in - let s_1131 := - swap (s_1131) (usize 2) (usize 3) in - (s_1131)) else ((s_1131)) in - let '(s_1131) := - if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 2):bool then ( - let s_1131 := - swap (s_1131) (usize 0) (usize 2) in - let s_1131 := - swap (s_1131) (usize 1) (usize 3) in - (s_1131)) else ((s_1131)) in - let '(s_1131) := - if ((r_1132) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( - let s_1131 := - array_upd s_1131 (usize 0) ((array_index (s_1131) (usize 0)) .^ (( - secret (@repr WORDSIZE32 2654435584) : int32) .| (secret ( - r_1132) : int32))) in - (s_1131)) else ((s_1131)) in - s_1131. - -Definition gimli (s_1137 : state_t) : state_t := - let s_1137 := - foldi (usize 0) (usize 24) (fun rnd_1138 s_1137 => - let rnd_1139 : int32 := - pub_u32 ((usize 24) - (rnd_1138)) in - let s_1137 := - gimli_round (s_1137) (rnd_1139) in - (s_1137)) - s_1137 in - s_1137. - -Definition block_t := nseq (uint8) (usize 16). - -Definition digest_t := nseq (uint8) (usize 32). - -Definition absorb_block - (input_block_1140 : block_t) - (s_1141 : state_t) - : state_t := - let input_bytes_1142 : seq uint32 := - array_to_le_uint32s (input_block_1140) in - let s_1141 := - array_upd s_1141 (usize 0) ((array_index (s_1141) (usize 0)) .^ (seq_index ( - input_bytes_1142) (usize 0))) in - let s_1141 := - array_upd s_1141 (usize 1) ((array_index (s_1141) (usize 1)) .^ (seq_index ( - input_bytes_1142) (usize 1))) in - let s_1141 := - array_upd s_1141 (usize 2) ((array_index (s_1141) (usize 2)) .^ (seq_index ( - input_bytes_1142) (usize 2))) in - let s_1141 := - array_upd s_1141 (usize 3) ((array_index (s_1141) (usize 3)) .^ (seq_index ( - input_bytes_1142) (usize 3))) in - gimli (s_1141). - -Definition squeeze_block (s_1143 : state_t) : block_t := - let block_1144 : block_t := - array_new_ (default : uint8) (16) in - let block_1144 := - foldi (usize 0) (usize 4) (fun i_1145 block_1144 => - let s_i_1146 : uint32 := - array_index (s_1143) (i_1145) in - let s_i_bytes_1147 : seq uint8 := - uint32_to_le_bytes (s_i_1146) in - let block_1144 := - array_upd block_1144 ((usize 4) * (i_1145)) (seq_index ( - s_i_bytes_1147) (usize 0)) in - let block_1144 := - array_upd block_1144 (((usize 4) * (i_1145)) + (usize 1)) (seq_index ( - s_i_bytes_1147) (usize 1)) in - let block_1144 := - array_upd block_1144 (((usize 4) * (i_1145)) + (usize 2)) (seq_index ( - s_i_bytes_1147) (usize 2)) in - let block_1144 := - array_upd block_1144 (((usize 4) * (i_1145)) + (usize 3)) (seq_index ( - s_i_bytes_1147) (usize 3)) in - (block_1144)) - block_1144 in - block_1144. - -Definition gimli_hash_state - (input_1148 : byte_seq) - (s_1149 : state_t) - : state_t := - let rate_1150 : uint_size := - array_length in - let chunks_1151 : uint_size := - seq_num_exact_chunks (input_1148) (rate_1150) in - let s_1149 := - foldi (usize 0) (chunks_1151) (fun i_1152 s_1149 => - let input_block_1153 : seq uint8 := - seq_get_exact_chunk (input_1148) (rate_1150) (i_1152) in - let full_block_1154 : block_t := - array_from_seq (16) (input_block_1153) in - let s_1149 := - absorb_block (full_block_1154) (s_1149) in - (s_1149)) - s_1149 in - let input_block_1155 : seq uint8 := - seq_get_remainder_chunk (input_1148) (rate_1150) in - let input_block_padded_1156 : block_t := - array_new_ (default : uint8) (16) in - let input_block_padded_1157 : block_t := - array_update_start (input_block_padded_1156) (input_block_1155) in - let input_block_padded_1157 := - array_upd input_block_padded_1157 (seq_len (input_block_1155)) (secret ( - @repr WORDSIZE8 1) : int8) in - let s_1149 := - array_upd s_1149 (usize 11) ((array_index (s_1149) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_1149 := - absorb_block (input_block_padded_1157) (s_1149) in - s_1149. - -Definition gimli_hash (input_bytes_1158 : byte_seq) : digest_t := - let s_1159 : state_t := - array_new_ (default : uint32) (12) in - let s_1160 : state_t := - gimli_hash_state (input_bytes_1158) (s_1159) in - let output_1161 : digest_t := - array_new_ (default : uint8) (32) in - let output_1162 : digest_t := - array_update_start (output_1161) (array_to_seq (squeeze_block (s_1160))) in - let s_1163 : state_t := - gimli (s_1160) in - array_update (output_1162) (array_length ) (array_to_seq (squeeze_block ( - s_1163))). - -Definition nonce_t := nseq (uint8) (usize 16). - -Definition key_t := nseq (uint8) (usize 32). - -Definition tag_t := nseq (uint8) (usize 16). - -Definition process_ad (ad_1164 : byte_seq) (s_1165 : state_t) : state_t := - gimli_hash_state (ad_1164) (s_1165). - -Definition process_msg - (message_1166 : byte_seq) - (s_1167 : state_t) - : (state_t '× byte_seq) := - let ciphertext_1168 : seq uint8 := - seq_new_ (default : uint8) (seq_len (message_1166)) in - let rate_1169 : uint_size := - array_length in - let num_chunks_1170 : uint_size := - seq_num_exact_chunks (message_1166) (rate_1169) in - let '(s_1167, ciphertext_1168) := - foldi (usize 0) (num_chunks_1170) (fun i_1171 '(s_1167, ciphertext_1168) => - let key_block_1172 : block_t := - squeeze_block (s_1167) in - let msg_block_1173 : seq uint8 := - seq_get_exact_chunk (message_1166) (rate_1169) (i_1171) in - let msg_block_1174 : block_t := - array_from_seq (16) (msg_block_1173) in - let ciphertext_1168 := - seq_set_exact_chunk (ciphertext_1168) (rate_1169) (i_1171) ( - array_to_seq ((msg_block_1174) array_xor (key_block_1172))) in - let s_1167 := - absorb_block (msg_block_1174) (s_1167) in - (s_1167, ciphertext_1168)) - (s_1167, ciphertext_1168) in - let key_block_1175 : block_t := - squeeze_block (s_1167) in - let last_block_1176 : seq uint8 := - seq_get_remainder_chunk (message_1166) (rate_1169) in - let block_len_1177 : uint_size := - seq_len (last_block_1176) in - let msg_block_padded_1178 : block_t := - array_new_ (default : uint8) (16) in - let msg_block_padded_1179 : block_t := - array_update_start (msg_block_padded_1178) (last_block_1176) in - let ciphertext_1168 := - seq_set_chunk (ciphertext_1168) (rate_1169) (num_chunks_1170) ( - array_slice_range ((msg_block_padded_1179) array_xor (key_block_1175)) (( - usize 0, - block_len_1177 - ))) in - let msg_block_padded_1179 := - array_upd msg_block_padded_1179 (block_len_1177) ((array_index ( - msg_block_padded_1179) (block_len_1177)) .^ (secret ( - @repr WORDSIZE8 1) : int8)) in - let s_1167 := - array_upd s_1167 (usize 11) ((array_index (s_1167) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_1167 := - absorb_block (msg_block_padded_1179) (s_1167) in - (s_1167, ciphertext_1168). - -Definition process_ct - (ciphertext_1180 : byte_seq) - (s_1181 : state_t) - : (state_t '× byte_seq) := - let message_1182 : seq uint8 := - seq_new_ (default : uint8) (seq_len (ciphertext_1180)) in - let rate_1183 : uint_size := - array_length in - let num_chunks_1184 : uint_size := - seq_num_exact_chunks (ciphertext_1180) (rate_1183) in - let '(s_1181, message_1182) := - foldi (usize 0) (num_chunks_1184) (fun i_1185 '(s_1181, message_1182) => - let key_block_1186 : block_t := - squeeze_block (s_1181) in - let ct_block_1187 : seq uint8 := - seq_get_exact_chunk (ciphertext_1180) (rate_1183) (i_1185) in - let ct_block_1188 : block_t := - array_from_seq (16) (ct_block_1187) in - let msg_block_1189 : block_t := - (ct_block_1188) array_xor (key_block_1186) in - let message_1182 := - seq_set_exact_chunk (message_1182) (rate_1183) (i_1185) (array_to_seq (( - ct_block_1188) array_xor (key_block_1186))) in - let s_1181 := - absorb_block (msg_block_1189) (s_1181) in - (s_1181, message_1182)) - (s_1181, message_1182) in - let key_block_1190 : block_t := - squeeze_block (s_1181) in - let ct_final_1191 : seq uint8 := - seq_get_remainder_chunk (ciphertext_1180) (rate_1183) in - let block_len_1192 : uint_size := - seq_len (ct_final_1191) in - let ct_block_padded_1193 : block_t := - array_new_ (default : uint8) (16) in - let ct_block_padded_1194 : block_t := - array_update_start (ct_block_padded_1193) (ct_final_1191) in - let msg_block_1195 : block_t := - (ct_block_padded_1194) array_xor (key_block_1190) in - let message_1182 := - seq_set_chunk (message_1182) (rate_1183) (num_chunks_1184) ( - array_slice_range (msg_block_1195) ((usize 0, block_len_1192))) in - let msg_block_1196 : block_t := - array_from_slice_range (default : uint8) (16) ( - array_to_seq (msg_block_1195)) ((usize 0, block_len_1192)) in - let msg_block_1196 := - array_upd msg_block_1196 (block_len_1192) ((array_index (msg_block_1196) ( - block_len_1192)) .^ (secret (@repr WORDSIZE8 1) : int8)) in - let s_1181 := - array_upd s_1181 (usize 11) ((array_index (s_1181) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_1181 := - absorb_block (msg_block_1196) (s_1181) in - (s_1181, message_1182). - -Definition nonce_to_u32s (nonce_1197 : nonce_t) : seq uint32 := - let uints_1198 : seq uint32 := - seq_new_ (default : uint32) (usize 4) in - let uints_1198 := - seq_upd uints_1198 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 0, usize 4 - )))) in - let uints_1198 := - seq_upd uints_1198 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 4, usize 8 - )))) in - let uints_1198 := - seq_upd uints_1198 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 8, usize 12 - )))) in - let uints_1198 := - seq_upd uints_1198 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (nonce_1197)) ((usize 12, usize 16 - )))) in - uints_1198. - -Definition key_to_u32s (key_1199 : key_t) : seq uint32 := - let uints_1200 : seq uint32 := - seq_new_ (default : uint32) (usize 8) in - let uints_1200 := - seq_upd uints_1200 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 0, usize 4 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 4, usize 8 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 8, usize 12 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 12, usize 16 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 4) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 16, usize 20 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 5) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 20, usize 24 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 6) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 24, usize 28 - )))) in - let uints_1200 := - seq_upd uints_1200 (usize 7) (uint32_from_le_bytes (array_from_slice_range ( - default : uint8) (4) (array_to_seq (key_1199)) ((usize 28, usize 32 - )))) in - uints_1200. - -Definition gimli_aead_encrypt - (message_1201 : byte_seq) - (ad_1202 : byte_seq) - (nonce_1203 : nonce_t) - (key_1204 : key_t) - : (byte_seq '× tag_t) := - let s_1205 : state_t := - array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1203)) (key_to_u32s ( - key_1204))) in - let s_1206 : state_t := - gimli (s_1205) in - let s_1207 : state_t := - process_ad (ad_1202) (s_1206) in - let '(s_1208, ciphertext_1209) := - process_msg (message_1201) (s_1207) in - let tag_1210 : block_t := - squeeze_block (s_1208) in - let tag_1211 : tag_t := - array_from_seq (16) (array_to_seq (tag_1210)) in - (ciphertext_1209, tag_1211). - -Definition gimli_aead_decrypt - (ciphertext_1212 : byte_seq) - (ad_1213 : byte_seq) - (tag_1214 : tag_t) - (nonce_1215 : nonce_t) - (key_1216 : key_t) - : byte_seq := - let s_1217 : state_t := - array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_1215)) (key_to_u32s ( - key_1216))) in - let s_1218 : state_t := - gimli (s_1217) in - let s_1219 : state_t := - process_ad (ad_1213) (s_1218) in - let '(s_1220, message_1221) := - process_ct (ciphertext_1212) (s_1219) in - let my_tag_1222 : block_t := - squeeze_block (s_1220) in - let my_tag_1223 : tag_t := - array_from_seq (16) (array_to_seq (my_tag_1222)) in - let out_1224 : seq uint8 := - seq_new_ (default : uint8) (usize 0) in - let '(out_1224) := - if array_equal (my_tag_1223) (tag_1214):bool then (let out_1224 := - message_1221 in - (out_1224)) else ((out_1224)) in - out_1224. - diff --git a/proof-libs/coq/coq/src/Hacspec_Hkdf.v b/proof-libs/coq/coq/src/Hacspec_Hkdf.v deleted file mode 100644 index c92018f05..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Hkdf.v +++ /dev/null @@ -1,93 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Hmac. - -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition hash_len_v : uint_size := - (usize 256) / (usize 8). - -Inductive hkdf_error_t := -| InvalidOutputLength : hkdf_error_t. - -Notation "'hkdf_byte_seq_result_t'" := (( - result byte_seq hkdf_error_t)) : hacspec_scope. - -Definition extract (salt_713 : byte_seq) (ikm_714 : byte_seq) : prk_t := - let salt_or_zero_715 : seq uint8 := - seq_new_ (default : uint8) (hash_len_v) in - let '(salt_or_zero_715) := - if (seq_len (salt_713)) >.? (usize 0):bool then (let salt_or_zero_715 := - seq_from_seq (salt_713) in - (salt_or_zero_715)) else ((salt_or_zero_715)) in - array_from_seq (_) (array_to_seq (hmac (salt_or_zero_715) (ikm_714))). - -Definition build_hmac_txt - (t_716 : byte_seq) - (info_717 : byte_seq) - (iteration_718 : uint8) - : byte_seq := - let out_719 : seq uint8 := - seq_new_ (default : uint8) (((seq_len (t_716)) + (seq_len (info_717))) + ( - usize 1)) in - let out_719 := - seq_update (out_719) (usize 0) (t_716) in - let out_719 := - seq_update (out_719) (seq_len (t_716)) (info_717) in - let out_719 := - seq_upd out_719 ((seq_len (t_716)) + (seq_len (info_717))) ( - iteration_718) in - out_719. - -Definition div_ceil (a_720 : uint_size) (b_721 : uint_size) : uint_size := - let q_722 : uint_size := - (a_720) / (b_721) in - let '(q_722) := - if ((a_720) %% (b_721)) !=.? (usize 0):bool then (let q_722 := - (q_722) + (usize 1) in - (q_722)) else ((q_722)) in - q_722. - -Definition check_output_limit - (l_723 : uint_size) - : (result uint_size hkdf_error_t) := - let n_724 : uint_size := - div_ceil (l_723) (hash_len_v) in - (if ((n_724) <=.? (usize 255)):bool then (@Ok uint_size hkdf_error_t ( - n_724)) else (@Err uint_size hkdf_error_t (InvalidOutputLength))). - -Definition expand - (prk_725 : byte_seq) - (info_726 : byte_seq) - (l_727 : uint_size) - : hkdf_byte_seq_result_t := - bind (check_output_limit (l_727)) (fun n_728 => let t_i_729 : prk_t := - array_new_ (default : uint8) (_) in - let t_730 : seq uint8 := - seq_new_ (default : uint8) ((n_728) * (hash_size_v)) in - let '(t_i_729, t_730) := - foldi (usize 0) (n_728) (fun i_731 '(t_i_729, t_730) => - let hmac_txt_in_732 : seq uint8 := - (if ((i_731) =.? (usize 0)):bool then (build_hmac_txt (seq_new_ ( - default : uint8) (usize 0)) (info_726) (secret ((pub_u8 ( - i_731)) .+ (@repr WORDSIZE8 1)) : int8)) else ( - build_hmac_txt (seq_from_seq (array_to_seq (t_i_729))) ( - info_726) (secret ((pub_u8 (i_731)) .+ ( - @repr WORDSIZE8 1)) : int8))) in - let t_i_729 := - hmac (prk_725) (hmac_txt_in_732) in - let t_730 := - seq_update (t_730) ((i_731) * (array_len (t_i_729))) ( - array_to_seq (t_i_729)) in - (t_i_729, t_730)) - (t_i_729, t_730) in - @Ok byte_seq hkdf_error_t (seq_slice (t_730) (usize 0) (l_727))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Hmac.v b/proof-libs/coq/coq/src/Hacspec_Hmac.v deleted file mode 100644 index 3c50a5a70..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Hmac.v +++ /dev/null @@ -1,178 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition block_len_v : uint_size := - k_size_v. - -Definition prk_t := nseq (uint8) (hash_size_v). - -Definition block_t := nseq (uint8) (block_len_v). - -Definition i_pad_v : block_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8 - ] in l). - -Definition o_pad_v : block_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8 - ] in l). - -Definition k_block (k_733 : byte_seq) : block_t := - (if ((seq_len (k_733)) >.? (block_len_v)):bool then (array_update_start ( - array_new_ (default : uint8) (block_len_v)) (array_to_seq (hash ( - k_733)))) else (array_update_start (array_new_ (default : uint8) ( - block_len_v)) (k_733))). - -Definition hmac (k_734 : byte_seq) (txt_735 : byte_seq) : prk_t := - let k_block_736 : block_t := - k_block (k_734) in - let h_in_737 : seq uint8 := - seq_from_seq (array_to_seq ((k_block_736) array_xor (i_pad_v))) in - let h_in_737 := - seq_concat (h_in_737) (txt_735) in - let h_inner_738 : sha256_digest_t := - hash (h_in_737) in - let h_in_739 : seq uint8 := - seq_from_seq (array_to_seq ((k_block_736) array_xor (o_pad_v))) in - let h_in_739 := - seq_concat (h_in_739) (array_to_seq (h_inner_738)) in - array_from_seq (hash_size_v) (array_to_seq (hash (h_in_739))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Lib.v b/proof-libs/coq/coq/src/Hacspec_Lib.v deleted file mode 100644 index db9798fa4..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Lib.v +++ /dev/null @@ -1,1783 +0,0 @@ -Global Set Warnings "-ambiguous-paths". -Global Set Warnings "-uniform-inheritance". -Global Set Warnings "-auto-template". -Global Set Warnings "-disj-pattern-notation". -(*** Integers *) -From Coq Require Import ZArith List. -Import ListNotations. -(* Require Import IntTypes. *) - -Require Import MachineIntegers. -From Coqprime Require GZnZ. - -Require Import Lia. - -Declare Scope hacspec_scope. - -Axiom secret : forall {WS : WORDSIZE}, (@int WS) -> (@int WS). - -Axiom uint8_declassify : int8 -> int8. -Axiom int8_declassify : int8 -> int8. -Axiom uint16_declassify : int16 -> int16. -Axiom int16_declassify : int16 -> int16. -Axiom uint32_declassify : int32 -> int32. -Axiom int32_declassify : int32 -> int32. -Axiom uint64_declassify : int64 -> int64. -Axiom int64_declassify : int64 -> int64. -Axiom uint128_declassify : int128 -> int128. -Axiom int128_declassify : int128 -> int128. - -Axiom uint8_classify : int8 -> int8. -Axiom int8_classify : int8 -> int8. -Axiom uint16_classify : int16 -> int16. -Axiom int16_classify : int16 -> int16. -Axiom uint32_classify : int32 -> int32. -Axiom int32_classify : int32 -> int32. -Axiom uint64_classify : int64 -> int64. -Axiom int64_classify : int64 -> int64. -Axiom uint128_classify : int128 -> int128. -Axiom int128_classify : int128 -> int128. - - -(* CompCert integers' signedness is only interpreted through 'signed' and 'unsigned', - and not in the representation. Therefore, uints are just names for their respective ints. -*) -Definition uint8 := int8. -Definition uint16 := int16. -Definition uint32 := int32. -Definition uint64 := int64. -Definition uint128 := int128. - -Definition uint_size := int32. -Definition int_size := int32. - -Axiom declassify_usize_from_uint8 : uint8 -> uint_size. - -(* Represents any type that can be converted to uint_size and back *) -Class UInt_sizable (A : Type) := { - usize : A -> uint_size; - from_uint_size : uint_size -> A; -}. -Arguments usize {_} {_}. -Arguments from_uint_size {_} {_}. - -Global Instance nat_uint_sizable : UInt_sizable nat := { - usize n := repr (Z.of_nat n); - from_uint_size n := Z.to_nat (unsigned n); -}. - -Global Instance N_uint_sizable : UInt_sizable N := { - usize n := repr (Z.of_N n); - from_uint_size n := Z.to_N (unsigned n); -}. - -Global Instance Z_uint_sizable : UInt_sizable Z := { - usize n := repr n; - from_uint_size n := unsigned n; -}. - - -(* Same, but for int_size *) -Class Int_sizable (A : Type) := { - isize : A -> int_size; - from_int_size : int_size -> A; -}. - -Arguments isize {_} {_}. -Arguments from_int_size {_} {_}. - -Global Instance nat_Int_sizable : Int_sizable nat := { - isize n := repr (Z.of_nat n); - from_int_size n := Z.to_nat (signed n); -}. - -Global Instance N_Int_sizable : Int_sizable N := { - isize n := repr (Z.of_N n); - from_int_size n := Z.to_N (signed n); -}. - -Global Instance Z_Int_sizable : Int_sizable Z := { - isize n := repr n; - from_int_size n := signed n; -}. - - -(**** Public integers *) - -Definition pub_u8 (n : Z) : int8 := repr n. -Definition pub_i8 (n : Z) : int8 := repr n. -Definition pub_u16 (n : Z) : int16 := repr n. -Definition pub_i16 (n : Z) : int16 := repr n. -Definition pub_u32 (n : Z) : int32 := repr n. -Definition pub_i32 (n : Z) : int32 := repr n. -Definition pub_u64 (n : Z) : int64 := repr n. -Definition pub_i64 (n : Z) : int64 := repr n. -Definition pub_u128 (n : Z) : int128 := repr n. -Definition pub_i128 (n : Z) : int128 := repr n. - -(**** Operations *) - -(* Should maybe use size of s instead? *) -Definition uint8_rotate_left (u: int8) (s: int8) : int8 := rol u s. -Definition uint8_rotate_right (u: int8) (s: int8) : int8 := ror u s. - -Definition uint16_rotate_left (u: int16) (s: int16) : int16 := rol u s. -Definition uint16_rotate_right (u: int16) (s: int16) : int16 := ror u s. - -Definition uint32_rotate_left (u: int32) (s: int32) : int32 := rol u s. -Definition uint32_rotate_right (u: int32) (s: int32) : int32 := ror u s. - -Definition uint64_rotate_left (u: int64) (s: int64) : int64 := rol u s. -Definition uint64_rotate_right (u: int64) (s: int64) : int64 := ror u s. - -Definition uint128_rotate_left (u: int128) (s: int128) : int128 := rol u s. -Definition uint128_rotate_right (u: int128) (s: int128) : int128 := ror u s. - -(* should use size u instead of u? *) -Definition usize_shift_right (u: uint_size) (s: int32) : uint_size := ror u s. -Infix "usize_shift_right" := (usize_shift_right) (at level 77) : hacspec_scope. - -(* should use size u instead of u? *) -Definition usize_shift_left (u: uint_size) (s: int32) : uint_size := rol u s. -Infix "usize_shift_left" := (usize_shift_left) (at level 77) : hacspec_scope. - -Definition pub_uint128_wrapping_add (x y: int128) : int128 := add x y. - -Definition shift_left_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := - MachineIntegers.shl i (repr (from_uint_size j)). - -Definition shift_right_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := - MachineIntegers.shr i (repr (from_uint_size j)) . - -Infix "shift_left" := (shift_left_) (at level 77) : hacspec_scope. -Infix "shift_right" := (shift_right_) (at level 77) : hacspec_scope. - -Infix "%%" := Z.rem (at level 40, left associativity) : Z_scope. -Infix ".+" := (MachineIntegers.add) (at level 77) : hacspec_scope. -Infix ".-" := (MachineIntegers.sub) (at level 77) : hacspec_scope. -Notation "-" := (MachineIntegers.neg) (at level 77) : hacspec_scope. -Infix ".*" := (MachineIntegers.mul) (at level 77) : hacspec_scope. -Infix "./" := (MachineIntegers.divs) (at level 77) : hacspec_scope. -Infix ".%" := (MachineIntegers.mods) (at level 77) : hacspec_scope. -Infix ".^" := (MachineIntegers.xor) (at level 77) : hacspec_scope. -Infix ".&" := (MachineIntegers.and) (at level 77) : hacspec_scope. -Infix ".|" := (MachineIntegers.or) (at level 77) : hacspec_scope. -Infix "==" := (MachineIntegers.eq) (at level 32) : hacspec_scope. -(* Definition one := (@one WORDSIZE32). *) -(* Definition zero := (@zero WORDSIZE32). *) -Notation "A × B" := (prod A B) (at level 79, left associativity) : hacspec_scope. - -(*** Positive util *) - -Fixpoint binary_representation_pre (n : nat) {struct n}: positive := - match n with - | O => 1 - | S O => 1 - | S n => Pos.succ (binary_representation_pre n) - end%positive. -Definition binary_representation (n : nat) `(n <> O) := binary_representation_pre n. - -Theorem positive_is_succs : forall n, forall (H : n <> O) (K : S n <> O), - @binary_representation (S n) K = Pos.succ (@binary_representation n H). -Proof. induction n ; [contradiction | reflexivity]. Qed. - -(* Conversion of positive to binary representation *) -Theorem positive_to_positive_succs : forall p, binary_representation (Pos.to_nat p) (Nat.neq_sym _ _ (Nat.lt_neq _ _ (Pos2Nat.is_pos p))) = p. -Proof. - intros p. - generalize dependent (Nat.neq_sym 0 (Pos.to_nat p) (Nat.lt_neq 0 (Pos.to_nat p) (Pos2Nat.is_pos p))). - - destruct Pos.to_nat eqn:ptno. - - contradiction. - - generalize dependent p. - induction n ; intros. - + cbn. - apply Pos2Nat.inj. - symmetry. - apply ptno. - + rewrite positive_is_succs with (H := Nat.neq_succ_0 n). - rewrite IHn with (p := Pos.of_nat (S n)). - * rewrite <- Nat2Pos.inj_succ by apply Nat.neq_succ_0. - rewrite <- ptno. - apply Pos2Nat.id. - * apply Nat2Pos.id. - apply Nat.neq_succ_0. -Qed. - -(*** Uint size util *) - -(* If a natural number is in bound then a smaller natural number is still in bound *) -Lemma range_of_nat_succ : - forall {WS : WORDSIZE}, - forall i, (Z.pred 0 < Z.of_nat (S i) < modulus)%Z -> (Z.pred 0 < Z.of_nat i < modulus)%Z. -Proof. lia. Qed. - -(* Conversion to equivalent bound *) -Lemma modulus_range_helper : - forall {WS : WORDSIZE}, - forall i, (Z.pred 0 < i < modulus)%Z -> (0 <= i <= max_unsigned)%Z. -Proof. unfold max_unsigned. lia. Qed. - -Definition unsigned_repr_alt {WS : WORDSIZE} (a : Z) `((Z.pred 0 < a < modulus)%Z) : unsigned (repr a) = a := - unsigned_repr a (modulus_range_helper a H). - -Theorem zero_always_modulus {WS : WORDSIZE} : (Z.pred 0 < 0 < modulus)%Z. -Proof. easy. Qed. - -(* any uint_size can be represented as a natural number and a bound *) -(* this is easier for proofs, however less efficient for computation *) -(* as Z uses a binary representation *) -Theorem uint_size_as_nat : - forall (us: uint_size), - { n : nat | - us = repr (Z.of_nat n) /\ (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z}. -Proof. - destruct us. - exists (Z.to_nat intval). - rewrite Z2Nat.id by (apply Z.lt_pred_le ; apply intrange). - - split. - - apply mkint_eq. - rewrite Z_mod_modulus_eq. - rewrite Z.mod_small. - + reflexivity. - + lia. - - apply intrange. -Qed. - -(* destruct uint_size as you would a natural number *) -Definition destruct_uint_size_as_nat (a : uint_size) : forall (P : uint_size -> Prop), - forall (zero_case : P (repr 0)), - forall (succ_case : forall (n : nat), (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z -> P (repr (Z.of_nat n))), - P a. -Proof. - intros. - destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. - destruct n. - - apply zero_case. - - apply succ_case. - apply yb. -Qed. - -Ltac destruct_uint_size_as_nat a := - generalize dependent a ; - intros a ; - apply (destruct_uint_size_as_nat a) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let H := fresh in intros n H ; pose proof (@unsigned_repr_alt WORDSIZE32 _ H)] ; intros. - -(* induction for uint_size as you would do for a natural number *) -Definition induction_uint_size_as_nat : - forall (P : uint_size -> Prop), - (P (repr 0)) -> - (forall n, - (Z.pred 0 < Z.succ (Z.of_nat n) < @modulus WORDSIZE32)%Z -> - P (repr (Z.of_nat n)) -> - P (repr (Z.succ (Z.of_nat n)))) -> - forall (a : uint_size), P a. -Proof. - intros P H_zero H_ind a. - destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. - induction n. - - apply H_zero. - - rewrite Nat2Z.inj_succ. - apply H_ind. - + rewrite <- Nat2Z.inj_succ. - apply yb. - + apply IHn. - lia. -Qed. - -Ltac induction_uint_size_as_nat var := - generalize dependent var ; - intros var ; - apply induction_uint_size_as_nat with (a := var) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let IH := fresh in intros n IH ; pose proof (@unsigned_repr_alt WORDSIZE32 _ IH)] ; intros. - -(* conversion of usize to positive or zero and the respective bound *) -Theorem uint_size_as_positive : - forall (us: uint_size), - { pu : unit + positive | - match pu with inl u => us = repr Z0 | inr p => us = repr (Z.pos p) /\ (Z.pred 0 < Z.pos p < @modulus WORDSIZE32)%Z end - }. -Proof. - destruct us. - destruct intval. - - exists (inl tt). apply mkint_eq. reflexivity. - - exists (inr p). - split. - + apply mkint_eq. - rewrite Z_mod_modulus_eq. - symmetry. - apply Zmod_small. - lia. - + apply intrange. - - exfalso. - lia. -Defined. - -(* destruction of uint_size as positive *) -Definition destruct_uint_size_as_positive (a : uint_size) : forall (P : uint_size -> Prop), - (P (repr 0)) -> - (forall b, (Z.pred 0 < Z.pos b < @modulus WORDSIZE32)%Z -> P (repr (Z.pos b))) -> - P a. -Proof. - intros P H_zero H_succ. - destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. - - apply H_zero. - - apply H_succ. - apply yb. -Qed. - -Ltac destruct_uint_size_as_positive a := - generalize dependent a ; - intros a ; - apply (destruct_uint_size_as_positive a) ; intros. - -(* induction of uint_size as positive *) -Definition induction_uint_size_as_positive : - forall (P : uint_size -> Prop), - (P (repr 0)) -> - (P (repr 1)) -> - (forall b, - (Z.pred 0 < Z.succ (Z.pos b) < @modulus WORDSIZE32)%Z -> - P (repr (Z.pos b)) -> - P (repr (Z.succ (Z.pos b)))) -> - forall (a : uint_size), P a. -Proof. - intros P H_zero H_one H_ind a. - - destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. - - apply H_zero. - - pose proof (pos_succ_b := positive_to_positive_succs b) - ; symmetry in pos_succ_b - ; rewrite pos_succ_b in * - ; clear pos_succ_b. - - generalize dependent (Nat.neq_sym 0 (Pos.to_nat b) (Nat.lt_neq 0 (Pos.to_nat b) (Pos2Nat.is_pos b))). - - induction (Pos.to_nat b). - + contradiction. - + intros n_neq yb. - destruct n. - * apply H_one. - * rewrite (positive_is_succs _ (Nat.neq_succ_0 n) n_neq) in *. - rewrite Pos2Z.inj_succ in *. - apply H_ind. - -- apply yb. - -- apply IHn. - lia. -Qed. - -Ltac induction_uint_size_as_positive var := - generalize dependent var ; - intros var ; - apply induction_uint_size_as_positive with (a := var) ; intros ; [ | | ]. - -(*** Loops *) - -Open Scope nat_scope. -Fixpoint foldi_ - {acc : Type} - (fuel : nat) - (i : uint_size) - (f : uint_size -> acc -> acc) - (cur : acc) : acc := - match fuel with - | 0 => cur - | S n' => foldi_ n' (add i one) f (f i cur) - end. -Close Scope nat_scope. -Definition foldi - {acc: Type} - (lo: uint_size) - (hi: uint_size) (* {lo <= hi} *) - (f: (uint_size) -> acc -> acc) (* {i < hi} *) - (init: acc) : acc := - match Z.sub (unsigned hi) (unsigned lo) with - | Z0 => init - | Zneg p => init - | Zpos p => foldi_ (Pos.to_nat p) lo f init - end. - -(* Fold done using natural numbers for bounds *) -Fixpoint foldi_nat_ - {acc : Type} - (fuel : nat) - (i : nat) - (f : nat -> acc -> acc) - (cur : acc) : acc := - match fuel with - | O => cur - | S n' => foldi_nat_ n' (S i) f (f i cur) - end. -Definition foldi_nat - {acc: Type} - (lo: nat) - (hi: nat) (* {lo <= hi} *) - (f: nat -> acc -> acc) (* {i < hi} *) - (init: acc) : acc := - match Nat.sub hi lo with - | O => init - | S n' => foldi_nat_ (S n') lo f init - end. - -Lemma foldi__move_S : - forall {acc: Type} - (fuel : nat) - (i : uint_size) - (f : uint_size -> acc -> acc) - (cur : acc), - foldi_ fuel (add i one) f (f i cur) = foldi_ (S fuel) i f cur. -Proof. reflexivity. Qed. - -Lemma foldi__nat_move_S : - forall {acc: Type} - (fuel : nat) - (i : nat) - (f : nat -> acc -> acc) - (cur : acc), - foldi_nat_ fuel (S i) f (f i cur) = foldi_nat_ (S fuel) i f cur. -Proof. reflexivity. Qed. - -(* You can do one iteration of the fold by burning a unit of fuel *) -Lemma foldi__move_S_fuel : - forall {acc: Type} - (fuel : nat) - (i : uint_size) - (f : uint_size -> acc -> acc) - (cur : acc), - (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> - f (add (repr (Z.of_nat fuel)) i) (foldi_ (fuel) i f cur) = foldi_ (S (fuel)) i f cur. -Proof. - intros acc fuel. - induction fuel ; intros. - - cbn. - replace (repr 0) with (@zero WORDSIZE32) by reflexivity. - rewrite add_zero_l. - reflexivity. - - do 2 rewrite <- foldi__move_S. - replace (add (repr (Z.of_nat (S fuel))) i) - with (add (repr (Z.of_nat fuel)) (add i one)). - 2 : { - rewrite <- (add_commut one). - rewrite <- add_assoc. - f_equal. - unfold add. - f_equal. - rewrite unsigned_one. - rewrite Z.add_1_r. - rewrite Nat2Z.inj_succ. - f_equal. - apply unsigned_repr. - lia. - } - rewrite IHfuel. - reflexivity. - lia. -Qed. - -(* You can do one iteration of the fold by burning a unit of fuel *) -Lemma foldi__nat_move_S_fuel : - forall {acc: Type} - (fuel : nat) - (i : nat) - (f : nat -> acc -> acc) - (cur : acc), - (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> - f (fuel + i)%nat (foldi_nat_ fuel i f cur) = foldi_nat_ (S fuel) i f cur. -Proof. - induction fuel ; intros. - - reflexivity. - - do 2 rewrite <- foldi__nat_move_S. - replace (S fuel + i)%nat with (fuel + (S i))%nat by (symmetry ; apply plus_Snm_nSm). - rewrite IHfuel. - + reflexivity. - + lia. -Qed. - -(* folds and natural number folds compute the same thing *) -Lemma foldi_to_foldi_nat : - forall {acc: Type} - (lo: uint_size) (* {lo <= hi} *) - (hi: uint_size) (* {lo <= hi} *) - (f: (uint_size) -> acc -> acc) (* {i < hi} *) - (init: acc), - (unsigned lo <= unsigned hi)%Z -> - foldi lo hi f init = foldi_nat (Z.to_nat (unsigned lo)) (Z.to_nat (unsigned hi)) (fun x => f (repr (Z.of_nat x))) init. -Proof. - intros. - - unfold foldi. - unfold foldi_nat. - - destruct (uint_size_as_nat hi) as [ hi_n [ hi_eq hi_H ] ] ; subst. - rewrite (@unsigned_repr_alt WORDSIZE32 _ hi_H) in *. - rewrite Nat2Z.id. - - destruct (uint_size_as_nat lo) as [ lo_n [ lo_eq lo_H ] ] ; subst. - rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. - rewrite Nat2Z.id. - - remember (hi_n - lo_n)%nat as n. - apply f_equal with (f := Z.of_nat) in Heqn. - rewrite (Nat2Z.inj_sub) in Heqn by (apply Nat2Z.inj_le ; apply H). - rewrite <- Heqn. - - assert (H_bound : (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z) by lia. - - clear Heqn. - induction n. - - reflexivity. - - pose proof (H_max_bound := modulus_range_helper _ (range_of_nat_succ _ H_bound)). - rewrite <- foldi__nat_move_S_fuel by apply H_max_bound. - cbn. - rewrite SuccNat2Pos.id_succ. - rewrite <- foldi__move_S_fuel by apply H_max_bound. - - destruct n. - + cbn. - replace (repr 0) with (@zero WORDSIZE32) by reflexivity. - rewrite add_zero_l. - reflexivity. - + cbn in *. - assert (H_bound_pred: (Z.pred 0 < Z.pos (Pos.of_succ_nat n) < @modulus WORDSIZE32)%Z) by lia. - rewrite <- (IHn H_bound_pred) ; clear IHn. - f_equal. - * unfold add. - f_equal. - rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. - rewrite (unsigned_repr_alt _ H_bound_pred). - do 2 rewrite Zpos_P_of_succ_nat. - rewrite Z.add_succ_l. - f_equal. - rewrite Nat2Z.inj_add. - reflexivity. - * rewrite SuccNat2Pos.id_succ. - rewrite foldi__move_S. - reflexivity. -Qed. - -(* folds can be computed by doing one iteration and incrementing the lower bound *) -Lemma foldi_nat_split_S : - forall {acc: Type} - (lo: nat) - (hi: nat) (* {lo <= hi} *) - (f: nat -> acc -> acc) (* {i < hi} *) - (init: acc), - (lo < hi)%nat -> - foldi_nat lo hi f init = foldi_nat (S lo) hi f (foldi_nat lo (S lo) f init). -Proof. - unfold foldi_nat. - intros. - - assert (succ_sub_diag : forall n, (S n - n = 1)%nat) by lia. - rewrite (succ_sub_diag lo). - - induction hi ; [ lia | ]. - destruct (S hi =? S lo)%nat eqn:hi_eq_lo. - - apply Nat.eqb_eq in hi_eq_lo ; rewrite hi_eq_lo in *. - rewrite (succ_sub_diag lo). - rewrite Nat.sub_diag. - reflexivity. - - apply Nat.eqb_neq in hi_eq_lo. - apply Nat.lt_gt_cases in hi_eq_lo. - destruct hi_eq_lo. - + lia. - + rewrite (Nat.sub_succ_l (S lo)) by apply (Nat.lt_le_pred _ _ H0). - rewrite Nat.sub_succ_l by apply (Nat.lt_le_pred _ _ H). - replace ((S (hi - S lo))) with (hi - lo)%nat by lia. - reflexivity. -Qed. - -(* folds can be split at some valid offset from lower bound *) -Lemma foldi_nat_split_add : - forall (k : nat), - forall {acc: Type} - (lo: nat) - (hi: nat) (* {lo <= hi} *) - (f: nat -> acc -> acc) (* {i < hi} *) - (init: acc), - forall {guarantee: (lo + k <= hi)%nat}, - foldi_nat lo hi f init = foldi_nat (k + lo) hi f (foldi_nat lo (k + lo) f init). -Proof. - induction k ; intros. - - cbn. - unfold foldi_nat. - rewrite Nat.sub_diag. - reflexivity. - - rewrite foldi_nat_split_S by lia. - replace (S k + lo)%nat with (k + S lo)%nat by lia. - specialize (IHk acc (S lo) hi f (foldi_nat lo (S lo) f init)). - rewrite IHk by lia. - f_equal. - rewrite <- foldi_nat_split_S by lia. - reflexivity. -Qed. - -(* folds can be split at some midpoint *) -Lemma foldi_nat_split : - forall (mid : nat), (* {lo <= mid <= hi} *) - forall {acc: Type} - (lo: nat) - (hi: nat) (* {lo <= hi} *) - (f: nat -> acc -> acc) (* {i < hi} *) - (init: acc), - forall {guarantee: (lo <= mid <= hi)%nat}, - foldi_nat lo hi f init = foldi_nat mid hi f (foldi_nat lo mid f init). -Proof. - intros. - assert (mid_is_low_plus_constant : {k : nat | (mid = lo + k)%nat}) by (exists (mid - lo)%nat ; lia). - destruct mid_is_low_plus_constant ; subst. - rewrite Nat.add_comm. - apply foldi_nat_split_add. - apply guarantee. -Qed. - -(* folds can be split at some midpoint *) -Lemma foldi_split : - forall (mid : uint_size), (* {lo <= mid <= hi} *) - forall {acc: Type} - (lo: uint_size) - (hi: uint_size) (* {lo <= hi} *) - (f: uint_size -> acc -> acc) (* {i < hi} *) - (init: acc), - forall {guarantee: (unsigned lo <= unsigned mid <= unsigned hi)%Z}, - foldi lo hi f init = foldi mid hi f (foldi lo mid f init). -Proof. - intros. - do 3 rewrite foldi_to_foldi_nat by lia. - apply foldi_nat_split ; lia. -Qed. - -(*** Default *) - -(* Typeclass handling of default elements, for use in sequences/arrays. - We provide instances for the library integer types *) -Class Default (A : Type) := { - default : A -}. -Global Arguments default {_} {_}. - -(*** Seq *) - -Definition nseq := VectorDef.t. - -Definition seq (A : Type) := list A. - -(* Automatic conversion from nseq/vector/array to seq/list *) -(* Global Coercion VectorDef.to_list : VectorDef.t >-> list. *) - -Definition public_byte_seq := seq int8. -Definition byte_seq := seq int8. -Definition list_len := length. - -Definition seq_index {A: Type} `{Default A} (s: seq A) (i : nat) := - List.nth i s default. - -Definition seq_len {A: Type} (s: seq A) : N := N.of_nat (length s). - -Definition seq_new_ {A: Type} (init : A) (len: nat) : seq A := - Vector.to_list (VectorDef.const init len). - -Definition seq_new {A: Type} `{Default A} (len: nat) : seq A := - seq_new_ default len. - -Fixpoint array_from_list (A: Type) (l: list A) : nseq A (length l) := - match l return (nseq A (length l)) with - | [] => VectorDef.nil A - | x :: xs => VectorDef.cons A x (length xs) (array_from_list A xs) - end. - - (* match l, length l with *) -(* | [], O => VectorDef.nil A *) -(* | (x :: xs), S n => VectorDef.cons A x (length xs) (array_from_list A xs) *) -(* end. *) -(* - apply (VectorDef.cons A a (length l) (array_from_list A l)). *) -(* Defined. *) - - (* match l with *) - (* | [] => VectorDef.nil *) - (* | (x :: xs) => VectorDef.cons A x (length xs) (array_from_list xs) *) - (* end. *) - -(* Definition array_from_list (A: Type) (l: list A) : nseq A (length l) := *) - (* VectorDef.of_list l. *) -(* Proof. *) -(* induction l. *) -(* - apply (VectorDef.nil A). *) -(* - apply (VectorDef.cons A a (length l) IHl). *) -(* Defined. *) - -(* automatic conversion from list to array *) -(* Global Coercion array_from_list : list >-> nseq. *) - - -(**** Array manipulation *) - - -Definition array_new_ {A: Type} (init:A) (len: nat) : nseq A len := - VectorDef.const init len. - -Open Scope nat_scope. -Definition array_index {A: Type} `{Default A} {len : nat} (s: nseq A len) (i: nat) : A. -Proof. - destruct (i nat -> nat -> seq A -> t A len. *) -Definition update_sub {A len slen} `{Default A} (v : nseq A len) (i : nat) (n : nat) (sub : nseq A slen) : nseq A len := - let fix rec x acc := - match x with - | 0 => acc - (* | 0 => array_upd acc 0 (array_index sub 0) *) - | S x => rec x (array_upd acc (i+x) (array_index sub x)) - end in - rec (n - i + 1) v. - -(* Sanity check *) -(* Compute (to_list (update_sub [1;2;3;4;5] 0 4 (of_list [9;8;7;6;12]))). *) - -Definition array_to_seq - {a: Type} - {out_len:nat} - (input: nseq a out_len) - (* {H : List.length input = out_len} *) - : seq a := VectorDef.to_list input. - -Definition array_from_seq - {a: Type} - `{Default a} - (out_len:nat) - (input: seq a) - : nseq a out_len := - let out := VectorDef.const default out_len in - update_sub out 0 (out_len - 1) (Vector.of_list input). - -(* Global Coercion array_from_seq : seq >-> nseq. *) - -Definition slice {A} (l : seq A) (i j : nat) : seq A := - if j <=? i then [] else firstn (j-i+1) (skipn i l). - -Definition lseq_slice {A n} (l : nseq A n) (i j : nat) : nseq A _ := - VectorDef.of_list (slice (VectorDef.to_list l) i j). - -Definition array_from_slice - {a: Type} - `{Default a} - (default_value: a) - (out_len: nat) - (input: seq a) - (start: nat) - (slice_len: nat) - : nseq a out_len := - let out := VectorDef.const default_value out_len in - update_sub out 0 slice_len (lseq_slice (VectorDef.of_list input) start (start + slice_len)). - - -Definition array_slice - {a: Type} - `{Default a} - {len : nat} - (input: nseq a len) - (start: nat) - (slice_len: nat) - : seq a := - slice (array_to_seq input) start (start + slice_len). - - -Definition array_from_slice_range - {a: Type} - `{Default a} - (default_value: a) - (out_len: nat) - (input: seq a) - (start_fin: (uint_size * uint_size)) - : nseq a out_len := - let out := array_new_ default_value out_len in - let (start, fin) := start_fin in - update_sub out 0 ((from_uint_size fin) - (from_uint_size start)) (VectorDef.of_list (slice input (from_uint_size start) (from_uint_size fin))). - - -Definition array_slice_range - {a: Type} - {len : nat} - (input: nseq a len) - (start_fin:(uint_size * uint_size)) - : nseq a _ := - lseq_slice input (from_uint_size (fst start_fin)) (from_uint_size (snd start_fin)). - -Definition array_update - {a: Type} - `{Default a} - {len: nat} - (s: nseq a len) - (start : nat) - (start_s: seq a) - : nseq a len := - update_sub (s) start (length start_s) (VectorDef.of_list start_s). - -Definition array_update_start - {a: Type} - `{Default a} - {len: nat} - (s: nseq a len) - (start_s: seq a) - : nseq a len := - update_sub (s) 0 (length start_s) (VectorDef.of_list start_s). - -Definition array_len {a: Type} {len: nat} (s: nseq a len) := len. -(* May also come up as 'length' instead of 'len' *) -Definition array_length {a: Type} {len: nat} (s: nseq a len) := len. - -(**** Seq manipulation *) - -Definition seq_slice - {a: Type} - `{Default a} - (s: seq a) - (start: nat) - (len: nat) - : seq a := - (slice s start (start + len)). - -Definition seq_slice_range - {a: Type} - `{Default a} - (input: seq a) - (start_fin:(uint_size * uint_size)) - : seq a := - seq_slice input (from_uint_size (fst start_fin)) (from_uint_size (snd start_fin)). - -(* updating a subsequence in a sequence *) -Definition seq_update - {a: Type} - `{Default a} - (s: seq a) - (start: nat) - (input: seq a) - : seq a := - array_to_seq (update_sub (VectorDef.of_list s) start (length input) (VectorDef.of_list input)). - -(* updating only a single value in a sequence*) -Definition seq_upd - {a: Type} - `{Default a} - (s: seq a) - (start: nat) - (v: a) - : seq a := - array_to_seq (update_sub (VectorDef.of_list s) start 1 (VectorDef.of_list [v])). - -Definition sub {a} (s : list a) start n := - slice s start (start + n). - -Definition seq_update_start - {a: Type} - `{Default a} - (s: seq a) - (start_s: seq a) - : seq a := - array_to_seq (update_sub (VectorDef.of_list s) 0 (length start_s) (VectorDef.of_list start_s)). - -Definition array_update_slice - {a : Type} - `{Default a} - {l : nat} - (out: nseq a l) - (start_out: nat) - (input: seq a) - (start_in: nat) - (len: nat) - : nseq a (array_length out) - := - update_sub (out) start_out len - (VectorDef.of_list (sub input start_in len)). - -Definition seq_update_slice - {a : Type} - `{Default a} - (out: seq a) - (start_out: nat) - (input: seq a) - (start_in: nat) - (len: nat) - : nseq a (length out) - := - update_sub (VectorDef.of_list out) start_out len - (VectorDef.of_list (sub input start_in len)). - -Definition seq_concat - {a : Type} - (s1 :seq a) - (s2: seq a) - : seq a := - (s1 ++ s2). - -Definition seq_push - {a : Type} - (s1 :seq a) - (s2: a) - : seq a := - (s1 ++ [s2]). - -Definition seq_from_slice_range - {a: Type} - `{Default a} - (input: seq a) - (start_fin: (uint_size * uint_size)) - : seq a := - let out := array_new_ (default) (length input) in - let (start, fin) := start_fin in - array_to_seq (update_sub out 0 ((from_uint_size fin) - (from_uint_size start)) (VectorDef.of_list (slice input (from_uint_size start) (from_uint_size fin)))). - -Definition seq_from_seq {A} (l : seq A) := l. - - -(**** Chunking *) - -Definition seq_num_chunks {a: Type} (s: seq a) (chunk_len: nat) : nat := - ((length s) + chunk_len - 1) / chunk_len. - -Definition seq_chunk_len - {a: Type} - (s: seq a) - (chunk_len: nat) - (chunk_num: nat) - : nat := - let idx_start := chunk_len * chunk_num in - if (length s) - out_len := seq_chunk_len s chunk_len chunk_num /\ LSeq.length chunk := out_len - )) *) - := - let idx_start := chunk_len * chunk_num in - let out_len := seq_chunk_len s chunk_len chunk_num in - (usize out_len, slice - s idx_start (idx_start + seq_chunk_len s chunk_len chunk_num)). - -Definition seq_set_chunk - {a: Type} - `{Default a} - (s: seq a) - (chunk_len: nat) - (chunk_num: nat) - (chunk: seq a ) : seq a := - let idx_start := chunk_len * chunk_num in - let out_len := seq_chunk_len s chunk_len chunk_num in - VectorDef.to_list (update_sub (VectorDef.of_list s) idx_start out_len (VectorDef.of_list chunk)). - - -Definition seq_num_exact_chunks {a} (l : seq a) (chunk_size : uint_size) : uint_size := - divs (repr (Z.of_nat (length l))) chunk_size. - -(* Until #84 is fixed this returns an empty sequence if not enough *) -Definition seq_get_exact_chunk {a} (l : seq a) (chunk_size chunk_num: uint_size) : seq a := - let '(len, chunk) := seq_get_chunk l (from_uint_size chunk_size) (from_uint_size chunk_num) in - if eq len chunk_size then [] else chunk. - -Definition seq_set_exact_chunk {a} `{H : Default a} := @seq_set_chunk a H. - -Definition seq_get_remainder_chunk : forall {a}, seq a -> uint_size -> seq a := - fun _ l chunk_size => - let chunks := seq_num_chunks l (from_uint_size chunk_size) in - let last_chunk := if 0 @MachineIntegers.xor WS x y :: (seq_xor_ xs ys) - | [], y => y - | x, [] => x - end. -Infix "seq_xor" := seq_xor_ (at level 33) : hacspec_scope. - -Fixpoint seq_truncate {a} (x : seq a) (n : nat) : seq a := (* uint_size *) - match x, n with - | _, 0 => [] - | [], _ => [] - | (x :: xs), S n' => x :: (seq_truncate xs n') - end. - -(**** Numeric operations *) - -(* takes two nseq's and joins them using a function op : a -> a -> a *) -Definition array_join_map - {a: Type} - `{Default a} - {len: nat} - (op: a -> a -> a) - (s1: nseq a len) - (s2 : nseq a len) := - let out := s1 in - foldi (usize 0) (usize len) (fun i out => - let i := from_uint_size i in - array_upd out i (op (array_index s1 i) (array_index s2 i)) - ) out. - -Infix "array_xor" := (array_join_map xor) (at level 33) : hacspec_scope. -Infix "array_add" := (array_join_map add) (at level 33) : hacspec_scope. -Infix "array_minus" := (array_join_map sub) (at level 33) : hacspec_scope. -Infix "array_mul" := (array_join_map mul) (at level 33) : hacspec_scope. -Infix "array_div" := (array_join_map divs) (at level 33) : hacspec_scope. -Infix "array_or" := (array_join_map or) (at level 33) : hacspec_scope. -Infix "array_and" := (array_join_map and) (at level 33) : hacspec_scope. - -Definition array_eq_ - {a: Type} - {len: nat} - (eq: a -> a -> bool) - (s1: nseq a len) - (s2 : nseq a len) - : bool := Vector.eqb _ eq s1 s2. - -Infix "array_eq" := (array_eq_ eq) (at level 33) : hacspec_scope. -Infix "array_neq" := (fun s1 s2 => negb (array_eq_ eq s1 s2)) (at level 33) : hacspec_scope. - - -(**** Integers to arrays *) -Axiom uint32_to_le_bytes : int32 -> nseq int8 4. -Axiom uint32_to_be_bytes : int32 -> nseq int8 4. -Axiom uint32_from_le_bytes : nseq int8 4 -> int32. -Axiom uint32_from_be_bytes : nseq int8 4 -> int32. -Axiom uint64_to_le_bytes : int64 -> nseq int8 8. -Axiom uint64_to_be_bytes : int64 -> nseq int8 8. -Axiom uint64_from_le_bytes : nseq int8 8 -> int64. -Axiom uint64_from_be_bytes : nseq int8 8 -> int64. -Axiom uint128_to_le_bytes : int128 -> nseq int8 16. -Axiom uint128_to_be_bytes : int128 -> nseq int8 16. -Axiom uint128_from_le_bytes : nseq int8 16 -> int128. -Axiom uint128_from_be_bytes : nseq int8 16 -> int128. -Axiom u32_to_le_bytes : int32 -> nseq int8 4. -Axiom u32_to_be_bytes : int32 -> nseq int8 4. -Axiom u32_from_le_bytes : nseq int8 4 -> int32. -Axiom u32_from_be_bytes : nseq int8 4 -> int32. -Axiom u64_to_le_bytes : int64 -> nseq int8 8. -Axiom u64_from_le_bytes : nseq int8 8 -> int64. -Axiom u128_to_le_bytes : int128 -> nseq int8 16. -Axiom u128_to_be_bytes : int128 -> nseq int8 16. -Axiom u128_from_le_bytes : nseq int8 16 -> int128. -Axiom u128_from_be_bytes : nseq int8 16 -> int128. - -(*** Nats *) - - -Definition nat_mod (p : Z) : Set := GZnZ.znz p. - - -Definition nat_mod_equal {p} (a b : nat_mod p) : bool := - Z.eqb (GZnZ.val p a) (GZnZ.val p b). - -Definition nat_mod_zero {p} : nat_mod p := GZnZ.zero p. -Definition nat_mod_one {p} : nat_mod p := GZnZ.one p. -Definition nat_mod_two {p} : nat_mod p := GZnZ.mkznz p _ (GZnZ.modz p 2). - - -(* convenience coercions from nat_mod to Z and N *) -(* Coercion Z.of_N : N >-> Z. *) - -Definition nat_mod_add {n : Z} (a : nat_mod n) (b : nat_mod n) : nat_mod n := GZnZ.add n a b. - -Infix "+%" := nat_mod_add (at level 33) : hacspec_scope. - -Definition nat_mod_mul {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.mul n a b. -Infix "*%" := nat_mod_mul (at level 33) : hacspec_scope. - -Definition nat_mod_sub {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.sub n a b. -Infix "-%" := nat_mod_sub (at level 33) : hacspec_scope. - -Definition nat_mod_div {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.div n a b. -Infix "/%" := nat_mod_div (at level 33) : hacspec_scope. - -(* A % B = (a * B + r) *) - -Definition nat_mod_neg {n : Z} (a:nat_mod n) : nat_mod n := GZnZ.opp n a. - -Definition nat_mod_inv {n : Z} (a:nat_mod n) : nat_mod n := GZnZ.inv n a. - -Definition nat_mod_exp_def {p : Z} (a:nat_mod p) (n : nat) : nat_mod p := - let fix exp_ (e : nat_mod p) (n : nat) := - match n with - | 0%nat => nat_mod_one - | S n => nat_mod_mul a (exp_ a n) - end in - exp_ a n. - -Definition nat_mod_exp {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). -Definition nat_mod_pow {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). -Definition nat_mod_pow_self {p} a n := @nat_mod_exp_def p a (Z.to_nat (from_uint_size n)). - -Close Scope nat_scope. -Open Scope Z_scope. - -(* We assume x < m *) -Definition nat_mod_from_secret_literal {m : Z} (x:int128) : nat_mod m. -Proof. - unfold nat_mod. - (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) - remember ((unsigned x) mod m) as zmodm. - apply (GZnZ.mkznz m zmodm). - rewrite Heqzmodm. - rewrite Zmod_mod. - reflexivity. -Defined. - -Definition nat_mod_from_literal (m : Z) (x:int128) : nat_mod m := nat_mod_from_secret_literal x. - -Axiom nat_mod_to_byte_seq_le : forall {n : Z}, nat_mod n -> seq int8. -Axiom nat_mod_to_byte_seq_be : forall {n : Z}, nat_mod n -> seq int8. -Axiom nat_mod_to_public_byte_seq_le : forall (n : Z), nat_mod n -> seq int8. -Axiom nat_mod_to_public_byte_seq_be : forall (n : Z), nat_mod n -> seq int8. - -Definition nat_mod_bit {n : Z} (a : nat_mod n) (i : uint_size) := - Z.testbit (GZnZ.val n a) (from_uint_size i). - -(* Alias for nat_mod_bit *) -Definition nat_get_mod_bit {p} (a : nat_mod p) := nat_mod_bit a. -Definition nat_mod_get_bit {p} (a : nat_mod p) n := - if (nat_mod_bit a n) - then @nat_mod_one p - else @nat_mod_zero p. - -(* -Definition nat_mod_to_public_byte_seq_le (n: pos) (len: uint_size) (x: nat_mod_mod n) : lseq pub_uint8 len = - Definition n' := n % (pow2 (8 * len)) in - Lib.ByteSequence.nat_mod_to_bytes_le len n'*) - -(* Definition nat_to_public_byte_seq_be (n: pos) (len: uint_size) (x: nat_mod n) : lseq pub_uint8 len = - Definition n' := n % (pow2 (8 * len)) in - Lib.ByteSequence.nat_to_bytes_be len n' *) - -Axiom array_declassify_eq : forall {A l}, nseq A l -> nseq A l -> bool. -Axiom array_to_le_uint32s : forall {A l}, nseq A l -> seq uint32. -Axiom array_to_be_uint32s : forall {A l}, nseq A l -> seq uint32. (* nseq uint32 (l/4) *) -Axiom array_to_le_bytes : forall {A l}, nseq A l -> seq uint8. -Axiom array_to_be_bytes : forall {A l}, nseq A l -> seq uint8. -Axiom nat_mod_from_byte_seq_le : forall {A n}, seq A -> nat_mod n. -Axiom nat_mod_from_byte_seq_be : forall {A n}, seq A -> nat_mod n. -Axiom nat_mod_from_public_byte_seq_le : forall {A n}, seq A -> nat_mod n. -Axiom nat_mod_from_public_byte_seq_be : forall {A n}, seq A -> nat_mod n. -Axiom most_significant_bit : forall {m}, nat_mod m -> uint_size -> uint_size. - - -(* We assume 2^x < m *) -Definition nat_mod_pow2 (m : Z) (x : N) : nat_mod m. -Proof. - remember (Z.pow 2 (Z.of_N x) mod m) as y. - apply (GZnZ.mkznz m y). - rewrite Heqy. - rewrite Zmod_mod. - reflexivity. -Defined. - - -Section Casting. - - (* Type casts, as defined in Section 4.5 in https://arxiv.org/pdf/1106.3448.pdf *) - Class Cast A B := cast : A -> B. - - Arguments cast {_} _ {_}. - - Notation "' x" := (cast _ x) (at level 20) : hacspec_scope. - Open Scope hacspec_scope. - - (* Casting to self is always possible *) - Global Instance cast_self {A} : Cast A A := { - cast a := a - }. - - Global Instance cast_transitive {A B C} `{Hab: Cast A B} `{Hbc: Cast B C} : Cast A C := { - cast a := Hbc (Hab a) - }. - - Global Instance cast_prod {A B C D} `{Cast A B} `{Cast C D} : Cast (A * C) (B * D) := { - cast '(a, c) := ('a, 'c) - }. - - Global Instance cast_option {A B} `{Cast A B} : Cast (option A) (option B) := { - cast a := match a with Some a => Some ('a) | None => None end - }. - - Global Instance cast_option_b {A B} `{Cast A B} : Cast A (option B) := { - cast a := Some ('a) - }. - - (* Global Instances for common types *) - - Global Instance cast_nat_to_N : Cast nat N := { - cast := N.of_nat - }. - - Global Instance cast_N_to_Z : Cast N Z := { - cast := Z.of_N - }. - - Global Instance cast_Z_to_int {WORDSIZE} : Cast Z (@int WORDSIZE) := { - cast n := repr n - }. - - Global Instance cast_natmod_to_Z {p} : Cast (nat_mod p) Z := { - cast n := GZnZ.val p n - }. - - (* Note: should be aware of typeclass resolution with int/uint since they are just aliases of each other currently *) - Global Instance cast_int8_to_uint32 : Cast int8 uint32 := { - cast n := repr (unsigned n) - }. - Global Instance cast_int8_to_int32 : Cast int8 int32 := { - cast n := repr (signed n) - }. - - Global Instance cast_uint8_to_uint32 : Cast uint8 uint32 := { - cast n := repr (unsigned n) - }. - - Global Instance cast_int_to_nat `{WORDSIZE} : Cast int nat := { - cast n := Z.to_nat (signed n) - }. - - Close Scope hacspec_scope. -End Casting. - - -Global Arguments pair {_ _} & _ _. -Global Arguments id {_} & _. -Section Coercions. - (* First, in order to have automatic coercions for tuples, we add bidirectionality hints: *) - - (* Integer coercions *) - (* We have nat >-> N >-> Z >-> int/int32 *) - (* and uint >-> Z *) - (* and N >-> nat *) - - Global Coercion N.to_nat : N >-> nat. - Global Coercion Z.of_N : N >-> Z. - - Global Coercion repr : Z >-> int. - - Definition Z_to_int `{WORDSIZE} (n : Z) : int := repr n. - Global Coercion Z_to_int : Z >-> int. - - Definition Z_to_uint_size (n : Z) : uint_size := repr n. - Global Coercion Z_to_uint_size : Z >-> uint_size. - Definition Z_to_int_size (n : Z) : int_size := repr n. - Global Coercion Z_to_int_size : Z >-> int_size. - - Definition N_to_int `{WORDSIZE} (n : N) : int := repr (Z.of_N n). - Global Coercion N.of_nat : nat >-> N. - Global Coercion N_to_int : N >-> int. - Definition N_to_uint_size (n : Z) : uint_size := repr n. - Global Coercion N_to_uint_size : Z >-> uint_size. - Definition nat_to_int `{WORDSIZE} (n : nat) := repr (Z.of_nat n). - Global Coercion nat_to_int : nat >-> int. - - Definition uint_size_to_nat (n : uint_size) : nat := from_uint_size n. - Global Coercion uint_size_to_nat : uint_size >-> nat. - - Definition uint_size_to_Z (n : uint_size) : Z := from_uint_size n. - Global Coercion uint_size_to_Z : uint_size >-> Z. - - Definition uint32_to_nat (n : uint32) : nat := unsigned n. - Global Coercion uint32_to_nat : uint32 >-> nat. - - - Global Coercion GZnZ.val : GZnZ.znz >-> Z. - - Definition int8_to_nat (n : int8) : nat := unsigned n. - Global Coercion int8_to_nat : int8 >-> nat. - Definition int16_to_nat (n : int16) : nat := unsigned n. - Global Coercion int16_to_nat : int16 >-> nat. - Definition int32_to_nat (n : int32) : nat := unsigned n. - Global Coercion int32_to_nat : int32 >-> nat. - Definition int64_to_nat (n : int64) : nat := unsigned n. - Global Coercion int64_to_nat : int64 >-> nat. - Definition int128_to_nat (n : int128) : nat := unsigned n. - Global Coercion int128_to_nat : int128 >-> nat. - - (* coercions int8 >-> int16 >-> ... int128 *) - - Definition int8_to_int16 (n : int8) : int16 := repr n. - Global Coercion int8_to_int16 : int8 >-> int16. - - Definition int8_to_int32 (n : int8) : int32 := repr n. - Global Coercion int8_to_int32 : int8 >-> int32. - - Definition int16_to_int32 (n : int16) : int32 := repr n. - Global Coercion int16_to_int32 : int16 >-> int32. - - Definition int32_to_int64 (n : int32) : int64 := repr n. - Global Coercion int32_to_int64 : int32 >-> int64. - - Definition int64_to_int128 (n : int64) : int128 := repr n. - Global Coercion int64_to_int128 : int64 >-> int128. - - Definition int32_to_int128 (n : int32) : int128 := repr n. - Global Coercion int32_to_int128 : int32 >-> int128. - - Definition uint_size_to_int64 (n : uint_size) : int64 := repr n. - Global Coercion uint_size_to_int64 : uint_size >-> int64. - - - (* coercions into nat_mod *) - Definition Z_in_nat_mod {m : Z} (x:Z) : nat_mod m. - Proof. - unfold nat_mod. - remember ((x) mod m) as zmodm. - apply (GZnZ.mkznz m zmodm). - rewrite Heqzmodm. - rewrite Zmod_mod. - reflexivity. - Defined. - (* Global Coercion Z_in_nat_mod : Z >-> nat_mod. *) - - Definition int_in_nat_mod {m : Z} `{WORDSIZE} (x:int) : nat_mod m. - Proof. - unfold nat_mod. - (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) - remember ((unsigned x) mod m) as zmodm. - apply (GZnZ.mkznz m zmodm). - rewrite Heqzmodm. - rewrite Zmod_mod. - reflexivity. - Show Proof. - Defined. - Global Coercion int_in_nat_mod : int >-> nat_mod. - - Definition uint_size_in_nat_mod (n : uint_size) : nat_mod 16 := int_in_nat_mod n. - Global Coercion uint_size_in_nat_mod : uint_size >-> nat_mod. - -End Coercions. - - -(*** Casting *) - -Definition uint128_from_usize (n : uint_size) : int128 := repr n. -Definition uint64_from_usize (n : uint_size) : int64 := repr n. -Definition uint32_from_usize (n : uint_size) : int32 := repr n. -Definition uint16_from_usize (n : uint_size) : int16 := repr n. -Definition uint8_from_usize (n : uint_size) : int8 := repr n. - -Definition uint128_from_uint8 (n : int8) : int128 := repr n. -Definition uint64_from_uint8 (n : int8) : int64 := repr n. -Definition uint32_from_uint8 (n : int8) : int32 := repr n. -Definition uint16_from_uint8 (n : int8) : int16 := repr n. -Definition usize_from_uint8 (n : int8) : uint_size := repr n. - -Definition uint128_from_uint16 (n : int16) : int128 := repr n. -Definition uint64_from_uint16 (n : int16) : int64 := repr n. -Definition uint32_from_uint16 (n : int16) : int32 := repr n. -Definition uint8_from_uint16 (n : int16) : int8 := repr n. -Definition usize_from_uint16 (n : int16) : uint_size := repr n. - -Definition uint128_from_uint32 (n : int32) : int128 := repr n. -Definition uint64_from_uint32 (n : int32) : int64 := repr n. -Definition uint16_from_uint32 (n : int32) : int16 := repr n. -Definition uint8_from_uint32 (n : int32) : int8 := repr n. -Definition usize_from_uint32 (n : int32) : uint_size := repr n. - -Definition uint128_from_uint64 (n : int64) : int128 := repr n. -Definition uint32_from_uint64 (n : int64) : int32 := repr n. -Definition uint16_from_uint64 (n : int64) : int16 := repr n. -Definition uint8_from_uint64 (n : int64) : int8 := repr n. -Definition usize_from_uint64 (n : int64) : uint_size := repr n. - -Definition uint64_from_uint128 (n : int128) : int64 := repr n. -Definition uint32_from_uint128 (n : int128) : int32 := repr n. -Definition uint16_from_uint128 (n : int128) : int16 := repr n. -Definition uint8_from_uint128 (n : int128) : int8 := repr n. -Definition usize_from_uint128 (n : int128) : uint_size := repr n. - - -(* Comparisons, boolean equality, and notation *) - -Class EqDec (A : Type) := - { eqb : A -> A -> bool ; - eqb_leibniz : forall x y, eqb x y = true <-> x = y }. - -Infix "=.?" := eqb (at level 40) : hacspec_scope. -Infix "!=.?" := (fun a b => negb (eqb a b)) (at level 40) : hacspec_scope. - -Class Comparable (A : Type) := { - ltb : A -> A -> bool; - leb : A -> A -> bool; - gtb : A -> A -> bool; - geb : A -> A -> bool; -}. -Infix "<.?" := ltb (at level 42) : hacspec_scope. -Infix "<=.?" := leb (at level 42) : hacspec_scope. -Infix ">.?" := gtb (at level 42) : hacspec_scope. -Infix ">=.?" := geb (at level 42) : hacspec_scope. - -Theorem eqb_refl : forall {A} {H : EqDec A} (x : A), @eqb A H x x = true. -Proof. - intros. - now rewrite eqb_leibniz. -Qed. - -Global Program Instance nat_eqdec : EqDec nat := { - eqb := Nat.eqb; - eqb_leibniz := Nat.eqb_eq ; -}. - -Global Instance nat_comparable : Comparable nat := { - ltb := Nat.ltb; - leb := Nat.leb; - gtb a b := Nat.ltb b a; - geb a b := Nat.leb b a; -}. - -Global Instance N_eqdec : EqDec N := { - eqb := N.eqb; - eqb_leibniz := N.eqb_eq ; -}. - -Global Instance N_comparable : Comparable N := { - ltb := N.ltb; - leb := N.leb; - gtb a b := N.ltb b a; - geb a b := N.leb b a; -}. - -Global Instance Z_eqdec : EqDec Z := { - eqb := Z.eqb; - eqb_leibniz := Z.eqb_eq ; -}. - -Global Instance Z_comparable : Comparable Z := { - ltb := Z.ltb; - leb := Z.leb; - gtb a b := Z.ltb b a; - geb a b := Z.leb b a; -}. - -Lemma int_eqb_eq : forall {WS : WORDSIZE} (a b : int), eq a b = true <-> a = b. -Proof. - intros. split. - - apply same_if_eq. - - intros. rewrite H. apply eq_true. -Qed. - -Global Instance int_eqdec `{WORDSIZE}: EqDec int := { - eqb := eq; - eqb_leibniz := int_eqb_eq ; -}. - -Global Instance int_comparable `{WORDSIZE} : Comparable int := { - ltb := lt; - leb a b := if eq a b then true else lt a b ; - gtb a b := lt b a; - geb a b := if eq a b then true else lt b a; -}. - -Definition uint8_equal : int8 -> int8 -> bool := eqb. - -Definition nat_mod_val (p : Z) (a : nat_mod p) : Z := GZnZ.val p a. - -Theorem nat_mod_eqb_spec : forall {p} (a b : nat_mod p), Z.eqb (nat_mod_val p a) (nat_mod_val p b) = true <-> a = b. -Proof. - split ; intros. - - apply Z.eqb_eq in H. - destruct a, b. - cbn in H. - apply (GZnZ.zirr p val val0 inZnZ inZnZ0 H). - - subst. - apply Z.eqb_eq. - reflexivity. -Qed. - -Global Instance nat_mod_eqdec {p} : EqDec (nat_mod p) := { - eqb a b := Z.eqb (nat_mod_val p a) (nat_mod_val p b); - eqb_leibniz := nat_mod_eqb_spec; -}. - -Global Instance nat_mod_comparable `{p : Z} : Comparable (nat_mod p) := { - ltb a b := Z.ltb (nat_mod_val p a) (nat_mod_val p b); - leb a b := if Zeq_bool a b then true else Z.ltb (nat_mod_val p a) (nat_mod_val p b) ; - gtb a b := Z.ltb (nat_mod_val p b) (nat_mod_val p a); - geb a b := if Zeq_bool b a then true else Z.ltb (nat_mod_val p b) (nat_mod_val p a) ; -}. - -Fixpoint nat_mod_rem_aux {n : Z} (a:nat_mod n) (b:nat_mod n) (f : nat) {struct f} : nat_mod n := - match f with - | O => a - | S f' => - if geb a b - then nat_mod_rem_aux (nat_mod_sub a b) b f' - else a - end. - -Definition nat_mod_rem {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := - if nat_mod_equal b nat_mod_zero - then nat_mod_one - else nat_mod_rem_aux a b (S (nat_mod_div a b)). - -Infix "rem" := nat_mod_rem (at level 33) : hacspec_scope. - -Global Instance bool_eqdec : EqDec bool := { - eqb := Bool.eqb; - eqb_leibniz := Bool.eqb_true_iff; -}. - -Global Instance string_eqdec : EqDec String.string := { - eqb := String.eqb; - eqb_leibniz := String.eqb_eq ; -}. - -Global Instance unit_eqdec : EqDec unit := { - eqb := fun _ _ => true ; - eqb_leibniz := fun 'tt 'tt => (conj (fun _ => eq_refl) (fun _ => eq_refl)) ; -}. - -Require Import Sumbool. -Open Scope list_scope. - -Fixpoint list_eqdec {A} `{EqDec A} (l1 l2 : list A) : bool := - match l1, l2 with - | x::xs, y::ys => if eqb x y then list_eqdec xs ys else false - | [], [] => true - | _,_ => false - end. - -Lemma list_eqdec_refl : forall {A} `{EqDec A} (l1 : list A), list_eqdec l1 l1 = true. -Proof. - intros ; induction l1 ; cbn ; try rewrite eqb_refl ; easy. -Qed. - -Lemma list_eqdec_sound : forall {A} `{EqDec A} (l1 l2 : list A), list_eqdec l1 l2 = true <-> l1 = l2. -Proof. - intros A H l1. - induction l1 ; induction l2 ; split ; intros ; simpl in * ; try easy ; try inversion H0. - - (* inductive case *) - apply Field_theory.if_true in H0; destruct H0. - f_equal. - (* show heads are equal *) - + apply (proj1 (eqb_leibniz a a0) H0). - (* show tails are equal using induction hypothesis *) - + apply IHl1. assumption. - - rewrite eqb_refl. - apply list_eqdec_refl. -Qed. - -Global Instance List_eqdec {A} `{EqDec A} : EqDec (list A) := { - eqb := list_eqdec; - eqb_leibniz := list_eqdec_sound; -}. - -Lemma vector_eqb_sound : forall {A : Type} {n : nat} `{EqDec A} (v1 v2 : VectorDef.t A n), Vector.eqb _ eqb v1 v2 = true <-> v1 = v2. -Proof. - intros. - apply Vector.eqb_eq. - intros. - apply eqb_leibniz. -Qed. - -Global Program Instance Vector_eqdec {A n} `{EqDec A}: EqDec (VectorDef.t A n) := { - eqb := Vector.eqb _ eqb; - eqb_leibniz := vector_eqb_sound; -}. - -Global Program Instance Dec_eq_prod (A B : Type) `{EqDec A} `{EqDec B} : EqDec (A * B) := { - eqb '(a0, b0) '(a1, b1) := andb (eqb a0 a1) (eqb b0 b1) -}. -Next Obligation. - split ; intros. - - symmetry in H1. - apply Bool.andb_true_eq in H1. destruct H1. - symmetry in H1. apply (eqb_leibniz a0 a) in H1. - symmetry in H2. apply (eqb_leibniz b0 b) in H2. - rewrite H1, H2. reflexivity. - - inversion_clear H1. now do 2 rewrite eqb_refl. -Defined. - -(*** Result *) - -Inductive result (a: Type) (b: Type) := - | Ok : a -> result a b - | Err : b -> result a b. - -Arguments Ok {_ _}. -Arguments Err {_ _}. - -(*** Be Bytes *) - - -Fixpoint nat_be_range_at_position (k : nat) (z : Z) (n : Z) : list bool := - match k with - | O => [] - | S k' => Z.testbit z (n + k') :: nat_be_range_at_position k' z n - end. - -Fixpoint nat_be_range_to_position_ (z : list bool) (val : Z) : Z := - match z with - | [] => val - | x :: xs => nat_be_range_to_position_ xs ((if x then 2 ^ List.length xs else 0) + val) - end. - -Definition nat_be_range_to_position (k : nat) (z : list bool) (n : Z) : Z := - (nat_be_range_to_position_ z 0 * 2^(k * n)). - -Definition nat_be_range (k : nat) (z : Z) (n : nat) : Z := - nat_be_range_to_position_ (nat_be_range_at_position k z (n * k)) 0. (* * 2^(k * n) *) - -Compute nat_be_range 4 0 300. - -Definition u64_to_be_bytes' : int64 -> nseq int8 8 := - fun k => array_from_list (int8) [@nat_to_int WORDSIZE8 (nat_be_range 4 k 7) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 6) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 5) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 4) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 3) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 2) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 1) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 0)]. - -Open Scope hacspec_scope. - -Definition u64_from_be_bytes_fold_fun (i : int8) (s : nat × int64) : nat × int64 := - let (n,v) := s in - (S n, v .+ (@repr WORDSIZE64 ((int8_to_nat i) * 2 ^ (4 * n)))). - -Definition u64_from_be_bytes' : nseq int8 8 -> int64 := - (fun v => snd (VectorDef.fold_right u64_from_be_bytes_fold_fun v (0, @repr WORDSIZE64 0))). - -Definition u64_to_be_bytes : int64 -> nseq int8 8 := u64_to_be_bytes'. -Definition u64_from_be_bytes : nseq int8 8 -> int64 := u64_from_be_bytes'. - -(* Definition nat_mod_to_byte_seq_be : forall {n : Z}, nat_mod n -> seq int8 := *) -(* fun k => VectorDef.of_list . *) - -(*** Monad / Bind *) - -Class Monad (M : Type -> Type) := - { bind {A B} (x : M A) (f : A -> M B) : M B ; - ret {A} (x : A) : M A ; - }. - -Definition result2 (b: Type) (a: Type) := result a b. - -Definition result_bind {A B C} (r : result2 C A) (f : A -> result2 C B) : result2 C B := - match r with - Ok a => f a - | Err e => Err e - end. - -Definition result_ret {A C} (a : A) : result2 C A := Ok a. - -Global Instance result_monad {C} : Monad (result2 C) := - Build_Monad (result2 C) (fun A B => @result_bind A B C) (fun A => @result_ret A C). - -Definition option_bind {A B} (r : option A) (f : A -> option B) : option B := - match r with - Some (a) => f a - | None => None - end. - - - -Definition option_ret {A} (a : A) : option A := Some a. - -Global Instance option_monad : Monad option := - Build_Monad option (@option_bind) (@option_ret). - -Definition option_is_none {A} (x : option A) : bool := - match x with - | None => true - | _ => false - end. - -Definition foldi_bind {A : Type} {M : Type -> Type} `{Monad M} (a : uint_size) (b : uint_size) (f : uint_size -> A -> M A) (init : M A) : M A := - @foldi (M A) a b (fun x y => bind y (f x)) init. - -Definition lift_to_result {A B C} (r : result A C) (f : A -> B) : result B C := - result_bind r (fun x => result_ret (f x)). - -Definition result_uint_size_to_result_int64 {C} (r : result uint_size C) := lift_to_result r uint_size_to_int64. - -Definition result_uint_size_unit := (result uint_size unit). -Definition result_int64_unit := (result int64 unit). - -Definition result_uint_size_unit_to_result_int64_unit (r : result_uint_size_unit) : result_int64_unit := result_uint_size_to_result_int64 r. - -Global Coercion lift_to_result_coerce {A B C} (f : A -> B) := (fun (r : result A C) => lift_to_result r f). - -Global Coercion result_uint_size_unit_to_result_int64_unit : result_uint_size_unit >-> result_int64_unit. - -(*** Notation *) - -Notation "'ifbnd' b 'then' x 'else' y '>>' f" := (if b then f x else f y) (at level 200). -Notation "'ifbnd' b 'thenbnd' x 'else' y '>>' f" := (if b then (bind x) f else f y) (at level 200). -Notation "'ifbnd' b 'then' x 'elsebnd' y '>>' f" := (if b then f x else (bind y) f) (at level 200). -Notation "'ifbnd' b 'thenbnd' x 'elsebnd' y '>>' f" := (if b then bind x f else bind y f) (at level 200). - -Notation "'foldibnd' s 'to' e 'for' z '>>' f" := (foldi s e (fun x y => bind y (f x)) (Ok z)) (at level 50). - - -(*** Default *) - -(* Default instances for common types *) -Global Instance nat_default : Default nat := { - default := 0%nat -}. -Global Instance N_default : Default N := { - default := 0%N -}. -Global Instance Z_default : Default Z := { - default := 0%Z -}. -Global Instance uint_size_default : Default uint_size := { - default := zero -}. -Global Instance int_size_default : Default int_size := { - default := zero -}. -Global Instance int_default {WS : WORDSIZE} : Default int := { - default := repr 0 -}. -Global Instance uint8_default : Default uint8 := _. -Global Instance nat_mod_default {p : Z} : Default (nat_mod p) := { - default := nat_mod_zero -}. -Global Instance prod_default {A B} `{Default A} `{Default B} : Default (A × B) := { - default := (default, default) -}. diff --git a/proof-libs/coq/coq/src/Hacspec_Linalg.v b/proof-libs/coq/coq/src/Hacspec_Linalg.v deleted file mode 100644 index 0dcee9a83..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Linalg.v +++ /dev/null @@ -1,296 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Notation "'dim_type_t'" := (uint_size) : hacspec_scope. - -Notation "'scalar_t'" := (int128) : hacspec_scope. - -Notation "'dims_t'" := ((dim_type_t '× dim_type_t)) : hacspec_scope. - -Notation "'matrix_t'" := ((dims_t '× seq scalar_t)) : hacspec_scope. - -Notation "'mat_res_t'" := ((result matrix_t int8)) : hacspec_scope. - -Notation "'scal_res_t'" := ((result scalar_t int8)) : hacspec_scope. - -Definition dimension_sequence_length_mismatch_v : int8 := - @repr WORDSIZE8 10. - -Definition index_out_of_bounds_v : int8 := - @repr WORDSIZE8 11. - -Definition slice_out_of_bounds_v : int8 := - @repr WORDSIZE8 12. - -Definition dimension_mismatch_v : int8 := - @repr WORDSIZE8 13. - -Definition new_ - (rows_881 : dim_type_t) - (cols_882 : dim_type_t) - (seq_883 : seq scalar_t) - : mat_res_t := - (if (((seq_len (seq_883)) >.? (usize 0)) && (((rows_881) * (cols_882)) =.? ( - seq_len (seq_883)))):bool then (@Ok matrix_t int8 (( - (rows_881, cols_882), - seq_883 - ))) else (@Err matrix_t int8 (dimension_sequence_length_mismatch_v))). - -Definition repeat - (n_884 : dim_type_t) - (m_885 : dim_type_t) - (scalar_886 : scalar_t) - : matrix_t := - let ret_887 : seq int128 := - seq_new_ (default : scalar_t) ((n_884) * (m_885)) in - let ret_887 := - foldi (usize 0) ((n_884) * (m_885)) (fun i_888 ret_887 => - let ret_887 := - seq_upd ret_887 (i_888) (scalar_886) in - (ret_887)) - ret_887 in - ((n_884, m_885), ret_887). - -Definition zeros (n_889 : dim_type_t) (m_890 : dim_type_t) : matrix_t := - repeat (n_889) (m_890) (pub_int128_zero ). - -Definition ones (n_891 : dim_type_t) (m_892 : dim_type_t) : matrix_t := - repeat (n_891) (m_892) (pub_int128_one ). - -Definition identity (n_893 : dim_type_t) (m_894 : dim_type_t) : matrix_t := - let ret_895 : seq int128 := - seq_new_ (default : scalar_t) ((n_893) * (m_894)) in - let ret_895 := - foldi (usize 0) (min (n_893) (m_894)) (fun i_896 ret_895 => - let index_897 : uint_size := - ((i_896) * (min (n_893) (m_894))) + (i_896) in - let ret_895 := - seq_upd ret_895 (index_897) (pub_int128_one ) in - (ret_895)) - ret_895 in - ((n_893, m_894), ret_895). - -Definition index - (m_898 : matrix_t) - (i_899 : dim_type_t) - (j_900 : dim_type_t) - : scal_res_t := - let '(dim_901, seq_902) := - m_898 in - let '(rows_903, cols_904) := - dim_901 in - let index_905 : uint_size := - ((i_899) * (cols_904)) + (j_900) in - (if ((index_905) >=.? ((rows_903) * (cols_904))):bool then ( - @Err scalar_t int8 (index_out_of_bounds_v)) else (@Ok scalar_t int8 ( - seq_index (seq_902) (index_905)))). - -Definition transpose (matrix_906 : matrix_t) : matrix_t := - let '(dim_907, seq_908) := - matrix_906 in - let '(rows_909, cols_910) := - dim_907 in - let ret_911 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (seq_908)) in - let ret_911 := - foldi (usize 0) (rows_909) (fun i_912 ret_911 => - let ret_911 := - foldi (usize 0) (cols_910) (fun j_913 ret_911 => - let seq_index_914 : uint_size := - ((i_912) * (cols_910)) + (j_913) in - let ret_index_915 : uint_size := - ((j_913) * (rows_909)) + (i_912) in - let ret_911 := - seq_upd ret_911 (ret_index_915) (seq_index (seq_908) ( - seq_index_914)) in - (ret_911)) - ret_911 in - (ret_911)) - ret_911 in - ((cols_910, rows_909), ret_911). - -Definition slice - (matrix_916 : matrix_t) - (start_917 : dims_t) - (len_918 : dims_t) - : mat_res_t := - let '(dim_919, seq_920) := - matrix_916 in - let '(rows_921, cols_922) := - dim_919 in - let '(start_row_923, start_col_924) := - start_917 in - let '(len_rows_925, len_cols_926) := - len_918 in - let start_index_927 : uint_size := - ((start_row_923) * (cols_922)) + (start_col_924) in - let ret_928 : seq int128 := - seq_new_ (default : scalar_t) ((len_rows_925) * (len_cols_926)) in - let res_929 : (result matrix_t int8) := - @Err matrix_t int8 (slice_out_of_bounds_v) in - let '(ret_928, res_929) := - if ((start_index_927) + ((len_rows_925) * (len_cols_926))) <=.? (( - rows_921) * (cols_922)):bool then (let ret_928 := - foldi (usize 0) (len_rows_925) (fun i_930 ret_928 => - let ret_928 := - foldi (usize 0) (len_cols_926) (fun j_931 ret_928 => - let ret_index_932 : uint_size := - ((i_930) * (len_cols_926)) + (j_931) in - let seq_index_933 : uint_size := - (((start_row_923) + (i_930)) * (cols_922)) + (( - start_col_924) + (j_931)) in - let ret_928 := - seq_upd ret_928 (ret_index_932) (seq_index (seq_920) ( - seq_index_933)) in - (ret_928)) - ret_928 in - (ret_928)) - ret_928 in - let res_929 := - new_ (len_rows_925) (len_cols_926) (ret_928) in - (ret_928, res_929)) else ((ret_928, res_929)) in - res_929. - -Definition scale (matrix_934 : matrix_t) (scalar_935 : scalar_t) : matrix_t := - let '(dim_936, seq_937) := - matrix_934 in - let ret_938 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (seq_937)) in - let ret_938 := - foldi (usize 0) (seq_len (seq_937)) (fun i_939 ret_938 => - let ret_938 := - seq_upd ret_938 (i_939) ((scalar_935) .* (seq_index (seq_937) ( - i_939))) in - (ret_938)) - ret_938 in - (dim_936, ret_938). - -Definition add - (matrix_1_940 : matrix_t) - (matrix_2_941 : matrix_t) - : mat_res_t := - let '(m1_dim_942, m1_s_943) := - matrix_1_940 in - let '(m2_dim_944, m2_s_945) := - matrix_2_941 in - let ret_946 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (m1_s_943)) in - let res_947 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_946, res_947) := - if (m1_dim_942) =.? (m2_dim_944):bool then (let ret_946 := - foldi (usize 0) (seq_len (m1_s_943)) (fun i_948 ret_946 => - let ret_946 := - seq_upd ret_946 (i_948) ((seq_index (m1_s_943) (i_948)) .+ ( - seq_index (m2_s_945) (i_948))) in - (ret_946)) - ret_946 in - let res_947 := - @Ok matrix_t int8 ((m1_dim_942, ret_946)) in - (ret_946, res_947)) else ((ret_946, res_947)) in - res_947. - -Definition sub - (matrix_1_949 : matrix_t) - (matrix_2_950 : matrix_t) - : mat_res_t := - let '(m1_dim_951, m1_s_952) := - matrix_1_949 in - let '(m2_dim_953, m2_s_954) := - matrix_2_950 in - let ret_955 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (m1_s_952)) in - let res_956 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_955, res_956) := - if (m1_dim_951) =.? (m2_dim_953):bool then (let ret_955 := - foldi (usize 0) (seq_len (m1_s_952)) (fun i_957 ret_955 => - let ret_955 := - seq_upd ret_955 (i_957) ((seq_index (m1_s_952) (i_957)) .- ( - seq_index (m2_s_954) (i_957))) in - (ret_955)) - ret_955 in - let res_956 := - @Ok matrix_t int8 ((m1_dim_951, ret_955)) in - (ret_955, res_956)) else ((ret_955, res_956)) in - res_956. - -Definition component_mul - (matrix_1_958 : matrix_t) - (matrix_2_959 : matrix_t) - : mat_res_t := - let '(m1_dim_960, m1_s_961) := - matrix_1_958 in - let '(m2_dim_962, m2_s_963) := - matrix_2_959 in - let ret_964 : seq int128 := - seq_new_ (default : scalar_t) (seq_len (m1_s_961)) in - let res_965 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_964, res_965) := - if (m1_dim_960) =.? (m2_dim_962):bool then (let ret_964 := - foldi (usize 0) (seq_len (m1_s_961)) (fun i_966 ret_964 => - let ret_964 := - seq_upd ret_964 (i_966) ((seq_index (m1_s_961) (i_966)) .* ( - seq_index (m2_s_963) (i_966))) in - (ret_964)) - ret_964 in - let res_965 := - @Ok matrix_t int8 ((m1_dim_960, ret_964)) in - (ret_964, res_965)) else ((ret_964, res_965)) in - res_965. - -Definition mul - (matrix_1_967 : matrix_t) - (matrix_2_968 : matrix_t) - : mat_res_t := - let '(dim_1_969, seq_1_970) := - matrix_1_967 in - let '(dim_2_971, seq_2_972) := - matrix_2_968 in - let '(l_973, m_974) := - dim_1_969 in - let '(m_975, n_976) := - dim_2_971 in - let ret_977 : seq int128 := - seq_new_ (default : scalar_t) ((l_973) * (n_976)) in - let res_978 : (result matrix_t int8) := - @Err matrix_t int8 (dimension_mismatch_v) in - let '(ret_977, res_978) := - if (m_974) =.? (m_975):bool then (let ret_977 := - foldi (usize 0) (l_973) (fun i_979 ret_977 => - let ret_977 := - foldi (usize 0) (n_976) (fun j_980 ret_977 => - let acc_981 : int128 := - pub_int128_zero in - let index_982 : uint_size := - ((i_979) * (n_976)) + (j_980) in - let acc_981 := - foldi (usize 0) (m_974) (fun k_983 acc_981 => - let index_1_984 : uint_size := - ((i_979) * (m_974)) + (k_983) in - let index_2_985 : uint_size := - ((k_983) * (n_976)) + (j_980) in - let acc_981 := - (acc_981) .+ ((seq_index (seq_1_970) (index_1_984)) .* ( - seq_index (seq_2_972) (index_2_985))) in - (acc_981)) - acc_981 in - let ret_977 := - seq_upd ret_977 (index_982) (acc_981) in - (ret_977)) - ret_977 in - (ret_977)) - ret_977 in - let res_978 := - new_ (l_973) (n_976) (ret_977) in - (ret_977, res_978)) else ((ret_977, res_978)) in - res_978. - diff --git a/proof-libs/coq/coq/src/Hacspec_Merlin.v b/proof-libs/coq/coq/src/Hacspec_Merlin.v deleted file mode 100644 index 15f1316b7..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Merlin.v +++ /dev/null @@ -1,88 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Strobe. - -Notation "'transcript_t'" := (strobe_t) : hacspec_scope. - -Definition merlin_protocol_label : seq uint8 := - [ - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 105) : int8; - secret (@repr WORDSIZE8 110) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 48) : int8 - ]. - -Definition encode_uint64 (x_1051 : uint64) : seq uint8 := - array_to_le_bytes (uint64_to_le_bytes (x_1051)). - -Definition encode_usize_as_u32 (x_1052 : uint_size) : seq uint8 := - let x_uint32_1053 : uint32 := - uint32_classify (pub_u32 (x_1052)) in - array_to_le_bytes (uint32_to_le_bytes (x_uint32_1053)). - -Definition new_ (label_1054 : seq uint8) : transcript_t := - let transcript_1055 : (state_uint8_t '× int8 '× int8 '× int8) := - new_strobe (merlin_protocol_label ) in - let dom_sep_1056 : seq uint8 := - [ - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 109) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 112) : int8 - ] in - append_message (transcript_1055) (dom_sep_1056) (label_1054). - -Definition append_message - (transcript_1057 : transcript_t) - (label_1058 : seq uint8) - (message_1059 : seq uint8) - : transcript_t := - let data_len_1060 : seq uint8 := - array_to_be_bytes (uint32_to_le_bytes (uint32_classify (pub_u32 (seq_len ( - message_1059))))) in - let transcript_1057 := - meta_ad (transcript_1057) (label_1058) (false) in - let transcript_1057 := - meta_ad (transcript_1057) (data_len_1060) (true) in - let transcript_1057 := - ad (transcript_1057) (message_1059) (false) in - transcript_1057. - -Definition challenge_bytes - (transcript_1061 : transcript_t) - (label_1062 : seq uint8) - (dest_1063 : seq uint8) - : (transcript_t '× seq uint8) := - let data_len_1064 : seq uint8 := - encode_usize_as_u32 (seq_len (dest_1063)) in - let transcript_1061 := - meta_ad (transcript_1061) (label_1062) (false) in - let transcript_1061 := - meta_ad (transcript_1061) (data_len_1064) (true) in - prf (transcript_1061) (dest_1063) (false). - -Definition append_uint64 - (transcript_1065 : transcript_t) - (label_1066 : seq uint8) - (x_1067 : uint64) - : transcript_t := - append_message (transcript_1065) (label_1066) (encode_uint64 (x_1067)). - diff --git a/proof-libs/coq/coq/src/Hacspec_Ntru_Prime.v b/proof-libs/coq/coq/src/Hacspec_Ntru_Prime.v deleted file mode 100644 index b40600184..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Ntru_Prime.v +++ /dev/null @@ -1,138 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition build_irreducible (p_1256 : uint_size) : seq int128 := - let irr_1257 : seq int128 := - seq_new_ (default : int128) ((p_1256) + (usize 1)) in - let irr_1257 := - seq_upd irr_1257 (usize 0) (- (@repr WORDSIZE128 1)) in - let irr_1257 := - seq_upd irr_1257 (usize 1) (- (@repr WORDSIZE128 1)) in - let irr_1257 := - seq_upd irr_1257 (p_1256) (@repr WORDSIZE128 1) in - irr_1257. - -Definition round_to_3 (poly_1258 : seq int128) (q_1259 : int128) : seq int128 := - let result_1260 : seq int128 := - (poly_1258) in - let q_12_1261 : int128 := - ((q_1259) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in - let result_1260 := - foldi (usize 0) (seq_len (poly_1258)) (fun i_1262 result_1260 => - let '(result_1260) := - if (seq_index (poly_1258) (i_1262)) >.? (q_12_1261):bool then ( - let result_1260 := - seq_upd result_1260 (i_1262) ((seq_index (poly_1258) (i_1262)) .- ( - q_1259)) in - (result_1260)) else ((result_1260)) in - (result_1260)) - result_1260 in - let result_1260 := - foldi (usize 0) (seq_len (result_1260)) (fun i_1263 result_1260 => - let '(result_1260) := - if ((seq_index (result_1260) (i_1263)) .% (@repr WORDSIZE128 3)) !=.? ( - @repr WORDSIZE128 0):bool then (let result_1260 := - seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( - i_1263)) .- (@repr WORDSIZE128 1)) in - let '(result_1260) := - if ((seq_index (result_1260) (i_1263)) .% ( - @repr WORDSIZE128 3)) !=.? (@repr WORDSIZE128 0):bool then ( - let result_1260 := - seq_upd result_1260 (i_1263) ((seq_index (result_1260) ( - i_1263)) .+ (@repr WORDSIZE128 2)) in - (result_1260)) else ((result_1260)) in - (result_1260)) else ((result_1260)) in - (result_1260)) - result_1260 in - result_1260. - -Definition encrypt - (r_1264 : seq int128) - (h_1265 : seq int128) - (q_1266 : int128) - (irreducible_1267 : seq int128) - : seq int128 := - let pre_1268 : seq int128 := - mul_poly_irr (r_1264) (h_1265) (irreducible_1267) (q_1266) in - round_to_3 (pre_1268) (q_1266). - -Definition ntru_prime_653_encrypt - (r_1269 : seq int128) - (h_1270 : seq int128) - : seq int128 := - let p_1271 : uint_size := - usize 653 in - let q_1272 : int128 := - @repr WORDSIZE128 4621 in - let w_1273 : uint_size := - usize 288 in - let irreducible_1274 : seq int128 := - build_irreducible (p_1271) in - encrypt (r_1269) (h_1270) (q_1272) (irreducible_1274). - -Definition ntru_prime_653_decrypt - (c_1275 : seq int128) - (key_f_1276 : seq int128) - (key_v_1277 : seq int128) - : (seq int128 '× bool) := - let p_1278 : uint_size := - usize 653 in - let q_1279 : int128 := - @repr WORDSIZE128 4621 in - let w_1280 : uint_size := - usize 288 in - let irreducible_1281 : seq int128 := - build_irreducible (p_1278) in - let f_c_1282 : seq int128 := - mul_poly_irr (key_f_1276) (c_1275) (irreducible_1281) (q_1279) in - let f_3_c_and_decryption_ok_1283 : (seq int128 '× bool) := - poly_to_ring (irreducible_1281) (add_poly (f_c_1282) (add_poly (f_c_1282) ( - f_c_1282) (q_1279)) (q_1279)) (q_1279) in - let '(f_3_c_1284, ok_decrypt_1285) := - f_3_c_and_decryption_ok_1283 in - let f_3_c_1286 : seq int128 := - f_3_c_1284 in - let q_12_1287 : int128 := - ((q_1279) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in - let f_3_c_1286 := - foldi (usize 0) (seq_len (f_3_c_1286)) (fun i_1288 f_3_c_1286 => - let '(f_3_c_1286) := - if (seq_index (f_3_c_1286) (i_1288)) >.? (q_12_1287):bool then ( - let f_3_c_1286 := - seq_upd f_3_c_1286 (i_1288) ((seq_index (f_3_c_1286) (i_1288)) .- ( - q_1279)) in - (f_3_c_1286)) else ((f_3_c_1286)) in - (f_3_c_1286)) - f_3_c_1286 in - let e_1289 : seq int128 := - seq_new_ (default : int128) (seq_len (f_3_c_1286)) in - let e_1289 := - foldi (usize 0) (seq_len (e_1289)) (fun i_1290 e_1289 => - let e_1289 := - seq_upd e_1289 (i_1290) ((seq_index (f_3_c_1286) (i_1290)) .% ( - @repr WORDSIZE128 3)) in - (e_1289)) - e_1289 in - let e_1289 := - make_positive (e_1289) (@repr WORDSIZE128 3) in - let r_1291 : seq int128 := - mul_poly_irr (e_1289) (key_v_1277) (irreducible_1281) ( - @repr WORDSIZE128 3) in - let r_1291 := - foldi (usize 0) (seq_len (r_1291)) (fun i_1292 r_1291 => - let '(r_1291) := - if (seq_index (r_1291) (i_1292)) =.? (@repr WORDSIZE128 2):bool then ( - let r_1291 := - seq_upd r_1291 (i_1292) (- (@repr WORDSIZE128 1)) in - (r_1291)) else ((r_1291)) in - (r_1291)) - r_1291 in - (r_1291, ok_decrypt_1285). - diff --git a/proof-libs/coq/coq/src/Hacspec_P256.v b/proof-libs/coq/coq/src/Hacspec_P256.v deleted file mode 100644 index 676c262d4..000000000 --- a/proof-libs/coq/coq/src/Hacspec_P256.v +++ /dev/null @@ -1,494 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Inductive error_t := -| InvalidAddition : error_t. - -Definition bits_v : uint_size := - usize 256. - -Definition field_canvas_t := nseq (int8) (32). -Definition p256_field_element_t := - nat_mod 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition p256_scalar_t := - nat_mod 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551. - -Notation "'affine_t'" := ((p256_field_element_t '× p256_field_element_t -)) : hacspec_scope. - -Notation "'affine_result_t'" := ((result affine_t error_t)) : hacspec_scope. - -Notation "'p256_jacobian_t'" := (( - p256_field_element_t '× - p256_field_element_t '× - p256_field_element_t -)) : hacspec_scope. - -Notation "'jacobian_result_t'" := (( - result p256_jacobian_t error_t)) : hacspec_scope. - -Definition element_t := nseq (uint8) (usize 32). - -Definition jacobian_to_affine (p_569 : p256_jacobian_t) : affine_t := - let '(x_570, y_571, z_572) := - p_569 in - let z2_573 : p256_field_element_t := - nat_mod_exp (z_572) (@repr WORDSIZE32 2) in - let z2i_574 : p256_field_element_t := - nat_mod_inv (z2_573) in - let z3_575 : p256_field_element_t := - (z_572) *% (z2_573) in - let z3i_576 : p256_field_element_t := - nat_mod_inv (z3_575) in - let x_577 : p256_field_element_t := - (x_570) *% (z2i_574) in - let y_578 : p256_field_element_t := - (y_571) *% (z3i_576) in - (x_577, y_578). - -Definition affine_to_jacobian (p_579 : affine_t) : p256_jacobian_t := - let '(x_580, y_581) := - p_579 in - ( - x_580, - y_581, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t - ). - -Definition point_double (p_582 : p256_jacobian_t) : p256_jacobian_t := - let '(x1_583, y1_584, z1_585) := - p_582 in - let delta_586 : p256_field_element_t := - nat_mod_exp (z1_585) (@repr WORDSIZE32 2) in - let gamma_587 : p256_field_element_t := - nat_mod_exp (y1_584) (@repr WORDSIZE32 2) in - let beta_588 : p256_field_element_t := - (x1_583) *% (gamma_587) in - let alpha_1_589 : p256_field_element_t := - (x1_583) -% (delta_586) in - let alpha_2_590 : p256_field_element_t := - (x1_583) +% (delta_586) in - let alpha_591 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% ((alpha_1_589) *% ( - alpha_2_590)) in - let x3_592 : p256_field_element_t := - (nat_mod_exp (alpha_591) (@repr WORDSIZE32 2)) -% ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 8) : p256_field_element_t) *% (beta_588)) in - let z3_593 : p256_field_element_t := - nat_mod_exp ((y1_584) +% (z1_585)) (@repr WORDSIZE32 2) in - let z3_594 : p256_field_element_t := - (z3_593) -% ((gamma_587) +% (delta_586)) in - let y3_1_595 : p256_field_element_t := - ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 4) : p256_field_element_t) *% (beta_588)) -% ( - x3_592) in - let y3_2_596 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 8) : p256_field_element_t) *% ((gamma_587) *% ( - gamma_587)) in - let y3_597 : p256_field_element_t := - ((alpha_591) *% (y3_1_595)) -% (y3_2_596) in - (x3_592, y3_597, z3_594). - -Definition is_point_at_infinity (p_598 : p256_jacobian_t) : bool := - let '(x_599, y_600, z_601) := - p_598 in - nat_mod_equal (z_601) (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t). - -Definition s1_equal_s2 - (s1_602 : p256_field_element_t) - (s2_603 : p256_field_element_t) - : jacobian_result_t := - (if (nat_mod_equal (s1_602) (s2_603)):bool then ( - @Err p256_jacobian_t error_t (InvalidAddition)) else ( - @Ok p256_jacobian_t error_t (( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t - )))). - -Definition point_add_jacob - (p_604 : p256_jacobian_t) - (q_605 : p256_jacobian_t) - : jacobian_result_t := - let result_606 : (result p256_jacobian_t error_t) := - @Ok p256_jacobian_t error_t (q_605) in - let '(result_606) := - if negb (is_point_at_infinity (p_604)):bool then (let '(result_606) := - if is_point_at_infinity (q_605):bool then (let result_606 := - @Ok p256_jacobian_t error_t (p_604) in - (result_606)) else (let '(x1_607, y1_608, z1_609) := - p_604 in - let '(x2_610, y2_611, z2_612) := - q_605 in - let z1z1_613 : p256_field_element_t := - nat_mod_exp (z1_609) (@repr WORDSIZE32 2) in - let z2z2_614 : p256_field_element_t := - nat_mod_exp (z2_612) (@repr WORDSIZE32 2) in - let u1_615 : p256_field_element_t := - (x1_607) *% (z2z2_614) in - let u2_616 : p256_field_element_t := - (x2_610) *% (z1z1_613) in - let s1_617 : p256_field_element_t := - ((y1_608) *% (z2_612)) *% (z2z2_614) in - let s2_618 : p256_field_element_t := - ((y2_611) *% (z1_609)) *% (z1z1_613) in - let '(result_606) := - if nat_mod_equal (u1_615) (u2_616):bool then (let result_606 := - s1_equal_s2 (s1_617) (s2_618) in - (result_606)) else (let h_619 : p256_field_element_t := - (u2_616) -% (u1_615) in - let i_620 : p256_field_element_t := - nat_mod_exp ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (h_619)) ( - @repr WORDSIZE32 2) in - let j_621 : p256_field_element_t := - (h_619) *% (i_620) in - let r_622 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (( - s2_618) -% (s1_617)) in - let v_623 : p256_field_element_t := - (u1_615) *% (i_620) in - let x3_1_624 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (v_623) in - let x3_2_625 : p256_field_element_t := - (nat_mod_exp (r_622) (@repr WORDSIZE32 2)) -% (j_621) in - let x3_626 : p256_field_element_t := - (x3_2_625) -% (x3_1_624) in - let y3_1_627 : p256_field_element_t := - ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% ( - s1_617)) *% (j_621) in - let y3_2_628 : p256_field_element_t := - (r_622) *% ((v_623) -% (x3_626)) in - let y3_629 : p256_field_element_t := - (y3_2_628) -% (y3_1_627) in - let z3_630 : p256_field_element_t := - nat_mod_exp ((z1_609) +% (z2_612)) (@repr WORDSIZE32 2) in - let z3_631 : p256_field_element_t := - ((z3_630) -% ((z1z1_613) +% (z2z2_614))) *% (h_619) in - let result_606 := - @Ok p256_jacobian_t error_t ((x3_626, y3_629, z3_631)) in - (result_606)) in - (result_606)) in - (result_606)) else ((result_606)) in - result_606. - -Definition ltr_mul - (k_632 : p256_scalar_t) - (p_633 : p256_jacobian_t) - : jacobian_result_t := - let q_634 : ( - p256_field_element_t '× - p256_field_element_t '× - p256_field_element_t - ) := - ( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t - ) in - bind (foldibnd (usize 0) to (bits_v) for q_634 >> (fun i_635 q_634 => - let q_634 := - point_double (q_634) in - ifbnd nat_mod_equal (nat_mod_get_bit (k_632) (((bits_v) - (usize 1)) - ( - i_635))) (nat_mod_one ) : bool - thenbnd (bind (point_add_jacob (q_634) (p_633)) (fun q_634 => @Ok ( - ( - p256_field_element_t '× - p256_field_element_t '× - p256_field_element_t - ) - ) error_t ((q_634)))) - else ((q_634)) >> (fun '(q_634) => - @Ok ( - (p256_field_element_t '× p256_field_element_t '× p256_field_element_t) - ) error_t ((q_634))))) (fun q_634 => @Ok p256_jacobian_t error_t (q_634)). - -Definition p256_point_mul - (k_636 : p256_scalar_t) - (p_637 : affine_t) - : affine_result_t := - bind (ltr_mul (k_636) (affine_to_jacobian (p_637))) (fun jac_638 => - @Ok affine_t error_t (jacobian_to_affine (jac_638))). - -Definition p256_point_mul_base (k_639 : p256_scalar_t) : affine_result_t := - let base_point_640 : (p256_field_element_t '× p256_field_element_t) := - ( - nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 225) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 71) : int8; - secret (@repr WORDSIZE8 248) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 230) : int8; - secret (@repr WORDSIZE8 229) : int8; - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 164) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 125) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 244) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 150) : int8 - ] in l))) : p256_field_element_t, - nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 22) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 87) : int8; - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 203) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 245) : int8 - ] in l))) : p256_field_element_t - ) in - p256_point_mul (k_639) (base_point_640). - -Definition point_add_distinct - (p_641 : affine_t) - (q_642 : affine_t) - : affine_result_t := - bind (point_add_jacob (affine_to_jacobian (p_641)) (affine_to_jacobian ( - q_642))) (fun r_643 => @Ok affine_t error_t (jacobian_to_affine ( - r_643))). - -Definition point_add (p_644 : affine_t) (q_645 : affine_t) : affine_result_t := - (if ((p_644) !=.? (q_645)):bool then (point_add_distinct (p_644) ( - q_645)) else (@Ok affine_t error_t (jacobian_to_affine (point_double ( - affine_to_jacobian (p_644)))))). - -Definition p256_validate_private_key (k_646 : byte_seq) : bool := - let valid_647 : bool := - true in - let k_element_648 : p256_scalar_t := - nat_mod_from_byte_seq_be (k_646) : p256_scalar_t in - let k_element_bytes_649 : seq uint8 := - nat_mod_to_byte_seq_be (k_element_648) in - let all_zero_650 : bool := - true in - let '(valid_647, all_zero_650) := - foldi (usize 0) (seq_len (k_646)) (fun i_651 '(valid_647, all_zero_650) => - let '(all_zero_650) := - if negb (uint8_equal (seq_index (k_646) (i_651)) (secret ( - @repr WORDSIZE8 0) : int8)):bool then (let all_zero_650 := - false in - (all_zero_650)) else ((all_zero_650)) in - let '(valid_647) := - if negb (uint8_equal (seq_index (k_element_bytes_649) (i_651)) ( - seq_index (k_646) (i_651))):bool then (let valid_647 := - false in - (valid_647)) else ((valid_647)) in - (valid_647, all_zero_650)) - (valid_647, all_zero_650) in - (valid_647) && (negb (all_zero_650)). - -Definition p256_validate_public_key (p_652 : affine_t) : bool := - let b_653 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 75) : int8 - ]) : p256_field_element_t in - let point_at_infinity_654 : bool := - is_point_at_infinity (affine_to_jacobian (p_652)) in - let '(x_655, y_656) := - p_652 in - let on_curve_657 : bool := - ((y_656) *% (y_656)) =.? (((((x_655) *% (x_655)) *% (x_655)) -% (( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% (x_655))) +% ( - b_653)) in - (negb (point_at_infinity_654)) && (on_curve_657). - -Definition p256_calculate_w - (x_658 : p256_field_element_t) - : p256_field_element_t := - let b_659 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 75) : int8 - ]) : p256_field_element_t in - let exp_660 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 63) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 192) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8 - ]) : p256_field_element_t in - let z_661 : p256_field_element_t := - ((((x_658) *% (x_658)) *% (x_658)) -% ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% (x_658))) +% ( - b_659) in - let w_662 : p256_field_element_t := - nat_mod_pow_felem (z_661) (exp_660) in - w_662. - diff --git a/proof-libs/coq/coq/src/Hacspec_Poly1305.v b/proof-libs/coq/coq/src/Hacspec_Poly1305.v deleted file mode 100644 index 745854dec..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Poly1305.v +++ /dev/null @@ -1,147 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition poly_key_t := nseq (uint8) (usize 32). - -Definition blocksize_v : uint_size := - usize 16. - -Definition poly_block_t := nseq (uint8) (usize 16). - -Definition poly1305_tag_t := nseq (uint8) (usize 16). - -Notation "'sub_block_t'" := (byte_seq) : hacspec_scope. - -Notation "'block_index_t'" := (uint_size) : hacspec_scope. - -Definition field_canvas_t := nseq (int8) (17). -Definition field_element_t := nat_mod 0x03fffffffffffffffffffffffffffffffb. - -Notation "'poly_state_t'" := (( - field_element_t '× - field_element_t '× - poly_key_t -)) : hacspec_scope. - -Definition poly1305_encode_r (b_435 : poly_block_t) : field_element_t := - let n_436 : uint128 := - uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_435))) in - let n_436 := - (n_436) .& (secret ( - @repr WORDSIZE128 21267647620597763993911028882763415551) : int128) in - nat_mod_from_secret_literal (n_436). - -Definition poly1305_encode_block (b_437 : poly_block_t) : field_element_t := - let n_438 : uint128 := - uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_437))) in - let f_439 : field_element_t := - nat_mod_from_secret_literal (n_438) in - (f_439) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ( - usize 128) : field_element_t). - -Definition poly1305_encode_last - (pad_len_440 : block_index_t) - (b_441 : sub_block_t) - : field_element_t := - let n_442 : uint128 := - uint128_from_le_bytes (array_from_slice (default : uint8) (16) (b_441) ( - usize 0) (seq_len (b_441))) in - let f_443 : field_element_t := - nat_mod_from_secret_literal (n_442) in - (f_443) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ((usize 8) * ( - pad_len_440)) : field_element_t). - -Definition poly1305_init (k_444 : poly_key_t) : poly_state_t := - let r_445 : field_element_t := - poly1305_encode_r (array_from_slice (default : uint8) (16) ( - array_to_seq (k_444)) (usize 0) (usize 16)) in - (nat_mod_zero , r_445, k_444). - -Definition poly1305_update_block - (b_446 : poly_block_t) - (st_447 : poly_state_t) - : poly_state_t := - let '(acc_448, r_449, k_450) := - st_447 in - (((poly1305_encode_block (b_446)) +% (acc_448)) *% (r_449), r_449, k_450). - -Definition poly1305_update_blocks - (m_451 : byte_seq) - (st_452 : poly_state_t) - : poly_state_t := - let st_453 : (field_element_t '× field_element_t '× poly_key_t) := - st_452 in - let n_blocks_454 : uint_size := - (seq_len (m_451)) / (blocksize_v) in - let st_453 := - foldi (usize 0) (n_blocks_454) (fun i_455 st_453 => - let block_456 : poly_block_t := - array_from_seq (16) (seq_get_exact_chunk (m_451) (blocksize_v) ( - i_455)) in - let st_453 := - poly1305_update_block (block_456) (st_453) in - (st_453)) - st_453 in - st_453. - -Definition poly1305_update_last - (pad_len_457 : uint_size) - (b_458 : sub_block_t) - (st_459 : poly_state_t) - : poly_state_t := - let st_460 : (field_element_t '× field_element_t '× poly_key_t) := - st_459 in - let '(st_460) := - if (seq_len (b_458)) !=.? (usize 0):bool then (let '(acc_461, r_462, k_463 - ) := - st_460 in - let st_460 := - ( - ((poly1305_encode_last (pad_len_457) (b_458)) +% (acc_461)) *% ( - r_462), - r_462, - k_463 - ) in - (st_460)) else ((st_460)) in - st_460. - -Definition poly1305_update - (m_464 : byte_seq) - (st_465 : poly_state_t) - : poly_state_t := - let st_466 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_update_blocks (m_464) (st_465) in - let last_467 : seq uint8 := - seq_get_remainder_chunk (m_464) (blocksize_v) in - poly1305_update_last (seq_len (last_467)) (last_467) (st_466). - -Definition poly1305_finish (st_468 : poly_state_t) : poly1305_tag_t := - let '(acc_469, _, k_470) := - st_468 in - let n_471 : uint128 := - uint128_from_le_bytes (array_from_slice (default : uint8) (16) ( - array_to_seq (k_470)) (usize 16) (usize 16)) in - let aby_472 : seq uint8 := - nat_mod_to_byte_seq_le (acc_469) in - let a_473 : uint128 := - uint128_from_le_bytes (array_from_slice (default : uint8) (16) (aby_472) ( - usize 0) (usize 16)) in - array_from_seq (16) (array_to_seq (uint128_to_le_bytes ((a_473) .+ (n_471)))). - -Definition poly1305 - (m_474 : byte_seq) - (key_475 : poly_key_t) - : poly1305_tag_t := - let st_476 : (field_element_t '× field_element_t '× poly_key_t) := - poly1305_init (key_475) in - let st_476 := - poly1305_update (m_474) (st_476) in - poly1305_finish (st_476). - diff --git a/proof-libs/coq/coq/src/Hacspec_Riot_Bootloader.v b/proof-libs/coq/coq/src/Hacspec_Riot_Bootloader.v deleted file mode 100644 index 32f8905cf..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Riot_Bootloader.v +++ /dev/null @@ -1,184 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition riotboot_magic_v : int32 := - @repr WORDSIZE32 1414482258. - -Notation "'fletcher_t'" := ((int32 '× int32)) : hacspec_scope. - -Definition new_fletcher : fletcher_t := - (@repr WORDSIZE32 65535, @repr WORDSIZE32 65535). - -Definition max_chunk_size : uint_size := - usize 360. - -Definition reduce_u32 (x_1293 : int32) : int32 := - ((x_1293) .& (@repr WORDSIZE32 65535)) .+ ((x_1293) shift_right ( - @repr WORDSIZE32 16)). - -Definition combine (lower_1294 : int32) (upper_1295 : int32) : int32 := - (lower_1294) .| ((upper_1295) shift_left (@repr WORDSIZE32 16)). - -Definition update_fletcher - (f_1296 : fletcher_t) - (data_1297 : seq int16) - : fletcher_t := - let max_chunk_size_1298 : uint_size := - max_chunk_size in - let '(a_1299, b_1300) := - f_1296 in - let '(a_1299, b_1300) := - foldi (usize 0) (seq_num_chunks (data_1297) ( - max_chunk_size_1298)) (fun i_1301 '(a_1299, b_1300) => - let '(chunk_len_1302, chunk_1303) := - seq_get_chunk (data_1297) (max_chunk_size_1298) (i_1301) in - let intermediate_a_1304 : int32 := - a_1299 in - let intermediate_b_1305 : int32 := - b_1300 in - let '(intermediate_a_1304, intermediate_b_1305) := - foldi (usize 0) (chunk_len_1302) (fun j_1306 '( - intermediate_a_1304, - intermediate_b_1305 - ) => - let intermediate_a_1304 := - (intermediate_a_1304) .+ (@cast _ uint32 _ (seq_index (chunk_1303) ( - j_1306))) in - let intermediate_b_1305 := - (intermediate_b_1305) .+ (intermediate_a_1304) in - (intermediate_a_1304, intermediate_b_1305)) - (intermediate_a_1304, intermediate_b_1305) in - let a_1299 := - reduce_u32 (intermediate_a_1304) in - let b_1300 := - reduce_u32 (intermediate_b_1305) in - (a_1299, b_1300)) - (a_1299, b_1300) in - let a_1299 := - reduce_u32 (a_1299) in - let b_1300 := - reduce_u32 (b_1300) in - (a_1299, b_1300). - -Definition value (x_1307 : fletcher_t) : int32 := - let '(a_1308, b_1309) := - x_1307 in - combine (a_1308) (b_1309). - -Notation "'header_t'" := ((int32 '× int32 '× int32 '× int32 -)) : hacspec_scope. - -Definition header_as_u16_slice (h_1310 : header_t) : seq int16 := - let '(magic_1311, seq_number_1312, start_addr_1313, _) := - h_1310 in - let magic_1314 : u32_word_t := - u32_to_be_bytes (magic_1311) in - let seq_number_1315 : u32_word_t := - u32_to_be_bytes (seq_number_1312) in - let start_addr_1316 : u32_word_t := - u32_to_be_bytes (start_addr_1313) in - let u8_seq_1317 : seq int8 := - seq_new_ (default : int8) (usize 12) in - let u8_seq_1318 : seq int8 := - seq_update_slice (u8_seq_1317) (usize 0) (array_to_seq (magic_1314)) ( - usize 0) (usize 4) in - let u8_seq_1319 : seq int8 := - seq_update_slice (u8_seq_1318) (usize 4) (array_to_seq (seq_number_1315)) ( - usize 0) (usize 4) in - let u8_seq_1320 : seq int8 := - seq_update_slice (u8_seq_1319) (usize 8) (array_to_seq (start_addr_1316)) ( - usize 0) (usize 4) in - let u16_seq_1321 : seq int16 := - seq_new_ (default : int16) (usize 6) in - let u16_seq_1321 := - foldi (usize 0) (usize 3) (fun i_1322 u16_seq_1321 => - let u16_word_1323 : u16_word_t := - array_from_seq (2) (seq_slice (u8_seq_1320) ((i_1322) * (usize 4)) ( - usize 2)) in - let u16_value_1324 : int16 := - u16_from_be_bytes (u16_word_1323) in - let u16_seq_1321 := - seq_upd u16_seq_1321 (((usize 2) * (i_1322)) + (usize 1)) ( - u16_value_1324) in - let u16_word_1325 : u16_word_t := - array_from_seq (2) (seq_slice (u8_seq_1320) (((i_1322) * (usize 4)) + ( - usize 2)) (usize 2)) in - let u16_value_1326 : int16 := - u16_from_be_bytes (u16_word_1325) in - let u16_seq_1321 := - seq_upd u16_seq_1321 ((usize 2) * (i_1322)) (u16_value_1326) in - (u16_seq_1321)) - u16_seq_1321 in - u16_seq_1321. - -Definition is_valid_header (h_1327 : header_t) : bool := - let '(magic_number_1328, seq_number_1329, start_addr_1330, checksum_1331) := - h_1327 in - let slice_1332 : seq int16 := - header_as_u16_slice (( - magic_number_1328, - seq_number_1329, - start_addr_1330, - checksum_1331 - )) in - let result_1333 : bool := - false in - let '(result_1333) := - if (magic_number_1328) =.? (riotboot_magic_v):bool then ( - let fletcher_1334 : (int32 '× int32) := - new_fletcher in - let fletcher_1335 : (int32 '× int32) := - update_fletcher (fletcher_1334) (slice_1332) in - let sum_1336 : int32 := - value (fletcher_1335) in - let result_1333 := - (sum_1336) =.? (checksum_1331) in - (result_1333)) else ((result_1333)) in - result_1333. - -Definition choose_image (images_1337 : seq header_t) : (bool '× int32) := - let image_1338 : int32 := - @repr WORDSIZE32 0 in - let image_found_1339 : bool := - false in - let '(image_1338, image_found_1339) := - foldi (usize 0) (seq_len (images_1337)) (fun i_1340 '( - image_1338, - image_found_1339 - ) => - let header_1341 : (int32 '× int32 '× int32 '× int32) := - seq_index (images_1337) (i_1340) in - let '(magic_number_1342, seq_number_1343, start_addr_1344, checksum_1345 - ) := - header_1341 in - let '(image_1338, image_found_1339) := - if is_valid_header (( - magic_number_1342, - seq_number_1343, - start_addr_1344, - checksum_1345 - )):bool then (let change_image_1346 : bool := - negb ((image_found_1339) && ((seq_number_1343) <=.? ( - image_1338))) in - let '(image_1338, image_found_1339) := - if change_image_1346:bool then (let image_1338 := - start_addr_1344 in - let image_found_1339 := - true in - (image_1338, image_found_1339)) else (( - image_1338, - image_found_1339 - )) in - (image_1338, image_found_1339)) else ((image_1338, image_found_1339 - )) in - (image_1338, image_found_1339)) - (image_1338, image_found_1339) in - (image_found_1339, image_1338). - diff --git a/proof-libs/coq/coq/src/Hacspec_Riot_Runqueue.v b/proof-libs/coq/coq/src/Hacspec_Riot_Runqueue.v deleted file mode 100644 index 31ad634c8..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Riot_Runqueue.v +++ /dev/null @@ -1,224 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition uint32_bits_v : uint_size := - (usize 4) * (usize 8). - -Definition n_queues_v : uint_size := - usize 20. - -Definition n_threads_v : uint_size := - usize 30. - -Definition sentinel_v : int8 := - @repr WORDSIZE8 255. - -Inductive runqueue_id_t := -| RunqueueId : int8 -> runqueue_id_t. - -Inductive thread_id_t := -| ThreadId : int8 -> thread_id_t. - -Definition tail_t := nseq (int8) (n_queues_v). - -Definition next_ids_t := nseq (int8) (n_threads_v). - -Inductive clist_t := -| Clist : (tail_t '× next_ids_t) -> clist_t. - -Definition clist_new : clist_t := - let tail_1347 : tail_t := - array_new_ (default : int8) (n_queues_v) in - let tail_1347 := - foldi (usize 0) (array_len (tail_1347)) (fun i_1348 tail_1347 => - let tail_1347 := - array_upd tail_1347 (i_1348) (sentinel_v) in - (tail_1347)) - tail_1347 in - let next_idxs_1349 : next_ids_t := - array_new_ (default : int8) (n_threads_v) in - let next_idxs_1349 := - foldi (usize 0) (array_len (next_idxs_1349)) (fun i_1350 next_idxs_1349 => - let next_idxs_1349 := - array_upd next_idxs_1349 (i_1350) (sentinel_v) in - (next_idxs_1349)) - next_idxs_1349 in - Clist ((tail_1347, next_idxs_1349)). - -Definition clist_is_empty (x_1351 : clist_t) (rq_1352 : runqueue_id_t) : bool := - let 'RunqueueId (rq_1353) := - rq_1352 in - let 'Clist ((tail_1354, next_ids_1355)) := - x_1351 in - (array_index (tail_1354) (@cast _ uint32 _ (rq_1353))) =.? (sentinel_v). - -Definition clist_push - (x_1356 : clist_t) - (n_1357 : thread_id_t) - (rq_1358 : runqueue_id_t) - : clist_t := - let 'RunqueueId (rq_1359) := - rq_1358 in - let 'ThreadId (n_1360) := - n_1357 in - let 'Clist ((tail_1361, next_idxs_1362)) := - x_1356 in - let '(tail_1361, next_idxs_1362) := - if (array_index (next_idxs_1362) (@cast _ uint32 _ (n_1360))) =.? ( - sentinel_v):bool then (let '(tail_1361, next_idxs_1362) := - if (array_index (tail_1361) (@cast _ uint32 _ (rq_1359))) =.? ( - sentinel_v):bool then (let tail_1361 := - array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in - let next_idxs_1362 := - array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (n_1360) in - (tail_1361, next_idxs_1362)) else (let next_idxs_1362 := - array_upd next_idxs_1362 (@cast _ uint32 _ (n_1360)) (array_index ( - next_idxs_1362) (@cast _ uint32 _ (array_index (tail_1361) ( - @cast _ uint32 _ (rq_1359))))) in - let next_idxs_1362 := - array_upd next_idxs_1362 (@cast _ uint32 _ (array_index ( - tail_1361) (@cast _ uint32 _ (rq_1359)))) (n_1360) in - let tail_1361 := - array_upd tail_1361 (@cast _ uint32 _ (rq_1359)) (n_1360) in - (tail_1361, next_idxs_1362)) in - (tail_1361, next_idxs_1362)) else ((tail_1361, next_idxs_1362)) in - Clist ((tail_1361, next_idxs_1362)). - -Definition clist_pop_head - (x_1363 : clist_t) - (rq_1364 : runqueue_id_t) - : (clist_t '× (option int8)) := - let 'RunqueueId (rq_1365) := - rq_1364 in - let 'Clist ((tail_1366, next_idxs_1367)) := - x_1363 in - let out_1368 : (option int8) := - @None int8 in - let '(tail_1366, next_idxs_1367, out_1368) := - if (array_index (tail_1366) (@cast _ uint32 _ (rq_1365))) =.? ( - sentinel_v):bool then ((tail_1366, next_idxs_1367, out_1368)) else ( - let head_1369 : int8 := - array_index (next_idxs_1367) (@cast _ uint32 _ (array_index ( - tail_1366) (@cast _ uint32 _ (rq_1365)))) in - let '(tail_1366, next_idxs_1367) := - if (head_1369) =.? (array_index (tail_1366) (@cast _ uint32 _ ( - rq_1365))):bool then (let tail_1366 := - array_upd tail_1366 (@cast _ uint32 _ (rq_1365)) (sentinel_v) in - (tail_1366, next_idxs_1367)) else (let next_idxs_1367 := - array_upd next_idxs_1367 (@cast _ uint32 _ (array_index ( - tail_1366) (@cast _ uint32 _ (rq_1365)))) (array_index ( - next_idxs_1367) (@cast _ uint32 _ (head_1369))) in - (tail_1366, next_idxs_1367)) in - let next_idxs_1367 := - array_upd next_idxs_1367 (@cast _ uint32 _ (head_1369)) (sentinel_v) in - let out_1368 := - @Some int8 (head_1369) in - (tail_1366, next_idxs_1367, out_1368)) in - (Clist ((tail_1366, next_idxs_1367)), out_1368). - -Definition clist_peek_head - (x_1370 : clist_t) - (rq_1371 : runqueue_id_t) - : (option int8) := - let 'RunqueueId (rq_1372) := - rq_1371 in - let 'Clist ((tail_1373, next_idxs_1374)) := - x_1370 in - (if ((array_index (tail_1373) (@cast _ uint32 _ (rq_1372))) =.? ( - sentinel_v)):bool then (@None int8) else (@Some int8 (array_index ( - next_idxs_1374) (@cast _ uint32 _ (array_index (tail_1373) ( - @cast _ uint32 _ (rq_1372))))))). - -Definition clist_advance - (x_1375 : clist_t) - (rq_1376 : runqueue_id_t) - : clist_t := - let 'RunqueueId (rq_1377) := - rq_1376 in - let 'Clist ((tail_1378, next_idxs_1379)) := - x_1375 in - let '(tail_1378) := - if (array_index (tail_1378) (@cast _ uint32 _ (rq_1377))) !=.? ( - sentinel_v):bool then (let tail_1378 := - array_upd tail_1378 (@cast _ uint32 _ (rq_1377)) (array_index ( - next_idxs_1379) (@cast _ uint32 _ (array_index (tail_1378) ( - @cast _ uint32 _ (rq_1377))))) in - (tail_1378)) else ((tail_1378)) in - Clist ((tail_1378, next_idxs_1379)). - -Inductive run_queue_t := -| RunQueue : (int32 '× clist_t) -> run_queue_t. - -Definition runqueue_new : run_queue_t := - RunQueue ((@repr WORDSIZE32 0, clist_new )). - -Definition runqueue_add - (y_1380 : run_queue_t) - (n_1381 : thread_id_t) - (rq_1382 : runqueue_id_t) - : run_queue_t := - let 'RunqueueId (rq_u8_1383) := - rq_1382 in - let 'RunQueue ((bitcache_1384, queues_1385)) := - y_1380 in - let bitcache_1384 := - (bitcache_1384) .| ((@repr WORDSIZE32 1) shift_left (@cast _ uint32 _ ( - rq_u8_1383))) in - let queues_1385 := - clist_push (queues_1385) (n_1381) (rq_1382) in - RunQueue ((bitcache_1384, queues_1385)). - -Definition runqueue_del - (y_1386 : run_queue_t) - (n_1387 : thread_id_t) - (rq_1388 : runqueue_id_t) - : run_queue_t := - let 'RunqueueId (rq_u8_1389) := - rq_1388 in - let 'RunQueue ((bitcache_1390, queues_1391)) := - y_1386 in - let '(queues_1392, popped_1393) := - clist_pop_head (queues_1391) (rq_1388) in - let '(bitcache_1390) := - if clist_is_empty (queues_1392) (rq_1388):bool then (let bitcache_1390 := - (bitcache_1390) .& (not ((@repr WORDSIZE32 1) shift_left ( - @cast _ uint32 _ (rq_u8_1389)))) in - (bitcache_1390)) else ((bitcache_1390)) in - RunQueue ((bitcache_1390, queues_1392)). - -Definition runqueue_ffs (val_1394 : int32) : int32 := - (pub_u32 (uint32_bits_v)) .- (pub_uint32_leading_zeros (val_1394)). - -Definition runqueue_get_next (y_1395 : run_queue_t) : (option int8) := - let 'RunQueue ((bitcache_1396, queues_1397)) := - y_1395 in - let rq_ffs_1398 : int32 := - runqueue_ffs ((bitcache_1396)) in - let out_1399 : (option int8) := - @None int8 in - let '(out_1399) := - if (rq_ffs_1398) >.? (@repr WORDSIZE32 0):bool then ( - let rq_1400 : runqueue_id_t := - RunqueueId (@cast _ uint8 _ ((rq_ffs_1398) .- (@repr WORDSIZE32 1))) in - let out_1399 := - clist_peek_head (queues_1397) (rq_1400) in - (out_1399)) else ((out_1399)) in - out_1399. - -Definition runqueue_advance - (y_1401 : run_queue_t) - (rq_1402 : runqueue_id_t) - : run_queue_t := - let 'RunQueue ((bitcache_1403, queues_1404)) := - y_1401 in - let queues_1404 := - clist_advance (queues_1404) (rq_1402) in - RunQueue ((bitcache_1403, queues_1404)). - diff --git a/proof-libs/coq/coq/src/Hacspec_Ristretto.v b/proof-libs/coq/coq/src/Hacspec_Ristretto.v deleted file mode 100644 index 9672ef470..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Ristretto.v +++ /dev/null @@ -1,700 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Notation "'ristretto_point_t'" := (( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t -)) : hacspec_scope. - -Notation "'decode_result_t'" := (( - result ristretto_point_t int8)) : hacspec_scope. - -Definition ristretto_point_encoded_t := nseq (uint8) (usize 32). - -Definition byte_string_t := nseq (uint8) (usize 64). - -Definition field_canvas_t := nseq (int8) (32). -Definition field_element_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. - -Definition decoding_error_v : int8 := - @repr WORDSIZE8 20. - -Definition p : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 237) : int8 - ]) : field_element_t. - -Definition d : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 140) : int8; - secret (@repr WORDSIZE8 199) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 232) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 117) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 202) : int8; - secret (@repr WORDSIZE8 19) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 163) : int8 - ]) : field_element_t. - -Definition sqrt_m1 : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 131) : int8; - secret (@repr WORDSIZE8 36) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 223) : int8; - secret (@repr WORDSIZE8 11) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 251) : int8; - secret (@repr WORDSIZE8 215) : int8; - secret (@repr WORDSIZE8 167) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 67) : int8; - secret (@repr WORDSIZE8 24) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 173) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 228) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 196) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 14) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 176) : int8 - ]) : field_element_t. - -Definition invsqrt_a_minus_d : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 137) : int8; - secret (@repr WORDSIZE8 5) : int8; - secret (@repr WORDSIZE8 207) : int8; - secret (@repr WORDSIZE8 175) : int8; - secret (@repr WORDSIZE8 252) : int8; - secret (@repr WORDSIZE8 162) : int8; - secret (@repr WORDSIZE8 22) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 123) : int8; - secret (@repr WORDSIZE8 145) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 157) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 22) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 190) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 200) : int8; - secret (@repr WORDSIZE8 253) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 93) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 234) : int8 - ]) : field_element_t. - -Definition sqrt_ad_minus_one : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 105) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 131) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 172) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 252) : int8; - secret (@repr WORDSIZE8 201) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 245) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 253) : int8; - secret (@repr WORDSIZE8 175) : int8; - secret (@repr WORDSIZE8 157) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 12) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 84) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 126) : int8; - secret (@repr WORDSIZE8 151) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 73) : int8; - secret (@repr WORDSIZE8 123) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 27) : int8 - ]) : field_element_t. - -Definition one_minus_d_sq : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 144) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 178) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 224) : int8; - secret (@repr WORDSIZE8 215) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 148) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 221) : int8; - secret (@repr WORDSIZE8 190) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 223) : int8; - secret (@repr WORDSIZE8 228) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 56) : int8; - secret (@repr WORDSIZE8 205) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 9) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 148) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 118) : int8 - ]) : field_element_t. - -Definition d_minus_one_sq : field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 122) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 34) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 220) : int8; - secret (@repr WORDSIZE8 211) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 30) : int8; - secret (@repr WORDSIZE8 25) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 173) : int8; - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 68) : int8; - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 32) : int8 - ]) : field_element_t. - -Definition base_point_encoded : ristretto_point_encoded_t := - array_from_seq (32) ([ - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 174) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 106) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 113) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 132) : int8; - secret (@repr WORDSIZE8 169) : int8; - secret (@repr WORDSIZE8 97) : int8; - secret (@repr WORDSIZE8 197) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 11) : int8; - secret (@repr WORDSIZE8 106) : int8; - secret (@repr WORDSIZE8 165) : int8; - secret (@repr WORDSIZE8 130) : int8; - secret (@repr WORDSIZE8 221) : int8; - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 166) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 224) : int8; - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 118) : int8 - ]). - -Definition base_point : ristretto_point_t := - result_unwrap (decode (base_point_encoded )). - -Definition identity_point : ristretto_point_t := - (fe (usize 0), fe (usize 1), fe (usize 1), fe (usize 0)). - -Definition fe (x_740 : uint_size) : field_element_t := - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - pub_u128 (x_740)) : field_element_t. - -Definition geq_p (x_741 : seq uint8) : bool := - let p_seq_742 : seq uint8 := - [ - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 127) : int8 - ] in - let res_743 : bool := - true in - let res_743 := - foldi (usize 0) (seq_len (p_seq_742)) (fun index_744 res_743 => - let x_index_745 : int8 := - uint8_declassify (seq_index (x_741) (index_744)) in - let p_index_746 : int8 := - uint8_declassify (seq_index (p_seq_742) (index_744)) in - let '(res_743) := - if (x_index_745) !=.? (p_index_746):bool then (let res_743 := - (x_index_745) >.? (p_index_746) in - (res_743)) else ((res_743)) in - (res_743)) - res_743 in - res_743. - -Definition is_negative (e_747 : field_element_t) : bool := - ((e_747) rem (fe (usize 2))) =.? (fe (usize 1)). - -Definition eq (u_748 : field_element_t) (v_749 : field_element_t) : bool := - (u_748) =.? (v_749). - -Definition select - (u_750 : field_element_t) - (cond_751 : bool) - (v_752 : field_element_t) - : field_element_t := - (if (cond_751):bool then (u_750) else (v_752)). - -Definition neg_fe (u_753 : field_element_t) : field_element_t := - (fe (usize 0)) -% (u_753). - -Definition abs (u_754 : field_element_t) : field_element_t := - select (neg_fe (u_754)) (is_negative (u_754)) (u_754). - -Definition sqrt_ratio_m1 - (u_755 : field_element_t) - (v_756 : field_element_t) - : (bool '× field_element_t) := - let v3_757 : field_element_t := - (nat_mod_pow (v_756) (@repr WORDSIZE128 2)) *% (v_756) in - let v7_758 : field_element_t := - (nat_mod_pow (v3_757) (@repr WORDSIZE128 2)) *% (v_756) in - let r_759 : field_element_t := - ((u_755) *% (v3_757)) *% (nat_mod_pow_felem ((u_755) *% (v7_758)) ((( - p ) -% (fe (usize 5))) /% (fe (usize 8)))) in - let check_760 : field_element_t := - (v_756) *% (nat_mod_pow (r_759) (@repr WORDSIZE128 2)) in - let correct_sign_sqrt_761 : bool := - eq (check_760) (u_755) in - let flipped_sign_sqrt_762 : bool := - eq (check_760) (neg_fe (u_755)) in - let flipped_sign_sqrt_i_763 : bool := - eq (check_760) ((neg_fe (u_755)) *% (sqrt_m1 )) in - let r_prime_764 : field_element_t := - (sqrt_m1 ) *% (r_759) in - let r_759 := - select (r_prime_764) ((flipped_sign_sqrt_762) || ( - flipped_sign_sqrt_i_763)) (r_759) in - let r_759 := - abs (r_759) in - let was_square_765 : bool := - (correct_sign_sqrt_761) || (flipped_sign_sqrt_762) in - (was_square_765, r_759). - -Definition map (t_766 : field_element_t) : ristretto_point_t := - let one_767 : field_element_t := - fe (usize 1) in - let minus_one_768 : field_element_t := - neg_fe (one_767) in - let r_769 : field_element_t := - (sqrt_m1 ) *% (nat_mod_pow (t_766) (@repr WORDSIZE128 2)) in - let u_770 : field_element_t := - ((r_769) +% (one_767)) *% (one_minus_d_sq ) in - let v_771 : field_element_t := - ((minus_one_768) -% ((r_769) *% (d ))) *% ((r_769) +% (d )) in - let '(was_square_772, s_773) := - sqrt_ratio_m1 (u_770) (v_771) in - let s_prime_774 : field_element_t := - neg_fe (abs ((s_773) *% (t_766))) in - let s_773 := - select (s_773) (was_square_772) (s_prime_774) in - let c_775 : field_element_t := - select (minus_one_768) (was_square_772) (r_769) in - let n_776 : field_element_t := - (((c_775) *% ((r_769) -% (one_767))) *% (d_minus_one_sq )) -% (v_771) in - let w0_777 : field_element_t := - ((fe (usize 2)) *% (s_773)) *% (v_771) in - let w1_778 : field_element_t := - (n_776) *% (sqrt_ad_minus_one ) in - let w2_779 : field_element_t := - (one_767) -% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in - let w3_780 : field_element_t := - (one_767) +% (nat_mod_pow (s_773) (@repr WORDSIZE128 2)) in - ( - (w0_777) *% (w3_780), - (w2_779) *% (w1_778), - (w1_778) *% (w3_780), - (w0_777) *% (w2_779) - ). - -Definition one_way_map (b_781 : byte_string_t) : ristretto_point_t := - let r0_bytes_782 : seq uint8 := - array_slice (b_781) (usize 0) (usize 32) in - let r1_bytes_783 : seq uint8 := - array_slice (b_781) (usize 32) (usize 32) in - let r0_bytes_784 : seq int8 := - seq_declassify (r0_bytes_782) in - let r1_bytes_785 : seq int8 := - seq_declassify (r1_bytes_783) in - let r0_bytes_784 := - seq_upd r0_bytes_784 (usize 31) ((seq_index (r0_bytes_784) (usize 31)) .% ( - @repr WORDSIZE8 128)) in - let r1_bytes_785 := - seq_upd r1_bytes_785 (usize 31) ((seq_index (r1_bytes_785) (usize 31)) .% ( - @repr WORDSIZE8 128)) in - let r0_786 : field_element_t := - nat_mod_from_public_byte_seq_le (r0_bytes_784) in - let r1_787 : field_element_t := - nat_mod_from_public_byte_seq_le (r1_bytes_785) in - let p1_788 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - map (r0_786) in - let p2_789 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - map (r1_787) in - add (p1_788) (p2_789). - -Definition encode (u_790 : ristretto_point_t) : ristretto_point_encoded_t := - let '(x0_791, y0_792, z0_793, t0_794) := - u_790 in - let u1_795 : field_element_t := - ((z0_793) +% (y0_792)) *% ((z0_793) -% (y0_792)) in - let u2_796 : field_element_t := - (x0_791) *% (y0_792) in - let '(_, invsqrt_797) := - sqrt_ratio_m1 (fe (usize 1)) ((u1_795) *% (nat_mod_pow (u2_796) ( - @repr WORDSIZE128 2))) in - let den1_798 : field_element_t := - (invsqrt_797) *% (u1_795) in - let den2_799 : field_element_t := - (invsqrt_797) *% (u2_796) in - let z_inv_800 : field_element_t := - ((den1_798) *% (den2_799)) *% (t0_794) in - let ix0_801 : field_element_t := - (x0_791) *% (sqrt_m1 ) in - let iy0_802 : field_element_t := - (y0_792) *% (sqrt_m1 ) in - let enchanted_denominator_803 : field_element_t := - (den1_798) *% (invsqrt_a_minus_d ) in - let rotate_804 : bool := - is_negative ((t0_794) *% (z_inv_800)) in - let x_805 : field_element_t := - select (iy0_802) (rotate_804) (x0_791) in - let y_806 : field_element_t := - select (ix0_801) (rotate_804) (y0_792) in - let z_807 : field_element_t := - z0_793 in - let den_inv_808 : field_element_t := - select (enchanted_denominator_803) (rotate_804) (den2_799) in - let y_806 := - select (neg_fe (y_806)) (is_negative ((x_805) *% (z_inv_800))) (y_806) in - let s_809 : field_element_t := - abs ((den_inv_808) *% ((z_807) -% (y_806))) in - array_update_start (array_new_ (default : uint8) (32)) ( - nat_mod_to_byte_seq_le (s_809)). - -Definition decode (u_810 : ristretto_point_encoded_t) : decode_result_t := - let ret_811 : (result ristretto_point_t int8) := - @Err ristretto_point_t int8 (decoding_error_v) in - let s_812 : field_element_t := - nat_mod_from_byte_seq_le (array_to_seq (u_810)) : field_element_t in - let '(ret_811) := - if (negb (geq_p (array_to_le_bytes (u_810)))) && (negb (is_negative ( - s_812))):bool then (let one_813 : field_element_t := - fe (usize 1) in - let ss_814 : field_element_t := - nat_mod_pow (s_812) (@repr WORDSIZE128 2) in - let u1_815 : field_element_t := - (one_813) -% (ss_814) in - let u2_816 : field_element_t := - (one_813) +% (ss_814) in - let u2_sqr_817 : field_element_t := - nat_mod_pow (u2_816) (@repr WORDSIZE128 2) in - let v_818 : field_element_t := - (neg_fe ((d ) *% (nat_mod_pow (u1_815) (@repr WORDSIZE128 2)))) -% ( - u2_sqr_817) in - let '(was_square_819, invsqrt_820) := - sqrt_ratio_m1 (one_813) ((v_818) *% (u2_sqr_817)) in - let den_x_821 : field_element_t := - (invsqrt_820) *% (u2_816) in - let den_y_822 : field_element_t := - ((invsqrt_820) *% (den_x_821)) *% (v_818) in - let x_823 : field_element_t := - abs (((s_812) +% (s_812)) *% (den_x_821)) in - let y_824 : field_element_t := - (u1_815) *% (den_y_822) in - let t_825 : field_element_t := - (x_823) *% (y_824) in - let '(ret_811) := - if negb (((negb (was_square_819)) || (is_negative (t_825))) || (( - y_824) =.? (fe (usize 0)))):bool then (let ret_811 := - @Ok ristretto_point_t int8 ((x_823, y_824, one_813, t_825)) in - (ret_811)) else ((ret_811)) in - (ret_811)) else ((ret_811)) in - ret_811. - -Definition equals - (u_826 : ristretto_point_t) - (v_827 : ristretto_point_t) - : bool := - let '(x1_828, y1_829, _, _) := - u_826 in - let '(x2_830, y2_831, _, _) := - v_827 in - (((x1_828) *% (y2_831)) =.? ((x2_830) *% (y1_829))) || (((y1_829) *% ( - y2_831)) =.? ((x1_828) *% (x2_830))). - -Definition add - (u_832 : ristretto_point_t) - (v_833 : ristretto_point_t) - : ristretto_point_t := - let '(x1_834, y1_835, z1_836, t1_837) := - u_832 in - let '(x2_838, y2_839, z2_840, t2_841) := - v_833 in - let a_842 : field_element_t := - ((y1_835) -% (x1_834)) *% ((y2_839) +% (x2_838)) in - let b_843 : field_element_t := - ((y1_835) +% (x1_834)) *% ((y2_839) -% (x2_838)) in - let c_844 : field_element_t := - ((fe (usize 2)) *% (z1_836)) *% (t2_841) in - let d_845 : field_element_t := - ((fe (usize 2)) *% (t1_837)) *% (z2_840) in - let e_846 : field_element_t := - (d_845) +% (c_844) in - let f_847 : field_element_t := - (b_843) -% (a_842) in - let g_848 : field_element_t := - (b_843) +% (a_842) in - let h_849 : field_element_t := - (d_845) -% (c_844) in - let x3_850 : field_element_t := - (e_846) *% (f_847) in - let y3_851 : field_element_t := - (g_848) *% (h_849) in - let t3_852 : field_element_t := - (e_846) *% (h_849) in - let z3_853 : field_element_t := - (f_847) *% (g_848) in - (x3_850, y3_851, z3_853, t3_852). - -Definition neg (u_854 : ristretto_point_t) : ristretto_point_t := - let '(x1_855, y1_856, z1_857, t1_858) := - u_854 in - (neg_fe (x1_855), y1_856, neg_fe (z1_857), t1_858). - -Definition sub - (u_859 : ristretto_point_t) - (v_860 : ristretto_point_t) - : ristretto_point_t := - add (u_859) (neg (v_860)). - -Definition double (u_861 : ristretto_point_t) : ristretto_point_t := - let '(x1_862, y1_863, z1_864, _) := - u_861 in - let a_865 : field_element_t := - nat_mod_pow (x1_862) (@repr WORDSIZE128 2) in - let b_866 : field_element_t := - nat_mod_pow (y1_863) (@repr WORDSIZE128 2) in - let c_867 : field_element_t := - (fe (usize 2)) *% (nat_mod_pow (z1_864) (@repr WORDSIZE128 2)) in - let h_868 : field_element_t := - (a_865) +% (b_866) in - let e_869 : field_element_t := - (h_868) -% (nat_mod_pow ((x1_862) +% (y1_863)) (@repr WORDSIZE128 2)) in - let g_870 : field_element_t := - (a_865) -% (b_866) in - let f_871 : field_element_t := - (c_867) +% (g_870) in - let x2_872 : field_element_t := - (e_869) *% (f_871) in - let y2_873 : field_element_t := - (g_870) *% (h_868) in - let t2_874 : field_element_t := - (e_869) *% (h_868) in - let z2_875 : field_element_t := - (f_871) *% (g_870) in - (x2_872, y2_873, z2_875, t2_874). - -Definition mul - (k_876 : scalar_t) - (p_877 : ristretto_point_t) - : ristretto_point_t := - let res_878 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - identity_point in - let temp_879 : ( - field_element_t '× - field_element_t '× - field_element_t '× - field_element_t - ) := - p_877 in - let '(res_878, temp_879) := - foldi (usize 0) (usize 256) (fun i_880 '(res_878, temp_879) => - let '(res_878) := - if (nat_mod_get_bit (k_876) (i_880)) =.? (nat_mod_from_literal ( - 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed) ( - @repr WORDSIZE128 1) : scalar_t):bool then (let res_878 := - add (res_878) (temp_879) in - (res_878)) else ((res_878)) in - let temp_879 := - double (temp_879) in - (res_878, temp_879)) - (res_878, temp_879) in - res_878. - diff --git a/proof-libs/coq/coq/src/Hacspec_Rsa_Fdh_Vrf.v b/proof-libs/coq/coq/src/Hacspec_Rsa_Fdh_Vrf.v deleted file mode 100644 index 1e62ce5df..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Rsa_Fdh_Vrf.v +++ /dev/null @@ -1,70 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Require Import Hacspec_Rsa_Pkcs1. - -Definition int_byte_t := nseq (uint8) (usize 1). - -Definition one_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 1) : int8] in l). - -Definition two_v : int_byte_t := - array_from_list uint8 (let l := [secret (@repr WORDSIZE8 2) : int8] in l). - -Definition suite_string_v : int_byte_t := - one_v. - -Definition vrf_mgf1 - (n_2644 : rsa_int_t) - (alpha_2645 : byte_seq) - : byte_seq_result_t := - bind (i2osp (rsa_int_from_literal (@cast _ uint128 _ (byte_size_v))) ( - @repr WORDSIZE32 4)) (fun mgf_salt1_2646 => bind (i2osp (n_2644) ( - byte_size_v)) (fun mgf_salt2_2647 => let mgf_salt_2648 : seq uint8 := - seq_concat (mgf_salt1_2646) (mgf_salt2_2647) in - let mgf_string_2649 : seq uint8 := - seq_concat (seq_concat (array_concat (suite_string_v) ( - array_to_seq (one_v))) (mgf_salt_2648)) (alpha_2645) in - bind (mgf1 (mgf_string_2649) ((@cast _ uint32 _ (byte_size_v)) - ( - usize 1))) (fun mgf_2650 => @Ok seq uint8 error_t (mgf_2650)))). - -Definition prove (sk_2651 : sk_t) (alpha_2652 : byte_seq) : byte_seq_result_t := - let '(n_2653, d_2654) := - (sk_2651) in - bind (vrf_mgf1 (n_2653) (alpha_2652)) (fun em_2655 => - let m_2656 : rsa_int_t := - os2ip (em_2655) in - bind (rsasp1 (sk_2651) (m_2656)) (fun s_2657 => i2osp (s_2657) ( - byte_size_v))). - -Definition proof_to_hash (pi_string_2658 : byte_seq) : byte_seq_result_t := - let hash_string_2659 : seq uint8 := - array_concat (suite_string_v) (array_concat (two_v) (pi_string_2658)) in - @Ok seq uint8 error_t (array_slice (sha256 (hash_string_2659)) (usize 0) ( - usize 32)). - -Definition verify - (pk_2660 : pk_t) - (alpha_2661 : byte_seq) - (pi_string_2662 : byte_seq) - : byte_seq_result_t := - let '(n_2663, e_2664) := - (pk_2660) in - let s_2665 : rsa_int_t := - os2ip (pi_string_2662) in - bind (rsavp1 (pk_2660) (s_2665)) (fun m_2666 => bind (vrf_mgf1 (n_2663) ( - alpha_2661)) (fun em_prime_2667 => let m_prime_2668 : rsa_int_t := - os2ip (em_prime_2667) in - (if ((m_2666) =.? (m_prime_2668)):bool then (proof_to_hash ( - pi_string_2662)) else (@Err seq uint8 error_t ( - VerificationFailed))))). - diff --git a/proof-libs/coq/coq/src/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/coq/src/Hacspec_Rsa_Pkcs1.v deleted file mode 100644 index 150f38634..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Rsa_Pkcs1.v +++ /dev/null @@ -1,121 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition bit_size_v : int32 := - @repr WORDSIZE32 2048. - -Definition byte_size_v : int32 := - (@repr WORDSIZE32 2048) ./ (@repr WORDSIZE32 8). - -Definition hlen_v : uint_size := - usize 32. - -Definition rsa_int_t := nat_mod pow2 2048. - -Inductive error_t := -| InvalidLength : error_t -| MessageTooLarge : error_t -| DecryptionFailed : error_t -| VerificationFailed : error_t. - -Definition eqb_error_t (x y : error_t) : bool := -match x with - | InvalidLength => match y with | InvalidLength=> true | _ => false end - | MessageTooLarge => match y with | MessageTooLarge=> true | _ => false end - | DecryptionFailed => match y with | DecryptionFailed=> true | _ => false end - | VerificationFailed => - match y with - | VerificationFailed=> true - | _ => false - end - end. - -Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_error_t : EqDec (error_t) := -Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). - - -Notation "'pk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. - -Notation "'sk_t'" := ((rsa_int_t '× rsa_int_t)) : hacspec_scope. - -Notation "'key_pair_t'" := ((pk_t '× sk_t)) : hacspec_scope. - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Notation "'rsa_int_result_t'" := ((result rsa_int_t error_t)) : hacspec_scope. - -Definition rsaep (pk_2530 : pk_t) (m_2531 : rsa_int_t) : rsa_int_result_t := - let '(n_2532, e_2533) := - pk_2530 in - (if ((m_2531) >.? ((n_2532) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (m_2531) (e_2533) (n_2532)))). - -Definition rsadp (sk_2534 : sk_t) (c_2535 : rsa_int_t) : rsa_int_result_t := - let '(n_2536, d_2537) := - sk_2534 in - (if ((c_2535) >.? ((n_2536) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (c_2535) (d_2537) (n_2536)))). - -Definition rsasp1 (sk_2538 : sk_t) (m_2539 : rsa_int_t) : rsa_int_result_t := - let '(n_2540, d_2541) := - sk_2538 in - (if ((m_2539) >.? ((n_2540) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (m_2539) (d_2541) (n_2540)))). - -Definition rsavp1 (pk_2542 : pk_t) (s_2543 : rsa_int_t) : rsa_int_result_t := - let '(n_2544, e_2545) := - pk_2542 in - (if ((s_2543) >.? ((n_2544) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (s_2543) (e_2545) (n_2544)))). - -Definition i2osp - (x_2546 : rsa_int_t) - (x_len_2547 : int32) - : byte_seq_result_t := - (if (((x_2546) >=.? (nat_mod_exp (nat_mod_from_literal (0x) ( - @repr WORDSIZE128 256) : rsa_int_t) (x_len_2547))) && (( - x_len_2547) !=.? (byte_size_v))):bool then (@Err byte_seq error_t ( - InvalidLength)) else (@Ok byte_seq error_t (seq_slice ( - nat_mod_to_byte_seq_be (x_2546)) (@cast _ uint32 _ ((byte_size_v) .- ( - x_len_2547))) (@cast _ uint32 _ (x_len_2547))))). - -Definition os2ip (x_2548 : byte_seq) : rsa_int_t := - nat_mod_from_byte_seq_be (x_2548) : rsa_int_t. - -Definition mgf1 - (mgf_seed_2549 : byte_seq) - (mask_len_2550 : uint_size) - : byte_seq_result_t := - let result_2551 : (result byte_seq error_t) := - @Err byte_seq error_t (InvalidLength) in - ifbnd (mask_len_2550) <.? ((usize 2) .^ ((usize 32) * (hlen_v))) : bool - thenbnd (let t_2552 : seq uint8 := - seq_new_ (default : uint8) (usize 0) in - bind (foldibnd (usize 0) to (((mask_len_2550) + (usize 32)) / ( - usize 32)) for t_2552 >> (fun i_2553 t_2552 => - bind (i2osp (nat_mod_from_literal (0x) (pub_u128 (i_2553)) : rsa_int_t) ( - @repr WORDSIZE32 4)) (fun x_2554 => let t_2552 := - seq_concat (t_2552) (array_to_seq (sha256 (seq_concat ( - mgf_seed_2549) (x_2554)))) in - @Ok (seq uint8) error_t ((t_2552))))) (fun t_2552 => let result_2551 := - @Ok byte_seq error_t (seq_slice (t_2552) (usize 0) (mask_len_2550)) in - @Ok ((result byte_seq error_t)) error_t ((result_2551)))) - else ((result_2551)) >> (fun '(result_2551) => - result_2551). - diff --git a/proof-libs/coq/coq/src/Hacspec_Sha1.v b/proof-libs/coq/coq/src/Hacspec_Sha1.v deleted file mode 100644 index f633b67ac..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Sha1.v +++ /dev/null @@ -1,205 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition schedule_t := nseq (uint32) (usize 80). - -Definition block_words_v : uint_size := - (usize 512) / (usize 32). - -Definition hash_words_v : uint_size := - (usize 160) / (usize 32). - -Definition block_t := nseq (uint32) (block_words_v). - -Definition hash_t := nseq (uint32) (hash_words_v). - -Definition block_bytes_v : uint_size := - (usize 512) / (usize 8). - -Definition hash_bytes_v : uint_size := - (usize 160) / (usize 8). - -Definition block_bytes_t := nseq (uint8) (block_bytes_v). - -Definition sha1_digest_t := nseq (uint8) (hash_bytes_v). - -Definition bitlength_bytes_v : uint_size := - (usize 64) / (usize 8). - -Definition ch (x_1225 : uint32) (y_1226 : uint32) (z_1227 : uint32) : uint32 := - ((x_1225) .& (y_1226)) .^ ((not (x_1225)) .& (z_1227)). - -Definition parity - (x_1228 : uint32) - (y_1229 : uint32) - (z_1230 : uint32) - : uint32 := - ((x_1228) .^ (y_1229)) .^ (z_1230). - -Definition maj (x_1231 : uint32) (y_1232 : uint32) (z_1233 : uint32) : uint32 := - (((x_1231) .& (y_1232)) .^ ((x_1231) .& (z_1233))) .^ ((y_1232) .& (z_1233)). - -Definition hash_init_v : hash_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1732584193) : int32; - secret (@repr WORDSIZE32 4023233417) : int32; - secret (@repr WORDSIZE32 2562383102) : int32; - secret (@repr WORDSIZE32 271733878) : int32; - secret (@repr WORDSIZE32 3285377520) : int32 - ] in l). - -Definition compress (m_bytes_1234 : block_bytes_t) (h_1235 : hash_t) : hash_t := - let m_1236 : seq uint32 := - array_to_be_uint32s (m_bytes_1234) in - let w_1237 : schedule_t := - array_new_ (default : uint32) (80) in - let w_1237 := - foldi (usize 0) (usize 80) (fun t_1238 w_1237 => - let '(w_1237) := - if (t_1238) <.? (usize 16):bool then (let w_1237 := - array_upd w_1237 (t_1238) (seq_index (m_1236) (t_1238)) in - (w_1237)) else (let w_1237 := - array_upd w_1237 (t_1238) (uint32_rotate_left ((((array_index ( - w_1237) ((t_1238) - (usize 3))) .^ (array_index ( - w_1237) ((t_1238) - (usize 8)))) .^ (array_index ( - w_1237) ((t_1238) - (usize 14)))) .^ (array_index ( - w_1237) ((t_1238) - (usize 16)))) (usize 1)) in - (w_1237)) in - (w_1237)) - w_1237 in - let a_1239 : uint32 := - array_index (h_1235) (usize 0) in - let b_1240 : uint32 := - array_index (h_1235) (usize 1) in - let c_1241 : uint32 := - array_index (h_1235) (usize 2) in - let d_1242 : uint32 := - array_index (h_1235) (usize 3) in - let e_1243 : uint32 := - array_index (h_1235) (usize 4) in - let '(a_1239, b_1240, c_1241, d_1242, e_1243) := - foldi (usize 0) (usize 80) (fun t_1244 '( - a_1239, - b_1240, - c_1241, - d_1242, - e_1243 - ) => - let t_1245 : uint32 := - uint32_zero in - let '(t_1245) := - if ((usize 0) <=.? (t_1244)) && ((t_1244) <.? (usize 20)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (ch (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 1518500249) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let '(t_1245) := - if ((usize 20) <=.? (t_1244)) && ((t_1244) <.? (usize 40)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 1859775393) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let '(t_1245) := - if ((usize 40) <=.? (t_1244)) && ((t_1244) <.? (usize 60)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (maj (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 2400959708) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let '(t_1245) := - if ((usize 60) <=.? (t_1244)) && ((t_1244) <.? (usize 80)):bool then ( - let t_1245 := - ((((uint32_rotate_left (a_1239) (usize 5)) .+ (parity (b_1240) ( - c_1241) (d_1242))) .+ (e_1243)) .+ (secret ( - @repr WORDSIZE32 3395469782) : int32)) .+ (array_index ( - w_1237) (t_1244)) in - (t_1245)) else ((t_1245)) in - let e_1243 := - d_1242 in - let d_1242 := - c_1241 in - let c_1241 := - uint32_rotate_left (b_1240) (usize 30) in - let b_1240 := - a_1239 in - let a_1239 := - t_1245 in - (a_1239, b_1240, c_1241, d_1242, e_1243)) - (a_1239, b_1240, c_1241, d_1242, e_1243) in - let h_1235 := - array_upd h_1235 (usize 0) ((a_1239) .+ (array_index (h_1235) ( - usize 0))) in - let h_1235 := - array_upd h_1235 (usize 1) ((b_1240) .+ (array_index (h_1235) ( - usize 1))) in - let h_1235 := - array_upd h_1235 (usize 2) ((c_1241) .+ (array_index (h_1235) ( - usize 2))) in - let h_1235 := - array_upd h_1235 (usize 3) ((d_1242) .+ (array_index (h_1235) ( - usize 3))) in - let h_1235 := - array_upd h_1235 (usize 4) ((e_1243) .+ (array_index (h_1235) ( - usize 4))) in - h_1235. - -Definition hash (msg_1246 : byte_seq) : sha1_digest_t := - let h_1247 : hash_t := - hash_init_v in - let h_1247 := - foldi (usize 0) (seq_num_exact_chunks (msg_1246) ( - block_bytes_v)) (fun i_1248 h_1247 => - let raw_bytes_1249 : seq uint8 := - seq_get_exact_chunk (msg_1246) (block_bytes_v) (i_1248) in - let block_bytes_1250 : block_bytes_t := - array_from_seq (block_bytes_v) (raw_bytes_1249) in - let h_1247 := - compress (block_bytes_1250) (h_1247) in - (h_1247)) - h_1247 in - let raw_bytes_1251 : seq uint8 := - seq_get_remainder_chunk (msg_1246) (block_bytes_v) in - let block_bytes_1252 : block_bytes_t := - array_update_start (array_new_ (default : uint8) (block_bytes_v)) ( - raw_bytes_1251) in - let block_bytes_1252 := - array_upd block_bytes_1252 (seq_len (raw_bytes_1251)) (secret ( - @repr WORDSIZE8 128) : int8) in - let message_bitlength_1253 : uint64 := - secret (pub_u64 ((seq_len (msg_1246)) * (usize 8))) : int64 in - let '(h_1247, block_bytes_1252) := - if (seq_len (raw_bytes_1251)) <.? ((block_bytes_v) - ( - bitlength_bytes_v)):bool then (let block_bytes_1252 := - array_update (block_bytes_1252) ((block_bytes_v) - ( - bitlength_bytes_v)) (array_to_seq (uint64_to_be_bytes ( - message_bitlength_1253))) in - let h_1247 := - compress (block_bytes_1252) (h_1247) in - (h_1247, block_bytes_1252)) else (let h_1247 := - compress (block_bytes_1252) (h_1247) in - let pad_block_1254 : block_bytes_t := - array_new_ (default : uint8) (block_bytes_v) in - let pad_block_1254 := - array_update (pad_block_1254) ((block_bytes_v) - (bitlength_bytes_v)) ( - array_to_seq (uint64_to_be_bytes (message_bitlength_1253))) in - let h_1247 := - compress (pad_block_1254) (h_1247) in - (h_1247, block_bytes_1252)) in - array_from_seq (hash_bytes_v) (array_to_be_bytes (h_1247)). - -Definition sha1 (msg_1255 : byte_seq) : sha1_digest_t := - hash (msg_1255). - diff --git a/proof-libs/coq/coq/src/Hacspec_Sha256.v b/proof-libs/coq/coq/src/Hacspec_Sha256.v deleted file mode 100644 index 782c6f634..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Sha256.v +++ /dev/null @@ -1,305 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition block_size_v : uint_size := - usize 64. - -Definition len_size_v : uint_size := - usize 8. - -Definition k_size_v : uint_size := - usize 64. - -Definition hash_size_v : uint_size := - (usize 256) / (usize 8). - -Definition block_t := nseq (uint8) (block_size_v). - -Definition op_table_type_t := nseq (uint_size) (usize 12). - -Definition sha256_digest_t := nseq (uint8) (hash_size_v). - -Definition round_constants_table_t := nseq (uint32) (k_size_v). - -Definition hash_t := nseq (uint32) (usize 8). - -Definition ch (x_663 : uint32) (y_664 : uint32) (z_665 : uint32) : uint32 := - ((x_663) .& (y_664)) .^ ((not (x_663)) .& (z_665)). - -Definition maj (x_666 : uint32) (y_667 : uint32) (z_668 : uint32) : uint32 := - ((x_666) .& (y_667)) .^ (((x_666) .& (z_668)) .^ ((y_667) .& (z_668))). - -Definition op_table_v : op_table_type_t := - array_from_list uint_size (let l := - [ - usize 2; - usize 13; - usize 22; - usize 6; - usize 11; - usize 25; - usize 7; - usize 18; - usize 3; - usize 17; - usize 19; - usize 10 - ] in l). - -Definition k_table_v : round_constants_table_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1116352408) : int32; - secret (@repr WORDSIZE32 1899447441) : int32; - secret (@repr WORDSIZE32 3049323471) : int32; - secret (@repr WORDSIZE32 3921009573) : int32; - secret (@repr WORDSIZE32 961987163) : int32; - secret (@repr WORDSIZE32 1508970993) : int32; - secret (@repr WORDSIZE32 2453635748) : int32; - secret (@repr WORDSIZE32 2870763221) : int32; - secret (@repr WORDSIZE32 3624381080) : int32; - secret (@repr WORDSIZE32 310598401) : int32; - secret (@repr WORDSIZE32 607225278) : int32; - secret (@repr WORDSIZE32 1426881987) : int32; - secret (@repr WORDSIZE32 1925078388) : int32; - secret (@repr WORDSIZE32 2162078206) : int32; - secret (@repr WORDSIZE32 2614888103) : int32; - secret (@repr WORDSIZE32 3248222580) : int32; - secret (@repr WORDSIZE32 3835390401) : int32; - secret (@repr WORDSIZE32 4022224774) : int32; - secret (@repr WORDSIZE32 264347078) : int32; - secret (@repr WORDSIZE32 604807628) : int32; - secret (@repr WORDSIZE32 770255983) : int32; - secret (@repr WORDSIZE32 1249150122) : int32; - secret (@repr WORDSIZE32 1555081692) : int32; - secret (@repr WORDSIZE32 1996064986) : int32; - secret (@repr WORDSIZE32 2554220882) : int32; - secret (@repr WORDSIZE32 2821834349) : int32; - secret (@repr WORDSIZE32 2952996808) : int32; - secret (@repr WORDSIZE32 3210313671) : int32; - secret (@repr WORDSIZE32 3336571891) : int32; - secret (@repr WORDSIZE32 3584528711) : int32; - secret (@repr WORDSIZE32 113926993) : int32; - secret (@repr WORDSIZE32 338241895) : int32; - secret (@repr WORDSIZE32 666307205) : int32; - secret (@repr WORDSIZE32 773529912) : int32; - secret (@repr WORDSIZE32 1294757372) : int32; - secret (@repr WORDSIZE32 1396182291) : int32; - secret (@repr WORDSIZE32 1695183700) : int32; - secret (@repr WORDSIZE32 1986661051) : int32; - secret (@repr WORDSIZE32 2177026350) : int32; - secret (@repr WORDSIZE32 2456956037) : int32; - secret (@repr WORDSIZE32 2730485921) : int32; - secret (@repr WORDSIZE32 2820302411) : int32; - secret (@repr WORDSIZE32 3259730800) : int32; - secret (@repr WORDSIZE32 3345764771) : int32; - secret (@repr WORDSIZE32 3516065817) : int32; - secret (@repr WORDSIZE32 3600352804) : int32; - secret (@repr WORDSIZE32 4094571909) : int32; - secret (@repr WORDSIZE32 275423344) : int32; - secret (@repr WORDSIZE32 430227734) : int32; - secret (@repr WORDSIZE32 506948616) : int32; - secret (@repr WORDSIZE32 659060556) : int32; - secret (@repr WORDSIZE32 883997877) : int32; - secret (@repr WORDSIZE32 958139571) : int32; - secret (@repr WORDSIZE32 1322822218) : int32; - secret (@repr WORDSIZE32 1537002063) : int32; - secret (@repr WORDSIZE32 1747873779) : int32; - secret (@repr WORDSIZE32 1955562222) : int32; - secret (@repr WORDSIZE32 2024104815) : int32; - secret (@repr WORDSIZE32 2227730452) : int32; - secret (@repr WORDSIZE32 2361852424) : int32; - secret (@repr WORDSIZE32 2428436474) : int32; - secret (@repr WORDSIZE32 2756734187) : int32; - secret (@repr WORDSIZE32 3204031479) : int32; - secret (@repr WORDSIZE32 3329325298) : int32 - ] in l). - -Definition hash_init_v : hash_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1779033703) : int32; - secret (@repr WORDSIZE32 3144134277) : int32; - secret (@repr WORDSIZE32 1013904242) : int32; - secret (@repr WORDSIZE32 2773480762) : int32; - secret (@repr WORDSIZE32 1359893119) : int32; - secret (@repr WORDSIZE32 2600822924) : int32; - secret (@repr WORDSIZE32 528734635) : int32; - secret (@repr WORDSIZE32 1541459225) : int32 - ] in l). - -Definition sigma - (x_669 : uint32) - (i_670 : uint_size) - (op_671 : uint_size) - : uint32 := - let tmp_672 : uint32 := - uint32_rotate_right (x_669) (array_index (op_table_v) (((usize 3) * ( - i_670)) + (usize 2))) in - let '(tmp_672) := - if (op_671) =.? (usize 0):bool then (let tmp_672 := - (x_669) shift_right (array_index (op_table_v) (((usize 3) * (i_670)) + ( - usize 2))) in - (tmp_672)) else ((tmp_672)) in - ((uint32_rotate_right (x_669) (array_index (op_table_v) ((usize 3) * ( - i_670)))) .^ (uint32_rotate_right (x_669) (array_index ( - op_table_v) (((usize 3) * (i_670)) + (usize 1))))) .^ (tmp_672). - -Definition schedule (block_673 : block_t) : round_constants_table_t := - let b_674 : seq uint32 := - array_to_be_uint32s (block_673) in - let s_675 : round_constants_table_t := - array_new_ (default : uint32) (k_size_v) in - let s_675 := - foldi (usize 0) (k_size_v) (fun i_676 s_675 => - let '(s_675) := - if (i_676) <.? (usize 16):bool then (let s_675 := - array_upd s_675 (i_676) (seq_index (b_674) (i_676)) in - (s_675)) else (let t16_677 : uint32 := - array_index (s_675) ((i_676) - (usize 16)) in - let t15_678 : uint32 := - array_index (s_675) ((i_676) - (usize 15)) in - let t7_679 : uint32 := - array_index (s_675) ((i_676) - (usize 7)) in - let t2_680 : uint32 := - array_index (s_675) ((i_676) - (usize 2)) in - let s1_681 : uint32 := - sigma (t2_680) (usize 3) (usize 0) in - let s0_682 : uint32 := - sigma (t15_678) (usize 2) (usize 0) in - let s_675 := - array_upd s_675 (i_676) ((((s1_681) .+ (t7_679)) .+ (s0_682)) .+ ( - t16_677)) in - (s_675)) in - (s_675)) - s_675 in - s_675. - -Definition shuffle - (ws_683 : round_constants_table_t) - (hashi_684 : hash_t) - : hash_t := - let h_685 : hash_t := - hashi_684 in - let h_685 := - foldi (usize 0) (k_size_v) (fun i_686 h_685 => - let a0_687 : uint32 := - array_index (h_685) (usize 0) in - let b0_688 : uint32 := - array_index (h_685) (usize 1) in - let c0_689 : uint32 := - array_index (h_685) (usize 2) in - let d0_690 : uint32 := - array_index (h_685) (usize 3) in - let e0_691 : uint32 := - array_index (h_685) (usize 4) in - let f0_692 : uint32 := - array_index (h_685) (usize 5) in - let g0_693 : uint32 := - array_index (h_685) (usize 6) in - let h0_694 : uint32 := - array_index (h_685) (usize 7) in - let t1_695 : uint32 := - ((((h0_694) .+ (sigma (e0_691) (usize 1) (usize 1))) .+ (ch (e0_691) ( - f0_692) (g0_693))) .+ (array_index (k_table_v) (i_686))) .+ ( - array_index (ws_683) (i_686)) in - let t2_696 : uint32 := - (sigma (a0_687) (usize 0) (usize 1)) .+ (maj (a0_687) (b0_688) ( - c0_689)) in - let h_685 := - array_upd h_685 (usize 0) ((t1_695) .+ (t2_696)) in - let h_685 := - array_upd h_685 (usize 1) (a0_687) in - let h_685 := - array_upd h_685 (usize 2) (b0_688) in - let h_685 := - array_upd h_685 (usize 3) (c0_689) in - let h_685 := - array_upd h_685 (usize 4) ((d0_690) .+ (t1_695)) in - let h_685 := - array_upd h_685 (usize 5) (e0_691) in - let h_685 := - array_upd h_685 (usize 6) (f0_692) in - let h_685 := - array_upd h_685 (usize 7) (g0_693) in - (h_685)) - h_685 in - h_685. - -Definition compress (block_697 : block_t) (h_in_698 : hash_t) : hash_t := - let s_699 : round_constants_table_t := - schedule (block_697) in - let h_700 : hash_t := - shuffle (s_699) (h_in_698) in - let h_700 := - foldi (usize 0) (usize 8) (fun i_701 h_700 => - let h_700 := - array_upd h_700 (i_701) ((array_index (h_700) (i_701)) .+ (array_index ( - h_in_698) (i_701))) in - (h_700)) - h_700 in - h_700. - -Definition hash (msg_702 : byte_seq) : sha256_digest_t := - let h_703 : hash_t := - hash_init_v in - let last_block_704 : block_t := - array_new_ (default : uint8) (block_size_v) in - let last_block_len_705 : uint_size := - usize 0 in - let '(h_703, last_block_704, last_block_len_705) := - foldi (usize 0) (seq_num_chunks (msg_702) (block_size_v)) (fun i_706 '( - h_703, - last_block_704, - last_block_len_705 - ) => - let '(block_len_707, block_708) := - seq_get_chunk (msg_702) (block_size_v) (i_706) in - let '(h_703, last_block_704, last_block_len_705) := - if (block_len_707) <.? (block_size_v):bool then (let last_block_704 := - array_update_start (array_new_ (default : uint8) (block_size_v)) ( - block_708) in - let last_block_len_705 := - block_len_707 in - (h_703, last_block_704, last_block_len_705)) else ( - let compress_input_709 : block_t := - array_from_seq (block_size_v) (block_708) in - let h_703 := - compress (compress_input_709) (h_703) in - (h_703, last_block_704, last_block_len_705)) in - (h_703, last_block_704, last_block_len_705)) - (h_703, last_block_704, last_block_len_705) in - let last_block_704 := - array_upd last_block_704 (last_block_len_705) (secret ( - @repr WORDSIZE8 128) : int8) in - let len_bist_710 : uint64 := - secret (pub_u64 ((seq_len (msg_702)) * (usize 8))) : int64 in - let '(h_703, last_block_704) := - if (last_block_len_705) <.? ((block_size_v) - (len_size_v)):bool then ( - let last_block_704 := - array_update (last_block_704) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint64_to_be_bytes (len_bist_710))) in - let h_703 := - compress (last_block_704) (h_703) in - (h_703, last_block_704)) else (let pad_block_711 : block_t := - array_new_ (default : uint8) (block_size_v) in - let pad_block_711 := - array_update (pad_block_711) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint64_to_be_bytes (len_bist_710))) in - let h_703 := - compress (last_block_704) (h_703) in - let h_703 := - compress (pad_block_711) (h_703) in - (h_703, last_block_704)) in - array_from_seq (hash_size_v) (array_to_be_bytes (h_703)). - -Definition sha256 (msg_712 : byte_seq) : sha256_digest_t := - hash (msg_712). - diff --git a/proof-libs/coq/coq/src/Hacspec_Sha3.v b/proof-libs/coq/coq/src/Hacspec_Sha3.v deleted file mode 100644 index 91088d815..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Sha3.v +++ /dev/null @@ -1,357 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition rounds_v : uint_size := - usize 24. - -Definition sha3224_rate_v : uint_size := - usize 144. - -Definition sha3256_rate_v : uint_size := - usize 136. - -Definition sha3384_rate_v : uint_size := - usize 104. - -Definition sha3512_rate_v : uint_size := - usize 72. - -Definition shake128_rate_v : uint_size := - usize 168. - -Definition shake256_rate_v : uint_size := - usize 136. - -Definition state_t := nseq (uint64) (usize 25). - -Definition row_t := nseq (uint64) (usize 5). - -Definition digest224_t := nseq (uint8) (usize 28). - -Definition digest256_t := nseq (uint8) (usize 32). - -Definition digest384_t := nseq (uint8) (usize 48). - -Definition digest512_t := nseq (uint8) (usize 64). - -Definition round_constants_t := nseq (int64) (rounds_v). - -Definition rotation_constants_t := nseq (uint_size) (usize 25). - -Definition roundconstants_v : round_constants_t := - array_from_list int64 (let l := - [ - @repr WORDSIZE64 1; - @repr WORDSIZE64 32898; - @repr WORDSIZE64 9223372036854808714; - @repr WORDSIZE64 9223372039002292224; - @repr WORDSIZE64 32907; - @repr WORDSIZE64 2147483649; - @repr WORDSIZE64 9223372039002292353; - @repr WORDSIZE64 9223372036854808585; - @repr WORDSIZE64 138; - @repr WORDSIZE64 136; - @repr WORDSIZE64 2147516425; - @repr WORDSIZE64 2147483658; - @repr WORDSIZE64 2147516555; - @repr WORDSIZE64 9223372036854775947; - @repr WORDSIZE64 9223372036854808713; - @repr WORDSIZE64 9223372036854808579; - @repr WORDSIZE64 9223372036854808578; - @repr WORDSIZE64 9223372036854775936; - @repr WORDSIZE64 32778; - @repr WORDSIZE64 9223372039002259466; - @repr WORDSIZE64 9223372039002292353; - @repr WORDSIZE64 9223372036854808704; - @repr WORDSIZE64 2147483649; - @repr WORDSIZE64 9223372039002292232 - ] in l). - -Definition rotc_v : rotation_constants_t := - array_from_list uint_size (let l := - [ - usize 0; - usize 1; - usize 62; - usize 28; - usize 27; - usize 36; - usize 44; - usize 6; - usize 55; - usize 20; - usize 3; - usize 10; - usize 43; - usize 25; - usize 39; - usize 41; - usize 45; - usize 15; - usize 21; - usize 8; - usize 18; - usize 2; - usize 61; - usize 56; - usize 14 - ] in l). - -Definition pi_v : rotation_constants_t := - array_from_list uint_size (let l := - [ - usize 0; - usize 6; - usize 12; - usize 18; - usize 24; - usize 3; - usize 9; - usize 10; - usize 16; - usize 22; - usize 1; - usize 7; - usize 13; - usize 19; - usize 20; - usize 4; - usize 5; - usize 11; - usize 17; - usize 23; - usize 2; - usize 8; - usize 14; - usize 15; - usize 21 - ] in l). - -Definition theta (s_1068 : state_t) : state_t := - let b_1069 : row_t := - array_new_ (default : uint64) (5) in - let b_1069 := - foldi (usize 0) (usize 5) (fun i_1070 b_1069 => - let b_1069 := - array_upd b_1069 (i_1070) (((((array_index (s_1068) (i_1070)) .^ ( - array_index (s_1068) ((i_1070) + (usize 5)))) .^ ( - array_index (s_1068) ((i_1070) + (usize 10)))) .^ (array_index ( - s_1068) ((i_1070) + (usize 15)))) .^ (array_index (s_1068) (( - i_1070) + (usize 20)))) in - (b_1069)) - b_1069 in - let s_1068 := - foldi (usize 0) (usize 5) (fun i_1071 s_1068 => - let u_1072 : uint64 := - array_index (b_1069) (((i_1071) + (usize 1)) %% (usize 5)) in - let t_1073 : uint64 := - (array_index (b_1069) (((i_1071) + (usize 4)) %% (usize 5))) .^ ( - uint64_rotate_left (u_1072) (usize 1)) in - let s_1068 := - foldi (usize 0) (usize 5) (fun j_1074 s_1068 => - let s_1068 := - array_upd s_1068 (((usize 5) * (j_1074)) + (i_1071)) ((array_index ( - s_1068) (((usize 5) * (j_1074)) + (i_1071))) .^ (t_1073)) in - (s_1068)) - s_1068 in - (s_1068)) - s_1068 in - s_1068. - -Definition rho (s_1075 : state_t) : state_t := - let s_1075 := - foldi (usize 0) (usize 25) (fun i_1076 s_1075 => - let u_1077 : uint64 := - array_index (s_1075) (i_1076) in - let s_1075 := - array_upd s_1075 (i_1076) (uint64_rotate_left (u_1077) (array_index ( - rotc_v) (i_1076))) in - (s_1075)) - s_1075 in - s_1075. - -Definition pi (s_1078 : state_t) : state_t := - let v_1079 : state_t := - array_new_ (default : uint64) (25) in - let v_1079 := - foldi (usize 0) (usize 25) (fun i_1080 v_1079 => - let v_1079 := - array_upd v_1079 (i_1080) (array_index (s_1078) (array_index (pi_v) ( - i_1080))) in - (v_1079)) - v_1079 in - v_1079. - -Definition chi (s_1081 : state_t) : state_t := - let b_1082 : row_t := - array_new_ (default : uint64) (5) in - let '(s_1081, b_1082) := - foldi (usize 0) (usize 5) (fun i_1083 '(s_1081, b_1082) => - let b_1082 := - foldi (usize 0) (usize 5) (fun j_1084 b_1082 => - let b_1082 := - array_upd b_1082 (j_1084) (array_index (s_1081) (((usize 5) * ( - i_1083)) + (j_1084))) in - (b_1082)) - b_1082 in - let s_1081 := - foldi (usize 0) (usize 5) (fun j_1085 s_1081 => - let u_1086 : uint64 := - array_index (b_1082) (((j_1085) + (usize 1)) %% (usize 5)) in - let s_1081 := - array_upd s_1081 (((usize 5) * (i_1083)) + (j_1085)) ((array_index ( - s_1081) (((usize 5) * (i_1083)) + (j_1085))) .^ ((not ( - u_1086)) .& (array_index (b_1082) (((j_1085) + ( - usize 2)) %% (usize 5))))) in - (s_1081)) - s_1081 in - (s_1081, b_1082)) - (s_1081, b_1082) in - s_1081. - -Definition iota (s_1087 : state_t) (rndconst_1088 : int64) : state_t := - let s_1087 := - array_upd s_1087 (usize 0) ((array_index (s_1087) (usize 0)) .^ ( - uint64_classify (rndconst_1088))) in - s_1087. - -Definition keccakf1600 (s_1089 : state_t) : state_t := - let s_1089 := - foldi (usize 0) (rounds_v) (fun i_1090 s_1089 => - let s_1089 := - theta (s_1089) in - let s_1089 := - rho (s_1089) in - let s_1089 := - pi (s_1089) in - let s_1089 := - chi (s_1089) in - let s_1089 := - iota (s_1089) (array_index (roundconstants_v) (i_1090)) in - (s_1089)) - s_1089 in - s_1089. - -Definition absorb_block (s_1091 : state_t) (block_1092 : byte_seq) : state_t := - let s_1091 := - foldi (usize 0) (seq_len (block_1092)) (fun i_1093 s_1091 => - let w_1094 : uint_size := - (i_1093) usize_shift_right (@repr WORDSIZE32 3) in - let o_1095 : uint_size := - (usize 8) * ((i_1093) .& (usize 7)) in - let s_1091 := - array_upd s_1091 (w_1094) ((array_index (s_1091) (w_1094)) .^ (( - uint64_from_uint8 (seq_index (block_1092) (i_1093))) shift_left ( - o_1095))) in - (s_1091)) - s_1091 in - keccakf1600 (s_1091). - -Definition squeeze - (s_1096 : state_t) - (nbytes_1097 : uint_size) - (rate_1098 : uint_size) - : byte_seq := - let out_1099 : seq uint8 := - seq_new_ (default : uint8) (nbytes_1097) in - let '(s_1096, out_1099) := - foldi (usize 0) (nbytes_1097) (fun i_1100 '(s_1096, out_1099) => - let pos_1101 : uint_size := - (i_1100) %% (rate_1098) in - let w_1102 : uint_size := - (pos_1101) usize_shift_right (@repr WORDSIZE32 3) in - let o_1103 : uint_size := - (usize 8) * ((pos_1101) .& (usize 7)) in - let b_1104 : uint64 := - ((array_index (s_1096) (w_1102)) shift_right (o_1103)) .& ( - uint64_classify (@repr WORDSIZE64 255)) in - let out_1099 := - seq_upd out_1099 (i_1100) (uint8_from_uint64 (b_1104)) in - let '(s_1096) := - if (((i_1100) + (usize 1)) %% (rate_1098)) =.? (usize 0):bool then ( - let s_1096 := - keccakf1600 (s_1096) in - (s_1096)) else ((s_1096)) in - (s_1096, out_1099)) - (s_1096, out_1099) in - out_1099. - -Definition keccak - (rate_1105 : uint_size) - (data_1106 : byte_seq) - (p_1107 : int8) - (outbytes_1108 : uint_size) - : byte_seq := - let buf_1109 : seq uint8 := - seq_new_ (default : uint8) (rate_1105) in - let last_block_len_1110 : uint_size := - usize 0 in - let s_1111 : state_t := - array_new_ (default : uint64) (25) in - let '(buf_1109, last_block_len_1110, s_1111) := - foldi (usize 0) (seq_num_chunks (data_1106) (rate_1105)) (fun i_1112 '( - buf_1109, - last_block_len_1110, - s_1111 - ) => - let '(block_len_1113, block_1114) := - seq_get_chunk (data_1106) (rate_1105) (i_1112) in - let '(buf_1109, last_block_len_1110, s_1111) := - if (block_len_1113) =.? (rate_1105):bool then (let s_1111 := - absorb_block (s_1111) (block_1114) in - (buf_1109, last_block_len_1110, s_1111)) else (let buf_1109 := - seq_update_start (buf_1109) (block_1114) in - let last_block_len_1110 := - block_len_1113 in - (buf_1109, last_block_len_1110, s_1111)) in - (buf_1109, last_block_len_1110, s_1111)) - (buf_1109, last_block_len_1110, s_1111) in - let buf_1109 := - seq_upd buf_1109 (last_block_len_1110) (secret (p_1107) : int8) in - let buf_1109 := - seq_upd buf_1109 ((rate_1105) - (usize 1)) ((seq_index (buf_1109) (( - rate_1105) - (usize 1))) .| (secret ( - @repr WORDSIZE8 128) : int8)) in - let s_1111 := - absorb_block (s_1111) (buf_1109) in - squeeze (s_1111) (outbytes_1108) (rate_1105). - -Definition sha3224 (data_1115 : byte_seq) : digest224_t := - let t_1116 : seq uint8 := - keccak (sha3224_rate_v) (data_1115) (@repr WORDSIZE8 6) (usize 28) in - array_from_seq (28) (t_1116). - -Definition sha3256 (data_1117 : byte_seq) : digest256_t := - let t_1118 : seq uint8 := - keccak (sha3256_rate_v) (data_1117) (@repr WORDSIZE8 6) (usize 32) in - array_from_seq (32) (t_1118). - -Definition sha3384 (data_1119 : byte_seq) : digest384_t := - let t_1120 : seq uint8 := - keccak (sha3384_rate_v) (data_1119) (@repr WORDSIZE8 6) (usize 48) in - array_from_seq (48) (t_1120). - -Definition sha3512 (data_1121 : byte_seq) : digest512_t := - let t_1122 : seq uint8 := - keccak (sha3512_rate_v) (data_1121) (@repr WORDSIZE8 6) (usize 64) in - array_from_seq (64) (t_1122). - -Definition shake128 - (data_1123 : byte_seq) - (outlen_1124 : uint_size) - : byte_seq := - keccak (shake128_rate_v) (data_1123) (@repr WORDSIZE8 31) (outlen_1124). - -Definition shake256 - (data_1125 : byte_seq) - (outlen_1126 : uint_size) - : byte_seq := - keccak (shake256_rate_v) (data_1125) (@repr WORDSIZE8 31) (outlen_1126). - diff --git a/proof-libs/coq/coq/src/Hacspec_Sha512.v b/proof-libs/coq/coq/src/Hacspec_Sha512.v deleted file mode 100644 index 9e24e3f00..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Sha512.v +++ /dev/null @@ -1,321 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition block_size_v : uint_size := - usize 128. - -Definition len_size_v : uint_size := - usize 16. - -Definition k_size_v : uint_size := - usize 80. - -Definition hash_size_v : uint_size := - (usize 512) / (usize 8). - -Definition block_t := nseq (uint8) (block_size_v). - -Definition op_table_type_t := nseq (uint_size) (usize 12). - -Definition sha512_digest_t := nseq (uint8) (hash_size_v). - -Definition round_constants_table_t := nseq (uint64) (k_size_v). - -Definition hash_t := nseq (uint64) (usize 8). - -Definition ch (x_2240 : uint64) (y_2241 : uint64) (z_2242 : uint64) : uint64 := - ((x_2240) .& (y_2241)) .^ ((not (x_2240)) .& (z_2242)). - -Definition maj (x_2243 : uint64) (y_2244 : uint64) (z_2245 : uint64) : uint64 := - ((x_2243) .& (y_2244)) .^ (((x_2243) .& (z_2245)) .^ ((y_2244) .& (z_2245))). - -Definition op_table_v : op_table_type_t := - array_from_list uint_size (let l := - [ - usize 28; - usize 34; - usize 39; - usize 14; - usize 18; - usize 41; - usize 1; - usize 8; - usize 7; - usize 19; - usize 61; - usize 6 - ] in l). - -Definition k_table_v : round_constants_table_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 4794697086780616226) : int64; - secret (@repr WORDSIZE64 8158064640168781261) : int64; - secret (@repr WORDSIZE64 13096744586834688815) : int64; - secret (@repr WORDSIZE64 16840607885511220156) : int64; - secret (@repr WORDSIZE64 4131703408338449720) : int64; - secret (@repr WORDSIZE64 6480981068601479193) : int64; - secret (@repr WORDSIZE64 10538285296894168987) : int64; - secret (@repr WORDSIZE64 12329834152419229976) : int64; - secret (@repr WORDSIZE64 15566598209576043074) : int64; - secret (@repr WORDSIZE64 1334009975649890238) : int64; - secret (@repr WORDSIZE64 2608012711638119052) : int64; - secret (@repr WORDSIZE64 6128411473006802146) : int64; - secret (@repr WORDSIZE64 8268148722764581231) : int64; - secret (@repr WORDSIZE64 9286055187155687089) : int64; - secret (@repr WORDSIZE64 11230858885718282805) : int64; - secret (@repr WORDSIZE64 13951009754708518548) : int64; - secret (@repr WORDSIZE64 16472876342353939154) : int64; - secret (@repr WORDSIZE64 17275323862435702243) : int64; - secret (@repr WORDSIZE64 1135362057144423861) : int64; - secret (@repr WORDSIZE64 2597628984639134821) : int64; - secret (@repr WORDSIZE64 3308224258029322869) : int64; - secret (@repr WORDSIZE64 5365058923640841347) : int64; - secret (@repr WORDSIZE64 6679025012923562964) : int64; - secret (@repr WORDSIZE64 8573033837759648693) : int64; - secret (@repr WORDSIZE64 10970295158949994411) : int64; - secret (@repr WORDSIZE64 12119686244451234320) : int64; - secret (@repr WORDSIZE64 12683024718118986047) : int64; - secret (@repr WORDSIZE64 13788192230050041572) : int64; - secret (@repr WORDSIZE64 14330467153632333762) : int64; - secret (@repr WORDSIZE64 15395433587784984357) : int64; - secret (@repr WORDSIZE64 489312712824947311) : int64; - secret (@repr WORDSIZE64 1452737877330783856) : int64; - secret (@repr WORDSIZE64 2861767655752347644) : int64; - secret (@repr WORDSIZE64 3322285676063803686) : int64; - secret (@repr WORDSIZE64 5560940570517711597) : int64; - secret (@repr WORDSIZE64 5996557281743188959) : int64; - secret (@repr WORDSIZE64 7280758554555802590) : int64; - secret (@repr WORDSIZE64 8532644243296465576) : int64; - secret (@repr WORDSIZE64 9350256976987008742) : int64; - secret (@repr WORDSIZE64 10552545826968843579) : int64; - secret (@repr WORDSIZE64 11727347734174303076) : int64; - secret (@repr WORDSIZE64 12113106623233404929) : int64; - secret (@repr WORDSIZE64 14000437183269869457) : int64; - secret (@repr WORDSIZE64 14369950271660146224) : int64; - secret (@repr WORDSIZE64 15101387698204529176) : int64; - secret (@repr WORDSIZE64 15463397548674623760) : int64; - secret (@repr WORDSIZE64 17586052441742319658) : int64; - secret (@repr WORDSIZE64 1182934255886127544) : int64; - secret (@repr WORDSIZE64 1847814050463011016) : int64; - secret (@repr WORDSIZE64 2177327727835720531) : int64; - secret (@repr WORDSIZE64 2830643537854262169) : int64; - secret (@repr WORDSIZE64 3796741975233480872) : int64; - secret (@repr WORDSIZE64 4115178125766777443) : int64; - secret (@repr WORDSIZE64 5681478168544905931) : int64; - secret (@repr WORDSIZE64 6601373596472566643) : int64; - secret (@repr WORDSIZE64 7507060721942968483) : int64; - secret (@repr WORDSIZE64 8399075790359081724) : int64; - secret (@repr WORDSIZE64 8693463985226723168) : int64; - secret (@repr WORDSIZE64 9568029438360202098) : int64; - secret (@repr WORDSIZE64 10144078919501101548) : int64; - secret (@repr WORDSIZE64 10430055236837252648) : int64; - secret (@repr WORDSIZE64 11840083180663258601) : int64; - secret (@repr WORDSIZE64 13761210420658862357) : int64; - secret (@repr WORDSIZE64 14299343276471374635) : int64; - secret (@repr WORDSIZE64 14566680578165727644) : int64; - secret (@repr WORDSIZE64 15097957966210449927) : int64; - secret (@repr WORDSIZE64 16922976911328602910) : int64; - secret (@repr WORDSIZE64 17689382322260857208) : int64; - secret (@repr WORDSIZE64 500013540394364858) : int64; - secret (@repr WORDSIZE64 748580250866718886) : int64; - secret (@repr WORDSIZE64 1242879168328830382) : int64; - secret (@repr WORDSIZE64 1977374033974150939) : int64; - secret (@repr WORDSIZE64 2944078676154940804) : int64; - secret (@repr WORDSIZE64 3659926193048069267) : int64; - secret (@repr WORDSIZE64 4368137639120453308) : int64; - secret (@repr WORDSIZE64 4836135668995329356) : int64; - secret (@repr WORDSIZE64 5532061633213252278) : int64; - secret (@repr WORDSIZE64 6448918945643986474) : int64; - secret (@repr WORDSIZE64 6902733635092675308) : int64; - secret (@repr WORDSIZE64 7801388544844847127) : int64 - ] in l). - -Definition hash_init_v : hash_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 7640891576956012808) : int64; - secret (@repr WORDSIZE64 13503953896175478587) : int64; - secret (@repr WORDSIZE64 4354685564936845355) : int64; - secret (@repr WORDSIZE64 11912009170470909681) : int64; - secret (@repr WORDSIZE64 5840696475078001361) : int64; - secret (@repr WORDSIZE64 11170449401992604703) : int64; - secret (@repr WORDSIZE64 2270897969802886507) : int64; - secret (@repr WORDSIZE64 6620516959819538809) : int64 - ] in l). - -Definition sigma - (x_2246 : uint64) - (i_2247 : uint_size) - (op_2248 : uint_size) - : uint64 := - let tmp_2249 : uint64 := - uint64_rotate_right (x_2246) (array_index (op_table_v) (((usize 3) * ( - i_2247)) + (usize 2))) in - let '(tmp_2249) := - if (op_2248) =.? (usize 0):bool then (let tmp_2249 := - (x_2246) shift_right (array_index (op_table_v) (((usize 3) * ( - i_2247)) + (usize 2))) in - (tmp_2249)) else ((tmp_2249)) in - ((uint64_rotate_right (x_2246) (array_index (op_table_v) ((usize 3) * ( - i_2247)))) .^ (uint64_rotate_right (x_2246) (array_index ( - op_table_v) (((usize 3) * (i_2247)) + (usize 1))))) .^ (tmp_2249). - -Definition schedule (block_2250 : block_t) : round_constants_table_t := - let b_2251 : seq uint64 := - array_to_be_uint64s (block_2250) in - let s_2252 : round_constants_table_t := - array_new_ (default : uint64) (k_size_v) in - let s_2252 := - foldi (usize 0) (k_size_v) (fun i_2253 s_2252 => - let '(s_2252) := - if (i_2253) <.? (usize 16):bool then (let s_2252 := - array_upd s_2252 (i_2253) (seq_index (b_2251) (i_2253)) in - (s_2252)) else (let t16_2254 : uint64 := - array_index (s_2252) ((i_2253) - (usize 16)) in - let t15_2255 : uint64 := - array_index (s_2252) ((i_2253) - (usize 15)) in - let t7_2256 : uint64 := - array_index (s_2252) ((i_2253) - (usize 7)) in - let t2_2257 : uint64 := - array_index (s_2252) ((i_2253) - (usize 2)) in - let s1_2258 : uint64 := - sigma (t2_2257) (usize 3) (usize 0) in - let s0_2259 : uint64 := - sigma (t15_2255) (usize 2) (usize 0) in - let s_2252 := - array_upd s_2252 (i_2253) ((((s1_2258) .+ (t7_2256)) .+ ( - s0_2259)) .+ (t16_2254)) in - (s_2252)) in - (s_2252)) - s_2252 in - s_2252. - -Definition shuffle - (ws_2260 : round_constants_table_t) - (hashi_2261 : hash_t) - : hash_t := - let h_2262 : hash_t := - hashi_2261 in - let h_2262 := - foldi (usize 0) (k_size_v) (fun i_2263 h_2262 => - let a0_2264 : uint64 := - array_index (h_2262) (usize 0) in - let b0_2265 : uint64 := - array_index (h_2262) (usize 1) in - let c0_2266 : uint64 := - array_index (h_2262) (usize 2) in - let d0_2267 : uint64 := - array_index (h_2262) (usize 3) in - let e0_2268 : uint64 := - array_index (h_2262) (usize 4) in - let f0_2269 : uint64 := - array_index (h_2262) (usize 5) in - let g0_2270 : uint64 := - array_index (h_2262) (usize 6) in - let h0_2271 : uint64 := - array_index (h_2262) (usize 7) in - let t1_2272 : uint64 := - ((((h0_2271) .+ (sigma (e0_2268) (usize 1) (usize 1))) .+ (ch ( - e0_2268) (f0_2269) (g0_2270))) .+ (array_index (k_table_v) ( - i_2263))) .+ (array_index (ws_2260) (i_2263)) in - let t2_2273 : uint64 := - (sigma (a0_2264) (usize 0) (usize 1)) .+ (maj (a0_2264) (b0_2265) ( - c0_2266)) in - let h_2262 := - array_upd h_2262 (usize 0) ((t1_2272) .+ (t2_2273)) in - let h_2262 := - array_upd h_2262 (usize 1) (a0_2264) in - let h_2262 := - array_upd h_2262 (usize 2) (b0_2265) in - let h_2262 := - array_upd h_2262 (usize 3) (c0_2266) in - let h_2262 := - array_upd h_2262 (usize 4) ((d0_2267) .+ (t1_2272)) in - let h_2262 := - array_upd h_2262 (usize 5) (e0_2268) in - let h_2262 := - array_upd h_2262 (usize 6) (f0_2269) in - let h_2262 := - array_upd h_2262 (usize 7) (g0_2270) in - (h_2262)) - h_2262 in - h_2262. - -Definition compress (block_2274 : block_t) (h_in_2275 : hash_t) : hash_t := - let s_2276 : round_constants_table_t := - schedule (block_2274) in - let h_2277 : hash_t := - shuffle (s_2276) (h_in_2275) in - let h_2277 := - foldi (usize 0) (usize 8) (fun i_2278 h_2277 => - let h_2277 := - array_upd h_2277 (i_2278) ((array_index (h_2277) (i_2278)) .+ ( - array_index (h_in_2275) (i_2278))) in - (h_2277)) - h_2277 in - h_2277. - -Definition hash (msg_2279 : byte_seq) : sha512_digest_t := - let h_2280 : hash_t := - hash_init_v in - let last_block_2281 : block_t := - array_new_ (default : uint8) (block_size_v) in - let last_block_len_2282 : uint_size := - usize 0 in - let '(h_2280, last_block_2281, last_block_len_2282) := - foldi (usize 0) (seq_num_chunks (msg_2279) (block_size_v)) (fun i_2283 '( - h_2280, - last_block_2281, - last_block_len_2282 - ) => - let '(block_len_2284, block_2285) := - seq_get_chunk (msg_2279) (block_size_v) (i_2283) in - let '(h_2280, last_block_2281, last_block_len_2282) := - if (block_len_2284) <.? (block_size_v):bool then (let last_block_2281 := - array_update_start (array_new_ (default : uint8) (block_size_v)) ( - block_2285) in - let last_block_len_2282 := - block_len_2284 in - (h_2280, last_block_2281, last_block_len_2282)) else ( - let compress_input_2286 : block_t := - array_from_seq (block_size_v) (block_2285) in - let h_2280 := - compress (compress_input_2286) (h_2280) in - (h_2280, last_block_2281, last_block_len_2282)) in - (h_2280, last_block_2281, last_block_len_2282)) - (h_2280, last_block_2281, last_block_len_2282) in - let last_block_2281 := - array_upd last_block_2281 (last_block_len_2282) (secret ( - @repr WORDSIZE8 128) : int8) in - let len_bist_2287 : uint128 := - secret (pub_u128 ((seq_len (msg_2279)) * (usize 8))) : int128 in - let '(h_2280, last_block_2281) := - if (last_block_len_2282) <.? ((block_size_v) - (len_size_v)):bool then ( - let last_block_2281 := - array_update (last_block_2281) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint128_to_be_bytes (len_bist_2287))) in - let h_2280 := - compress (last_block_2281) (h_2280) in - (h_2280, last_block_2281)) else (let pad_block_2288 : block_t := - array_new_ (default : uint8) (block_size_v) in - let pad_block_2288 := - array_update (pad_block_2288) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint128_to_be_bytes (len_bist_2287))) in - let h_2280 := - compress (last_block_2281) (h_2280) in - let h_2280 := - compress (pad_block_2288) (h_2280) in - (h_2280, last_block_2281)) in - array_from_seq (hash_size_v) (array_to_be_bytes (h_2280)). - -Definition sha512 (msg_2289 : byte_seq) : sha512_digest_t := - hash (msg_2289). - diff --git a/proof-libs/coq/coq/src/Pearlite_Example.v b/proof-libs/coq/coq/src/Pearlite_Example.v deleted file mode 100644 index 782def6e7..000000000 --- a/proof-libs/coq/coq/src/Pearlite_Example.v +++ /dev/null @@ -1,19 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition ensure_something (x_0 : int8) (y_1 : int8) `{x_0 = y_1} : bool := - (x_0) =.? (y_1). - -Theorem ensures_ensure_something : forall result_2 (x_0 : int8) (y_1 : int8), - forall {H_0 : x_0 = y_1}, - @ensure_something x_0 y_1 H_0 = result_2 -> - ~ (result_2 = false). - Proof. red ; intros. subst. cbn in *. now rewrite (eq_true y_1) in H0. Qed. - diff --git a/proof-libs/coq/coq/src/Strobe.v b/proof-libs/coq/coq/src/Strobe.v deleted file mode 100644 index 62958a562..000000000 --- a/proof-libs/coq/coq/src/Strobe.v +++ /dev/null @@ -1,305 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha3. - -Definition strobe_r_v : int8 := - @repr WORDSIZE8 166. - -Definition flag_i_v : int8 := - @repr WORDSIZE8 1. - -Definition flag_a_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 1). - -Definition flag_c_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 2). - -Definition flag_m_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 4). - -Definition flag_k_v : int8 := - (@repr WORDSIZE8 1) shift_left (usize 5). - -Notation "'state_uint64_t'" := (state_t) : hacspec_scope. - -Definition state_uint8_t := nseq (uint8) (usize 200). - -Notation "'strobe_t'" := ((state_uint8_t '× int8 '× int8 '× int8 -)) : hacspec_scope. - -Definition transmute_state_to_u64 - (state_986 : state_uint8_t) - : state_uint64_t := - let new_state_987 : state_t := - array_new_ (default : uint64) (25) in - let new_state_987 := - foldi (usize 0) (array_len (new_state_987)) (fun i_988 new_state_987 => - let word_989 : uint64_word_t := - array_new_ (default : uint8) (8) in - let word_989 := - foldi (usize 0) (array_len (word_989)) (fun j_990 word_989 => - let word_989 := - array_upd word_989 (j_990) (array_index (state_986) (((i_988) * ( - usize 8)) + (j_990))) in - (word_989)) - word_989 in - let new_state_987 := - array_upd new_state_987 (i_988) (uint64_from_le_bytes (word_989)) in - (new_state_987)) - new_state_987 in - new_state_987. - -Definition transmute_state_to_u8 (state_991 : state_uint64_t) : state_uint8_t := - let new_state_992 : state_uint8_t := - array_new_ (default : uint8) (200) in - let new_state_992 := - foldi (usize 0) (array_len (state_991)) (fun i_993 new_state_992 => - let bytes_994 : seq uint8 := - uint64_to_le_bytes (array_index (state_991) (i_993)) in - let new_state_992 := - foldi (usize 0) (seq_len (bytes_994)) (fun j_995 new_state_992 => - let new_state_992 := - array_upd new_state_992 (((i_993) * (usize 8)) + (j_995)) ( - seq_index (bytes_994) (j_995)) in - (new_state_992)) - new_state_992 in - (new_state_992)) - new_state_992 in - new_state_992. - -Definition run_f (strobe_996 : strobe_t) : strobe_t := - let '(state_997, pos_998, pos_begin_999, cur_fl_1000) := - strobe_996 in - let state_997 := - array_upd state_997 (pos_998) ((array_index (state_997) (pos_998)) .^ ( - secret (pos_begin_999) : int8)) in - let state_997 := - array_upd state_997 ((pos_998) .+ (@repr WORDSIZE8 1)) ((array_index ( - state_997) ((pos_998) .+ (@repr WORDSIZE8 1))) .^ (secret ( - @repr WORDSIZE8 4) : int8)) in - let state_997 := - array_upd state_997 ((strobe_r_v) .+ (@repr WORDSIZE8 1)) ((array_index ( - state_997) ((strobe_r_v) .+ (@repr WORDSIZE8 1))) .^ (secret ( - @repr WORDSIZE8 128) : int8)) in - let state_uint64_1001 : state_t := - transmute_state_to_u64 (state_997) in - let state_997 := - transmute_state_to_u8 (keccakf1600 (state_uint64_1001)) in - let pos_998 := - @repr WORDSIZE8 0 in - let pos_begin_999 := - @repr WORDSIZE8 0 in - (state_997, pos_998, pos_begin_999, cur_fl_1000). - -Definition absorb (strobe_1002 : strobe_t) (data_1003 : seq uint8) : strobe_t := - let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := - strobe_1002 in - let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := - foldi (usize 0) (seq_len (data_1003)) (fun i_1008 '( - state_1004, - pos_1005, - pos_begin_1006, - cur_fl_1007 - ) => - let state_1004 := - array_upd state_1004 (pos_1005) ((array_index (state_1004) ( - pos_1005)) .^ (seq_index (data_1003) (i_1008))) in - let pos_1005 := - (pos_1005) .+ (@repr WORDSIZE8 1) in - let '(state_1004, pos_1005, pos_begin_1006, cur_fl_1007) := - if (pos_1005) =.? (strobe_r_v):bool then (let '( - s_1009, - p_1010, - pb_1011, - cf_1012 - ) := - run_f ((state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) in - let state_1004 := - s_1009 in - let pos_1005 := - p_1010 in - let pos_begin_1006 := - pb_1011 in - let cur_fl_1007 := - cf_1012 in - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) else (( - state_1004, - pos_1005, - pos_begin_1006, - cur_fl_1007 - )) in - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007)) - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007) in - (state_1004, pos_1005, pos_begin_1006, cur_fl_1007). - -Definition squeeze - (strobe_1013 : strobe_t) - (data_1014 : seq uint8) - : (strobe_t '× seq uint8) := - let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := - strobe_1013 in - let '(data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := - foldi (usize 0) (seq_len (data_1014)) (fun i_1019 '( - data_1014, - state_1015, - pos_1016, - pos_begin_1017, - cur_fl_1018 - ) => - let data_1014 := - seq_upd data_1014 (i_1019) (array_index (state_1015) (pos_1016)) in - let state_1015 := - array_upd state_1015 (pos_1016) (uint8_classify (@repr WORDSIZE8 0)) in - let pos_1016 := - (pos_1016) .+ (@repr WORDSIZE8 1) in - let '(state_1015, pos_1016, pos_begin_1017, cur_fl_1018) := - if (pos_1016) =.? (strobe_r_v):bool then (let '( - s_1020, - p_1021, - pb_1022, - cf_1023 - ) := - run_f (((state_1015), pos_1016, pos_begin_1017, cur_fl_1018)) in - let state_1015 := - s_1020 in - let pos_1016 := - p_1021 in - let pos_begin_1017 := - pb_1022 in - let cur_fl_1018 := - cf_1023 in - (state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) else (( - state_1015, - pos_1016, - pos_begin_1017, - cur_fl_1018 - )) in - (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018)) - (data_1014, state_1015, pos_1016, pos_begin_1017, cur_fl_1018) in - ((state_1015, pos_1016, pos_begin_1017, cur_fl_1018), data_1014). - -Definition begin_op - (strobe_1024 : strobe_t) - (flags_1025 : int8) - (more_1026 : bool) - : strobe_t := - let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030) := - strobe_1024 in - let ret_1031 : (state_uint8_t '× int8 '× int8 '× int8) := - (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in - let '(state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031) := - if negb (more_1026):bool then (let old_begin_1032 : int8 := - pos_begin_1029 in - let pos_begin_1029 := - (pos_1028) .+ (@repr WORDSIZE8 1) in - let cur_fl_1030 := - flags_1025 in - let data_1033 : seq uint8 := - seq_new_ (default : uint8) (usize 2) in - let data_1033 := - seq_upd data_1033 (usize 0) (secret (old_begin_1032) : int8) in - let data_1033 := - seq_upd data_1033 (usize 1) (secret (flags_1025) : int8) in - let '(s_1034, p_1035, pb_1036, cf_1037) := - absorb ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) ( - data_1033) in - let state_1027 := - s_1034 in - let pos_1028 := - p_1035 in - let pos_begin_1029 := - pb_1036 in - let cur_fl_1030 := - cf_1037 in - let force_f_1038 : bool := - (@repr WORDSIZE8 0) !=.? ((flags_1025) .& ((flag_c_v) .| ( - flag_k_v))) in - let '(ret_1031) := - if (force_f_1038) && ((pos_1028) !=.? (@repr WORDSIZE8 0)):bool then ( - let ret_1031 := - run_f ((state_1027, pos_1028, pos_begin_1029, cur_fl_1030)) in - (ret_1031)) else (let ret_1031 := - (state_1027, pos_1028, pos_begin_1029, cur_fl_1030) in - (ret_1031)) in - (state_1027, pos_1028, pos_begin_1029, cur_fl_1030, ret_1031)) else (( - state_1027, - pos_1028, - pos_begin_1029, - cur_fl_1030, - ret_1031 - )) in - ret_1031. - -Definition new_strobe (protocol_label_1039 : seq uint8) : strobe_t := - let st_1040 : state_uint8_t := - array_new_ (default : uint8) (200) in - let st_1040 := - array_set_chunk (st_1040) (usize 6) (usize 0) ([ - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 96) : int8 - ]) in - let st_1040 := - array_set_chunk (st_1040) (usize 6) (usize 1) ([ - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 84) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 69) : int8 - ]) in - let st_1040 := - array_set_chunk (st_1040) (usize 6) (usize 2) ([ - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 48) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 50) : int8 - ]) in - let st_uint64_1041 : state_t := - transmute_state_to_u64 (st_1040) in - let st_1040 := - transmute_state_to_u8 (keccakf1600 (st_uint64_1041)) in - meta_ad ((st_1040, @repr WORDSIZE8 0, @repr WORDSIZE8 0, @repr WORDSIZE8 0)) ( - protocol_label_1039) (false). - -Definition meta_ad - (strobe_1042 : strobe_t) - (data_1043 : seq uint8) - (more_1044 : bool) - : strobe_t := - let strobe_1042 := - begin_op (strobe_1042) ((flag_m_v) .| (flag_a_v)) (more_1044) in - absorb (strobe_1042) (data_1043). - -Definition ad - (strobe_1045 : strobe_t) - (data_1046 : seq uint8) - (more_1047 : bool) - : strobe_t := - let strobe_1045 := - begin_op (strobe_1045) (flag_a_v) (more_1047) in - absorb (strobe_1045) (data_1046). - -Definition prf - (strobe_1048 : strobe_t) - (data_1049 : seq uint8) - (more_1050 : bool) - : (strobe_t '× seq uint8) := - let strobe_1048 := - begin_op (strobe_1048) (((flag_i_v) .| (flag_a_v)) .| (flag_c_v)) ( - more_1050) in - squeeze (strobe_1048) (data_1049). - diff --git a/proof-libs/coq/coq/src/Tls_Cryptolib.v b/proof-libs/coq/coq/src/Tls_Cryptolib.v deleted file mode 100644 index 0f2e2125a..000000000 --- a/proof-libs/coq/coq/src/Tls_Cryptolib.v +++ /dev/null @@ -1,673 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Aes. - -Require Import Hacspec_Aes128_Gcm. - -Require Import Hacspec_Chacha20. - -Require Import Hacspec_Chacha20poly1305. - -Require Import Hacspec_Curve25519. - -Require Import Hacspec_Ecdsa_P256_Sha256. - -Require Import Hacspec_Gf128. - -Require Import Hacspec_Hkdf. - -Require Import Hacspec_Hmac. - -Require Import Hacspec_P256. - -Require Import Hacspec_Poly1305. - -Require Import Hacspec_Sha256. - -Inductive crypto_error_t := -| CryptoError : crypto_error_t -| HkdfError : crypto_error_t -| InsufficientEntropy : crypto_error_t -| InvalidCert : crypto_error_t -| MacFailed : crypto_error_t -| UnsupportedAlgorithm : crypto_error_t -| VerifyFailed : crypto_error_t. - -Definition empty : byte_seq := - seq_new_ (default : uint8) (usize 0). - -Definition zeros (u_0 : uint_size) : byte_seq := - seq_new_ (default : uint8) (u_0). - -Notation "'entropy_t'" := (byte_seq) : hacspec_scope. - -Definition random_t := nseq (uint8) (usize 32). - -Notation "'dh_sk_t'" := (byte_seq) : hacspec_scope. - -Notation "'dh_pk_t'" := (byte_seq) : hacspec_scope. - -Notation "'signature_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'verification_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'mac_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'key_t'" := (byte_seq) : hacspec_scope. - -Notation "'psk_t'" := (key_t) : hacspec_scope. - -Notation "'digest_t'" := (byte_seq) : hacspec_scope. - -Notation "'hmac_t'" := (byte_seq) : hacspec_scope. - -Notation "'signature_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_iv_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_key_iv_t'" := ((aead_key_t '× aead_iv_t)) : hacspec_scope. - -Inductive named_group_t := -| X25519 : named_group_t -| Secp256r1 : named_group_t. - -Definition eqb_named_group_t (x y : named_group_t) : bool := -match x with - | X25519 => match y with | X25519=> true | _ => false end - | Secp256r1 => match y with | Secp256r1=> true | _ => false end - end. - -Definition eqb_leibniz_named_group_t (x y : named_group_t) : eqb_named_group_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_named_group_t : EqDec (named_group_t) := -Build_EqDec (named_group_t) (eqb_named_group_t) (eqb_leibniz_named_group_t). - - -Inductive hash_algorithm_t := -| SHA256 : hash_algorithm_t -| SHA384 : hash_algorithm_t. - -Definition eqb_hash_algorithm_t (x y : hash_algorithm_t) : bool := -match x with - | SHA256 => match y with | SHA256=> true | _ => false end - | SHA384 => match y with | SHA384=> true | _ => false end - end. - -Definition eqb_leibniz_hash_algorithm_t (x y : hash_algorithm_t) : eqb_hash_algorithm_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_hash_algorithm_t : EqDec (hash_algorithm_t) := -Build_EqDec (hash_algorithm_t) (eqb_hash_algorithm_t) (eqb_leibniz_hash_algorithm_t). - - -Inductive aead_algorithm_t := -| Chacha20Poly1305 : aead_algorithm_t -| Aes128Gcm : aead_algorithm_t -| Aes256Gcm : aead_algorithm_t. - -Definition eqb_aead_algorithm_t (x y : aead_algorithm_t) : bool := -match x with - | Chacha20Poly1305 => match y with | Chacha20Poly1305=> true | _ => false end - | Aes128Gcm => match y with | Aes128Gcm=> true | _ => false end - | Aes256Gcm => match y with | Aes256Gcm=> true | _ => false end - end. - -Definition eqb_leibniz_aead_algorithm_t (x y : aead_algorithm_t) : eqb_aead_algorithm_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_aead_algorithm_t : EqDec (aead_algorithm_t) := -Build_EqDec (aead_algorithm_t) (eqb_aead_algorithm_t) (eqb_leibniz_aead_algorithm_t). - - -Inductive signature_scheme_t := -| ED25519 : signature_scheme_t -| EcdsaSecp256r1Sha256 : signature_scheme_t -| RsaPssRsaSha256 : signature_scheme_t. - -Definition eqb_signature_scheme_t (x y : signature_scheme_t) : bool := -match x with - | ED25519 => match y with | ED25519=> true | _ => false end - | EcdsaSecp256r1Sha256 => - match y with - | EcdsaSecp256r1Sha256=> true - | _ => false - end - | RsaPssRsaSha256 => match y with | RsaPssRsaSha256=> true | _ => false end - end. - -Definition eqb_leibniz_signature_scheme_t (x y : signature_scheme_t) : eqb_signature_scheme_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_signature_scheme_t : EqDec (signature_scheme_t) := -Build_EqDec (signature_scheme_t) (eqb_signature_scheme_t) (eqb_leibniz_signature_scheme_t). - - -Definition hash_len (ha_1 : hash_algorithm_t) : uint_size := - match ha_1 with | SHA256 => usize 32 | SHA384 => usize 48 end. - -Definition hmac_key_len (ha_2 : hash_algorithm_t) : uint_size := - match ha_2 with | SHA256 => usize 32 | SHA384 => usize 48 end. - -Definition ae_key_len (ae_3 : aead_algorithm_t) : uint_size := - match ae_3 with - | Chacha20Poly1305 => usize 32 - | Aes128Gcm => usize 16 - | Aes256Gcm => usize 16 - end. - -Definition ae_iv_len (ae_4 : aead_algorithm_t) : uint_size := - match ae_4 with - | Chacha20Poly1305 => usize 12 - | Aes128Gcm => usize 12 - | Aes256Gcm => usize 12 - end. - -Definition dh_priv_len (gn_5 : named_group_t) : uint_size := - match gn_5 with | X25519 => usize 32 | Secp256r1 => usize 32 end. - -Definition dh_pub_len (gn_6 : named_group_t) : uint_size := - match gn_6 with | X25519 => usize 32 | Secp256r1 => usize 64 end. - -Definition zero_key (ha_7 : hash_algorithm_t) : key_t := - seq_new_ (default : uint8) (usize (hash_len (ha_7))). - -Definition secret_to_public - (group_name_8 : named_group_t) - (x_9 : dh_sk_t) - : (result dh_pk_t crypto_error_t) := - match group_name_8 with - | Secp256r1 => match p256_point_mul_base (nat_mod_from_byte_seq_be ( - x_9) : p256_scalar_t) with - | Ok ((x_10, y_11)) => @Ok dh_pk_t crypto_error_t (seq_concat ( - nat_mod_to_byte_seq_be (x_10)) (nat_mod_to_byte_seq_be (y_11))) - | Err (_) => @Err dh_pk_t crypto_error_t (CryptoError) - end - | X25519 => @Ok dh_pk_t crypto_error_t (seq_from_seq ( - array_to_seq (x25519_secret_to_public (array_from_seq (32) (x_9))))) - end. - -Definition p256_check_point_len - (p_12 : dh_pk_t) - : (result unit crypto_error_t) := - (if ((seq_len (p_12)) !=.? (usize 64)):bool then (@Err unit crypto_error_t ( - CryptoError)) else (@Ok unit crypto_error_t (tt))). - -Definition p256_ecdh - (x_13 : dh_sk_t) - (y_14 : dh_pk_t) - : (result key_t crypto_error_t) := - bind (p256_check_point_len (y_14)) (fun _ => let pk_15 : ( - p256_field_element_t '× - p256_field_element_t - ) := - ( - nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 0, usize 32 - ))) : p256_field_element_t, - nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 32, usize 64 - ))) : p256_field_element_t - ) in - match p256_point_mul (nat_mod_from_byte_seq_be (x_13) : p256_scalar_t) ( - pk_15) with - | Ok ((x_16, y_17)) => @Ok key_t crypto_error_t (seq_concat ( - nat_mod_to_byte_seq_be (x_16)) (nat_mod_to_byte_seq_be (y_17))) - | Err (_) => @Err key_t crypto_error_t (CryptoError) - end). - -Definition ecdh - (group_name_18 : named_group_t) - (x_19 : dh_sk_t) - (y_20 : dh_pk_t) - : (result key_t crypto_error_t) := - match group_name_18 with - | Secp256r1 => p256_ecdh (x_19) (y_20) - | X25519 => @Ok key_t crypto_error_t (seq_from_seq ( - array_to_seq (x25519_scalarmult (array_from_seq (32) (x_19)) ( - array_from_seq (32) (y_20))))) - end. - -Notation "'kem_scheme_t'" := (named_group_t) : hacspec_scope. - -Notation "'kem_sk_t'" := (byte_seq) : hacspec_scope. - -Notation "'kem_pk_t'" := (byte_seq) : hacspec_scope. - -Definition kem_priv_len (ks_21 : kem_scheme_t) : uint_size := - dh_priv_len (ks_21). - -Definition kem_pub_len (ks_22 : kem_scheme_t) : uint_size := - dh_pub_len (ks_22). - -Definition kem_priv_to_pub - (ks_23 : kem_scheme_t) - (sk_24 : kem_sk_t) - : (result kem_pk_t crypto_error_t) := - secret_to_public (ks_23) (sk_24). - -Definition kem_keygen_inner - (ks_25 : kem_scheme_t) - (ent_26 : entropy_t) - : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := - let sk_27 : seq uint8 := - seq_from_seq (seq_slice_range (ent_26) ((usize 0, dh_priv_len (ks_25)))) in - bind (kem_priv_to_pub (ks_25) (sk_27)) (fun pk_28 => @Ok ( - kem_sk_t '× - kem_pk_t - ) crypto_error_t ((sk_27, pk_28))). - -Definition kem_keygen - (ks_29 : kem_scheme_t) - (ent_30 : entropy_t) - : (result (kem_sk_t '× kem_pk_t) crypto_error_t) := - (if ((seq_len (ent_30)) <.? (dh_priv_len (ks_29))):bool then (@Err ( - kem_sk_t '× - kem_pk_t - ) crypto_error_t (InsufficientEntropy)) else (kem_keygen_inner (ks_29) ( - ent_30))). - -Definition kem_encap - (ks_31 : kem_scheme_t) - (pk_32 : kem_pk_t) - (ent_33 : entropy_t) - : (result (key_t '× byte_seq) crypto_error_t) := - bind (kem_keygen (ks_31) (ent_33)) (fun '(x_34, gx_35) => bind (ecdh (ks_31) ( - x_34) (pk_32)) (fun gxy_36 => @Ok (key_t '× byte_seq) crypto_error_t (( - gxy_36, - gx_35 - )))). - -Definition kem_decap - (ks_37 : kem_scheme_t) - (ct_38 : byte_seq) - (sk_39 : kem_sk_t) - : (result key_t crypto_error_t) := - bind (ecdh (ks_37) (sk_39) (ct_38)) (fun gxy_40 => @Ok key_t crypto_error_t ( - gxy_40)). - -Definition hash - (ha_41 : hash_algorithm_t) - (payload_42 : byte_seq) - : (result digest_t crypto_error_t) := - match ha_41 with - | SHA256 => @Ok digest_t crypto_error_t (seq_from_seq (array_to_seq (sha256 ( - payload_42)))) - | SHA384 => @Err digest_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hmac_tag - (ha_43 : hash_algorithm_t) - (mk_44 : mac_key_t) - (payload_45 : byte_seq) - : (result hmac_t crypto_error_t) := - match ha_43 with - | SHA256 => @Ok hmac_t crypto_error_t (seq_from_seq (array_to_seq (hmac ( - mk_44) (payload_45)))) - | SHA384 => @Err hmac_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition check_tag_len - (a_46 : hmac_t) - (b_47 : hmac_t) - : (result unit crypto_error_t) := - (if ((seq_len (a_46)) =.? (seq_len (b_47))):bool then ( - @Ok unit crypto_error_t (tt)) else (@Err unit crypto_error_t ( - MacFailed))). - -Definition check_bytes - (a_48 : uint8) - (b_49 : uint8) - : (result unit crypto_error_t) := - (if (negb (uint8_equal (a_48) (b_49))):bool then (@Err unit crypto_error_t ( - MacFailed)) else (@Ok unit crypto_error_t (tt))). - -Definition hmac_verify - (ha_50 : hash_algorithm_t) - (mk_51 : mac_key_t) - (payload_52 : byte_seq) - (m_53 : hmac_t) - : (result unit crypto_error_t) := - bind (hmac_tag (ha_50) (mk_51) (payload_52)) (fun my_hmac_54 => bind ( - check_tag_len (m_53) (my_hmac_54)) (fun _ => bind (foldibnd (usize 0) to ( - seq_len (m_53)) for tt >> (fun i_55 'tt => - bind (check_bytes (seq_index (my_hmac_54) (i_55)) (seq_index (m_53) ( - i_55))) (fun _ => @Ok unit crypto_error_t (tt)))) (fun _ => - @Ok unit crypto_error_t (tt)))). - -Definition ec_oid_tag_t := nseq (uint8) (usize 9). - -Definition get_length_length (b_56 : byte_seq) : uint_size := - (if (((uint8_declassify (seq_index (b_56) (usize 0))) shift_right ( - usize 7)) =.? (@repr WORDSIZE8 1)):bool then ( - declassify_usize_from_uint8 ((seq_index (b_56) (usize 0)) .& (secret ( - @repr WORDSIZE8 127) : int8))) else (usize 0)). - -Definition get_length (b_57 : byte_seq) (len_58 : uint_size) : uint_size := - (@cast _ uint32 _ (declassify_u32_from_uint32 (uint32_from_be_bytes ( - array_from_slice (default : uint8) (4) (b_57) (usize 0) ( - len_58))))) usize_shift_right (((usize 4) - (len_58)) * (usize 8)). - -Definition get_short_length (b_59 : byte_seq) : uint_size := - declassify_usize_from_uint8 ((seq_index (b_59) (usize 0)) .& (secret ( - @repr WORDSIZE8 127) : int8)). - -Definition verification_key_from_cert - (cert_60 : byte_seq) - : (result verification_key_t crypto_error_t) := - let skip_61 : uint_size := - ((usize 2) + (get_length_length (seq_slice_range (cert_60) (( - usize 1, - seq_len (cert_60) - ))))) + (usize 1) in - let seq1_len_len_62 : uint_size := - get_length_length (seq_slice_range (cert_60) ((skip_61, seq_len (cert_60) - ))) in - let skip_63 : uint_size := - (skip_61) + (usize 1) in - let seq1_len_64 : uint_size := - get_length (seq_slice (cert_60) (skip_63) ((seq_len (cert_60)) - ( - skip_63))) (seq1_len_len_62) in - let seq1_65 : seq uint8 := - seq_slice_range (cert_60) (( - (skip_63) + (seq1_len_len_62), - ((skip_63) + (seq1_len_len_62)) + (seq1_len_64) - )) in - let pk_66 : seq uint8 := - seq_new_ (default : uint8) (usize 0) in - let '(seq1_65, pk_66) := - foldi (usize 0) (seq_len (seq1_65)) (fun i_67 '(seq1_65, pk_66) => - let '(seq1_65, pk_66) := - if (seq_len (seq1_65)) >.? (usize 0):bool then ( - let element_type_68 : int8 := - uint8_declassify (seq_index (seq1_65) (usize 0)) in - let seq1_65 := - seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in - let len_len_69 : uint_size := - get_length_length (seq1_65) in - let len_70 : uint_size := - get_short_length (seq1_65) in - let seq1_65 := - seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in - let '(len_70) := - if (len_len_69) !=.? (usize 0):bool then (let len_70 := - (get_length (seq1_65) (len_len_69)) + (len_len_69) in - (len_70)) else ((len_70)) in - let '(pk_66) := - if ((element_type_68) =.? (@repr WORDSIZE8 48)) && ((seq_len ( - pk_66)) =.? (usize 0)):bool then (let seq2_71 : seq uint8 := - seq_slice (seq1_65) (len_len_69) (len_70) in - let element_type_72 : int8 := - uint8_declassify (seq_index (seq2_71) (usize 0)) in - let seq2_73 : seq uint8 := - seq_slice (seq2_71) (usize 1) ((seq_len (seq2_71)) - ( - usize 1)) in - let '(pk_66) := - if (element_type_72) =.? (@repr WORDSIZE8 48):bool then ( - let len_len_74 : uint_size := - get_length_length (seq2_73) in - let '(pk_66) := - if (len_len_74) =.? (usize 0):bool then ( - let oid_len_75 : uint_size := - get_short_length (seq2_73) in - let '(pk_66) := - if (oid_len_75) >=.? (usize 9):bool then ( - let expected_76 : seq uint8 := - seq_from_seq (array_to_seq (array_from_list uint8 ( - let l := - [ - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 7) : int8; - secret (@repr WORDSIZE8 42) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 1) : int8 - ] in l))) in - let oid_77 : seq uint8 := - seq_slice (seq2_73) (usize 1) (usize 9) in - let ec_pk_oid_78 : bool := - true in - let ec_pk_oid_78 := - foldi (usize 0) (usize 9) (fun i_79 ec_pk_oid_78 => - let oid_byte_equal_80 : bool := - (uint8_declassify (seq_index (oid_77) ( - i_79))) =.? (uint8_declassify (seq_index ( - expected_76) (i_79))) in - let ec_pk_oid_78 := - (ec_pk_oid_78) && (oid_byte_equal_80) in - (ec_pk_oid_78)) - ec_pk_oid_78 in - let '(pk_66) := - if ec_pk_oid_78:bool then ( - let bit_string_81 : seq uint8 := - seq_slice (seq2_73) ((oid_len_75) + (usize 1)) ( - ((seq_len (seq2_73)) - (oid_len_75)) - ( - usize 1)) in - let '(pk_66) := - if (uint8_declassify (seq_index ( - bit_string_81) (usize 0))) =.? ( - @repr WORDSIZE8 3):bool then ( - let pk_len_82 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 1)) in - let zeroes_83 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 2)) in - let uncompressed_84 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 3)) in - let pk_66 := - seq_slice (bit_string_81) (usize 4) (( - pk_len_82) - (usize 2)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - let seq1_65 := - seq_slice (seq1_65) (len_70) ((seq_len (seq1_65)) - (len_70)) in - (seq1_65, pk_66)) else ((seq1_65, pk_66)) in - (seq1_65, pk_66)) - (seq1_65, pk_66) in - (if ((seq_len (pk_66)) =.? (usize 0)):bool then ( - @Err verification_key_t crypto_error_t (InvalidCert)) else ( - @Ok verification_key_t crypto_error_t (pk_66))). - -Definition concat_signature - (r_85 : p256_scalar_t) - (s_86 : p256_scalar_t) - : (result signature_t crypto_error_t) := - let signature_87 : seq uint8 := - seq_concat (seq_concat (seq_new_ (default : uint8) (usize 0)) ( - nat_mod_to_byte_seq_be (r_85))) (nat_mod_to_byte_seq_be (s_86)) in - @Ok signature_t crypto_error_t (signature_87). - -Definition p256_sign - (ps_88 : signature_key_t) - (payload_89 : byte_seq) - (ent_90 : entropy_t) - : (result signature_t crypto_error_t) := - let random_91 : random_t := - array_from_seq (32) (seq_slice_range (ent_90) ((usize 0, usize 32))) in - let nonce_92 : p256_scalar_t := - nat_mod_from_byte_seq_be (array_to_seq (random_91)) : p256_scalar_t in - match ecdsa_p256_sha256_sign (payload_89) (nat_mod_from_byte_seq_be ( - ps_88) : p256_scalar_t) (nonce_92) with - | Ok ((r_93, s_94)) => concat_signature (r_93) (s_94) - | Err (_) => @Err signature_t crypto_error_t (CryptoError) - end. - -Definition sign - (sa_95 : signature_scheme_t) - (ps_96 : signature_key_t) - (payload_97 : byte_seq) - (ent_98 : entropy_t) - : (result signature_t crypto_error_t) := - match sa_95 with - | EcdsaSecp256r1Sha256 => p256_sign (ps_96) (payload_97) (ent_98) - | ED25519 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) - | RsaPssRsaSha256 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition p256_verify - (pk_99 : verification_key_t) - (payload_100 : byte_seq) - (sig_101 : byte_seq) - : (result unit crypto_error_t) := - let '(pk_x_102, pk_y_103) := - ( - nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 0) ( - usize 32)) : p256_field_element_t, - nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 32) ( - usize 32)) : p256_field_element_t - ) in - let '(r_104, s_105) := - ( - nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 0) ( - usize 32)) : p256_scalar_t, - nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 32) ( - usize 32)) : p256_scalar_t - ) in - match ecdsa_p256_sha256_verify (payload_100) ((pk_x_102, pk_y_103)) (( - r_104, - s_105 - )) with - | Ok (tt) => @Ok unit crypto_error_t (tt) - | Err (_) => @Err unit crypto_error_t (VerifyFailed) - end. - -Definition verify - (sa_106 : signature_scheme_t) - (pk_107 : verification_key_t) - (payload_108 : byte_seq) - (sig_109 : byte_seq) - : (result unit crypto_error_t) := - match sa_106 with - | EcdsaSecp256r1Sha256 => p256_verify (pk_107) (payload_108) (sig_109) - | ED25519 => @Err unit crypto_error_t (UnsupportedAlgorithm) - | RsaPssRsaSha256 => @Err unit crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hkdf_extract - (ha_110 : hash_algorithm_t) - (k_111 : key_t) - (salt_112 : key_t) - : (result key_t crypto_error_t) := - match ha_110 with - | SHA256 => @Ok key_t crypto_error_t (seq_from_seq (array_to_seq (extract ( - salt_112) (k_111)))) - | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hkdf_expand - (ha_113 : hash_algorithm_t) - (k_114 : key_t) - (info_115 : byte_seq) - (len_116 : uint_size) - : (result key_t crypto_error_t) := - match ha_113 with - | SHA256 => match expand (k_114) (info_115) (len_116) with - | Ok (b_117) => @Ok key_t crypto_error_t (seq_from_seq (b_117)) - | Err (_) => @Err key_t crypto_error_t (HkdfError) - end - | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition aes128_encrypt - (k_118 : aead_key_t) - (iv_119 : aead_iv_t) - (payload_120 : byte_seq) - (ad_121 : byte_seq) - : (result byte_seq crypto_error_t) := - let '(ctxt_122, tag_123) := - encrypt_aes128 (array_from_seq (_) (k_118)) (array_from_seq (_) (iv_119)) ( - ad_121) (payload_120) in - @Ok byte_seq crypto_error_t (seq_concat (ctxt_122) (seq_from_seq ( - array_to_seq (tag_123)))). - -Definition chacha_encrypt - (k_124 : aead_key_t) - (iv_125 : aead_iv_t) - (payload_126 : byte_seq) - (ad_127 : byte_seq) - : (result byte_seq crypto_error_t) := - let '(ctxt_128, tag_129) := - chacha20_poly1305_encrypt (array_from_seq (32) (k_124)) (array_from_seq ( - 12) (iv_125)) (ad_127) (payload_126) in - @Ok byte_seq crypto_error_t (seq_concat (ctxt_128) (array_to_seq (tag_129))). - -Definition aead_encrypt - (a_130 : aead_algorithm_t) - (k_131 : aead_key_t) - (iv_132 : aead_iv_t) - (payload_133 : byte_seq) - (ad_134 : byte_seq) - : (result byte_seq crypto_error_t) := - match a_130 with - | Aes128Gcm => aes128_encrypt (k_131) (iv_132) (payload_133) (ad_134) - | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) - | Chacha20Poly1305 => chacha_encrypt (k_131) (iv_132) (payload_133) (ad_134) - end. - -Definition aes128_decrypt - (k_135 : aead_key_t) - (iv_136 : aead_iv_t) - (ciphertext_137 : byte_seq) - (ad_138 : byte_seq) - : (result byte_seq crypto_error_t) := - match decrypt_aes128 (array_from_seq (_) (k_135)) (array_from_seq (_) ( - iv_136)) (ad_138) (seq_slice_range (ciphertext_137) (( - usize 0, - (seq_len (ciphertext_137)) - (usize 16) - ))) (array_from_seq (_) (seq_slice_range (ciphertext_137) (( - (seq_len (ciphertext_137)) - (usize 16), - seq_len (ciphertext_137) - )))) with - | Ok (m_139) => @Ok byte_seq crypto_error_t (m_139) - | Err (_) => @Err byte_seq crypto_error_t (MacFailed) - end. - -Definition chacha_decrypt - (k_140 : aead_key_t) - (iv_141 : aead_iv_t) - (ciphertext_142 : byte_seq) - (ad_143 : byte_seq) - : (result byte_seq crypto_error_t) := - match chacha20_poly1305_decrypt (array_from_seq (32) (k_140)) ( - array_from_seq (12) (iv_141)) (ad_143) (seq_slice_range (ciphertext_142) (( - usize 0, - (seq_len (ciphertext_142)) - (usize 16) - ))) (array_from_seq (16) (seq_slice_range (ciphertext_142) (( - (seq_len (ciphertext_142)) - (usize 16), - seq_len (ciphertext_142) - )))) with - | Ok (ptxt_144) => @Ok byte_seq crypto_error_t (ptxt_144) - | Err (_) => @Err byte_seq crypto_error_t (MacFailed) - end. - -Definition aead_decrypt - (a_145 : aead_algorithm_t) - (k_146 : aead_key_t) - (iv_147 : aead_iv_t) - (ciphertext_148 : byte_seq) - (ad_149 : byte_seq) - : (result byte_seq crypto_error_t) := - match a_145 with - | Aes128Gcm => aes128_decrypt (k_146) (iv_147) (ciphertext_148) (ad_149) - | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) - | Chacha20Poly1305 => chacha_decrypt (k_146) (iv_147) (ciphertext_148) ( - ad_149) - end. - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Aes.v b/proof-libs/coq/coq/src/_vc/Hacspec_Aes.v deleted file mode 100644 index bb00b4b98..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Aes.v +++ /dev/null @@ -1,714 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition blocksize_v : uint_size := - usize 16. - -Definition ivsize_v : uint_size := - usize 12. - -Definition key_length_v : uint_size := - usize 4. - -Definition rounds_v : uint_size := - usize 10. - -Definition key_schedule_length_v : uint_size := - usize 176. - -Definition iterations_v : uint_size := - usize 40. - -Definition invalid_key_expansion_index_v : int8 := - @repr WORDSIZE8 1. - -Definition block_t := nseq (uint8) (blocksize_v). - -Definition word_t := nseq (uint8) (key_length_v). - -Definition round_key_t := nseq (uint8) (blocksize_v). - -Definition aes_nonce_t := nseq (uint8) (ivsize_v). - -Definition s_box_t := nseq (uint8) (usize 256). - -Definition r_con_t := nseq (uint8) (usize 15). - -Definition bytes144_t := nseq (uint8) (usize 144). - -Definition bytes176_t := nseq (uint8) (key_schedule_length_v). - -Definition key128_t := nseq (uint8) (blocksize_v). - -Notation "'byte_seq_result_t'" := ((result byte_seq int8)) : hacspec_scope. - -Notation "'block_result_t'" := ((result block_t int8)) : hacspec_scope. - -Notation "'word_result_t'" := ((result word_t int8)) : hacspec_scope. - -Definition sbox_v : s_box_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 123) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 111) : int8; - secret (@repr WORDSIZE8 197) : int8; - secret (@repr WORDSIZE8 48) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 103) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 215) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 202) : int8; - secret (@repr WORDSIZE8 130) : int8; - secret (@repr WORDSIZE8 201) : int8; - secret (@repr WORDSIZE8 125) : int8; - secret (@repr WORDSIZE8 250) : int8; - secret (@repr WORDSIZE8 89) : int8; - secret (@repr WORDSIZE8 71) : int8; - secret (@repr WORDSIZE8 240) : int8; - secret (@repr WORDSIZE8 173) : int8; - secret (@repr WORDSIZE8 212) : int8; - secret (@repr WORDSIZE8 162) : int8; - secret (@repr WORDSIZE8 175) : int8; - secret (@repr WORDSIZE8 156) : int8; - secret (@repr WORDSIZE8 164) : int8; - secret (@repr WORDSIZE8 114) : int8; - secret (@repr WORDSIZE8 192) : int8; - secret (@repr WORDSIZE8 183) : int8; - secret (@repr WORDSIZE8 253) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 38) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 63) : int8; - secret (@repr WORDSIZE8 247) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 52) : int8; - secret (@repr WORDSIZE8 165) : int8; - secret (@repr WORDSIZE8 229) : int8; - secret (@repr WORDSIZE8 241) : int8; - secret (@repr WORDSIZE8 113) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 21) : int8; - secret (@repr WORDSIZE8 4) : int8; - secret (@repr WORDSIZE8 199) : int8; - secret (@repr WORDSIZE8 35) : int8; - secret (@repr WORDSIZE8 195) : int8; - secret (@repr WORDSIZE8 24) : int8; - secret (@repr WORDSIZE8 150) : int8; - secret (@repr WORDSIZE8 5) : int8; - secret (@repr WORDSIZE8 154) : int8; - secret (@repr WORDSIZE8 7) : int8; - secret (@repr WORDSIZE8 18) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 178) : int8; - secret (@repr WORDSIZE8 117) : int8; - secret (@repr WORDSIZE8 9) : int8; - secret (@repr WORDSIZE8 131) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 110) : int8; - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 82) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 214) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 41) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 47) : int8; - secret (@repr WORDSIZE8 132) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 237) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 252) : int8; - secret (@repr WORDSIZE8 177) : int8; - secret (@repr WORDSIZE8 91) : int8; - secret (@repr WORDSIZE8 106) : int8; - secret (@repr WORDSIZE8 203) : int8; - secret (@repr WORDSIZE8 190) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 76) : int8; - secret (@repr WORDSIZE8 88) : int8; - secret (@repr WORDSIZE8 207) : int8; - secret (@repr WORDSIZE8 208) : int8; - secret (@repr WORDSIZE8 239) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 251) : int8; - secret (@repr WORDSIZE8 67) : int8; - secret (@repr WORDSIZE8 77) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 133) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 249) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 80) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 159) : int8; - secret (@repr WORDSIZE8 168) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 163) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 143) : int8; - secret (@repr WORDSIZE8 146) : int8; - secret (@repr WORDSIZE8 157) : int8; - secret (@repr WORDSIZE8 56) : int8; - secret (@repr WORDSIZE8 245) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 218) : int8; - secret (@repr WORDSIZE8 33) : int8; - secret (@repr WORDSIZE8 16) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 243) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 205) : int8; - secret (@repr WORDSIZE8 12) : int8; - secret (@repr WORDSIZE8 19) : int8; - secret (@repr WORDSIZE8 236) : int8; - secret (@repr WORDSIZE8 95) : int8; - secret (@repr WORDSIZE8 151) : int8; - secret (@repr WORDSIZE8 68) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 196) : int8; - secret (@repr WORDSIZE8 167) : int8; - secret (@repr WORDSIZE8 126) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 100) : int8; - secret (@repr WORDSIZE8 93) : int8; - secret (@repr WORDSIZE8 25) : int8; - secret (@repr WORDSIZE8 115) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 220) : int8; - secret (@repr WORDSIZE8 34) : int8; - secret (@repr WORDSIZE8 42) : int8; - secret (@repr WORDSIZE8 144) : int8; - secret (@repr WORDSIZE8 136) : int8; - secret (@repr WORDSIZE8 70) : int8; - secret (@repr WORDSIZE8 238) : int8; - secret (@repr WORDSIZE8 184) : int8; - secret (@repr WORDSIZE8 20) : int8; - secret (@repr WORDSIZE8 222) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 11) : int8; - secret (@repr WORDSIZE8 219) : int8; - secret (@repr WORDSIZE8 224) : int8; - secret (@repr WORDSIZE8 50) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 10) : int8; - secret (@repr WORDSIZE8 73) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 36) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 211) : int8; - secret (@repr WORDSIZE8 172) : int8; - secret (@repr WORDSIZE8 98) : int8; - secret (@repr WORDSIZE8 145) : int8; - secret (@repr WORDSIZE8 149) : int8; - secret (@repr WORDSIZE8 228) : int8; - secret (@repr WORDSIZE8 121) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 200) : int8; - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 109) : int8; - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 213) : int8; - secret (@repr WORDSIZE8 78) : int8; - secret (@repr WORDSIZE8 169) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 86) : int8; - secret (@repr WORDSIZE8 244) : int8; - secret (@repr WORDSIZE8 234) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 122) : int8; - secret (@repr WORDSIZE8 174) : int8; - secret (@repr WORDSIZE8 8) : int8; - secret (@repr WORDSIZE8 186) : int8; - secret (@repr WORDSIZE8 120) : int8; - secret (@repr WORDSIZE8 37) : int8; - secret (@repr WORDSIZE8 46) : int8; - secret (@repr WORDSIZE8 28) : int8; - secret (@repr WORDSIZE8 166) : int8; - secret (@repr WORDSIZE8 180) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 232) : int8; - secret (@repr WORDSIZE8 221) : int8; - secret (@repr WORDSIZE8 116) : int8; - secret (@repr WORDSIZE8 31) : int8; - secret (@repr WORDSIZE8 75) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 139) : int8; - secret (@repr WORDSIZE8 138) : int8; - secret (@repr WORDSIZE8 112) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 181) : int8; - secret (@repr WORDSIZE8 102) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 14) : int8; - secret (@repr WORDSIZE8 97) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 87) : int8; - secret (@repr WORDSIZE8 185) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 193) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 225) : int8; - secret (@repr WORDSIZE8 248) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 17) : int8; - secret (@repr WORDSIZE8 105) : int8; - secret (@repr WORDSIZE8 217) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 148) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 30) : int8; - secret (@repr WORDSIZE8 135) : int8; - secret (@repr WORDSIZE8 233) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 40) : int8; - secret (@repr WORDSIZE8 223) : int8; - secret (@repr WORDSIZE8 140) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 137) : int8; - secret (@repr WORDSIZE8 13) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 230) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 65) : int8; - secret (@repr WORDSIZE8 153) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 84) : int8; - secret (@repr WORDSIZE8 187) : int8; - secret (@repr WORDSIZE8 22) : int8 - ] in l). - -Definition rcon_v : r_con_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 141) : int8; - secret (@repr WORDSIZE8 1) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 4) : int8; - secret (@repr WORDSIZE8 8) : int8; - secret (@repr WORDSIZE8 16) : int8; - secret (@repr WORDSIZE8 32) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 128) : int8; - secret (@repr WORDSIZE8 27) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 108) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 171) : int8; - secret (@repr WORDSIZE8 77) : int8 - ] in l). - -Definition sub_bytes (state_150 : block_t) : block_t := - let st_151 : block_t := - state_150 in - let st_151 := - foldi (usize 0) (blocksize_v) (fun i_152 st_151 => - let st_151 := - array_upd st_151 (i_152) (array_index (sbox_v) (uint8_declassify ( - array_index (state_150) (i_152)))) in - (st_151)) - st_151 in - st_151. - -Definition shift_row - (i_153 : uint_size) - (shift_154 : uint_size) - (state_155 : block_t) - : block_t := - let out_156 : block_t := - state_155 in - let out_156 := - array_upd out_156 (i_153) (array_index (state_155) ((i_153) + ((usize 4) * ( - (shift_154) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 4)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 1)) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 8)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 2)) %% (usize 4))))) in - let out_156 := - array_upd out_156 ((i_153) + (usize 12)) (array_index (state_155) (( - i_153) + ((usize 4) * (((shift_154) + (usize 3)) %% (usize 4))))) in - out_156. - -Definition shift_rows (state_157 : block_t) : block_t := - let state_158 : block_t := - shift_row (usize 1) (usize 1) (state_157) in - let state_159 : block_t := - shift_row (usize 2) (usize 2) (state_158) in - shift_row (usize 3) (usize 3) (state_159). - -Definition xtime (x_160 : uint8) : uint8 := - let x1_161 : uint8 := - (x_160) shift_left (usize 1) in - let x7_162 : uint8 := - (x_160) shift_right (usize 7) in - let x71_163 : uint8 := - (x7_162) .& (secret (@repr WORDSIZE8 1) : int8) in - let x711b_164 : uint8 := - (x71_163) .* (secret (@repr WORDSIZE8 27) : int8) in - (x1_161) .^ (x711b_164). - -Definition mix_column (c_165 : uint_size) (state_166 : block_t) : block_t := - let i0_167 : uint_size := - (usize 4) * (c_165) in - let s0_168 : uint8 := - array_index (state_166) (i0_167) in - let s1_169 : uint8 := - array_index (state_166) ((i0_167) + (usize 1)) in - let s2_170 : uint8 := - array_index (state_166) ((i0_167) + (usize 2)) in - let s3_171 : uint8 := - array_index (state_166) ((i0_167) + (usize 3)) in - let st_172 : block_t := - state_166 in - let tmp_173 : uint8 := - (((s0_168) .^ (s1_169)) .^ (s2_170)) .^ (s3_171) in - let st_172 := - array_upd st_172 (i0_167) (((s0_168) .^ (tmp_173)) .^ (xtime ((s0_168) .^ ( - s1_169)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 1)) (((s1_169) .^ (tmp_173)) .^ (xtime ( - (s1_169) .^ (s2_170)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 2)) (((s2_170) .^ (tmp_173)) .^ (xtime ( - (s2_170) .^ (s3_171)))) in - let st_172 := - array_upd st_172 ((i0_167) + (usize 3)) (((s3_171) .^ (tmp_173)) .^ (xtime ( - (s3_171) .^ (s0_168)))) in - st_172. - -Definition mix_columns (state_174 : block_t) : block_t := - let state_175 : block_t := - mix_column (usize 0) (state_174) in - let state_176 : block_t := - mix_column (usize 1) (state_175) in - let state_177 : block_t := - mix_column (usize 2) (state_176) in - mix_column (usize 3) (state_177). - -Definition add_round_key - (state_178 : block_t) - (key_179 : round_key_t) - : block_t := - let out_180 : block_t := - state_178 in - let out_180 := - foldi (usize 0) (blocksize_v) (fun i_181 out_180 => - let out_180 := - array_upd out_180 (i_181) ((array_index (out_180) (i_181)) .^ ( - array_index (key_179) (i_181))) in - (out_180)) - out_180 in - out_180. - -Definition aes_enc - (state_182 : block_t) - (round_key_183 : round_key_t) - : block_t := - let state_184 : block_t := - sub_bytes (state_182) in - let state_185 : block_t := - shift_rows (state_184) in - let state_186 : block_t := - mix_columns (state_185) in - add_round_key (state_186) (round_key_183). - -Definition aes_enc_last - (state_187 : block_t) - (round_key_188 : round_key_t) - : block_t := - let state_189 : block_t := - sub_bytes (state_187) in - let state_190 : block_t := - shift_rows (state_189) in - add_round_key (state_190) (round_key_188). - -Definition rounds_aes (state_191 : block_t) (key_192 : byte_seq) : block_t := - let out_193 : block_t := - state_191 in - let out_193 := - foldi (usize 0) (seq_num_chunks (key_192) ( - blocksize_v)) (fun i_194 out_193 => - let '(_, key_block_195) := - seq_get_chunk (key_192) (blocksize_v) (i_194) in - let out_193 := - aes_enc (out_193) (array_from_seq (blocksize_v) (key_block_195)) in - (out_193)) - out_193 in - out_193. - -Definition block_cipher_aes - (input_196 : block_t) - (key_197 : byte_seq) - (nr_198 : uint_size) - : block_t := - let k0_199 : round_key_t := - array_from_slice_range (default) (blocksize_v) (key_197) ((usize 0, usize 16 - )) in - let k_200 : seq uint8 := - seq_from_slice_range (key_197) ((usize 16, (nr_198) * (usize 16))) in - let kn_201 : round_key_t := - array_from_slice (default) (blocksize_v) (key_197) ((nr_198) * (usize 16)) ( - usize 16) in - let state_202 : block_t := - add_round_key (input_196) (k0_199) in - let state_203 : block_t := - rounds_aes (state_202) (k_200) in - aes_enc_last (state_203) (kn_201). - -Definition rotate_word (w_204 : word_t) : word_t := - array_from_list uint8 (let l := - [ - array_index (w_204) (usize 1); - array_index (w_204) (usize 2); - array_index (w_204) (usize 3); - array_index (w_204) (usize 0) - ] in l). - -Definition slice_word (w_205 : word_t) : word_t := - array_from_list uint8 (let l := - [ - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 0))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 1))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 2))); - array_index (sbox_v) (declassify_usize_from_uint8 (array_index (w_205) ( - usize 3))) - ] in l). - -Definition aes_keygen_assist (w_206 : word_t) (rcon_207 : uint8) : word_t := - let k_208 : word_t := - rotate_word (w_206) in - let k_208 := - slice_word (k_208) in - let k_208 := - array_upd k_208 (usize 0) ((array_index (k_208) (usize 0)) .^ ( - rcon_207)) in - k_208. - -Definition key_expansion_word - (w0_209 : word_t) - (w1_210 : word_t) - (i_211 : uint_size) - (nk_212 : uint_size) - (nr_213 : uint_size) - : word_result_t := - let k_214 : word_t := - w1_210 in - let result_215 : (result word_t int8) := - @Err word_t int8 (invalid_key_expansion_index_v) in - let '(k_214, result_215) := - if (i_211) <.? ((usize 4) * ((nr_213) + (usize 1))):bool then (let '(k_214 - ) := - if ((i_211) %% (nk_212)) =.? (usize 0):bool then (let k_214 := - aes_keygen_assist (k_214) (array_index (rcon_v) ((i_211) / ( - nk_212))) in - (k_214)) else (let '(k_214) := - if ((nk_212) >.? (usize 6)) && (((i_211) %% (nk_212)) =.? ( - usize 4)):bool then (let k_214 := - slice_word (k_214) in - (k_214)) else ((k_214)) in - (k_214)) in - let k_214 := - foldi (usize 0) (usize 4) (fun i_216 k_214 => - let k_214 := - array_upd k_214 (i_216) ((array_index (k_214) (i_216)) .^ ( - array_index (w0_209) (i_216))) in - (k_214)) - k_214 in - let result_215 := - @Ok word_t int8 (k_214) in - (k_214, result_215)) else ((k_214, result_215)) in - result_215. - -Definition key_expansion_aes - (key_217 : byte_seq) - (nk_218 : uint_size) - (nr_219 : uint_size) - (key_schedule_length_220 : uint_size) - (key_length_221 : uint_size) - (iterations_222 : uint_size) - : byte_seq_result_t := - let key_ex_223 : seq uint8 := - seq_new_ (default) (key_schedule_length_220) in - let key_ex_223 := - seq_update_start (key_ex_223) (key_217) in - let word_size_224 : uint_size := - key_length_221 in - bind (foldibnd (usize 0) to ( - iterations_222) for key_ex_223 >> (fun j_225 key_ex_223 => - let i_226 : uint_size := - (j_225) + (word_size_224) in - bind (key_expansion_word (array_from_slice (default) (key_length_v) ( - key_ex_223) ((usize 4) * ((i_226) - (word_size_224))) (usize 4)) ( - array_from_slice (default) (key_length_v) (key_ex_223) (((usize 4) * ( - i_226)) - (usize 4)) (usize 4)) (i_226) (nk_218) (nr_219)) ( - fun word_227 => let key_ex_223 := - seq_update (key_ex_223) ((usize 4) * (i_226)) ( - array_to_seq (word_227)) in - Ok ((key_ex_223))))) (fun key_ex_223 => @Ok byte_seq int8 (key_ex_223)). - -Definition aes_encrypt_block - (k_228 : byte_seq) - (input_229 : block_t) - (nk_230 : uint_size) - (nr_231 : uint_size) - (key_schedule_length_232 : uint_size) - (key_length_233 : uint_size) - (iterations_234 : uint_size) - : block_result_t := - bind (key_expansion_aes (k_228) (nk_230) (nr_231) (key_schedule_length_232) ( - key_length_233) (iterations_234)) (fun key_ex_235 => @Ok block_t int8 ( - block_cipher_aes (input_229) (key_ex_235) (nr_231))). - -Definition aes128_encrypt_block - (k_236 : key128_t) - (input_237 : block_t) - : block_t := - result_unwrap (aes_encrypt_block (seq_from_seq (array_to_seq (k_236))) ( - input_237) (key_length_v) (rounds_v) (key_schedule_length_v) ( - key_length_v) (iterations_v)). - -Definition aes_ctr_key_block - (k_238 : byte_seq) - (n_239 : aes_nonce_t) - (c_240 : uint32) - (nk_241 : uint_size) - (nr_242 : uint_size) - (key_schedule_length_243 : uint_size) - (key_length_244 : uint_size) - (iterations_245 : uint_size) - : block_result_t := - let input_246 : block_t := - array_new_ (default) (blocksize_v) in - let input_246 := - array_update (input_246) (usize 0) (array_to_seq (n_239)) in - let input_246 := - array_update (input_246) (usize 12) (array_to_seq (uint32_to_be_bytes ( - c_240))) in - aes_encrypt_block (k_238) (input_246) (nk_241) (nr_242) ( - key_schedule_length_243) (key_length_244) (iterations_245). - -Definition xor_block - (block_247 : block_t) - (key_block_248 : block_t) - : block_t := - let out_249 : block_t := - block_247 in - let out_249 := - foldi (usize 0) (blocksize_v) (fun i_250 out_249 => - let out_249 := - array_upd out_249 (i_250) ((array_index (out_249) (i_250)) .^ ( - array_index (key_block_248) (i_250))) in - (out_249)) - out_249 in - out_249. - -Definition aes_counter_mode - (key_251 : byte_seq) - (nonce_252 : aes_nonce_t) - (counter_253 : uint32) - (msg_254 : byte_seq) - (nk_255 : uint_size) - (nr_256 : uint_size) - (key_schedule_length_257 : uint_size) - (key_length_258 : uint_size) - (iterations_259 : uint_size) - : byte_seq_result_t := - let ctr_260 : uint32 := - counter_253 in - let blocks_out_261 : seq uint8 := - seq_new_ (default) (seq_len (msg_254)) in - let n_blocks_262 : uint_size := - seq_num_exact_chunks (msg_254) (blocksize_v) in - bind (foldibnd (usize 0) to (n_blocks_262) for (ctr_260, blocks_out_261 - ) >> (fun i_263 '(ctr_260, blocks_out_261) => - let msg_block_264 : seq uint8 := - seq_get_exact_chunk (msg_254) (blocksize_v) (i_263) in - bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) (nr_256) ( - key_schedule_length_257) (key_length_258) (iterations_259)) ( - fun key_block_265 => let blocks_out_261 := - seq_set_chunk (blocks_out_261) (blocksize_v) (i_263) ( - array_to_seq (xor_block (array_from_seq (blocksize_v) ( - msg_block_264)) (key_block_265))) in - let ctr_260 := - (ctr_260) .+ (secret (@repr WORDSIZE32 1) : int32) in - Ok ((ctr_260, blocks_out_261))))) (fun '(ctr_260, blocks_out_261) => - let last_block_266 : seq uint8 := - seq_get_remainder_chunk (msg_254) (blocksize_v) in - let last_block_len_267 : uint_size := - seq_len (last_block_266) in - ifbnd (last_block_len_267) !=.? (usize 0) : bool - thenbnd (let last_block_268 : block_t := - array_update_start (array_new_ (default) (blocksize_v)) ( - last_block_266) in - bind (aes_ctr_key_block (key_251) (nonce_252) (ctr_260) (nk_255) ( - nr_256) (key_schedule_length_257) (key_length_258) (iterations_259)) ( - fun key_block_269 => let blocks_out_261 := - seq_set_chunk (blocks_out_261) (blocksize_v) (n_blocks_262) ( - array_slice_range (xor_block (last_block_268) (key_block_269)) (( - usize 0, - last_block_len_267 - ))) in - Ok ((blocks_out_261)))) - else ((blocks_out_261)) >> (fun '(blocks_out_261) => - @Ok byte_seq int8 (blocks_out_261))). - -Definition aes128_encrypt - (key_270 : key128_t) - (nonce_271 : aes_nonce_t) - (counter_272 : uint32) - (msg_273 : byte_seq) - : byte_seq := - result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_270))) ( - nonce_271) (counter_272) (msg_273) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)). - -Definition aes128_decrypt - (key_274 : key128_t) - (nonce_275 : aes_nonce_t) - (counter_276 : uint32) - (ctxt_277 : byte_seq) - : byte_seq := - result_unwrap (aes_counter_mode (seq_from_seq (array_to_seq (key_274))) ( - nonce_275) (counter_276) (ctxt_277) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Aes128_Gcm.v b/proof-libs/coq/coq/src/_vc/Hacspec_Aes128_Gcm.v deleted file mode 100644 index 83a91bc40..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Aes128_Gcm.v +++ /dev/null @@ -1,124 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Aes. - -Require Import Hacspec_Gf128. - -Notation "'aes_gcm_byte_seq_result_t'" := (( - result byte_seq int8)) : hacspec_scope. - -Definition invalid_tag_v : int8 := - @repr WORDSIZE8 1. - -Definition pad_aad_msg (aad_278 : byte_seq) (msg_279 : byte_seq) : byte_seq := - let laad_280 : uint_size := - seq_len (aad_278) in - let lmsg_281 : uint_size := - seq_len (msg_279) in - let pad_aad_282 : uint_size := - (if (((laad_280) %% (usize 16)) =.? (usize 0)):bool then (laad_280) else (( - laad_280) + ((usize 16) - ((laad_280) %% (usize 16))))) in - let pad_msg_283 : uint_size := - (if (((lmsg_281) %% (usize 16)) =.? (usize 0)):bool then (lmsg_281) else (( - lmsg_281) + ((usize 16) - ((lmsg_281) %% (usize 16))))) in - let padded_msg_284 : seq uint8 := - seq_new_ (default) (((pad_aad_282) + (pad_msg_283)) + (usize 16)) in - let padded_msg_284 := - seq_update (padded_msg_284) (usize 0) (aad_278) in - let padded_msg_284 := - seq_update (padded_msg_284) (pad_aad_282) (msg_279) in - let padded_msg_284 := - seq_update (padded_msg_284) ((pad_aad_282) + (pad_msg_283)) ( - array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( - laad_280)) : int64) .* (secret ( - @repr WORDSIZE64 8) : int64)))) in - let padded_msg_284 := - seq_update (padded_msg_284) (((pad_aad_282) + (pad_msg_283)) + (usize 8)) ( - array_to_seq (uint64_to_be_bytes ((secret (pub_u64 ( - lmsg_281)) : int64) .* (secret ( - @repr WORDSIZE64 8) : int64)))) in - padded_msg_284. - -Definition encrypt_aes - (key_285 : byte_seq) - (iv_286 : aes_nonce_t) - (aad_287 : byte_seq) - (msg_288 : byte_seq) - : (byte_seq × gf128_tag_t) := - let iv0_289 : aes_nonce_t := - array_new_ (default) (_) in - let mac_key_290 : block_t := - result_unwrap (aes_ctr_key_block (key_285) (iv0_289) (secret ( - @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) in - let tag_mix_291 : block_t := - result_unwrap (aes_ctr_key_block (key_285) ((iv_286)) (secret ( - @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) in - let cipher_text_292 : seq uint8 := - aes128_encrypt (array_from_seq (_) (key_285)) (iv_286) (secret ( - @repr WORDSIZE32 2) : int32) (msg_288) in - let padded_msg_293 : seq uint8 := - pad_aad_msg (aad_287) (cipher_text_292) in - let tag_294 : gf128_tag_t := - gmac (padded_msg_293) (array_from_seq (_) (array_to_seq (mac_key_290))) in - let tag_295 : block_t := - xor_block (array_from_seq (_) (array_to_seq (tag_294))) (tag_mix_291) in - (cipher_text_292, array_from_seq (_) (array_to_seq (tag_295))). - -Definition encrypt_aes128 - (key_296 : key128_t) - (iv_297 : aes_nonce_t) - (aad_298 : byte_seq) - (msg_299 : byte_seq) - : (byte_seq × gf128_tag_t) := - encrypt_aes (seq_from_seq (array_to_seq (key_296))) (iv_297) (aad_298) ( - msg_299). - -Definition decrypt_aes - (key_300 : byte_seq) - (iv_301 : aes_nonce_t) - (aad_302 : byte_seq) - (cipher_text_303 : byte_seq) - (tag_304 : gf128_tag_t) - : aes_gcm_byte_seq_result_t := - let iv0_305 : aes_nonce_t := - array_new_ (default) (_) in - bind (aes_ctr_key_block (key_300) (iv0_305) (secret ( - @repr WORDSIZE32 0) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) (fun mac_key_306 => - bind (aes_ctr_key_block (key_300) ((iv_301)) (secret ( - @repr WORDSIZE32 1) : int32) (key_length_v) (rounds_v) ( - key_schedule_length_v) (key_length_v) (iterations_v)) ( - fun tag_mix_307 => let padded_msg_308 : seq uint8 := - pad_aad_msg (aad_302) (cipher_text_303) in - let my_tag_309 : gf128_tag_t := - gmac (padded_msg_308) (array_from_seq (_) ( - array_to_seq (mac_key_306))) in - let my_tag_310 : block_t := - xor_block (array_from_seq (_) (array_to_seq (my_tag_309))) ( - tag_mix_307) in - let ptxt_311 : seq uint8 := - aes128_decrypt (array_from_seq (_) (key_300)) (iv_301) (secret ( - @repr WORDSIZE32 2) : int32) (cipher_text_303) in - (if (array_declassify_eq (my_tag_310) (array_from_seq (_) ( - array_to_seq (tag_304)))):bool then (@Ok byte_seq int8 ( - ptxt_311)) else (@Err byte_seq int8 (invalid_tag_v))))). - -Definition decrypt_aes128 - (key_312 : key128_t) - (iv_313 : aes_nonce_t) - (aad_314 : byte_seq) - (cipher_text_315 : byte_seq) - (tag_316 : gf128_tag_t) - : aes_gcm_byte_seq_result_t := - decrypt_aes (seq_from_seq (array_to_seq (key_312))) (iv_313) (aad_314) ( - cipher_text_315) (tag_316). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381.v b/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381.v deleted file mode 100644 index bf5cb3088..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381.v +++ /dev/null @@ -1,763 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -From QuickChick Require Import QuickChick. -Require Import QuickChickLib. -Require Import Hacspec_Lib. - -Definition fp_canvas_t := nseq (int8) (48). -Definition fp_t := - nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. -Instance show_fp_t : Show (fp_t) := Build_Show (fp_t) (fun x => show (GZnZ.val _ x)). -Definition g_fp_t : G (fp_t) := @bindGen Z (fp_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). -Instance gen_fp_t : Gen (fp_t) := Build_Gen fp_t g_fp_t. - - -Definition serialized_fp_t := nseq (uint8) (usize 48). - -Definition array_fp_t := nseq (uint64) (usize 6). - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. -Instance show_scalar_t : Show (scalar_t) := Build_Show (scalar_t) (fun x => show (GZnZ.val _ x)). -Definition g_scalar_t : G (scalar_t) := @bindGen Z (scalar_t) (arbitrary) (fun x => returnGen (@Z_in_nat_mod _ x)). -Instance gen_scalar_t : Gen (scalar_t) := Build_Gen scalar_t g_scalar_t. - - -Notation "'g1_t'" := ((fp_t × fp_t × bool)) : hacspec_scope. -Instance show_g1_t : Show (g1_t) := -Build_Show g1_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_g1_t : G (g1_t) := -bindGen arbitrary (fun x0 : fp_t => - bindGen arbitrary (fun x1 : fp_t => - bindGen arbitrary (fun x2 : bool => - returnGen (x0,x1,x2)))). -Instance gen_g1_t : Gen (g1_t) := Build_Gen g1_t g_g1_t. - - -Notation "'fp2_t'" := ((fp_t × fp_t)) : hacspec_scope. -Instance show_fp2_t : Show (fp2_t) := -Build_Show fp2_t (fun x => - let (x, x0) := x in - (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. -Definition g_fp2_t : G (fp2_t) := -bindGen arbitrary (fun x0 : fp_t => - bindGen arbitrary (fun x1 : fp_t => - returnGen (x0,x1))). -Instance gen_fp2_t : Gen (fp2_t) := Build_Gen fp2_t g_fp2_t. - - -Notation "'g2_t'" := ((fp2_t × fp2_t × bool)) : hacspec_scope. -Instance show_g2_t : Show (g2_t) := -Build_Show g2_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_g2_t : G (g2_t) := -bindGen arbitrary (fun x0 : fp2_t => - bindGen arbitrary (fun x1 : fp2_t => - bindGen arbitrary (fun x2 : bool => - returnGen (x0,x1,x2)))). -Instance gen_g2_t : Gen (g2_t) := Build_Gen g2_t g_g2_t. - - -Notation "'fp6_t'" := ((fp2_t × fp2_t × fp2_t)) : hacspec_scope. -Instance show_fp6_t : Show (fp6_t) := -Build_Show fp6_t (fun x => - let (x, x0) := x in - let (x, x1) := x in - ( - ("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ ((",") ++ ((show x1) ++ (")"))))))))%string. -Definition g_fp6_t : G (fp6_t) := -bindGen arbitrary (fun x0 : fp2_t => - bindGen arbitrary (fun x1 : fp2_t => - bindGen arbitrary (fun x2 : fp2_t => - returnGen (x0,x1,x2)))). -Instance gen_fp6_t : Gen (fp6_t) := Build_Gen fp6_t g_fp6_t. - - -Notation "'fp12_t'" := ((fp6_t × fp6_t)) : hacspec_scope. -Instance show_fp12_t : Show (fp12_t) := -Build_Show fp12_t (fun x => - let (x, x0) := x in - (("(") ++ ((show x) ++ ((",") ++ ((show x0) ++ (")"))))))%string. -Definition g_fp12_t : G (fp12_t) := -bindGen arbitrary (fun x0 : fp6_t => - bindGen arbitrary (fun x1 : fp6_t => - returnGen (x0,x1))). -Instance gen_fp12_t : Gen (fp12_t) := Build_Gen fp12_t g_fp12_t. - - -Definition fp2fromfp (n_1063 : fp_t) : fp2_t := - (n_1063, nat_mod_zero ). - -Definition fp2zero : fp2_t := - fp2fromfp (nat_mod_zero ). - -Definition fp2neg (n_1064 : fp2_t) : fp2_t := - let '(n1_1065, n2_1066) := - n_1064 in - ((nat_mod_zero ) -% (n1_1065), (nat_mod_zero ) -% (n2_1066)). - -Definition fp2add (n_1067 : fp2_t) (m_1068 : fp2_t) : fp2_t := - let '(n1_1069, n2_1070) := - n_1067 in - let '(m1_1071, m2_1072) := - m_1068 in - ((n1_1069) +% (m1_1071), (n2_1070) +% (m2_1072)). - -Definition fp2sub (n_1073 : fp2_t) (m_1074 : fp2_t) : fp2_t := - fp2add (n_1073) (fp2neg (m_1074)). - -Definition fp2mul (n_1075 : fp2_t) (m_1076 : fp2_t) : fp2_t := - let '(n1_1077, n2_1078) := - n_1075 in - let '(m1_1079, m2_1080) := - m_1076 in - let x1_1081 : fp_t := - ((n1_1077) *% (m1_1079)) -% ((n2_1078) *% (m2_1080)) in - let x2_1082 : fp_t := - ((n1_1077) *% (m2_1080)) +% ((n2_1078) *% (m1_1079)) in - (x1_1081, x2_1082). - -Definition fp2inv (n_1083 : fp2_t) : fp2_t := - let '(n1_1084, n2_1085) := - n_1083 in - let t0_1086 : fp_t := - ((n1_1084) *% (n1_1084)) +% ((n2_1085) *% (n2_1085)) in - let t1_1087 : fp_t := - nat_mod_inv (t0_1086) in - let x1_1088 : fp_t := - (n1_1084) *% (t1_1087) in - let x2_1089 : fp_t := - (nat_mod_zero ) -% ((n2_1085) *% (t1_1087)) in - (x1_1088, x2_1089). - -Definition fp2conjugate (n_1090 : fp2_t) : fp2_t := - let '(n1_1091, n2_1092) := - n_1090 in - (n1_1091, (nat_mod_zero ) -% (n2_1092)). - -Definition fp6fromfp2 (n_1093 : fp2_t) : fp6_t := - (n_1093, fp2zero , fp2zero ). - -Definition fp6zero : fp6_t := - fp6fromfp2 (fp2zero ). - -Definition fp6neg (n_1094 : fp6_t) : fp6_t := - let '(n1_1095, n2_1096, n3_1097) := - n_1094 in - ( - fp2sub (fp2zero ) (n1_1095), - fp2sub (fp2zero ) (n2_1096), - fp2sub (fp2zero ) (n3_1097) - ). - -Definition fp6add (n_1098 : fp6_t) (m_1099 : fp6_t) : fp6_t := - let '(n1_1100, n2_1101, n3_1102) := - n_1098 in - let '(m1_1103, m2_1104, m3_1105) := - m_1099 in - ( - fp2add (n1_1100) (m1_1103), - fp2add (n2_1101) (m2_1104), - fp2add (n3_1102) (m3_1105) - ). - -Definition fp6sub (n_1106 : fp6_t) (m_1107 : fp6_t) : fp6_t := - fp6add (n_1106) (fp6neg (m_1107)). - -Definition fp6mul (n_1108 : fp6_t) (m_1109 : fp6_t) : fp6_t := - let '(n1_1110, n2_1111, n3_1112) := - n_1108 in - let '(m1_1113, m2_1114, m3_1115) := - m_1109 in - let eps_1116 : (fp_t × fp_t) := - (nat_mod_one , nat_mod_one ) in - let t1_1117 : (fp_t × fp_t) := - fp2mul (n1_1110) (m1_1113) in - let t2_1118 : (fp_t × fp_t) := - fp2mul (n2_1111) (m2_1114) in - let t3_1119 : (fp_t × fp_t) := - fp2mul (n3_1112) (m3_1115) in - let t4_1120 : (fp_t × fp_t) := - fp2mul (fp2add (n2_1111) (n3_1112)) (fp2add (m2_1114) (m3_1115)) in - let t5_1121 : (fp_t × fp_t) := - fp2sub (fp2sub (t4_1120) (t2_1118)) (t3_1119) in - let x_1122 : (fp_t × fp_t) := - fp2add (fp2mul (t5_1121) (eps_1116)) (t1_1117) in - let t4_1123 : (fp_t × fp_t) := - fp2mul (fp2add (n1_1110) (n2_1111)) (fp2add (m1_1113) (m2_1114)) in - let t5_1124 : (fp_t × fp_t) := - fp2sub (fp2sub (t4_1123) (t1_1117)) (t2_1118) in - let y_1125 : (fp_t × fp_t) := - fp2add (t5_1124) (fp2mul (eps_1116) (t3_1119)) in - let t4_1126 : (fp_t × fp_t) := - fp2mul (fp2add (n1_1110) (n3_1112)) (fp2add (m1_1113) (m3_1115)) in - let t5_1127 : (fp_t × fp_t) := - fp2sub (fp2sub (t4_1126) (t1_1117)) (t3_1119) in - let z_1128 : (fp_t × fp_t) := - fp2add (t5_1127) (t2_1118) in - (x_1122, y_1125, z_1128). - -Definition fp6inv (n_1129 : fp6_t) : fp6_t := - let '(n1_1130, n2_1131, n3_1132) := - n_1129 in - let eps_1133 : (fp_t × fp_t) := - (nat_mod_one , nat_mod_one ) in - let t1_1134 : (fp_t × fp_t) := - fp2mul (n1_1130) (n1_1130) in - let t2_1135 : (fp_t × fp_t) := - fp2mul (n2_1131) (n2_1131) in - let t3_1136 : (fp_t × fp_t) := - fp2mul (n3_1132) (n3_1132) in - let t4_1137 : (fp_t × fp_t) := - fp2mul (n1_1130) (n2_1131) in - let t5_1138 : (fp_t × fp_t) := - fp2mul (n1_1130) (n3_1132) in - let t6_1139 : (fp_t × fp_t) := - fp2mul (n2_1131) (n3_1132) in - let x0_1140 : (fp_t × fp_t) := - fp2sub (t1_1134) (fp2mul (eps_1133) (t6_1139)) in - let y0_1141 : (fp_t × fp_t) := - fp2sub (fp2mul (eps_1133) (t3_1136)) (t4_1137) in - let z0_1142 : (fp_t × fp_t) := - fp2sub (t2_1135) (t5_1138) in - let t0_1143 : (fp_t × fp_t) := - fp2mul (n1_1130) (x0_1140) in - let t0_1144 : (fp_t × fp_t) := - fp2add (t0_1143) (fp2mul (eps_1133) (fp2mul (n3_1132) (y0_1141))) in - let t0_1145 : (fp_t × fp_t) := - fp2add (t0_1144) (fp2mul (eps_1133) (fp2mul (n2_1131) (z0_1142))) in - let t0_1146 : (fp_t × fp_t) := - fp2inv (t0_1145) in - let x_1147 : (fp_t × fp_t) := - fp2mul (x0_1140) (t0_1146) in - let y_1148 : (fp_t × fp_t) := - fp2mul (y0_1141) (t0_1146) in - let z_1149 : (fp_t × fp_t) := - fp2mul (z0_1142) (t0_1146) in - (x_1147, y_1148, z_1149). - -Definition fp12fromfp6 (n_1150 : fp6_t) : fp12_t := - (n_1150, fp6zero ). - -Definition fp12neg (n_1151 : fp12_t) : fp12_t := - let '(n1_1152, n2_1153) := - n_1151 in - (fp6sub (fp6zero ) (n1_1152), fp6sub (fp6zero ) (n2_1153)). - -Definition fp12add (n_1154 : fp12_t) (m_1155 : fp12_t) : fp12_t := - let '(n1_1156, n2_1157) := - n_1154 in - let '(m1_1158, m2_1159) := - m_1155 in - (fp6add (n1_1156) (m1_1158), fp6add (n2_1157) (m2_1159)). - -Definition fp12sub (n_1160 : fp12_t) (m_1161 : fp12_t) : fp12_t := - fp12add (n_1160) (fp12neg (m_1161)). - -Definition fp12mul (n_1162 : fp12_t) (m_1163 : fp12_t) : fp12_t := - let '(n1_1164, n2_1165) := - n_1162 in - let '(m1_1166, m2_1167) := - m_1163 in - let gamma_1168 : (fp2_t × fp2_t × fp2_t) := - (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in - let t1_1169 : (fp2_t × fp2_t × fp2_t) := - fp6mul (n1_1164) (m1_1166) in - let t2_1170 : (fp2_t × fp2_t × fp2_t) := - fp6mul (n2_1165) (m2_1167) in - let x_1171 : (fp2_t × fp2_t × fp2_t) := - fp6add (t1_1169) (fp6mul (t2_1170) (gamma_1168)) in - let y_1172 : (fp2_t × fp2_t × fp2_t) := - fp6mul (fp6add (n1_1164) (n2_1165)) (fp6add (m1_1166) (m2_1167)) in - let y_1173 : (fp2_t × fp2_t × fp2_t) := - fp6sub (fp6sub (y_1172) (t1_1169)) (t2_1170) in - (x_1171, y_1173). - -Definition fp12inv (n_1174 : fp12_t) : fp12_t := - let '(n1_1175, n2_1176) := - n_1174 in - let gamma_1177 : (fp2_t × fp2_t × fp2_t) := - (fp2zero , fp2fromfp (nat_mod_one ), fp2zero ) in - let t1_1178 : (fp2_t × fp2_t × fp2_t) := - fp6mul (n1_1175) (n1_1175) in - let t2_1179 : (fp2_t × fp2_t × fp2_t) := - fp6mul (n2_1176) (n2_1176) in - let t1_1180 : (fp2_t × fp2_t × fp2_t) := - fp6sub (t1_1178) (fp6mul (gamma_1177) (t2_1179)) in - let t2_1181 : (fp2_t × fp2_t × fp2_t) := - fp6inv (t1_1180) in - let x_1182 : (fp2_t × fp2_t × fp2_t) := - fp6mul (n1_1175) (t2_1181) in - let y_1183 : (fp2_t × fp2_t × fp2_t) := - fp6neg (fp6mul (n2_1176) (t2_1181)) in - (x_1182, y_1183). - -Definition fp12exp (n_1184 : fp12_t) (k_1185 : scalar_t) : fp12_t := - let c_1186 : (fp6_t × fp6_t) := - fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in - let c_1186 := - foldi (usize 0) (usize 256) (fun i_1187 c_1186 => - let c_1186 := - fp12mul (c_1186) (c_1186) in - let '(c_1186) := - if nat_mod_bit (k_1185) ((usize 255) - (i_1187)):bool then ( - let c_1186 := - fp12mul (c_1186) (n_1184) in - (c_1186)) else ((c_1186)) in - (c_1186)) - c_1186 in - c_1186. - -Definition fp12conjugate (n_1188 : fp12_t) : fp12_t := - let '(n1_1189, n2_1190) := - n_1188 in - (n1_1189, fp6neg (n2_1190)). - -Definition fp12zero : fp12_t := - fp12fromfp6 (fp6zero ). - -Definition g1add_a (p_1191 : g1_t) (q_1192 : g1_t) : g1_t := - let '(x1_1193, y1_1194, _) := - p_1191 in - let '(x2_1195, y2_1196, _) := - q_1192 in - let x_diff_1197 : fp_t := - (x2_1195) -% (x1_1193) in - let y_diff_1198 : fp_t := - (y2_1196) -% (y1_1194) in - let xovery_1199 : fp_t := - (y_diff_1198) *% (nat_mod_inv (x_diff_1197)) in - let x3_1200 : fp_t := - ((nat_mod_exp (xovery_1199) (@repr WORDSIZE32 2)) -% (x1_1193)) -% ( - x2_1195) in - let y3_1201 : fp_t := - ((xovery_1199) *% ((x1_1193) -% (x3_1200))) -% (y1_1194) in - (x3_1200, y3_1201, false). - -Definition g1double_a (p_1202 : g1_t) : g1_t := - let '(x1_1203, y1_1204, _) := - p_1202 in - let x12_1205 : fp_t := - nat_mod_exp (x1_1203) (@repr WORDSIZE32 2) in - let xovery_1206 : fp_t := - ((nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t) *% (x12_1205)) *% (nat_mod_inv (( - nat_mod_two ) *% (y1_1204))) in - let x3_1207 : fp_t := - (nat_mod_exp (xovery_1206) (@repr WORDSIZE32 2)) -% ((nat_mod_two ) *% ( - x1_1203)) in - let y3_1208 : fp_t := - ((xovery_1206) *% ((x1_1203) -% (x3_1207))) -% (y1_1204) in - (x3_1207, y3_1208, false). - -Definition g1double (p_1209 : g1_t) : g1_t := - let '(x1_1210, y1_1211, inf1_1212) := - p_1209 in - (if (((y1_1211) !=.? (nat_mod_zero )) && (negb (inf1_1212))):bool then ( - g1double_a (p_1209)) else ((nat_mod_zero , nat_mod_zero , true))). - -Definition g1add (p_1213 : g1_t) (q_1214 : g1_t) : g1_t := - let '(x1_1215, y1_1216, inf1_1217) := - p_1213 in - let '(x2_1218, y2_1219, inf2_1220) := - q_1214 in - (if (inf1_1217):bool then (q_1214) else ((if (inf2_1220):bool then ( - p_1213) else ((if ((p_1213) =.? (q_1214)):bool then (g1double ( - p_1213)) else ((if (negb (((x1_1215) =.? (x2_1218)) && (( - y1_1216) =.? ((nat_mod_zero ) -% ( - y2_1219))))):bool then (g1add_a (p_1213) ( - q_1214)) else ((nat_mod_zero , nat_mod_zero , true))))))))). - -Definition g1mul (m_1221 : scalar_t) (p_1222 : g1_t) : g1_t := - let t_1223 : (fp_t × fp_t × bool) := - (nat_mod_zero , nat_mod_zero , true) in - let t_1223 := - foldi (usize 0) (usize 256) (fun i_1224 t_1223 => - let t_1223 := - g1double (t_1223) in - let '(t_1223) := - if nat_mod_bit (m_1221) ((usize 255) - (i_1224)):bool then ( - let t_1223 := - g1add (t_1223) (p_1222) in - (t_1223)) else ((t_1223)) in - (t_1223)) - t_1223 in - t_1223. - -Definition g1neg (p_1225 : g1_t) : g1_t := - let '(x_1226, y_1227, inf_1228) := - p_1225 in - (x_1226, (nat_mod_zero ) -% (y_1227), inf_1228). - -Definition g2add_a (p_1229 : g2_t) (q_1230 : g2_t) : g2_t := - let '(x1_1231, y1_1232, _) := - p_1229 in - let '(x2_1233, y2_1234, _) := - q_1230 in - let x_diff_1235 : (fp_t × fp_t) := - fp2sub (x2_1233) (x1_1231) in - let y_diff_1236 : (fp_t × fp_t) := - fp2sub (y2_1234) (y1_1232) in - let xovery_1237 : (fp_t × fp_t) := - fp2mul (y_diff_1236) (fp2inv (x_diff_1235)) in - let t1_1238 : (fp_t × fp_t) := - fp2mul (xovery_1237) (xovery_1237) in - let t2_1239 : (fp_t × fp_t) := - fp2sub (t1_1238) (x1_1231) in - let x3_1240 : (fp_t × fp_t) := - fp2sub (t2_1239) (x2_1233) in - let t1_1241 : (fp_t × fp_t) := - fp2sub (x1_1231) (x3_1240) in - let t2_1242 : (fp_t × fp_t) := - fp2mul (xovery_1237) (t1_1241) in - let y3_1243 : (fp_t × fp_t) := - fp2sub (t2_1242) (y1_1232) in - (x3_1240, y3_1243, false). - -Definition g2double_a (p_1244 : g2_t) : g2_t := - let '(x1_1245, y1_1246, _) := - p_1244 in - let x12_1247 : (fp_t × fp_t) := - fp2mul (x1_1245) (x1_1245) in - let t1_1248 : (fp_t × fp_t) := - fp2mul (fp2fromfp (nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t)) (x12_1247) in - let t2_1249 : (fp_t × fp_t) := - fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (y1_1246)) in - let xovery_1250 : (fp_t × fp_t) := - fp2mul (t1_1248) (t2_1249) in - let t1_1251 : (fp_t × fp_t) := - fp2mul (xovery_1250) (xovery_1250) in - let t2_1252 : (fp_t × fp_t) := - fp2mul (fp2fromfp (nat_mod_two )) (x1_1245) in - let x3_1253 : (fp_t × fp_t) := - fp2sub (t1_1251) (t2_1252) in - let t1_1254 : (fp_t × fp_t) := - fp2sub (x1_1245) (x3_1253) in - let t2_1255 : (fp_t × fp_t) := - fp2mul (xovery_1250) (t1_1254) in - let y3_1256 : (fp_t × fp_t) := - fp2sub (t2_1255) (y1_1246) in - (x3_1253, y3_1256, false). - -Definition g2double (p_1257 : g2_t) : g2_t := - let '(x1_1258, y1_1259, inf1_1260) := - p_1257 in - (if (((y1_1259) !=.? (fp2zero )) && (negb (inf1_1260))):bool then ( - g2double_a (p_1257)) else ((fp2zero , fp2zero , true))). - -Definition g2add (p_1261 : g2_t) (q_1262 : g2_t) : g2_t := - let '(x1_1263, y1_1264, inf1_1265) := - p_1261 in - let '(x2_1266, y2_1267, inf2_1268) := - q_1262 in - (if (inf1_1265):bool then (q_1262) else ((if (inf2_1268):bool then ( - p_1261) else ((if ((p_1261) =.? (q_1262)):bool then (g2double ( - p_1261)) else ((if (negb (((x1_1263) =.? (x2_1266)) && (( - y1_1264) =.? (fp2neg (y2_1267))))):bool then (g2add_a ( - p_1261) (q_1262)) else ((fp2zero , fp2zero , true))))))))). - -Definition g2mul (m_1269 : scalar_t) (p_1270 : g2_t) : g2_t := - let t_1271 : (fp2_t × fp2_t × bool) := - (fp2zero , fp2zero , true) in - let t_1271 := - foldi (usize 0) (usize 256) (fun i_1272 t_1271 => - let t_1271 := - g2double (t_1271) in - let '(t_1271) := - if nat_mod_bit (m_1269) ((usize 255) - (i_1272)):bool then ( - let t_1271 := - g2add (t_1271) (p_1270) in - (t_1271)) else ((t_1271)) in - (t_1271)) - t_1271 in - t_1271. - -Definition g2neg (p_1273 : g2_t) : g2_t := - let '(x_1274, y_1275, inf_1276) := - p_1273 in - (x_1274, fp2neg (y_1275), inf_1276). - -Definition twist (p_1277 : g1_t) : (fp12_t × fp12_t) := - let '(p0_1278, p1_1279, _) := - p_1277 in - let x_1280 : ((fp2_t × fp2_t × fp2_t) × fp6_t) := - ((fp2zero , fp2fromfp (p0_1278), fp2zero ), fp6zero ) in - let y_1281 : (fp6_t × (fp2_t × fp2_t × fp2_t)) := - (fp6zero , (fp2zero , fp2fromfp (p1_1279), fp2zero )) in - (x_1280, y_1281). - -Definition line_double_p (r_1282 : g2_t) (p_1283 : g1_t) : fp12_t := - let '(r0_1284, r1_1285, _) := - r_1282 in - let a_1286 : (fp_t × fp_t) := - fp2mul (fp2fromfp (nat_mod_from_literal ( - 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab) ( - @repr WORDSIZE128 3) : fp_t)) (fp2mul (r0_1284) (r0_1284)) in - let a_1287 : (fp_t × fp_t) := - fp2mul (a_1286) (fp2inv (fp2mul (fp2fromfp (nat_mod_two )) (r1_1285))) in - let b_1288 : (fp_t × fp_t) := - fp2sub (r1_1285) (fp2mul (a_1287) (r0_1284)) in - let a_1289 : (fp6_t × fp6_t) := - fp12fromfp6 (fp6fromfp2 (a_1287)) in - let b_1290 : (fp6_t × fp6_t) := - fp12fromfp6 (fp6fromfp2 (b_1288)) in - let '(x_1291, y_1292) := - twist (p_1283) in - fp12neg (fp12sub (fp12sub (y_1292) (fp12mul (a_1289) (x_1291))) (b_1290)). - -Definition line_add_p - (r_1293 : g2_t) - (q_1294 : g2_t) - (p_1295 : g1_t) - : fp12_t := - let '(r0_1296, r1_1297, _) := - r_1293 in - let '(q0_1298, q1_1299, _) := - q_1294 in - let a_1300 : (fp_t × fp_t) := - fp2mul (fp2sub (q1_1299) (r1_1297)) (fp2inv (fp2sub (q0_1298) ( - r0_1296))) in - let b_1301 : (fp_t × fp_t) := - fp2sub (r1_1297) (fp2mul (a_1300) (r0_1296)) in - let a_1302 : (fp6_t × fp6_t) := - fp12fromfp6 (fp6fromfp2 (a_1300)) in - let b_1303 : (fp6_t × fp6_t) := - fp12fromfp6 (fp6fromfp2 (b_1301)) in - let '(x_1304, y_1305) := - twist (p_1295) in - fp12neg (fp12sub (fp12sub (y_1305) (fp12mul (a_1302) (x_1304))) (b_1303)). - -Definition frobenius (f_1306 : fp12_t) : fp12_t := - let '((g0_1307, g1_1308, g2_1309), (h0_1310, h1_1311, h2_1312)) := - f_1306 in - let t1_1313 : (fp_t × fp_t) := - fp2conjugate (g0_1307) in - let t2_1314 : (fp_t × fp_t) := - fp2conjugate (h0_1310) in - let t3_1315 : (fp_t × fp_t) := - fp2conjugate (g1_1308) in - let t4_1316 : (fp_t × fp_t) := - fp2conjugate (h1_1311) in - let t5_1317 : (fp_t × fp_t) := - fp2conjugate (g2_1309) in - let t6_1318 : (fp_t × fp_t) := - fp2conjugate (h2_1312) in - let c1_1319 : array_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 10162220747404304312) : int64; - secret (@repr WORDSIZE64 17761815663483519293) : int64; - secret (@repr WORDSIZE64 8873291758750579140) : int64; - secret (@repr WORDSIZE64 1141103941765652303) : int64; - secret (@repr WORDSIZE64 13993175198059990303) : int64; - secret (@repr WORDSIZE64 1802798568193066599) : int64 - ] in l) in - let c1_1320 : seq uint8 := - array_to_le_bytes (c1_1319) in - let c1_1321 : fp_t := - nat_mod_from_byte_seq_le (c1_1320) : fp_t in - let c2_1322 : array_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 3240210268673559283) : int64; - secret (@repr WORDSIZE64 2895069921743240898) : int64; - secret (@repr WORDSIZE64 17009126888523054175) : int64; - secret (@repr WORDSIZE64 6098234018649060207) : int64; - secret (@repr WORDSIZE64 9865672654120263608) : int64; - secret (@repr WORDSIZE64 71000049454473266) : int64 - ] in l) in - let c2_1323 : seq uint8 := - array_to_le_bytes (c2_1322) in - let c2_1324 : fp_t := - nat_mod_from_byte_seq_le (c2_1323) : fp_t in - let gamma11_1325 : (fp_t × fp_t) := - (c1_1321, c2_1324) in - let gamma12_1326 : (fp_t × fp_t) := - fp2mul (gamma11_1325) (gamma11_1325) in - let gamma13_1327 : (fp_t × fp_t) := - fp2mul (gamma12_1326) (gamma11_1325) in - let gamma14_1328 : (fp_t × fp_t) := - fp2mul (gamma13_1327) (gamma11_1325) in - let gamma15_1329 : (fp_t × fp_t) := - fp2mul (gamma14_1328) (gamma11_1325) in - let t2_1330 : (fp_t × fp_t) := - fp2mul (t2_1314) (gamma11_1325) in - let t3_1331 : (fp_t × fp_t) := - fp2mul (t3_1315) (gamma12_1326) in - let t4_1332 : (fp_t × fp_t) := - fp2mul (t4_1316) (gamma13_1327) in - let t5_1333 : (fp_t × fp_t) := - fp2mul (t5_1317) (gamma14_1328) in - let t6_1334 : (fp_t × fp_t) := - fp2mul (t6_1318) (gamma15_1329) in - ((t1_1313, t3_1331, t5_1333), (t2_1330, t4_1332, t6_1334)). - -Definition final_exponentiation (f_1335 : fp12_t) : fp12_t := - let fp6_1336 : (fp6_t × fp6_t) := - fp12conjugate (f_1335) in - let finv_1337 : (fp6_t × fp6_t) := - fp12inv (f_1335) in - let fp6_1_1338 : (fp6_t × fp6_t) := - fp12mul (fp6_1336) (finv_1337) in - let fp8_1339 : (fp6_t × fp6_t) := - frobenius (frobenius (fp6_1_1338)) in - let f_1340 : (fp6_t × fp6_t) := - fp12mul (fp8_1339) (fp6_1_1338) in - let u_1341 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let t0_1342 : (fp6_t × fp6_t) := - fp12mul (f_1340) (f_1340) in - let t1_1343 : (fp6_t × fp6_t) := - fp12exp (t0_1342) (u_1341) in - let t1_1344 : (fp6_t × fp6_t) := - fp12conjugate (t1_1343) in - let t2_1345 : (fp6_t × fp6_t) := - fp12exp (t1_1344) ((u_1341) /% (nat_mod_two )) in - let t2_1346 : (fp6_t × fp6_t) := - fp12conjugate (t2_1345) in - let t3_1347 : (fp6_t × fp6_t) := - fp12conjugate (f_1340) in - let t1_1348 : (fp6_t × fp6_t) := - fp12mul (t3_1347) (t1_1344) in - let t1_1349 : (fp6_t × fp6_t) := - fp12conjugate (t1_1348) in - let t1_1350 : (fp6_t × fp6_t) := - fp12mul (t1_1349) (t2_1346) in - let t2_1351 : (fp6_t × fp6_t) := - fp12exp (t1_1350) (u_1341) in - let t2_1352 : (fp6_t × fp6_t) := - fp12conjugate (t2_1351) in - let t3_1353 : (fp6_t × fp6_t) := - fp12exp (t2_1352) (u_1341) in - let t3_1354 : (fp6_t × fp6_t) := - fp12conjugate (t3_1353) in - let t1_1355 : (fp6_t × fp6_t) := - fp12conjugate (t1_1350) in - let t3_1356 : (fp6_t × fp6_t) := - fp12mul (t1_1355) (t3_1354) in - let t1_1357 : (fp6_t × fp6_t) := - fp12conjugate (t1_1355) in - let t1_1358 : (fp6_t × fp6_t) := - frobenius (frobenius (frobenius (t1_1357))) in - let t2_1359 : (fp6_t × fp6_t) := - frobenius (frobenius (t2_1352)) in - let t1_1360 : (fp6_t × fp6_t) := - fp12mul (t1_1358) (t2_1359) in - let t2_1361 : (fp6_t × fp6_t) := - fp12exp (t3_1356) (u_1341) in - let t2_1362 : (fp6_t × fp6_t) := - fp12conjugate (t2_1361) in - let t2_1363 : (fp6_t × fp6_t) := - fp12mul (t2_1362) (t0_1342) in - let t2_1364 : (fp6_t × fp6_t) := - fp12mul (t2_1363) (f_1340) in - let t1_1365 : (fp6_t × fp6_t) := - fp12mul (t1_1360) (t2_1364) in - let t2_1366 : (fp6_t × fp6_t) := - frobenius (t3_1356) in - let t1_1367 : (fp6_t × fp6_t) := - fp12mul (t1_1365) (t2_1366) in - t1_1367. - -Definition pairing (p_1368 : g1_t) (q_1369 : g2_t) : fp12_t := - let t_1370 : scalar_t := - nat_mod_from_literal ( - 0x8000000000000000000000000000000000000000000000000000000000000000) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let r_1371 : (fp2_t × fp2_t × bool) := - q_1369 in - let f_1372 : (fp6_t × fp6_t) := - fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one ))) in - let '(r_1371, f_1372) := - foldi (usize 1) (usize 64) (fun i_1373 '(r_1371, f_1372) => - let lrr_1374 : (fp6_t × fp6_t) := - line_double_p (r_1371) (p_1368) in - let r_1371 := - g2double (r_1371) in - let f_1372 := - fp12mul (fp12mul (f_1372) (f_1372)) (lrr_1374) in - let '(r_1371, f_1372) := - if nat_mod_bit (t_1370) (((usize 64) - (i_1373)) - ( - usize 1)):bool then (let lrq_1375 : (fp6_t × fp6_t) := - line_add_p (r_1371) (q_1369) (p_1368) in - let r_1371 := - g2add (r_1371) (q_1369) in - let f_1372 := - fp12mul (f_1372) (lrq_1375) in - (r_1371, f_1372)) else ((r_1371, f_1372)) in - (r_1371, f_1372)) - (r_1371, f_1372) in - final_exponentiation (fp12conjugate (f_1372)). - -Definition test_fp2_prop_add_neg (a_1376 : fp2_t) : bool := - let b_1377 : (fp_t × fp_t) := - fp2neg (a_1376) in - (fp2fromfp (nat_mod_zero )) =.? (fp2add (a_1376) (b_1377)). -QuickChick (forAll g_fp2_t (fun a_1376 : fp2_t =>test_fp2_prop_add_neg a_1376)). - - -Definition test_fp2_prop_mul_inv (a_1378 : fp2_t) : bool := - let b_1379 : (fp_t × fp_t) := - fp2inv (a_1378) in - (fp2fromfp (nat_mod_one )) =.? (fp2mul (a_1378) (b_1379)). -QuickChick (forAll g_fp2_t (fun a_1378 : fp2_t =>test_fp2_prop_mul_inv a_1378)). - - -Definition test_extraction_issue : bool := - let b_1380 : (fp_t × fp_t) := - fp2inv ((nat_mod_one , nat_mod_one )) in - (fp2fromfp (nat_mod_one )) =.? (fp2mul ((nat_mod_one , nat_mod_one )) ( - b_1380)). -QuickChick (test_extraction_issue). - - -Definition test_fp6_prop_mul_inv (a_1381 : fp6_t) : bool := - let b_1382 : (fp2_t × fp2_t × fp2_t) := - fp6inv (a_1381) in - (fp6fromfp2 (fp2fromfp (nat_mod_one ))) =.? (fp6mul (a_1381) (b_1382)). -QuickChick (forAll g_fp6_t (fun a_1381 : fp6_t =>test_fp6_prop_mul_inv a_1381)). - - -Definition test_fp6_prop_add_neg (a_1383 : fp6_t) : bool := - let b_1384 : (fp2_t × fp2_t × fp2_t) := - fp6neg (a_1383) in - (fp6fromfp2 (fp2fromfp (nat_mod_zero ))) =.? (fp6add (a_1383) (b_1384)). -QuickChick (forAll g_fp6_t (fun a_1383 : fp6_t =>test_fp6_prop_add_neg a_1383)). - - -Definition test_fp12_prop_add_neg (a_1385 : fp12_t) : bool := - let b_1386 : (fp6_t × fp6_t) := - fp12neg (a_1385) in - (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_zero )))) =.? (fp12add (a_1385) ( - b_1386)). -QuickChick ( - forAll g_fp12_t (fun a_1385 : fp12_t =>test_fp12_prop_add_neg a_1385)). - - -Definition test_fp12_prop_mul_inv (a_1387 : fp12_t) : bool := - let b_1388 : (fp6_t × fp6_t) := - fp12inv (a_1387) in - (fp12fromfp6 (fp6fromfp2 (fp2fromfp (nat_mod_one )))) =.? (fp12mul (a_1387) ( - b_1388)). -QuickChick ( - forAll g_fp12_t (fun a_1387 : fp12_t =>test_fp12_prop_mul_inv a_1387)). - - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381_Hash.v b/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381_Hash.v deleted file mode 100644 index c1f7cb776..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Bls12_381_Hash.v +++ /dev/null @@ -1,1752 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Bls12_381. - -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition fp_hash_canvas_t := nseq (int8) (64). -Definition fp_hash_t := - nat_mod 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab. - -Definition arr_fp_t := nseq (uint64) (usize 6). - -Definition b_in_bytes_v : uint_size := - usize 32. - -Definition s_in_bytes_v : uint_size := - usize 64. - -Definition l_v : uint_size := - usize 64. - -Definition p_1_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 936899308823769933) : int64; - secret (@repr WORDSIZE64 2706051889235351147) : int64; - secret (@repr WORDSIZE64 12843041017062132063) : int64; - secret (@repr WORDSIZE64 12941209323636816658) : int64; - secret (@repr WORDSIZE64 1105070755758604287) : int64; - secret (@repr WORDSIZE64 15924587544893707605) : int64 - ] in l). - -Definition p_1_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 468449654411884966) : int64; - secret (@repr WORDSIZE64 10576397981472451381) : int64; - secret (@repr WORDSIZE64 15644892545385841839) : int64; - secret (@repr WORDSIZE64 15693976698673184137) : int64; - secret (@repr WORDSIZE64 552535377879302143) : int64; - secret (@repr WORDSIZE64 17185665809301629611) : int64 - ] in l). - -Definition p_3_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 468449654411884966) : int64; - secret (@repr WORDSIZE64 10576397981472451381) : int64; - secret (@repr WORDSIZE64 15644892545385841839) : int64; - secret (@repr WORDSIZE64 15693976698673184137) : int64; - secret (@repr WORDSIZE64 552535377879302143) : int64; - secret (@repr WORDSIZE64 17185665809301629610) : int64 - ] in l). - -Definition expand_message_xmd - (msg_1389 : byte_seq) - (dst_1390 : byte_seq) - (len_in_bytes_1391 : uint_size) - : byte_seq := - let ell_1392 : uint_size := - (((len_in_bytes_1391) + (b_in_bytes_v)) - (usize 1)) / (b_in_bytes_v) in - let dst_prime_1393 : seq uint8 := - seq_push (dst_1390) (uint8_from_usize (seq_len (dst_1390))) in - let z_pad_1394 : seq uint8 := - seq_new_ (default) (s_in_bytes_v) in - let l_i_b_str_1395 : seq uint8 := - seq_new_ (default) (usize 2) in - let l_i_b_str_1395 := - seq_upd l_i_b_str_1395 (usize 0) (uint8_from_usize ((len_in_bytes_1391) / ( - usize 256))) in - let l_i_b_str_1395 := - seq_upd l_i_b_str_1395 (usize 1) (uint8_from_usize (len_in_bytes_1391)) in - let msg_prime_1396 : seq uint8 := - seq_concat (seq_concat (seq_concat (seq_concat (z_pad_1394) (msg_1389)) ( - l_i_b_str_1395)) (seq_new_ (default) (usize 1))) (dst_prime_1393) in - let b_0_1397 : seq uint8 := - seq_from_seq (array_to_seq (hash (msg_prime_1396))) in - let b_i_1398 : seq uint8 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (b_0_1397) (secret ( - @repr WORDSIZE8 1) : int8)) (dst_prime_1393)))) in - let uniform_bytes_1399 : seq uint8 := - seq_from_seq (b_i_1398) in - let '(b_i_1398, uniform_bytes_1399) := - foldi (usize 2) ((ell_1392) + (usize 1)) (fun i_1400 '( - b_i_1398, - uniform_bytes_1399 - ) => - let t_1401 : seq uint8 := - seq_from_seq (b_0_1397) in - let b_i_1398 := - seq_from_seq (array_to_seq (hash (seq_concat (seq_push (( - t_1401) seq_xor (b_i_1398)) (uint8_from_usize (i_1400))) ( - dst_prime_1393)))) in - let uniform_bytes_1399 := - seq_concat (uniform_bytes_1399) (b_i_1398) in - (b_i_1398, uniform_bytes_1399)) - (b_i_1398, uniform_bytes_1399) in - seq_truncate (uniform_bytes_1399) (len_in_bytes_1391). - -Definition fp_hash_to_field - (msg_1402 : byte_seq) - (dst_1403 : byte_seq) - (count_1404 : uint_size) - : seq fp_t := - let len_in_bytes_1405 : uint_size := - (count_1404) * (l_v) in - let uniform_bytes_1406 : seq uint8 := - expand_message_xmd (msg_1402) (dst_1403) (len_in_bytes_1405) in - let output_1407 : seq fp_t := - seq_new_ (default) (count_1404) in - let output_1407 := - foldi (usize 0) (count_1404) (fun i_1408 output_1407 => - let elm_offset_1409 : uint_size := - (l_v) * (i_1408) in - let tv_1410 : seq uint8 := - seq_slice (uniform_bytes_1406) (elm_offset_1409) (l_v) in - let u_i_1411 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1410) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let output_1407 := - seq_upd output_1407 (i_1408) (u_i_1411) in - (output_1407)) - output_1407 in - output_1407. - -Definition fp_sgn0 (x_1412 : fp_t) : bool := - ((x_1412) rem (nat_mod_two )) =.? (nat_mod_one ). - -Definition fp_is_square (x_1413 : fp_t) : bool := - let c1_1414 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let tv_1415 : fp_t := - nat_mod_pow_self (x_1413) (c1_1414) in - ((tv_1415) =.? (nat_mod_zero )) || ((tv_1415) =.? (nat_mod_one )). - -Definition fp_sqrt (x_1416 : fp_t) : fp_t := - let c1_1417 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_4_v)) : fp_t in - nat_mod_pow_self (x_1416) (c1_1417). - -Definition g1_curve_func (x_1418 : fp_t) : fp_t := - (((x_1418) *% (x_1418)) *% (x_1418)) +% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t). - -Definition g1_map_to_curve_svdw (u_1419 : fp_t) : g1_t := - let z_1420 : fp_t := - (nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t) in - let gz_1421 : fp_t := - g1_curve_func (z_1420) in - let tv1_1422 : fp_t := - ((u_1419) *% (u_1419)) *% (gz_1421) in - let tv2_1423 : fp_t := - (nat_mod_one ) +% (tv1_1422) in - let tv1_1424 : fp_t := - (nat_mod_one ) -% (tv1_1422) in - let tv3_1425 : fp_t := - nat_mod_inv ((tv1_1424) *% (tv2_1423)) in - let tv4_1426 : fp_t := - fp_sqrt (((nat_mod_zero ) -% (gz_1421)) *% (((nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t) *% (z_1420)) *% (z_1420))) in - let '(tv4_1426) := - if fp_sgn0 (tv4_1426):bool then (let tv4_1426 := - (nat_mod_zero ) -% (tv4_1426) in - (tv4_1426)) else ((tv4_1426)) in - let tv5_1427 : fp_t := - (((u_1419) *% (tv1_1424)) *% (tv3_1425)) *% (tv4_1426) in - let tv6_1428 : fp_t := - (((nat_mod_zero ) -% (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t)) *% (gz_1421)) *% (nat_mod_inv ((( - nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t) *% ( - z_1420)) *% (z_1420))) in - let x1_1429 : fp_t := - (((nat_mod_zero ) -% (z_1420)) *% (nat_mod_inv (nat_mod_two ))) -% ( - tv5_1427) in - let x2_1430 : fp_t := - (((nat_mod_zero ) -% (z_1420)) *% (nat_mod_inv (nat_mod_two ))) +% ( - tv5_1427) in - let x3_1431 : fp_t := - (z_1420) +% (((tv6_1428) *% (((tv2_1423) *% (tv2_1423)) *% (tv3_1425))) *% ( - ((tv2_1423) *% (tv2_1423)) *% (tv3_1425))) in - let x_1432 : fp_t := - (if (fp_is_square (g1_curve_func (x1_1429))):bool then (x1_1429) else ((if ( - fp_is_square (g1_curve_func (x2_1430))):bool then (x2_1430) else ( - x3_1431)))) in - let y_1433 : fp_t := - fp_sqrt (g1_curve_func (x_1432)) in - let '(y_1433) := - if (fp_sgn0 (u_1419)) !=.? (fp_sgn0 (y_1433)):bool then (let y_1433 := - (nat_mod_zero ) -% (y_1433) in - (y_1433)) else ((y_1433)) in - (x_1432, y_1433, false). - -Definition g1_clear_cofactor (x_1434 : g1_t) : g1_t := - let h_eff_1435 : scalar_t := - nat_mod_from_literal (_) ( - @repr WORDSIZE128 15132376222941642753) : scalar_t in - g1mul (h_eff_1435) (x_1434). - -Definition g1_hash_to_curve_svdw - (msg_1436 : byte_seq) - (dst_1437 : byte_seq) - : g1_t := - let u_1438 : seq fp_t := - fp_hash_to_field (msg_1436) (dst_1437) (usize 2) in - let q0_1439 : (fp_t × fp_t × bool) := - g1_map_to_curve_svdw (seq_index (u_1438) (usize 0)) in - let q1_1440 : (fp_t × fp_t × bool) := - g1_map_to_curve_svdw (seq_index (u_1438) (usize 1)) in - let r_1441 : (fp_t × fp_t × bool) := - g1add (q0_1439) (q1_1440) in - let p_1442 : (fp_t × fp_t × bool) := - g1_clear_cofactor (r_1441) in - p_1442. - -Definition g1_encode_to_curve_svdw - (msg_1443 : byte_seq) - (dst_1444 : byte_seq) - : g1_t := - let u_1445 : seq fp_t := - fp_hash_to_field (msg_1443) (dst_1444) (usize 1) in - let q_1446 : (fp_t × fp_t × bool) := - g1_map_to_curve_svdw (seq_index (u_1445) (usize 0)) in - let p_1447 : (fp_t × fp_t × bool) := - g1_clear_cofactor (q_1446) in - p_1447. - -Definition fp2_hash_to_field - (msg_1448 : byte_seq) - (dst_1449 : byte_seq) - (count_1450 : uint_size) - : seq fp2_t := - let len_in_bytes_1451 : uint_size := - ((count_1450) * (usize 2)) * (l_v) in - let uniform_bytes_1452 : seq uint8 := - expand_message_xmd (msg_1448) (dst_1449) (len_in_bytes_1451) in - let output_1453 : seq (fp_t × fp_t) := - seq_new_ (default) (count_1450) in - let output_1453 := - foldi (usize 0) (count_1450) (fun i_1454 output_1453 => - let elm_offset_1455 : uint_size := - ((l_v) * (i_1454)) * (usize 2) in - let tv_1456 : seq uint8 := - seq_slice (uniform_bytes_1452) (elm_offset_1455) (l_v) in - let e_1_1457 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1456) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let elm_offset_1458 : uint_size := - (l_v) * ((usize 1) + ((i_1454) * (usize 2))) in - let tv_1459 : seq uint8 := - seq_slice (uniform_bytes_1452) (elm_offset_1458) (l_v) in - let e_2_1460 : fp_t := - nat_mod_from_byte_seq_be (seq_slice (nat_mod_to_byte_seq_be ( - nat_mod_from_byte_seq_be (tv_1459) : fp_hash_t)) (usize 16) ( - usize 48)) : fp_t in - let output_1453 := - seq_upd output_1453 (i_1454) ((e_1_1457, e_2_1460)) in - (output_1453)) - output_1453 in - output_1453. - -Definition fp2_sgn0 (x_1461 : fp2_t) : bool := - let '(x0_1462, x1_1463) := - x_1461 in - let sign_0_1464 : bool := - fp_sgn0 (x0_1462) in - let zero_0_1465 : bool := - (x0_1462) =.? (nat_mod_zero ) in - let sign_1_1466 : bool := - fp_sgn0 (x1_1463) in - (sign_0_1464) || ((zero_0_1465) && (sign_1_1466)). - -Definition fp2_is_square (x_1467 : fp2_t) : bool := - let c1_1468 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let '(x1_1469, x2_1470) := - x_1467 in - let tv1_1471 : fp_t := - (x1_1469) *% (x1_1469) in - let tv2_1472 : fp_t := - (x2_1470) *% (x2_1470) in - let tv1_1473 : fp_t := - (tv1_1471) +% (tv2_1472) in - let tv1_1474 : fp_t := - nat_mod_pow_self (tv1_1473) (c1_1468) in - let neg1_1475 : fp_t := - (nat_mod_zero ) -% (nat_mod_one ) in - (tv1_1474) !=.? (neg1_1475). - -Definition fp2exp (n_1476 : fp2_t) (k_1477 : fp_t) : fp2_t := - let c_1478 : (fp_t × fp_t) := - fp2fromfp (nat_mod_one ) in - let c_1478 := - foldi (usize 0) (usize 381) (fun i_1479 c_1478 => - let c_1478 := - fp2mul (c_1478) (c_1478) in - let '(c_1478) := - if nat_mod_bit (k_1477) ((usize 380) - (i_1479)):bool then ( - let c_1478 := - fp2mul (c_1478) (n_1476) in - (c_1478)) else ((c_1478)) in - (c_1478)) - c_1478 in - c_1478. - -Definition fp2_sqrt (a_1480 : fp2_t) : fp2_t := - let c1_1481 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_3_4_v)) : fp_t in - let c2_1482 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (p_1_2_v)) : fp_t in - let a1_1483 : (fp_t × fp_t) := - fp2exp (a_1480) (c1_1481) in - let alpha_1484 : (fp_t × fp_t) := - fp2mul (a1_1483) (fp2mul (a1_1483) (a_1480)) in - let x0_1485 : (fp_t × fp_t) := - fp2mul (a1_1483) (a_1480) in - let neg1_1486 : (fp_t × fp_t) := - ((nat_mod_zero ) -% (nat_mod_one ), nat_mod_zero ) in - let b_1487 : (fp_t × fp_t) := - fp2exp (fp2add (fp2fromfp (nat_mod_one )) (alpha_1484)) (c2_1482) in - (if ((alpha_1484) =.? (neg1_1486)):bool then (fp2mul (( - nat_mod_zero , - nat_mod_one - )) (x0_1485)) else (fp2mul (b_1487) (x0_1485))). - -Definition g2_curve_func (x_1488 : fp2_t) : fp2_t := - fp2add (fp2mul (x_1488) (fp2mul (x_1488) (x_1488))) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t, - nat_mod_from_literal (_) (@repr WORDSIZE128 4) : fp_t - )). - -Definition g2_map_to_curve_svdw (u_1489 : fp2_t) : g2_t := - let z_1490 : (fp_t × fp_t) := - fp2neg (fp2fromfp (nat_mod_one )) in - let gz_1491 : (fp_t × fp_t) := - g2_curve_func (z_1490) in - let tv1_1492 : (fp_t × fp_t) := - fp2mul (fp2mul (u_1489) (u_1489)) (gz_1491) in - let tv2_1493 : (fp_t × fp_t) := - fp2add (fp2fromfp (nat_mod_one )) (tv1_1492) in - let tv1_1494 : (fp_t × fp_t) := - fp2sub (fp2fromfp (nat_mod_one )) (tv1_1492) in - let tv3_1495 : (fp_t × fp_t) := - fp2inv (fp2mul (tv1_1494) (tv2_1493)) in - let tv4_1496 : (fp_t × fp_t) := - fp2_sqrt (fp2mul (fp2neg (gz_1491)) (fp2mul (fp2fromfp ( - nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) (fp2mul ( - z_1490) (z_1490)))) in - let '(tv4_1496) := - if fp2_sgn0 (tv4_1496):bool then (let tv4_1496 := - fp2neg (tv4_1496) in - (tv4_1496)) else ((tv4_1496)) in - let tv5_1497 : (fp_t × fp_t) := - fp2mul (fp2mul (fp2mul (u_1489) (tv1_1494)) (tv3_1495)) (tv4_1496) in - let tv6_1498 : (fp_t × fp_t) := - fp2mul (fp2mul (fp2neg (fp2fromfp (nat_mod_from_literal (_) ( - @repr WORDSIZE128 4) : fp_t))) (gz_1491)) (fp2inv (fp2mul ( - fp2fromfp (nat_mod_from_literal (_) (@repr WORDSIZE128 3) : fp_t)) ( - fp2mul (z_1490) (z_1490)))) in - let x1_1499 : (fp_t × fp_t) := - fp2sub (fp2mul (fp2neg (z_1490)) (fp2inv (fp2fromfp (nat_mod_two )))) ( - tv5_1497) in - let x2_1500 : (fp_t × fp_t) := - fp2add (fp2mul (fp2neg (z_1490)) (fp2inv (fp2fromfp (nat_mod_two )))) ( - tv5_1497) in - let tv7_1501 : (fp_t × fp_t) := - fp2mul (fp2mul (tv2_1493) (tv2_1493)) (tv3_1495) in - let x3_1502 : (fp_t × fp_t) := - fp2add (z_1490) (fp2mul (tv6_1498) (fp2mul (tv7_1501) (tv7_1501))) in - let x_1503 : (fp_t × fp_t) := - (if (fp2_is_square (g2_curve_func (x1_1499))):bool then (x1_1499) else (( - if (fp2_is_square (g2_curve_func (x2_1500))):bool then ( - x2_1500) else (x3_1502)))) in - let y_1504 : (fp_t × fp_t) := - fp2_sqrt (g2_curve_func (x_1503)) in - let '(y_1504) := - if (fp2_sgn0 (u_1489)) !=.? (fp2_sgn0 (y_1504)):bool then (let y_1504 := - fp2neg (y_1504) in - (y_1504)) else ((y_1504)) in - (x_1503, y_1504, false). - -Definition psi (p_1505 : g2_t) : g2_t := - let c1_1506 : (fp_t × fp_t) := - fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( - nat_mod_one )) *% (nat_mod_inv (nat_mod_from_literal (_) ( - @repr WORDSIZE128 3) : fp_t)))) in - let c2_1507 : (fp_t × fp_t) := - fp2inv (fp2exp ((nat_mod_one , nat_mod_one )) (((nat_mod_zero ) -% ( - nat_mod_one )) *% (nat_mod_inv (nat_mod_two )))) in - let '(x_1508, y_1509, inf_1510) := - p_1505 in - let qx_1511 : (fp_t × fp_t) := - fp2mul (c1_1506) (fp2conjugate (x_1508)) in - let qy_1512 : (fp_t × fp_t) := - fp2mul (c2_1507) (fp2conjugate (y_1509)) in - (qx_1511, qy_1512, inf_1510). - -Definition g2_clear_cofactor (p_1513 : g2_t) : g2_t := - let c1_1514 : scalar_t := - nat_mod_from_literal (_) ( - @repr WORDSIZE128 15132376222941642752) : scalar_t in - let t1_1515 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2mul (c1_1514) (p_1513) in - let t1_1516 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2neg (t1_1515) in - let t2_1517 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - psi (p_1513) in - let t3_1518 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2double (p_1513) in - let t3_1519 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - psi (psi (t3_1518)) in - let t3_1520 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2add (t3_1519) (g2neg (t2_1517)) in - let t2_1521 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2add (t1_1516) (t2_1517) in - let t2_1522 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2mul (c1_1514) (t2_1521) in - let t2_1523 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2neg (t2_1522) in - let t3_1524 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2add (t3_1520) (t2_1523) in - let t3_1525 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2add (t3_1524) (g2neg (t1_1516)) in - let q_1526 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2add (t3_1525) (g2neg (p_1513)) in - q_1526. - -Definition g2_hash_to_curve_svdw - (msg_1527 : byte_seq) - (dst_1528 : byte_seq) - : g2_t := - let u_1529 : seq fp2_t := - fp2_hash_to_field (msg_1527) (dst_1528) (usize 2) in - let q0_1530 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_map_to_curve_svdw (seq_index (u_1529) (usize 0)) in - let q1_1531 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_map_to_curve_svdw (seq_index (u_1529) (usize 1)) in - let r_1532 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2add (q0_1530) (q1_1531) in - let p_1533 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_clear_cofactor (r_1532) in - p_1533. - -Definition g2_encode_to_curve_svdw - (msg_1534 : byte_seq) - (dst_1535 : byte_seq) - : g2_t := - let u_1536 : seq fp2_t := - fp2_hash_to_field (msg_1534) (dst_1535) (usize 1) in - let q_1537 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_map_to_curve_svdw (seq_index (u_1536) (usize 0)) in - let p_1538 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_clear_cofactor (q_1537) in - p_1538. - -Definition g1_iso_a_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 5707120929990979) : int64; - secret (@repr WORDSIZE64 4425131892511951234) : int64; - secret (@repr WORDSIZE64 12748169179688756904) : int64; - secret (@repr WORDSIZE64 15629909748249821612) : int64; - secret (@repr WORDSIZE64 10994253769421683071) : int64; - secret (@repr WORDSIZE64 6698022561392380957) : int64 - ] in l). - -Definition g1_iso_b_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1360808972976160816) : int64; - secret (@repr WORDSIZE64 111203405409480251) : int64; - secret (@repr WORDSIZE64 2312248699302920304) : int64; - secret (@repr WORDSIZE64 11581500465278574325) : int64; - secret (@repr WORDSIZE64 6495071758858381989) : int64; - secret (@repr WORDSIZE64 15117538217124375520) : int64 - ] in l). - -Definition g1_xnum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1270119733718627136) : int64; - secret (@repr WORDSIZE64 13261148298159854981) : int64; - secret (@repr WORDSIZE64 7723742117508874335) : int64; - secret (@repr WORDSIZE64 17465657917644792520) : int64; - secret (@repr WORDSIZE64 6201670911048166766) : int64; - secret (@repr WORDSIZE64 12586459670690286007) : int64 - ] in l). - -Definition g1_xnum_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1668951808976071471) : int64; - secret (@repr WORDSIZE64 398773841247578140) : int64; - secret (@repr WORDSIZE64 8941869963990959127) : int64; - secret (@repr WORDSIZE64 17682789360670468203) : int64; - secret (@repr WORDSIZE64 5204176168283587414) : int64; - secret (@repr WORDSIZE64 16732261237459223483) : int64 - ] in l). - -Definition g1_xnum_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 960393023080265964) : int64; - secret (@repr WORDSIZE64 2094253841180170779) : int64; - secret (@repr WORDSIZE64 14844748873776858085) : int64; - secret (@repr WORDSIZE64 7528018573573808732) : int64; - secret (@repr WORDSIZE64 10776056440809943711) : int64; - secret (@repr WORDSIZE64 16147550488514976944) : int64 - ] in l). - -Definition g1_xnum_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1691355743628586423) : int64; - secret (@repr WORDSIZE64 5622191986793862162) : int64; - secret (@repr WORDSIZE64 15561595211679121189) : int64; - secret (@repr WORDSIZE64 17416319752018800771) : int64; - secret (@repr WORDSIZE64 5996228842464768403) : int64; - secret (@repr WORDSIZE64 14245880009877842017) : int64 - ] in l). - -Definition g1_xnum_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1051997788391994435) : int64; - secret (@repr WORDSIZE64 7368650625050054228) : int64; - secret (@repr WORDSIZE64 11086623519836470079) : int64; - secret (@repr WORDSIZE64 607681821319080984) : int64; - secret (@repr WORDSIZE64 10978131499682789316) : int64; - secret (@repr WORDSIZE64 5842660658088809945) : int64 - ] in l). - -Definition g1_xnum_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1598992431623377919) : int64; - secret (@repr WORDSIZE64 130921168661596853) : int64; - secret (@repr WORDSIZE64 15797696746983946651) : int64; - secret (@repr WORDSIZE64 11444679715590672272) : int64; - secret (@repr WORDSIZE64 11567228658253249817) : int64; - secret (@repr WORDSIZE64 14777367860349315459) : int64 - ] in l). - -Definition g1_xnum_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 967946631563726121) : int64; - secret (@repr WORDSIZE64 7653628713030275775) : int64; - secret (@repr WORDSIZE64 12760252618317466849) : int64; - secret (@repr WORDSIZE64 10378793938173061930) : int64; - secret (@repr WORDSIZE64 10205808941053849290) : int64; - secret (@repr WORDSIZE64 15985511645807504772) : int64 - ] in l). - -Definition g1_xnum_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1709149555065084898) : int64; - secret (@repr WORDSIZE64 16750075057192140371) : int64; - secret (@repr WORDSIZE64 3849985779734105521) : int64; - secret (@repr WORDSIZE64 11998370262181639475) : int64; - secret (@repr WORDSIZE64 4159013751748851119) : int64; - secret (@repr WORDSIZE64 11298218755092433038) : int64 - ] in l). - -Definition g1_xnum_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 580186936973955012) : int64; - secret (@repr WORDSIZE64 8903813505199544589) : int64; - secret (@repr WORDSIZE64 14140024565662700916) : int64; - secret (@repr WORDSIZE64 11728946595272970718) : int64; - secret (@repr WORDSIZE64 5738313744366653077) : int64; - secret (@repr WORDSIZE64 7886252005760951063) : int64 - ] in l). - -Definition g1_xnum_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1628930385436977092) : int64; - secret (@repr WORDSIZE64 3318087848058654498) : int64; - secret (@repr WORDSIZE64 15937899882900905113) : int64; - secret (@repr WORDSIZE64 7449821001803307903) : int64; - secret (@repr WORDSIZE64 11752436998487615353) : int64; - secret (@repr WORDSIZE64 9161465579737517214) : int64 - ] in l). - -Definition g1_xnum_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1167027828517898210) : int64; - secret (@repr WORDSIZE64 8275623842221021965) : int64; - secret (@repr WORDSIZE64 18049808134997311382) : int64; - secret (@repr WORDSIZE64 15351349873550116966) : int64; - secret (@repr WORDSIZE64 17769927732099571180) : int64; - secret (@repr WORDSIZE64 14584871380308065147) : int64 - ] in l). - -Definition g1_xnum_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 495550047642324592) : int64; - secret (@repr WORDSIZE64 13627494601717575229) : int64; - secret (@repr WORDSIZE64 3591512392926246844) : int64; - secret (@repr WORDSIZE64 2576269112800734056) : int64; - secret (@repr WORDSIZE64 14000314106239596831) : int64; - secret (@repr WORDSIZE64 12234233096825917993) : int64 - ] in l). - -Definition g1_xden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 633474091881273774) : int64; - secret (@repr WORDSIZE64 1779737893574802031) : int64; - secret (@repr WORDSIZE64 132274872219551930) : int64; - secret (@repr WORDSIZE64 11283074393783708770) : int64; - secret (@repr WORDSIZE64 13067430171545714168) : int64; - secret (@repr WORDSIZE64 11041975239630265116) : int64 - ] in l). - -Definition g1_xden_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1321272531362356291) : int64; - secret (@repr WORDSIZE64 5238936591227237942) : int64; - secret (@repr WORDSIZE64 8089002360232247308) : int64; - secret (@repr WORDSIZE64 82967328719421271) : int64; - secret (@repr WORDSIZE64 1430641118356186857) : int64; - secret (@repr WORDSIZE64 16557527386785790975) : int64 - ] in l). - -Definition g1_xden_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 804282852993868382) : int64; - secret (@repr WORDSIZE64 9311163821600184607) : int64; - secret (@repr WORDSIZE64 8037026956533927121) : int64; - secret (@repr WORDSIZE64 18205324308570099372) : int64; - secret (@repr WORDSIZE64 15466434890074226396) : int64; - secret (@repr WORDSIZE64 18213183315621985817) : int64 - ] in l). - -Definition g1_xden_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 234844145893171966) : int64; - secret (@repr WORDSIZE64 14428037799351479124) : int64; - secret (@repr WORDSIZE64 6559532710647391569) : int64; - secret (@repr WORDSIZE64 6110444250091843536) : int64; - secret (@repr WORDSIZE64 5293652763671852484) : int64; - secret (@repr WORDSIZE64 1373009181854280920) : int64 - ] in l). - -Definition g1_xden_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1416629893867312296) : int64; - secret (@repr WORDSIZE64 751851957792514173) : int64; - secret (@repr WORDSIZE64 18437674587247370939) : int64; - secret (@repr WORDSIZE64 10190314345946351322) : int64; - secret (@repr WORDSIZE64 11228207967368476701) : int64; - secret (@repr WORDSIZE64 6025034940388909598) : int64 - ] in l). - -Definition g1_xden_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1041270466333271993) : int64; - secret (@repr WORDSIZE64 6140956605115975401) : int64; - secret (@repr WORDSIZE64 4131830461445745997) : int64; - secret (@repr WORDSIZE64 739642499118176303) : int64; - secret (@repr WORDSIZE64 8358912131254619921) : int64; - secret (@repr WORDSIZE64 13847998906088228005) : int64 - ] in l). - -Definition g1_xden_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 536714149743900185) : int64; - secret (@repr WORDSIZE64 1098328982230230817) : int64; - secret (@repr WORDSIZE64 6273329123533496713) : int64; - secret (@repr WORDSIZE64 5633448088282521244) : int64; - secret (@repr WORDSIZE64 16894043798660571244) : int64; - secret (@repr WORDSIZE64 17016134625831438906) : int64 - ] in l). - -Definition g1_xden_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1488347500898461874) : int64; - secret (@repr WORDSIZE64 3509418672874520985) : int64; - secret (@repr WORDSIZE64 7962192351555381416) : int64; - secret (@repr WORDSIZE64 1843909372225399896) : int64; - secret (@repr WORDSIZE64 1127511003250156243) : int64; - secret (@repr WORDSIZE64 1294742680819751518) : int64 - ] in l). - -Definition g1_xden_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 725340084226051970) : int64; - secret (@repr WORDSIZE64 6814521545734988748) : int64; - secret (@repr WORDSIZE64 16176803544133875307) : int64; - secret (@repr WORDSIZE64 8363199516777220149) : int64; - secret (@repr WORDSIZE64 252877309218538352) : int64; - secret (@repr WORDSIZE64 5149562959837648449) : int64 - ] in l). - -Definition g1_xden_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 675470927100193492) : int64; - secret (@repr WORDSIZE64 5146891164735334016) : int64; - secret (@repr WORDSIZE64 17762958817130696759) : int64; - secret (@repr WORDSIZE64 8565656522589412373) : int64; - secret (@repr WORDSIZE64 10599026333335446784) : int64; - secret (@repr WORDSIZE64 3270603789344496906) : int64 - ] in l). - -Definition g1_ynum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 652344406751465184) : int64; - secret (@repr WORDSIZE64 2710356675495255290) : int64; - secret (@repr WORDSIZE64 1273695771440998738) : int64; - secret (@repr WORDSIZE64 3121750372618945491) : int64; - secret (@repr WORDSIZE64 14775319642720936898) : int64; - secret (@repr WORDSIZE64 13733803417833814835) : int64 - ] in l). - -Definition g1_ynum_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1389807578337138705) : int64; - secret (@repr WORDSIZE64 15352831428748068483) : int64; - secret (@repr WORDSIZE64 1307144967559264317) : int64; - secret (@repr WORDSIZE64 1121505450578652468) : int64; - secret (@repr WORDSIZE64 15475889019760388287) : int64; - secret (@repr WORDSIZE64 16183658160488302230) : int64 - ] in l). - -Definition g1_ynum_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 57553299067792998) : int64; - secret (@repr WORDSIZE64 17628079362768849300) : int64; - secret (@repr WORDSIZE64 2689461337731570914) : int64; - secret (@repr WORDSIZE64 14070580367580990887) : int64; - secret (@repr WORDSIZE64 15162865775551710499) : int64; - secret (@repr WORDSIZE64 13321614990632673782) : int64 - ] in l). - -Definition g1_ynum_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 141972750621744161) : int64; - secret (@repr WORDSIZE64 8689824239172478807) : int64; - secret (@repr WORDSIZE64 15288216298323671324) : int64; - secret (@repr WORDSIZE64 712874875091754233) : int64; - secret (@repr WORDSIZE64 16014900032503684588) : int64; - secret (@repr WORDSIZE64 11976580453200426187) : int64 - ] in l). - -Definition g1_ynum_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 633886036738506515) : int64; - secret (@repr WORDSIZE64 6678644607214234052) : int64; - secret (@repr WORDSIZE64 1825425679455244472) : int64; - secret (@repr WORDSIZE64 8755912272271186652) : int64; - secret (@repr WORDSIZE64 3379943669301788840) : int64; - secret (@repr WORDSIZE64 4735212769449148123) : int64 - ] in l). - -Definition g1_ynum_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1612358804494830442) : int64; - secret (@repr WORDSIZE64 2454990789666711200) : int64; - secret (@repr WORDSIZE64 8405916841409361853) : int64; - secret (@repr WORDSIZE64 8525415512662168654) : int64; - secret (@repr WORDSIZE64 2323684950984523890) : int64; - secret (@repr WORDSIZE64 11074978966450447856) : int64 - ] in l). - -Definition g1_ynum_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 336375361001233340) : int64; - secret (@repr WORDSIZE64 12882959944969186108) : int64; - secret (@repr WORDSIZE64 16671121624101127371) : int64; - secret (@repr WORDSIZE64 5922586712221110071) : int64; - secret (@repr WORDSIZE64 5163511947597922654) : int64; - secret (@repr WORDSIZE64 14511152726087948018) : int64 - ] in l). - -Definition g1_ynum_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 686738286210365551) : int64; - secret (@repr WORDSIZE64 16039894141796533876) : int64; - secret (@repr WORDSIZE64 1660145734357211167) : int64; - secret (@repr WORDSIZE64 18231571463891878950) : int64; - secret (@repr WORDSIZE64 4825120264949852469) : int64; - secret (@repr WORDSIZE64 11627815551290637097) : int64 - ] in l). - -Definition g1_ynum_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 719520515476580427) : int64; - secret (@repr WORDSIZE64 16756942182913253819) : int64; - secret (@repr WORDSIZE64 10320769399998235244) : int64; - secret (@repr WORDSIZE64 2200974244968450750) : int64; - secret (@repr WORDSIZE64 7626373186594408355) : int64; - secret (@repr WORDSIZE64 6933025920263103879) : int64 - ] in l). - -Definition g1_ynum_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1016611174344998325) : int64; - secret (@repr WORDSIZE64 2466492548686891555) : int64; - secret (@repr WORDSIZE64 14135124294293452542) : int64; - secret (@repr WORDSIZE64 475233659467912251) : int64; - secret (@repr WORDSIZE64 11186783513499056751) : int64; - secret (@repr WORDSIZE64 3147922594245844016) : int64 - ] in l). - -Definition g1_ynum_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1833315000454533566) : int64; - secret (@repr WORDSIZE64 1007974600900082579) : int64; - secret (@repr WORDSIZE64 14785260176242854207) : int64; - secret (@repr WORDSIZE64 15066861003931772432) : int64; - secret (@repr WORDSIZE64 3584647998681889532) : int64; - secret (@repr WORDSIZE64 16722834201330696498) : int64 - ] in l). - -Definition g1_ynum_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1780164921828767454) : int64; - secret (@repr WORDSIZE64 13337622794239929804) : int64; - secret (@repr WORDSIZE64 5923739534552515142) : int64; - secret (@repr WORDSIZE64 3345046972101780530) : int64; - secret (@repr WORDSIZE64 5321510883028162054) : int64; - secret (@repr WORDSIZE64 14846055306840460686) : int64 - ] in l). - -Definition g1_ynum_k_12_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 799438051374502809) : int64; - secret (@repr WORDSIZE64 15083972834952036164) : int64; - secret (@repr WORDSIZE64 8838227588559581326) : int64; - secret (@repr WORDSIZE64 13846054168121598783) : int64; - secret (@repr WORDSIZE64 488730451382505970) : int64; - secret (@repr WORDSIZE64 958146249756188408) : int64 - ] in l). - -Definition g1_ynum_k_13_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 163716820423854747) : int64; - secret (@repr WORDSIZE64 8285498163857659356) : int64; - secret (@repr WORDSIZE64 8465424830341846400) : int64; - secret (@repr WORDSIZE64 1433942577299613084) : int64; - secret (@repr WORDSIZE64 14325828012864645732) : int64; - secret (@repr WORDSIZE64 4817114329354076467) : int64 - ] in l). - -Definition g1_ynum_k_14_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 414658151749832465) : int64; - secret (@repr WORDSIZE64 189531577938912252) : int64; - secret (@repr WORDSIZE64 6802473390048830824) : int64; - secret (@repr WORDSIZE64 15684647020317539556) : int64; - secret (@repr WORDSIZE64 7755485098777620407) : int64; - secret (@repr WORDSIZE64 9685868895687483979) : int64 - ] in l). - -Definition g1_ynum_k_15_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1578157964224562126) : int64; - secret (@repr WORDSIZE64 5666948055268535989) : int64; - secret (@repr WORDSIZE64 14634479491382401593) : int64; - secret (@repr WORDSIZE64 6317940024988860850) : int64; - secret (@repr WORDSIZE64 13142913832013798519) : int64; - secret (@repr WORDSIZE64 338991247778166276) : int64 - ] in l). - -Definition g1_yden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1590100849350973618) : int64; - secret (@repr WORDSIZE64 5915497081334721257) : int64; - secret (@repr WORDSIZE64 6924968209373727718) : int64; - secret (@repr WORDSIZE64 17204633670617869946) : int64; - secret (@repr WORDSIZE64 572916540828819565) : int64; - secret (@repr WORDSIZE64 92203205520679873) : int64 - ] in l). - -Definition g1_yden_k_1_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1829261189398470686) : int64; - secret (@repr WORDSIZE64 1877083417397643448) : int64; - secret (@repr WORDSIZE64 9640042925497046428) : int64; - secret (@repr WORDSIZE64 11862766565471805471) : int64; - secret (@repr WORDSIZE64 8693114993904885301) : int64; - secret (@repr WORDSIZE64 3672140328108400701) : int64 - ] in l). - -Definition g1_yden_k_2_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 400243331105348135) : int64; - secret (@repr WORDSIZE64 8046435537999802711) : int64; - secret (@repr WORDSIZE64 8702226981475745585) : int64; - secret (@repr WORDSIZE64 879791671491744492) : int64; - secret (@repr WORDSIZE64 11994630442058346377) : int64; - secret (@repr WORDSIZE64 2172204746352322546) : int64 - ] in l). - -Definition g1_yden_k_3_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1637008473169220501) : int64; - secret (@repr WORDSIZE64 17441636237435581649) : int64; - secret (@repr WORDSIZE64 15066165676546511630) : int64; - secret (@repr WORDSIZE64 1314387578457599809) : int64; - secret (@repr WORDSIZE64 8247046336453711789) : int64; - secret (@repr WORDSIZE64 12164906044230685718) : int64 - ] in l). - -Definition g1_yden_k_4_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 855930740911588324) : int64; - secret (@repr WORDSIZE64 12685735333705453020) : int64; - secret (@repr WORDSIZE64 14326404096614579120) : int64; - secret (@repr WORDSIZE64 6066025509460822294) : int64; - secret (@repr WORDSIZE64 11676450493790612973) : int64; - secret (@repr WORDSIZE64 15724621714793234461) : int64 - ] in l). - -Definition g1_yden_k_5_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 637792788410719021) : int64; - secret (@repr WORDSIZE64 11507373155986977154) : int64; - secret (@repr WORDSIZE64 13186912195705886849) : int64; - secret (@repr WORDSIZE64 14262012144631372388) : int64; - secret (@repr WORDSIZE64 5328758613570342114) : int64; - secret (@repr WORDSIZE64 199925847119476652) : int64 - ] in l). - -Definition g1_yden_k_6_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1612297190139091759) : int64; - secret (@repr WORDSIZE64 14103733843373163083) : int64; - secret (@repr WORDSIZE64 6840121186619029743) : int64; - secret (@repr WORDSIZE64 6760859324815900753) : int64; - secret (@repr WORDSIZE64 15418807805142572985) : int64; - secret (@repr WORDSIZE64 4402853133867972444) : int64 - ] in l). - -Definition g1_yden_k_7_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1631410310868805610) : int64; - secret (@repr WORDSIZE64 269334146695233390) : int64; - secret (@repr WORDSIZE64 16547411811928854487) : int64; - secret (@repr WORDSIZE64 18353100669930795314) : int64; - secret (@repr WORDSIZE64 13339932232668798692) : int64; - secret (@repr WORDSIZE64 6984591927261867737) : int64 - ] in l). - -Definition g1_yden_k_8_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1758313625630302499) : int64; - secret (@repr WORDSIZE64 1881349400343039172) : int64; - secret (@repr WORDSIZE64 18013005311323887904) : int64; - secret (@repr WORDSIZE64 12377427846571989832) : int64; - secret (@repr WORDSIZE64 5967237584920922243) : int64; - secret (@repr WORDSIZE64 7720081932193848650) : int64 - ] in l). - -Definition g1_yden_k_9_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1619701357752249884) : int64; - secret (@repr WORDSIZE64 16898074901591262352) : int64; - secret (@repr WORDSIZE64 3609344159736760251) : int64; - secret (@repr WORDSIZE64 5983130161189999867) : int64; - secret (@repr WORDSIZE64 14355327869992416094) : int64; - secret (@repr WORDSIZE64 3778226018344582997) : int64 - ] in l). - -Definition g1_yden_k_10_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 347606589330687421) : int64; - secret (@repr WORDSIZE64 5255719044972187933) : int64; - secret (@repr WORDSIZE64 11271894388753671721) : int64; - secret (@repr WORDSIZE64 1033887512062764488) : int64; - secret (@repr WORDSIZE64 8189165486932690436) : int64; - secret (@repr WORDSIZE64 70004379462101672) : int64 - ] in l). - -Definition g1_yden_k_11_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 778202887894139711) : int64; - secret (@repr WORDSIZE64 17691595219776375879) : int64; - secret (@repr WORDSIZE64 9193253711563866834) : int64; - secret (@repr WORDSIZE64 10092455202333888821) : int64; - secret (@repr WORDSIZE64 1655469341950262250) : int64; - secret (@repr WORDSIZE64 10845992994110574738) : int64 - ] in l). - -Definition g1_yden_k_12_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 781015344221683683) : int64; - secret (@repr WORDSIZE64 14078588081290548374) : int64; - secret (@repr WORDSIZE64 6067271023149908518) : int64; - secret (@repr WORDSIZE64 9033357708497886086) : int64; - secret (@repr WORDSIZE64 10592474449179118273) : int64; - secret (@repr WORDSIZE64 2204988348113831372) : int64 - ] in l). - -Definition g1_yden_k_13_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 172830037692534587) : int64; - secret (@repr WORDSIZE64 7101012286790006514) : int64; - secret (@repr WORDSIZE64 13787308004332873665) : int64; - secret (@repr WORDSIZE64 14660498759553796110) : int64; - secret (@repr WORDSIZE64 4757234684169342080) : int64; - secret (@repr WORDSIZE64 15130647872920159991) : int64 - ] in l). - -Definition g1_yden_k_14_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1013206390650290238) : int64; - secret (@repr WORDSIZE64 7720336747103001025) : int64; - secret (@repr WORDSIZE64 8197694151986493523) : int64; - secret (@repr WORDSIZE64 3625112747029342752) : int64; - secret (@repr WORDSIZE64 6675167463148394368) : int64; - secret (@repr WORDSIZE64 4905905684016745359) : int64 - ] in l). - -Definition g1_simple_swu_iso (u_1539 : fp_t) : (fp_t × fp_t) := - let z_1540 : fp_t := - nat_mod_from_literal (_) (@repr WORDSIZE128 11) : fp_t in - let a_1541 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_a_v)) : fp_t in - let b_1542 : fp_t := - nat_mod_from_byte_seq_be (array_to_be_bytes (g1_iso_b_v)) : fp_t in - let tv1_1543 : fp_t := - nat_mod_inv ((((z_1540) *% (z_1540)) *% (nat_mod_exp (u_1539) ( - @repr WORDSIZE32 4))) +% (((z_1540) *% (u_1539)) *% (u_1539))) in - let x1_1544 : fp_t := - (((nat_mod_zero ) -% (b_1542)) *% (nat_mod_inv (a_1541))) *% (( - nat_mod_one ) +% (tv1_1543)) in - let '(x1_1544) := - if (tv1_1543) =.? (nat_mod_zero ):bool then (let x1_1544 := - (b_1542) *% (nat_mod_inv ((z_1540) *% (a_1541))) in - (x1_1544)) else ((x1_1544)) in - let gx1_1545 : fp_t := - ((nat_mod_exp (x1_1544) (@repr WORDSIZE32 3)) +% ((a_1541) *% ( - x1_1544))) +% (b_1542) in - let x2_1546 : fp_t := - (((z_1540) *% (u_1539)) *% (u_1539)) *% (x1_1544) in - let gx2_1547 : fp_t := - ((nat_mod_exp (x2_1546) (@repr WORDSIZE32 3)) +% ((a_1541) *% ( - x2_1546))) +% (b_1542) in - let '(x_1548, y_1549) := - (if (fp_is_square (gx1_1545)):bool then ((x1_1544, fp_sqrt (gx1_1545) - )) else ((x2_1546, fp_sqrt (gx2_1547)))) in - let '(y_1549) := - if (fp_sgn0 (u_1539)) !=.? (fp_sgn0 (y_1549)):bool then (let y_1549 := - (nat_mod_zero ) -% (y_1549) in - (y_1549)) else ((y_1549)) in - (x_1548, y_1549). - -Definition g1_isogeny_map (x_1550 : fp_t) (y_1551 : fp_t) : g1_t := - let xnum_k_1552 : seq fp_t := - seq_new_ (default) (usize 12) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_0_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_1_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_2_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_3_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_4_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_5_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_6_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_7_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_8_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xnum_k_9_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_xnum_k_10_v)) : fp_t) in - let xnum_k_1552 := - seq_upd xnum_k_1552 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_xnum_k_11_v)) : fp_t) in - let xden_k_1553 : seq fp_t := - seq_new_ (default) (usize 10) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_0_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_1_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_2_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_3_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_4_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_5_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_6_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_7_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_8_v)) : fp_t) in - let xden_k_1553 := - seq_upd xden_k_1553 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_xden_k_9_v)) : fp_t) in - let ynum_k_1554 : seq fp_t := - seq_new_ (default) (usize 16) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_0_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_1_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_2_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_3_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_4_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_5_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_6_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_7_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_8_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_ynum_k_9_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_10_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_11_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 12) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_12_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 13) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_13_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 14) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_14_v)) : fp_t) in - let ynum_k_1554 := - seq_upd ynum_k_1554 (usize 15) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_ynum_k_15_v)) : fp_t) in - let yden_k_1555 : seq fp_t := - seq_new_ (default) (usize 15) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 0) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_0_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 1) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_1_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 2) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_2_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 3) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_3_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 4) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_4_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 5) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_5_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 6) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_6_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 7) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_7_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 8) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_8_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 9) (nat_mod_from_byte_seq_be (array_to_be_bytes ( - g1_yden_k_9_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 10) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_10_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 11) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_11_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 12) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_12_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 13) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_13_v)) : fp_t) in - let yden_k_1555 := - seq_upd yden_k_1555 (usize 14) (nat_mod_from_byte_seq_be ( - array_to_be_bytes (g1_yden_k_14_v)) : fp_t) in - let xnum_1556 : fp_t := - nat_mod_zero in - let xx_1557 : fp_t := - nat_mod_one in - let '(xnum_1556, xx_1557) := - foldi (usize 0) (seq_len (xnum_k_1552)) (fun i_1558 '(xnum_1556, xx_1557) => - let xnum_1556 := - (xnum_1556) +% ((xx_1557) *% (seq_index (xnum_k_1552) (i_1558))) in - let xx_1557 := - (xx_1557) *% (x_1550) in - (xnum_1556, xx_1557)) - (xnum_1556, xx_1557) in - let xden_1559 : fp_t := - nat_mod_zero in - let xx_1560 : fp_t := - nat_mod_one in - let '(xden_1559, xx_1560) := - foldi (usize 0) (seq_len (xden_k_1553)) (fun i_1561 '(xden_1559, xx_1560) => - let xden_1559 := - (xden_1559) +% ((xx_1560) *% (seq_index (xden_k_1553) (i_1561))) in - let xx_1560 := - (xx_1560) *% (x_1550) in - (xden_1559, xx_1560)) - (xden_1559, xx_1560) in - let xden_1559 := - (xden_1559) +% (xx_1560) in - let ynum_1562 : fp_t := - nat_mod_zero in - let xx_1563 : fp_t := - nat_mod_one in - let '(ynum_1562, xx_1563) := - foldi (usize 0) (seq_len (ynum_k_1554)) (fun i_1564 '(ynum_1562, xx_1563) => - let ynum_1562 := - (ynum_1562) +% ((xx_1563) *% (seq_index (ynum_k_1554) (i_1564))) in - let xx_1563 := - (xx_1563) *% (x_1550) in - (ynum_1562, xx_1563)) - (ynum_1562, xx_1563) in - let yden_1565 : fp_t := - nat_mod_zero in - let xx_1566 : fp_t := - nat_mod_one in - let '(yden_1565, xx_1566) := - foldi (usize 0) (seq_len (yden_k_1555)) (fun i_1567 '(yden_1565, xx_1566) => - let yden_1565 := - (yden_1565) +% ((xx_1566) *% (seq_index (yden_k_1555) (i_1567))) in - let xx_1566 := - (xx_1566) *% (x_1550) in - (yden_1565, xx_1566)) - (yden_1565, xx_1566) in - let yden_1565 := - (yden_1565) +% (xx_1566) in - let xr_1568 : fp_t := - (xnum_1556) *% (nat_mod_inv (xden_1559)) in - let yr_1569 : fp_t := - ((y_1551) *% (ynum_1562)) *% (nat_mod_inv (yden_1565)) in - let inf_1570 : bool := - false in - let '(inf_1570) := - if ((xden_1559) =.? (nat_mod_zero )) || ((yden_1565) =.? ( - nat_mod_zero )):bool then (let inf_1570 := - true in - (inf_1570)) else ((inf_1570)) in - (xr_1568, yr_1569, inf_1570). - -Definition g1_map_to_curve_sswu (u_1571 : fp_t) : g1_t := - let '(xp_1572, yp_1573) := - g1_simple_swu_iso (u_1571) in - let p_1574 : (fp_t × fp_t × bool) := - g1_isogeny_map (xp_1572) (yp_1573) in - p_1574. - -Definition g1_hash_to_curve_sswu - (msg_1575 : byte_seq) - (dst_1576 : byte_seq) - : g1_t := - let u_1577 : seq fp_t := - fp_hash_to_field (msg_1575) (dst_1576) (usize 2) in - let q0_1578 : (fp_t × fp_t × bool) := - g1_map_to_curve_sswu (seq_index (u_1577) (usize 0)) in - let q1_1579 : (fp_t × fp_t × bool) := - g1_map_to_curve_sswu (seq_index (u_1577) (usize 1)) in - let r_1580 : (fp_t × fp_t × bool) := - g1add (q0_1578) (q1_1579) in - let p_1581 : (fp_t × fp_t × bool) := - g1_clear_cofactor (r_1580) in - p_1581. - -Definition g1_encode_to_curve_sswu - (msg_1582 : byte_seq) - (dst_1583 : byte_seq) - : g1_t := - let u_1584 : seq fp_t := - fp_hash_to_field (msg_1582) (dst_1583) (usize 1) in - let q_1585 : (fp_t × fp_t × bool) := - g1_map_to_curve_sswu (seq_index (u_1584) (usize 0)) in - let p_1586 : (fp_t × fp_t × bool) := - g1_clear_cofactor (q_1585) in - p_1586. - -Definition g2_xnum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 416399692810564414) : int64; - secret (@repr WORDSIZE64 13500519111022079365) : int64; - secret (@repr WORDSIZE64 3658379999393219626) : int64; - secret (@repr WORDSIZE64 9850925049107374429) : int64; - secret (@repr WORDSIZE64 6640057249351452444) : int64; - secret (@repr WORDSIZE64 7077594464397203414) : int64 - ] in l). - -Definition g2_xnum_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058522) : int64 - ] in l). - -Definition g2_xnum_k_2_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058526) : int64 - ] in l). - -Definition g2_xnum_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 624599539215846622) : int64; - secret (@repr WORDSIZE64 1804034592823567431) : int64; - secret (@repr WORDSIZE64 14710942035944605247) : int64; - secret (@repr WORDSIZE64 14776387573661061644) : int64; - secret (@repr WORDSIZE64 736713837172402858) : int64; - secret (@repr WORDSIZE64 10616391696595805069) : int64 - ] in l). - -Definition g2_xnum_k_3_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1665598771242257658) : int64; - secret (@repr WORDSIZE64 17108588296669214228) : int64; - secret (@repr WORDSIZE64 14633519997572878506) : int64; - secret (@repr WORDSIZE64 2510212049010394485) : int64; - secret (@repr WORDSIZE64 8113484923696258161) : int64; - secret (@repr WORDSIZE64 9863633783879261905) : int64 - ] in l). - -Definition g2_xden_k_0_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863523) : int64 - ] in l). - -Definition g2_xden_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863583) : int64 - ] in l). - -Definition g2_ynum_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1526798873638736187) : int64; - secret (@repr WORDSIZE64 6459500568425337235) : int64; - secret (@repr WORDSIZE64 1116230615302104219) : int64; - secret (@repr WORDSIZE64 17673314439684154624) : int64; - secret (@repr WORDSIZE64 18197961889718808424) : int64; - secret (@repr WORDSIZE64 1355520937843676934) : int64 - ] in l). - -Definition g2_ynum_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 416399692810564414) : int64; - secret (@repr WORDSIZE64 13500519111022079365) : int64; - secret (@repr WORDSIZE64 3658379999393219626) : int64; - secret (@repr WORDSIZE64 9850925049107374429) : int64; - secret (@repr WORDSIZE64 6640057249351452444) : int64; - secret (@repr WORDSIZE64 7077594464397203390) : int64 - ] in l). - -Definition g2_ynum_k_2_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1249199078431693244) : int64; - secret (@repr WORDSIZE64 3608069185647134863) : int64; - secret (@repr WORDSIZE64 10975139998179658879) : int64; - secret (@repr WORDSIZE64 11106031073612571672) : int64; - secret (@repr WORDSIZE64 1473427674344805717) : int64; - secret (@repr WORDSIZE64 2786039319482058524) : int64 - ] in l). - -Definition g2_ynum_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 624599539215846622) : int64; - secret (@repr WORDSIZE64 1804034592823567431) : int64; - secret (@repr WORDSIZE64 14710942035944605247) : int64; - secret (@repr WORDSIZE64 14776387573661061644) : int64; - secret (@repr WORDSIZE64 736713837172402858) : int64; - secret (@repr WORDSIZE64 10616391696595805071) : int64 - ] in l). - -Definition g2_ynum_k_3_r_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1318599027233453979) : int64; - secret (@repr WORDSIZE64 18155985086623849168) : int64; - secret (@repr WORDSIZE64 8510412652460270214) : int64; - secret (@repr WORDSIZE64 12747851915130467410) : int64; - secret (@repr WORDSIZE64 5654561228188306393) : int64; - secret (@repr WORDSIZE64 16263467779354626832) : int64 - ] in l). - -Definition g2_yden_k_0_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863163) : int64 - ] in l). - -Definition g2_yden_k_1_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863379) : int64 - ] in l). - -Definition g2_yden_k_2_i_v : arr_fp_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 1873798617647539866) : int64; - secret (@repr WORDSIZE64 5412103778470702295) : int64; - secret (@repr WORDSIZE64 7239337960414712511) : int64; - secret (@repr WORDSIZE64 7435674573564081700) : int64; - secret (@repr WORDSIZE64 2210141511517208575) : int64; - secret (@repr WORDSIZE64 13402431016077863577) : int64 - ] in l). - -Definition g2_simple_swu_iso (u_1587 : fp2_t) : (fp2_t × fp2_t) := - let z_1588 : (fp_t × fp_t) := - fp2neg ((nat_mod_two , nat_mod_one )) in - let a_1589 : (fp_t × fp_t) := - (nat_mod_zero , nat_mod_from_literal (_) (@repr WORDSIZE128 240) : fp_t) in - let b_1590 : (fp_t × fp_t) := - ( - nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t, - nat_mod_from_literal (_) (@repr WORDSIZE128 1012) : fp_t - ) in - let tv1_1591 : (fp_t × fp_t) := - fp2inv (fp2add (fp2mul (fp2mul (z_1588) (z_1588)) (fp2mul (fp2mul (u_1587) ( - u_1587)) (fp2mul (u_1587) (u_1587)))) (fp2mul (z_1588) (fp2mul ( - u_1587) (u_1587)))) in - let x1_1592 : (fp_t × fp_t) := - fp2mul (fp2mul (fp2neg (b_1590)) (fp2inv (a_1589))) (fp2add (fp2fromfp ( - nat_mod_one )) (tv1_1591)) in - let '(x1_1592) := - if (tv1_1591) =.? (fp2zero ):bool then (let x1_1592 := - fp2mul (b_1590) (fp2inv (fp2mul (z_1588) (a_1589))) in - (x1_1592)) else ((x1_1592)) in - let gx1_1593 : (fp_t × fp_t) := - fp2add (fp2add (fp2mul (fp2mul (x1_1592) (x1_1592)) (x1_1592)) (fp2mul ( - a_1589) (x1_1592))) (b_1590) in - let x2_1594 : (fp_t × fp_t) := - fp2mul (fp2mul (z_1588) (fp2mul (u_1587) (u_1587))) (x1_1592) in - let gx2_1595 : (fp_t × fp_t) := - fp2add (fp2add (fp2mul (fp2mul (x2_1594) (x2_1594)) (x2_1594)) (fp2mul ( - a_1589) (x2_1594))) (b_1590) in - let '(x_1596, y_1597) := - (if (fp2_is_square (gx1_1593)):bool then ((x1_1592, fp2_sqrt (gx1_1593) - )) else ((x2_1594, fp2_sqrt (gx2_1595)))) in - let '(y_1597) := - if (fp2_sgn0 (u_1587)) !=.? (fp2_sgn0 (y_1597)):bool then (let y_1597 := - fp2neg (y_1597) in - (y_1597)) else ((y_1597)) in - (x_1596, y_1597). - -Definition g2_isogeny_map (x_1598 : fp2_t) (y_1599 : fp2_t) : g2_t := - let xnum_k_1600 : seq (fp_t × fp_t) := - seq_new_ (default) (usize 4) in - let xnum_k_1600 := - seq_upd xnum_k_1600 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_0_v)) : fp_t - )) in - let xnum_k_1600 := - seq_upd xnum_k_1600 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_1_i_v)) : fp_t - )) in - let xnum_k_1600 := - seq_upd xnum_k_1600 (usize 2) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_r_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_2_i_v)) : fp_t - )) in - let xnum_k_1600 := - seq_upd xnum_k_1600 (usize 3) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xnum_k_3_r_v)) : fp_t, - nat_mod_zero - )) in - let xden_k_1601 : seq (fp_t × fp_t) := - seq_new_ (default) (usize 2) in - let xden_k_1601 := - seq_upd xden_k_1601 (usize 0) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_0_i_v)) : fp_t - )) in - let xden_k_1601 := - seq_upd xden_k_1601 (usize 1) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 12) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_xden_k_1_i_v)) : fp_t - )) in - let ynum_k_1602 : seq (fp_t × fp_t) := - seq_new_ (default) (usize 4) in - let ynum_k_1602 := - seq_upd ynum_k_1602 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_0_v)) : fp_t - )) in - let ynum_k_1602 := - seq_upd ynum_k_1602 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_1_i_v)) : fp_t - )) in - let ynum_k_1602 := - seq_upd ynum_k_1602 (usize 2) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_r_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_2_i_v)) : fp_t - )) in - let ynum_k_1602 := - seq_upd ynum_k_1602 (usize 3) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_ynum_k_3_r_v)) : fp_t, - nat_mod_zero - )) in - let yden_k_1603 : seq (fp_t × fp_t) := - seq_new_ (default) (usize 3) in - let yden_k_1603 := - seq_upd yden_k_1603 (usize 0) (( - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_0_v)) : fp_t - )) in - let yden_k_1603 := - seq_upd yden_k_1603 (usize 1) (( - nat_mod_zero , - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_1_i_v)) : fp_t - )) in - let yden_k_1603 := - seq_upd yden_k_1603 (usize 2) (( - nat_mod_from_literal (_) (@repr WORDSIZE128 18) : fp_t, - nat_mod_from_byte_seq_be (array_to_be_bytes (g2_yden_k_2_i_v)) : fp_t - )) in - let xnum_1604 : (fp_t × fp_t) := - fp2zero in - let xx_1605 : (fp_t × fp_t) := - fp2fromfp (nat_mod_one ) in - let '(xnum_1604, xx_1605) := - foldi (usize 0) (seq_len (xnum_k_1600)) (fun i_1606 '(xnum_1604, xx_1605) => - let xnum_1604 := - fp2add (xnum_1604) (fp2mul (xx_1605) (seq_index (xnum_k_1600) ( - i_1606))) in - let xx_1605 := - fp2mul (xx_1605) (x_1598) in - (xnum_1604, xx_1605)) - (xnum_1604, xx_1605) in - let xden_1607 : (fp_t × fp_t) := - fp2zero in - let xx_1608 : (fp_t × fp_t) := - fp2fromfp (nat_mod_one ) in - let '(xden_1607, xx_1608) := - foldi (usize 0) (seq_len (xden_k_1601)) (fun i_1609 '(xden_1607, xx_1608) => - let xden_1607 := - fp2add (xden_1607) (fp2mul (xx_1608) (seq_index (xden_k_1601) ( - i_1609))) in - let xx_1608 := - fp2mul (xx_1608) (x_1598) in - (xden_1607, xx_1608)) - (xden_1607, xx_1608) in - let xden_1607 := - fp2add (xden_1607) (xx_1608) in - let ynum_1610 : (fp_t × fp_t) := - fp2zero in - let xx_1611 : (fp_t × fp_t) := - fp2fromfp (nat_mod_one ) in - let '(ynum_1610, xx_1611) := - foldi (usize 0) (seq_len (ynum_k_1602)) (fun i_1612 '(ynum_1610, xx_1611) => - let ynum_1610 := - fp2add (ynum_1610) (fp2mul (xx_1611) (seq_index (ynum_k_1602) ( - i_1612))) in - let xx_1611 := - fp2mul (xx_1611) (x_1598) in - (ynum_1610, xx_1611)) - (ynum_1610, xx_1611) in - let yden_1613 : (fp_t × fp_t) := - fp2zero in - let xx_1614 : (fp_t × fp_t) := - fp2fromfp (nat_mod_one ) in - let '(yden_1613, xx_1614) := - foldi (usize 0) (seq_len (yden_k_1603)) (fun i_1615 '(yden_1613, xx_1614) => - let yden_1613 := - fp2add (yden_1613) (fp2mul (xx_1614) (seq_index (yden_k_1603) ( - i_1615))) in - let xx_1614 := - fp2mul (xx_1614) (x_1598) in - (yden_1613, xx_1614)) - (yden_1613, xx_1614) in - let yden_1613 := - fp2add (yden_1613) (xx_1614) in - let xr_1616 : (fp_t × fp_t) := - fp2mul (xnum_1604) (fp2inv (xden_1607)) in - let yr_1617 : (fp_t × fp_t) := - fp2mul (y_1599) (fp2mul (ynum_1610) (fp2inv (yden_1613))) in - let inf_1618 : bool := - false in - let '(inf_1618) := - if ((xden_1607) =.? (fp2zero )) || ((yden_1613) =.? (fp2zero )):bool then ( - let inf_1618 := - true in - (inf_1618)) else ((inf_1618)) in - (xr_1616, yr_1617, inf_1618). - -Definition g2_map_to_curve_sswu (u_1619 : fp2_t) : g2_t := - let '(xp_1620, yp_1621) := - g2_simple_swu_iso (u_1619) in - let p_1622 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_isogeny_map (xp_1620) (yp_1621) in - p_1622. - -Definition g2_hash_to_curve_sswu - (msg_1623 : byte_seq) - (dst_1624 : byte_seq) - : g2_t := - let u_1625 : seq fp2_t := - fp2_hash_to_field (msg_1623) (dst_1624) (usize 2) in - let q0_1626 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_map_to_curve_sswu (seq_index (u_1625) (usize 0)) in - let q1_1627 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_map_to_curve_sswu (seq_index (u_1625) (usize 1)) in - let r_1628 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2add (q0_1626) (q1_1627) in - let p_1629 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_clear_cofactor (r_1628) in - p_1629. - -Definition g2_encode_to_curve_sswu - (msg_1630 : byte_seq) - (dst_1631 : byte_seq) - : g2_t := - let u_1632 : seq fp2_t := - fp2_hash_to_field (msg_1630) (dst_1631) (usize 1) in - let q_1633 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_map_to_curve_sswu (seq_index (u_1632) (usize 0)) in - let p_1634 : ((fp_t × fp_t) × (fp_t × fp_t) × bool) := - g2_clear_cofactor (q_1633) in - p_1634. - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20.v b/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20.v deleted file mode 100644 index f99e1874c..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20.v +++ /dev/null @@ -1,222 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition state_t := nseq (uint32) (usize 16). - -Definition state_idx_t := - nat_mod (usize 16). -Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. -Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. - -Definition constants_t := nseq (uint32) (usize 4). - -Definition constants_idx_t := - nat_mod (usize 4). -Definition uint_size_in_constants_idx_t(n : uint_size) : constants_idx_t := int_in_nat_mod n. -Coercion uint_size_in_constants_idx_t : uint_size >-> constants_idx_t. - -Definition block_t := nseq (uint8) (usize 64). - -Definition cha_cha_iv_t := nseq (uint8) (usize 12). - -Definition cha_cha_key_t := nseq (uint8) (usize 32). - -Definition chacha20_line - (a_345 : state_idx_t) - (b_346 : state_idx_t) - (d_347 : state_idx_t) - (s_348 : uint_size) - (m_349 : state_t) - : state_t := - let state_350 : state_t := - m_349 in - let state_350 := - array_upd state_350 (a_345) ((array_index (state_350) (a_345)) .+ ( - array_index (state_350) (b_346))) in - let state_350 := - array_upd state_350 (d_347) ((array_index (state_350) (d_347)) .^ ( - array_index (state_350) (a_345))) in - let state_350 := - array_upd state_350 (d_347) (uint32_rotate_left (array_index (state_350) ( - d_347)) (s_348)) in - state_350. - -Definition chacha20_quarter_round - (a_351 : state_idx_t) - (b_352 : state_idx_t) - (c_353 : state_idx_t) - (d_354 : state_idx_t) - (state_355 : state_t) - : state_t := - let state_356 : state_t := - chacha20_line (a_351) (b_352) (d_354) (usize 16) (state_355) in - let state_357 : state_t := - chacha20_line (c_353) (d_354) (b_352) (usize 12) (state_356) in - let state_358 : state_t := - chacha20_line (a_351) (b_352) (d_354) (usize 8) (state_357) in - chacha20_line (c_353) (d_354) (b_352) (usize 7) (state_358). - -Definition chacha20_double_round (state_359 : state_t) : state_t := - let state_360 : state_t := - chacha20_quarter_round (usize 0) (usize 4) (usize 8) (usize 12) ( - state_359) in - let state_361 : state_t := - chacha20_quarter_round (usize 1) (usize 5) (usize 9) (usize 13) ( - state_360) in - let state_362 : state_t := - chacha20_quarter_round (usize 2) (usize 6) (usize 10) (usize 14) ( - state_361) in - let state_363 : state_t := - chacha20_quarter_round (usize 3) (usize 7) (usize 11) (usize 15) ( - state_362) in - let state_364 : state_t := - chacha20_quarter_round (usize 0) (usize 5) (usize 10) (usize 15) ( - state_363) in - let state_365 : state_t := - chacha20_quarter_round (usize 1) (usize 6) (usize 11) (usize 12) ( - state_364) in - let state_366 : state_t := - chacha20_quarter_round (usize 2) (usize 7) (usize 8) (usize 13) ( - state_365) in - chacha20_quarter_round (usize 3) (usize 4) (usize 9) (usize 14) (state_366). - -Definition chacha20_rounds (state_367 : state_t) : state_t := - let st_368 : state_t := - state_367 in - let st_368 := - foldi (usize 0) (usize 10) (fun i_369 st_368 => - let st_368 := - chacha20_double_round (st_368) in - (st_368)) - st_368 in - st_368. - -Definition chacha20_core (ctr_370 : uint32) (st0_371 : state_t) : state_t := - let state_372 : state_t := - st0_371 in - let state_372 := - array_upd state_372 (usize 12) ((array_index (state_372) (usize 12)) .+ ( - ctr_370)) in - let k_373 : state_t := - chacha20_rounds (state_372) in - (k_373) array_add (state_372). - -Definition chacha20_constants_init : constants_t := - let constants_374 : constants_t := - array_new_ (default) (4) in - let constants_374 := - array_upd constants_374 (usize 0) (secret ( - @repr WORDSIZE32 1634760805) : int32) in - let constants_374 := - array_upd constants_374 (usize 1) (secret ( - @repr WORDSIZE32 857760878) : int32) in - let constants_374 := - array_upd constants_374 (usize 2) (secret ( - @repr WORDSIZE32 2036477234) : int32) in - let constants_374 := - array_upd constants_374 (usize 3) (secret ( - @repr WORDSIZE32 1797285236) : int32) in - constants_374. - -Definition chacha20_init - (key_375 : cha_cha_key_t) - (iv_376 : cha_cha_iv_t) - (ctr_377 : uint32) - : state_t := - let st_378 : state_t := - array_new_ (default) (16) in - let st_378 := - array_update (st_378) (usize 0) ( - array_to_seq (chacha20_constants_init )) in - let st_378 := - array_update (st_378) (usize 4) (array_to_le_uint32s (key_375)) in - let st_378 := - array_upd st_378 (usize 12) (ctr_377) in - let st_378 := - array_update (st_378) (usize 13) (array_to_le_uint32s (iv_376)) in - st_378. - -Definition chacha20_key_block (state_379 : state_t) : block_t := - let state_380 : state_t := - chacha20_core (secret (@repr WORDSIZE32 0) : int32) (state_379) in - array_from_seq (64) (array_to_le_bytes (state_380)). - -Definition chacha20_key_block0 - (key_381 : cha_cha_key_t) - (iv_382 : cha_cha_iv_t) - : block_t := - let state_383 : state_t := - chacha20_init (key_381) (iv_382) (secret (@repr WORDSIZE32 0) : int32) in - chacha20_key_block (state_383). - -Definition chacha20_encrypt_block - (st0_384 : state_t) - (ctr_385 : uint32) - (plain_386 : block_t) - : block_t := - let st_387 : state_t := - chacha20_core (ctr_385) (st0_384) in - let pl_388 : state_t := - array_from_seq (16) (array_to_le_uint32s (plain_386)) in - let st_389 : state_t := - (pl_388) array_xor (st_387) in - array_from_seq (64) (array_to_le_bytes (st_389)). - -Definition chacha20_encrypt_last - (st0_390 : state_t) - (ctr_391 : uint32) - (plain_392 : byte_seq) - : byte_seq := - let b_393 : block_t := - array_new_ (default) (64) in - let b_393 := - array_update (b_393) (usize 0) (plain_392) in - let b_393 := - chacha20_encrypt_block (st0_390) (ctr_391) (b_393) in - array_slice (b_393) (usize 0) (seq_len (plain_392)). - -Definition chacha20_update (st0_394 : state_t) (m_395 : byte_seq) : byte_seq := - let blocks_out_396 : seq uint8 := - seq_new_ (default) (seq_len (m_395)) in - let n_blocks_397 : uint_size := - seq_num_exact_chunks (m_395) (usize 64) in - let blocks_out_396 := - foldi (usize 0) (n_blocks_397) (fun i_398 blocks_out_396 => - let msg_block_399 : seq uint8 := - seq_get_exact_chunk (m_395) (usize 64) (i_398) in - let b_400 : block_t := - chacha20_encrypt_block (st0_394) (secret (pub_u32 (i_398)) : int32) ( - array_from_seq (64) (msg_block_399)) in - let blocks_out_396 := - seq_set_exact_chunk (blocks_out_396) (usize 64) (i_398) ( - array_to_seq (b_400)) in - (blocks_out_396)) - blocks_out_396 in - let last_block_401 : seq uint8 := - seq_get_remainder_chunk (m_395) (usize 64) in - let '(blocks_out_396) := - if (seq_len (last_block_401)) !=.? (usize 0):bool then ( - let b_402 : seq uint8 := - chacha20_encrypt_last (st0_394) (secret (pub_u32 ( - n_blocks_397)) : int32) (last_block_401) in - let blocks_out_396 := - seq_set_chunk (blocks_out_396) (usize 64) (n_blocks_397) (b_402) in - (blocks_out_396)) else ((blocks_out_396)) in - blocks_out_396. - -Definition chacha20 - (key_403 : cha_cha_key_t) - (iv_404 : cha_cha_iv_t) - (ctr_405 : int32) - (m_406 : byte_seq) - : byte_seq := - let state_407 : state_t := - chacha20_init (key_403) (iv_404) (secret (ctr_405) : int32) in - chacha20_update (state_407) (m_406). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20poly1305.v b/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20poly1305.v deleted file mode 100644 index 0567711ca..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Chacha20poly1305.v +++ /dev/null @@ -1,97 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Chacha20. - -Require Import Hacspec_Poly1305. - -Inductive error_t := -| InvalidTag : error_t. - -Notation "'cha_cha_poly_key_t'" := (cha_cha_key_t) : hacspec_scope. - -Notation "'cha_cha_poly_iv_t'" := (cha_cha_iv_t) : hacspec_scope. - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Definition init - (key_408 : cha_cha_poly_key_t) - (iv_409 : cha_cha_poly_iv_t) - : poly_state_t := - let key_block0_410 : block_t := - chacha20_key_block0 (key_408) (iv_409) in - let poly_key_411 : poly_key_t := - array_from_slice (default) (32) (array_to_seq (key_block0_410)) (usize 0) ( - usize 32) in - poly1305_init (poly_key_411). - -Definition poly1305_update_padded - (m_412 : byte_seq) - (st_413 : poly_state_t) - : poly_state_t := - let st_414 : (field_element_t × field_element_t × poly_key_t) := - poly1305_update_blocks (m_412) (st_413) in - let last_415 : seq uint8 := - seq_get_remainder_chunk (m_412) (usize 16) in - poly1305_update_last (usize 16) (last_415) (st_414). - -Definition finish - (aad_len_416 : uint_size) - (cipher_len_417 : uint_size) - (st_418 : poly_state_t) - : poly1305_tag_t := - let last_block_419 : poly_block_t := - array_new_ (default) (16) in - let last_block_419 := - array_update (last_block_419) (usize 0) (array_to_seq (uint64_to_le_bytes ( - secret (pub_u64 (aad_len_416)) : int64))) in - let last_block_419 := - array_update (last_block_419) (usize 8) (array_to_seq (uint64_to_le_bytes ( - secret (pub_u64 (cipher_len_417)) : int64))) in - let st_420 : (field_element_t × field_element_t × poly_key_t) := - poly1305_update_block (last_block_419) (st_418) in - poly1305_finish (st_420). - -Definition chacha20_poly1305_encrypt - (key_421 : cha_cha_poly_key_t) - (iv_422 : cha_cha_poly_iv_t) - (aad_423 : byte_seq) - (msg_424 : byte_seq) - : (byte_seq × poly1305_tag_t) := - let cipher_text_425 : seq uint8 := - chacha20 (key_421) (iv_422) (@repr WORDSIZE32 1) (msg_424) in - let poly_st_426 : (field_element_t × field_element_t × poly_key_t) := - init (key_421) (iv_422) in - let poly_st_426 := - poly1305_update_padded (aad_423) (poly_st_426) in - let poly_st_426 := - poly1305_update_padded (cipher_text_425) (poly_st_426) in - let tag_427 : poly1305_tag_t := - finish (seq_len (aad_423)) (seq_len (cipher_text_425)) (poly_st_426) in - (cipher_text_425, tag_427). - -Definition chacha20_poly1305_decrypt - (key_428 : cha_cha_poly_key_t) - (iv_429 : cha_cha_poly_iv_t) - (aad_430 : byte_seq) - (cipher_text_431 : byte_seq) - (tag_432 : poly1305_tag_t) - : byte_seq_result_t := - let poly_st_433 : (field_element_t × field_element_t × poly_key_t) := - init (key_428) (iv_429) in - let poly_st_433 := - poly1305_update_padded (aad_430) (poly_st_433) in - let poly_st_433 := - poly1305_update_padded (cipher_text_431) (poly_st_433) in - let my_tag_434 : poly1305_tag_t := - finish (seq_len (aad_430)) (seq_len (cipher_text_431)) (poly_st_433) in - (if (array_declassify_eq (my_tag_434) (tag_432)):bool then ( - @Ok byte_seq error_t (chacha20 (key_428) (iv_429) (@repr WORDSIZE32 1) ( - cipher_text_431))) else (@Err byte_seq error_t (InvalidTag))). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Curve25519.v b/proof-libs/coq/coq/src/_vc/Hacspec_Curve25519.v deleted file mode 100644 index 449f760b5..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Curve25519.v +++ /dev/null @@ -1,169 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition field_canvas_t := nseq (int8) (32). -Definition x25519_field_element_t := - nat_mod 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition scalar_t := - nat_mod 0x8000000000000000000000000000000000000000000000000000000000000000. - -Notation "'point_t'" := ((x25519_field_element_t × x25519_field_element_t -)) : hacspec_scope. - -Definition x25519_serialized_point_t := nseq (uint8) (usize 32). - -Definition x25519_serialized_scalar_t := nseq (uint8) (usize 32). - -Definition mask_scalar - (s_477 : x25519_serialized_scalar_t) - : x25519_serialized_scalar_t := - let k_478 : x25519_serialized_scalar_t := - s_477 in - let k_478 := - array_upd k_478 (usize 0) ((array_index (k_478) (usize 0)) .& (secret ( - @repr WORDSIZE8 248) : int8)) in - let k_478 := - array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - let k_478 := - array_upd k_478 (usize 31) ((array_index (k_478) (usize 31)) .| (secret ( - @repr WORDSIZE8 64) : int8)) in - k_478. - -Definition decode_scalar (s_479 : x25519_serialized_scalar_t) : scalar_t := - let k_480 : x25519_serialized_scalar_t := - mask_scalar (s_479) in - nat_mod_from_byte_seq_le (array_to_seq (k_480)) : scalar_t. - -Definition decode_point (u_481 : x25519_serialized_point_t) : point_t := - let u_482 : x25519_serialized_point_t := - u_481 in - let u_482 := - array_upd u_482 (usize 31) ((array_index (u_482) (usize 31)) .& (secret ( - @repr WORDSIZE8 127) : int8)) in - ( - nat_mod_from_byte_seq_le (array_to_seq (u_482)) : x25519_field_element_t, - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 1) : x25519_field_element_t - ). - -Definition encode_point (p_483 : point_t) : x25519_serialized_point_t := - let '(x_484, y_485) := - p_483 in - let b_486 : x25519_field_element_t := - (x_484) *% (nat_mod_inv (y_485)) in - array_update_start (array_new_ (default) (32)) (nat_mod_to_byte_seq_le ( - b_486)). - -Definition point_add_and_double - (q_487 : point_t) - (np_488 : (point_t × point_t)) - : (point_t × point_t) := - let '(nq_489, nqp1_490) := - np_488 in - let '(x_1_491, z_1_492) := - q_487 in - let '(x_2_493, z_2_494) := - nq_489 in - let '(x_3_495, z_3_496) := - nqp1_490 in - let a_497 : x25519_field_element_t := - (x_2_493) +% (z_2_494) in - let aa_498 : x25519_field_element_t := - nat_mod_pow (a_497) (@repr WORDSIZE128 2) in - let b_499 : x25519_field_element_t := - (x_2_493) -% (z_2_494) in - let bb_500 : x25519_field_element_t := - (b_499) *% (b_499) in - let e_501 : x25519_field_element_t := - (aa_498) -% (bb_500) in - let c_502 : x25519_field_element_t := - (x_3_495) +% (z_3_496) in - let d_503 : x25519_field_element_t := - (x_3_495) -% (z_3_496) in - let da_504 : x25519_field_element_t := - (d_503) *% (a_497) in - let cb_505 : x25519_field_element_t := - (c_502) *% (b_499) in - let x_3_506 : x25519_field_element_t := - nat_mod_pow ((da_504) +% (cb_505)) (@repr WORDSIZE128 2) in - let z_3_507 : x25519_field_element_t := - (x_1_491) *% (nat_mod_pow ((da_504) -% (cb_505)) (@repr WORDSIZE128 2)) in - let x_2_508 : x25519_field_element_t := - (aa_498) *% (bb_500) in - let e121665_509 : x25519_field_element_t := - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 121665) : x25519_field_element_t in - let z_2_510 : x25519_field_element_t := - (e_501) *% ((aa_498) +% ((e121665_509) *% (e_501))) in - ((x_2_508, z_2_510), (x_3_506, z_3_507)). - -Definition swap (x_511 : (point_t × point_t)) : (point_t × point_t) := - let '(x0_512, x1_513) := - x_511 in - (x1_513, x0_512). - -Definition montgomery_ladder - (k_514 : scalar_t) - (init_515 : point_t) - : point_t := - let inf_516 : (x25519_field_element_t × x25519_field_element_t) := - ( - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 1) : x25519_field_element_t, - nat_mod_from_literal ( - 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) ( - @repr WORDSIZE128 0) : x25519_field_element_t - ) in - let acc_517 : (point_t × point_t) := - (inf_516, init_515) in - let acc_517 := - foldi (usize 0) (usize 256) (fun i_518 acc_517 => - let '(acc_517) := - if nat_mod_bit (k_514) ((usize 255) - (i_518)):bool then (let acc_517 := - swap (acc_517) in - let acc_517 := - point_add_and_double (init_515) (acc_517) in - let acc_517 := - swap (acc_517) in - (acc_517)) else (let acc_517 := - point_add_and_double (init_515) (acc_517) in - (acc_517)) in - (acc_517)) - acc_517 in - let '(out_519, _) := - acc_517 in - out_519. - -Definition x25519_scalarmult - (s_520 : x25519_serialized_scalar_t) - (p_521 : x25519_serialized_point_t) - : x25519_serialized_point_t := - let s_522 : scalar_t := - decode_scalar (s_520) in - let p_523 : (x25519_field_element_t × x25519_field_element_t) := - decode_point (p_521) in - let r_524 : (x25519_field_element_t × x25519_field_element_t) := - montgomery_ladder (s_522) (p_523) in - encode_point (r_524). - -Definition x25519_secret_to_public - (s_525 : x25519_serialized_scalar_t) - : x25519_serialized_point_t := - let base_526 : x25519_serialized_point_t := - array_new_ (default) (32) in - let base_526 := - array_upd base_526 (usize 0) (secret (@repr WORDSIZE8 9) : int8) in - x25519_scalarmult (s_525) (base_526). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v b/proof-libs/coq/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v deleted file mode 100644 index 813844eec..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Ecdsa_P256_Sha256.v +++ /dev/null @@ -1,127 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_P256. - -Require Import Hacspec_Sha256. - -Inductive error_t := -| InvalidScalar : error_t -| InvalidSignature : error_t. - -Notation "'p256_public_key_t'" := (affine_t) : hacspec_scope. - -Notation "'p256_secret_key_t'" := (p256_scalar_t) : hacspec_scope. - -Notation "'p256_signature_t'" := ((p256_scalar_t × p256_scalar_t -)) : hacspec_scope. - -Notation "'p256_signature_result_t'" := (( - result p256_signature_t error_t)) : hacspec_scope. - -Notation "'p256_verify_result_t'" := ((result unit error_t)) : hacspec_scope. - -Notation "'check_result_t'" := ((result unit error_t)) : hacspec_scope. - -Notation "'arithmetic_result_t'" := ((result affine_t error_t)) : hacspec_scope. - -Definition check_scalar_zero (r_527 : p256_scalar_t) : check_result_t := - (if (nat_mod_equal (r_527) (nat_mod_zero )):bool then (@Err unit error_t ( - InvalidScalar)) else (@Ok unit error_t (tt))). - -Definition ecdsa_point_mul_base (x_528 : p256_scalar_t) : arithmetic_result_t := - match p256_point_mul_base (x_528) with - | Ok s_529 => @Ok affine_t error_t (s_529) - | Err _ => @Err affine_t error_t (InvalidScalar) - end. - -Definition ecdsa_point_mul - (k_530 : p256_scalar_t) - (p_531 : affine_t) - : arithmetic_result_t := - match p256_point_mul (k_530) (p_531) with - | Ok s_532 => @Ok affine_t error_t (s_532) - | Err _ => @Err affine_t error_t (InvalidScalar) - end. - -Definition ecdsa_point_add - (p_533 : affine_t) - (q_534 : affine_t) - : arithmetic_result_t := - match point_add (p_533) (q_534) with - | Ok s_535 => @Ok affine_t error_t (s_535) - | Err _ => @Err affine_t error_t (InvalidScalar) - end. - -Definition sign - (payload_536 : byte_seq) - (sk_537 : p256_secret_key_t) - (nonce_538 : p256_scalar_t) - : p256_signature_result_t := - bind (check_scalar_zero (nonce_538)) (fun _ => bind (ecdsa_point_mul_base ( - nonce_538)) (fun '(k_x_539, k_y_540) => let r_541 : p256_scalar_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - k_x_539)) : p256_scalar_t in - bind (check_scalar_zero (r_541)) (fun _ => - let payload_hash_542 : sha256_digest_t := - hash (payload_536) in - let payload_hash_543 : p256_scalar_t := - nat_mod_from_byte_seq_be ( - array_to_seq (payload_hash_542)) : p256_scalar_t in - let rsk_544 : p256_scalar_t := - (r_541) *% (sk_537) in - let hash_rsk_545 : p256_scalar_t := - (payload_hash_543) +% (rsk_544) in - let nonce_inv_546 : p256_scalar_t := - nat_mod_inv (nonce_538) in - let s_547 : p256_scalar_t := - (nonce_inv_546) *% (hash_rsk_545) in - @Ok p256_signature_t error_t ((r_541, s_547))))). - -Definition ecdsa_p256_sha256_sign - (payload_548 : byte_seq) - (sk_549 : p256_secret_key_t) - (nonce_550 : p256_scalar_t) - : p256_signature_result_t := - sign (payload_548) (sk_549) (nonce_550). - -Definition verify - (payload_551 : byte_seq) - (pk_552 : p256_public_key_t) - (signature_553 : p256_signature_t) - : p256_verify_result_t := - let '(r_554, s_555) := - signature_553 in - let payload_hash_556 : sha256_digest_t := - hash (payload_551) in - let payload_hash_557 : p256_scalar_t := - nat_mod_from_byte_seq_be ( - array_to_seq (payload_hash_556)) : p256_scalar_t in - let s_inv_558 : p256_scalar_t := - nat_mod_inv (s_555) in - let u1_559 : p256_scalar_t := - (payload_hash_557) *% (s_inv_558) in - bind (ecdsa_point_mul_base (u1_559)) (fun u1_560 => - let u2_561 : p256_scalar_t := - (r_554) *% (s_inv_558) in - bind (ecdsa_point_mul (u2_561) (pk_552)) (fun u2_562 => bind ( - ecdsa_point_add (u1_560) (u2_562)) (fun '(x_563, y_564) => - let x_565 : p256_scalar_t := - nat_mod_from_byte_seq_be (nat_mod_to_byte_seq_be ( - x_563)) : p256_scalar_t in - (if ((x_565) =.? (r_554)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature)))))). - -Definition ecdsa_p256_sha256_verify - (payload_566 : byte_seq) - (pk_567 : p256_public_key_t) - (signature_568 : p256_signature_t) - : p256_verify_result_t := - verify (payload_566) (pk_567) (signature_568). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Ed25519.v b/proof-libs/coq/coq/src/_vc/Hacspec_Ed25519.v deleted file mode 100644 index 599394625..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Ed25519.v +++ /dev/null @@ -1,619 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha512. - -Require Import Hacspec_Edwards25519. - -Definition scalar_from_hash (h_1635 : sha512_digest_t) : scalar_t := - let s_1636 : big_scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (h_1635)) : big_scalar_t in - nat_mod_from_byte_seq_le (seq_slice (nat_mod_to_byte_seq_le (s_1636)) ( - usize 0) (usize 32)) : scalar_t. - -Definition sign (sk_1637 : secret_key_t) (msg_1638 : byte_seq) : signature_t := - let '(a_1639, prefix_1640) := - secret_expand (sk_1637) in - let a_1641 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (a_1639)) : scalar_t in - let b_1642 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let a_p_1643 : compressed_ed_point_t := - compress (point_mul (a_1641) (b_1642)) in - let r_1644 : scalar_t := - scalar_from_hash (sha512 (array_concat (prefix_1640) (msg_1638))) in - let r_p_1645 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul (r_1644) (b_1642) in - let r_s_1646 : compressed_ed_point_t := - compress (r_p_1645) in - let h_1647 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_s_1646) ( - array_to_seq (a_p_1643))) (msg_1638))) in - let s_1648 : scalar_t := - (r_1644) +% ((h_1647) *% (a_1641)) in - let s_bytes_1649 : seq uint8 := - seq_slice (nat_mod_to_byte_seq_le (s_1648)) (usize 0) (usize 32) in - array_update (array_update (array_new_ (default) (64)) (usize 0) ( - array_to_seq (r_s_1646))) (usize 32) (s_bytes_1649). - -Definition zcash_verify - (pk_1650 : public_key_t) - (signature_1651 : signature_t) - (msg_1652 : byte_seq) - : verify_result_t := - let b_1653 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress_non_canonical (base_v)) in - bind (option_ok_or (decompress_non_canonical (pk_1650)) (InvalidPublickey)) ( - fun a_1654 => let r_bytes_1655 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1651)) ( - usize 0) (usize 32) in - let s_bytes_1656 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1651)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1656)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress_non_canonical (r_bytes_1655)) (InvalidR)) ( - fun r_1657 => let s_1658 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1656)) : scalar_t in - let k_1659 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1655) ( - pk_1650)) (msg_1652))) in - let sb_1660 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_1658) (b_1653)) in - let rc_1661 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_1657) in - let ka_1662 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_1659) (a_1654)) in - (if (point_eq (sb_1660) (point_add (rc_1661) (ka_1662))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition ietf_cofactored_verify - (pk_1663 : public_key_t) - (signature_1664 : signature_t) - (msg_1665 : byte_seq) - : verify_result_t := - let b_1666 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_1663)) (InvalidPublickey)) (fun a_1667 => - let r_bytes_1668 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1664)) ( - usize 0) (usize 32) in - let s_bytes_1669 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1664)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1669)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_1668)) (InvalidR)) (fun r_1670 => - let s_1671 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1669)) : scalar_t in - let k_1672 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1668) ( - pk_1663)) (msg_1665))) in - let sb_1673 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_1671) (b_1666)) in - let rc_1674 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_1670) in - let ka_1675 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_1672) (a_1667)) in - (if (point_eq (sb_1673) (point_add (rc_1674) (ka_1675))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition ietf_cofactorless_verify - (pk_1676 : public_key_t) - (signature_1677 : signature_t) - (msg_1678 : byte_seq) - : verify_result_t := - let b_1679 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_1676)) (InvalidPublickey)) (fun a_1680 => - let r_bytes_1681 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1677)) ( - usize 0) (usize 32) in - let s_bytes_1682 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1677)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1682)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_1681)) (InvalidR)) (fun r_1683 => - let s_1684 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1682)) : scalar_t in - let k_1685 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1681) ( - pk_1676)) (msg_1678))) in - let sb_1686 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul (s_1684) (b_1679) in - let ka_1687 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul (k_1685) (a_1680) in - (if (point_eq (sb_1686) (point_add (r_1683) (ka_1687))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature)))))). - -Definition is_identity (p_1688 : ed_point_t) : bool := - point_eq (p_1688) (point_identity ). - -Definition alg2_verify - (pk_1689 : public_key_t) - (signature_1690 : signature_t) - (msg_1691 : byte_seq) - : verify_result_t := - let b_1692 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - bind (option_ok_or (decompress (pk_1689)) (InvalidPublickey)) (fun a_1693 => - ifbnd is_identity (point_mul_by_cofactor (a_1693)) : bool - thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - let r_bytes_1694 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1690)) ( - usize 0) (usize 32) in - let s_bytes_1695 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1690)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1695)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_1694)) (InvalidR)) (fun r_1696 => - let s_1697 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1695)) : scalar_t in - let k_1698 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1694) ( - pk_1689)) (msg_1691))) in - let sb_1699 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (s_1697) (b_1692)) in - let rc_1700 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (r_1696) in - let ka_1701 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_mul (k_1698) (a_1693)) in - (if (point_eq (sb_1699) (point_add (rc_1700) (ka_1701))):bool then ( - @Ok unit error_t (tt)) else (@Err unit error_t ( - InvalidSignature))))))). - -Inductive batch_entry_t := -| BatchEntry : (public_key_t × byte_seq × signature_t) -> batch_entry_t. - -Definition zcash_batch_verify - (entries_1702 : seq batch_entry_t) - (entropy_1703 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_1703)) <.? ((usize 16) * (seq_len ( - entries_1702))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - let s_sum_1704 : scalar_t := - nat_mod_zero in - let r_sum_1705 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - let a_sum_1706 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_1702)) for ( - s_sum_1704, - r_sum_1705, - a_sum_1706 - ) >> (fun i_1707 '(s_sum_1704, r_sum_1705, a_sum_1706) => - let 'BatchEntry ((pk_1708, msg_1709, signature_1710)) := - (seq_index (entries_1702) (i_1707)) in - bind (option_ok_or (decompress_non_canonical (pk_1708)) ( - InvalidPublickey)) (fun a_1711 => - let r_bytes_1712 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1710)) ( - usize 0) (usize 32) in - let s_bytes_1713 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1710)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1713)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress_non_canonical (r_bytes_1712)) (InvalidR)) ( - fun r_1714 => let s_1715 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1713)) : scalar_t in - let c_1716 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1712) ( - array_to_seq (pk_1708))) (msg_1709))) in - let z_1717 : seq uint8 := - seq_slice (entropy_1703) ((usize 16) * (i_1707)) (usize 16) in - let z_1718 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_1717) (seq_new_ (default) ( - usize 16))) : scalar_t in - let s_sum_1704 := - (s_sum_1704) +% ((s_1715) *% (z_1718)) in - let r_sum_1705 := - point_add (r_sum_1705) (point_mul (z_1718) (r_1714)) in - let a_sum_1706 := - point_add (a_sum_1706) (point_mul ((z_1718) *% (c_1716)) (a_1711)) in - Ok ((s_sum_1704, r_sum_1705, a_sum_1706))))))) (fun '( - s_sum_1704, - r_sum_1705, - a_sum_1706 - ) => let b_1719 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_1720 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul (s_sum_1704) (b_1719) in - let check_1721 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_1720)) (point_add ( - r_sum_1705) (a_sum_1706))) in - (if (is_identity (check_1721)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition ietf_cofactored_batch_verify - (entries_1722 : seq batch_entry_t) - (entropy_1723 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_1723)) <.? ((usize 16) * (seq_len ( - entries_1722))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - let s_sum_1724 : scalar_t := - nat_mod_zero in - let r_sum_1725 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - let a_sum_1726 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_1722)) for ( - s_sum_1724, - r_sum_1725, - a_sum_1726 - ) >> (fun i_1727 '(s_sum_1724, r_sum_1725, a_sum_1726) => - let 'BatchEntry ((pk_1728, msg_1729, signature_1730)) := - (seq_index (entries_1722) (i_1727)) in - bind (option_ok_or (decompress (pk_1728)) (InvalidPublickey)) (fun a_1731 => - let r_bytes_1732 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1730)) ( - usize 0) (usize 32) in - let s_bytes_1733 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1730)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1733)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_1732)) (InvalidR)) (fun r_1734 => - let s_1735 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1733)) : scalar_t in - let c_1736 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1732) ( - array_to_seq (pk_1728))) (msg_1729))) in - let z_1737 : seq uint8 := - seq_slice (entropy_1723) ((usize 16) * (i_1727)) (usize 16) in - let z_1738 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_1737) (seq_new_ (default) ( - usize 16))) : scalar_t in - let s_sum_1724 := - (s_sum_1724) +% ((s_1735) *% (z_1738)) in - let r_sum_1725 := - point_add (r_sum_1725) (point_mul (z_1738) (r_1734)) in - let a_sum_1726 := - point_add (a_sum_1726) (point_mul ((z_1738) *% (c_1736)) (a_1731)) in - Ok ((s_sum_1724, r_sum_1725, a_sum_1726))))))) (fun '( - s_sum_1724, - r_sum_1725, - a_sum_1726 - ) => let b_1739 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_1740 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul (s_sum_1724) (b_1739) in - let check_1741 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_1740)) (point_add ( - r_sum_1725) (a_sum_1726))) in - (if (is_identity (check_1741)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition ietf_cofactorless_batch_verify - (entries_1742 : seq batch_entry_t) - (entropy_1743 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_1743)) <.? ((usize 16) * (seq_len ( - entries_1742))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - let s_sum_1744 : scalar_t := - nat_mod_zero in - let r_sum_1745 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - let a_sum_1746 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_1742)) for ( - s_sum_1744, - r_sum_1745, - a_sum_1746 - ) >> (fun i_1747 '(s_sum_1744, r_sum_1745, a_sum_1746) => - let 'BatchEntry ((pk_1748, msg_1749, signature_1750)) := - (seq_index (entries_1742) (i_1747)) in - bind (option_ok_or (decompress (pk_1748)) (InvalidPublickey)) (fun a_1751 => - let r_bytes_1752 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1750)) ( - usize 0) (usize 32) in - let s_bytes_1753 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1750)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1753)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_1752)) (InvalidR)) (fun r_1754 => - let s_1755 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1753)) : scalar_t in - let c_1756 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1752) ( - array_to_seq (pk_1748))) (msg_1749))) in - let z_1757 : seq uint8 := - seq_slice (entropy_1743) ((usize 16) * (i_1747)) (usize 16) in - let z_1758 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_1757) (seq_new_ (default) ( - usize 16))) : scalar_t in - let s_sum_1744 := - (s_sum_1744) +% ((s_1755) *% (z_1758)) in - let r_sum_1745 := - point_add (r_sum_1745) (point_mul (z_1758) (r_1754)) in - let a_sum_1746 := - point_add (a_sum_1746) (point_mul ((z_1758) *% (c_1756)) (a_1751)) in - Ok ((s_sum_1744, r_sum_1745, a_sum_1746))))))) (fun '( - s_sum_1744, - r_sum_1745, - a_sum_1746 - ) => let b_1759 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_1760 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul (s_sum_1744) (b_1759) in - let check_1761 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_add (point_neg (sb_1760)) (point_add (r_sum_1745) (a_sum_1746)) in - (if (is_identity (check_1761)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - -Definition alg3_batch_verify - (entries_1762 : seq batch_entry_t) - (entropy_1763 : byte_seq) - : verify_result_t := - ifbnd (seq_len (entropy_1763)) <.? ((usize 16) * (seq_len ( - entries_1762))) : bool - thenbnd (bind (@Err unit error_t (NotEnoughRandomness)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - let s_sum_1764 : scalar_t := - nat_mod_zero in - let r_sum_1765 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - let a_sum_1766 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_identity in - bind (foldibnd (usize 0) to (seq_len (entries_1762)) for ( - s_sum_1764, - r_sum_1765, - a_sum_1766 - ) >> (fun i_1767 '(s_sum_1764, r_sum_1765, a_sum_1766) => - let 'BatchEntry ((pk_1768, msg_1769, signature_1770)) := - (seq_index (entries_1762) (i_1767)) in - bind (option_ok_or (decompress (pk_1768)) (InvalidPublickey)) (fun a_1771 => - ifbnd is_identity (point_mul_by_cofactor (a_1771)) : bool - thenbnd (bind (@Err unit error_t (SmallOrderPoint)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - let r_bytes_1772 : compressed_ed_point_t := - array_from_slice (default) (32) (array_to_seq (signature_1770)) ( - usize 0) (usize 32) in - let s_bytes_1773 : serialized_scalar_t := - array_from_slice (default) (32) (array_to_seq (signature_1770)) ( - usize 32) (usize 32) in - ifbnd negb (check_canonical_scalar (s_bytes_1773)) : bool - thenbnd (bind (@Err unit error_t (InvalidS)) (fun _ => Ok (tt))) - else (tt) >> (fun 'tt => - bind (option_ok_or (decompress (r_bytes_1772)) (InvalidR)) (fun r_1774 => - let s_1775 : scalar_t := - nat_mod_from_byte_seq_le (array_to_seq (s_bytes_1773)) : scalar_t in - let c_1776 : scalar_t := - scalar_from_hash (sha512 (seq_concat (array_concat (r_bytes_1772) ( - array_to_seq (pk_1768))) (msg_1769))) in - let z_1777 : seq uint8 := - seq_slice (entropy_1763) ((usize 16) * (i_1767)) (usize 16) in - let z_1778 : scalar_t := - nat_mod_from_byte_seq_le (seq_concat (z_1777) (seq_new_ (default) ( - usize 16))) : scalar_t in - let s_sum_1764 := - (s_sum_1764) +% ((s_1775) *% (z_1778)) in - let r_sum_1765 := - point_add (r_sum_1765) (point_mul (z_1778) (r_1774)) in - let a_sum_1766 := - point_add (a_sum_1766) (point_mul ((z_1778) *% (c_1776)) (a_1771)) in - Ok ((s_sum_1764, r_sum_1765, a_sum_1766)))))))) (fun '( - s_sum_1764, - r_sum_1765, - a_sum_1766 - ) => let b_1779 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - option_unwrap (decompress (base_v)) in - let sb_1780 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul (s_sum_1764) (b_1779) in - let check_1781 : ( - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t × - ed25519_field_element_t - ) := - point_mul_by_cofactor (point_add (point_neg (sb_1780)) (point_add ( - r_sum_1765) (a_sum_1766))) in - (if (is_identity (check_1781)):bool then (@Ok unit error_t (tt)) else ( - @Err unit error_t (InvalidSignature))))). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Gf128.v b/proof-libs/coq/coq/src/_vc/Hacspec_Gf128.v deleted file mode 100644 index 64d5ffc0c..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Gf128.v +++ /dev/null @@ -1,112 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition blocksize_v : uint_size := - usize 16. - -Definition gf128_block_t := nseq (uint8) (blocksize_v). - -Definition gf128_key_t := nseq (uint8) (blocksize_v). - -Definition gf128_tag_t := nseq (uint8) (blocksize_v). - -Notation "'element_t'" := (uint128) : hacspec_scope. - -Definition irred_v : element_t := - secret (@repr WORDSIZE128 299076299051606071403356588563077529600) : int128. - -Definition fadd (x_317 : element_t) (y_318 : element_t) : element_t := - (x_317) .^ (y_318). - -Definition fmul (x_319 : element_t) (y_320 : element_t) : element_t := - let res_321 : element_t := - secret (@repr WORDSIZE128 0) : int128 in - let sh_322 : uint128 := - x_319 in - let '(res_321, sh_322) := - foldi (usize 0) (usize 128) (fun i_323 '(res_321, sh_322) => - let '(res_321) := - if (uint128_declassify ((y_320) .& ((secret ( - @repr WORDSIZE128 1) : int128) shift_left ((usize 127) - ( - i_323))))) !=.? (uint128_declassify (secret ( - @repr WORDSIZE128 0) : int128)):bool then (let res_321 := - (res_321) .^ (sh_322) in - (res_321)) else ((res_321)) in - let '(sh_322) := - if (uint128_declassify ((sh_322) .& (secret ( - @repr WORDSIZE128 1) : int128))) !=.? (uint128_declassify ( - secret (@repr WORDSIZE128 0) : int128)):bool then (let sh_322 := - ((sh_322) shift_right (usize 1)) .^ (irred_v) in - (sh_322)) else (let sh_322 := - (sh_322) shift_right (usize 1) in - (sh_322)) in - (res_321, sh_322)) - (res_321, sh_322) in - res_321. - -Definition encode (block_324 : gf128_block_t) : element_t := - uint128_from_be_bytes (array_from_seq (16) (array_to_seq (block_324))). - -Definition decode (e_325 : element_t) : gf128_block_t := - array_from_seq (blocksize_v) (array_to_seq (uint128_to_be_bytes (e_325))). - -Definition update - (r_326 : element_t) - (block_327 : gf128_block_t) - (acc_328 : element_t) - : element_t := - fmul (fadd (encode (block_327)) (acc_328)) (r_326). - -Definition poly (msg_329 : byte_seq) (r_330 : element_t) : element_t := - let l_331 : uint_size := - seq_len (msg_329) in - let n_blocks_332 : uint_size := - (l_331) / (blocksize_v) in - let rem_333 : uint_size := - (l_331) %% (blocksize_v) in - let acc_334 : uint128 := - secret (@repr WORDSIZE128 0) : int128 in - let acc_334 := - foldi (usize 0) (n_blocks_332) (fun i_335 acc_334 => - let k_336 : uint_size := - (i_335) * (blocksize_v) in - let block_337 : gf128_block_t := - array_new_ (default) (blocksize_v) in - let block_337 := - array_update_start (block_337) (seq_slice_range (msg_329) (( - k_336, - (k_336) + (blocksize_v) - ))) in - let acc_334 := - update (r_330) (block_337) (acc_334) in - (acc_334)) - acc_334 in - let '(acc_334) := - if (rem_333) !=.? (usize 0):bool then (let k_338 : uint_size := - (n_blocks_332) * (blocksize_v) in - let last_block_339 : gf128_block_t := - array_new_ (default) (blocksize_v) in - let last_block_339 := - array_update_slice (last_block_339) (usize 0) (msg_329) (k_338) ( - rem_333) in - let acc_334 := - update (r_330) (last_block_339) (acc_334) in - (acc_334)) else ((acc_334)) in - acc_334. - -Definition gmac (text_340 : byte_seq) (k_341 : gf128_key_t) : gf128_tag_t := - let s_342 : gf128_block_t := - array_new_ (default) (blocksize_v) in - let r_343 : uint128 := - encode (array_from_seq (blocksize_v) (array_to_seq (k_341))) in - let a_344 : uint128 := - poly (text_340) (r_343) in - array_from_seq (blocksize_v) (array_to_seq (decode (fadd (a_344) (encode ( - s_342))))). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Gimli.v b/proof-libs/coq/coq/src/_vc/Hacspec_Gimli.v deleted file mode 100644 index 3669b32fd..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Gimli.v +++ /dev/null @@ -1,395 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition state_t := nseq (uint32) (usize 12). - -Definition state_idx_t := - nat_mod (usize 12). -Definition uint_size_in_state_idx_t(n : uint_size) : state_idx_t := int_in_nat_mod n. -Coercion uint_size_in_state_idx_t : uint_size >-> state_idx_t. - -Definition swap - (s_757 : state_t) - (i_758 : state_idx_t) - (j_759 : state_idx_t) - : state_t := - let tmp_760 : uint32 := - array_index (s_757) (i_758) in - let s_757 := - array_upd s_757 (i_758) (array_index (s_757) (j_759)) in - let s_757 := - array_upd s_757 (j_759) (tmp_760) in - s_757. - -Definition gimli_round (s_761 : state_t) (r_762 : int32) : state_t := - let s_761 := - foldi (usize 0) (usize 4) (fun col_763 s_761 => - let x_764 : uint32 := - uint32_rotate_left (array_index (s_761) (col_763)) (usize 24) in - let y_765 : uint32 := - uint32_rotate_left (array_index (s_761) ((col_763) + (usize 4))) ( - usize 9) in - let z_766 : uint32 := - array_index (s_761) ((col_763) + (usize 8)) in - let s_761 := - array_upd s_761 ((col_763) + (usize 8)) (((x_764) .^ (( - z_766) shift_left (usize 1))) .^ (((y_765) .& ( - z_766)) shift_left (usize 2))) in - let s_761 := - array_upd s_761 ((col_763) + (usize 4)) (((y_765) .^ (x_764)) .^ ((( - x_764) .| (z_766)) shift_left (usize 1))) in - let s_761 := - array_upd s_761 (col_763) (((z_766) .^ (y_765)) .^ (((x_764) .& ( - y_765)) shift_left (usize 3))) in - (s_761)) - s_761 in - let '(s_761) := - if ((r_762) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( - let s_761 := - swap (s_761) (usize 0) (usize 1) in - let s_761 := - swap (s_761) (usize 2) (usize 3) in - (s_761)) else ((s_761)) in - let '(s_761) := - if ((r_762) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 2):bool then ( - let s_761 := - swap (s_761) (usize 0) (usize 2) in - let s_761 := - swap (s_761) (usize 1) (usize 3) in - (s_761)) else ((s_761)) in - let '(s_761) := - if ((r_762) .& (@repr WORDSIZE32 3)) =.? (@repr WORDSIZE32 0):bool then ( - let s_761 := - array_upd s_761 (usize 0) ((array_index (s_761) (usize 0)) .^ ((secret ( - @repr WORDSIZE32 2654435584) : int32) .| (secret ( - r_762) : int32))) in - (s_761)) else ((s_761)) in - s_761. - -Definition gimli (s_767 : state_t) : state_t := - let s_767 := - foldi (usize 0) (usize 24) (fun rnd_768 s_767 => - let rnd_769 : int32 := - pub_u32 ((usize 24) - (rnd_768)) in - let s_767 := - gimli_round (s_767) (rnd_769) in - (s_767)) - s_767 in - s_767. - -Definition block_t := nseq (uint8) (usize 16). - -Definition digest_t := nseq (uint8) (usize 32). - -Definition absorb_block - (input_block_770 : block_t) - (s_771 : state_t) - : state_t := - let input_bytes_772 : seq uint32 := - array_to_le_uint32s (input_block_770) in - let s_771 := - array_upd s_771 (usize 0) ((array_index (s_771) (usize 0)) .^ (seq_index ( - input_bytes_772) (usize 0))) in - let s_771 := - array_upd s_771 (usize 1) ((array_index (s_771) (usize 1)) .^ (seq_index ( - input_bytes_772) (usize 1))) in - let s_771 := - array_upd s_771 (usize 2) ((array_index (s_771) (usize 2)) .^ (seq_index ( - input_bytes_772) (usize 2))) in - let s_771 := - array_upd s_771 (usize 3) ((array_index (s_771) (usize 3)) .^ (seq_index ( - input_bytes_772) (usize 3))) in - gimli (s_771). - -Definition squeeze_block (s_773 : state_t) : block_t := - let block_774 : block_t := - array_new_ (default) (16) in - let block_774 := - foldi (usize 0) (usize 4) (fun i_775 block_774 => - let s_i_776 : uint32 := - array_index (s_773) (i_775) in - let s_i_bytes_777 : seq uint8 := - uint32_to_le_bytes (s_i_776) in - let block_774 := - array_upd block_774 ((usize 4) * (i_775)) (seq_index (s_i_bytes_777) ( - usize 0)) in - let block_774 := - array_upd block_774 (((usize 4) * (i_775)) + (usize 1)) (seq_index ( - s_i_bytes_777) (usize 1)) in - let block_774 := - array_upd block_774 (((usize 4) * (i_775)) + (usize 2)) (seq_index ( - s_i_bytes_777) (usize 2)) in - let block_774 := - array_upd block_774 (((usize 4) * (i_775)) + (usize 3)) (seq_index ( - s_i_bytes_777) (usize 3)) in - (block_774)) - block_774 in - block_774. - -Definition gimli_hash_state - (input_778 : byte_seq) - (s_779 : state_t) - : state_t := - let rate_780 : uint_size := - array_length in - let chunks_781 : uint_size := - seq_num_exact_chunks (input_778) (rate_780) in - let s_779 := - foldi (usize 0) (chunks_781) (fun i_782 s_779 => - let input_block_783 : seq uint8 := - seq_get_exact_chunk (input_778) (rate_780) (i_782) in - let full_block_784 : block_t := - array_from_seq (16) (input_block_783) in - let s_779 := - absorb_block (full_block_784) (s_779) in - (s_779)) - s_779 in - let input_block_785 : seq uint8 := - seq_get_remainder_chunk (input_778) (rate_780) in - let input_block_padded_786 : block_t := - array_new_ (default) (16) in - let input_block_padded_787 : block_t := - array_update_start (input_block_padded_786) (input_block_785) in - let input_block_padded_787 := - array_upd input_block_padded_787 (seq_len (input_block_785)) (secret ( - @repr WORDSIZE8 1) : int8) in - let s_779 := - array_upd s_779 (usize 11) ((array_index (s_779) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_779 := - absorb_block (input_block_padded_787) (s_779) in - s_779. - -Definition gimli_hash (input_bytes_788 : byte_seq) : digest_t := - let s_789 : state_t := - array_new_ (default) (12) in - let s_790 : state_t := - gimli_hash_state (input_bytes_788) (s_789) in - let output_791 : digest_t := - array_new_ (default) (32) in - let output_792 : digest_t := - array_update_start (output_791) (array_to_seq (squeeze_block (s_790))) in - let s_793 : state_t := - gimli (s_790) in - array_update (output_792) (array_length ) (array_to_seq (squeeze_block ( - s_793))). - -Definition nonce_t := nseq (uint8) (usize 16). - -Definition key_t := nseq (uint8) (usize 32). - -Definition tag_t := nseq (uint8) (usize 16). - -Definition process_ad (ad_794 : byte_seq) (s_795 : state_t) : state_t := - gimli_hash_state (ad_794) (s_795). - -Definition process_msg - (message_796 : byte_seq) - (s_797 : state_t) - : (state_t × byte_seq) := - let ciphertext_798 : seq uint8 := - seq_new_ (default) (seq_len (message_796)) in - let rate_799 : uint_size := - array_length in - let num_chunks_800 : uint_size := - seq_num_exact_chunks (message_796) (rate_799) in - let '(s_797, ciphertext_798) := - foldi (usize 0) (num_chunks_800) (fun i_801 '(s_797, ciphertext_798) => - let key_block_802 : block_t := - squeeze_block (s_797) in - let msg_block_803 : seq uint8 := - seq_get_exact_chunk (message_796) (rate_799) (i_801) in - let msg_block_804 : block_t := - array_from_seq (16) (msg_block_803) in - let ciphertext_798 := - seq_set_exact_chunk (ciphertext_798) (rate_799) (i_801) (array_to_seq (( - msg_block_804) array_xor (key_block_802))) in - let s_797 := - absorb_block (msg_block_804) (s_797) in - (s_797, ciphertext_798)) - (s_797, ciphertext_798) in - let key_block_805 : block_t := - squeeze_block (s_797) in - let last_block_806 : seq uint8 := - seq_get_remainder_chunk (message_796) (rate_799) in - let block_len_807 : uint_size := - seq_len (last_block_806) in - let msg_block_padded_808 : block_t := - array_new_ (default) (16) in - let msg_block_padded_809 : block_t := - array_update_start (msg_block_padded_808) (last_block_806) in - let ciphertext_798 := - seq_set_chunk (ciphertext_798) (rate_799) (num_chunks_800) ( - array_slice_range ((msg_block_padded_809) array_xor (key_block_805)) (( - usize 0, - block_len_807 - ))) in - let msg_block_padded_809 := - array_upd msg_block_padded_809 (block_len_807) ((array_index ( - msg_block_padded_809) (block_len_807)) .^ (secret ( - @repr WORDSIZE8 1) : int8)) in - let s_797 := - array_upd s_797 (usize 11) ((array_index (s_797) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_797 := - absorb_block (msg_block_padded_809) (s_797) in - (s_797, ciphertext_798). - -Definition process_ct - (ciphertext_810 : byte_seq) - (s_811 : state_t) - : (state_t × byte_seq) := - let message_812 : seq uint8 := - seq_new_ (default) (seq_len (ciphertext_810)) in - let rate_813 : uint_size := - array_length in - let num_chunks_814 : uint_size := - seq_num_exact_chunks (ciphertext_810) (rate_813) in - let '(s_811, message_812) := - foldi (usize 0) (num_chunks_814) (fun i_815 '(s_811, message_812) => - let key_block_816 : block_t := - squeeze_block (s_811) in - let ct_block_817 : seq uint8 := - seq_get_exact_chunk (ciphertext_810) (rate_813) (i_815) in - let ct_block_818 : block_t := - array_from_seq (16) (ct_block_817) in - let msg_block_819 : block_t := - (ct_block_818) array_xor (key_block_816) in - let message_812 := - seq_set_exact_chunk (message_812) (rate_813) (i_815) (array_to_seq (( - ct_block_818) array_xor (key_block_816))) in - let s_811 := - absorb_block (msg_block_819) (s_811) in - (s_811, message_812)) - (s_811, message_812) in - let key_block_820 : block_t := - squeeze_block (s_811) in - let ct_final_821 : seq uint8 := - seq_get_remainder_chunk (ciphertext_810) (rate_813) in - let block_len_822 : uint_size := - seq_len (ct_final_821) in - let ct_block_padded_823 : block_t := - array_new_ (default) (16) in - let ct_block_padded_824 : block_t := - array_update_start (ct_block_padded_823) (ct_final_821) in - let msg_block_825 : block_t := - (ct_block_padded_824) array_xor (key_block_820) in - let message_812 := - seq_set_chunk (message_812) (rate_813) (num_chunks_814) (array_slice_range ( - msg_block_825) ((usize 0, block_len_822))) in - let msg_block_826 : block_t := - array_from_slice_range (default) (16) (array_to_seq (msg_block_825)) (( - usize 0, - block_len_822 - )) in - let msg_block_826 := - array_upd msg_block_826 (block_len_822) ((array_index (msg_block_826) ( - block_len_822)) .^ (secret (@repr WORDSIZE8 1) : int8)) in - let s_811 := - array_upd s_811 (usize 11) ((array_index (s_811) (usize 11)) .^ (secret ( - @repr WORDSIZE32 16777216) : int32)) in - let s_811 := - absorb_block (msg_block_826) (s_811) in - (s_811, message_812). - -Definition nonce_to_u32s (nonce_827 : nonce_t) : seq uint32 := - let uints_828 : seq uint32 := - seq_new_ (default) (usize 4) in - let uints_828 := - seq_upd uints_828 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (nonce_827)) ((usize 0, usize 4)))) in - let uints_828 := - seq_upd uints_828 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (nonce_827)) ((usize 4, usize 8)))) in - let uints_828 := - seq_upd uints_828 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (nonce_827)) ((usize 8, usize 12)))) in - let uints_828 := - seq_upd uints_828 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (nonce_827)) ((usize 12, usize 16)))) in - uints_828. - -Definition key_to_u32s (key_829 : key_t) : seq uint32 := - let uints_830 : seq uint32 := - seq_new_ (default) (usize 8) in - let uints_830 := - seq_upd uints_830 (usize 0) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 0, usize 4)))) in - let uints_830 := - seq_upd uints_830 (usize 1) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 4, usize 8)))) in - let uints_830 := - seq_upd uints_830 (usize 2) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 8, usize 12)))) in - let uints_830 := - seq_upd uints_830 (usize 3) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 12, usize 16)))) in - let uints_830 := - seq_upd uints_830 (usize 4) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 16, usize 20)))) in - let uints_830 := - seq_upd uints_830 (usize 5) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 20, usize 24)))) in - let uints_830 := - seq_upd uints_830 (usize 6) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 24, usize 28)))) in - let uints_830 := - seq_upd uints_830 (usize 7) (uint32_from_le_bytes (array_from_slice_range ( - default) (4) (array_to_seq (key_829)) ((usize 28, usize 32)))) in - uints_830. - -Definition gimli_aead_encrypt - (message_831 : byte_seq) - (ad_832 : byte_seq) - (nonce_833 : nonce_t) - (key_834 : key_t) - : (byte_seq × tag_t) := - let s_835 : state_t := - array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_833)) (key_to_u32s ( - key_834))) in - let s_836 : state_t := - gimli (s_835) in - let s_837 : state_t := - process_ad (ad_832) (s_836) in - let '(s_838, ciphertext_839) := - process_msg (message_831) (s_837) in - let tag_840 : block_t := - squeeze_block (s_838) in - let tag_841 : tag_t := - array_from_seq (16) (array_to_seq (tag_840)) in - (ciphertext_839, tag_841). - -Definition gimli_aead_decrypt - (ciphertext_842 : byte_seq) - (ad_843 : byte_seq) - (tag_844 : tag_t) - (nonce_845 : nonce_t) - (key_846 : key_t) - : byte_seq := - let s_847 : state_t := - array_from_seq (12) (seq_concat (nonce_to_u32s (nonce_845)) (key_to_u32s ( - key_846))) in - let s_848 : state_t := - gimli (s_847) in - let s_849 : state_t := - process_ad (ad_843) (s_848) in - let '(s_850, message_851) := - process_ct (ciphertext_842) (s_849) in - let my_tag_852 : block_t := - squeeze_block (s_850) in - let my_tag_853 : tag_t := - array_from_seq (16) (array_to_seq (my_tag_852)) in - let out_854 : seq uint8 := - seq_new_ (default) (usize 0) in - let '(out_854) := - if array_equal (my_tag_853) (tag_844):bool then (let out_854 := - message_851 in - (out_854)) else ((out_854)) in - out_854. - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Hkdf.v b/proof-libs/coq/coq/src/_vc/Hacspec_Hkdf.v deleted file mode 100644 index 944f32405..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Hkdf.v +++ /dev/null @@ -1,91 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Hmac. - -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition hash_len_v : uint_size := - (usize 256) / (usize 8). - -Inductive hkdf_error_t := -| InvalidOutputLength : hkdf_error_t. - -Notation "'hkdf_byte_seq_result_t'" := (( - result byte_seq hkdf_error_t)) : hacspec_scope. - -Definition extract (salt_713 : byte_seq) (ikm_714 : byte_seq) : prk_t := - let salt_or_zero_715 : seq uint8 := - seq_new_ (default) (hash_len_v) in - let '(salt_or_zero_715) := - if (seq_len (salt_713)) >.? (usize 0):bool then (let salt_or_zero_715 := - seq_from_seq (salt_713) in - (salt_or_zero_715)) else ((salt_or_zero_715)) in - array_from_seq (_) (array_to_seq (hmac (salt_or_zero_715) (ikm_714))). - -Definition build_hmac_txt - (t_716 : byte_seq) - (info_717 : byte_seq) - (iteration_718 : uint8) - : byte_seq := - let out_719 : seq uint8 := - seq_new_ (default) (((seq_len (t_716)) + (seq_len (info_717))) + ( - usize 1)) in - let out_719 := - seq_update (out_719) (usize 0) (t_716) in - let out_719 := - seq_update (out_719) (seq_len (t_716)) (info_717) in - let out_719 := - seq_upd out_719 ((seq_len (t_716)) + (seq_len (info_717))) ( - iteration_718) in - out_719. - -Definition div_ceil (a_720 : uint_size) (b_721 : uint_size) : uint_size := - let q_722 : uint_size := - (a_720) / (b_721) in - let '(q_722) := - if ((a_720) %% (b_721)) !=.? (usize 0):bool then (let q_722 := - (q_722) + (usize 1) in - (q_722)) else ((q_722)) in - q_722. - -Definition check_output_limit - (l_723 : uint_size) - : (result uint_size hkdf_error_t) := - let n_724 : uint_size := - div_ceil (l_723) (hash_len_v) in - (if ((n_724) <=.? (usize 255)):bool then (@Ok uint_size hkdf_error_t ( - n_724)) else (@Err uint_size hkdf_error_t (InvalidOutputLength))). - -Definition expand - (prk_725 : byte_seq) - (info_726 : byte_seq) - (l_727 : uint_size) - : hkdf_byte_seq_result_t := - bind (check_output_limit (l_727)) (fun n_728 => let t_i_729 : prk_t := - array_new_ (default) (_) in - let t_730 : seq uint8 := - seq_new_ (default) ((n_728) * (hash_size_v)) in - let '(t_i_729, t_730) := - foldi (usize 0) (n_728) (fun i_731 '(t_i_729, t_730) => - let hmac_txt_in_732 : seq uint8 := - (if ((i_731) =.? (usize 0)):bool then (build_hmac_txt (seq_new_ ( - default) (usize 0)) (info_726) (secret ((pub_u8 (i_731)) .+ ( - @repr WORDSIZE8 1)) : int8)) else (build_hmac_txt ( - seq_from_seq (array_to_seq (t_i_729))) (info_726) (secret (( - pub_u8 (i_731)) .+ (@repr WORDSIZE8 1)) : int8))) in - let t_i_729 := - hmac (prk_725) (hmac_txt_in_732) in - let t_730 := - seq_update (t_730) ((i_731) * (array_len (t_i_729))) ( - array_to_seq (t_i_729)) in - (t_i_729, t_730)) - (t_i_729, t_730) in - @Ok byte_seq hkdf_error_t (seq_slice (t_730) (usize 0) (l_727))). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Hmac.v b/proof-libs/coq/coq/src/_vc/Hacspec_Hmac.v deleted file mode 100644 index e9a37708f..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Hmac.v +++ /dev/null @@ -1,177 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition block_len_v : uint_size := - k_size_v. - -Definition prk_t := nseq (uint8) (hash_size_v). - -Definition block_t := nseq (uint8) (block_len_v). - -Definition i_pad_v : block_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8; - secret (@repr WORDSIZE8 54) : int8 - ] in l). - -Definition o_pad_v : block_t := - array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8; - secret (@repr WORDSIZE8 92) : int8 - ] in l). - -Definition k_block (k_733 : byte_seq) : block_t := - (if ((seq_len (k_733)) >.? (block_len_v)):bool then (array_update_start ( - array_new_ (default) (block_len_v)) (array_to_seq (hash ( - k_733)))) else (array_update_start (array_new_ (default) ( - block_len_v)) (k_733))). - -Definition hmac (k_734 : byte_seq) (txt_735 : byte_seq) : prk_t := - let k_block_736 : block_t := - k_block (k_734) in - let h_in_737 : seq uint8 := - seq_from_seq (array_to_seq ((k_block_736) array_xor (i_pad_v))) in - let h_in_737 := - seq_concat (h_in_737) (txt_735) in - let h_inner_738 : sha256_digest_t := - hash (h_in_737) in - let h_in_739 : seq uint8 := - seq_from_seq (array_to_seq ((k_block_736) array_xor (o_pad_v))) in - let h_in_739 := - seq_concat (h_in_739) (array_to_seq (h_inner_738)) in - array_from_seq (hash_size_v) (array_to_seq (hash (h_in_739))). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Linalg.v b/proof-libs/coq/coq/src/_vc/Hacspec_Linalg.v deleted file mode 100644 index 72a3df965..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Linalg.v +++ /dev/null @@ -1,64 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Notation "'dim_type_t'" := (uint_size) : hacspec_scope. - -Notation "'scalar_t'" := (int128) : hacspec_scope. - -Notation "'dims_t'" := ((dim_type_t × dim_type_t)) : hacspec_scope. - -Notation "'matrix_t'" := ((dims_t × seq scalar_t)) : hacspec_scope. - -Notation "'mat_res_t'" := ((result matrix_t unit)) : hacspec_scope. - -Definition new_ - (rows_740 : dim_type_t) - (cols_741 : dim_type_t) - (seq_742 : seq scalar_t) - : mat_res_t := - (if (((seq_len (seq_742)) >.? (usize 0)) && (((rows_740) * (cols_741)) =.? ( - seq_len (seq_742)))):bool then (@Ok matrix_t unit (( - (rows_740, cols_741), - seq_742 - ))) else (@Err matrix_t unit (tt))). - -Definition repeat - (n_743 : dim_type_t) - (m_744 : dim_type_t) - (scalar_745 : scalar_t) - : mat_res_t := - let ret_746 : seq int128 := - seq_new_ (default) ((n_743) * (m_744)) in - let ret_746 := - foldi (usize 0) ((n_743) * (m_744)) (fun i_747 ret_746 => - let ret_746 := - seq_upd ret_746 (i_747) (scalar_745) in - (ret_746)) - ret_746 in - new_ (n_743) (m_744) (ret_746). - -Definition zeros (n_748 : dim_type_t) (m_749 : dim_type_t) : mat_res_t := - repeat (n_748) (m_749) (pub_int128_zero ). - -Definition ones (n_750 : dim_type_t) (m_751 : dim_type_t) : mat_res_t := - repeat (n_750) (m_751) (pub_int128_one ). - -Definition identity (n_752 : dim_type_t) (m_753 : dim_type_t) : mat_res_t := - let ret_754 : seq int128 := - seq_new_ (default) ((n_752) * (m_753)) in - let ret_754 := - foldi (usize 0) (min (n_752) (m_753)) (fun i_755 ret_754 => - let index_756 : uint_size := - ((i_755) * (min (n_752) (m_753))) + (i_755) in - let ret_754 := - seq_upd ret_754 (index_756) (pub_int128_one ) in - (ret_754)) - ret_754 in - new_ (n_752) (m_753) (ret_754). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Ntru_Prime.v b/proof-libs/coq/coq/src/_vc/Hacspec_Ntru_Prime.v deleted file mode 100644 index 1ea95475f..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Ntru_Prime.v +++ /dev/null @@ -1,136 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition build_irreducible (p_914 : uint_size) : seq int128 := - let irr_915 : seq int128 := - seq_new_ (default) ((p_914) + (usize 1)) in - let irr_915 := - seq_upd irr_915 (usize 0) (- (@repr WORDSIZE128 1)) in - let irr_915 := - seq_upd irr_915 (usize 1) (- (@repr WORDSIZE128 1)) in - let irr_915 := - seq_upd irr_915 (p_914) (@repr WORDSIZE128 1) in - irr_915. - -Definition round_to_3 (poly_916 : seq int128) (q_917 : int128) : seq int128 := - let result_918 : seq int128 := - (poly_916) in - let q_12_919 : int128 := - ((q_917) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in - let result_918 := - foldi (usize 0) (seq_len (poly_916)) (fun i_920 result_918 => - let '(result_918) := - if (seq_index (poly_916) (i_920)) >.? (q_12_919):bool then ( - let result_918 := - seq_upd result_918 (i_920) ((seq_index (poly_916) (i_920)) .- ( - q_917)) in - (result_918)) else ((result_918)) in - (result_918)) - result_918 in - let result_918 := - foldi (usize 0) (seq_len (result_918)) (fun i_921 result_918 => - let '(result_918) := - if ((seq_index (result_918) (i_921)) .% (@repr WORDSIZE128 3)) !=.? ( - @repr WORDSIZE128 0):bool then (let result_918 := - seq_upd result_918 (i_921) ((seq_index (result_918) (i_921)) .- ( - @repr WORDSIZE128 1)) in - let '(result_918) := - if ((seq_index (result_918) (i_921)) .% ( - @repr WORDSIZE128 3)) !=.? (@repr WORDSIZE128 0):bool then ( - let result_918 := - seq_upd result_918 (i_921) ((seq_index (result_918) ( - i_921)) .+ (@repr WORDSIZE128 2)) in - (result_918)) else ((result_918)) in - (result_918)) else ((result_918)) in - (result_918)) - result_918 in - result_918. - -Definition encrypt - (r_922 : seq int128) - (h_923 : seq int128) - (q_924 : int128) - (irreducible_925 : seq int128) - : seq int128 := - let pre_926 : seq int128 := - mul_poly_irr (r_922) (h_923) (irreducible_925) (q_924) in - round_to_3 (pre_926) (q_924). - -Definition ntru_prime_653_encrypt - (r_927 : seq int128) - (h_928 : seq int128) - : seq int128 := - let p_929 : uint_size := - usize 653 in - let q_930 : int128 := - @repr WORDSIZE128 4621 in - let w_931 : uint_size := - usize 288 in - let irreducible_932 : seq int128 := - build_irreducible (p_929) in - encrypt (r_927) (h_928) (q_930) (irreducible_932). - -Definition ntru_prime_653_decrypt - (c_933 : seq int128) - (key_f_934 : seq int128) - (key_v_935 : seq int128) - : (seq int128 × bool) := - let p_936 : uint_size := - usize 653 in - let q_937 : int128 := - @repr WORDSIZE128 4621 in - let w_938 : uint_size := - usize 288 in - let irreducible_939 : seq int128 := - build_irreducible (p_936) in - let f_c_940 : seq int128 := - mul_poly_irr (key_f_934) (c_933) (irreducible_939) (q_937) in - let f_3_c_and_decryption_ok_941 : (seq int128 × bool) := - poly_to_ring (irreducible_939) (add_poly (f_c_940) (add_poly (f_c_940) ( - f_c_940) (q_937)) (q_937)) (q_937) in - let '(f_3_c_942, ok_decrypt_943) := - f_3_c_and_decryption_ok_941 in - let f_3_c_944 : seq int128 := - f_3_c_942 in - let q_12_945 : int128 := - ((q_937) .- (@repr WORDSIZE128 1)) ./ (@repr WORDSIZE128 2) in - let f_3_c_944 := - foldi (usize 0) (seq_len (f_3_c_944)) (fun i_946 f_3_c_944 => - let '(f_3_c_944) := - if (seq_index (f_3_c_944) (i_946)) >.? (q_12_945):bool then ( - let f_3_c_944 := - seq_upd f_3_c_944 (i_946) ((seq_index (f_3_c_944) (i_946)) .- ( - q_937)) in - (f_3_c_944)) else ((f_3_c_944)) in - (f_3_c_944)) - f_3_c_944 in - let e_947 : seq int128 := - seq_new_ (default) (seq_len (f_3_c_944)) in - let e_947 := - foldi (usize 0) (seq_len (e_947)) (fun i_948 e_947 => - let e_947 := - seq_upd e_947 (i_948) ((seq_index (f_3_c_944) (i_948)) .% ( - @repr WORDSIZE128 3)) in - (e_947)) - e_947 in - let e_947 := - make_positive (e_947) (@repr WORDSIZE128 3) in - let r_949 : seq int128 := - mul_poly_irr (e_947) (key_v_935) (irreducible_939) (@repr WORDSIZE128 3) in - let r_949 := - foldi (usize 0) (seq_len (r_949)) (fun i_950 r_949 => - let '(r_949) := - if (seq_index (r_949) (i_950)) =.? (@repr WORDSIZE128 2):bool then ( - let r_949 := - seq_upd r_949 (i_950) (- (@repr WORDSIZE128 1)) in - (r_949)) else ((r_949)) in - (r_949)) - r_949 in - (r_949, ok_decrypt_943). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_P256.v b/proof-libs/coq/coq/src/_vc/Hacspec_P256.v deleted file mode 100644 index 19a6a01cf..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_P256.v +++ /dev/null @@ -1,486 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Inductive error_t := -| InvalidAddition : error_t. - -Definition bits_v : uint_size := - usize 256. - -Definition field_canvas_t := nseq (int8) (32). -Definition p256_field_element_t := - nat_mod 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff. - -Definition scalar_canvas_t := nseq (int8) (32). -Definition p256_scalar_t := - nat_mod 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551. - -Notation "'affine_t'" := ((p256_field_element_t × p256_field_element_t -)) : hacspec_scope. - -Notation "'affine_result_t'" := ((result affine_t error_t)) : hacspec_scope. - -Notation "'p256_jacobian_t'" := (( - p256_field_element_t × - p256_field_element_t × - p256_field_element_t -)) : hacspec_scope. - -Notation "'jacobian_result_t'" := (( - result p256_jacobian_t error_t)) : hacspec_scope. - -Definition element_t := nseq (uint8) (usize 32). - -Definition jacobian_to_affine (p_569 : p256_jacobian_t) : affine_t := - let '(x_570, y_571, z_572) := - p_569 in - let z2_573 : p256_field_element_t := - nat_mod_exp (z_572) (@repr WORDSIZE32 2) in - let z2i_574 : p256_field_element_t := - nat_mod_inv (z2_573) in - let z3_575 : p256_field_element_t := - (z_572) *% (z2_573) in - let z3i_576 : p256_field_element_t := - nat_mod_inv (z3_575) in - let x_577 : p256_field_element_t := - (x_570) *% (z2i_574) in - let y_578 : p256_field_element_t := - (y_571) *% (z3i_576) in - (x_577, y_578). - -Definition affine_to_jacobian (p_579 : affine_t) : p256_jacobian_t := - let '(x_580, y_581) := - p_579 in - ( - x_580, - y_581, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t - ). - -Definition point_double (p_582 : p256_jacobian_t) : p256_jacobian_t := - let '(x1_583, y1_584, z1_585) := - p_582 in - let delta_586 : p256_field_element_t := - nat_mod_exp (z1_585) (@repr WORDSIZE32 2) in - let gamma_587 : p256_field_element_t := - nat_mod_exp (y1_584) (@repr WORDSIZE32 2) in - let beta_588 : p256_field_element_t := - (x1_583) *% (gamma_587) in - let alpha_1_589 : p256_field_element_t := - (x1_583) -% (delta_586) in - let alpha_2_590 : p256_field_element_t := - (x1_583) +% (delta_586) in - let alpha_591 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% ((alpha_1_589) *% ( - alpha_2_590)) in - let x3_592 : p256_field_element_t := - (nat_mod_exp (alpha_591) (@repr WORDSIZE32 2)) -% ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 8) : p256_field_element_t) *% (beta_588)) in - let z3_593 : p256_field_element_t := - nat_mod_exp ((y1_584) +% (z1_585)) (@repr WORDSIZE32 2) in - let z3_594 : p256_field_element_t := - (z3_593) -% ((gamma_587) +% (delta_586)) in - let y3_1_595 : p256_field_element_t := - ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 4) : p256_field_element_t) *% (beta_588)) -% ( - x3_592) in - let y3_2_596 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 8) : p256_field_element_t) *% ((gamma_587) *% ( - gamma_587)) in - let y3_597 : p256_field_element_t := - ((alpha_591) *% (y3_1_595)) -% (y3_2_596) in - (x3_592, y3_597, z3_594). - -Definition is_point_at_infinity (p_598 : p256_jacobian_t) : bool := - let '(x_599, y_600, z_601) := - p_598 in - nat_mod_equal (z_601) (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t). - -Definition s1_equal_s2 - (s1_602 : p256_field_element_t) - (s2_603 : p256_field_element_t) - : jacobian_result_t := - (if (nat_mod_equal (s1_602) (s2_603)):bool then ( - @Err p256_jacobian_t error_t (InvalidAddition)) else ( - @Ok p256_jacobian_t error_t (( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t - )))). - -Definition point_add_jacob - (p_604 : p256_jacobian_t) - (q_605 : p256_jacobian_t) - : jacobian_result_t := - let result_606 : (result p256_jacobian_t error_t) := - @Ok p256_jacobian_t error_t (q_605) in - let '(result_606) := - if negb (is_point_at_infinity (p_604)):bool then (let '(result_606) := - if is_point_at_infinity (q_605):bool then (let result_606 := - @Ok p256_jacobian_t error_t (p_604) in - (result_606)) else (let '(x1_607, y1_608, z1_609) := - p_604 in - let '(x2_610, y2_611, z2_612) := - q_605 in - let z1z1_613 : p256_field_element_t := - nat_mod_exp (z1_609) (@repr WORDSIZE32 2) in - let z2z2_614 : p256_field_element_t := - nat_mod_exp (z2_612) (@repr WORDSIZE32 2) in - let u1_615 : p256_field_element_t := - (x1_607) *% (z2z2_614) in - let u2_616 : p256_field_element_t := - (x2_610) *% (z1z1_613) in - let s1_617 : p256_field_element_t := - ((y1_608) *% (z2_612)) *% (z2z2_614) in - let s2_618 : p256_field_element_t := - ((y2_611) *% (z1_609)) *% (z1z1_613) in - let '(result_606) := - if nat_mod_equal (u1_615) (u2_616):bool then (let result_606 := - s1_equal_s2 (s1_617) (s2_618) in - (result_606)) else (let h_619 : p256_field_element_t := - (u2_616) -% (u1_615) in - let i_620 : p256_field_element_t := - nat_mod_exp ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (h_619)) ( - @repr WORDSIZE32 2) in - let j_621 : p256_field_element_t := - (h_619) *% (i_620) in - let r_622 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (( - s2_618) -% (s1_617)) in - let v_623 : p256_field_element_t := - (u1_615) *% (i_620) in - let x3_1_624 : p256_field_element_t := - (nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% (v_623) in - let x3_2_625 : p256_field_element_t := - (nat_mod_exp (r_622) (@repr WORDSIZE32 2)) -% (j_621) in - let x3_626 : p256_field_element_t := - (x3_2_625) -% (x3_1_624) in - let y3_1_627 : p256_field_element_t := - ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 2) : p256_field_element_t) *% ( - s1_617)) *% (j_621) in - let y3_2_628 : p256_field_element_t := - (r_622) *% ((v_623) -% (x3_626)) in - let y3_629 : p256_field_element_t := - (y3_2_628) -% (y3_1_627) in - let z3_630 : p256_field_element_t := - nat_mod_exp ((z1_609) +% (z2_612)) (@repr WORDSIZE32 2) in - let z3_631 : p256_field_element_t := - ((z3_630) -% ((z1z1_613) +% (z2z2_614))) *% (h_619) in - let result_606 := - @Ok p256_jacobian_t error_t ((x3_626, y3_629, z3_631)) in - (result_606)) in - (result_606)) in - (result_606)) else ((result_606)) in - result_606. - -Definition ltr_mul - (k_632 : p256_scalar_t) - (p_633 : p256_jacobian_t) - : jacobian_result_t := - let q_634 : ( - p256_field_element_t × - p256_field_element_t × - p256_field_element_t - ) := - ( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 1) : p256_field_element_t, - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 0) : p256_field_element_t - ) in - bind (foldibnd (usize 0) to (bits_v) for q_634 >> (fun i_635 q_634 => - let q_634 := - point_double (q_634) in - ifbnd nat_mod_equal (nat_mod_get_bit (k_632) (((bits_v) - (usize 1)) - ( - i_635))) (nat_mod_one ) : bool - thenbnd (bind (point_add_jacob (q_634) (p_633)) (fun q_634 => Ok ((q_634 - )))) - else ((q_634)) >> (fun '(q_634) => - Ok ((q_634))))) (fun q_634 => @Ok p256_jacobian_t error_t (q_634)). - -Definition p256_point_mul - (k_636 : p256_scalar_t) - (p_637 : affine_t) - : affine_result_t := - bind (ltr_mul (k_636) (affine_to_jacobian (p_637))) (fun jac_638 => - @Ok affine_t error_t (jacobian_to_affine (jac_638))). - -Definition p256_point_mul_base (k_639 : p256_scalar_t) : affine_result_t := - let base_point_640 : (p256_field_element_t × p256_field_element_t) := - ( - nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 23) : int8; - secret (@repr WORDSIZE8 209) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 225) : int8; - secret (@repr WORDSIZE8 44) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 71) : int8; - secret (@repr WORDSIZE8 248) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 230) : int8; - secret (@repr WORDSIZE8 229) : int8; - secret (@repr WORDSIZE8 99) : int8; - secret (@repr WORDSIZE8 164) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 242) : int8; - secret (@repr WORDSIZE8 119) : int8; - secret (@repr WORDSIZE8 3) : int8; - secret (@repr WORDSIZE8 125) : int8; - secret (@repr WORDSIZE8 129) : int8; - secret (@repr WORDSIZE8 45) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 160) : int8; - secret (@repr WORDSIZE8 244) : int8; - secret (@repr WORDSIZE8 161) : int8; - secret (@repr WORDSIZE8 57) : int8; - secret (@repr WORDSIZE8 69) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 194) : int8; - secret (@repr WORDSIZE8 150) : int8 - ] in l))) : p256_field_element_t, - nat_mod_from_byte_seq_be (array_to_seq (array_from_list uint8 (let l := - [ - secret (@repr WORDSIZE8 79) : int8; - secret (@repr WORDSIZE8 227) : int8; - secret (@repr WORDSIZE8 66) : int8; - secret (@repr WORDSIZE8 226) : int8; - secret (@repr WORDSIZE8 254) : int8; - secret (@repr WORDSIZE8 26) : int8; - secret (@repr WORDSIZE8 127) : int8; - secret (@repr WORDSIZE8 155) : int8; - secret (@repr WORDSIZE8 142) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 74) : int8; - secret (@repr WORDSIZE8 124) : int8; - secret (@repr WORDSIZE8 15) : int8; - secret (@repr WORDSIZE8 158) : int8; - secret (@repr WORDSIZE8 22) : int8; - secret (@repr WORDSIZE8 43) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 51) : int8; - secret (@repr WORDSIZE8 87) : int8; - secret (@repr WORDSIZE8 107) : int8; - secret (@repr WORDSIZE8 49) : int8; - secret (@repr WORDSIZE8 94) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 203) : int8; - secret (@repr WORDSIZE8 182) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 104) : int8; - secret (@repr WORDSIZE8 55) : int8; - secret (@repr WORDSIZE8 191) : int8; - secret (@repr WORDSIZE8 81) : int8; - secret (@repr WORDSIZE8 245) : int8 - ] in l))) : p256_field_element_t - ) in - p256_point_mul (k_639) (base_point_640). - -Definition point_add_distinct - (p_641 : affine_t) - (q_642 : affine_t) - : affine_result_t := - bind (point_add_jacob (affine_to_jacobian (p_641)) (affine_to_jacobian ( - q_642))) (fun r_643 => @Ok affine_t error_t (jacobian_to_affine ( - r_643))). - -Definition point_add (p_644 : affine_t) (q_645 : affine_t) : affine_result_t := - (if ((p_644) !=.? (q_645)):bool then (point_add_distinct (p_644) ( - q_645)) else (@Ok affine_t error_t (jacobian_to_affine (point_double ( - affine_to_jacobian (p_644)))))). - -Definition p256_validate_private_key (k_646 : byte_seq) : bool := - let valid_647 : bool := - true in - let k_element_648 : p256_scalar_t := - nat_mod_from_byte_seq_be (k_646) : p256_scalar_t in - let k_element_bytes_649 : seq uint8 := - nat_mod_to_byte_seq_be (k_element_648) in - let all_zero_650 : bool := - true in - let '(valid_647, all_zero_650) := - foldi (usize 0) (seq_len (k_646)) (fun i_651 '(valid_647, all_zero_650) => - let '(all_zero_650) := - if negb (uint8_equal (seq_index (k_646) (i_651)) (secret ( - @repr WORDSIZE8 0) : int8)):bool then (let all_zero_650 := - false in - (all_zero_650)) else ((all_zero_650)) in - let '(valid_647) := - if negb (uint8_equal (seq_index (k_element_bytes_649) (i_651)) ( - seq_index (k_646) (i_651))):bool then (let valid_647 := - false in - (valid_647)) else ((valid_647)) in - (valid_647, all_zero_650)) - (valid_647, all_zero_650) in - (valid_647) && (negb (all_zero_650)). - -Definition p256_validate_public_key (p_652 : affine_t) : bool := - let b_653 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 75) : int8 - ]) : p256_field_element_t in - let point_at_infinity_654 : bool := - is_point_at_infinity (affine_to_jacobian (p_652)) in - let '(x_655, y_656) := - p_652 in - let on_curve_657 : bool := - ((y_656) *% (y_656)) =.? (((((x_655) *% (x_655)) *% (x_655)) -% (( - nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% (x_655))) +% ( - b_653)) in - (negb (point_at_infinity_654)) && (on_curve_657). - -Definition p256_calculate_w - (x_658 : p256_field_element_t) - : p256_field_element_t := - let b_659 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 90) : int8; - secret (@repr WORDSIZE8 198) : int8; - secret (@repr WORDSIZE8 53) : int8; - secret (@repr WORDSIZE8 216) : int8; - secret (@repr WORDSIZE8 170) : int8; - secret (@repr WORDSIZE8 58) : int8; - secret (@repr WORDSIZE8 147) : int8; - secret (@repr WORDSIZE8 231) : int8; - secret (@repr WORDSIZE8 179) : int8; - secret (@repr WORDSIZE8 235) : int8; - secret (@repr WORDSIZE8 189) : int8; - secret (@repr WORDSIZE8 85) : int8; - secret (@repr WORDSIZE8 118) : int8; - secret (@repr WORDSIZE8 152) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 188) : int8; - secret (@repr WORDSIZE8 101) : int8; - secret (@repr WORDSIZE8 29) : int8; - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 204) : int8; - secret (@repr WORDSIZE8 83) : int8; - secret (@repr WORDSIZE8 176) : int8; - secret (@repr WORDSIZE8 246) : int8; - secret (@repr WORDSIZE8 59) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 60) : int8; - secret (@repr WORDSIZE8 62) : int8; - secret (@repr WORDSIZE8 39) : int8; - secret (@repr WORDSIZE8 210) : int8; - secret (@repr WORDSIZE8 96) : int8; - secret (@repr WORDSIZE8 75) : int8 - ]) : p256_field_element_t in - let exp_660 : p256_field_element_t := - nat_mod_from_byte_seq_be ([ - secret (@repr WORDSIZE8 63) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 255) : int8; - secret (@repr WORDSIZE8 192) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 64) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8; - secret (@repr WORDSIZE8 0) : int8 - ]) : p256_field_element_t in - let z_661 : p256_field_element_t := - ((((x_658) *% (x_658)) *% (x_658)) -% ((nat_mod_from_literal ( - 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff) ( - @repr WORDSIZE128 3) : p256_field_element_t) *% (x_658))) +% ( - b_659) in - let w_662 : p256_field_element_t := - nat_mod_pow_felem (z_661) (exp_660) in - w_662. - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Poly1305.v b/proof-libs/coq/coq/src/_vc/Hacspec_Poly1305.v deleted file mode 100644 index 8ac6f9ac9..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Poly1305.v +++ /dev/null @@ -1,143 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition poly_key_t := nseq (uint8) (usize 32). - -Definition blocksize_v : uint_size := - usize 16. - -Definition poly_block_t := nseq (uint8) (usize 16). - -Definition poly1305_tag_t := nseq (uint8) (usize 16). - -Notation "'sub_block_t'" := (byte_seq) : hacspec_scope. - -Notation "'block_index_t'" := (uint_size) : hacspec_scope. - -Definition field_canvas_t := nseq (int8) (17). -Definition field_element_t := nat_mod 0x03fffffffffffffffffffffffffffffffb. - -Notation "'poly_state_t'" := ((field_element_t × field_element_t × poly_key_t -)) : hacspec_scope. - -Definition poly1305_encode_r (b_435 : poly_block_t) : field_element_t := - let n_436 : uint128 := - uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_435))) in - let n_436 := - (n_436) .& (secret ( - @repr WORDSIZE128 21267647620597763993911028882763415551) : int128) in - nat_mod_from_secret_literal (n_436). - -Definition poly1305_encode_block (b_437 : poly_block_t) : field_element_t := - let n_438 : uint128 := - uint128_from_le_bytes (array_from_seq (16) (array_to_seq (b_437))) in - let f_439 : field_element_t := - nat_mod_from_secret_literal (n_438) in - (f_439) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ( - usize 128) : field_element_t). - -Definition poly1305_encode_last - (pad_len_440 : block_index_t) - (b_441 : sub_block_t) - : field_element_t := - let n_442 : uint128 := - uint128_from_le_bytes (array_from_slice (default) (16) (b_441) (usize 0) ( - seq_len (b_441))) in - let f_443 : field_element_t := - nat_mod_from_secret_literal (n_442) in - (f_443) +% (nat_mod_pow2 (0x03fffffffffffffffffffffffffffffffb) ((usize 8) * ( - pad_len_440)) : field_element_t). - -Definition poly1305_init (k_444 : poly_key_t) : poly_state_t := - let r_445 : field_element_t := - poly1305_encode_r (array_from_slice (default) (16) (array_to_seq (k_444)) ( - usize 0) (usize 16)) in - (nat_mod_zero , r_445, k_444). - -Definition poly1305_update_block - (b_446 : poly_block_t) - (st_447 : poly_state_t) - : poly_state_t := - let '(acc_448, r_449, k_450) := - st_447 in - (((poly1305_encode_block (b_446)) +% (acc_448)) *% (r_449), r_449, k_450). - -Definition poly1305_update_blocks - (m_451 : byte_seq) - (st_452 : poly_state_t) - : poly_state_t := - let st_453 : (field_element_t × field_element_t × poly_key_t) := - st_452 in - let n_blocks_454 : uint_size := - (seq_len (m_451)) / (blocksize_v) in - let st_453 := - foldi (usize 0) (n_blocks_454) (fun i_455 st_453 => - let block_456 : poly_block_t := - array_from_seq (16) (seq_get_exact_chunk (m_451) (blocksize_v) ( - i_455)) in - let st_453 := - poly1305_update_block (block_456) (st_453) in - (st_453)) - st_453 in - st_453. - -Definition poly1305_update_last - (pad_len_457 : uint_size) - (b_458 : sub_block_t) - (st_459 : poly_state_t) - : poly_state_t := - let st_460 : (field_element_t × field_element_t × poly_key_t) := - st_459 in - let '(st_460) := - if (seq_len (b_458)) !=.? (usize 0):bool then (let '(acc_461, r_462, k_463 - ) := - st_460 in - let st_460 := - ( - ((poly1305_encode_last (pad_len_457) (b_458)) +% (acc_461)) *% ( - r_462), - r_462, - k_463 - ) in - (st_460)) else ((st_460)) in - st_460. - -Definition poly1305_update - (m_464 : byte_seq) - (st_465 : poly_state_t) - : poly_state_t := - let st_466 : (field_element_t × field_element_t × poly_key_t) := - poly1305_update_blocks (m_464) (st_465) in - let last_467 : seq uint8 := - seq_get_remainder_chunk (m_464) (blocksize_v) in - poly1305_update_last (seq_len (last_467)) (last_467) (st_466). - -Definition poly1305_finish (st_468 : poly_state_t) : poly1305_tag_t := - let '(acc_469, _, k_470) := - st_468 in - let n_471 : uint128 := - uint128_from_le_bytes (array_from_slice (default) (16) ( - array_to_seq (k_470)) (usize 16) (usize 16)) in - let aby_472 : seq uint8 := - nat_mod_to_byte_seq_le (acc_469) in - let a_473 : uint128 := - uint128_from_le_bytes (array_from_slice (default) (16) (aby_472) (usize 0) ( - usize 16)) in - array_from_seq (16) (array_to_seq (uint128_to_le_bytes ((a_473) .+ (n_471)))). - -Definition poly1305 - (m_474 : byte_seq) - (key_475 : poly_key_t) - : poly1305_tag_t := - let st_476 : (field_element_t × field_element_t × poly_key_t) := - poly1305_init (key_475) in - let st_476 := - poly1305_update (m_474) (st_476) in - poly1305_finish (st_476). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Bootloader.v b/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Bootloader.v deleted file mode 100644 index b6ece891b..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Bootloader.v +++ /dev/null @@ -1,180 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition riotboot_magic_v : int32 := - @repr WORDSIZE32 1414482258. - -Notation "'fletcher_t'" := ((int32 × int32)) : hacspec_scope. - -Definition new_fletcher : fletcher_t := - (@repr WORDSIZE32 65535, @repr WORDSIZE32 65535). - -Definition max_chunk_size : uint_size := - usize 360. - -Definition reduce_u32 (x_951 : int32) : int32 := - ((x_951) .& (@repr WORDSIZE32 65535)) .+ ((x_951) shift_right ( - @repr WORDSIZE32 16)). - -Definition combine (lower_952 : int32) (upper_953 : int32) : int32 := - (lower_952) .| ((upper_953) shift_left (@repr WORDSIZE32 16)). - -Definition update_fletcher - (f_954 : fletcher_t) - (data_955 : seq int16) - : fletcher_t := - let max_chunk_size_956 : uint_size := - max_chunk_size in - let '(a_957, b_958) := - f_954 in - let '(a_957, b_958) := - foldi (usize 0) (seq_num_chunks (data_955) ( - max_chunk_size_956)) (fun i_959 '(a_957, b_958) => - let '(chunk_len_960, chunk_961) := - seq_get_chunk (data_955) (max_chunk_size_956) (i_959) in - let intermediate_a_962 : int32 := - a_957 in - let intermediate_b_963 : int32 := - b_958 in - let '(intermediate_a_962, intermediate_b_963) := - foldi (usize 0) (chunk_len_960) (fun j_964 '( - intermediate_a_962, - intermediate_b_963 - ) => - let intermediate_a_962 := - (intermediate_a_962) .+ (@cast _ uint32 _ (seq_index (chunk_961) ( - j_964))) in - let intermediate_b_963 := - (intermediate_b_963) .+ (intermediate_a_962) in - (intermediate_a_962, intermediate_b_963)) - (intermediate_a_962, intermediate_b_963) in - let a_957 := - reduce_u32 (intermediate_a_962) in - let b_958 := - reduce_u32 (intermediate_b_963) in - (a_957, b_958)) - (a_957, b_958) in - let a_957 := - reduce_u32 (a_957) in - let b_958 := - reduce_u32 (b_958) in - (a_957, b_958). - -Definition value (x_965 : fletcher_t) : int32 := - let '(a_966, b_967) := - x_965 in - combine (a_966) (b_967). - -Notation "'header_t'" := ((int32 × int32 × int32 × int32)) : hacspec_scope. - -Definition header_as_u16_slice (h_968 : header_t) : seq int16 := - let '(magic_969, seq_number_970, start_addr_971, _) := - h_968 in - let magic_972 : u32_word_t := - u32_to_be_bytes (magic_969) in - let seq_number_973 : u32_word_t := - u32_to_be_bytes (seq_number_970) in - let start_addr_974 : u32_word_t := - u32_to_be_bytes (start_addr_971) in - let u8_seq_975 : seq int8 := - seq_new_ (default) (usize 12) in - let u8_seq_976 : seq int8 := - seq_update_slice (u8_seq_975) (usize 0) (array_to_seq (magic_972)) ( - usize 0) (usize 4) in - let u8_seq_977 : seq int8 := - seq_update_slice (u8_seq_976) (usize 4) (array_to_seq (seq_number_973)) ( - usize 0) (usize 4) in - let u8_seq_978 : seq int8 := - seq_update_slice (u8_seq_977) (usize 8) (array_to_seq (start_addr_974)) ( - usize 0) (usize 4) in - let u16_seq_979 : seq int16 := - seq_new_ (default) (usize 6) in - let u16_seq_979 := - foldi (usize 0) (usize 3) (fun i_980 u16_seq_979 => - let u16_word_981 : u16_word_t := - array_from_seq (2) (seq_slice (u8_seq_978) ((i_980) * (usize 4)) ( - usize 2)) in - let u16_value_982 : int16 := - u16_from_be_bytes (u16_word_981) in - let u16_seq_979 := - seq_upd u16_seq_979 (((usize 2) * (i_980)) + (usize 1)) ( - u16_value_982) in - let u16_word_983 : u16_word_t := - array_from_seq (2) (seq_slice (u8_seq_978) (((i_980) * (usize 4)) + ( - usize 2)) (usize 2)) in - let u16_value_984 : int16 := - u16_from_be_bytes (u16_word_983) in - let u16_seq_979 := - seq_upd u16_seq_979 ((usize 2) * (i_980)) (u16_value_984) in - (u16_seq_979)) - u16_seq_979 in - u16_seq_979. - -Definition is_valid_header (h_985 : header_t) : bool := - let '(magic_number_986, seq_number_987, start_addr_988, checksum_989) := - h_985 in - let slice_990 : seq int16 := - header_as_u16_slice (( - magic_number_986, - seq_number_987, - start_addr_988, - checksum_989 - )) in - let result_991 : bool := - false in - let '(result_991) := - if (magic_number_986) =.? (riotboot_magic_v):bool then (let fletcher_992 : ( - int32 × - int32 - ) := - new_fletcher in - let fletcher_993 : (int32 × int32) := - update_fletcher (fletcher_992) (slice_990) in - let sum_994 : int32 := - value (fletcher_993) in - let result_991 := - (sum_994) =.? (checksum_989) in - (result_991)) else ((result_991)) in - result_991. - -Definition choose_image (images_995 : seq header_t) : (bool × int32) := - let image_996 : int32 := - @repr WORDSIZE32 0 in - let image_found_997 : bool := - false in - let '(image_996, image_found_997) := - foldi (usize 0) (seq_len (images_995)) (fun i_998 '( - image_996, - image_found_997 - ) => - let header_999 : (int32 × int32 × int32 × int32) := - seq_index (images_995) (i_998) in - let '(magic_number_1000, seq_number_1001, start_addr_1002, checksum_1003 - ) := - header_999 in - let '(image_996, image_found_997) := - if is_valid_header (( - magic_number_1000, - seq_number_1001, - start_addr_1002, - checksum_1003 - )):bool then (let change_image_1004 : bool := - negb ((image_found_997) && ((seq_number_1001) <=.? (image_996))) in - let '(image_996, image_found_997) := - if change_image_1004:bool then (let image_996 := - start_addr_1002 in - let image_found_997 := - true in - (image_996, image_found_997)) else ((image_996, image_found_997 - )) in - (image_996, image_found_997)) else ((image_996, image_found_997)) in - (image_996, image_found_997)) - (image_996, image_found_997) in - (image_found_997, image_996). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Runqueue.v b/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Runqueue.v deleted file mode 100644 index 9647a3e5c..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Riot_Runqueue.v +++ /dev/null @@ -1,223 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition uint32_bits_v : uint_size := - (usize 4) * (usize 8). - -Definition n_queues_v : uint_size := - usize 20. - -Definition n_threads_v : uint_size := - usize 30. - -Definition sentinel_v : int8 := - @repr WORDSIZE8 255. - -Inductive runqueue_id_t := -| RunqueueId : int8 -> runqueue_id_t. - -Inductive thread_id_t := -| ThreadId : int8 -> thread_id_t. - -Definition tail_t := nseq (int8) (n_queues_v). - -Definition next_ids_t := nseq (int8) (n_threads_v). - -Inductive clist_t := -| Clist : (tail_t × next_ids_t) -> clist_t. - -Definition clist_new : clist_t := - let tail_1005 : tail_t := - array_new_ (default) (n_queues_v) in - let tail_1005 := - foldi (usize 0) (array_len (tail_1005)) (fun i_1006 tail_1005 => - let tail_1005 := - array_upd tail_1005 (i_1006) (sentinel_v) in - (tail_1005)) - tail_1005 in - let next_idxs_1007 : next_ids_t := - array_new_ (default) (n_threads_v) in - let next_idxs_1007 := - foldi (usize 0) (array_len (next_idxs_1007)) (fun i_1008 next_idxs_1007 => - let next_idxs_1007 := - array_upd next_idxs_1007 (i_1008) (sentinel_v) in - (next_idxs_1007)) - next_idxs_1007 in - Clist ((tail_1005, next_idxs_1007)). - -Definition clist_is_empty (x_1009 : clist_t) (rq_1010 : runqueue_id_t) : bool := - let 'RunqueueId (rq_1011) := - rq_1010 in - let 'Clist ((tail_1012, next_ids_1013)) := - x_1009 in - (array_index (tail_1012) (@cast _ uint32 _ (rq_1011))) =.? (sentinel_v). - -Definition clist_push - (x_1014 : clist_t) - (n_1015 : thread_id_t) - (rq_1016 : runqueue_id_t) - : clist_t := - let 'RunqueueId (rq_1017) := - rq_1016 in - let 'ThreadId (n_1018) := - n_1015 in - let 'Clist ((tail_1019, next_idxs_1020)) := - x_1014 in - let '(tail_1019, next_idxs_1020) := - if (array_index (next_idxs_1020) (@cast _ uint32 _ (n_1018))) =.? ( - sentinel_v):bool then (let '(tail_1019, next_idxs_1020) := - if (array_index (tail_1019) (@cast _ uint32 _ (rq_1017))) =.? ( - sentinel_v):bool then (let tail_1019 := - array_upd tail_1019 (@cast _ uint32 _ (rq_1017)) (n_1018) in - let next_idxs_1020 := - array_upd next_idxs_1020 (@cast _ uint32 _ (n_1018)) (n_1018) in - (tail_1019, next_idxs_1020)) else (let next_idxs_1020 := - array_upd next_idxs_1020 (@cast _ uint32 _ (n_1018)) (array_index ( - next_idxs_1020) (@cast _ uint32 _ (array_index (tail_1019) ( - @cast _ uint32 _ (rq_1017))))) in - let next_idxs_1020 := - array_upd next_idxs_1020 (@cast _ uint32 _ (array_index ( - tail_1019) (@cast _ uint32 _ (rq_1017)))) (n_1018) in - let tail_1019 := - array_upd tail_1019 (@cast _ uint32 _ (rq_1017)) (n_1018) in - (tail_1019, next_idxs_1020)) in - (tail_1019, next_idxs_1020)) else ((tail_1019, next_idxs_1020)) in - Clist ((tail_1019, next_idxs_1020)). - -Definition clist_pop_head - (x_1021 : clist_t) - (rq_1022 : runqueue_id_t) - : (clist_t × (option int8)) := - let 'RunqueueId (rq_1023) := - rq_1022 in - let 'Clist ((tail_1024, next_idxs_1025)) := - x_1021 in - let out_1026 : (option int8) := - @None int8 in - let '(tail_1024, next_idxs_1025, out_1026) := - if (array_index (tail_1024) (@cast _ uint32 _ (rq_1023))) =.? ( - sentinel_v):bool then ((tail_1024, next_idxs_1025, out_1026)) else ( - let head_1027 : int8 := - array_index (next_idxs_1025) (@cast _ uint32 _ (array_index ( - tail_1024) (@cast _ uint32 _ (rq_1023)))) in - let '(tail_1024, next_idxs_1025) := - if (head_1027) =.? (array_index (tail_1024) (@cast _ uint32 _ ( - rq_1023))):bool then (let tail_1024 := - array_upd tail_1024 (@cast _ uint32 _ (rq_1023)) (sentinel_v) in - (tail_1024, next_idxs_1025)) else (let next_idxs_1025 := - array_upd next_idxs_1025 (@cast _ uint32 _ (array_index ( - tail_1024) (@cast _ uint32 _ (rq_1023)))) (array_index ( - next_idxs_1025) (@cast _ uint32 _ (head_1027))) in - (tail_1024, next_idxs_1025)) in - let next_idxs_1025 := - array_upd next_idxs_1025 (@cast _ uint32 _ (head_1027)) (sentinel_v) in - let out_1026 := - @Some int8 (head_1027) in - (tail_1024, next_idxs_1025, out_1026)) in - (Clist ((tail_1024, next_idxs_1025)), out_1026). - -Definition clist_peek_head - (x_1028 : clist_t) - (rq_1029 : runqueue_id_t) - : (option int8) := - let 'RunqueueId (rq_1030) := - rq_1029 in - let 'Clist ((tail_1031, next_idxs_1032)) := - x_1028 in - (if ((array_index (tail_1031) (@cast _ uint32 _ (rq_1030))) =.? ( - sentinel_v)):bool then (@None int8) else (@Some int8 (array_index ( - next_idxs_1032) (@cast _ uint32 _ (array_index (tail_1031) ( - @cast _ uint32 _ (rq_1030))))))). - -Definition clist_advance - (x_1033 : clist_t) - (rq_1034 : runqueue_id_t) - : clist_t := - let 'RunqueueId (rq_1035) := - rq_1034 in - let 'Clist ((tail_1036, next_idxs_1037)) := - x_1033 in - let '(tail_1036) := - if (array_index (tail_1036) (@cast _ uint32 _ (rq_1035))) !=.? ( - sentinel_v):bool then (let tail_1036 := - array_upd tail_1036 (@cast _ uint32 _ (rq_1035)) (array_index ( - next_idxs_1037) (@cast _ uint32 _ (array_index (tail_1036) ( - @cast _ uint32 _ (rq_1035))))) in - (tail_1036)) else ((tail_1036)) in - Clist ((tail_1036, next_idxs_1037)). - -Inductive run_queue_t := -| RunQueue : (int32 × clist_t) -> run_queue_t. - -Definition runqueue_new : run_queue_t := - RunQueue ((@repr WORDSIZE32 0, clist_new )). - -Definition runqueue_add - (y_1038 : run_queue_t) - (n_1039 : thread_id_t) - (rq_1040 : runqueue_id_t) - : run_queue_t := - let 'RunqueueId (rq_u8_1041) := - rq_1040 in - let 'RunQueue ((bitcache_1042, queues_1043)) := - y_1038 in - let bitcache_1042 := - (bitcache_1042) .| ((@repr WORDSIZE32 1) shift_left (@cast _ uint32 _ ( - rq_u8_1041))) in - let queues_1043 := - clist_push (queues_1043) (n_1039) (rq_1040) in - RunQueue ((bitcache_1042, queues_1043)). - -Definition runqueue_del - (y_1044 : run_queue_t) - (n_1045 : thread_id_t) - (rq_1046 : runqueue_id_t) - : run_queue_t := - let 'RunqueueId (rq_u8_1047) := - rq_1046 in - let 'RunQueue ((bitcache_1048, queues_1049)) := - y_1044 in - let '(queues_1050, popped_1051) := - clist_pop_head (queues_1049) (rq_1046) in - let '(bitcache_1048) := - if clist_is_empty (queues_1050) (rq_1046):bool then (let bitcache_1048 := - (bitcache_1048) .& (not ((@repr WORDSIZE32 1) shift_left ( - @cast _ uint32 _ (rq_u8_1047)))) in - (bitcache_1048)) else ((bitcache_1048)) in - RunQueue ((bitcache_1048, queues_1050)). - -Definition runqueue_ffs (val_1052 : int32) : int32 := - (pub_u32 (uint32_bits_v)) .- (pub_uint32_leading_zeros (val_1052)). - -Definition runqueue_get_next (y_1053 : run_queue_t) : (option int8) := - let 'RunQueue ((bitcache_1054, queues_1055)) := - y_1053 in - let rq_ffs_1056 : int32 := - runqueue_ffs ((bitcache_1054)) in - let out_1057 : (option int8) := - @None int8 in - let '(out_1057) := - if (rq_ffs_1056) >.? (@repr WORDSIZE32 0):bool then ( - let rq_1058 : runqueue_id_t := - RunqueueId (@cast _ uint8 _ ((rq_ffs_1056) .- (@repr WORDSIZE32 1))) in - let out_1057 := - clist_peek_head (queues_1055) (rq_1058) in - (out_1057)) else ((out_1057)) in - out_1057. - -Definition runqueue_advance - (y_1059 : run_queue_t) - (rq_1060 : runqueue_id_t) - : run_queue_t := - let 'RunQueue ((bitcache_1061, queues_1062)) := - y_1059 in - let queues_1062 := - clist_advance (queues_1062) (rq_1060) in - RunQueue ((bitcache_1061, queues_1062)). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Rsa_Pkcs1.v b/proof-libs/coq/coq/src/_vc/Hacspec_Rsa_Pkcs1.v deleted file mode 100644 index bde095ee3..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Rsa_Pkcs1.v +++ /dev/null @@ -1,112 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Sha256. - -Definition bit_size_v : int32 := - @repr WORDSIZE32 2048. - -Definition byte_size_v : int32 := - (@repr WORDSIZE32 2048) ./ (@repr WORDSIZE32 8). - -Definition hlen_v : uint_size := - usize 32. - -Definition rsa_int_t := nat_mod pow2 2048. - -Inductive error_t := -| InvalidLength : error_t -| MessageTooLarge : error_t. - -Definition eqb_error_t (x y : error_t) : bool := -match x with - | InvalidLength => match y with | InvalidLength=> true | _ => false end - | MessageTooLarge => match y with | MessageTooLarge=> true | _ => false end - end. - -Definition eqb_leibniz_error_t (x y : error_t) : eqb_error_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_error_t : EqDec (error_t) := -Build_EqDec (error_t) (eqb_error_t) (eqb_leibniz_error_t). - - -Notation "'pk_t'" := ((rsa_int_t × rsa_int_t)) : hacspec_scope. - -Notation "'sk_t'" := ((rsa_int_t × rsa_int_t)) : hacspec_scope. - -Notation "'key_pair_t'" := ((pk_t × sk_t)) : hacspec_scope. - -Notation "'byte_seq_result_t'" := ((result byte_seq error_t)) : hacspec_scope. - -Notation "'rsa_int_result_t'" := ((result rsa_int_t error_t)) : hacspec_scope. - -Definition rsaep (pk_1947 : pk_t) (m_1948 : rsa_int_t) : rsa_int_result_t := - let '(n_1949, e_1950) := - pk_1947 in - (if ((m_1948) >.? ((n_1949) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (m_1948) (e_1950) (n_1949)))). - -Definition rsadp (sk_1951 : sk_t) (c_1952 : rsa_int_t) : rsa_int_result_t := - let '(n_1953, d_1954) := - sk_1951 in - (if ((c_1952) >.? ((n_1953) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (c_1952) (d_1954) (n_1953)))). - -Definition rsasp1 (sk_1955 : sk_t) (m_1956 : rsa_int_t) : rsa_int_result_t := - let '(n_1957, d_1958) := - sk_1955 in - (if ((m_1956) >.? ((n_1957) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (m_1956) (d_1958) (n_1957)))). - -Definition rsavp1 (pk_1959 : pk_t) (s_1960 : rsa_int_t) : rsa_int_result_t := - let '(n_1961, e_1962) := - pk_1959 in - (if ((s_1960) >.? ((n_1961) -% (nat_mod_one ))):bool then ( - @Err rsa_int_t error_t (MessageTooLarge)) else (@Ok rsa_int_t error_t ( - nat_mod_pow_mod (s_1960) (e_1962) (n_1961)))). - -Definition i2osp - (x_1963 : rsa_int_t) - (x_len_1964 : int32) - : byte_seq_result_t := - (if (((x_1963) >=.? (nat_mod_exp (nat_mod_from_literal (0x) ( - @repr WORDSIZE128 256) : rsa_int_t) (x_len_1964))) && (( - x_len_1964) !=.? (byte_size_v))):bool then (@Err byte_seq error_t ( - InvalidLength)) else (@Ok byte_seq error_t (seq_slice ( - nat_mod_to_byte_seq_be (x_1963)) (@cast _ uint32 _ ((byte_size_v) .- ( - x_len_1964))) (@cast _ uint32 _ (x_len_1964))))). - -Definition os2ip (x_1965 : byte_seq) : rsa_int_t := - nat_mod_from_byte_seq_be (x_1965) : rsa_int_t. - -Definition mgf1 - (mgf_seed_1966 : byte_seq) - (mask_len_1967 : uint_size) - : byte_seq_result_t := - let result_1968 : (result byte_seq error_t) := - @Err byte_seq error_t (InvalidLength) in - ifbnd (mask_len_1967) <.? ((usize 2) .^ ((usize 32) * (hlen_v))) : bool - thenbnd (let t_1969 : seq uint8 := - seq_new_ (default) (usize 0) in - bind (foldibnd (usize 0) to (((mask_len_1967) + (usize 32)) / ( - usize 32)) for t_1969 >> (fun i_1970 t_1969 => - bind (i2osp (nat_mod_from_literal (0x) (pub_u128 (i_1970)) : rsa_int_t) ( - @repr WORDSIZE32 4)) (fun x_1971 => let t_1969 := - seq_concat (t_1969) (array_to_seq (sha256 (seq_concat ( - mgf_seed_1966) (x_1971)))) in - Ok ((t_1969))))) (fun t_1969 => let result_1968 := - @Ok byte_seq error_t (seq_slice (t_1969) (usize 0) (mask_len_1967)) in - Ok ((result_1968)))) - else ((result_1968)) >> (fun '(result_1968) => - result_1968). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Sha256.v b/proof-libs/coq/coq/src/_vc/Hacspec_Sha256.v deleted file mode 100644 index 2e5d8933b..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Sha256.v +++ /dev/null @@ -1,304 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition block_size_v : uint_size := - usize 64. - -Definition len_size_v : uint_size := - usize 8. - -Definition k_size_v : uint_size := - usize 64. - -Definition hash_size_v : uint_size := - (usize 256) / (usize 8). - -Definition block_t := nseq (uint8) (block_size_v). - -Definition op_table_type_t := nseq (uint_size) (usize 12). - -Definition sha256_digest_t := nseq (uint8) (hash_size_v). - -Definition round_constants_table_t := nseq (uint32) (k_size_v). - -Definition hash_t := nseq (uint32) (usize 8). - -Definition ch (x_663 : uint32) (y_664 : uint32) (z_665 : uint32) : uint32 := - ((x_663) .& (y_664)) .^ ((not (x_663)) .& (z_665)). - -Definition maj (x_666 : uint32) (y_667 : uint32) (z_668 : uint32) : uint32 := - ((x_666) .& (y_667)) .^ (((x_666) .& (z_668)) .^ ((y_667) .& (z_668))). - -Definition op_table_v : op_table_type_t := - array_from_list uint_size (let l := - [ - usize 2; - usize 13; - usize 22; - usize 6; - usize 11; - usize 25; - usize 7; - usize 18; - usize 3; - usize 17; - usize 19; - usize 10 - ] in l). - -Definition k_table_v : round_constants_table_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1116352408) : int32; - secret (@repr WORDSIZE32 1899447441) : int32; - secret (@repr WORDSIZE32 3049323471) : int32; - secret (@repr WORDSIZE32 3921009573) : int32; - secret (@repr WORDSIZE32 961987163) : int32; - secret (@repr WORDSIZE32 1508970993) : int32; - secret (@repr WORDSIZE32 2453635748) : int32; - secret (@repr WORDSIZE32 2870763221) : int32; - secret (@repr WORDSIZE32 3624381080) : int32; - secret (@repr WORDSIZE32 310598401) : int32; - secret (@repr WORDSIZE32 607225278) : int32; - secret (@repr WORDSIZE32 1426881987) : int32; - secret (@repr WORDSIZE32 1925078388) : int32; - secret (@repr WORDSIZE32 2162078206) : int32; - secret (@repr WORDSIZE32 2614888103) : int32; - secret (@repr WORDSIZE32 3248222580) : int32; - secret (@repr WORDSIZE32 3835390401) : int32; - secret (@repr WORDSIZE32 4022224774) : int32; - secret (@repr WORDSIZE32 264347078) : int32; - secret (@repr WORDSIZE32 604807628) : int32; - secret (@repr WORDSIZE32 770255983) : int32; - secret (@repr WORDSIZE32 1249150122) : int32; - secret (@repr WORDSIZE32 1555081692) : int32; - secret (@repr WORDSIZE32 1996064986) : int32; - secret (@repr WORDSIZE32 2554220882) : int32; - secret (@repr WORDSIZE32 2821834349) : int32; - secret (@repr WORDSIZE32 2952996808) : int32; - secret (@repr WORDSIZE32 3210313671) : int32; - secret (@repr WORDSIZE32 3336571891) : int32; - secret (@repr WORDSIZE32 3584528711) : int32; - secret (@repr WORDSIZE32 113926993) : int32; - secret (@repr WORDSIZE32 338241895) : int32; - secret (@repr WORDSIZE32 666307205) : int32; - secret (@repr WORDSIZE32 773529912) : int32; - secret (@repr WORDSIZE32 1294757372) : int32; - secret (@repr WORDSIZE32 1396182291) : int32; - secret (@repr WORDSIZE32 1695183700) : int32; - secret (@repr WORDSIZE32 1986661051) : int32; - secret (@repr WORDSIZE32 2177026350) : int32; - secret (@repr WORDSIZE32 2456956037) : int32; - secret (@repr WORDSIZE32 2730485921) : int32; - secret (@repr WORDSIZE32 2820302411) : int32; - secret (@repr WORDSIZE32 3259730800) : int32; - secret (@repr WORDSIZE32 3345764771) : int32; - secret (@repr WORDSIZE32 3516065817) : int32; - secret (@repr WORDSIZE32 3600352804) : int32; - secret (@repr WORDSIZE32 4094571909) : int32; - secret (@repr WORDSIZE32 275423344) : int32; - secret (@repr WORDSIZE32 430227734) : int32; - secret (@repr WORDSIZE32 506948616) : int32; - secret (@repr WORDSIZE32 659060556) : int32; - secret (@repr WORDSIZE32 883997877) : int32; - secret (@repr WORDSIZE32 958139571) : int32; - secret (@repr WORDSIZE32 1322822218) : int32; - secret (@repr WORDSIZE32 1537002063) : int32; - secret (@repr WORDSIZE32 1747873779) : int32; - secret (@repr WORDSIZE32 1955562222) : int32; - secret (@repr WORDSIZE32 2024104815) : int32; - secret (@repr WORDSIZE32 2227730452) : int32; - secret (@repr WORDSIZE32 2361852424) : int32; - secret (@repr WORDSIZE32 2428436474) : int32; - secret (@repr WORDSIZE32 2756734187) : int32; - secret (@repr WORDSIZE32 3204031479) : int32; - secret (@repr WORDSIZE32 3329325298) : int32 - ] in l). - -Definition hash_init_v : hash_t := - array_from_list uint32 (let l := - [ - secret (@repr WORDSIZE32 1779033703) : int32; - secret (@repr WORDSIZE32 3144134277) : int32; - secret (@repr WORDSIZE32 1013904242) : int32; - secret (@repr WORDSIZE32 2773480762) : int32; - secret (@repr WORDSIZE32 1359893119) : int32; - secret (@repr WORDSIZE32 2600822924) : int32; - secret (@repr WORDSIZE32 528734635) : int32; - secret (@repr WORDSIZE32 1541459225) : int32 - ] in l). - -Definition sigma - (x_669 : uint32) - (i_670 : uint_size) - (op_671 : uint_size) - : uint32 := - let tmp_672 : uint32 := - uint32_rotate_right (x_669) (array_index (op_table_v) (((usize 3) * ( - i_670)) + (usize 2))) in - let '(tmp_672) := - if (op_671) =.? (usize 0):bool then (let tmp_672 := - (x_669) shift_right (array_index (op_table_v) (((usize 3) * (i_670)) + ( - usize 2))) in - (tmp_672)) else ((tmp_672)) in - ((uint32_rotate_right (x_669) (array_index (op_table_v) ((usize 3) * ( - i_670)))) .^ (uint32_rotate_right (x_669) (array_index ( - op_table_v) (((usize 3) * (i_670)) + (usize 1))))) .^ (tmp_672). - -Definition schedule (block_673 : block_t) : round_constants_table_t := - let b_674 : seq uint32 := - array_to_be_uint32s (block_673) in - let s_675 : round_constants_table_t := - array_new_ (default) (k_size_v) in - let s_675 := - foldi (usize 0) (k_size_v) (fun i_676 s_675 => - let '(s_675) := - if (i_676) <.? (usize 16):bool then (let s_675 := - array_upd s_675 (i_676) (seq_index (b_674) (i_676)) in - (s_675)) else (let t16_677 : uint32 := - array_index (s_675) ((i_676) - (usize 16)) in - let t15_678 : uint32 := - array_index (s_675) ((i_676) - (usize 15)) in - let t7_679 : uint32 := - array_index (s_675) ((i_676) - (usize 7)) in - let t2_680 : uint32 := - array_index (s_675) ((i_676) - (usize 2)) in - let s1_681 : uint32 := - sigma (t2_680) (usize 3) (usize 0) in - let s0_682 : uint32 := - sigma (t15_678) (usize 2) (usize 0) in - let s_675 := - array_upd s_675 (i_676) ((((s1_681) .+ (t7_679)) .+ (s0_682)) .+ ( - t16_677)) in - (s_675)) in - (s_675)) - s_675 in - s_675. - -Definition shuffle - (ws_683 : round_constants_table_t) - (hashi_684 : hash_t) - : hash_t := - let h_685 : hash_t := - hashi_684 in - let h_685 := - foldi (usize 0) (k_size_v) (fun i_686 h_685 => - let a0_687 : uint32 := - array_index (h_685) (usize 0) in - let b0_688 : uint32 := - array_index (h_685) (usize 1) in - let c0_689 : uint32 := - array_index (h_685) (usize 2) in - let d0_690 : uint32 := - array_index (h_685) (usize 3) in - let e0_691 : uint32 := - array_index (h_685) (usize 4) in - let f0_692 : uint32 := - array_index (h_685) (usize 5) in - let g0_693 : uint32 := - array_index (h_685) (usize 6) in - let h0_694 : uint32 := - array_index (h_685) (usize 7) in - let t1_695 : uint32 := - ((((h0_694) .+ (sigma (e0_691) (usize 1) (usize 1))) .+ (ch (e0_691) ( - f0_692) (g0_693))) .+ (array_index (k_table_v) (i_686))) .+ ( - array_index (ws_683) (i_686)) in - let t2_696 : uint32 := - (sigma (a0_687) (usize 0) (usize 1)) .+ (maj (a0_687) (b0_688) ( - c0_689)) in - let h_685 := - array_upd h_685 (usize 0) ((t1_695) .+ (t2_696)) in - let h_685 := - array_upd h_685 (usize 1) (a0_687) in - let h_685 := - array_upd h_685 (usize 2) (b0_688) in - let h_685 := - array_upd h_685 (usize 3) (c0_689) in - let h_685 := - array_upd h_685 (usize 4) ((d0_690) .+ (t1_695)) in - let h_685 := - array_upd h_685 (usize 5) (e0_691) in - let h_685 := - array_upd h_685 (usize 6) (f0_692) in - let h_685 := - array_upd h_685 (usize 7) (g0_693) in - (h_685)) - h_685 in - h_685. - -Definition compress (block_697 : block_t) (h_in_698 : hash_t) : hash_t := - let s_699 : round_constants_table_t := - schedule (block_697) in - let h_700 : hash_t := - shuffle (s_699) (h_in_698) in - let h_700 := - foldi (usize 0) (usize 8) (fun i_701 h_700 => - let h_700 := - array_upd h_700 (i_701) ((array_index (h_700) (i_701)) .+ (array_index ( - h_in_698) (i_701))) in - (h_700)) - h_700 in - h_700. - -Definition hash (msg_702 : byte_seq) : sha256_digest_t := - let h_703 : hash_t := - hash_init_v in - let last_block_704 : block_t := - array_new_ (default) (block_size_v) in - let last_block_len_705 : uint_size := - usize 0 in - let '(h_703, last_block_704, last_block_len_705) := - foldi (usize 0) (seq_num_chunks (msg_702) (block_size_v)) (fun i_706 '( - h_703, - last_block_704, - last_block_len_705 - ) => - let '(block_len_707, block_708) := - seq_get_chunk (msg_702) (block_size_v) (i_706) in - let '(h_703, last_block_704, last_block_len_705) := - if (block_len_707) <.? (block_size_v):bool then (let last_block_704 := - array_update_start (array_new_ (default) (block_size_v)) ( - block_708) in - let last_block_len_705 := - block_len_707 in - (h_703, last_block_704, last_block_len_705)) else ( - let compress_input_709 : block_t := - array_from_seq (block_size_v) (block_708) in - let h_703 := - compress (compress_input_709) (h_703) in - (h_703, last_block_704, last_block_len_705)) in - (h_703, last_block_704, last_block_len_705)) - (h_703, last_block_704, last_block_len_705) in - let last_block_704 := - array_upd last_block_704 (last_block_len_705) (secret ( - @repr WORDSIZE8 128) : int8) in - let len_bist_710 : uint64 := - secret (pub_u64 ((seq_len (msg_702)) * (usize 8))) : int64 in - let '(h_703, last_block_704) := - if (last_block_len_705) <.? ((block_size_v) - (len_size_v)):bool then ( - let last_block_704 := - array_update (last_block_704) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint64_to_be_bytes (len_bist_710))) in - let h_703 := - compress (last_block_704) (h_703) in - (h_703, last_block_704)) else (let pad_block_711 : block_t := - array_new_ (default) (block_size_v) in - let pad_block_711 := - array_update (pad_block_711) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint64_to_be_bytes (len_bist_710))) in - let h_703 := - compress (last_block_704) (h_703) in - let h_703 := - compress (pad_block_711) (h_703) in - (h_703, last_block_704)) in - array_from_seq (hash_size_v) (array_to_be_bytes (h_703)). - -Definition sha256 (msg_712 : byte_seq) : sha256_digest_t := - hash (msg_712). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Sha3.v b/proof-libs/coq/coq/src/_vc/Hacspec_Sha3.v deleted file mode 100644 index f05ba459c..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Sha3.v +++ /dev/null @@ -1,350 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition rounds_v : uint_size := - usize 24. - -Definition sha3224_rate_v : uint_size := - usize 144. - -Definition sha3256_rate_v : uint_size := - usize 136. - -Definition sha3384_rate_v : uint_size := - usize 104. - -Definition sha3512_rate_v : uint_size := - usize 72. - -Definition shake128_rate_v : uint_size := - usize 168. - -Definition shake256_rate_v : uint_size := - usize 136. - -Definition state_t := nseq (uint64) (usize 25). - -Definition row_t := nseq (uint64) (usize 5). - -Definition digest224_t := nseq (uint8) (usize 28). - -Definition digest256_t := nseq (uint8) (usize 32). - -Definition digest384_t := nseq (uint8) (usize 48). - -Definition digest512_t := nseq (uint8) (usize 64). - -Definition round_constants_t := nseq (int64) (rounds_v). - -Definition rotation_constants_t := nseq (uint_size) (usize 25). - -Definition roundconstants_v : round_constants_t := - array_from_list int64 (let l := - [ - @repr WORDSIZE64 1; - @repr WORDSIZE64 32898; - @repr WORDSIZE64 9223372036854808714; - @repr WORDSIZE64 9223372039002292224; - @repr WORDSIZE64 32907; - @repr WORDSIZE64 2147483649; - @repr WORDSIZE64 9223372039002292353; - @repr WORDSIZE64 9223372036854808585; - @repr WORDSIZE64 138; - @repr WORDSIZE64 136; - @repr WORDSIZE64 2147516425; - @repr WORDSIZE64 2147483658; - @repr WORDSIZE64 2147516555; - @repr WORDSIZE64 9223372036854775947; - @repr WORDSIZE64 9223372036854808713; - @repr WORDSIZE64 9223372036854808579; - @repr WORDSIZE64 9223372036854808578; - @repr WORDSIZE64 9223372036854775936; - @repr WORDSIZE64 32778; - @repr WORDSIZE64 9223372039002259466; - @repr WORDSIZE64 9223372039002292353; - @repr WORDSIZE64 9223372036854808704; - @repr WORDSIZE64 2147483649; - @repr WORDSIZE64 9223372039002292232 - ] in l). - -Definition rotc_v : rotation_constants_t := - array_from_list uint_size (let l := - [ - usize 0; - usize 1; - usize 62; - usize 28; - usize 27; - usize 36; - usize 44; - usize 6; - usize 55; - usize 20; - usize 3; - usize 10; - usize 43; - usize 25; - usize 39; - usize 41; - usize 45; - usize 15; - usize 21; - usize 8; - usize 18; - usize 2; - usize 61; - usize 56; - usize 14 - ] in l). - -Definition pi_v : rotation_constants_t := - array_from_list uint_size (let l := - [ - usize 0; - usize 6; - usize 12; - usize 18; - usize 24; - usize 3; - usize 9; - usize 10; - usize 16; - usize 22; - usize 1; - usize 7; - usize 13; - usize 19; - usize 20; - usize 4; - usize 5; - usize 11; - usize 17; - usize 23; - usize 2; - usize 8; - usize 14; - usize 15; - usize 21 - ] in l). - -Definition theta (s_855 : state_t) : state_t := - let b_856 : row_t := - array_new_ (default) (5) in - let b_856 := - foldi (usize 0) (usize 5) (fun i_857 b_856 => - let b_856 := - array_upd b_856 (i_857) (((((array_index (s_855) (i_857)) .^ ( - array_index (s_855) ((i_857) + (usize 5)))) .^ (array_index ( - s_855) ((i_857) + (usize 10)))) .^ (array_index (s_855) (( - i_857) + (usize 15)))) .^ (array_index (s_855) ((i_857) + ( - usize 20)))) in - (b_856)) - b_856 in - let s_855 := - foldi (usize 0) (usize 5) (fun i_858 s_855 => - let u_859 : uint64 := - array_index (b_856) (((i_858) + (usize 1)) %% (usize 5)) in - let t_860 : uint64 := - (array_index (b_856) (((i_858) + (usize 4)) %% (usize 5))) .^ ( - uint64_rotate_left (u_859) (usize 1)) in - let s_855 := - foldi (usize 0) (usize 5) (fun j_861 s_855 => - let s_855 := - array_upd s_855 (((usize 5) * (j_861)) + (i_858)) ((array_index ( - s_855) (((usize 5) * (j_861)) + (i_858))) .^ (t_860)) in - (s_855)) - s_855 in - (s_855)) - s_855 in - s_855. - -Definition rho (s_862 : state_t) : state_t := - let s_862 := - foldi (usize 0) (usize 25) (fun i_863 s_862 => - let u_864 : uint64 := - array_index (s_862) (i_863) in - let s_862 := - array_upd s_862 (i_863) (uint64_rotate_left (u_864) (array_index ( - rotc_v) (i_863))) in - (s_862)) - s_862 in - s_862. - -Definition pi (s_865 : state_t) : state_t := - let v_866 : state_t := - array_new_ (default) (25) in - let v_866 := - foldi (usize 0) (usize 25) (fun i_867 v_866 => - let v_866 := - array_upd v_866 (i_867) (array_index (s_865) (array_index (pi_v) ( - i_867))) in - (v_866)) - v_866 in - v_866. - -Definition chi (s_868 : state_t) : state_t := - let b_869 : row_t := - array_new_ (default) (5) in - let '(s_868, b_869) := - foldi (usize 0) (usize 5) (fun i_870 '(s_868, b_869) => - let b_869 := - foldi (usize 0) (usize 5) (fun j_871 b_869 => - let b_869 := - array_upd b_869 (j_871) (array_index (s_868) (((usize 5) * ( - i_870)) + (j_871))) in - (b_869)) - b_869 in - let s_868 := - foldi (usize 0) (usize 5) (fun j_872 s_868 => - let u_873 : uint64 := - array_index (b_869) (((j_872) + (usize 1)) %% (usize 5)) in - let s_868 := - array_upd s_868 (((usize 5) * (i_870)) + (j_872)) ((array_index ( - s_868) (((usize 5) * (i_870)) + (j_872))) .^ ((not ( - u_873)) .& (array_index (b_869) (((j_872) + (usize 2)) %% ( - usize 5))))) in - (s_868)) - s_868 in - (s_868, b_869)) - (s_868, b_869) in - s_868. - -Definition iota (s_874 : state_t) (rndconst_875 : int64) : state_t := - let s_874 := - array_upd s_874 (usize 0) ((array_index (s_874) (usize 0)) .^ ( - uint64_classify (rndconst_875))) in - s_874. - -Definition keccakf1600 (s_876 : state_t) : state_t := - let s_876 := - foldi (usize 0) (rounds_v) (fun i_877 s_876 => - let s_876 := - theta (s_876) in - let s_876 := - rho (s_876) in - let s_876 := - pi (s_876) in - let s_876 := - chi (s_876) in - let s_876 := - iota (s_876) (array_index (roundconstants_v) (i_877)) in - (s_876)) - s_876 in - s_876. - -Definition absorb_block (s_878 : state_t) (block_879 : byte_seq) : state_t := - let s_878 := - foldi (usize 0) (seq_len (block_879)) (fun i_880 s_878 => - let w_881 : uint_size := - (i_880) usize_shift_right (@repr WORDSIZE32 3) in - let o_882 : uint_size := - (usize 8) * ((i_880) .& (usize 7)) in - let s_878 := - array_upd s_878 (w_881) ((array_index (s_878) (w_881)) .^ (( - uint64_from_uint8 (seq_index (block_879) (i_880))) shift_left ( - o_882))) in - (s_878)) - s_878 in - keccakf1600 (s_878). - -Definition squeeze - (s_883 : state_t) - (nbytes_884 : uint_size) - (rate_885 : uint_size) - : byte_seq := - let out_886 : seq uint8 := - seq_new_ (default) (nbytes_884) in - let '(s_883, out_886) := - foldi (usize 0) (nbytes_884) (fun i_887 '(s_883, out_886) => - let pos_888 : uint_size := - (i_887) %% (rate_885) in - let w_889 : uint_size := - (pos_888) usize_shift_right (@repr WORDSIZE32 3) in - let o_890 : uint_size := - (usize 8) * ((pos_888) .& (usize 7)) in - let b_891 : uint64 := - ((array_index (s_883) (w_889)) shift_right (o_890)) .& ( - uint64_classify (@repr WORDSIZE64 255)) in - let out_886 := - seq_upd out_886 (i_887) (uint8_from_uint64 (b_891)) in - let '(s_883) := - if (((i_887) + (usize 1)) %% (rate_885)) =.? (usize 0):bool then ( - let s_883 := - keccakf1600 (s_883) in - (s_883)) else ((s_883)) in - (s_883, out_886)) - (s_883, out_886) in - out_886. - -Definition keccak - (rate_892 : uint_size) - (data_893 : byte_seq) - (p_894 : int8) - (outbytes_895 : uint_size) - : byte_seq := - let buf_896 : seq uint8 := - seq_new_ (default) (rate_892) in - let last_block_len_897 : uint_size := - usize 0 in - let s_898 : state_t := - array_new_ (default) (25) in - let '(buf_896, last_block_len_897, s_898) := - foldi (usize 0) (seq_num_chunks (data_893) (rate_892)) (fun i_899 '( - buf_896, - last_block_len_897, - s_898 - ) => - let '(block_len_900, block_901) := - seq_get_chunk (data_893) (rate_892) (i_899) in - let '(buf_896, last_block_len_897, s_898) := - if (block_len_900) =.? (rate_892):bool then (let s_898 := - absorb_block (s_898) (block_901) in - (buf_896, last_block_len_897, s_898)) else (let buf_896 := - seq_update_start (buf_896) (block_901) in - let last_block_len_897 := - block_len_900 in - (buf_896, last_block_len_897, s_898)) in - (buf_896, last_block_len_897, s_898)) - (buf_896, last_block_len_897, s_898) in - let buf_896 := - seq_upd buf_896 (last_block_len_897) (secret (p_894) : int8) in - let buf_896 := - seq_upd buf_896 ((rate_892) - (usize 1)) ((seq_index (buf_896) (( - rate_892) - (usize 1))) .| (secret ( - @repr WORDSIZE8 128) : int8)) in - let s_898 := - absorb_block (s_898) (buf_896) in - squeeze (s_898) (outbytes_895) (rate_892). - -Definition sha3224 (data_902 : byte_seq) : digest224_t := - let t_903 : seq uint8 := - keccak (sha3224_rate_v) (data_902) (@repr WORDSIZE8 6) (usize 28) in - array_from_seq (28) (t_903). - -Definition sha3256 (data_904 : byte_seq) : digest256_t := - let t_905 : seq uint8 := - keccak (sha3256_rate_v) (data_904) (@repr WORDSIZE8 6) (usize 32) in - array_from_seq (32) (t_905). - -Definition sha3384 (data_906 : byte_seq) : digest384_t := - let t_907 : seq uint8 := - keccak (sha3384_rate_v) (data_906) (@repr WORDSIZE8 6) (usize 48) in - array_from_seq (48) (t_907). - -Definition sha3512 (data_908 : byte_seq) : digest512_t := - let t_909 : seq uint8 := - keccak (sha3512_rate_v) (data_908) (@repr WORDSIZE8 6) (usize 64) in - array_from_seq (64) (t_909). - -Definition shake128 (data_910 : byte_seq) (outlen_911 : uint_size) : byte_seq := - keccak (shake128_rate_v) (data_910) (@repr WORDSIZE8 31) (outlen_911). - -Definition shake256 (data_912 : byte_seq) (outlen_913 : uint_size) : byte_seq := - keccak (shake256_rate_v) (data_912) (@repr WORDSIZE8 31) (outlen_913). - diff --git a/proof-libs/coq/coq/src/_vc/Hacspec_Sha512.v b/proof-libs/coq/coq/src/_vc/Hacspec_Sha512.v deleted file mode 100644 index 8bf4ac6ad..000000000 --- a/proof-libs/coq/coq/src/_vc/Hacspec_Sha512.v +++ /dev/null @@ -1,320 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition block_size_v : uint_size := - usize 128. - -Definition len_size_v : uint_size := - usize 16. - -Definition k_size_v : uint_size := - usize 80. - -Definition hash_size_v : uint_size := - (usize 512) / (usize 8). - -Definition block_t := nseq (uint8) (block_size_v). - -Definition op_table_type_t := nseq (uint_size) (usize 12). - -Definition sha512_digest_t := nseq (uint8) (hash_size_v). - -Definition round_constants_table_t := nseq (uint64) (k_size_v). - -Definition hash_t := nseq (uint64) (usize 8). - -Definition ch (x_1897 : uint64) (y_1898 : uint64) (z_1899 : uint64) : uint64 := - ((x_1897) .& (y_1898)) .^ ((not (x_1897)) .& (z_1899)). - -Definition maj (x_1900 : uint64) (y_1901 : uint64) (z_1902 : uint64) : uint64 := - ((x_1900) .& (y_1901)) .^ (((x_1900) .& (z_1902)) .^ ((y_1901) .& (z_1902))). - -Definition op_table_v : op_table_type_t := - array_from_list uint_size (let l := - [ - usize 28; - usize 34; - usize 39; - usize 14; - usize 18; - usize 41; - usize 1; - usize 8; - usize 7; - usize 19; - usize 61; - usize 6 - ] in l). - -Definition k_table_v : round_constants_table_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 4794697086780616226) : int64; - secret (@repr WORDSIZE64 8158064640168781261) : int64; - secret (@repr WORDSIZE64 13096744586834688815) : int64; - secret (@repr WORDSIZE64 16840607885511220156) : int64; - secret (@repr WORDSIZE64 4131703408338449720) : int64; - secret (@repr WORDSIZE64 6480981068601479193) : int64; - secret (@repr WORDSIZE64 10538285296894168987) : int64; - secret (@repr WORDSIZE64 12329834152419229976) : int64; - secret (@repr WORDSIZE64 15566598209576043074) : int64; - secret (@repr WORDSIZE64 1334009975649890238) : int64; - secret (@repr WORDSIZE64 2608012711638119052) : int64; - secret (@repr WORDSIZE64 6128411473006802146) : int64; - secret (@repr WORDSIZE64 8268148722764581231) : int64; - secret (@repr WORDSIZE64 9286055187155687089) : int64; - secret (@repr WORDSIZE64 11230858885718282805) : int64; - secret (@repr WORDSIZE64 13951009754708518548) : int64; - secret (@repr WORDSIZE64 16472876342353939154) : int64; - secret (@repr WORDSIZE64 17275323862435702243) : int64; - secret (@repr WORDSIZE64 1135362057144423861) : int64; - secret (@repr WORDSIZE64 2597628984639134821) : int64; - secret (@repr WORDSIZE64 3308224258029322869) : int64; - secret (@repr WORDSIZE64 5365058923640841347) : int64; - secret (@repr WORDSIZE64 6679025012923562964) : int64; - secret (@repr WORDSIZE64 8573033837759648693) : int64; - secret (@repr WORDSIZE64 10970295158949994411) : int64; - secret (@repr WORDSIZE64 12119686244451234320) : int64; - secret (@repr WORDSIZE64 12683024718118986047) : int64; - secret (@repr WORDSIZE64 13788192230050041572) : int64; - secret (@repr WORDSIZE64 14330467153632333762) : int64; - secret (@repr WORDSIZE64 15395433587784984357) : int64; - secret (@repr WORDSIZE64 489312712824947311) : int64; - secret (@repr WORDSIZE64 1452737877330783856) : int64; - secret (@repr WORDSIZE64 2861767655752347644) : int64; - secret (@repr WORDSIZE64 3322285676063803686) : int64; - secret (@repr WORDSIZE64 5560940570517711597) : int64; - secret (@repr WORDSIZE64 5996557281743188959) : int64; - secret (@repr WORDSIZE64 7280758554555802590) : int64; - secret (@repr WORDSIZE64 8532644243296465576) : int64; - secret (@repr WORDSIZE64 9350256976987008742) : int64; - secret (@repr WORDSIZE64 10552545826968843579) : int64; - secret (@repr WORDSIZE64 11727347734174303076) : int64; - secret (@repr WORDSIZE64 12113106623233404929) : int64; - secret (@repr WORDSIZE64 14000437183269869457) : int64; - secret (@repr WORDSIZE64 14369950271660146224) : int64; - secret (@repr WORDSIZE64 15101387698204529176) : int64; - secret (@repr WORDSIZE64 15463397548674623760) : int64; - secret (@repr WORDSIZE64 17586052441742319658) : int64; - secret (@repr WORDSIZE64 1182934255886127544) : int64; - secret (@repr WORDSIZE64 1847814050463011016) : int64; - secret (@repr WORDSIZE64 2177327727835720531) : int64; - secret (@repr WORDSIZE64 2830643537854262169) : int64; - secret (@repr WORDSIZE64 3796741975233480872) : int64; - secret (@repr WORDSIZE64 4115178125766777443) : int64; - secret (@repr WORDSIZE64 5681478168544905931) : int64; - secret (@repr WORDSIZE64 6601373596472566643) : int64; - secret (@repr WORDSIZE64 7507060721942968483) : int64; - secret (@repr WORDSIZE64 8399075790359081724) : int64; - secret (@repr WORDSIZE64 8693463985226723168) : int64; - secret (@repr WORDSIZE64 9568029438360202098) : int64; - secret (@repr WORDSIZE64 10144078919501101548) : int64; - secret (@repr WORDSIZE64 10430055236837252648) : int64; - secret (@repr WORDSIZE64 11840083180663258601) : int64; - secret (@repr WORDSIZE64 13761210420658862357) : int64; - secret (@repr WORDSIZE64 14299343276471374635) : int64; - secret (@repr WORDSIZE64 14566680578165727644) : int64; - secret (@repr WORDSIZE64 15097957966210449927) : int64; - secret (@repr WORDSIZE64 16922976911328602910) : int64; - secret (@repr WORDSIZE64 17689382322260857208) : int64; - secret (@repr WORDSIZE64 500013540394364858) : int64; - secret (@repr WORDSIZE64 748580250866718886) : int64; - secret (@repr WORDSIZE64 1242879168328830382) : int64; - secret (@repr WORDSIZE64 1977374033974150939) : int64; - secret (@repr WORDSIZE64 2944078676154940804) : int64; - secret (@repr WORDSIZE64 3659926193048069267) : int64; - secret (@repr WORDSIZE64 4368137639120453308) : int64; - secret (@repr WORDSIZE64 4836135668995329356) : int64; - secret (@repr WORDSIZE64 5532061633213252278) : int64; - secret (@repr WORDSIZE64 6448918945643986474) : int64; - secret (@repr WORDSIZE64 6902733635092675308) : int64; - secret (@repr WORDSIZE64 7801388544844847127) : int64 - ] in l). - -Definition hash_init_v : hash_t := - array_from_list uint64 (let l := - [ - secret (@repr WORDSIZE64 7640891576956012808) : int64; - secret (@repr WORDSIZE64 13503953896175478587) : int64; - secret (@repr WORDSIZE64 4354685564936845355) : int64; - secret (@repr WORDSIZE64 11912009170470909681) : int64; - secret (@repr WORDSIZE64 5840696475078001361) : int64; - secret (@repr WORDSIZE64 11170449401992604703) : int64; - secret (@repr WORDSIZE64 2270897969802886507) : int64; - secret (@repr WORDSIZE64 6620516959819538809) : int64 - ] in l). - -Definition sigma - (x_1903 : uint64) - (i_1904 : uint_size) - (op_1905 : uint_size) - : uint64 := - let tmp_1906 : uint64 := - uint64_rotate_right (x_1903) (array_index (op_table_v) (((usize 3) * ( - i_1904)) + (usize 2))) in - let '(tmp_1906) := - if (op_1905) =.? (usize 0):bool then (let tmp_1906 := - (x_1903) shift_right (array_index (op_table_v) (((usize 3) * ( - i_1904)) + (usize 2))) in - (tmp_1906)) else ((tmp_1906)) in - ((uint64_rotate_right (x_1903) (array_index (op_table_v) ((usize 3) * ( - i_1904)))) .^ (uint64_rotate_right (x_1903) (array_index ( - op_table_v) (((usize 3) * (i_1904)) + (usize 1))))) .^ (tmp_1906). - -Definition schedule (block_1907 : block_t) : round_constants_table_t := - let b_1908 : seq uint64 := - array_to_be_uint64s (block_1907) in - let s_1909 : round_constants_table_t := - array_new_ (default) (k_size_v) in - let s_1909 := - foldi (usize 0) (k_size_v) (fun i_1910 s_1909 => - let '(s_1909) := - if (i_1910) <.? (usize 16):bool then (let s_1909 := - array_upd s_1909 (i_1910) (seq_index (b_1908) (i_1910)) in - (s_1909)) else (let t16_1911 : uint64 := - array_index (s_1909) ((i_1910) - (usize 16)) in - let t15_1912 : uint64 := - array_index (s_1909) ((i_1910) - (usize 15)) in - let t7_1913 : uint64 := - array_index (s_1909) ((i_1910) - (usize 7)) in - let t2_1914 : uint64 := - array_index (s_1909) ((i_1910) - (usize 2)) in - let s1_1915 : uint64 := - sigma (t2_1914) (usize 3) (usize 0) in - let s0_1916 : uint64 := - sigma (t15_1912) (usize 2) (usize 0) in - let s_1909 := - array_upd s_1909 (i_1910) ((((s1_1915) .+ (t7_1913)) .+ ( - s0_1916)) .+ (t16_1911)) in - (s_1909)) in - (s_1909)) - s_1909 in - s_1909. - -Definition shuffle - (ws_1917 : round_constants_table_t) - (hashi_1918 : hash_t) - : hash_t := - let h_1919 : hash_t := - hashi_1918 in - let h_1919 := - foldi (usize 0) (k_size_v) (fun i_1920 h_1919 => - let a0_1921 : uint64 := - array_index (h_1919) (usize 0) in - let b0_1922 : uint64 := - array_index (h_1919) (usize 1) in - let c0_1923 : uint64 := - array_index (h_1919) (usize 2) in - let d0_1924 : uint64 := - array_index (h_1919) (usize 3) in - let e0_1925 : uint64 := - array_index (h_1919) (usize 4) in - let f0_1926 : uint64 := - array_index (h_1919) (usize 5) in - let g0_1927 : uint64 := - array_index (h_1919) (usize 6) in - let h0_1928 : uint64 := - array_index (h_1919) (usize 7) in - let t1_1929 : uint64 := - ((((h0_1928) .+ (sigma (e0_1925) (usize 1) (usize 1))) .+ (ch ( - e0_1925) (f0_1926) (g0_1927))) .+ (array_index (k_table_v) ( - i_1920))) .+ (array_index (ws_1917) (i_1920)) in - let t2_1930 : uint64 := - (sigma (a0_1921) (usize 0) (usize 1)) .+ (maj (a0_1921) (b0_1922) ( - c0_1923)) in - let h_1919 := - array_upd h_1919 (usize 0) ((t1_1929) .+ (t2_1930)) in - let h_1919 := - array_upd h_1919 (usize 1) (a0_1921) in - let h_1919 := - array_upd h_1919 (usize 2) (b0_1922) in - let h_1919 := - array_upd h_1919 (usize 3) (c0_1923) in - let h_1919 := - array_upd h_1919 (usize 4) ((d0_1924) .+ (t1_1929)) in - let h_1919 := - array_upd h_1919 (usize 5) (e0_1925) in - let h_1919 := - array_upd h_1919 (usize 6) (f0_1926) in - let h_1919 := - array_upd h_1919 (usize 7) (g0_1927) in - (h_1919)) - h_1919 in - h_1919. - -Definition compress (block_1931 : block_t) (h_in_1932 : hash_t) : hash_t := - let s_1933 : round_constants_table_t := - schedule (block_1931) in - let h_1934 : hash_t := - shuffle (s_1933) (h_in_1932) in - let h_1934 := - foldi (usize 0) (usize 8) (fun i_1935 h_1934 => - let h_1934 := - array_upd h_1934 (i_1935) ((array_index (h_1934) (i_1935)) .+ ( - array_index (h_in_1932) (i_1935))) in - (h_1934)) - h_1934 in - h_1934. - -Definition hash (msg_1936 : byte_seq) : sha512_digest_t := - let h_1937 : hash_t := - hash_init_v in - let last_block_1938 : block_t := - array_new_ (default) (block_size_v) in - let last_block_len_1939 : uint_size := - usize 0 in - let '(h_1937, last_block_1938, last_block_len_1939) := - foldi (usize 0) (seq_num_chunks (msg_1936) (block_size_v)) (fun i_1940 '( - h_1937, - last_block_1938, - last_block_len_1939 - ) => - let '(block_len_1941, block_1942) := - seq_get_chunk (msg_1936) (block_size_v) (i_1940) in - let '(h_1937, last_block_1938, last_block_len_1939) := - if (block_len_1941) <.? (block_size_v):bool then (let last_block_1938 := - array_update_start (array_new_ (default) (block_size_v)) ( - block_1942) in - let last_block_len_1939 := - block_len_1941 in - (h_1937, last_block_1938, last_block_len_1939)) else ( - let compress_input_1943 : block_t := - array_from_seq (block_size_v) (block_1942) in - let h_1937 := - compress (compress_input_1943) (h_1937) in - (h_1937, last_block_1938, last_block_len_1939)) in - (h_1937, last_block_1938, last_block_len_1939)) - (h_1937, last_block_1938, last_block_len_1939) in - let last_block_1938 := - array_upd last_block_1938 (last_block_len_1939) (secret ( - @repr WORDSIZE8 128) : int8) in - let len_bist_1944 : uint128 := - secret (pub_u128 ((seq_len (msg_1936)) * (usize 8))) : int128 in - let '(h_1937, last_block_1938) := - if (last_block_len_1939) <.? ((block_size_v) - (len_size_v)):bool then ( - let last_block_1938 := - array_update (last_block_1938) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint128_to_be_bytes (len_bist_1944))) in - let h_1937 := - compress (last_block_1938) (h_1937) in - (h_1937, last_block_1938)) else (let pad_block_1945 : block_t := - array_new_ (default) (block_size_v) in - let pad_block_1945 := - array_update (pad_block_1945) ((block_size_v) - (len_size_v)) ( - array_to_seq (uint128_to_be_bytes (len_bist_1944))) in - let h_1937 := - compress (last_block_1938) (h_1937) in - let h_1937 := - compress (pad_block_1945) (h_1937) in - (h_1937, last_block_1938)) in - array_from_seq (hash_size_v) (array_to_be_bytes (h_1937)). - -Definition sha512 (msg_1946 : byte_seq) : sha512_digest_t := - hash (msg_1946). - diff --git a/proof-libs/coq/coq/src/_vc/Tls_Cryptolib.v b/proof-libs/coq/coq/src/_vc/Tls_Cryptolib.v deleted file mode 100644 index b602649a3..000000000 --- a/proof-libs/coq/coq/src/_vc/Tls_Cryptolib.v +++ /dev/null @@ -1,670 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Require Import Hacspec_Aes. - -Require Import Hacspec_Aes128_Gcm. - -Require Import Hacspec_Chacha20. - -Require Import Hacspec_Chacha20poly1305. - -Require Import Hacspec_Curve25519. - -Require Import Hacspec_Ecdsa_P256_Sha256. - -Require Import Hacspec_Gf128. - -Require Import Hacspec_Hkdf. - -Require Import Hacspec_Hmac. - -Require Import Hacspec_P256. - -Require Import Hacspec_Poly1305. - -Require Import Hacspec_Sha256. - -Inductive crypto_error_t := -| CryptoError : crypto_error_t -| HkdfError : crypto_error_t -| InsufficientEntropy : crypto_error_t -| InvalidCert : crypto_error_t -| MacFailed : crypto_error_t -| UnsupportedAlgorithm : crypto_error_t -| VerifyFailed : crypto_error_t. - -Definition empty : byte_seq := - seq_new_ (default) (usize 0). - -Definition zeros (u_0 : uint_size) : byte_seq := - seq_new_ (default) (u_0). - -Notation "'entropy_t'" := (byte_seq) : hacspec_scope. - -Definition random_t := nseq (uint8) (usize 32). - -Notation "'dh_sk_t'" := (byte_seq) : hacspec_scope. - -Notation "'dh_pk_t'" := (byte_seq) : hacspec_scope. - -Notation "'signature_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'verification_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'mac_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_key_t'" := (byte_seq) : hacspec_scope. - -Notation "'key_t'" := (byte_seq) : hacspec_scope. - -Notation "'psk_t'" := (key_t) : hacspec_scope. - -Notation "'digest_t'" := (byte_seq) : hacspec_scope. - -Notation "'hmac_t'" := (byte_seq) : hacspec_scope. - -Notation "'signature_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_iv_t'" := (byte_seq) : hacspec_scope. - -Notation "'aead_key_iv_t'" := ((aead_key_t × aead_iv_t)) : hacspec_scope. - -Inductive named_group_t := -| X25519 : named_group_t -| Secp256r1 : named_group_t. - -Definition eqb_named_group_t (x y : named_group_t) : bool := -match x with - | X25519 => match y with | X25519=> true | _ => false end - | Secp256r1 => match y with | Secp256r1=> true | _ => false end - end. - -Definition eqb_leibniz_named_group_t (x y : named_group_t) : eqb_named_group_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_named_group_t : EqDec (named_group_t) := -Build_EqDec (named_group_t) (eqb_named_group_t) (eqb_leibniz_named_group_t). - - -Inductive hash_algorithm_t := -| SHA256 : hash_algorithm_t -| SHA384 : hash_algorithm_t. - -Definition eqb_hash_algorithm_t (x y : hash_algorithm_t) : bool := -match x with - | SHA256 => match y with | SHA256=> true | _ => false end - | SHA384 => match y with | SHA384=> true | _ => false end - end. - -Definition eqb_leibniz_hash_algorithm_t (x y : hash_algorithm_t) : eqb_hash_algorithm_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_hash_algorithm_t : EqDec (hash_algorithm_t) := -Build_EqDec (hash_algorithm_t) (eqb_hash_algorithm_t) (eqb_leibniz_hash_algorithm_t). - - -Inductive aead_algorithm_t := -| Chacha20Poly1305 : aead_algorithm_t -| Aes128Gcm : aead_algorithm_t -| Aes256Gcm : aead_algorithm_t. - -Definition eqb_aead_algorithm_t (x y : aead_algorithm_t) : bool := -match x with - | Chacha20Poly1305 => match y with | Chacha20Poly1305=> true | _ => false end - | Aes128Gcm => match y with | Aes128Gcm=> true | _ => false end - | Aes256Gcm => match y with | Aes256Gcm=> true | _ => false end - end. - -Definition eqb_leibniz_aead_algorithm_t (x y : aead_algorithm_t) : eqb_aead_algorithm_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_aead_algorithm_t : EqDec (aead_algorithm_t) := -Build_EqDec (aead_algorithm_t) (eqb_aead_algorithm_t) (eqb_leibniz_aead_algorithm_t). - - -Inductive signature_scheme_t := -| ED25519 : signature_scheme_t -| EcdsaSecp256r1Sha256 : signature_scheme_t -| RsaPssRsaSha256 : signature_scheme_t. - -Definition eqb_signature_scheme_t (x y : signature_scheme_t) : bool := -match x with - | ED25519 => match y with | ED25519=> true | _ => false end - | EcdsaSecp256r1Sha256 => - match y with - | EcdsaSecp256r1Sha256=> true - | _ => false - end - | RsaPssRsaSha256 => match y with | RsaPssRsaSha256=> true | _ => false end - end. - -Definition eqb_leibniz_signature_scheme_t (x y : signature_scheme_t) : eqb_signature_scheme_t x y = true <-> x = y. -Proof. split. intros; destruct x ; destruct y ; try (f_equal ; apply eqb_leibniz) ; easy. intros ; subst ; destruct y ; try reflexivity ; try (apply eqb_refl). Qed. - -Instance eq_dec_signature_scheme_t : EqDec (signature_scheme_t) := -Build_EqDec (signature_scheme_t) (eqb_signature_scheme_t) (eqb_leibniz_signature_scheme_t). - - -Definition hash_len (ha_1 : hash_algorithm_t) : uint_size := - match ha_1 with | SHA256 => usize 32 | SHA384 => usize 48 end. - -Definition hmac_key_len (ha_2 : hash_algorithm_t) : uint_size := - match ha_2 with | SHA256 => usize 32 | SHA384 => usize 48 end. - -Definition ae_key_len (ae_3 : aead_algorithm_t) : uint_size := - match ae_3 with - | Chacha20Poly1305 => usize 32 - | Aes128Gcm => usize 16 - | Aes256Gcm => usize 16 - end. - -Definition ae_iv_len (ae_4 : aead_algorithm_t) : uint_size := - match ae_4 with - | Chacha20Poly1305 => usize 12 - | Aes128Gcm => usize 12 - | Aes256Gcm => usize 12 - end. - -Definition dh_priv_len (gn_5 : named_group_t) : uint_size := - match gn_5 with | X25519 => usize 32 | Secp256r1 => usize 32 end. - -Definition dh_pub_len (gn_6 : named_group_t) : uint_size := - match gn_6 with | X25519 => usize 32 | Secp256r1 => usize 64 end. - -Definition zero_key (ha_7 : hash_algorithm_t) : key_t := - seq_new_ (default) (usize (hash_len (ha_7))). - -Definition secret_to_public - (group_name_8 : named_group_t) - (x_9 : dh_sk_t) - : (result dh_pk_t crypto_error_t) := - match group_name_8 with - | Secp256r1 => match p256_point_mul_base (nat_mod_from_byte_seq_be ( - x_9) : p256_scalar_t) with - | Ok (x_10, y_11) => @Ok dh_pk_t crypto_error_t (seq_concat ( - nat_mod_to_byte_seq_be (x_10)) (nat_mod_to_byte_seq_be (y_11))) - | Err _ => @Err dh_pk_t crypto_error_t (CryptoError) - end - | X25519 => @Ok dh_pk_t crypto_error_t (seq_from_seq ( - array_to_seq (x25519_secret_to_public (array_from_seq (32) (x_9))))) - end. - -Definition p256_check_point_len - (p_12 : dh_pk_t) - : (result unit crypto_error_t) := - (if ((seq_len (p_12)) !=.? (usize 64)):bool then (@Err unit crypto_error_t ( - CryptoError)) else (@Ok unit crypto_error_t (tt))). - -Definition p256_ecdh - (x_13 : dh_sk_t) - (y_14 : dh_pk_t) - : (result key_t crypto_error_t) := - bind (p256_check_point_len (y_14)) (fun _ => let pk_15 : ( - p256_field_element_t × - p256_field_element_t - ) := - ( - nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 0, usize 32 - ))) : p256_field_element_t, - nat_mod_from_byte_seq_be (seq_slice_range (y_14) ((usize 32, usize 64 - ))) : p256_field_element_t - ) in - match p256_point_mul (nat_mod_from_byte_seq_be (x_13) : p256_scalar_t) ( - pk_15) with - | Ok (x_16, y_17) => @Ok key_t crypto_error_t (seq_concat ( - nat_mod_to_byte_seq_be (x_16)) (nat_mod_to_byte_seq_be (y_17))) - | Err _ => @Err key_t crypto_error_t (CryptoError) - end). - -Definition ecdh - (group_name_18 : named_group_t) - (x_19 : dh_sk_t) - (y_20 : dh_pk_t) - : (result key_t crypto_error_t) := - match group_name_18 with - | Secp256r1 => p256_ecdh (x_19) (y_20) - | X25519 => @Ok key_t crypto_error_t (seq_from_seq ( - array_to_seq (x25519_scalarmult (array_from_seq (32) (x_19)) ( - array_from_seq (32) (y_20))))) - end. - -Notation "'kem_scheme_t'" := (named_group_t) : hacspec_scope. - -Notation "'kem_sk_t'" := (byte_seq) : hacspec_scope. - -Notation "'kem_pk_t'" := (byte_seq) : hacspec_scope. - -Definition kem_priv_len (ks_21 : kem_scheme_t) : uint_size := - dh_priv_len (ks_21). - -Definition kem_pub_len (ks_22 : kem_scheme_t) : uint_size := - dh_pub_len (ks_22). - -Definition kem_priv_to_pub - (ks_23 : kem_scheme_t) - (sk_24 : kem_sk_t) - : (result kem_pk_t crypto_error_t) := - secret_to_public (ks_23) (sk_24). - -Definition kem_keygen_inner - (ks_25 : kem_scheme_t) - (ent_26 : entropy_t) - : (result (kem_sk_t × kem_pk_t) crypto_error_t) := - let sk_27 : seq uint8 := - seq_from_seq (seq_slice_range (ent_26) ((usize 0, dh_priv_len (ks_25)))) in - bind (kem_priv_to_pub (ks_25) (sk_27)) (fun pk_28 => @Ok (kem_sk_t × kem_pk_t - ) crypto_error_t ((sk_27, pk_28))). - -Definition kem_keygen - (ks_29 : kem_scheme_t) - (ent_30 : entropy_t) - : (result (kem_sk_t × kem_pk_t) crypto_error_t) := - (if ((seq_len (ent_30)) <.? (dh_priv_len (ks_29))):bool then (@Err ( - kem_sk_t × - kem_pk_t - ) crypto_error_t (InsufficientEntropy)) else (kem_keygen_inner (ks_29) ( - ent_30))). - -Definition kem_encap - (ks_31 : kem_scheme_t) - (pk_32 : kem_pk_t) - (ent_33 : entropy_t) - : (result (key_t × byte_seq) crypto_error_t) := - bind (kem_keygen (ks_31) (ent_33)) (fun '(x_34, gx_35) => bind (ecdh (ks_31) ( - x_34) (pk_32)) (fun gxy_36 => @Ok (key_t × byte_seq) crypto_error_t (( - gxy_36, - gx_35 - )))). - -Definition kem_decap - (ks_37 : kem_scheme_t) - (ct_38 : byte_seq) - (sk_39 : kem_sk_t) - : (result key_t crypto_error_t) := - bind (ecdh (ks_37) (sk_39) (ct_38)) (fun gxy_40 => @Ok key_t crypto_error_t ( - gxy_40)). - -Definition hash - (ha_41 : hash_algorithm_t) - (payload_42 : byte_seq) - : (result digest_t crypto_error_t) := - match ha_41 with - | SHA256 => @Ok digest_t crypto_error_t (seq_from_seq (array_to_seq (sha256 ( - payload_42)))) - | SHA384 => @Err digest_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hmac_tag - (ha_43 : hash_algorithm_t) - (mk_44 : mac_key_t) - (payload_45 : byte_seq) - : (result hmac_t crypto_error_t) := - match ha_43 with - | SHA256 => @Ok hmac_t crypto_error_t (seq_from_seq (array_to_seq (hmac ( - mk_44) (payload_45)))) - | SHA384 => @Err hmac_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition check_tag_len - (a_46 : hmac_t) - (b_47 : hmac_t) - : (result unit crypto_error_t) := - (if ((seq_len (a_46)) =.? (seq_len (b_47))):bool then ( - @Ok unit crypto_error_t (tt)) else (@Err unit crypto_error_t ( - MacFailed))). - -Definition check_bytes - (a_48 : uint8) - (b_49 : uint8) - : (result unit crypto_error_t) := - (if (negb (uint8_equal (a_48) (b_49))):bool then (@Err unit crypto_error_t ( - MacFailed)) else (@Ok unit crypto_error_t (tt))). - -Definition hmac_verify - (ha_50 : hash_algorithm_t) - (mk_51 : mac_key_t) - (payload_52 : byte_seq) - (m_53 : hmac_t) - : (result unit crypto_error_t) := - bind (hmac_tag (ha_50) (mk_51) (payload_52)) (fun my_hmac_54 => bind ( - check_tag_len (m_53) (my_hmac_54)) (fun _ => bind (foldibnd (usize 0) to ( - seq_len (m_53)) for tt >> (fun i_55 'tt => - bind (check_bytes (seq_index (my_hmac_54) (i_55)) (seq_index (m_53) ( - i_55))) (fun _ => Ok (tt)))) (fun _ => @Ok unit crypto_error_t ( - tt)))). - -Definition ec_oid_tag_t := nseq (uint8) (usize 9). - -Definition get_length_length (b_56 : byte_seq) : uint_size := - (if (((uint8_declassify (seq_index (b_56) (usize 0))) shift_right ( - usize 7)) =.? (@repr WORDSIZE8 1)):bool then ( - declassify_usize_from_uint8 ((seq_index (b_56) (usize 0)) .& (secret ( - @repr WORDSIZE8 127) : int8))) else (usize 0)). - -Definition get_length (b_57 : byte_seq) (len_58 : uint_size) : uint_size := - (@cast _ uint32 _ (declassify_u32_from_uint32 (uint32_from_be_bytes ( - array_from_slice (default) (4) (b_57) (usize 0) ( - len_58))))) usize_shift_right (((usize 4) - (len_58)) * (usize 8)). - -Definition get_short_length (b_59 : byte_seq) : uint_size := - declassify_usize_from_uint8 ((seq_index (b_59) (usize 0)) .& (secret ( - @repr WORDSIZE8 127) : int8)). - -Definition verification_key_from_cert - (cert_60 : byte_seq) - : (result verification_key_t crypto_error_t) := - let skip_61 : uint_size := - ((usize 2) + (get_length_length (seq_slice_range (cert_60) (( - usize 1, - seq_len (cert_60) - ))))) + (usize 1) in - let seq1_len_len_62 : uint_size := - get_length_length (seq_slice_range (cert_60) ((skip_61, seq_len (cert_60) - ))) in - let skip_63 : uint_size := - (skip_61) + (usize 1) in - let seq1_len_64 : uint_size := - get_length (seq_slice (cert_60) (skip_63) ((seq_len (cert_60)) - ( - skip_63))) (seq1_len_len_62) in - let seq1_65 : seq uint8 := - seq_slice_range (cert_60) (( - (skip_63) + (seq1_len_len_62), - ((skip_63) + (seq1_len_len_62)) + (seq1_len_64) - )) in - let pk_66 : seq uint8 := - seq_new_ (default) (usize 0) in - let '(seq1_65, pk_66) := - foldi (usize 0) (seq_len (seq1_65)) (fun i_67 '(seq1_65, pk_66) => - let '(seq1_65, pk_66) := - if (seq_len (seq1_65)) >.? (usize 0):bool then ( - let element_type_68 : int8 := - uint8_declassify (seq_index (seq1_65) (usize 0)) in - let seq1_65 := - seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in - let len_len_69 : uint_size := - get_length_length (seq1_65) in - let len_70 : uint_size := - get_short_length (seq1_65) in - let seq1_65 := - seq_slice (seq1_65) (usize 1) ((seq_len (seq1_65)) - (usize 1)) in - let '(len_70) := - if (len_len_69) !=.? (usize 0):bool then (let len_70 := - (get_length (seq1_65) (len_len_69)) + (len_len_69) in - (len_70)) else ((len_70)) in - let '(pk_66) := - if ((element_type_68) =.? (@repr WORDSIZE8 48)) && ((seq_len ( - pk_66)) =.? (usize 0)):bool then (let seq2_71 : seq uint8 := - seq_slice (seq1_65) (len_len_69) (len_70) in - let element_type_72 : int8 := - uint8_declassify (seq_index (seq2_71) (usize 0)) in - let seq2_73 : seq uint8 := - seq_slice (seq2_71) (usize 1) ((seq_len (seq2_71)) - ( - usize 1)) in - let '(pk_66) := - if (element_type_72) =.? (@repr WORDSIZE8 48):bool then ( - let len_len_74 : uint_size := - get_length_length (seq2_73) in - let '(pk_66) := - if (len_len_74) =.? (usize 0):bool then ( - let oid_len_75 : uint_size := - get_short_length (seq2_73) in - let '(pk_66) := - if (oid_len_75) >=.? (usize 9):bool then ( - let expected_76 : seq uint8 := - seq_from_seq (array_to_seq (array_from_list uint8 ( - let l := - [ - secret (@repr WORDSIZE8 6) : int8; - secret (@repr WORDSIZE8 7) : int8; - secret (@repr WORDSIZE8 42) : int8; - secret (@repr WORDSIZE8 134) : int8; - secret (@repr WORDSIZE8 72) : int8; - secret (@repr WORDSIZE8 206) : int8; - secret (@repr WORDSIZE8 61) : int8; - secret (@repr WORDSIZE8 2) : int8; - secret (@repr WORDSIZE8 1) : int8 - ] in l))) in - let oid_77 : seq uint8 := - seq_slice (seq2_73) (usize 1) (usize 9) in - let ec_pk_oid_78 : bool := - true in - let ec_pk_oid_78 := - foldi (usize 0) (usize 9) (fun i_79 ec_pk_oid_78 => - let oid_byte_equal_80 : bool := - (uint8_declassify (seq_index (oid_77) ( - i_79))) =.? (uint8_declassify (seq_index ( - expected_76) (i_79))) in - let ec_pk_oid_78 := - (ec_pk_oid_78) && (oid_byte_equal_80) in - (ec_pk_oid_78)) - ec_pk_oid_78 in - let '(pk_66) := - if ec_pk_oid_78:bool then ( - let bit_string_81 : seq uint8 := - seq_slice (seq2_73) ((oid_len_75) + (usize 1)) ( - ((seq_len (seq2_73)) - (oid_len_75)) - ( - usize 1)) in - let '(pk_66) := - if (uint8_declassify (seq_index ( - bit_string_81) (usize 0))) =.? ( - @repr WORDSIZE8 3):bool then ( - let pk_len_82 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 1)) in - let zeroes_83 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 2)) in - let uncompressed_84 : uint_size := - declassify_usize_from_uint8 (seq_index ( - bit_string_81) (usize 3)) in - let pk_66 := - seq_slice (bit_string_81) (usize 4) (( - pk_len_82) - (usize 2)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - (pk_66)) else ((pk_66)) in - let seq1_65 := - seq_slice (seq1_65) (len_70) ((seq_len (seq1_65)) - (len_70)) in - (seq1_65, pk_66)) else ((seq1_65, pk_66)) in - (seq1_65, pk_66)) - (seq1_65, pk_66) in - (if ((seq_len (pk_66)) =.? (usize 0)):bool then ( - @Err verification_key_t crypto_error_t (InvalidCert)) else ( - @Ok verification_key_t crypto_error_t (pk_66))). - -Definition concat_signature - (r_85 : p256_scalar_t) - (s_86 : p256_scalar_t) - : (result signature_t crypto_error_t) := - let signature_87 : seq uint8 := - seq_concat (seq_concat (seq_new_ (default) (usize 0)) ( - nat_mod_to_byte_seq_be (r_85))) (nat_mod_to_byte_seq_be (s_86)) in - @Ok signature_t crypto_error_t (signature_87). - -Definition p256_sign - (ps_88 : signature_key_t) - (payload_89 : byte_seq) - (ent_90 : entropy_t) - : (result signature_t crypto_error_t) := - let random_91 : random_t := - array_from_seq (32) (seq_slice_range (ent_90) ((usize 0, usize 32))) in - let nonce_92 : p256_scalar_t := - nat_mod_from_byte_seq_be (array_to_seq (random_91)) : p256_scalar_t in - match ecdsa_p256_sha256_sign (payload_89) (nat_mod_from_byte_seq_be ( - ps_88) : p256_scalar_t) (nonce_92) with - | Ok (r_93, s_94) => concat_signature (r_93) (s_94) - | Err _ => @Err signature_t crypto_error_t (CryptoError) - end. - -Definition sign - (sa_95 : signature_scheme_t) - (ps_96 : signature_key_t) - (payload_97 : byte_seq) - (ent_98 : entropy_t) - : (result signature_t crypto_error_t) := - match sa_95 with - | EcdsaSecp256r1Sha256 => p256_sign (ps_96) (payload_97) (ent_98) - | ED25519 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) - | RsaPssRsaSha256 => @Err signature_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition p256_verify - (pk_99 : verification_key_t) - (payload_100 : byte_seq) - (sig_101 : byte_seq) - : (result unit crypto_error_t) := - let '(pk_x_102, pk_y_103) := - ( - nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 0) ( - usize 32)) : p256_field_element_t, - nat_mod_from_byte_seq_be (seq_slice (pk_99) (usize 32) ( - usize 32)) : p256_field_element_t - ) in - let '(r_104, s_105) := - ( - nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 0) ( - usize 32)) : p256_scalar_t, - nat_mod_from_byte_seq_be (seq_slice (sig_101) (usize 32) ( - usize 32)) : p256_scalar_t - ) in - match ecdsa_p256_sha256_verify (payload_100) ((pk_x_102, pk_y_103)) (( - r_104, - s_105 - )) with - | Ok tt => @Ok unit crypto_error_t (tt) - | Err _ => @Err unit crypto_error_t (VerifyFailed) - end. - -Definition verify - (sa_106 : signature_scheme_t) - (pk_107 : verification_key_t) - (payload_108 : byte_seq) - (sig_109 : byte_seq) - : (result unit crypto_error_t) := - match sa_106 with - | EcdsaSecp256r1Sha256 => p256_verify (pk_107) (payload_108) (sig_109) - | ED25519 => @Err unit crypto_error_t (UnsupportedAlgorithm) - | RsaPssRsaSha256 => @Err unit crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hkdf_extract - (ha_110 : hash_algorithm_t) - (k_111 : key_t) - (salt_112 : key_t) - : (result key_t crypto_error_t) := - match ha_110 with - | SHA256 => @Ok key_t crypto_error_t (seq_from_seq (array_to_seq (extract ( - salt_112) (k_111)))) - | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition hkdf_expand - (ha_113 : hash_algorithm_t) - (k_114 : key_t) - (info_115 : byte_seq) - (len_116 : uint_size) - : (result key_t crypto_error_t) := - match ha_113 with - | SHA256 => match expand (k_114) (info_115) (len_116) with - | Ok b_117 => @Ok key_t crypto_error_t (seq_from_seq (b_117)) - | Err _ => @Err key_t crypto_error_t (HkdfError) - end - | SHA384 => @Err key_t crypto_error_t (UnsupportedAlgorithm) - end. - -Definition aes128_encrypt - (k_118 : aead_key_t) - (iv_119 : aead_iv_t) - (payload_120 : byte_seq) - (ad_121 : byte_seq) - : (result byte_seq crypto_error_t) := - let '(ctxt_122, tag_123) := - encrypt_aes128 (array_from_seq (_) (k_118)) (array_from_seq (_) (iv_119)) ( - ad_121) (payload_120) in - @Ok byte_seq crypto_error_t (seq_concat (ctxt_122) (seq_from_seq ( - array_to_seq (tag_123)))). - -Definition chacha_encrypt - (k_124 : aead_key_t) - (iv_125 : aead_iv_t) - (payload_126 : byte_seq) - (ad_127 : byte_seq) - : (result byte_seq crypto_error_t) := - let '(ctxt_128, tag_129) := - chacha20_poly1305_encrypt (array_from_seq (32) (k_124)) (array_from_seq ( - 12) (iv_125)) (ad_127) (payload_126) in - @Ok byte_seq crypto_error_t (seq_concat (ctxt_128) (array_to_seq (tag_129))). - -Definition aead_encrypt - (a_130 : aead_algorithm_t) - (k_131 : aead_key_t) - (iv_132 : aead_iv_t) - (payload_133 : byte_seq) - (ad_134 : byte_seq) - : (result byte_seq crypto_error_t) := - match a_130 with - | Aes128Gcm => aes128_encrypt (k_131) (iv_132) (payload_133) (ad_134) - | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) - | Chacha20Poly1305 => chacha_encrypt (k_131) (iv_132) (payload_133) (ad_134) - end. - -Definition aes128_decrypt - (k_135 : aead_key_t) - (iv_136 : aead_iv_t) - (ciphertext_137 : byte_seq) - (ad_138 : byte_seq) - : (result byte_seq crypto_error_t) := - match decrypt_aes128 (array_from_seq (_) (k_135)) (array_from_seq (_) ( - iv_136)) (ad_138) (seq_slice_range (ciphertext_137) (( - usize 0, - (seq_len (ciphertext_137)) - (usize 16) - ))) (array_from_seq (_) (seq_slice_range (ciphertext_137) (( - (seq_len (ciphertext_137)) - (usize 16), - seq_len (ciphertext_137) - )))) with - | Ok m_139 => @Ok byte_seq crypto_error_t (m_139) - | Err _ => @Err byte_seq crypto_error_t (MacFailed) - end. - -Definition chacha_decrypt - (k_140 : aead_key_t) - (iv_141 : aead_iv_t) - (ciphertext_142 : byte_seq) - (ad_143 : byte_seq) - : (result byte_seq crypto_error_t) := - match chacha20_poly1305_decrypt (array_from_seq (32) (k_140)) ( - array_from_seq (12) (iv_141)) (ad_143) (seq_slice_range (ciphertext_142) (( - usize 0, - (seq_len (ciphertext_142)) - (usize 16) - ))) (array_from_seq (16) (seq_slice_range (ciphertext_142) (( - (seq_len (ciphertext_142)) - (usize 16), - seq_len (ciphertext_142) - )))) with - | Ok ptxt_144 => @Ok byte_seq crypto_error_t (ptxt_144) - | Err _ => @Err byte_seq crypto_error_t (MacFailed) - end. - -Definition aead_decrypt - (a_145 : aead_algorithm_t) - (k_146 : aead_key_t) - (iv_147 : aead_iv_t) - (ciphertext_148 : byte_seq) - (ad_149 : byte_seq) - : (result byte_seq crypto_error_t) := - match a_145 with - | Aes128Gcm => aes128_decrypt (k_146) (iv_147) (ciphertext_148) (ad_149) - | Aes256Gcm => @Err byte_seq crypto_error_t (UnsupportedAlgorithm) - | Chacha20Poly1305 => chacha_decrypt (k_146) (iv_147) (ciphertext_148) ( - ad_149) - end. - From 2629129c77e8c4c8c9ac71f0b2f5259785017b7f Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Thu, 7 Dec 2023 14:32:04 +0100 Subject: [PATCH 04/12] Cleanup --- .../coq/coq/src/Hacspec_Coverage_Test.v | 163 ------------------ 1 file changed, 163 deletions(-) delete mode 100644 proof-libs/coq/coq/src/Hacspec_Coverage_Test.v diff --git a/proof-libs/coq/coq/src/Hacspec_Coverage_Test.v b/proof-libs/coq/coq/src/Hacspec_Coverage_Test.v deleted file mode 100644 index 5b3b169f5..000000000 --- a/proof-libs/coq/coq/src/Hacspec_Coverage_Test.v +++ /dev/null @@ -1,163 +0,0 @@ -(** This file was automatically generated using Hacspec **) -Set Warnings "-notation-overridden,-ambiguous-paths". -Require Import Hacspec_Lib MachineIntegers. -From Coq Require Import ZArith. -Import List.ListNotations. -Open Scope Z_scope. -Open Scope bool_scope. -Open Scope hacspec_scope. -Require Import Hacspec_Lib. - -Definition big_integer_test : unit := - let _ : big_int_t := - big_int_zero in - let _ : big_int_t := - big_int_one in - let _ : big_int_t := - big_int_two in - let bi_2669 : big_int_t := - big_int_from_literal (@repr WORDSIZE128 1238) in - let bi_2669 := - big_int_get_bit (bi_2669) (usize 3) in - let bi_2669 := - big_int_set_bit (bi_2669) (big_int_one ) (usize 3) in - let bi_2669 := - big_int_set (bi_2669) (usize 4) (big_int_two ) (usize 2) in - let bi_2669 := - big_int_wrap_add (bi_2669) (big_int_two ) in - let bi_2669 := - big_int_wrap_sub (bi_2669) (big_int_two ) in - let bi_2669 := - big_int_wrap_mul (bi_2669) (big_int_two ) in - let _ : bool := - big_int_equal (big_int_one ) (big_int_two ) in - let bi_2669 := - big_int_sub_mod (bi_2669) (big_int_two ) (big_int_from_literal ( - @repr WORDSIZE128 4)) in - let bi_2669 := - big_int_add_mod (bi_2669) (big_int_two ) (big_int_from_literal ( - @repr WORDSIZE128 4)) in - let bi_2669 := - big_int_mul_mod (bi_2669) (big_int_two ) (big_int_from_literal ( - @repr WORDSIZE128 4)) in - let bi_2669 := - big_int_absolute (bi_2669) in - tt. - -Definition machine_integer_test : unit := - let _ : int32 := - pub_uint32_zero in - let _ : int8 := - pub_uint8_one in - let _ : int128 := - pub_uint128_two in - let mi_2670 : int16 := - pub_uint16_from_literal (@repr WORDSIZE128 1238) in - let mi_2670 := - pub_uint16_get_bit (mi_2670) (usize 3) in - let mi_2670 := - pub_uint16_set_bit (mi_2670) (pub_uint16_one ) (usize 3) in - let mi_2670 := - pub_uint16_set (mi_2670) (usize 4) (pub_uint16_two ) (usize 2) in - let mi_2670 := - pub_uint16_rotate_left (mi_2670) (@repr WORDSIZE32 4) in - let mi_2670 := - pub_uint16_rotate_right (mi_2670) (@repr WORDSIZE32 4) in - let _ : int16 := - pub_uint16_max_val in - let mi_2670 := - pub_uint16_wrap_add (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_wrap_sub (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_wrap_mul (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_exp (mi_2670) (@repr WORDSIZE32 2) in - let mi_2670 := - pub_uint16_divide (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_inv (pub_uint16_from_literal (@repr WORDSIZE128 79)) ( - pub_uint16_two ) in - let _ : bool := - pub_uint16_equal (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_greater_than (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_greater_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_less_than (pub_uint16_one ) (pub_uint16_two ) in - let _ : bool := - pub_uint16_less_than_or_equal (pub_uint16_one ) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_not_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_greater_than_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_greater_than_or_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_less_than_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_less_than_or_equal_bm (mi_2670) (pub_uint16_two ) in - let mi_2670 := - pub_uint16_sub_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( - @repr WORDSIZE128 4)) in - let mi_2670 := - pub_uint16_add_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( - @repr WORDSIZE128 4)) in - let mi_2670 := - pub_uint16_mul_mod (mi_2670) (pub_uint16_two ) (pub_uint16_from_literal ( - @repr WORDSIZE128 4)) in - let mi_2670 := - pub_uint16_absolute (mi_2670) in - let _ : uint64 := - secret (@repr WORDSIZE64 12) : int64 in - tt. - -Definition seq_test : unit := - let ns_2671 : seq int8 := - seq_with_capacity (usize 5) in - let ns_2671 := - seq_new_ (default : int8) (usize 5) in - let ns_2671 := - seq_reserve (ns_2671) (usize 10) in - let _ : uint_size := - seq_len (ns_2671) in - let ns_2671 := - seq_slice (ns_2671) (usize 0) (usize 5) in - let ns_2671 := - seq_into_slice (ns_2671) (usize 1) (usize 3) in - let ns_2671 := - seq_slice_range (ns_2671) ((usize 0, usize 2)) in - let ns_2671 := - seq_into_slice_range (ns_2671) ((usize 0, usize 1)) in - let '(ns1_2672, ns2_2673) := - seq_split_off (ns_2671) (usize 1) in - let ns1_2672 := - seq_truncate (ns1_2672) (usize 2) in - let ns2_2673 := - seq_from_slice (ns1_2672) (usize 0) (usize 1) in - let ns_2674 : seq int8 := - seq_concat (ns1_2672) (ns2_2673) in - let ns_2674 := - seq_concat_owned (ns1_2672) (ns2_2673) in - let ns_2674 := - seq_push (ns_2674) (@repr WORDSIZE8 2) in - let ns_2674 := - seq_push_owned (ns_2674) (@repr WORDSIZE8 4) in - let ns_2674 := - seq_from_slice_range (ns_2674) ((usize 0, usize 4)) in - let _ : uint_size := - seq_num_chunks (ns_2674) (usize 2) in - let _ : uint_size := - seq_num_exact_chunks (ns_2674) (usize 2) in - tt. - -Definition arr_name_t := nseq (uint64) (usize 8). - -Definition byte_arr_name_t := nseq (uint8) (usize 128). - -Definition array_test : unit := - tt. - From 698d2b64d5ae700525ad3725aaa814603a848d24 Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Thu, 7 Dec 2023 14:34:09 +0100 Subject: [PATCH 05/12] Cleanup --- proof-libs/coq/coq/_CoqProject | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/proof-libs/coq/coq/_CoqProject b/proof-libs/coq/coq/_CoqProject index 9b71d810b..923a70ebc 100644 --- a/proof-libs/coq/coq/_CoqProject +++ b/proof-libs/coq/coq/_CoqProject @@ -1,27 +1,7 @@ -R src/ Hacspec -# -Q src/_vc "" # Folder should be ignored! -arg -w -arg all src/MachineIntegers.v src/Hacspec_Lib.v src/QuickChickLib.v - -# # src/Hacspec_Coverage_Test.v -# # src/Hacspec_Aes.v # TODO: not currently working ? -# # src/Hacspec_Aes128_Gcm.v # requires Aes -# src/Hacspec_Bls12_381.v -# # src/Hacspec_Bls12_381_Hash.v -# src/Hacspec_Chacha20.v -# src/Hacspec_Poly1305.v -# # src/Hacspec_Chacha20poly1305.v -# src/Hacspec_Curve25519.v -# # src/Hacspec_Ecdsa_P256_Sha256.v -# src/Hacspec_Gf128.v -# # src/Hacspec_Gimli.v # ArrayName::length() impl missing -# # src/Hacspec_Hkdf.v # Cannot infer M for bind (should use result_monad) -# # src/Hacspec_Hmac.v -# # src/Hacspec_Ntru_Prime.v # missing mul_poly_irr /// Polynomial multiplication of two size fixed polynomials in R_modulo \ irr -# # src/Hacspec_P256.v -# # src/Hacspec_Sha3.v # Issues with operations with different types eg ".*" vs "*" -# src/Hacspec_Sha256.v From fb9259e748a0c585479fa7a4d33a8eb854d29d7a Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Thu, 14 Dec 2023 16:01:35 +0100 Subject: [PATCH 06/12] Update --- proof-libs/coq/coq/README.md | 3 +- proof-libs/coq/coq/_CoqProject | 1 + proof-libs/coq/coq/src/Hacspec_Lib.v | 1783 ++++++++++++++++++++++++++ proof-libs/coq/coq/src/Hacspec_lib.v | 146 +++ 4 files changed, 1931 insertions(+), 2 deletions(-) create mode 100644 proof-libs/coq/coq/src/Hacspec_Lib.v create mode 100644 proof-libs/coq/coq/src/Hacspec_lib.v diff --git a/proof-libs/coq/coq/README.md b/proof-libs/coq/coq/README.md index 725ca4607..62587eca1 100644 --- a/proof-libs/coq/coq/README.md +++ b/proof-libs/coq/coq/README.md @@ -16,7 +16,6 @@ opam install coq-compcert coq-coqprime ## Compiling the coq files -In folder `/coq`, type `make`. This compiles the coq libraries and the compiled examples, as defined in `_CoqProject`. -This requires the coq compiler to be installed (only tested on coq 8.13.1) +In folder `/coq`, type `make`. This compiles the coq libraries and the compiled examples, as defined in `_CoqProject`. This requires the coq compiler to be installed. If you want to add a new example to `_CoqProject`, such that it is compiled through `make`, you should run `coq_makefile -f _CoqProject -o Makefile` in `/coq` to update the makefile. diff --git a/proof-libs/coq/coq/_CoqProject b/proof-libs/coq/coq/_CoqProject index 923a70ebc..66b54f0db 100644 --- a/proof-libs/coq/coq/_CoqProject +++ b/proof-libs/coq/coq/_CoqProject @@ -4,4 +4,5 @@ src/MachineIntegers.v src/Hacspec_Lib.v +src/Hacspec_lib.v src/QuickChickLib.v diff --git a/proof-libs/coq/coq/src/Hacspec_Lib.v b/proof-libs/coq/coq/src/Hacspec_Lib.v new file mode 100644 index 000000000..db9798fa4 --- /dev/null +++ b/proof-libs/coq/coq/src/Hacspec_Lib.v @@ -0,0 +1,1783 @@ +Global Set Warnings "-ambiguous-paths". +Global Set Warnings "-uniform-inheritance". +Global Set Warnings "-auto-template". +Global Set Warnings "-disj-pattern-notation". +(*** Integers *) +From Coq Require Import ZArith List. +Import ListNotations. +(* Require Import IntTypes. *) + +Require Import MachineIntegers. +From Coqprime Require GZnZ. + +Require Import Lia. + +Declare Scope hacspec_scope. + +Axiom secret : forall {WS : WORDSIZE}, (@int WS) -> (@int WS). + +Axiom uint8_declassify : int8 -> int8. +Axiom int8_declassify : int8 -> int8. +Axiom uint16_declassify : int16 -> int16. +Axiom int16_declassify : int16 -> int16. +Axiom uint32_declassify : int32 -> int32. +Axiom int32_declassify : int32 -> int32. +Axiom uint64_declassify : int64 -> int64. +Axiom int64_declassify : int64 -> int64. +Axiom uint128_declassify : int128 -> int128. +Axiom int128_declassify : int128 -> int128. + +Axiom uint8_classify : int8 -> int8. +Axiom int8_classify : int8 -> int8. +Axiom uint16_classify : int16 -> int16. +Axiom int16_classify : int16 -> int16. +Axiom uint32_classify : int32 -> int32. +Axiom int32_classify : int32 -> int32. +Axiom uint64_classify : int64 -> int64. +Axiom int64_classify : int64 -> int64. +Axiom uint128_classify : int128 -> int128. +Axiom int128_classify : int128 -> int128. + + +(* CompCert integers' signedness is only interpreted through 'signed' and 'unsigned', + and not in the representation. Therefore, uints are just names for their respective ints. +*) +Definition uint8 := int8. +Definition uint16 := int16. +Definition uint32 := int32. +Definition uint64 := int64. +Definition uint128 := int128. + +Definition uint_size := int32. +Definition int_size := int32. + +Axiom declassify_usize_from_uint8 : uint8 -> uint_size. + +(* Represents any type that can be converted to uint_size and back *) +Class UInt_sizable (A : Type) := { + usize : A -> uint_size; + from_uint_size : uint_size -> A; +}. +Arguments usize {_} {_}. +Arguments from_uint_size {_} {_}. + +Global Instance nat_uint_sizable : UInt_sizable nat := { + usize n := repr (Z.of_nat n); + from_uint_size n := Z.to_nat (unsigned n); +}. + +Global Instance N_uint_sizable : UInt_sizable N := { + usize n := repr (Z.of_N n); + from_uint_size n := Z.to_N (unsigned n); +}. + +Global Instance Z_uint_sizable : UInt_sizable Z := { + usize n := repr n; + from_uint_size n := unsigned n; +}. + + +(* Same, but for int_size *) +Class Int_sizable (A : Type) := { + isize : A -> int_size; + from_int_size : int_size -> A; +}. + +Arguments isize {_} {_}. +Arguments from_int_size {_} {_}. + +Global Instance nat_Int_sizable : Int_sizable nat := { + isize n := repr (Z.of_nat n); + from_int_size n := Z.to_nat (signed n); +}. + +Global Instance N_Int_sizable : Int_sizable N := { + isize n := repr (Z.of_N n); + from_int_size n := Z.to_N (signed n); +}. + +Global Instance Z_Int_sizable : Int_sizable Z := { + isize n := repr n; + from_int_size n := signed n; +}. + + +(**** Public integers *) + +Definition pub_u8 (n : Z) : int8 := repr n. +Definition pub_i8 (n : Z) : int8 := repr n. +Definition pub_u16 (n : Z) : int16 := repr n. +Definition pub_i16 (n : Z) : int16 := repr n. +Definition pub_u32 (n : Z) : int32 := repr n. +Definition pub_i32 (n : Z) : int32 := repr n. +Definition pub_u64 (n : Z) : int64 := repr n. +Definition pub_i64 (n : Z) : int64 := repr n. +Definition pub_u128 (n : Z) : int128 := repr n. +Definition pub_i128 (n : Z) : int128 := repr n. + +(**** Operations *) + +(* Should maybe use size of s instead? *) +Definition uint8_rotate_left (u: int8) (s: int8) : int8 := rol u s. +Definition uint8_rotate_right (u: int8) (s: int8) : int8 := ror u s. + +Definition uint16_rotate_left (u: int16) (s: int16) : int16 := rol u s. +Definition uint16_rotate_right (u: int16) (s: int16) : int16 := ror u s. + +Definition uint32_rotate_left (u: int32) (s: int32) : int32 := rol u s. +Definition uint32_rotate_right (u: int32) (s: int32) : int32 := ror u s. + +Definition uint64_rotate_left (u: int64) (s: int64) : int64 := rol u s. +Definition uint64_rotate_right (u: int64) (s: int64) : int64 := ror u s. + +Definition uint128_rotate_left (u: int128) (s: int128) : int128 := rol u s. +Definition uint128_rotate_right (u: int128) (s: int128) : int128 := ror u s. + +(* should use size u instead of u? *) +Definition usize_shift_right (u: uint_size) (s: int32) : uint_size := ror u s. +Infix "usize_shift_right" := (usize_shift_right) (at level 77) : hacspec_scope. + +(* should use size u instead of u? *) +Definition usize_shift_left (u: uint_size) (s: int32) : uint_size := rol u s. +Infix "usize_shift_left" := (usize_shift_left) (at level 77) : hacspec_scope. + +Definition pub_uint128_wrapping_add (x y: int128) : int128 := add x y. + +Definition shift_left_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := + MachineIntegers.shl i (repr (from_uint_size j)). + +Definition shift_right_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := + MachineIntegers.shr i (repr (from_uint_size j)) . + +Infix "shift_left" := (shift_left_) (at level 77) : hacspec_scope. +Infix "shift_right" := (shift_right_) (at level 77) : hacspec_scope. + +Infix "%%" := Z.rem (at level 40, left associativity) : Z_scope. +Infix ".+" := (MachineIntegers.add) (at level 77) : hacspec_scope. +Infix ".-" := (MachineIntegers.sub) (at level 77) : hacspec_scope. +Notation "-" := (MachineIntegers.neg) (at level 77) : hacspec_scope. +Infix ".*" := (MachineIntegers.mul) (at level 77) : hacspec_scope. +Infix "./" := (MachineIntegers.divs) (at level 77) : hacspec_scope. +Infix ".%" := (MachineIntegers.mods) (at level 77) : hacspec_scope. +Infix ".^" := (MachineIntegers.xor) (at level 77) : hacspec_scope. +Infix ".&" := (MachineIntegers.and) (at level 77) : hacspec_scope. +Infix ".|" := (MachineIntegers.or) (at level 77) : hacspec_scope. +Infix "==" := (MachineIntegers.eq) (at level 32) : hacspec_scope. +(* Definition one := (@one WORDSIZE32). *) +(* Definition zero := (@zero WORDSIZE32). *) +Notation "A × B" := (prod A B) (at level 79, left associativity) : hacspec_scope. + +(*** Positive util *) + +Fixpoint binary_representation_pre (n : nat) {struct n}: positive := + match n with + | O => 1 + | S O => 1 + | S n => Pos.succ (binary_representation_pre n) + end%positive. +Definition binary_representation (n : nat) `(n <> O) := binary_representation_pre n. + +Theorem positive_is_succs : forall n, forall (H : n <> O) (K : S n <> O), + @binary_representation (S n) K = Pos.succ (@binary_representation n H). +Proof. induction n ; [contradiction | reflexivity]. Qed. + +(* Conversion of positive to binary representation *) +Theorem positive_to_positive_succs : forall p, binary_representation (Pos.to_nat p) (Nat.neq_sym _ _ (Nat.lt_neq _ _ (Pos2Nat.is_pos p))) = p. +Proof. + intros p. + generalize dependent (Nat.neq_sym 0 (Pos.to_nat p) (Nat.lt_neq 0 (Pos.to_nat p) (Pos2Nat.is_pos p))). + + destruct Pos.to_nat eqn:ptno. + - contradiction. + - generalize dependent p. + induction n ; intros. + + cbn. + apply Pos2Nat.inj. + symmetry. + apply ptno. + + rewrite positive_is_succs with (H := Nat.neq_succ_0 n). + rewrite IHn with (p := Pos.of_nat (S n)). + * rewrite <- Nat2Pos.inj_succ by apply Nat.neq_succ_0. + rewrite <- ptno. + apply Pos2Nat.id. + * apply Nat2Pos.id. + apply Nat.neq_succ_0. +Qed. + +(*** Uint size util *) + +(* If a natural number is in bound then a smaller natural number is still in bound *) +Lemma range_of_nat_succ : + forall {WS : WORDSIZE}, + forall i, (Z.pred 0 < Z.of_nat (S i) < modulus)%Z -> (Z.pred 0 < Z.of_nat i < modulus)%Z. +Proof. lia. Qed. + +(* Conversion to equivalent bound *) +Lemma modulus_range_helper : + forall {WS : WORDSIZE}, + forall i, (Z.pred 0 < i < modulus)%Z -> (0 <= i <= max_unsigned)%Z. +Proof. unfold max_unsigned. lia. Qed. + +Definition unsigned_repr_alt {WS : WORDSIZE} (a : Z) `((Z.pred 0 < a < modulus)%Z) : unsigned (repr a) = a := + unsigned_repr a (modulus_range_helper a H). + +Theorem zero_always_modulus {WS : WORDSIZE} : (Z.pred 0 < 0 < modulus)%Z. +Proof. easy. Qed. + +(* any uint_size can be represented as a natural number and a bound *) +(* this is easier for proofs, however less efficient for computation *) +(* as Z uses a binary representation *) +Theorem uint_size_as_nat : + forall (us: uint_size), + { n : nat | + us = repr (Z.of_nat n) /\ (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z}. +Proof. + destruct us. + exists (Z.to_nat intval). + rewrite Z2Nat.id by (apply Z.lt_pred_le ; apply intrange). + + split. + - apply mkint_eq. + rewrite Z_mod_modulus_eq. + rewrite Z.mod_small. + + reflexivity. + + lia. + - apply intrange. +Qed. + +(* destruct uint_size as you would a natural number *) +Definition destruct_uint_size_as_nat (a : uint_size) : forall (P : uint_size -> Prop), + forall (zero_case : P (repr 0)), + forall (succ_case : forall (n : nat), (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z -> P (repr (Z.of_nat n))), + P a. +Proof. + intros. + destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + destruct n. + - apply zero_case. + - apply succ_case. + apply yb. +Qed. + +Ltac destruct_uint_size_as_nat a := + generalize dependent a ; + intros a ; + apply (destruct_uint_size_as_nat a) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let H := fresh in intros n H ; pose proof (@unsigned_repr_alt WORDSIZE32 _ H)] ; intros. + +(* induction for uint_size as you would do for a natural number *) +Definition induction_uint_size_as_nat : + forall (P : uint_size -> Prop), + (P (repr 0)) -> + (forall n, + (Z.pred 0 < Z.succ (Z.of_nat n) < @modulus WORDSIZE32)%Z -> + P (repr (Z.of_nat n)) -> + P (repr (Z.succ (Z.of_nat n)))) -> + forall (a : uint_size), P a. +Proof. + intros P H_zero H_ind a. + destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + induction n. + - apply H_zero. + - rewrite Nat2Z.inj_succ. + apply H_ind. + + rewrite <- Nat2Z.inj_succ. + apply yb. + + apply IHn. + lia. +Qed. + +Ltac induction_uint_size_as_nat var := + generalize dependent var ; + intros var ; + apply induction_uint_size_as_nat with (a := var) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let IH := fresh in intros n IH ; pose proof (@unsigned_repr_alt WORDSIZE32 _ IH)] ; intros. + +(* conversion of usize to positive or zero and the respective bound *) +Theorem uint_size_as_positive : + forall (us: uint_size), + { pu : unit + positive | + match pu with inl u => us = repr Z0 | inr p => us = repr (Z.pos p) /\ (Z.pred 0 < Z.pos p < @modulus WORDSIZE32)%Z end + }. +Proof. + destruct us. + destruct intval. + - exists (inl tt). apply mkint_eq. reflexivity. + - exists (inr p). + split. + + apply mkint_eq. + rewrite Z_mod_modulus_eq. + symmetry. + apply Zmod_small. + lia. + + apply intrange. + - exfalso. + lia. +Defined. + +(* destruction of uint_size as positive *) +Definition destruct_uint_size_as_positive (a : uint_size) : forall (P : uint_size -> Prop), + (P (repr 0)) -> + (forall b, (Z.pred 0 < Z.pos b < @modulus WORDSIZE32)%Z -> P (repr (Z.pos b))) -> + P a. +Proof. + intros P H_zero H_succ. + destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - apply H_succ. + apply yb. +Qed. + +Ltac destruct_uint_size_as_positive a := + generalize dependent a ; + intros a ; + apply (destruct_uint_size_as_positive a) ; intros. + +(* induction of uint_size as positive *) +Definition induction_uint_size_as_positive : + forall (P : uint_size -> Prop), + (P (repr 0)) -> + (P (repr 1)) -> + (forall b, + (Z.pred 0 < Z.succ (Z.pos b) < @modulus WORDSIZE32)%Z -> + P (repr (Z.pos b)) -> + P (repr (Z.succ (Z.pos b)))) -> + forall (a : uint_size), P a. +Proof. + intros P H_zero H_one H_ind a. + + destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - pose proof (pos_succ_b := positive_to_positive_succs b) + ; symmetry in pos_succ_b + ; rewrite pos_succ_b in * + ; clear pos_succ_b. + + generalize dependent (Nat.neq_sym 0 (Pos.to_nat b) (Nat.lt_neq 0 (Pos.to_nat b) (Pos2Nat.is_pos b))). + + induction (Pos.to_nat b). + + contradiction. + + intros n_neq yb. + destruct n. + * apply H_one. + * rewrite (positive_is_succs _ (Nat.neq_succ_0 n) n_neq) in *. + rewrite Pos2Z.inj_succ in *. + apply H_ind. + -- apply yb. + -- apply IHn. + lia. +Qed. + +Ltac induction_uint_size_as_positive var := + generalize dependent var ; + intros var ; + apply induction_uint_size_as_positive with (a := var) ; intros ; [ | | ]. + +(*** Loops *) + +Open Scope nat_scope. +Fixpoint foldi_ + {acc : Type} + (fuel : nat) + (i : uint_size) + (f : uint_size -> acc -> acc) + (cur : acc) : acc := + match fuel with + | 0 => cur + | S n' => foldi_ n' (add i one) f (f i cur) + end. +Close Scope nat_scope. +Definition foldi + {acc: Type} + (lo: uint_size) + (hi: uint_size) (* {lo <= hi} *) + (f: (uint_size) -> acc -> acc) (* {i < hi} *) + (init: acc) : acc := + match Z.sub (unsigned hi) (unsigned lo) with + | Z0 => init + | Zneg p => init + | Zpos p => foldi_ (Pos.to_nat p) lo f init + end. + +(* Fold done using natural numbers for bounds *) +Fixpoint foldi_nat_ + {acc : Type} + (fuel : nat) + (i : nat) + (f : nat -> acc -> acc) + (cur : acc) : acc := + match fuel with + | O => cur + | S n' => foldi_nat_ n' (S i) f (f i cur) + end. +Definition foldi_nat + {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc) : acc := + match Nat.sub hi lo with + | O => init + | S n' => foldi_nat_ (S n') lo f init + end. + +Lemma foldi__move_S : + forall {acc: Type} + (fuel : nat) + (i : uint_size) + (f : uint_size -> acc -> acc) + (cur : acc), + foldi_ fuel (add i one) f (f i cur) = foldi_ (S fuel) i f cur. +Proof. reflexivity. Qed. + +Lemma foldi__nat_move_S : + forall {acc: Type} + (fuel : nat) + (i : nat) + (f : nat -> acc -> acc) + (cur : acc), + foldi_nat_ fuel (S i) f (f i cur) = foldi_nat_ (S fuel) i f cur. +Proof. reflexivity. Qed. + +(* You can do one iteration of the fold by burning a unit of fuel *) +Lemma foldi__move_S_fuel : + forall {acc: Type} + (fuel : nat) + (i : uint_size) + (f : uint_size -> acc -> acc) + (cur : acc), + (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> + f (add (repr (Z.of_nat fuel)) i) (foldi_ (fuel) i f cur) = foldi_ (S (fuel)) i f cur. +Proof. + intros acc fuel. + induction fuel ; intros. + - cbn. + replace (repr 0) with (@zero WORDSIZE32) by reflexivity. + rewrite add_zero_l. + reflexivity. + - do 2 rewrite <- foldi__move_S. + replace (add (repr (Z.of_nat (S fuel))) i) + with (add (repr (Z.of_nat fuel)) (add i one)). + 2 : { + rewrite <- (add_commut one). + rewrite <- add_assoc. + f_equal. + unfold add. + f_equal. + rewrite unsigned_one. + rewrite Z.add_1_r. + rewrite Nat2Z.inj_succ. + f_equal. + apply unsigned_repr. + lia. + } + rewrite IHfuel. + reflexivity. + lia. +Qed. + +(* You can do one iteration of the fold by burning a unit of fuel *) +Lemma foldi__nat_move_S_fuel : + forall {acc: Type} + (fuel : nat) + (i : nat) + (f : nat -> acc -> acc) + (cur : acc), + (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> + f (fuel + i)%nat (foldi_nat_ fuel i f cur) = foldi_nat_ (S fuel) i f cur. +Proof. + induction fuel ; intros. + - reflexivity. + - do 2 rewrite <- foldi__nat_move_S. + replace (S fuel + i)%nat with (fuel + (S i))%nat by (symmetry ; apply plus_Snm_nSm). + rewrite IHfuel. + + reflexivity. + + lia. +Qed. + +(* folds and natural number folds compute the same thing *) +Lemma foldi_to_foldi_nat : + forall {acc: Type} + (lo: uint_size) (* {lo <= hi} *) + (hi: uint_size) (* {lo <= hi} *) + (f: (uint_size) -> acc -> acc) (* {i < hi} *) + (init: acc), + (unsigned lo <= unsigned hi)%Z -> + foldi lo hi f init = foldi_nat (Z.to_nat (unsigned lo)) (Z.to_nat (unsigned hi)) (fun x => f (repr (Z.of_nat x))) init. +Proof. + intros. + + unfold foldi. + unfold foldi_nat. + + destruct (uint_size_as_nat hi) as [ hi_n [ hi_eq hi_H ] ] ; subst. + rewrite (@unsigned_repr_alt WORDSIZE32 _ hi_H) in *. + rewrite Nat2Z.id. + + destruct (uint_size_as_nat lo) as [ lo_n [ lo_eq lo_H ] ] ; subst. + rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. + rewrite Nat2Z.id. + + remember (hi_n - lo_n)%nat as n. + apply f_equal with (f := Z.of_nat) in Heqn. + rewrite (Nat2Z.inj_sub) in Heqn by (apply Nat2Z.inj_le ; apply H). + rewrite <- Heqn. + + assert (H_bound : (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z) by lia. + + clear Heqn. + induction n. + - reflexivity. + - pose proof (H_max_bound := modulus_range_helper _ (range_of_nat_succ _ H_bound)). + rewrite <- foldi__nat_move_S_fuel by apply H_max_bound. + cbn. + rewrite SuccNat2Pos.id_succ. + rewrite <- foldi__move_S_fuel by apply H_max_bound. + + destruct n. + + cbn. + replace (repr 0) with (@zero WORDSIZE32) by reflexivity. + rewrite add_zero_l. + reflexivity. + + cbn in *. + assert (H_bound_pred: (Z.pred 0 < Z.pos (Pos.of_succ_nat n) < @modulus WORDSIZE32)%Z) by lia. + rewrite <- (IHn H_bound_pred) ; clear IHn. + f_equal. + * unfold add. + f_equal. + rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. + rewrite (unsigned_repr_alt _ H_bound_pred). + do 2 rewrite Zpos_P_of_succ_nat. + rewrite Z.add_succ_l. + f_equal. + rewrite Nat2Z.inj_add. + reflexivity. + * rewrite SuccNat2Pos.id_succ. + rewrite foldi__move_S. + reflexivity. +Qed. + +(* folds can be computed by doing one iteration and incrementing the lower bound *) +Lemma foldi_nat_split_S : + forall {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc), + (lo < hi)%nat -> + foldi_nat lo hi f init = foldi_nat (S lo) hi f (foldi_nat lo (S lo) f init). +Proof. + unfold foldi_nat. + intros. + + assert (succ_sub_diag : forall n, (S n - n = 1)%nat) by lia. + rewrite (succ_sub_diag lo). + + induction hi ; [ lia | ]. + destruct (S hi =? S lo)%nat eqn:hi_eq_lo. + - apply Nat.eqb_eq in hi_eq_lo ; rewrite hi_eq_lo in *. + rewrite (succ_sub_diag lo). + rewrite Nat.sub_diag. + reflexivity. + - apply Nat.eqb_neq in hi_eq_lo. + apply Nat.lt_gt_cases in hi_eq_lo. + destruct hi_eq_lo. + + lia. + + rewrite (Nat.sub_succ_l (S lo)) by apply (Nat.lt_le_pred _ _ H0). + rewrite Nat.sub_succ_l by apply (Nat.lt_le_pred _ _ H). + replace ((S (hi - S lo))) with (hi - lo)%nat by lia. + reflexivity. +Qed. + +(* folds can be split at some valid offset from lower bound *) +Lemma foldi_nat_split_add : + forall (k : nat), + forall {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc), + forall {guarantee: (lo + k <= hi)%nat}, + foldi_nat lo hi f init = foldi_nat (k + lo) hi f (foldi_nat lo (k + lo) f init). +Proof. + induction k ; intros. + - cbn. + unfold foldi_nat. + rewrite Nat.sub_diag. + reflexivity. + - rewrite foldi_nat_split_S by lia. + replace (S k + lo)%nat with (k + S lo)%nat by lia. + specialize (IHk acc (S lo) hi f (foldi_nat lo (S lo) f init)). + rewrite IHk by lia. + f_equal. + rewrite <- foldi_nat_split_S by lia. + reflexivity. +Qed. + +(* folds can be split at some midpoint *) +Lemma foldi_nat_split : + forall (mid : nat), (* {lo <= mid <= hi} *) + forall {acc: Type} + (lo: nat) + (hi: nat) (* {lo <= hi} *) + (f: nat -> acc -> acc) (* {i < hi} *) + (init: acc), + forall {guarantee: (lo <= mid <= hi)%nat}, + foldi_nat lo hi f init = foldi_nat mid hi f (foldi_nat lo mid f init). +Proof. + intros. + assert (mid_is_low_plus_constant : {k : nat | (mid = lo + k)%nat}) by (exists (mid - lo)%nat ; lia). + destruct mid_is_low_plus_constant ; subst. + rewrite Nat.add_comm. + apply foldi_nat_split_add. + apply guarantee. +Qed. + +(* folds can be split at some midpoint *) +Lemma foldi_split : + forall (mid : uint_size), (* {lo <= mid <= hi} *) + forall {acc: Type} + (lo: uint_size) + (hi: uint_size) (* {lo <= hi} *) + (f: uint_size -> acc -> acc) (* {i < hi} *) + (init: acc), + forall {guarantee: (unsigned lo <= unsigned mid <= unsigned hi)%Z}, + foldi lo hi f init = foldi mid hi f (foldi lo mid f init). +Proof. + intros. + do 3 rewrite foldi_to_foldi_nat by lia. + apply foldi_nat_split ; lia. +Qed. + +(*** Default *) + +(* Typeclass handling of default elements, for use in sequences/arrays. + We provide instances for the library integer types *) +Class Default (A : Type) := { + default : A +}. +Global Arguments default {_} {_}. + +(*** Seq *) + +Definition nseq := VectorDef.t. + +Definition seq (A : Type) := list A. + +(* Automatic conversion from nseq/vector/array to seq/list *) +(* Global Coercion VectorDef.to_list : VectorDef.t >-> list. *) + +Definition public_byte_seq := seq int8. +Definition byte_seq := seq int8. +Definition list_len := length. + +Definition seq_index {A: Type} `{Default A} (s: seq A) (i : nat) := + List.nth i s default. + +Definition seq_len {A: Type} (s: seq A) : N := N.of_nat (length s). + +Definition seq_new_ {A: Type} (init : A) (len: nat) : seq A := + Vector.to_list (VectorDef.const init len). + +Definition seq_new {A: Type} `{Default A} (len: nat) : seq A := + seq_new_ default len. + +Fixpoint array_from_list (A: Type) (l: list A) : nseq A (length l) := + match l return (nseq A (length l)) with + | [] => VectorDef.nil A + | x :: xs => VectorDef.cons A x (length xs) (array_from_list A xs) + end. + + (* match l, length l with *) +(* | [], O => VectorDef.nil A *) +(* | (x :: xs), S n => VectorDef.cons A x (length xs) (array_from_list A xs) *) +(* end. *) +(* - apply (VectorDef.cons A a (length l) (array_from_list A l)). *) +(* Defined. *) + + (* match l with *) + (* | [] => VectorDef.nil *) + (* | (x :: xs) => VectorDef.cons A x (length xs) (array_from_list xs) *) + (* end. *) + +(* Definition array_from_list (A: Type) (l: list A) : nseq A (length l) := *) + (* VectorDef.of_list l. *) +(* Proof. *) +(* induction l. *) +(* - apply (VectorDef.nil A). *) +(* - apply (VectorDef.cons A a (length l) IHl). *) +(* Defined. *) + +(* automatic conversion from list to array *) +(* Global Coercion array_from_list : list >-> nseq. *) + + +(**** Array manipulation *) + + +Definition array_new_ {A: Type} (init:A) (len: nat) : nseq A len := + VectorDef.const init len. + +Open Scope nat_scope. +Definition array_index {A: Type} `{Default A} {len : nat} (s: nseq A len) (i: nat) : A. +Proof. + destruct (i nat -> nat -> seq A -> t A len. *) +Definition update_sub {A len slen} `{Default A} (v : nseq A len) (i : nat) (n : nat) (sub : nseq A slen) : nseq A len := + let fix rec x acc := + match x with + | 0 => acc + (* | 0 => array_upd acc 0 (array_index sub 0) *) + | S x => rec x (array_upd acc (i+x) (array_index sub x)) + end in + rec (n - i + 1) v. + +(* Sanity check *) +(* Compute (to_list (update_sub [1;2;3;4;5] 0 4 (of_list [9;8;7;6;12]))). *) + +Definition array_to_seq + {a: Type} + {out_len:nat} + (input: nseq a out_len) + (* {H : List.length input = out_len} *) + : seq a := VectorDef.to_list input. + +Definition array_from_seq + {a: Type} + `{Default a} + (out_len:nat) + (input: seq a) + : nseq a out_len := + let out := VectorDef.const default out_len in + update_sub out 0 (out_len - 1) (Vector.of_list input). + +(* Global Coercion array_from_seq : seq >-> nseq. *) + +Definition slice {A} (l : seq A) (i j : nat) : seq A := + if j <=? i then [] else firstn (j-i+1) (skipn i l). + +Definition lseq_slice {A n} (l : nseq A n) (i j : nat) : nseq A _ := + VectorDef.of_list (slice (VectorDef.to_list l) i j). + +Definition array_from_slice + {a: Type} + `{Default a} + (default_value: a) + (out_len: nat) + (input: seq a) + (start: nat) + (slice_len: nat) + : nseq a out_len := + let out := VectorDef.const default_value out_len in + update_sub out 0 slice_len (lseq_slice (VectorDef.of_list input) start (start + slice_len)). + + +Definition array_slice + {a: Type} + `{Default a} + {len : nat} + (input: nseq a len) + (start: nat) + (slice_len: nat) + : seq a := + slice (array_to_seq input) start (start + slice_len). + + +Definition array_from_slice_range + {a: Type} + `{Default a} + (default_value: a) + (out_len: nat) + (input: seq a) + (start_fin: (uint_size * uint_size)) + : nseq a out_len := + let out := array_new_ default_value out_len in + let (start, fin) := start_fin in + update_sub out 0 ((from_uint_size fin) - (from_uint_size start)) (VectorDef.of_list (slice input (from_uint_size start) (from_uint_size fin))). + + +Definition array_slice_range + {a: Type} + {len : nat} + (input: nseq a len) + (start_fin:(uint_size * uint_size)) + : nseq a _ := + lseq_slice input (from_uint_size (fst start_fin)) (from_uint_size (snd start_fin)). + +Definition array_update + {a: Type} + `{Default a} + {len: nat} + (s: nseq a len) + (start : nat) + (start_s: seq a) + : nseq a len := + update_sub (s) start (length start_s) (VectorDef.of_list start_s). + +Definition array_update_start + {a: Type} + `{Default a} + {len: nat} + (s: nseq a len) + (start_s: seq a) + : nseq a len := + update_sub (s) 0 (length start_s) (VectorDef.of_list start_s). + +Definition array_len {a: Type} {len: nat} (s: nseq a len) := len. +(* May also come up as 'length' instead of 'len' *) +Definition array_length {a: Type} {len: nat} (s: nseq a len) := len. + +(**** Seq manipulation *) + +Definition seq_slice + {a: Type} + `{Default a} + (s: seq a) + (start: nat) + (len: nat) + : seq a := + (slice s start (start + len)). + +Definition seq_slice_range + {a: Type} + `{Default a} + (input: seq a) + (start_fin:(uint_size * uint_size)) + : seq a := + seq_slice input (from_uint_size (fst start_fin)) (from_uint_size (snd start_fin)). + +(* updating a subsequence in a sequence *) +Definition seq_update + {a: Type} + `{Default a} + (s: seq a) + (start: nat) + (input: seq a) + : seq a := + array_to_seq (update_sub (VectorDef.of_list s) start (length input) (VectorDef.of_list input)). + +(* updating only a single value in a sequence*) +Definition seq_upd + {a: Type} + `{Default a} + (s: seq a) + (start: nat) + (v: a) + : seq a := + array_to_seq (update_sub (VectorDef.of_list s) start 1 (VectorDef.of_list [v])). + +Definition sub {a} (s : list a) start n := + slice s start (start + n). + +Definition seq_update_start + {a: Type} + `{Default a} + (s: seq a) + (start_s: seq a) + : seq a := + array_to_seq (update_sub (VectorDef.of_list s) 0 (length start_s) (VectorDef.of_list start_s)). + +Definition array_update_slice + {a : Type} + `{Default a} + {l : nat} + (out: nseq a l) + (start_out: nat) + (input: seq a) + (start_in: nat) + (len: nat) + : nseq a (array_length out) + := + update_sub (out) start_out len + (VectorDef.of_list (sub input start_in len)). + +Definition seq_update_slice + {a : Type} + `{Default a} + (out: seq a) + (start_out: nat) + (input: seq a) + (start_in: nat) + (len: nat) + : nseq a (length out) + := + update_sub (VectorDef.of_list out) start_out len + (VectorDef.of_list (sub input start_in len)). + +Definition seq_concat + {a : Type} + (s1 :seq a) + (s2: seq a) + : seq a := + (s1 ++ s2). + +Definition seq_push + {a : Type} + (s1 :seq a) + (s2: a) + : seq a := + (s1 ++ [s2]). + +Definition seq_from_slice_range + {a: Type} + `{Default a} + (input: seq a) + (start_fin: (uint_size * uint_size)) + : seq a := + let out := array_new_ (default) (length input) in + let (start, fin) := start_fin in + array_to_seq (update_sub out 0 ((from_uint_size fin) - (from_uint_size start)) (VectorDef.of_list (slice input (from_uint_size start) (from_uint_size fin)))). + +Definition seq_from_seq {A} (l : seq A) := l. + + +(**** Chunking *) + +Definition seq_num_chunks {a: Type} (s: seq a) (chunk_len: nat) : nat := + ((length s) + chunk_len - 1) / chunk_len. + +Definition seq_chunk_len + {a: Type} + (s: seq a) + (chunk_len: nat) + (chunk_num: nat) + : nat := + let idx_start := chunk_len * chunk_num in + if (length s) + out_len := seq_chunk_len s chunk_len chunk_num /\ LSeq.length chunk := out_len + )) *) + := + let idx_start := chunk_len * chunk_num in + let out_len := seq_chunk_len s chunk_len chunk_num in + (usize out_len, slice + s idx_start (idx_start + seq_chunk_len s chunk_len chunk_num)). + +Definition seq_set_chunk + {a: Type} + `{Default a} + (s: seq a) + (chunk_len: nat) + (chunk_num: nat) + (chunk: seq a ) : seq a := + let idx_start := chunk_len * chunk_num in + let out_len := seq_chunk_len s chunk_len chunk_num in + VectorDef.to_list (update_sub (VectorDef.of_list s) idx_start out_len (VectorDef.of_list chunk)). + + +Definition seq_num_exact_chunks {a} (l : seq a) (chunk_size : uint_size) : uint_size := + divs (repr (Z.of_nat (length l))) chunk_size. + +(* Until #84 is fixed this returns an empty sequence if not enough *) +Definition seq_get_exact_chunk {a} (l : seq a) (chunk_size chunk_num: uint_size) : seq a := + let '(len, chunk) := seq_get_chunk l (from_uint_size chunk_size) (from_uint_size chunk_num) in + if eq len chunk_size then [] else chunk. + +Definition seq_set_exact_chunk {a} `{H : Default a} := @seq_set_chunk a H. + +Definition seq_get_remainder_chunk : forall {a}, seq a -> uint_size -> seq a := + fun _ l chunk_size => + let chunks := seq_num_chunks l (from_uint_size chunk_size) in + let last_chunk := if 0 @MachineIntegers.xor WS x y :: (seq_xor_ xs ys) + | [], y => y + | x, [] => x + end. +Infix "seq_xor" := seq_xor_ (at level 33) : hacspec_scope. + +Fixpoint seq_truncate {a} (x : seq a) (n : nat) : seq a := (* uint_size *) + match x, n with + | _, 0 => [] + | [], _ => [] + | (x :: xs), S n' => x :: (seq_truncate xs n') + end. + +(**** Numeric operations *) + +(* takes two nseq's and joins them using a function op : a -> a -> a *) +Definition array_join_map + {a: Type} + `{Default a} + {len: nat} + (op: a -> a -> a) + (s1: nseq a len) + (s2 : nseq a len) := + let out := s1 in + foldi (usize 0) (usize len) (fun i out => + let i := from_uint_size i in + array_upd out i (op (array_index s1 i) (array_index s2 i)) + ) out. + +Infix "array_xor" := (array_join_map xor) (at level 33) : hacspec_scope. +Infix "array_add" := (array_join_map add) (at level 33) : hacspec_scope. +Infix "array_minus" := (array_join_map sub) (at level 33) : hacspec_scope. +Infix "array_mul" := (array_join_map mul) (at level 33) : hacspec_scope. +Infix "array_div" := (array_join_map divs) (at level 33) : hacspec_scope. +Infix "array_or" := (array_join_map or) (at level 33) : hacspec_scope. +Infix "array_and" := (array_join_map and) (at level 33) : hacspec_scope. + +Definition array_eq_ + {a: Type} + {len: nat} + (eq: a -> a -> bool) + (s1: nseq a len) + (s2 : nseq a len) + : bool := Vector.eqb _ eq s1 s2. + +Infix "array_eq" := (array_eq_ eq) (at level 33) : hacspec_scope. +Infix "array_neq" := (fun s1 s2 => negb (array_eq_ eq s1 s2)) (at level 33) : hacspec_scope. + + +(**** Integers to arrays *) +Axiom uint32_to_le_bytes : int32 -> nseq int8 4. +Axiom uint32_to_be_bytes : int32 -> nseq int8 4. +Axiom uint32_from_le_bytes : nseq int8 4 -> int32. +Axiom uint32_from_be_bytes : nseq int8 4 -> int32. +Axiom uint64_to_le_bytes : int64 -> nseq int8 8. +Axiom uint64_to_be_bytes : int64 -> nseq int8 8. +Axiom uint64_from_le_bytes : nseq int8 8 -> int64. +Axiom uint64_from_be_bytes : nseq int8 8 -> int64. +Axiom uint128_to_le_bytes : int128 -> nseq int8 16. +Axiom uint128_to_be_bytes : int128 -> nseq int8 16. +Axiom uint128_from_le_bytes : nseq int8 16 -> int128. +Axiom uint128_from_be_bytes : nseq int8 16 -> int128. +Axiom u32_to_le_bytes : int32 -> nseq int8 4. +Axiom u32_to_be_bytes : int32 -> nseq int8 4. +Axiom u32_from_le_bytes : nseq int8 4 -> int32. +Axiom u32_from_be_bytes : nseq int8 4 -> int32. +Axiom u64_to_le_bytes : int64 -> nseq int8 8. +Axiom u64_from_le_bytes : nseq int8 8 -> int64. +Axiom u128_to_le_bytes : int128 -> nseq int8 16. +Axiom u128_to_be_bytes : int128 -> nseq int8 16. +Axiom u128_from_le_bytes : nseq int8 16 -> int128. +Axiom u128_from_be_bytes : nseq int8 16 -> int128. + +(*** Nats *) + + +Definition nat_mod (p : Z) : Set := GZnZ.znz p. + + +Definition nat_mod_equal {p} (a b : nat_mod p) : bool := + Z.eqb (GZnZ.val p a) (GZnZ.val p b). + +Definition nat_mod_zero {p} : nat_mod p := GZnZ.zero p. +Definition nat_mod_one {p} : nat_mod p := GZnZ.one p. +Definition nat_mod_two {p} : nat_mod p := GZnZ.mkznz p _ (GZnZ.modz p 2). + + +(* convenience coercions from nat_mod to Z and N *) +(* Coercion Z.of_N : N >-> Z. *) + +Definition nat_mod_add {n : Z} (a : nat_mod n) (b : nat_mod n) : nat_mod n := GZnZ.add n a b. + +Infix "+%" := nat_mod_add (at level 33) : hacspec_scope. + +Definition nat_mod_mul {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.mul n a b. +Infix "*%" := nat_mod_mul (at level 33) : hacspec_scope. + +Definition nat_mod_sub {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.sub n a b. +Infix "-%" := nat_mod_sub (at level 33) : hacspec_scope. + +Definition nat_mod_div {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := GZnZ.div n a b. +Infix "/%" := nat_mod_div (at level 33) : hacspec_scope. + +(* A % B = (a * B + r) *) + +Definition nat_mod_neg {n : Z} (a:nat_mod n) : nat_mod n := GZnZ.opp n a. + +Definition nat_mod_inv {n : Z} (a:nat_mod n) : nat_mod n := GZnZ.inv n a. + +Definition nat_mod_exp_def {p : Z} (a:nat_mod p) (n : nat) : nat_mod p := + let fix exp_ (e : nat_mod p) (n : nat) := + match n with + | 0%nat => nat_mod_one + | S n => nat_mod_mul a (exp_ a n) + end in + exp_ a n. + +Definition nat_mod_exp {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). +Definition nat_mod_pow {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). +Definition nat_mod_pow_self {p} a n := @nat_mod_exp_def p a (Z.to_nat (from_uint_size n)). + +Close Scope nat_scope. +Open Scope Z_scope. + +(* We assume x < m *) +Definition nat_mod_from_secret_literal {m : Z} (x:int128) : nat_mod m. +Proof. + unfold nat_mod. + (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) + remember ((unsigned x) mod m) as zmodm. + apply (GZnZ.mkznz m zmodm). + rewrite Heqzmodm. + rewrite Zmod_mod. + reflexivity. +Defined. + +Definition nat_mod_from_literal (m : Z) (x:int128) : nat_mod m := nat_mod_from_secret_literal x. + +Axiom nat_mod_to_byte_seq_le : forall {n : Z}, nat_mod n -> seq int8. +Axiom nat_mod_to_byte_seq_be : forall {n : Z}, nat_mod n -> seq int8. +Axiom nat_mod_to_public_byte_seq_le : forall (n : Z), nat_mod n -> seq int8. +Axiom nat_mod_to_public_byte_seq_be : forall (n : Z), nat_mod n -> seq int8. + +Definition nat_mod_bit {n : Z} (a : nat_mod n) (i : uint_size) := + Z.testbit (GZnZ.val n a) (from_uint_size i). + +(* Alias for nat_mod_bit *) +Definition nat_get_mod_bit {p} (a : nat_mod p) := nat_mod_bit a. +Definition nat_mod_get_bit {p} (a : nat_mod p) n := + if (nat_mod_bit a n) + then @nat_mod_one p + else @nat_mod_zero p. + +(* +Definition nat_mod_to_public_byte_seq_le (n: pos) (len: uint_size) (x: nat_mod_mod n) : lseq pub_uint8 len = + Definition n' := n % (pow2 (8 * len)) in + Lib.ByteSequence.nat_mod_to_bytes_le len n'*) + +(* Definition nat_to_public_byte_seq_be (n: pos) (len: uint_size) (x: nat_mod n) : lseq pub_uint8 len = + Definition n' := n % (pow2 (8 * len)) in + Lib.ByteSequence.nat_to_bytes_be len n' *) + +Axiom array_declassify_eq : forall {A l}, nseq A l -> nseq A l -> bool. +Axiom array_to_le_uint32s : forall {A l}, nseq A l -> seq uint32. +Axiom array_to_be_uint32s : forall {A l}, nseq A l -> seq uint32. (* nseq uint32 (l/4) *) +Axiom array_to_le_bytes : forall {A l}, nseq A l -> seq uint8. +Axiom array_to_be_bytes : forall {A l}, nseq A l -> seq uint8. +Axiom nat_mod_from_byte_seq_le : forall {A n}, seq A -> nat_mod n. +Axiom nat_mod_from_byte_seq_be : forall {A n}, seq A -> nat_mod n. +Axiom nat_mod_from_public_byte_seq_le : forall {A n}, seq A -> nat_mod n. +Axiom nat_mod_from_public_byte_seq_be : forall {A n}, seq A -> nat_mod n. +Axiom most_significant_bit : forall {m}, nat_mod m -> uint_size -> uint_size. + + +(* We assume 2^x < m *) +Definition nat_mod_pow2 (m : Z) (x : N) : nat_mod m. +Proof. + remember (Z.pow 2 (Z.of_N x) mod m) as y. + apply (GZnZ.mkznz m y). + rewrite Heqy. + rewrite Zmod_mod. + reflexivity. +Defined. + + +Section Casting. + + (* Type casts, as defined in Section 4.5 in https://arxiv.org/pdf/1106.3448.pdf *) + Class Cast A B := cast : A -> B. + + Arguments cast {_} _ {_}. + + Notation "' x" := (cast _ x) (at level 20) : hacspec_scope. + Open Scope hacspec_scope. + + (* Casting to self is always possible *) + Global Instance cast_self {A} : Cast A A := { + cast a := a + }. + + Global Instance cast_transitive {A B C} `{Hab: Cast A B} `{Hbc: Cast B C} : Cast A C := { + cast a := Hbc (Hab a) + }. + + Global Instance cast_prod {A B C D} `{Cast A B} `{Cast C D} : Cast (A * C) (B * D) := { + cast '(a, c) := ('a, 'c) + }. + + Global Instance cast_option {A B} `{Cast A B} : Cast (option A) (option B) := { + cast a := match a with Some a => Some ('a) | None => None end + }. + + Global Instance cast_option_b {A B} `{Cast A B} : Cast A (option B) := { + cast a := Some ('a) + }. + + (* Global Instances for common types *) + + Global Instance cast_nat_to_N : Cast nat N := { + cast := N.of_nat + }. + + Global Instance cast_N_to_Z : Cast N Z := { + cast := Z.of_N + }. + + Global Instance cast_Z_to_int {WORDSIZE} : Cast Z (@int WORDSIZE) := { + cast n := repr n + }. + + Global Instance cast_natmod_to_Z {p} : Cast (nat_mod p) Z := { + cast n := GZnZ.val p n + }. + + (* Note: should be aware of typeclass resolution with int/uint since they are just aliases of each other currently *) + Global Instance cast_int8_to_uint32 : Cast int8 uint32 := { + cast n := repr (unsigned n) + }. + Global Instance cast_int8_to_int32 : Cast int8 int32 := { + cast n := repr (signed n) + }. + + Global Instance cast_uint8_to_uint32 : Cast uint8 uint32 := { + cast n := repr (unsigned n) + }. + + Global Instance cast_int_to_nat `{WORDSIZE} : Cast int nat := { + cast n := Z.to_nat (signed n) + }. + + Close Scope hacspec_scope. +End Casting. + + +Global Arguments pair {_ _} & _ _. +Global Arguments id {_} & _. +Section Coercions. + (* First, in order to have automatic coercions for tuples, we add bidirectionality hints: *) + + (* Integer coercions *) + (* We have nat >-> N >-> Z >-> int/int32 *) + (* and uint >-> Z *) + (* and N >-> nat *) + + Global Coercion N.to_nat : N >-> nat. + Global Coercion Z.of_N : N >-> Z. + + Global Coercion repr : Z >-> int. + + Definition Z_to_int `{WORDSIZE} (n : Z) : int := repr n. + Global Coercion Z_to_int : Z >-> int. + + Definition Z_to_uint_size (n : Z) : uint_size := repr n. + Global Coercion Z_to_uint_size : Z >-> uint_size. + Definition Z_to_int_size (n : Z) : int_size := repr n. + Global Coercion Z_to_int_size : Z >-> int_size. + + Definition N_to_int `{WORDSIZE} (n : N) : int := repr (Z.of_N n). + Global Coercion N.of_nat : nat >-> N. + Global Coercion N_to_int : N >-> int. + Definition N_to_uint_size (n : Z) : uint_size := repr n. + Global Coercion N_to_uint_size : Z >-> uint_size. + Definition nat_to_int `{WORDSIZE} (n : nat) := repr (Z.of_nat n). + Global Coercion nat_to_int : nat >-> int. + + Definition uint_size_to_nat (n : uint_size) : nat := from_uint_size n. + Global Coercion uint_size_to_nat : uint_size >-> nat. + + Definition uint_size_to_Z (n : uint_size) : Z := from_uint_size n. + Global Coercion uint_size_to_Z : uint_size >-> Z. + + Definition uint32_to_nat (n : uint32) : nat := unsigned n. + Global Coercion uint32_to_nat : uint32 >-> nat. + + + Global Coercion GZnZ.val : GZnZ.znz >-> Z. + + Definition int8_to_nat (n : int8) : nat := unsigned n. + Global Coercion int8_to_nat : int8 >-> nat. + Definition int16_to_nat (n : int16) : nat := unsigned n. + Global Coercion int16_to_nat : int16 >-> nat. + Definition int32_to_nat (n : int32) : nat := unsigned n. + Global Coercion int32_to_nat : int32 >-> nat. + Definition int64_to_nat (n : int64) : nat := unsigned n. + Global Coercion int64_to_nat : int64 >-> nat. + Definition int128_to_nat (n : int128) : nat := unsigned n. + Global Coercion int128_to_nat : int128 >-> nat. + + (* coercions int8 >-> int16 >-> ... int128 *) + + Definition int8_to_int16 (n : int8) : int16 := repr n. + Global Coercion int8_to_int16 : int8 >-> int16. + + Definition int8_to_int32 (n : int8) : int32 := repr n. + Global Coercion int8_to_int32 : int8 >-> int32. + + Definition int16_to_int32 (n : int16) : int32 := repr n. + Global Coercion int16_to_int32 : int16 >-> int32. + + Definition int32_to_int64 (n : int32) : int64 := repr n. + Global Coercion int32_to_int64 : int32 >-> int64. + + Definition int64_to_int128 (n : int64) : int128 := repr n. + Global Coercion int64_to_int128 : int64 >-> int128. + + Definition int32_to_int128 (n : int32) : int128 := repr n. + Global Coercion int32_to_int128 : int32 >-> int128. + + Definition uint_size_to_int64 (n : uint_size) : int64 := repr n. + Global Coercion uint_size_to_int64 : uint_size >-> int64. + + + (* coercions into nat_mod *) + Definition Z_in_nat_mod {m : Z} (x:Z) : nat_mod m. + Proof. + unfold nat_mod. + remember ((x) mod m) as zmodm. + apply (GZnZ.mkznz m zmodm). + rewrite Heqzmodm. + rewrite Zmod_mod. + reflexivity. + Defined. + (* Global Coercion Z_in_nat_mod : Z >-> nat_mod. *) + + Definition int_in_nat_mod {m : Z} `{WORDSIZE} (x:int) : nat_mod m. + Proof. + unfold nat_mod. + (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) + remember ((unsigned x) mod m) as zmodm. + apply (GZnZ.mkznz m zmodm). + rewrite Heqzmodm. + rewrite Zmod_mod. + reflexivity. + Show Proof. + Defined. + Global Coercion int_in_nat_mod : int >-> nat_mod. + + Definition uint_size_in_nat_mod (n : uint_size) : nat_mod 16 := int_in_nat_mod n. + Global Coercion uint_size_in_nat_mod : uint_size >-> nat_mod. + +End Coercions. + + +(*** Casting *) + +Definition uint128_from_usize (n : uint_size) : int128 := repr n. +Definition uint64_from_usize (n : uint_size) : int64 := repr n. +Definition uint32_from_usize (n : uint_size) : int32 := repr n. +Definition uint16_from_usize (n : uint_size) : int16 := repr n. +Definition uint8_from_usize (n : uint_size) : int8 := repr n. + +Definition uint128_from_uint8 (n : int8) : int128 := repr n. +Definition uint64_from_uint8 (n : int8) : int64 := repr n. +Definition uint32_from_uint8 (n : int8) : int32 := repr n. +Definition uint16_from_uint8 (n : int8) : int16 := repr n. +Definition usize_from_uint8 (n : int8) : uint_size := repr n. + +Definition uint128_from_uint16 (n : int16) : int128 := repr n. +Definition uint64_from_uint16 (n : int16) : int64 := repr n. +Definition uint32_from_uint16 (n : int16) : int32 := repr n. +Definition uint8_from_uint16 (n : int16) : int8 := repr n. +Definition usize_from_uint16 (n : int16) : uint_size := repr n. + +Definition uint128_from_uint32 (n : int32) : int128 := repr n. +Definition uint64_from_uint32 (n : int32) : int64 := repr n. +Definition uint16_from_uint32 (n : int32) : int16 := repr n. +Definition uint8_from_uint32 (n : int32) : int8 := repr n. +Definition usize_from_uint32 (n : int32) : uint_size := repr n. + +Definition uint128_from_uint64 (n : int64) : int128 := repr n. +Definition uint32_from_uint64 (n : int64) : int32 := repr n. +Definition uint16_from_uint64 (n : int64) : int16 := repr n. +Definition uint8_from_uint64 (n : int64) : int8 := repr n. +Definition usize_from_uint64 (n : int64) : uint_size := repr n. + +Definition uint64_from_uint128 (n : int128) : int64 := repr n. +Definition uint32_from_uint128 (n : int128) : int32 := repr n. +Definition uint16_from_uint128 (n : int128) : int16 := repr n. +Definition uint8_from_uint128 (n : int128) : int8 := repr n. +Definition usize_from_uint128 (n : int128) : uint_size := repr n. + + +(* Comparisons, boolean equality, and notation *) + +Class EqDec (A : Type) := + { eqb : A -> A -> bool ; + eqb_leibniz : forall x y, eqb x y = true <-> x = y }. + +Infix "=.?" := eqb (at level 40) : hacspec_scope. +Infix "!=.?" := (fun a b => negb (eqb a b)) (at level 40) : hacspec_scope. + +Class Comparable (A : Type) := { + ltb : A -> A -> bool; + leb : A -> A -> bool; + gtb : A -> A -> bool; + geb : A -> A -> bool; +}. +Infix "<.?" := ltb (at level 42) : hacspec_scope. +Infix "<=.?" := leb (at level 42) : hacspec_scope. +Infix ">.?" := gtb (at level 42) : hacspec_scope. +Infix ">=.?" := geb (at level 42) : hacspec_scope. + +Theorem eqb_refl : forall {A} {H : EqDec A} (x : A), @eqb A H x x = true. +Proof. + intros. + now rewrite eqb_leibniz. +Qed. + +Global Program Instance nat_eqdec : EqDec nat := { + eqb := Nat.eqb; + eqb_leibniz := Nat.eqb_eq ; +}. + +Global Instance nat_comparable : Comparable nat := { + ltb := Nat.ltb; + leb := Nat.leb; + gtb a b := Nat.ltb b a; + geb a b := Nat.leb b a; +}. + +Global Instance N_eqdec : EqDec N := { + eqb := N.eqb; + eqb_leibniz := N.eqb_eq ; +}. + +Global Instance N_comparable : Comparable N := { + ltb := N.ltb; + leb := N.leb; + gtb a b := N.ltb b a; + geb a b := N.leb b a; +}. + +Global Instance Z_eqdec : EqDec Z := { + eqb := Z.eqb; + eqb_leibniz := Z.eqb_eq ; +}. + +Global Instance Z_comparable : Comparable Z := { + ltb := Z.ltb; + leb := Z.leb; + gtb a b := Z.ltb b a; + geb a b := Z.leb b a; +}. + +Lemma int_eqb_eq : forall {WS : WORDSIZE} (a b : int), eq a b = true <-> a = b. +Proof. + intros. split. + - apply same_if_eq. + - intros. rewrite H. apply eq_true. +Qed. + +Global Instance int_eqdec `{WORDSIZE}: EqDec int := { + eqb := eq; + eqb_leibniz := int_eqb_eq ; +}. + +Global Instance int_comparable `{WORDSIZE} : Comparable int := { + ltb := lt; + leb a b := if eq a b then true else lt a b ; + gtb a b := lt b a; + geb a b := if eq a b then true else lt b a; +}. + +Definition uint8_equal : int8 -> int8 -> bool := eqb. + +Definition nat_mod_val (p : Z) (a : nat_mod p) : Z := GZnZ.val p a. + +Theorem nat_mod_eqb_spec : forall {p} (a b : nat_mod p), Z.eqb (nat_mod_val p a) (nat_mod_val p b) = true <-> a = b. +Proof. + split ; intros. + - apply Z.eqb_eq in H. + destruct a, b. + cbn in H. + apply (GZnZ.zirr p val val0 inZnZ inZnZ0 H). + - subst. + apply Z.eqb_eq. + reflexivity. +Qed. + +Global Instance nat_mod_eqdec {p} : EqDec (nat_mod p) := { + eqb a b := Z.eqb (nat_mod_val p a) (nat_mod_val p b); + eqb_leibniz := nat_mod_eqb_spec; +}. + +Global Instance nat_mod_comparable `{p : Z} : Comparable (nat_mod p) := { + ltb a b := Z.ltb (nat_mod_val p a) (nat_mod_val p b); + leb a b := if Zeq_bool a b then true else Z.ltb (nat_mod_val p a) (nat_mod_val p b) ; + gtb a b := Z.ltb (nat_mod_val p b) (nat_mod_val p a); + geb a b := if Zeq_bool b a then true else Z.ltb (nat_mod_val p b) (nat_mod_val p a) ; +}. + +Fixpoint nat_mod_rem_aux {n : Z} (a:nat_mod n) (b:nat_mod n) (f : nat) {struct f} : nat_mod n := + match f with + | O => a + | S f' => + if geb a b + then nat_mod_rem_aux (nat_mod_sub a b) b f' + else a + end. + +Definition nat_mod_rem {n : Z} (a:nat_mod n) (b:nat_mod n) : nat_mod n := + if nat_mod_equal b nat_mod_zero + then nat_mod_one + else nat_mod_rem_aux a b (S (nat_mod_div a b)). + +Infix "rem" := nat_mod_rem (at level 33) : hacspec_scope. + +Global Instance bool_eqdec : EqDec bool := { + eqb := Bool.eqb; + eqb_leibniz := Bool.eqb_true_iff; +}. + +Global Instance string_eqdec : EqDec String.string := { + eqb := String.eqb; + eqb_leibniz := String.eqb_eq ; +}. + +Global Instance unit_eqdec : EqDec unit := { + eqb := fun _ _ => true ; + eqb_leibniz := fun 'tt 'tt => (conj (fun _ => eq_refl) (fun _ => eq_refl)) ; +}. + +Require Import Sumbool. +Open Scope list_scope. + +Fixpoint list_eqdec {A} `{EqDec A} (l1 l2 : list A) : bool := + match l1, l2 with + | x::xs, y::ys => if eqb x y then list_eqdec xs ys else false + | [], [] => true + | _,_ => false + end. + +Lemma list_eqdec_refl : forall {A} `{EqDec A} (l1 : list A), list_eqdec l1 l1 = true. +Proof. + intros ; induction l1 ; cbn ; try rewrite eqb_refl ; easy. +Qed. + +Lemma list_eqdec_sound : forall {A} `{EqDec A} (l1 l2 : list A), list_eqdec l1 l2 = true <-> l1 = l2. +Proof. + intros A H l1. + induction l1 ; induction l2 ; split ; intros ; simpl in * ; try easy ; try inversion H0. + - (* inductive case *) + apply Field_theory.if_true in H0; destruct H0. + f_equal. + (* show heads are equal *) + + apply (proj1 (eqb_leibniz a a0) H0). + (* show tails are equal using induction hypothesis *) + + apply IHl1. assumption. + - rewrite eqb_refl. + apply list_eqdec_refl. +Qed. + +Global Instance List_eqdec {A} `{EqDec A} : EqDec (list A) := { + eqb := list_eqdec; + eqb_leibniz := list_eqdec_sound; +}. + +Lemma vector_eqb_sound : forall {A : Type} {n : nat} `{EqDec A} (v1 v2 : VectorDef.t A n), Vector.eqb _ eqb v1 v2 = true <-> v1 = v2. +Proof. + intros. + apply Vector.eqb_eq. + intros. + apply eqb_leibniz. +Qed. + +Global Program Instance Vector_eqdec {A n} `{EqDec A}: EqDec (VectorDef.t A n) := { + eqb := Vector.eqb _ eqb; + eqb_leibniz := vector_eqb_sound; +}. + +Global Program Instance Dec_eq_prod (A B : Type) `{EqDec A} `{EqDec B} : EqDec (A * B) := { + eqb '(a0, b0) '(a1, b1) := andb (eqb a0 a1) (eqb b0 b1) +}. +Next Obligation. + split ; intros. + - symmetry in H1. + apply Bool.andb_true_eq in H1. destruct H1. + symmetry in H1. apply (eqb_leibniz a0 a) in H1. + symmetry in H2. apply (eqb_leibniz b0 b) in H2. + rewrite H1, H2. reflexivity. + - inversion_clear H1. now do 2 rewrite eqb_refl. +Defined. + +(*** Result *) + +Inductive result (a: Type) (b: Type) := + | Ok : a -> result a b + | Err : b -> result a b. + +Arguments Ok {_ _}. +Arguments Err {_ _}. + +(*** Be Bytes *) + + +Fixpoint nat_be_range_at_position (k : nat) (z : Z) (n : Z) : list bool := + match k with + | O => [] + | S k' => Z.testbit z (n + k') :: nat_be_range_at_position k' z n + end. + +Fixpoint nat_be_range_to_position_ (z : list bool) (val : Z) : Z := + match z with + | [] => val + | x :: xs => nat_be_range_to_position_ xs ((if x then 2 ^ List.length xs else 0) + val) + end. + +Definition nat_be_range_to_position (k : nat) (z : list bool) (n : Z) : Z := + (nat_be_range_to_position_ z 0 * 2^(k * n)). + +Definition nat_be_range (k : nat) (z : Z) (n : nat) : Z := + nat_be_range_to_position_ (nat_be_range_at_position k z (n * k)) 0. (* * 2^(k * n) *) + +Compute nat_be_range 4 0 300. + +Definition u64_to_be_bytes' : int64 -> nseq int8 8 := + fun k => array_from_list (int8) [@nat_to_int WORDSIZE8 (nat_be_range 4 k 7) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 6) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 5) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 4) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 3) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 2) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 1) ; + @nat_to_int WORDSIZE8 (nat_be_range 4 k 0)]. + +Open Scope hacspec_scope. + +Definition u64_from_be_bytes_fold_fun (i : int8) (s : nat × int64) : nat × int64 := + let (n,v) := s in + (S n, v .+ (@repr WORDSIZE64 ((int8_to_nat i) * 2 ^ (4 * n)))). + +Definition u64_from_be_bytes' : nseq int8 8 -> int64 := + (fun v => snd (VectorDef.fold_right u64_from_be_bytes_fold_fun v (0, @repr WORDSIZE64 0))). + +Definition u64_to_be_bytes : int64 -> nseq int8 8 := u64_to_be_bytes'. +Definition u64_from_be_bytes : nseq int8 8 -> int64 := u64_from_be_bytes'. + +(* Definition nat_mod_to_byte_seq_be : forall {n : Z}, nat_mod n -> seq int8 := *) +(* fun k => VectorDef.of_list . *) + +(*** Monad / Bind *) + +Class Monad (M : Type -> Type) := + { bind {A B} (x : M A) (f : A -> M B) : M B ; + ret {A} (x : A) : M A ; + }. + +Definition result2 (b: Type) (a: Type) := result a b. + +Definition result_bind {A B C} (r : result2 C A) (f : A -> result2 C B) : result2 C B := + match r with + Ok a => f a + | Err e => Err e + end. + +Definition result_ret {A C} (a : A) : result2 C A := Ok a. + +Global Instance result_monad {C} : Monad (result2 C) := + Build_Monad (result2 C) (fun A B => @result_bind A B C) (fun A => @result_ret A C). + +Definition option_bind {A B} (r : option A) (f : A -> option B) : option B := + match r with + Some (a) => f a + | None => None + end. + + + +Definition option_ret {A} (a : A) : option A := Some a. + +Global Instance option_monad : Monad option := + Build_Monad option (@option_bind) (@option_ret). + +Definition option_is_none {A} (x : option A) : bool := + match x with + | None => true + | _ => false + end. + +Definition foldi_bind {A : Type} {M : Type -> Type} `{Monad M} (a : uint_size) (b : uint_size) (f : uint_size -> A -> M A) (init : M A) : M A := + @foldi (M A) a b (fun x y => bind y (f x)) init. + +Definition lift_to_result {A B C} (r : result A C) (f : A -> B) : result B C := + result_bind r (fun x => result_ret (f x)). + +Definition result_uint_size_to_result_int64 {C} (r : result uint_size C) := lift_to_result r uint_size_to_int64. + +Definition result_uint_size_unit := (result uint_size unit). +Definition result_int64_unit := (result int64 unit). + +Definition result_uint_size_unit_to_result_int64_unit (r : result_uint_size_unit) : result_int64_unit := result_uint_size_to_result_int64 r. + +Global Coercion lift_to_result_coerce {A B C} (f : A -> B) := (fun (r : result A C) => lift_to_result r f). + +Global Coercion result_uint_size_unit_to_result_int64_unit : result_uint_size_unit >-> result_int64_unit. + +(*** Notation *) + +Notation "'ifbnd' b 'then' x 'else' y '>>' f" := (if b then f x else f y) (at level 200). +Notation "'ifbnd' b 'thenbnd' x 'else' y '>>' f" := (if b then (bind x) f else f y) (at level 200). +Notation "'ifbnd' b 'then' x 'elsebnd' y '>>' f" := (if b then f x else (bind y) f) (at level 200). +Notation "'ifbnd' b 'thenbnd' x 'elsebnd' y '>>' f" := (if b then bind x f else bind y f) (at level 200). + +Notation "'foldibnd' s 'to' e 'for' z '>>' f" := (foldi s e (fun x y => bind y (f x)) (Ok z)) (at level 50). + + +(*** Default *) + +(* Default instances for common types *) +Global Instance nat_default : Default nat := { + default := 0%nat +}. +Global Instance N_default : Default N := { + default := 0%N +}. +Global Instance Z_default : Default Z := { + default := 0%Z +}. +Global Instance uint_size_default : Default uint_size := { + default := zero +}. +Global Instance int_size_default : Default int_size := { + default := zero +}. +Global Instance int_default {WS : WORDSIZE} : Default int := { + default := repr 0 +}. +Global Instance uint8_default : Default uint8 := _. +Global Instance nat_mod_default {p : Z} : Default (nat_mod p) := { + default := nat_mod_zero +}. +Global Instance prod_default {A B} `{Default A} `{Default B} : Default (A × B) := { + default := (default, default) +}. diff --git a/proof-libs/coq/coq/src/Hacspec_lib.v b/proof-libs/coq/coq/src/Hacspec_lib.v new file mode 100644 index 000000000..b274c7dd5 --- /dev/null +++ b/proof-libs/coq/coq/src/Hacspec_lib.v @@ -0,0 +1,146 @@ +(* File automatically generated by Hacspec *) +From Hacspec Require Import Hacspec_Lib MachineIntegers. + +From Coq Require Import ZArith. +Import List.ListNotations. +Open Scope Z_scope. +Open Scope bool_scope. + +From Hacspec Require Export MachineIntegers. +From Hacspec Require Export Hacspec_Lib. + +(** Should be moved to Hacspec_Lib.v **) +Definition int_xI {WS : WORDSIZE} (a : int) : int := MachineIntegers.add (MachineIntegers.mul a (repr 2)) MachineIntegers.one. +Definition int_xO {WS : WORDSIZE} (a : int) : int := MachineIntegers.mul a (repr 2). +Number Notation int Pos.of_num_int Pos.to_num_int (via positive mapping [[int_xI] => xI, [int_xO] => xO , [MachineIntegers.one] => xH]) : hacspec_scope. +Notation "0" := (repr O). +Notation U8_t := int8. +Notation U8 := id. +Notation U16_t := int16. +Notation U16 := id. +Notation U32_t := int32. +Notation U32 := id. +Notation U64_t := int64. +Notation U64 := id. +Notation U128_t := int128. +Notation U128 := id. + +Definition array_index {A: Type} `{Default A} {len : nat} (s: nseq A len) {WS} (i : @int WS) := array_index s (unsigned i). +Notation " x .[ a ]" := (array_index x a) (at level 40). +Definition array_upd {A: Type} {len : nat} (s: nseq A len) {WS} (i: @int WS) (new_v: A) : nseq A len := array_upd s (unsigned i) new_v. +Notation " x .[ i ]<- a" := (array_upd x i a) (at level 40). + +Class Addition A := add : A -> A -> A. +Notation "a .+ b" := (add a b). +Instance array_add_inst {ws : WORDSIZE} {len: nat} : Addition (nseq (@int ws) len) := { add a b := a array_add b }. +Instance int_add_inst {ws : WORDSIZE} : Addition (@int ws) := { add a b := MachineIntegers.add a b }. + +Class Subtraction A := sub : A -> A -> A. +Notation "a .- b" := (sub a b). +Instance array_sub_inst {ws : WORDSIZE} {len: nat} : Subtraction (nseq (@int ws) len) := { sub := array_join_map MachineIntegers.sub }. +Instance int_sub_inst {ws : WORDSIZE} : Subtraction (@int ws) := { sub a b := MachineIntegers.sub a b }. + +Class Multiplication A := mul : A -> A -> A. +Notation "a .* b" := (mul a b). +Instance array_mul_inst {ws : WORDSIZE} {len: nat} : Multiplication (nseq (@int ws) len) := { mul a b := a array_mul b }. +Instance int_mul_inst {ws : WORDSIZE} : Multiplication (@int ws) := { mul a b := MachineIntegers.mul a b }. + +Class Xor A := xor : A -> A -> A. +Notation "a .^ b" := (xor a b). + +Instance array_xor_inst {ws : WORDSIZE} {len: nat} : Xor (nseq (@int ws) len) := { xor a b := a array_xor b }. +Instance int_xor_inst {ws : WORDSIZE} : Xor (@int ws) := { xor a b := MachineIntegers.xor a b }. + +Definition new {A : Type} `{Default A} {len} : nseq A len := array_new_ default _. +Class array_or_seq A len := +{ as_seq : seq A ; as_nseq : nseq A len }. + +Arguments as_seq {_} {_} array_or_seq. +Arguments as_nseq {_} {_} array_or_seq. +Coercion as_seq : array_or_seq >-> seq. +Coercion as_nseq : array_or_seq >-> nseq. + +Instance nseq_array_or_seq {A len} (a : nseq A len) : array_or_seq A len := +{ as_seq := array_to_seq a ; as_nseq := a ; }. +Coercion nseq_array_or_seq : nseq >-> array_or_seq. + +Instance seq_array_or_seq {A} `{Default A} (a : seq A) : array_or_seq A (length a) := +{ as_seq := a ; as_nseq := array_from_seq _ a ; }. +Coercion seq_array_or_seq : seq >-> array_or_seq. + +Definition update {A : Type} `{Default A} {len slen} (s : nseq A len) {WS} (start : @int WS) (start_a : array_or_seq A slen) : nseq A len := +array_update (a := A) (len := len) s (unsigned start) (as_seq start_a). + +Definition to_le_U32s {A l} := array_to_le_uint32s (A := A) (l := l). +Axiom to_le_bytes : forall {ws : WORDSIZE} {len}, nseq (@int ws) len -> seq int8. +Definition from_seq {A : Type} `{Default A} {len slen} (s : array_or_seq A slen) : nseq A len := array_from_seq _ (as_seq s). + +Notation Seq_t := seq. +Notation len := (fun s => seq_len s : int32). + +Definition array_slice {a: Type} `{Default a} {len : nat} (input: nseq a len) {WS} (start: @int WS) (slice_len: @int WS) : seq a := slice (array_to_seq input) (unsigned start) (unsigned (start .+ slice_len)). +Notation slice := array_slice. +Definition seq_new {A: Type} `{Default A} {WS} (len: @int WS) : seq A := seq_new (unsigned len). +Notation new_seq := seq_new. +Notation num_exact_chunks := seq_num_exact_chunks. +Notation get_exact_chunk := seq_get_exact_chunk. +Definition set_chunk {a: Type} `{Default a} {len} (s: seq a) {WS} (chunk_len: @int WS) (chunk_num: @int WS) (chunk: array_or_seq a len) : seq a := seq_set_chunk s (unsigned chunk_len) (unsigned chunk_num) (as_seq chunk). +Definition set_exact_chunk {a} `{H : Default a} {len} s {WS} := @set_chunk a H len s WS. + Notation get_remainder_chunk := seq_get_remainder_chunk. +Notation "a <> b" := (negb (eqb a b)). + +Notation from_secret_literal := nat_mod_from_secret_literal. +Definition pow2 {m} (x : @int WORDSIZE32) := nat_mod_pow2 m (unsigned x). +Instance nat_mod_addition {n} : Addition (nat_mod n) := { add a b := a +% b }. +Instance nat_mod_subtraction {n} : Subtraction (nat_mod n) := { sub a b := a -% b }. +Instance nat_mod_multiplication {n} : Multiplication (nat_mod n) := { mul a b := a *% b }. +Definition from_slice {a: Type} `{Default a} {len slen} (x : array_or_seq a slen) {WS} (start: @int WS) (slice_len: @int WS) := array_from_slice default len (as_seq x) (unsigned start) (unsigned slice_len). +Notation zero := nat_mod_zero. +Notation to_byte_seq_le := nat_mod_to_byte_seq_le. +Notation U128_to_le_bytes := u128_to_le_bytes. +Notation U64_to_le_bytes := u64_to_le_bytes. + Notation from_byte_seq_le := nat_mod_from_byte_seq_le. +Definition from_literal {m} := nat_mod_from_literal m. +Notation inv := nat_mod_inv. +Notation update_start := array_update_start. +Notation pow := nat_mod_pow_self. +Notation bit := nat_mod_bit. + +Definition int_to_int {ws1 ws2} (i : @int ws1) : @int ws2 := repr (unsigned i). +Coercion int_to_int : int >-> int. +Notation push := seq_push. +Notation Build_secret := secret. +Notation "a -× b" := +(prod a b) (at level 80, right associativity) : hacspec_scope. +Notation Result_t := result. +Axiom TODO_name : Type. +Notation ONE := nat_mod_one. +Notation exp := nat_mod_exp. +Notation nat_mod := GZnZ.znz. +Instance nat_mod_znz_addition {n} : Addition (GZnZ.znz n) := { add a b := a +% b }. +Instance nat_mod_znz_subtraction {n} : Subtraction (GZnZ.znz n) := { sub a b := a -% b }. +Instance nat_mod_znz_multiplication {n} : Multiplication (GZnZ.znz n) := { mul a b := a *% b }. +Notation TWO := nat_mod_two. +Notation ne := (fun x y => negb (eqb x y)). +Notation eq := (eqb). +Notation rotate_right := (ror). +Notation to_be_U32s := array_to_be_uint32s. +Notation get_chunk := seq_get_chunk. +Notation num_chunks := seq_num_chunks. +Notation U64_to_be_bytes := uint64_to_be_bytes. +Notation to_be_bytes := array_to_be_bytes. +Notation U8_from_usize := uint8_from_usize. +Notation concat := seq_concat. +Notation declassify := id. +Notation U128_from_be_bytes := uint128_from_be_bytes. +Notation U128_to_be_bytes := uint128_to_be_bytes. +Notation slice_range := array_slice_range. +Notation truncate := seq_truncate. +Axiom array_to_be_uint64s : forall {A l}, nseq A l -> seq uint64. +Notation to_be_U64s := array_to_be_uint64s. +Notation classify := id. +Notation U64_from_U8 := uint64_from_uint8. +Fixpoint Build_Range_t (a b : nat) := (a,b). (* match (b - a)%nat with O => [] | S n => match b with | O => [] | S b' => Build_Range_t a b' ++ [b] end end. *) +Notation declassify_eq := eq. +Notation String_t := String.string. +(** end of: Should be moved to Hacspec_Lib.v **) From 6d62405974d095ba6923bc3bdf40e05365b1589c Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Mon, 25 Mar 2024 14:23:17 +0100 Subject: [PATCH 07/12] Move to CompCert Integer --- proof-libs/coq/coq/_CoqProject | 3 +- proof-libs/coq/coq/src/Hacspec_Integers.v | 345 ++ proof-libs/coq/coq/src/Hacspec_Lib.v | 716 +-- proof-libs/coq/coq/src/Hacspec_Types.v | 8 + proof-libs/coq/coq/src/MachineIntegers.v | 4886 --------------------- 5 files changed, 538 insertions(+), 5420 deletions(-) create mode 100644 proof-libs/coq/coq/src/Hacspec_Integers.v create mode 100644 proof-libs/coq/coq/src/Hacspec_Types.v delete mode 100644 proof-libs/coq/coq/src/MachineIntegers.v diff --git a/proof-libs/coq/coq/_CoqProject b/proof-libs/coq/coq/_CoqProject index 66b54f0db..ff25a5d44 100644 --- a/proof-libs/coq/coq/_CoqProject +++ b/proof-libs/coq/coq/_CoqProject @@ -2,7 +2,8 @@ -arg -w -arg all -src/MachineIntegers.v +src/Hacspec_Types.v +src/Hacspec_Integers.v src/Hacspec_Lib.v src/Hacspec_lib.v src/QuickChickLib.v diff --git a/proof-libs/coq/coq/src/Hacspec_Integers.v b/proof-libs/coq/coq/src/Hacspec_Integers.v new file mode 100644 index 000000000..ed373dad7 --- /dev/null +++ b/proof-libs/coq/coq/src/Hacspec_Integers.v @@ -0,0 +1,345 @@ +Global Set Warnings "-ambiguous-paths". +Global Set Warnings "-uniform-inheritance". +Global Set Warnings "-auto-template". +Global Set Warnings "-disj-pattern-notation". +(*** Integers *) +From Coq Require Import ZArith List. +Import ListNotations. +(* Require Import IntTypes. *) + +(* Require Import MachineIntegers. *) From compcert Require Import Integers. +From Coqprime Require GZnZ. + +Require Import Lia. + +Declare Scope hacspec_scope. + +Set Default Goal Selector "!". + +(*** Positive util *) + +Fixpoint binary_representation_pre (n : nat) {struct n}: positive := + match n with + | O => 1 + | S O => 1 + | S n => Pos.succ (binary_representation_pre n) + end%positive. +Definition binary_representation (n : nat) `(n <> O) := binary_representation_pre n. + +Theorem positive_is_succs : forall n, forall (H : n <> O) (K : S n <> O), + @binary_representation (S n) K = Pos.succ (@binary_representation n H). +Proof. induction n ; [contradiction | reflexivity]. Qed. + +(* Conversion of positive to binary Int8.representation *) +Theorem positive_to_positive_succs : forall p, binary_representation (Pos.to_nat p) (Nat.neq_sym _ _ (Nat.lt_neq _ _ (Pos2Nat.is_pos p))) = p. +Proof. + intros p. + generalize dependent (Nat.neq_sym 0 (Pos.to_nat p) (Nat.lt_neq 0 (Pos.to_nat p) (Pos2Nat.is_pos p))). + + destruct Pos.to_nat eqn:ptno. + - contradiction. + - generalize dependent p. + induction n ; intros. + + cbn. + apply Pos2Nat.inj. + symmetry. + apply ptno. + + rewrite positive_is_succs with (H := Nat.neq_succ_0 n). + rewrite IHn with (p := Pos.of_nat (S n)). + * rewrite <- Nat2Pos.inj_succ by apply Nat.neq_succ_0. + rewrite <- ptno. + apply Pos2Nat.id. + * apply Nat2Pos.id. + apply Nat.neq_succ_0. +Qed. + +(*** Hacspec Integers *) + +Module HacspecIntegers (WS : WORDSIZE). + + (**** Public integers *) + Include Make WS. + + Definition pub (n : Z) : int := repr n. + + (**** Operations *) + + (* Should maybe use size of s instead? *) + Definition rotate_left (u: int) (s: int) : int := rol u s. + + Definition pub_uint_wrapping_add (x y: int) : int := add x y. + + Definition shift_left_ (i : int) (j : int) := + shl i j. + + Definition shift_right_ (i : int) (j : int) := + shr i j. + + Infix "shift_left" := (shift_left_) (at level 77) : hacspec_scope. + Infix "shift_right" := (shift_right_) (at level 77) : hacspec_scope. + + Infix "%%" := Z.rem (at level 40, left associativity) : Z_scope. + Infix ".+" := (add) (at level 77) : hacspec_scope. + Infix ".-" := (sub) (at level 77) : hacspec_scope. + Notation "-" := (neg) (at level 77) : hacspec_scope. + Infix ".*" := (mul) (at level 77) : hacspec_scope. + Infix "./" := (divs) (at level 77) : hacspec_scope. + Infix ".%" := (mods) (at level 77) : hacspec_scope. + Infix ".^" := (xor) (at level 77) : hacspec_scope. + Infix ".&" := (and) (at level 77) : hacspec_scope. + Infix ".|" := (or) (at level 77) : hacspec_scope. + Infix "==" := (eq) (at level 32) : hacspec_scope. + (* Definition one := (@one WORDSIZE32). *) + (* Definition zero := (@zero WORDSIZE32). *) + Notation "A × B" := (prod A B) (at level 79, left associativity) : hacspec_scope. + +(*** Uint size util *) + +(* If a natural number is in bound then a smaller natural number is still in bound *) +Lemma range_of_nat_succ : + forall i, (Z.pred 0 < Z.of_nat (S i) < modulus)%Z -> (Z.pred 0 < Z.of_nat i < modulus)%Z. +Proof. lia. Qed. + +(* Conversion to equivalent bound *) +Lemma modulus_range_helper : + forall i, (Z.pred 0 < i < modulus)%Z -> (0 <= i <= max_unsigned)%Z. +Proof. unfold max_unsigned. lia. Qed. + +Definition unsigned_repr_alt (a : Z) `((Z.pred 0 < a < modulus)%Z) : unsigned (repr a) = a := + unsigned_repr a (modulus_range_helper a H). + +Theorem zero_always_modulus : (Z.pred 0 < 0 < modulus)%Z. +Proof. easy. Qed. + +(* any uint_size can be .represented as a natural number and a bound *) +(* this is easier for proofs, however less efficient for computation *) +(* as Z uses a binary .representation *) +Theorem int_as_nat : + forall (us: int), + { n : nat | + us = repr (Z.of_nat n) /\ (Z.pred 0 < Z.of_nat n < modulus)%Z}. +Proof. + destruct us as [intval intrange]. + exists (Z.to_nat intval). + rewrite Z2Nat.id by (apply Z.lt_pred_le ; apply intrange). + + split. + - apply mkint_eq. + rewrite Z_mod_modulus_eq. + rewrite Z.mod_small. + + reflexivity. + + lia. + - apply intrange. +Qed. + +(* destruct int as you would a natural number *) +Definition destruct_int_as_nat (a : int) : forall (P : int -> Prop), + forall (zero_case : P (repr 0)), + forall (succ_case : forall (n : nat), (Z.pred 0 < Z.of_nat n < modulus)%Z -> P (repr (Z.of_nat n))), + P a. +Proof. + intros. + destruct (int_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + destruct n. + - apply zero_case. + - apply succ_case. + apply yb. +Qed. + +Ltac destruct_int_as_nat a := + generalize dependent a ; + intros a ; + apply (destruct_int_as_nat a) ; [ pose proof (@unsigned_repr_alt 0 zero_always_modulus) | let n := fresh in let H := fresh in intros n H ; pose proof (@unsigned_repr_alt _ H)] ; intros. + +(* induction for int as you would do for a natural number *) +Definition induction_int_as_nat : + forall (P : int -> Prop), + (P (repr 0)) -> + (forall n, + (Z.pred 0 < Z.succ (Z.of_nat n) < @modulus)%Z -> + P (repr (Z.of_nat n)) -> + P (repr (Z.succ (Z.of_nat n)))) -> + forall (a : int), P a. +Proof. + intros P H_zero H_ind a. + destruct (int_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + induction n. + - apply H_zero. + - rewrite Nat2Z.inj_succ. + apply H_ind. + + rewrite <- Nat2Z.inj_succ. + apply yb. + + apply IHn. + lia. +Qed. + +Ltac induction_int_as_nat var := + generalize dependent var ; + intros var ; + apply induction_int_as_nat with (a := var) ; [ pose proof (@unsigned_repr_alt 0 zero_always_modulus) | let n := fresh in let IH := fresh in intros n IH ; pose proof (@unsigned_repr_alt _ IH)] ; intros. + +(* conversion of usize to positive or zero and the respective bound *) +Theorem int_as_positive : + forall (us: int), + { pu : unit + positive | + match pu with inl u => us = repr Z0 | inr p => us = repr (Z.pos p) /\ (Z.pred 0 < Z.pos p < @modulus)%Z end + }. +Proof. + destruct us as [intval intrange]. + destruct intval. + - exists (inl tt). apply mkint_eq. reflexivity. + - exists (inr p). + split. + + apply mkint_eq. + rewrite Z_mod_modulus_eq. + symmetry. + apply Zmod_small. + lia. + + apply intrange. + - exfalso. + lia. +Defined. + +(* destruction of int as positive *) +Definition destruct_int_as_positive (a : int) : forall (P : int -> Prop), + (P (repr 0)) -> + (forall b, (Z.pred 0 < Z.pos b < @modulus)%Z -> P (repr (Z.pos b))) -> + P a. +Proof. + intros P H_zero H_succ. + destruct (int_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - apply H_succ. + apply yb. +Qed. + +Ltac destruct_int_as_positive a := + generalize dependent a ; + intros a ; + apply (destruct_int_as_positive a) ; intros. + +(* induction of int as positive *) +Definition induction_int_as_positive : + forall (P : int -> Prop), + (P (repr 0)) -> + (P (repr 1)) -> + (forall b, + (Z.pred 0 < Z.succ (Z.pos b) < @modulus)%Z -> + P (repr (Z.pos b)) -> + P (repr (Z.succ (Z.pos b)))) -> + forall (a : int), P a. +Proof. + intros P H_zero H_one H_ind a. + + destruct (int_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - pose proof (pos_succ_b := positive_to_positive_succs b) + ; symmetry in pos_succ_b + ; rewrite pos_succ_b in * + ; clear pos_succ_b. + + generalize dependent (Nat.neq_sym 0 (Pos.to_nat b) (Nat.lt_neq 0 (Pos.to_nat b) (Pos2Nat.is_pos b))). + + induction (Pos.to_nat b). + + contradiction. + + intros n_neq yb. + destruct n. + * apply H_one. + * rewrite (positive_is_succs _ (Nat.neq_succ_0 n) n_neq) in *. + rewrite Pos2Z.inj_succ in *. + apply H_ind. + -- apply yb. + -- apply IHn. + lia. +Qed. + +Ltac induction_int_as_positive var := + generalize dependent var ; + intros var ; + apply induction_int_as_positive with (a := var) ; intros ; [ | | ]. + +End HacspecIntegers. + +Module Wordsize_16 : WORDSIZE. + Definition wordsize := 16. + Theorem wordsize_not_zero : wordsize <> 0%nat. easy. Qed. +End Wordsize_16. + +Module Wordsize_128 : WORDSIZE. + Definition wordsize := 128. + Theorem wordsize_not_zero : wordsize <> 0%nat. easy. Qed. +End Wordsize_128. + +Module Int8 := HacspecIntegers Wordsize_8. +Module Int16 := HacspecIntegers Wordsize_16. +Module Int32 := HacspecIntegers Wordsize_32. +Module Int64 := HacspecIntegers Wordsize_64. +Module Int128 := HacspecIntegers Wordsize_128. + +Definition int8 := Int8.int. +Definition int16 := Int16.int. +Definition int32 := Int32.int. +Definition int64 := Int64.int. +Definition int128 := Int128.int. + +(* CompCert integers' signedness is only interpreted through 'signed' and 'unsigned', + and not in the representation. Therefore, uints are just names for their respective ints. + *) +Definition uint8 := int8. +Definition uint16 := int16. +Definition uint32 := int32. +Definition uint64 := int64. +Definition uint128 := int128. + +Definition uint_size := int32. +Definition int_size := int32. + +Axiom declassify_usize_from_uint8 : uint8 -> uint_size. + +(* Represents any type that can be converted to uint_size and back *) +Class UInt_sizable (A : Type) := { + usize : A -> uint_size; + from_uint_size : uint_size -> A; +}. +Arguments usize {_} {_}. +Arguments from_uint_size {_} {_}. + +Global Instance nat_uint_sizable : UInt_sizable nat := { + usize n := Int32.repr (Z.of_nat n); + from_uint_size n := Z.to_nat (Int32.unsigned n); +}. + +Global Instance N_uint_sizable : UInt_sizable N := { + usize n := Int32.repr (Z.of_N n); + from_uint_size n := Z.to_N (Int32.unsigned n); +}. + +Global Instance Z_uint_sizable : UInt_sizable Z := { + usize n := Int32.repr n; + from_uint_size n := Int32.unsigned n; +}. + + +(* Same, but for int_size *) +Class Int_sizable (A : Type) := { + isize : A -> int_size; + from_int_size : int_size -> A; +}. + +Arguments isize {_} {_}. +Arguments from_int_size {_} {_}. + +Global Instance nat_Int_sizable : Int_sizable nat := { + isize n := Int32.repr (Z.of_nat n); + from_int_size n := Z.to_nat (Int32.signed n); +}. + +Global Instance N_Int_sizable : Int_sizable N := { + isize n := Int32.repr (Z.of_N n); + from_int_size n := Z.to_N (Int32.signed n); +}. + +Global Instance Z_Int_sizable : Int_sizable Z := { + isize n := Int32.repr n; + from_int_size n := Int32.signed n; +}. diff --git a/proof-libs/coq/coq/src/Hacspec_Lib.v b/proof-libs/coq/coq/src/Hacspec_Lib.v index db9798fa4..24b0bb9ed 100644 --- a/proof-libs/coq/coq/src/Hacspec_Lib.v +++ b/proof-libs/coq/coq/src/Hacspec_Lib.v @@ -7,369 +7,16 @@ From Coq Require Import ZArith List. Import ListNotations. (* Require Import IntTypes. *) -Require Import MachineIntegers. +(* Require Import MachineIntegers. *) From compcert Require Import Integers. From Coqprime Require GZnZ. Require Import Lia. Declare Scope hacspec_scope. -Axiom secret : forall {WS : WORDSIZE}, (@int WS) -> (@int WS). - -Axiom uint8_declassify : int8 -> int8. -Axiom int8_declassify : int8 -> int8. -Axiom uint16_declassify : int16 -> int16. -Axiom int16_declassify : int16 -> int16. -Axiom uint32_declassify : int32 -> int32. -Axiom int32_declassify : int32 -> int32. -Axiom uint64_declassify : int64 -> int64. -Axiom int64_declassify : int64 -> int64. -Axiom uint128_declassify : int128 -> int128. -Axiom int128_declassify : int128 -> int128. - -Axiom uint8_classify : int8 -> int8. -Axiom int8_classify : int8 -> int8. -Axiom uint16_classify : int16 -> int16. -Axiom int16_classify : int16 -> int16. -Axiom uint32_classify : int32 -> int32. -Axiom int32_classify : int32 -> int32. -Axiom uint64_classify : int64 -> int64. -Axiom int64_classify : int64 -> int64. -Axiom uint128_classify : int128 -> int128. -Axiom int128_classify : int128 -> int128. - - -(* CompCert integers' signedness is only interpreted through 'signed' and 'unsigned', - and not in the representation. Therefore, uints are just names for their respective ints. -*) -Definition uint8 := int8. -Definition uint16 := int16. -Definition uint32 := int32. -Definition uint64 := int64. -Definition uint128 := int128. - -Definition uint_size := int32. -Definition int_size := int32. - -Axiom declassify_usize_from_uint8 : uint8 -> uint_size. - -(* Represents any type that can be converted to uint_size and back *) -Class UInt_sizable (A : Type) := { - usize : A -> uint_size; - from_uint_size : uint_size -> A; -}. -Arguments usize {_} {_}. -Arguments from_uint_size {_} {_}. - -Global Instance nat_uint_sizable : UInt_sizable nat := { - usize n := repr (Z.of_nat n); - from_uint_size n := Z.to_nat (unsigned n); -}. - -Global Instance N_uint_sizable : UInt_sizable N := { - usize n := repr (Z.of_N n); - from_uint_size n := Z.to_N (unsigned n); -}. - -Global Instance Z_uint_sizable : UInt_sizable Z := { - usize n := repr n; - from_uint_size n := unsigned n; -}. - - -(* Same, but for int_size *) -Class Int_sizable (A : Type) := { - isize : A -> int_size; - from_int_size : int_size -> A; -}. - -Arguments isize {_} {_}. -Arguments from_int_size {_} {_}. - -Global Instance nat_Int_sizable : Int_sizable nat := { - isize n := repr (Z.of_nat n); - from_int_size n := Z.to_nat (signed n); -}. - -Global Instance N_Int_sizable : Int_sizable N := { - isize n := repr (Z.of_N n); - from_int_size n := Z.to_N (signed n); -}. - -Global Instance Z_Int_sizable : Int_sizable Z := { - isize n := repr n; - from_int_size n := signed n; -}. - - -(**** Public integers *) - -Definition pub_u8 (n : Z) : int8 := repr n. -Definition pub_i8 (n : Z) : int8 := repr n. -Definition pub_u16 (n : Z) : int16 := repr n. -Definition pub_i16 (n : Z) : int16 := repr n. -Definition pub_u32 (n : Z) : int32 := repr n. -Definition pub_i32 (n : Z) : int32 := repr n. -Definition pub_u64 (n : Z) : int64 := repr n. -Definition pub_i64 (n : Z) : int64 := repr n. -Definition pub_u128 (n : Z) : int128 := repr n. -Definition pub_i128 (n : Z) : int128 := repr n. - -(**** Operations *) - -(* Should maybe use size of s instead? *) -Definition uint8_rotate_left (u: int8) (s: int8) : int8 := rol u s. -Definition uint8_rotate_right (u: int8) (s: int8) : int8 := ror u s. - -Definition uint16_rotate_left (u: int16) (s: int16) : int16 := rol u s. -Definition uint16_rotate_right (u: int16) (s: int16) : int16 := ror u s. - -Definition uint32_rotate_left (u: int32) (s: int32) : int32 := rol u s. -Definition uint32_rotate_right (u: int32) (s: int32) : int32 := ror u s. - -Definition uint64_rotate_left (u: int64) (s: int64) : int64 := rol u s. -Definition uint64_rotate_right (u: int64) (s: int64) : int64 := ror u s. - -Definition uint128_rotate_left (u: int128) (s: int128) : int128 := rol u s. -Definition uint128_rotate_right (u: int128) (s: int128) : int128 := ror u s. - -(* should use size u instead of u? *) -Definition usize_shift_right (u: uint_size) (s: int32) : uint_size := ror u s. -Infix "usize_shift_right" := (usize_shift_right) (at level 77) : hacspec_scope. - -(* should use size u instead of u? *) -Definition usize_shift_left (u: uint_size) (s: int32) : uint_size := rol u s. -Infix "usize_shift_left" := (usize_shift_left) (at level 77) : hacspec_scope. - -Definition pub_uint128_wrapping_add (x y: int128) : int128 := add x y. - -Definition shift_left_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := - MachineIntegers.shl i (repr (from_uint_size j)). - -Definition shift_right_ `{WS : WORDSIZE} (i : @int WS) (j : uint_size) := - MachineIntegers.shr i (repr (from_uint_size j)) . - -Infix "shift_left" := (shift_left_) (at level 77) : hacspec_scope. -Infix "shift_right" := (shift_right_) (at level 77) : hacspec_scope. - -Infix "%%" := Z.rem (at level 40, left associativity) : Z_scope. -Infix ".+" := (MachineIntegers.add) (at level 77) : hacspec_scope. -Infix ".-" := (MachineIntegers.sub) (at level 77) : hacspec_scope. -Notation "-" := (MachineIntegers.neg) (at level 77) : hacspec_scope. -Infix ".*" := (MachineIntegers.mul) (at level 77) : hacspec_scope. -Infix "./" := (MachineIntegers.divs) (at level 77) : hacspec_scope. -Infix ".%" := (MachineIntegers.mods) (at level 77) : hacspec_scope. -Infix ".^" := (MachineIntegers.xor) (at level 77) : hacspec_scope. -Infix ".&" := (MachineIntegers.and) (at level 77) : hacspec_scope. -Infix ".|" := (MachineIntegers.or) (at level 77) : hacspec_scope. -Infix "==" := (MachineIntegers.eq) (at level 32) : hacspec_scope. -(* Definition one := (@one WORDSIZE32). *) -(* Definition zero := (@zero WORDSIZE32). *) -Notation "A × B" := (prod A B) (at level 79, left associativity) : hacspec_scope. - -(*** Positive util *) - -Fixpoint binary_representation_pre (n : nat) {struct n}: positive := - match n with - | O => 1 - | S O => 1 - | S n => Pos.succ (binary_representation_pre n) - end%positive. -Definition binary_representation (n : nat) `(n <> O) := binary_representation_pre n. - -Theorem positive_is_succs : forall n, forall (H : n <> O) (K : S n <> O), - @binary_representation (S n) K = Pos.succ (@binary_representation n H). -Proof. induction n ; [contradiction | reflexivity]. Qed. - -(* Conversion of positive to binary representation *) -Theorem positive_to_positive_succs : forall p, binary_representation (Pos.to_nat p) (Nat.neq_sym _ _ (Nat.lt_neq _ _ (Pos2Nat.is_pos p))) = p. -Proof. - intros p. - generalize dependent (Nat.neq_sym 0 (Pos.to_nat p) (Nat.lt_neq 0 (Pos.to_nat p) (Pos2Nat.is_pos p))). - - destruct Pos.to_nat eqn:ptno. - - contradiction. - - generalize dependent p. - induction n ; intros. - + cbn. - apply Pos2Nat.inj. - symmetry. - apply ptno. - + rewrite positive_is_succs with (H := Nat.neq_succ_0 n). - rewrite IHn with (p := Pos.of_nat (S n)). - * rewrite <- Nat2Pos.inj_succ by apply Nat.neq_succ_0. - rewrite <- ptno. - apply Pos2Nat.id. - * apply Nat2Pos.id. - apply Nat.neq_succ_0. -Qed. - -(*** Uint size util *) - -(* If a natural number is in bound then a smaller natural number is still in bound *) -Lemma range_of_nat_succ : - forall {WS : WORDSIZE}, - forall i, (Z.pred 0 < Z.of_nat (S i) < modulus)%Z -> (Z.pred 0 < Z.of_nat i < modulus)%Z. -Proof. lia. Qed. - -(* Conversion to equivalent bound *) -Lemma modulus_range_helper : - forall {WS : WORDSIZE}, - forall i, (Z.pred 0 < i < modulus)%Z -> (0 <= i <= max_unsigned)%Z. -Proof. unfold max_unsigned. lia. Qed. - -Definition unsigned_repr_alt {WS : WORDSIZE} (a : Z) `((Z.pred 0 < a < modulus)%Z) : unsigned (repr a) = a := - unsigned_repr a (modulus_range_helper a H). - -Theorem zero_always_modulus {WS : WORDSIZE} : (Z.pred 0 < 0 < modulus)%Z. -Proof. easy. Qed. - -(* any uint_size can be represented as a natural number and a bound *) -(* this is easier for proofs, however less efficient for computation *) -(* as Z uses a binary representation *) -Theorem uint_size_as_nat : - forall (us: uint_size), - { n : nat | - us = repr (Z.of_nat n) /\ (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z}. -Proof. - destruct us. - exists (Z.to_nat intval). - rewrite Z2Nat.id by (apply Z.lt_pred_le ; apply intrange). - - split. - - apply mkint_eq. - rewrite Z_mod_modulus_eq. - rewrite Z.mod_small. - + reflexivity. - + lia. - - apply intrange. -Qed. - -(* destruct uint_size as you would a natural number *) -Definition destruct_uint_size_as_nat (a : uint_size) : forall (P : uint_size -> Prop), - forall (zero_case : P (repr 0)), - forall (succ_case : forall (n : nat), (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z -> P (repr (Z.of_nat n))), - P a. -Proof. - intros. - destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. - destruct n. - - apply zero_case. - - apply succ_case. - apply yb. -Qed. - -Ltac destruct_uint_size_as_nat a := - generalize dependent a ; - intros a ; - apply (destruct_uint_size_as_nat a) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let H := fresh in intros n H ; pose proof (@unsigned_repr_alt WORDSIZE32 _ H)] ; intros. - -(* induction for uint_size as you would do for a natural number *) -Definition induction_uint_size_as_nat : - forall (P : uint_size -> Prop), - (P (repr 0)) -> - (forall n, - (Z.pred 0 < Z.succ (Z.of_nat n) < @modulus WORDSIZE32)%Z -> - P (repr (Z.of_nat n)) -> - P (repr (Z.succ (Z.of_nat n)))) -> - forall (a : uint_size), P a. -Proof. - intros P H_zero H_ind a. - destruct (uint_size_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. - induction n. - - apply H_zero. - - rewrite Nat2Z.inj_succ. - apply H_ind. - + rewrite <- Nat2Z.inj_succ. - apply yb. - + apply IHn. - lia. -Qed. - -Ltac induction_uint_size_as_nat var := - generalize dependent var ; - intros var ; - apply induction_uint_size_as_nat with (a := var) ; [ pose proof (@unsigned_repr_alt WORDSIZE32 0 zero_always_modulus) | let n := fresh in let IH := fresh in intros n IH ; pose proof (@unsigned_repr_alt WORDSIZE32 _ IH)] ; intros. - -(* conversion of usize to positive or zero and the respective bound *) -Theorem uint_size_as_positive : - forall (us: uint_size), - { pu : unit + positive | - match pu with inl u => us = repr Z0 | inr p => us = repr (Z.pos p) /\ (Z.pred 0 < Z.pos p < @modulus WORDSIZE32)%Z end - }. -Proof. - destruct us. - destruct intval. - - exists (inl tt). apply mkint_eq. reflexivity. - - exists (inr p). - split. - + apply mkint_eq. - rewrite Z_mod_modulus_eq. - symmetry. - apply Zmod_small. - lia. - + apply intrange. - - exfalso. - lia. -Defined. - -(* destruction of uint_size as positive *) -Definition destruct_uint_size_as_positive (a : uint_size) : forall (P : uint_size -> Prop), - (P (repr 0)) -> - (forall b, (Z.pred 0 < Z.pos b < @modulus WORDSIZE32)%Z -> P (repr (Z.pos b))) -> - P a. -Proof. - intros P H_zero H_succ. - destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. - - apply H_zero. - - apply H_succ. - apply yb. -Qed. - -Ltac destruct_uint_size_as_positive a := - generalize dependent a ; - intros a ; - apply (destruct_uint_size_as_positive a) ; intros. - -(* induction of uint_size as positive *) -Definition induction_uint_size_as_positive : - forall (P : uint_size -> Prop), - (P (repr 0)) -> - (P (repr 1)) -> - (forall b, - (Z.pred 0 < Z.succ (Z.pos b) < @modulus WORDSIZE32)%Z -> - P (repr (Z.pos b)) -> - P (repr (Z.succ (Z.pos b)))) -> - forall (a : uint_size), P a. -Proof. - intros P H_zero H_one H_ind a. - - destruct (uint_size_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. - - apply H_zero. - - pose proof (pos_succ_b := positive_to_positive_succs b) - ; symmetry in pos_succ_b - ; rewrite pos_succ_b in * - ; clear pos_succ_b. - - generalize dependent (Nat.neq_sym 0 (Pos.to_nat b) (Nat.lt_neq 0 (Pos.to_nat b) (Pos2Nat.is_pos b))). - - induction (Pos.to_nat b). - + contradiction. - + intros n_neq yb. - destruct n. - * apply H_one. - * rewrite (positive_is_succs _ (Nat.neq_succ_0 n) n_neq) in *. - rewrite Pos2Z.inj_succ in *. - apply H_ind. - -- apply yb. - -- apply IHn. - lia. -Qed. +Require Import Hacspec_Types. +Require Import Hacspec_Integers. -Ltac induction_uint_size_as_positive var := - generalize dependent var ; - intros var ; - apply induction_uint_size_as_positive with (a := var) ; intros ; [ | | ]. (*** Loops *) @@ -382,7 +29,7 @@ Fixpoint foldi_ (cur : acc) : acc := match fuel with | 0 => cur - | S n' => foldi_ n' (add i one) f (f i cur) + | S n' => foldi_ n' (Int32.add i Int32.one) f (f i cur) end. Close Scope nat_scope. Definition foldi @@ -391,7 +38,7 @@ Definition foldi (hi: uint_size) (* {lo <= hi} *) (f: (uint_size) -> acc -> acc) (* {i < hi} *) (init: acc) : acc := - match Z.sub (unsigned hi) (unsigned lo) with + match Z.sub (Int32.unsigned hi) (Int32.unsigned lo) with | Z0 => init | Zneg p => init | Zpos p => foldi_ (Pos.to_nat p) lo f init @@ -425,7 +72,7 @@ Lemma foldi__move_S : (i : uint_size) (f : uint_size -> acc -> acc) (cur : acc), - foldi_ fuel (add i one) f (f i cur) = foldi_ (S fuel) i f cur. + foldi_ fuel (Int32.add i Int32.one) f (f i cur) = foldi_ (S fuel) i f cur. Proof. reflexivity. Qed. Lemma foldi__nat_move_S : @@ -444,29 +91,29 @@ Lemma foldi__move_S_fuel : (i : uint_size) (f : uint_size -> acc -> acc) (cur : acc), - (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> - f (add (repr (Z.of_nat fuel)) i) (foldi_ (fuel) i f cur) = foldi_ (S (fuel)) i f cur. + (0 <= Z.of_nat fuel <= Int32.max_unsigned)%Z -> + f (Int32.add (Int32.repr (Z.of_nat fuel)) i) (foldi_ (fuel) i f cur) = foldi_ (S (fuel)) i f cur. Proof. intros acc fuel. induction fuel ; intros. - cbn. - replace (repr 0) with (@zero WORDSIZE32) by reflexivity. - rewrite add_zero_l. + replace (Int32.repr 0) with (Int32.zero) by reflexivity. + rewrite Int32.add_zero_l. reflexivity. - do 2 rewrite <- foldi__move_S. - replace (add (repr (Z.of_nat (S fuel))) i) - with (add (repr (Z.of_nat fuel)) (add i one)). + replace (Int32.add (Int32.repr (Z.of_nat (S fuel))) i) + with (Int32.add (Int32.repr (Z.of_nat fuel)) (Int32.add i Int32.one)). 2 : { - rewrite <- (add_commut one). - rewrite <- add_assoc. + rewrite <- (Int32.add_commut Int32.one). + rewrite <- Int32.add_assoc. f_equal. - unfold add. + unfold Int32.add. f_equal. - rewrite unsigned_one. + rewrite Int32.unsigned_one. rewrite Z.add_1_r. rewrite Nat2Z.inj_succ. f_equal. - apply unsigned_repr. + apply Int32.unsigned_repr. lia. } rewrite IHfuel. @@ -481,7 +128,7 @@ Lemma foldi__nat_move_S_fuel : (i : nat) (f : nat -> acc -> acc) (cur : acc), - (0 <= Z.of_nat fuel <= @max_unsigned WORDSIZE32)%Z -> + (0 <= Z.of_nat fuel <= @Int32.max_unsigned)%Z -> f (fuel + i)%nat (foldi_nat_ fuel i f cur) = foldi_nat_ (S fuel) i f cur. Proof. induction fuel ; intros. @@ -500,20 +147,20 @@ Lemma foldi_to_foldi_nat : (hi: uint_size) (* {lo <= hi} *) (f: (uint_size) -> acc -> acc) (* {i < hi} *) (init: acc), - (unsigned lo <= unsigned hi)%Z -> - foldi lo hi f init = foldi_nat (Z.to_nat (unsigned lo)) (Z.to_nat (unsigned hi)) (fun x => f (repr (Z.of_nat x))) init. + (Int32.unsigned lo <= Int32.unsigned hi)%Z -> + foldi lo hi f init = foldi_nat (Z.to_nat (Int32.unsigned lo)) (Z.to_nat (Int32.unsigned hi)) (fun x => f (Int32.repr (Z.of_nat x))) init. Proof. intros. unfold foldi. unfold foldi_nat. - destruct (uint_size_as_nat hi) as [ hi_n [ hi_eq hi_H ] ] ; subst. - rewrite (@unsigned_repr_alt WORDSIZE32 _ hi_H) in *. + destruct (Int32.int_as_nat hi) as [ hi_n [ hi_eq hi_H ] ] ; subst. + rewrite (Int32.unsigned_repr_alt _ hi_H) in *. rewrite Nat2Z.id. - destruct (uint_size_as_nat lo) as [ lo_n [ lo_eq lo_H ] ] ; subst. - rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. + destruct (Int32.int_as_nat lo) as [ lo_n [ lo_eq lo_H ] ] ; subst. + rewrite (Int32.unsigned_repr_alt _ lo_H) in *. rewrite Nat2Z.id. remember (hi_n - lo_n)%nat as n. @@ -521,12 +168,12 @@ Proof. rewrite (Nat2Z.inj_sub) in Heqn by (apply Nat2Z.inj_le ; apply H). rewrite <- Heqn. - assert (H_bound : (Z.pred 0 < Z.of_nat n < @modulus WORDSIZE32)%Z) by lia. + assert (H_bound : (Z.pred 0 < Z.of_nat n < Int32.modulus)%Z) by lia. clear Heqn. induction n. - reflexivity. - - pose proof (H_max_bound := modulus_range_helper _ (range_of_nat_succ _ H_bound)). + - pose proof (H_max_bound := Int32.modulus_range_helper _ (Int32.range_of_nat_succ _ H_bound)). rewrite <- foldi__nat_move_S_fuel by apply H_max_bound. cbn. rewrite SuccNat2Pos.id_succ. @@ -534,17 +181,17 @@ Proof. destruct n. + cbn. - replace (repr 0) with (@zero WORDSIZE32) by reflexivity. - rewrite add_zero_l. + replace (Int32.repr 0) with (Int32.zero) by reflexivity. + rewrite Int32.add_zero_l. reflexivity. + cbn in *. - assert (H_bound_pred: (Z.pred 0 < Z.pos (Pos.of_succ_nat n) < @modulus WORDSIZE32)%Z) by lia. + assert (H_bound_pred: (Z.pred 0 < Z.pos (Pos.of_succ_nat n) < @Int32.modulus)%Z) by lia. rewrite <- (IHn H_bound_pred) ; clear IHn. f_equal. - * unfold add. + * unfold Int32.add. f_equal. - rewrite (@unsigned_repr_alt WORDSIZE32 _ lo_H) in *. - rewrite (unsigned_repr_alt _ H_bound_pred). + rewrite (Int32.unsigned_repr_alt _ lo_H) in *. + rewrite (Int32.unsigned_repr_alt _ H_bound_pred). do 2 rewrite Zpos_P_of_succ_nat. rewrite Z.add_succ_l. f_equal. @@ -639,7 +286,7 @@ Lemma foldi_split : (hi: uint_size) (* {lo <= hi} *) (f: uint_size -> acc -> acc) (* {i < hi} *) (init: acc), - forall {guarantee: (unsigned lo <= unsigned mid <= unsigned hi)%Z}, + forall {guarantee: (Int32.unsigned lo <= Int32.unsigned mid <= Int32.unsigned hi)%Z}, foldi lo hi f init = foldi mid hi f (foldi lo mid f init). Proof. intros. @@ -658,13 +305,6 @@ Global Arguments default {_} {_}. (*** Seq *) -Definition nseq := VectorDef.t. - -Definition seq (A : Type) := list A. - -(* Automatic conversion from nseq/vector/array to seq/list *) -(* Global Coercion VectorDef.to_list : VectorDef.t >-> list. *) - Definition public_byte_seq := seq int8. Definition byte_seq := seq int8. Definition list_len := length. @@ -1005,12 +645,12 @@ Definition seq_set_chunk Definition seq_num_exact_chunks {a} (l : seq a) (chunk_size : uint_size) : uint_size := - divs (repr (Z.of_nat (length l))) chunk_size. + Int32.divs (Int32.repr (Z.of_nat (length l))) chunk_size. (* Until #84 is fixed this returns an empty sequence if not enough *) Definition seq_get_exact_chunk {a} (l : seq a) (chunk_size chunk_num: uint_size) : seq a := let '(len, chunk) := seq_get_chunk l (from_uint_size chunk_size) (from_uint_size chunk_num) in - if eq len chunk_size then [] else chunk. + if Int32.eq len chunk_size then [] else chunk. Definition seq_set_exact_chunk {a} `{H : Default a} := @seq_set_chunk a H. @@ -1021,18 +661,10 @@ Definition seq_get_remainder_chunk : forall {a}, seq a -> uint_size -> seq a := chunks - 1 else 0 in let (len, chunk) := seq_get_chunk l (from_uint_size chunk_size) last_chunk in - if eq len chunk_size then + if Int32.eq len chunk_size then [] else chunk. -Fixpoint seq_xor_ {WS} (x : seq int) (y : seq int) : seq int := - match x, y with - | (x :: xs), (y :: ys) => @MachineIntegers.xor WS x y :: (seq_xor_ xs ys) - | [], y => y - | x, [] => x - end. -Infix "seq_xor" := seq_xor_ (at level 33) : hacspec_scope. - Fixpoint seq_truncate {a} (x : seq a) (n : nat) : seq a := (* uint_size *) match x, n with | _, 0 => [] @@ -1056,13 +688,17 @@ Definition array_join_map array_upd out i (op (array_index s1 i) (array_index s2 i)) ) out. -Infix "array_xor" := (array_join_map xor) (at level 33) : hacspec_scope. -Infix "array_add" := (array_join_map add) (at level 33) : hacspec_scope. -Infix "array_minus" := (array_join_map sub) (at level 33) : hacspec_scope. -Infix "array_mul" := (array_join_map mul) (at level 33) : hacspec_scope. -Infix "array_div" := (array_join_map divs) (at level 33) : hacspec_scope. -Infix "array_or" := (array_join_map or) (at level 33) : hacspec_scope. -Infix "array_and" := (array_join_map and) (at level 33) : hacspec_scope. +Module ArrayJoint (WS : WORDSIZE). + Include (HacspecIntegers WS). + Import Int. + Infix "array_xor" := (array_join_map xor) (at level 33) : hacspec_scope. + Infix "array_add" := (array_join_map add) (at level 33) : hacspec_scope. + Infix "array_minus" := (array_join_map sub) (at level 33) : hacspec_scope. + Infix "array_mul" := (array_join_map mul) (at level 33) : hacspec_scope. + Infix "array_div" := (array_join_map divs) (at level 33) : hacspec_scope. + Infix "array_or" := (array_join_map or) (at level 33) : hacspec_scope. + Infix "array_and" := (array_join_map and) (at level 33) : hacspec_scope. +End ArrayJoint. Definition array_eq_ {a: Type} @@ -1144,9 +780,22 @@ Definition nat_mod_exp_def {p : Z} (a:nat_mod p) (n : nat) : nat_mod p := end in exp_ a n. -Definition nat_mod_exp {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). -Definition nat_mod_pow {WS} {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned WS n)). -Definition nat_mod_pow_self {p} a n := @nat_mod_exp_def p a (Z.to_nat (from_uint_size n)). +Module temp (WS : WORDSIZE). + Include HacspecIntegers WS. + Definition nat_mod_exp {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned n)). + Definition nat_mod_pow {p} a n := @nat_mod_exp_def p a (Z.to_nat (@unsigned n)). + Definition nat_mod_pow_self {p} a n := @nat_mod_exp_def p a (Z.to_nat (from_uint_size n)). +End temp. +Module temp8 := temp Wordsize_8. +Module temp16 := temp Wordsize_16. +Module temp32 := temp Wordsize_32. +Module temp64 := temp Wordsize_64. +Module temp128 := temp Wordsize_128. +Import temp8. +Import temp16. +Import temp32. +Import temp64. +Import temp128. Close Scope nat_scope. Open Scope Z_scope. @@ -1156,7 +805,7 @@ Definition nat_mod_from_secret_literal {m : Z} (x:int128) : nat_mod m. Proof. unfold nat_mod. (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) - remember ((unsigned x) mod m) as zmodm. + remember ((Int128.unsigned x) mod m) as zmodm. apply (GZnZ.mkznz m zmodm). rewrite Heqzmodm. rewrite Zmod_mod. @@ -1253,9 +902,9 @@ Section Casting. cast := Z.of_N }. - Global Instance cast_Z_to_int {WORDSIZE} : Cast Z (@int WORDSIZE) := { - cast n := repr n - }. + (* Global Instance cast_Z_to_int {WORDSIZE} : Cast Z (@int WORDSIZE) := { *) + (* cast n := repr n *) + (* }. *) Global Instance cast_natmod_to_Z {p} : Cast (nat_mod p) Z := { cast n := GZnZ.val p n @@ -1263,19 +912,19 @@ Section Casting. (* Note: should be aware of typeclass resolution with int/uint since they are just aliases of each other currently *) Global Instance cast_int8_to_uint32 : Cast int8 uint32 := { - cast n := repr (unsigned n) + cast n := Int32.repr (Int8.unsigned n) }. Global Instance cast_int8_to_int32 : Cast int8 int32 := { - cast n := repr (signed n) + cast n := Int32.repr (Int8.signed n) }. Global Instance cast_uint8_to_uint32 : Cast uint8 uint32 := { - cast n := repr (unsigned n) + cast n := Int32.repr (Int8.unsigned n) }. - Global Instance cast_int_to_nat `{WORDSIZE} : Cast int nat := { - cast n := Z.to_nat (signed n) - }. + (* Global Instance cast_int_to_nat `{WORDSIZE} : Cast int nat := { *) + (* cast n := Z.to_nat (signed n) *) + (* }. *) Close Scope hacspec_scope. End Casting. @@ -1296,21 +945,22 @@ Section Coercions. Global Coercion repr : Z >-> int. - Definition Z_to_int `{WORDSIZE} (n : Z) : int := repr n. - Global Coercion Z_to_int : Z >-> int. + (* Definition Z_to_int `{WORDSIZE} (n : Z) : int := repr n. *) + (* Global Coercion Z_to_int : Z >-> int. *) - Definition Z_to_uint_size (n : Z) : uint_size := repr n. + Definition Z_to_uint_size (n : Z) : uint_size := Int32.repr n. Global Coercion Z_to_uint_size : Z >-> uint_size. - Definition Z_to_int_size (n : Z) : int_size := repr n. + Definition Z_to_int_size (n : Z) : int_size := Int32.repr n. Global Coercion Z_to_int_size : Z >-> int_size. - Definition N_to_int `{WORDSIZE} (n : N) : int := repr (Z.of_N n). - Global Coercion N.of_nat : nat >-> N. - Global Coercion N_to_int : N >-> int. - Definition N_to_uint_size (n : Z) : uint_size := repr n. + (* Definition N_to_int `{WORDSIZE} (n : N) : int := repr (Z.of_N n). *) + (* Global Coercion N.of_nat : nat >-> N. *) + (* Global Coercion N_to_int : N >-> int. *) + Definition N_to_uint_size (n : Z) : uint_size := Int32.repr n. Global Coercion N_to_uint_size : Z >-> uint_size. - Definition nat_to_int `{WORDSIZE} (n : nat) := repr (Z.of_nat n). - Global Coercion nat_to_int : nat >-> int. + + (* Definition nat_to_int `{WORDSIZE} (n : nat) := repr (Z.of_nat n). *) + (* Global Coercion nat_to_int : nat >-> int. *) Definition uint_size_to_nat (n : uint_size) : nat := from_uint_size n. Global Coercion uint_size_to_nat : uint_size >-> nat. @@ -1318,44 +968,44 @@ Section Coercions. Definition uint_size_to_Z (n : uint_size) : Z := from_uint_size n. Global Coercion uint_size_to_Z : uint_size >-> Z. - Definition uint32_to_nat (n : uint32) : nat := unsigned n. + Definition uint32_to_nat (n : uint32) : nat := Int32.unsigned n. Global Coercion uint32_to_nat : uint32 >-> nat. Global Coercion GZnZ.val : GZnZ.znz >-> Z. - Definition int8_to_nat (n : int8) : nat := unsigned n. + Definition int8_to_nat (n : int8) : nat := Int8.unsigned n. Global Coercion int8_to_nat : int8 >-> nat. - Definition int16_to_nat (n : int16) : nat := unsigned n. + Definition int16_to_nat (n : int16) : nat := Int16.unsigned n. Global Coercion int16_to_nat : int16 >-> nat. - Definition int32_to_nat (n : int32) : nat := unsigned n. + Definition int32_to_nat (n : int32) : nat := Int32.unsigned n. Global Coercion int32_to_nat : int32 >-> nat. - Definition int64_to_nat (n : int64) : nat := unsigned n. + Definition int64_to_nat (n : int64) : nat := Int64.unsigned n. Global Coercion int64_to_nat : int64 >-> nat. - Definition int128_to_nat (n : int128) : nat := unsigned n. + Definition int128_to_nat (n : int128) : nat := Int128.unsigned n. Global Coercion int128_to_nat : int128 >-> nat. (* coercions int8 >-> int16 >-> ... int128 *) - Definition int8_to_int16 (n : int8) : int16 := repr n. + Definition int8_to_int16 (n : int8) : int16 := Int16.repr (Int8.unsigned n). Global Coercion int8_to_int16 : int8 >-> int16. - Definition int8_to_int32 (n : int8) : int32 := repr n. + Definition int8_to_int32 (n : int8) : int32 := Int32.repr (Int8.unsigned n). Global Coercion int8_to_int32 : int8 >-> int32. - Definition int16_to_int32 (n : int16) : int32 := repr n. + Definition int16_to_int32 (n : int16) : int32 := Int32.repr (Int16.unsigned n). Global Coercion int16_to_int32 : int16 >-> int32. - Definition int32_to_int64 (n : int32) : int64 := repr n. + Definition int32_to_int64 (n : int32) : int64 := Int64.repr (Int32.unsigned n). Global Coercion int32_to_int64 : int32 >-> int64. - Definition int64_to_int128 (n : int64) : int128 := repr n. + Definition int64_to_int128 (n : int64) : int128 := Int128.repr (Int64.unsigned n). Global Coercion int64_to_int128 : int64 >-> int128. - Definition int32_to_int128 (n : int32) : int128 := repr n. + Definition int32_to_int128 (n : int32) : int128 := Int128.repr (Int32.unsigned n). Global Coercion int32_to_int128 : int32 >-> int128. - Definition uint_size_to_int64 (n : uint_size) : int64 := repr n. + Definition uint_size_to_int64 (n : uint_size) : int64 := Int64.repr (Int32.unsigned n). Global Coercion uint_size_to_int64 : uint_size >-> int64. @@ -1371,62 +1021,62 @@ Section Coercions. Defined. (* Global Coercion Z_in_nat_mod : Z >-> nat_mod. *) - Definition int_in_nat_mod {m : Z} `{WORDSIZE} (x:int) : nat_mod m. - Proof. - unfold nat_mod. - (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) - remember ((unsigned x) mod m) as zmodm. - apply (GZnZ.mkznz m zmodm). - rewrite Heqzmodm. - rewrite Zmod_mod. - reflexivity. - Show Proof. - Defined. - Global Coercion int_in_nat_mod : int >-> nat_mod. - - Definition uint_size_in_nat_mod (n : uint_size) : nat_mod 16 := int_in_nat_mod n. - Global Coercion uint_size_in_nat_mod : uint_size >-> nat_mod. + (* Definition int_in_nat_mod {m : Z} `{WORDSIZE} (x:int) : nat_mod m. *) + (* Proof. *) + (* unfold nat_mod. *) + (* (* since we assume x < m, it will be true that (unsigned x) = (unsigned x) mod m *) *) + (* remember ((unsigned x) mod m) as zmodm. *) + (* apply (GZnZ.mkznz m zmodm). *) + (* rewrite Heqzmodm. *) + (* rewrite Zmod_mod. *) + (* reflexivity. *) + (* Show Proof. *) + (* Defined. *) + (* Global Coercion int_in_nat_mod : int >-> nat_mod. *) + + (* Definition uint_size_in_nat_mod (n : uint_size) : nat_mod 16 := int_in_nat_mod n. *) + (* Global Coercion uint_size_in_nat_mod : uint_size >-> nat_mod. *) End Coercions. -(*** Casting *) +(* (*** Casting *) *) -Definition uint128_from_usize (n : uint_size) : int128 := repr n. -Definition uint64_from_usize (n : uint_size) : int64 := repr n. -Definition uint32_from_usize (n : uint_size) : int32 := repr n. -Definition uint16_from_usize (n : uint_size) : int16 := repr n. -Definition uint8_from_usize (n : uint_size) : int8 := repr n. +(* Definition uint128_from_usize (n : uint_size) : int128 := repr n. *) +(* Definition uint64_from_usize (n : uint_size) : int64 := repr n. *) +(* Definition uint32_from_usize (n : uint_size) : int32 := repr n. *) +(* Definition uint16_from_usize (n : uint_size) : int16 := repr n. *) +(* Definition uint8_from_usize (n : uint_size) : int8 := repr n. *) -Definition uint128_from_uint8 (n : int8) : int128 := repr n. -Definition uint64_from_uint8 (n : int8) : int64 := repr n. -Definition uint32_from_uint8 (n : int8) : int32 := repr n. -Definition uint16_from_uint8 (n : int8) : int16 := repr n. -Definition usize_from_uint8 (n : int8) : uint_size := repr n. +(* Definition uint128_from_uint8 (n : int8) : int128 := repr n. *) +(* Definition uint64_from_uint8 (n : int8) : int64 := repr n. *) +(* Definition uint32_from_uint8 (n : int8) : int32 := repr n. *) +(* Definition uint16_from_uint8 (n : int8) : int16 := repr n. *) +(* Definition usize_from_uint8 (n : int8) : uint_size := repr n. *) -Definition uint128_from_uint16 (n : int16) : int128 := repr n. -Definition uint64_from_uint16 (n : int16) : int64 := repr n. -Definition uint32_from_uint16 (n : int16) : int32 := repr n. -Definition uint8_from_uint16 (n : int16) : int8 := repr n. -Definition usize_from_uint16 (n : int16) : uint_size := repr n. +(* Definition uint128_from_uint16 (n : int16) : int128 := repr n. *) +(* Definition uint64_from_uint16 (n : int16) : int64 := repr n. *) +(* Definition uint32_from_uint16 (n : int16) : int32 := repr n. *) +(* Definition uint8_from_uint16 (n : int16) : int8 := repr n. *) +(* Definition usize_from_uint16 (n : int16) : uint_size := repr n. *) -Definition uint128_from_uint32 (n : int32) : int128 := repr n. -Definition uint64_from_uint32 (n : int32) : int64 := repr n. -Definition uint16_from_uint32 (n : int32) : int16 := repr n. -Definition uint8_from_uint32 (n : int32) : int8 := repr n. -Definition usize_from_uint32 (n : int32) : uint_size := repr n. +(* Definition uint128_from_uint32 (n : int32) : int128 := repr n. *) +(* Definition uint64_from_uint32 (n : int32) : int64 := repr n. *) +(* Definition uint16_from_uint32 (n : int32) : int16 := repr n. *) +(* Definition uint8_from_uint32 (n : int32) : int8 := repr n. *) +(* Definition usize_from_uint32 (n : int32) : uint_size := repr n. *) -Definition uint128_from_uint64 (n : int64) : int128 := repr n. -Definition uint32_from_uint64 (n : int64) : int32 := repr n. -Definition uint16_from_uint64 (n : int64) : int16 := repr n. -Definition uint8_from_uint64 (n : int64) : int8 := repr n. -Definition usize_from_uint64 (n : int64) : uint_size := repr n. +(* Definition uint128_from_uint64 (n : int64) : int128 := repr n. *) +(* Definition uint32_from_uint64 (n : int64) : int32 := repr n. *) +(* Definition uint16_from_uint64 (n : int64) : int16 := repr n. *) +(* Definition uint8_from_uint64 (n : int64) : int8 := repr n. *) +(* Definition usize_from_uint64 (n : int64) : uint_size := repr n. *) -Definition uint64_from_uint128 (n : int128) : int64 := repr n. -Definition uint32_from_uint128 (n : int128) : int32 := repr n. -Definition uint16_from_uint128 (n : int128) : int16 := repr n. -Definition uint8_from_uint128 (n : int128) : int8 := repr n. -Definition usize_from_uint128 (n : int128) : uint_size := repr n. +(* Definition uint64_from_uint128 (n : int128) : int64 := repr n. *) +(* Definition uint32_from_uint128 (n : int128) : int32 := repr n. *) +(* Definition uint16_from_uint128 (n : int128) : int16 := repr n. *) +(* Definition uint8_from_uint128 (n : int128) : int8 := repr n. *) +(* Definition usize_from_uint128 (n : int128) : uint_size := repr n. *) (* Comparisons, boolean equality, and notation *) @@ -1491,26 +1141,26 @@ Global Instance Z_comparable : Comparable Z := { geb a b := Z.leb b a; }. -Lemma int_eqb_eq : forall {WS : WORDSIZE} (a b : int), eq a b = true <-> a = b. -Proof. - intros. split. - - apply same_if_eq. - - intros. rewrite H. apply eq_true. -Qed. +(* Lemma int_eqb_eq : forall {WS : WORDSIZE} (a b : int), eq a b = true <-> a = b. *) +(* Proof. *) +(* intros. split. *) +(* - apply same_if_eq. *) +(* - intros. rewrite H. apply eq_true. *) +(* Qed. *) -Global Instance int_eqdec `{WORDSIZE}: EqDec int := { - eqb := eq; - eqb_leibniz := int_eqb_eq ; -}. +(* Global Instance int_eqdec `{WORDSIZE}: EqDec int := { *) +(* eqb := eq; *) +(* eqb_leibniz := int_eqb_eq ; *) +(* }. *) -Global Instance int_comparable `{WORDSIZE} : Comparable int := { - ltb := lt; - leb a b := if eq a b then true else lt a b ; - gtb a b := lt b a; - geb a b := if eq a b then true else lt b a; -}. +(* Global Instance int_comparable `{WORDSIZE} : Comparable int := { *) +(* ltb := lt; *) +(* leb a b := if eq a b then true else lt a b ; *) +(* gtb a b := lt b a; *) +(* geb a b := if eq a b then true else lt b a; *) +(* }. *) -Definition uint8_equal : int8 -> int8 -> bool := eqb. +(* Definition uint8_equal : int8 -> int8 -> bool := eqb. *) Definition nat_mod_val (p : Z) (a : nat_mod p) : Z := GZnZ.val p a. @@ -1645,44 +1295,44 @@ Arguments Err {_ _}. Fixpoint nat_be_range_at_position (k : nat) (z : Z) (n : Z) : list bool := match k with | O => [] - | S k' => Z.testbit z (n + k') :: nat_be_range_at_position k' z n + | S k' => Z.testbit z (n + Z.of_nat k') :: nat_be_range_at_position k' z n end. Fixpoint nat_be_range_to_position_ (z : list bool) (val : Z) : Z := match z with | [] => val - | x :: xs => nat_be_range_to_position_ xs ((if x then 2 ^ List.length xs else 0) + val) + | x :: xs => nat_be_range_to_position_ xs ((if x then 2 ^ Z.of_nat (List.length xs) else 0) + val) end. Definition nat_be_range_to_position (k : nat) (z : list bool) (n : Z) : Z := - (nat_be_range_to_position_ z 0 * 2^(k * n)). + (nat_be_range_to_position_ z 0 * 2^(Z.of_nat k * n)). Definition nat_be_range (k : nat) (z : Z) (n : nat) : Z := - nat_be_range_to_position_ (nat_be_range_at_position k z (n * k)) 0. (* * 2^(k * n) *) + nat_be_range_to_position_ (nat_be_range_at_position k z (Z.of_nat (n * k)%nat)) 0. (* * 2^(k * n) *) Compute nat_be_range 4 0 300. -Definition u64_to_be_bytes' : int64 -> nseq int8 8 := - fun k => array_from_list (int8) [@nat_to_int WORDSIZE8 (nat_be_range 4 k 7) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 6) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 5) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 4) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 3) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 2) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 1) ; - @nat_to_int WORDSIZE8 (nat_be_range 4 k 0)]. +(* Definition u64_to_be_bytes' : int64 -> nseq int8 8 := *) +(* fun k => array_from_list (int8) [@nat_to_int WORDSIZE8 (nat_be_range 4 k 7) ; *) +(* @nat_to_int WORDSIZE8 (nat_be_range 4 k 6) ; *) +(* @nat_to_int WORDSIZE8 (nat_be_range 4 k 5) ; *) +(* @nat_to_int WORDSIZE8 (nat_be_range 4 k 4) ; *) +(* @nat_to_int WORDSIZE8 (nat_be_range 4 k 3) ; *) +(* @nat_to_int WORDSIZE8 (nat_be_range 4 k 2) ; *) +(* @nat_to_int WORDSIZE8 (nat_be_range 4 k 1) ; *) +(* @nat_to_int WORDSIZE8 (nat_be_range 4 k 0)]. *) Open Scope hacspec_scope. Definition u64_from_be_bytes_fold_fun (i : int8) (s : nat × int64) : nat × int64 := let (n,v) := s in - (S n, v .+ (@repr WORDSIZE64 ((int8_to_nat i) * 2 ^ (4 * n)))). + (S n, Int64.add v (Int64.repr (Z.of_nat (int8_to_nat i) * 2 ^ (4 * Z.of_nat n)))). Definition u64_from_be_bytes' : nseq int8 8 -> int64 := - (fun v => snd (VectorDef.fold_right u64_from_be_bytes_fold_fun v (0, @repr WORDSIZE64 0))). + (fun v => snd (VectorDef.fold_right u64_from_be_bytes_fold_fun v (0, @Int64.repr 0))). -Definition u64_to_be_bytes : int64 -> nseq int8 8 := u64_to_be_bytes'. -Definition u64_from_be_bytes : nseq int8 8 -> int64 := u64_from_be_bytes'. +(* Definition u64_to_be_bytes : int64 -> nseq int8 8 := u64_to_be_bytes'. *) +(* Definition u64_from_be_bytes : nseq int8 8 -> int64 := u64_from_be_bytes'. *) (* Definition nat_mod_to_byte_seq_be : forall {n : Z}, nat_mod n -> seq int8 := *) (* fun k => VectorDef.of_list . *) @@ -1766,15 +1416,15 @@ Global Instance Z_default : Default Z := { default := 0%Z }. Global Instance uint_size_default : Default uint_size := { - default := zero + default := Int32.zero }. Global Instance int_size_default : Default int_size := { - default := zero -}. -Global Instance int_default {WS : WORDSIZE} : Default int := { - default := repr 0 + default := Int32.zero }. -Global Instance uint8_default : Default uint8 := _. +(* Global Instance int_default {WS : WORDSIZE} : Default int := { *) +(* default := repr 0 *) +(* }. *) +(* Global Instance uint8_default : Default uint8 := _. *) Global Instance nat_mod_default {p : Z} : Default (nat_mod p) := { default := nat_mod_zero }. diff --git a/proof-libs/coq/coq/src/Hacspec_Types.v b/proof-libs/coq/coq/src/Hacspec_Types.v new file mode 100644 index 000000000..f4035e0b3 --- /dev/null +++ b/proof-libs/coq/coq/src/Hacspec_Types.v @@ -0,0 +1,8 @@ + +From Coqprime Require GZnZ. + +(*** Seq *) + +Definition nseq := VectorDef.t. + +Definition seq (A : Type) := list A. diff --git a/proof-libs/coq/coq/src/MachineIntegers.v b/proof-libs/coq/coq/src/MachineIntegers.v deleted file mode 100644 index ba865033b..000000000 --- a/proof-libs/coq/coq/src/MachineIntegers.v +++ /dev/null @@ -1,4886 +0,0 @@ -(* *********************************************************************) -(* *) -(* The Compcert verified compiler *) -(* *) -(* Xavier Leroy, INRIA Paris-Rocquencourt *) -(* *) -(* Copyright Institut National de Recherche en Informatique et en *) -(* Automatique. All rights reserved. This file is distributed *) -(* under the terms of the GNU General Public License as published by *) -(* the Free Software Foundation, either version 2 of the License, or *) -(* (at your option) any later version. This file is also distributed *) -(* under the terms of the INRIA Non-Commercial License Agreement. *) -(* *) -(* *********************************************************************) - -(** Formalizations of machine integers modulo $2^N$ #2N#. *) - -Require Import Eqdep_dec Zquot Zwf. -From compcert Require Import Coqlib Zbits. -From compcert Require Archi. -Require Import Lia. -(** * Comparisons *) - -Inductive comparison : Type := - | Ceq : comparison (**r same *) - | Cne : comparison (**r different *) - | Clt : comparison (**r less than *) - | Cle : comparison (**r less than or equal *) - | Cgt : comparison (**r greater than *) - | Cge : comparison. (**r greater than or equal *) - -Definition negate_comparison (c: comparison): comparison := - match c with - | Ceq => Cne - | Cne => Ceq - | Clt => Cge - | Cle => Cgt - | Cgt => Cle - | Cge => Clt - end. - -Definition swap_comparison (c: comparison): comparison := - match c with - | Ceq => Ceq - | Cne => Cne - | Clt => Cgt - | Cle => Cge - | Cgt => Clt - | Cge => Cle - end. - -(** * Parameterization by the word size, in bits. *) -Class WORDSIZE := { - wordsize : nat; - wordsize_not_zero: wordsize <> 0%nat; -}. -(* Module Type WORDSIZE. - Parameter wordsize: nat. - Axiom wordsize_not_zero: wordsize <> 0%nat. -End WORDSIZE. *) - -(* To avoid useless definitions of inductors in extracted code. *) -Local Unset Elimination Schemes. -Local Unset Case Analysis Schemes. -Local Set Printing Projections. - -Section Make. -Context {WS : WORDSIZE}. -Global Opaque wordsize wordsize_not_zero. - -(* Variable wordsize : nat. *) -(* Hypothesis wordsize_not_zero: wordsize <> 0%nat. *) - -Definition zwordsize: Z := Z.of_nat wordsize. -Definition modulus : Z := two_power_nat wordsize. -Definition half_modulus : Z := modulus / 2. -Definition max_unsigned : Z := modulus - 1. -Definition max_signed : Z := half_modulus - 1. -Definition min_signed : Z := - half_modulus. - -Remark wordsize_pos: zwordsize > 0. -Proof. - unfold zwordsize. generalize wordsize_not_zero. lia. -Qed. - -Remark modulus_power: modulus = two_p zwordsize. -Proof. - unfold modulus. apply two_power_nat_two_p. -Qed. - -Remark modulus_gt_one: modulus > 1. -Proof. - rewrite modulus_power. apply Z.lt_gt. apply (two_p_monotone_strict 0). - generalize wordsize_pos; lia. -Qed. - -Remark modulus_pos: modulus > 0. -Proof. - generalize modulus_gt_one; lia. -Qed. - -Hint Resolve modulus_pos: ints. - -(** * Representation of machine integers *) - -(** A machine integer (type [int]) is represented as a Coq arbitrary-precision - integer (type [Z]) plus a proof that it is in the range 0 (included) to - [modulus] (excluded). *) - -Record int: Type := mkint { intval: Z; intrange: -1 < intval < modulus }. - -(** Fast normalization modulo [2^wordsize] *) - -Definition Z_mod_modulus (x: Z) : Z := - match x with - | Z0 => 0 - | Zpos p => P_mod_two_p p wordsize - | Zneg p => let r := P_mod_two_p p wordsize in if zeq r 0 then 0 else modulus - r - end. - -Lemma Z_mod_modulus_range: - forall x, 0 <= Z_mod_modulus x < modulus. -Proof (Z_mod_two_p_range wordsize). - -Lemma Z_mod_modulus_range': - forall x, -1 < Z_mod_modulus x < modulus. -Proof. - intros. generalize (Z_mod_modulus_range x); intuition. -Qed. - -Lemma Z_mod_modulus_eq: - forall x, Z_mod_modulus x = x mod modulus. -Proof (Z_mod_two_p_eq wordsize). - -(** The [unsigned] and [signed] functions return the Coq integer corresponding - to the given machine integer, interpreted as unsigned or signed - respectively. *) - -Definition unsigned (n: int) : Z := intval n. - -Definition signed (n: int) : Z := - let x := unsigned n in - if zlt x half_modulus then x else x - modulus. - -(** Conversely, [repr] takes a Coq integer and returns the corresponding - machine integer. The argument is treated modulo [modulus]. *) - -Definition repr (x: Z) : int := - mkint (Z_mod_modulus x) (Z_mod_modulus_range' x). - -Definition zero := repr 0. -Definition one := repr 1. -Definition mone := repr (-1). -Definition iwordsize := repr zwordsize. - -Lemma mkint_eq: - forall x y Px Py, x = y -> mkint x Px = mkint y Py. -Proof. - intros. subst y. - assert (forall (n m: Z) (P1 P2: n < m), P1 = P2). - { - unfold Z.lt; intros. - apply eq_proofs_unicity. - intros c1 c2. destruct c1; destruct c2; (left; reflexivity) || (right; congruence). - } - destruct Px as [Px1 Px2]. destruct Py as [Py1 Py2]. - rewrite (H _ _ Px1 Py1). - rewrite (H _ _ Px2 Py2). - reflexivity. -Qed. - -Lemma eq_dec: forall (x y: int), {x = y} + {x <> y}. -Proof. - intros. destruct x; destruct y. destruct (zeq intval0 intval1). - left. apply mkint_eq. auto. - right. red; intro. injection H. exact n. -Defined. - -(** * Arithmetic and logical operations over machine integers *) - -Definition eq (x y: int) : bool := - if zeq (unsigned x) (unsigned y) then true else false. -Definition lt (x y: int) : bool := - if zlt (signed x) (signed y) then true else false. -Definition ltu (x y: int) : bool := - if zlt (unsigned x) (unsigned y) then true else false. - -Definition neg (x: int) : int := repr (- unsigned x). - -Definition add (x y: int) : int := - repr (unsigned x + unsigned y). -Definition sub (x y: int) : int := - repr (unsigned x - unsigned y). -Definition mul (x y: int) : int := - repr (unsigned x * unsigned y). - -Definition divs (x y: int) : int := - repr (Z.quot (signed x) (signed y)). -Definition mods (x y: int) : int := - repr (Z.rem (signed x) (signed y)). - -Definition divu (x y: int) : int := - repr (unsigned x / unsigned y). -Definition modu (x y: int) : int := - repr ((unsigned x) mod (unsigned y)). - -(** Bitwise boolean operations. *) - -Definition and (x y: int): int := repr (Z.land (unsigned x) (unsigned y)). -Definition or (x y: int): int := repr (Z.lor (unsigned x) (unsigned y)). -Definition xor (x y: int) : int := repr (Z.lxor (unsigned x) (unsigned y)). - -Definition not (x: int) : int := xor x mone. - -(** Shifts and rotates. *) - -Definition shl (x y: int): int := repr (Z.shiftl (unsigned x) (unsigned y)). -Definition shru (x y: int): int := repr (Z.shiftr (unsigned x) (unsigned y)). -Definition shr (x y: int): int := repr (Z.shiftr (signed x) (unsigned y)). - -Definition rol (x y: int) : int := - let n := (unsigned y) mod zwordsize in - repr (Z.lor (Z.shiftl (unsigned x) n) (Z.shiftr (unsigned x) (zwordsize - n))). -Definition ror (x y: int) : int := - let n := (unsigned y) mod zwordsize in - repr (Z.lor (Z.shiftr (unsigned x) n) (Z.shiftl (unsigned x) (zwordsize - n))). - -Definition rolm (x a m: int): int := and (rol x a) m. - -(** Viewed as signed divisions by powers of two, [shrx] rounds towards - zero, while [shr] rounds towards minus infinity. *) - -Definition shrx (x y: int): int := - divs x (shl one y). - -(** High half of full multiply. *) - -Definition mulhu (x y: int): int := repr ((unsigned x * unsigned y) / modulus). -Definition mulhs (x y: int): int := repr ((signed x * signed y) / modulus). - -(** Condition flags *) - -Definition negative (x: int): int := - if lt x zero then one else zero. - -Definition add_carry (x y cin: int): int := - if zlt (unsigned x + unsigned y + unsigned cin) modulus then zero else one. - -Definition add_overflow (x y cin: int): int := - let s := signed x + signed y + signed cin in - if zle min_signed s && zle s max_signed then zero else one. - -Definition sub_borrow (x y bin: int): int := - if zlt (unsigned x - unsigned y - unsigned bin) 0 then one else zero. - -Definition sub_overflow (x y bin: int): int := - let s := signed x - signed y - signed bin in - if zle min_signed s && zle s max_signed then zero else one. - -(** [shr_carry x y] is 1 if [x] is negative and at least one 1 bit is shifted away. *) - -Definition shr_carry (x y: int) : int := - if lt x zero && negb (eq (and x (sub (shl one y) one)) zero) - then one else zero. - -(** Zero and sign extensions *) - -Definition zero_ext (n: Z) (x: int) : int := repr (Zzero_ext n (unsigned x)). -Definition sign_ext (n: Z) (x: int) : int := repr (Zsign_ext n (unsigned x)). - -(** Decomposition of a number as a sum of powers of two. *) - -Definition one_bits (x: int) : list int := - List.map repr (Z_one_bits wordsize (unsigned x) 0). - -(** Recognition of powers of two. *) - -Definition is_power2 (x: int) : option int := - match Z_is_power2 (unsigned x) with - | Some i => Some (repr i) - | None => None - end. - -(** Comparisons. *) - -Definition cmp (c: comparison) (x y: int) : bool := - match c with - | Ceq => eq x y - | Cne => negb (eq x y) - | Clt => lt x y - | Cle => negb (lt y x) - | Cgt => lt y x - | Cge => negb (lt x y) - end. - -Definition cmpu (c: comparison) (x y: int) : bool := - match c with - | Ceq => eq x y - | Cne => negb (eq x y) - | Clt => ltu x y - | Cle => negb (ltu y x) - | Cgt => ltu y x - | Cge => negb (ltu x y) - end. - -Definition is_false (x: int) : Prop := x = zero. -Definition is_true (x: int) : Prop := x <> zero. -Definition notbool (x: int) : int := if eq x zero then one else zero. - -(** x86-style extended division and modulus *) - -Definition divmodu2 (nhi nlo: int) (d: int) : option (int * int) := - if eq_dec d zero then None else - (let (q, r) := Z.div_eucl (unsigned nhi * modulus + unsigned nlo) (unsigned d) in - if zle q max_unsigned then Some(repr q, repr r) else None). - -Definition divmods2 (nhi nlo: int) (d: int) : option (int * int) := - if eq_dec d zero then None else - (let (q, r) := Z.quotrem (signed nhi * modulus + unsigned nlo) (signed d) in - if zle min_signed q && zle q max_signed then Some(repr q, repr r) else None). - -(** * Properties of integers and integer arithmetic *) - -(** ** Properties of [modulus], [max_unsigned], etc. *) - -Remark half_modulus_power: - half_modulus = two_p (zwordsize - 1). -Proof. - unfold half_modulus. rewrite modulus_power. - set (ws1 := zwordsize - 1). - replace (zwordsize) with (Z.succ ws1). - rewrite two_p_S. rewrite Z.mul_comm. apply Z_div_mult. lia. - unfold ws1. generalize wordsize_pos; lia. - unfold ws1. lia. -Qed. - -Remark half_modulus_modulus: modulus = 2 * half_modulus. -Proof. - rewrite half_modulus_power. rewrite modulus_power. - rewrite <- two_p_S. apply f_equal. lia. - generalize wordsize_pos; lia. -Qed. - -(** Relative positions, from greatest to smallest: -<< - max_unsigned - max_signed - 2*wordsize-1 - wordsize - 0 - min_signed ->> -*) - -Remark half_modulus_pos: half_modulus > 0. -Proof. - rewrite half_modulus_power. apply two_p_gt_ZERO. generalize wordsize_pos; lia. -Qed. - -Remark min_signed_neg: min_signed < 0. -Proof. - unfold min_signed. generalize half_modulus_pos. lia. -Qed. - -Remark max_signed_pos: max_signed >= 0. -Proof. - unfold max_signed. generalize half_modulus_pos. lia. -Qed. - -Remark wordsize_max_unsigned: zwordsize <= max_unsigned. -Proof. - assert (zwordsize < modulus). - rewrite modulus_power. apply two_p_strict. - generalize wordsize_pos. lia. - unfold max_unsigned. lia. -Qed. - -Remark two_wordsize_max_unsigned: 2 * zwordsize - 1 <= max_unsigned. -Proof. - assert (2 * zwordsize - 1 < modulus). - rewrite modulus_power. apply two_p_strict_2. generalize wordsize_pos; lia. - unfold max_unsigned; lia. -Qed. - -Remark max_signed_unsigned: max_signed < max_unsigned. -Proof. - unfold max_signed, max_unsigned. rewrite half_modulus_modulus. - generalize half_modulus_pos. lia. -Qed. - -Lemma unsigned_repr_eq: - forall x, unsigned (repr x) = Z.modulo x modulus. -Proof. - intros. simpl. apply Z_mod_modulus_eq. -Qed. - -Lemma signed_repr_eq: - forall x, signed (repr x) = if zlt (Z.modulo x modulus) half_modulus then Z.modulo x modulus else Z.modulo x modulus - modulus. -Proof. - intros. unfold signed. rewrite unsigned_repr_eq. auto. -Qed. - -(** ** Modulo arithmetic *) - -(** [eqm] is equality modulo $2^{wordsize}$ #2wordsize#. *) - -Definition eqm := eqmod modulus. - -Lemma eqm_refl: forall x, eqm x x. -Proof (eqmod_refl modulus). -Hint Resolve eqm_refl: ints. - -Lemma eqm_refl2: - forall x y, x = y -> eqm x y. -Proof (eqmod_refl2 modulus). -Hint Resolve eqm_refl2: ints. - -Lemma eqm_sym: forall x y, eqm x y -> eqm y x. -Proof (eqmod_sym modulus). -Hint Resolve eqm_sym: ints. - -Lemma eqm_trans: forall x y z, eqm x y -> eqm y z -> eqm x z. -Proof (eqmod_trans modulus). -Hint Resolve eqm_trans: ints. - -Lemma eqm_small_eq: - forall x y, eqm x y -> 0 <= x < modulus -> 0 <= y < modulus -> x = y. -Proof (eqmod_small_eq modulus). -Hint Resolve eqm_small_eq: ints. - -Lemma eqm_add: - forall a b c d, eqm a b -> eqm c d -> eqm (a + c) (b + d). -Proof (eqmod_add modulus). -Hint Resolve eqm_add: ints. - -Lemma eqm_neg: - forall x y, eqm x y -> eqm (-x) (-y). -Proof (eqmod_neg modulus). -Hint Resolve eqm_neg: ints. - -Lemma eqm_sub: - forall a b c d, eqm a b -> eqm c d -> eqm (a - c) (b - d). -Proof (eqmod_sub modulus). -Hint Resolve eqm_sub: ints. - -Lemma eqm_mult: - forall a b c d, eqm a c -> eqm b d -> eqm (a * b) (c * d). -Proof (eqmod_mult modulus). -Hint Resolve eqm_mult: ints. - -Lemma eqm_same_bits: - forall x y, - (forall i, 0 <= i < zwordsize -> Z.testbit x i = Z.testbit y i) -> - eqm x y. -Proof (eqmod_same_bits wordsize). - -Lemma same_bits_eqm: - forall x y i, - eqm x y -> - 0 <= i < zwordsize -> - Z.testbit x i = Z.testbit y i. -Proof (same_bits_eqmod wordsize). - -(** ** Properties of the coercions between [Z] and [int] *) - -Lemma eqm_samerepr: forall x y, eqm x y -> repr x = repr y. -Proof. - intros. unfold repr. apply mkint_eq. - rewrite !Z_mod_modulus_eq. apply eqmod_mod_eq. auto with ints. exact H. -Qed. - -Lemma eqm_unsigned_repr: - forall z, eqm z (unsigned (repr z)). -Proof. - unfold eqm; intros. rewrite unsigned_repr_eq. apply eqmod_mod. auto with ints. -Qed. -Hint Resolve eqm_unsigned_repr: ints. - -Lemma eqm_unsigned_repr_l: - forall a b, eqm a b -> eqm (unsigned (repr a)) b. -Proof. - intros. apply eqm_trans with a. - apply eqm_sym. apply eqm_unsigned_repr. auto. -Qed. -Hint Resolve eqm_unsigned_repr_l: ints. - -Lemma eqm_unsigned_repr_r: - forall a b, eqm a b -> eqm a (unsigned (repr b)). -Proof. - intros. apply eqm_trans with b. auto. - apply eqm_unsigned_repr. -Qed. -Hint Resolve eqm_unsigned_repr_r: ints. - -Lemma eqm_signed_unsigned: - forall x, eqm (signed x) (unsigned x). -Proof. - intros; red. unfold signed. set (y := unsigned x). - case (zlt y half_modulus); intro. - apply eqmod_refl. red; exists (-1); ring. -Qed. - -Theorem unsigned_range: - forall i, 0 <= unsigned i < modulus. -Proof. - destruct i. simpl. lia. -Qed. -Hint Resolve unsigned_range: ints. - -Theorem unsigned_range_2: - forall i, 0 <= unsigned i <= max_unsigned. -Proof. - intro; unfold max_unsigned. - generalize (unsigned_range i). lia. -Qed. -Hint Resolve unsigned_range_2: ints. - -Theorem signed_range: - forall i, min_signed <= signed i <= max_signed. -Proof. - intros. unfold signed. - generalize (unsigned_range i). set (n := unsigned i). intros. - case (zlt n half_modulus); intro. - unfold max_signed. generalize min_signed_neg. lia. - unfold min_signed, max_signed. - rewrite half_modulus_modulus in *. lia. -Qed. - -Theorem repr_unsigned: - forall i, repr (unsigned i) = i. -Proof. - destruct i; simpl. unfold repr. apply mkint_eq. - rewrite Z_mod_modulus_eq. apply Z.mod_small; lia. -Qed. -Hint Resolve repr_unsigned: ints. - -Lemma repr_signed: - forall i, repr (signed i) = i. -Proof. - intros. transitivity (repr (unsigned i)). - apply eqm_samerepr. apply eqm_signed_unsigned. auto with ints. -Qed. -Hint Resolve repr_signed: ints. - -Opaque repr. - -Lemma eqm_repr_eq: forall x y, eqm x (unsigned y) -> repr x = y. -Proof. - intros. rewrite <- (repr_unsigned y). apply eqm_samerepr; auto. -Qed. - -Theorem unsigned_repr: - forall z, 0 <= z <= max_unsigned -> unsigned (repr z) = z. -Proof. - intros. rewrite unsigned_repr_eq. - apply Z.mod_small. unfold max_unsigned in H. lia. -Qed. -Hint Resolve unsigned_repr: ints. - -Theorem signed_repr: - forall z, min_signed <= z <= max_signed -> signed (repr z) = z. -Proof. - intros. unfold signed. destruct (zle 0 z). - replace (unsigned (repr z)) with z. - rewrite zlt_true. auto. unfold max_signed in H. lia. - symmetry. apply unsigned_repr. generalize max_signed_unsigned. lia. - pose (z' := z + modulus). - replace (repr z) with (repr z'). - replace (unsigned (repr z')) with z'. - rewrite zlt_false. unfold z'. lia. - unfold z'. unfold min_signed in H. - rewrite half_modulus_modulus. lia. - symmetry. apply unsigned_repr. - unfold z', max_unsigned. unfold min_signed, max_signed in H. - rewrite half_modulus_modulus. lia. - apply eqm_samerepr. unfold z'; red. exists 1. lia. -Qed. - -Ltac extlia := unfold Plt, Ple in *; lia. - -Theorem signed_eq_unsigned: - forall x, unsigned x <= max_signed -> signed x = unsigned x. -Proof. - intros. unfold signed. destruct (zlt (unsigned x) half_modulus). - auto. unfold max_signed in H. extlia. -Qed. - -Theorem signed_positive: - forall x, signed x >= 0 <-> unsigned x <= max_signed. -Proof. - intros. unfold signed, max_signed. - generalize (unsigned_range x) half_modulus_modulus half_modulus_pos; intros. - destruct (zlt (unsigned x) half_modulus); lia. -Qed. - -(** ** Properties of zero, one, minus one *) - -Theorem unsigned_zero: unsigned zero = 0. -Proof. - unfold zero; rewrite unsigned_repr_eq. apply Zmod_0_l. -Qed. - -Theorem unsigned_one: unsigned one = 1. -Proof. - unfold one; rewrite unsigned_repr_eq. apply Z.mod_small. split. lia. - unfold modulus. replace wordsize with (S(Init.Nat.pred wordsize)). - rewrite two_power_nat_S. generalize (two_power_nat_pos (Init.Nat.pred wordsize)). - lia. - generalize wordsize_pos. unfold zwordsize. lia. -Qed. - -Theorem unsigned_mone: unsigned mone = modulus - 1. -Proof. - unfold mone; rewrite unsigned_repr_eq. - replace (-1) with ((modulus - 1) + (-1) * modulus). - rewrite Z_mod_plus_full. apply Z.mod_small. - generalize modulus_pos. lia. lia. -Qed. - -Theorem signed_zero: signed zero = 0. -Proof. - unfold signed. rewrite unsigned_zero. apply zlt_true. generalize half_modulus_pos; lia. -Qed. - -Theorem signed_one: zwordsize > 1 -> signed one = 1. -Proof. - intros. unfold signed. rewrite unsigned_one. apply zlt_true. - change 1 with (two_p 0). rewrite half_modulus_power. apply two_p_monotone_strict. lia. -Qed. - -Theorem signed_mone: signed mone = -1. -Proof. - unfold signed. rewrite unsigned_mone. - rewrite zlt_false. lia. - rewrite half_modulus_modulus. generalize half_modulus_pos. lia. -Qed. - -Theorem one_not_zero: one <> zero. -Proof. - assert (unsigned one <> unsigned zero). - rewrite unsigned_one; rewrite unsigned_zero; congruence. - congruence. -Qed. - -Theorem unsigned_repr_wordsize: - unsigned iwordsize = zwordsize. -Proof. - unfold iwordsize; rewrite unsigned_repr_eq. apply Z.mod_small. - generalize wordsize_pos wordsize_max_unsigned; unfold max_unsigned; lia. -Qed. - -(** ** Properties of equality *) - -Theorem eq_sym: - forall x y, eq x y = eq y x. -Proof. - intros; unfold eq. case (zeq (unsigned x) (unsigned y)); intro. - rewrite e. rewrite zeq_true. auto. - rewrite zeq_false. auto. auto. -Qed. - -Theorem eq_spec: forall (x y: int), if eq x y then x = y else x <> y. -Proof. - intros; unfold eq. case (eq_dec x y); intro. - subst y. rewrite zeq_true. auto. - rewrite zeq_false. auto. - destruct x; destruct y. - simpl. red; intro. elim n. apply mkint_eq. auto. -Qed. - -Theorem eq_true: forall x, eq x x = true. -Proof. - intros. generalize (eq_spec x x); case (eq x x); intros; congruence. -Qed. - -Theorem eq_false: forall x y, x <> y -> eq x y = false. -Proof. - intros. generalize (eq_spec x y); case (eq x y); intros; congruence. -Qed. - -Theorem same_if_eq: forall x y, eq x y = true -> x = y. -Proof. - intros. generalize (eq_spec x y); rewrite H; auto. -Qed. - -Theorem eq_signed: - forall x y, eq x y = if zeq (signed x) (signed y) then true else false. -Proof. - intros. predSpec eq eq_spec x y. - subst x. rewrite zeq_true; auto. - destruct (zeq (signed x) (signed y)); auto. - elim H. rewrite <- (repr_signed x). rewrite <- (repr_signed y). congruence. -Qed. - -(** ** Properties of addition *) - -Theorem add_unsigned: forall x y, add x y = repr (unsigned x + unsigned y). -Proof. intros; reflexivity. -Qed. - -Theorem add_signed: forall x y, add x y = repr (signed x + signed y). -Proof. - intros. rewrite add_unsigned. apply eqm_samerepr. - apply eqm_add; apply eqm_sym; apply eqm_signed_unsigned. -Qed. - -Theorem add_commut: forall x y, add x y = add y x. -Proof. intros; unfold add. decEq. lia. Qed. - -Theorem add_zero: forall x, add x zero = x. -Proof. - intros. unfold add. rewrite unsigned_zero. - rewrite Z.add_0_r. apply repr_unsigned. -Qed. - -Theorem add_zero_l: forall x, add zero x = x. -Proof. - intros. rewrite add_commut. apply add_zero. -Qed. - -Theorem add_assoc: forall x y z, add (add x y) z = add x (add y z). -Proof. - intros; unfold add. - set (x' := unsigned x). - set (y' := unsigned y). - set (z' := unsigned z). - apply eqm_samerepr. - apply eqm_trans with ((x' + y') + z'). - auto with ints. - rewrite <- Z.add_assoc. auto with ints. -Qed. - -Theorem add_permut: forall x y z, add x (add y z) = add y (add x z). -Proof. - intros. rewrite (add_commut y z). rewrite <- add_assoc. apply add_commut. -Qed. - -Theorem add_neg_zero: forall x, add x (neg x) = zero. -Proof. - intros; unfold add, neg, zero. apply eqm_samerepr. - replace 0 with (unsigned x + (- (unsigned x))). - auto with ints. lia. -Qed. - -Theorem unsigned_add_carry: - forall x y, - unsigned (add x y) = unsigned x + unsigned y - unsigned (add_carry x y zero) * modulus. -Proof. - intros. - unfold add, add_carry. rewrite unsigned_zero. rewrite Z.add_0_r. - rewrite unsigned_repr_eq. - generalize (unsigned_range x) (unsigned_range y). intros. - destruct (zlt (unsigned x + unsigned y) modulus). - rewrite unsigned_zero. apply Zmod_unique with 0. lia. lia. - rewrite unsigned_one. apply Zmod_unique with 1. lia. lia. -Qed. - -Corollary unsigned_add_either: - forall x y, - unsigned (add x y) = unsigned x + unsigned y - \/ unsigned (add x y) = unsigned x + unsigned y - modulus. -Proof. - intros. rewrite unsigned_add_carry. unfold add_carry. - rewrite unsigned_zero. rewrite Z.add_0_r. - destruct (zlt (unsigned x + unsigned y) modulus). - rewrite unsigned_zero. left; lia. - rewrite unsigned_one. right; lia. -Qed. - -(** ** Properties of negation *) - -Theorem neg_repr: forall z, neg (repr z) = repr (-z). -Proof. - intros; unfold neg. apply eqm_samerepr. auto with ints. -Qed. - -Theorem neg_zero: neg zero = zero. -Proof. - unfold neg. rewrite unsigned_zero. auto. -Qed. - -Theorem neg_involutive: forall x, neg (neg x) = x. -Proof. - intros; unfold neg. - apply eqm_repr_eq. eapply eqm_trans. apply eqm_neg. - apply eqm_unsigned_repr_l. apply eqm_refl. apply eqm_refl2. lia. -Qed. - -Theorem neg_add_distr: forall x y, neg(add x y) = add (neg x) (neg y). -Proof. - intros; unfold neg, add. apply eqm_samerepr. - apply eqm_trans with (- (unsigned x + unsigned y)). - auto with ints. - replace (- (unsigned x + unsigned y)) - with ((- unsigned x) + (- unsigned y)). - auto with ints. lia. -Qed. - -(** ** Properties of subtraction *) - -Theorem sub_zero_l: forall x, sub x zero = x. -Proof. - intros; unfold sub. rewrite unsigned_zero. - replace (unsigned x - 0) with (unsigned x) by lia. apply repr_unsigned. -Qed. - -Theorem sub_zero_r: forall x, sub zero x = neg x. -Proof. - intros; unfold sub, neg. rewrite unsigned_zero. auto. -Qed. - -Theorem sub_add_opp: forall x y, sub x y = add x (neg y). -Proof. - intros; unfold sub, add, neg. apply eqm_samerepr. - apply eqm_add; auto with ints. -Qed. - -Theorem sub_idem: forall x, sub x x = zero. -Proof. - intros; unfold sub. unfold zero. decEq. lia. -Qed. - -Theorem sub_add_l: forall x y z, sub (add x y) z = add (sub x z) y. -Proof. - intros. repeat rewrite sub_add_opp. - repeat rewrite add_assoc. decEq. apply add_commut. -Qed. - -Theorem sub_add_r: forall x y z, sub x (add y z) = add (sub x z) (neg y). -Proof. - intros. repeat rewrite sub_add_opp. - rewrite neg_add_distr. rewrite add_permut. apply add_commut. -Qed. - -Theorem sub_shifted: - forall x y z, - sub (add x z) (add y z) = sub x y. -Proof. - intros. rewrite sub_add_opp. rewrite neg_add_distr. - rewrite add_assoc. - rewrite (add_commut (neg y) (neg z)). - rewrite <- (add_assoc z). rewrite add_neg_zero. - rewrite (add_commut zero). rewrite add_zero. - symmetry. apply sub_add_opp. -Qed. - -Theorem sub_signed: - forall x y, sub x y = repr (signed x - signed y). -Proof. - intros. unfold sub. apply eqm_samerepr. - apply eqm_sub; apply eqm_sym; apply eqm_signed_unsigned. -Qed. - -Theorem unsigned_sub_borrow: - forall x y, - unsigned (sub x y) = unsigned x - unsigned y + unsigned (sub_borrow x y zero) * modulus. -Proof. - intros. - unfold sub, sub_borrow. rewrite unsigned_zero. rewrite Z.sub_0_r. - rewrite unsigned_repr_eq. - generalize (unsigned_range x) (unsigned_range y). intros. - destruct (zlt (unsigned x - unsigned y) 0). - rewrite unsigned_one. apply Zmod_unique with (-1). lia. lia. - rewrite unsigned_zero. apply Zmod_unique with 0. lia. lia. -Qed. - -(** ** Properties of multiplication *) - -Theorem mul_commut: forall x y, mul x y = mul y x. -Proof. - intros; unfold mul. decEq. ring. -Qed. - -Theorem mul_zero: forall x, mul x zero = zero. -Proof. - intros; unfold mul. rewrite unsigned_zero. - unfold zero. decEq. ring. -Qed. - -Theorem mul_one: forall x, mul x one = x. -Proof. - intros; unfold mul. rewrite unsigned_one. - transitivity (repr (unsigned x)). decEq. ring. - apply repr_unsigned. -Qed. - -Theorem mul_mone: forall x, mul x mone = neg x. -Proof. - intros; unfold mul, neg. rewrite unsigned_mone. - apply eqm_samerepr. - replace (-unsigned x) with (0 - unsigned x) by lia. - replace (unsigned x * (modulus - 1)) with (unsigned x * modulus - unsigned x) by ring. - apply eqm_sub. exists (unsigned x). lia. apply eqm_refl. -Qed. - -Theorem mul_assoc: forall x y z, mul (mul x y) z = mul x (mul y z). -Proof. - intros; unfold mul. - set (x' := unsigned x). - set (y' := unsigned y). - set (z' := unsigned z). - apply eqm_samerepr. apply eqm_trans with ((x' * y') * z'). - auto with ints. - rewrite <- Z.mul_assoc. auto with ints. -Qed. - -Theorem mul_add_distr_l: - forall x y z, mul (add x y) z = add (mul x z) (mul y z). -Proof. - intros; unfold mul, add. - apply eqm_samerepr. - set (x' := unsigned x). - set (y' := unsigned y). - set (z' := unsigned z). - apply eqm_trans with ((x' + y') * z'). - auto with ints. - replace ((x' + y') * z') with (x' * z' + y' * z'). - auto with ints. - ring. -Qed. - -Theorem mul_add_distr_r: - forall x y z, mul x (add y z) = add (mul x y) (mul x z). -Proof. - intros. rewrite mul_commut. rewrite mul_add_distr_l. - decEq; apply mul_commut. -Qed. - -Theorem neg_mul_distr_l: - forall x y, neg(mul x y) = mul (neg x) y. -Proof. - intros. unfold mul, neg. - set (x' := unsigned x). set (y' := unsigned y). - apply eqm_samerepr. apply eqm_trans with (- (x' * y')). - auto with ints. - replace (- (x' * y')) with ((-x') * y') by ring. - auto with ints. -Qed. - -Theorem neg_mul_distr_r: - forall x y, neg(mul x y) = mul x (neg y). -Proof. - intros. rewrite (mul_commut x y). rewrite (mul_commut x (neg y)). - apply neg_mul_distr_l. -Qed. - -Theorem mul_signed: - forall x y, mul x y = repr (signed x * signed y). -Proof. - intros; unfold mul. apply eqm_samerepr. - apply eqm_mult; apply eqm_sym; apply eqm_signed_unsigned. -Qed. - -(** ** Properties of division and modulus *) - -Lemma modu_divu_Euclid: - forall x y, y <> zero -> x = add (mul (divu x y) y) (modu x y). -Proof. - intros. unfold add, mul, divu, modu. - transitivity (repr (unsigned x)). auto with ints. - apply eqm_samerepr. - set (x' := unsigned x). set (y' := unsigned y). - apply eqm_trans with ((x' / y') * y' + x' mod y'). - apply eqm_refl2. rewrite Z.mul_comm. apply Z_div_mod_eq. - generalize (unsigned_range y); intro. - assert (unsigned y <> 0). red; intro. - elim H. rewrite <- (repr_unsigned y). unfold zero. congruence. - unfold y'. lia. - auto with ints. -Qed. - -Theorem modu_divu: - forall x y, y <> zero -> modu x y = sub x (mul (divu x y) y). -Proof. - intros. - assert (forall a b c, a = add b c -> c = sub a b). - intros. subst a. rewrite sub_add_l. rewrite sub_idem. - rewrite add_commut. rewrite add_zero. auto. - apply H0. apply modu_divu_Euclid. auto. -Qed. - -Lemma mods_divs_Euclid: - forall x y, x = add (mul (divs x y) y) (mods x y). -Proof. - intros. unfold add, mul, divs, mods. - transitivity (repr (signed x)). auto with ints. - apply eqm_samerepr. - set (x' := signed x). set (y' := signed y). - apply eqm_trans with ((Z.quot x' y') * y' + Z.rem x' y'). - apply eqm_refl2. rewrite Z.mul_comm. apply Z.quot_rem'. - apply eqm_add; auto with ints. - apply eqm_unsigned_repr_r. apply eqm_mult; auto with ints. - unfold y'. apply eqm_signed_unsigned. -Qed. - -Theorem mods_divs: - forall x y, mods x y = sub x (mul (divs x y) y). -Proof. - intros. - assert (forall a b c, a = add b c -> c = sub a b). - intros. subst a. rewrite sub_add_l. rewrite sub_idem. - rewrite add_commut. rewrite add_zero. auto. - apply H. apply mods_divs_Euclid. -Qed. - -Theorem divu_one: - forall x, divu x one = x. -Proof. - unfold divu; intros. rewrite unsigned_one. rewrite Zdiv_1_r. apply repr_unsigned. -Qed. - -Theorem divs_one: - forall x, zwordsize > 1 -> divs x one = x. -Proof. - unfold divs; intros. rewrite signed_one. rewrite Z.quot_1_r. apply repr_signed. auto. -Qed. - -Theorem modu_one: - forall x, modu x one = zero. -Proof. - intros. rewrite modu_divu. rewrite divu_one. rewrite mul_one. apply sub_idem. - apply one_not_zero. -Qed. - -Theorem divs_mone: - forall x, divs x mone = neg x. -Proof. - unfold divs, neg; intros. - rewrite signed_mone. - replace (Z.quot (signed x) (-1)) with (- (signed x)). - apply eqm_samerepr. apply eqm_neg. apply eqm_signed_unsigned. - set (x' := signed x). - set (one := 1). - change (-1) with (- one). rewrite Zquot_opp_r. - assert (Z.quot x' one = x'). - symmetry. apply Zquot_unique_full with 0. red. - change (Z.abs one) with 1. - destruct (zle 0 x'). left. lia. right. lia. - unfold one; ring. - congruence. -Qed. - -Theorem mods_mone: - forall x, mods x mone = zero. -Proof. - intros. rewrite mods_divs. rewrite divs_mone. - rewrite <- neg_mul_distr_l. rewrite mul_mone. rewrite neg_involutive. apply sub_idem. -Qed. - -Theorem divmodu2_divu_modu: - forall n d, - d <> zero -> divmodu2 zero n d = Some (divu n d, modu n d). -Proof. - unfold divmodu2, divu, modu; intros. - rewrite dec_eq_false by auto. - set (N := unsigned zero * modulus + unsigned n). - assert (E1: unsigned n = N) by (unfold N; rewrite unsigned_zero; ring). rewrite ! E1. - set (D := unsigned d). - set (Q := N / D); set (R := N mod D). - assert (E2: Z.div_eucl N D = (Q, R)). - { unfold Q, R, Z.div, Z.modulo. destruct (Z.div_eucl N D); auto. } - rewrite E2. rewrite zle_true. auto. - assert (unsigned d <> 0). - { red; intros. elim H. rewrite <- (repr_unsigned d). rewrite H0; auto. } - assert (0 < D). - { unfold D. generalize (unsigned_range d); intros. lia. } - assert (0 <= Q <= max_unsigned). - { unfold Q. apply Zdiv_interval_2. - rewrite <- E1; apply unsigned_range_2. - lia. unfold max_unsigned; generalize modulus_pos; lia. lia. } - lia. -Qed. - -Lemma unsigned_signed: - forall n, unsigned n = if lt n zero then signed n + modulus else signed n. -Proof. - intros. unfold lt. rewrite signed_zero. unfold signed. - generalize (unsigned_range n). rewrite half_modulus_modulus. intros. - destruct (zlt (unsigned n) half_modulus). -- rewrite zlt_false by lia. auto. -- rewrite zlt_true by lia. ring. -Qed. - -Theorem divmods2_divs_mods: - forall n d, - d <> zero -> n <> repr min_signed \/ d <> mone -> - divmods2 (if lt n zero then mone else zero) n d = Some (divs n d, mods n d). -Proof. - unfold divmods2, divs, mods; intros. - rewrite dec_eq_false by auto. - set (N := signed (if lt n zero then mone else zero) * modulus + unsigned n). - set (D := signed d). - assert (D <> 0). - { unfold D; red; intros. elim H. rewrite <- (repr_signed d). rewrite H1; auto. } - assert (N = signed n). - { unfold N. rewrite unsigned_signed. destruct (lt n zero). - rewrite signed_mone. ring. - rewrite signed_zero. ring. } - set (Q := Z.quot N D); set (R := Z.rem N D). - assert (E2: Z.quotrem N D = (Q, R)). - { unfold Q, R, Z.quot, Z.rem. destruct (Z.quotrem N D); auto. } - rewrite E2. - assert (min_signed <= N <= max_signed) by (rewrite H2; apply signed_range). - assert (min_signed <= Q <= max_signed). - { unfold Q. destruct (zeq D 1); [ | destruct (zeq D (-1))]. - - (* D = 1 *) - rewrite e. rewrite Z.quot_1_r; auto. - - (* D = -1 *) - rewrite e. change (-1) with (Z.opp 1). rewrite Z.quot_opp_r by lia. - rewrite Z.quot_1_r. - assert (N <> min_signed). - { red; intros; destruct H0. - + elim H0. rewrite <- (repr_signed n). rewrite <- H2. rewrite H4. auto. - + elim H0. rewrite <- (repr_signed d). unfold D in e; rewrite e; auto. } - unfold min_signed, max_signed in *. lia. - - (* |D| > 1 *) - assert (Z.abs (Z.quot N D) < half_modulus). - { rewrite <- Z.quot_abs by lia. apply Zquot_lt_upper_bound. - extlia. extlia. - apply Z.le_lt_trans with (half_modulus * 1). - rewrite Z.mul_1_r. unfold min_signed, max_signed in H3; extlia. - apply Zmult_lt_compat_l. generalize half_modulus_pos; lia. extlia. } - rewrite Z.abs_lt in H4. - unfold min_signed, max_signed; lia. - } - unfold proj_sumbool; rewrite ! zle_true by lia; simpl. - unfold Q, R; rewrite H2; auto. -Qed. - -(** ** Bit-level properties *) - -Definition testbit (x: int) (i: Z) : bool := Z.testbit (unsigned x) i. - -Lemma testbit_repr: - forall x i, - 0 <= i < zwordsize -> - testbit (repr x) i = Z.testbit x i. -Proof. - intros. unfold testbit. apply same_bits_eqm; auto with ints. -Qed. - -Lemma same_bits_eq: - forall x y, - (forall i, 0 <= i < zwordsize -> testbit x i = testbit y i) -> - x = y. -Proof. - intros. rewrite <- (repr_unsigned x). rewrite <- (repr_unsigned y). - apply eqm_samerepr. apply eqm_same_bits. auto. -Qed. - -Lemma bits_above: - forall x i, i >= zwordsize -> testbit x i = false. -Proof. - intros. apply Ztestbit_above with wordsize; auto. apply unsigned_range. -Qed. - -Lemma bits_below: - forall x i, i < 0 -> testbit x i = false. -Proof. - intros. apply Z.testbit_neg_r; auto. -Qed. - -Lemma bits_zero: - forall i, testbit zero i = false. -Proof. - intros. unfold testbit. rewrite unsigned_zero. apply Ztestbit_0. -Qed. - -Remark bits_one: forall n, testbit one n = zeq n 0. -Proof. - unfold testbit; intros. rewrite unsigned_one. apply Ztestbit_1. -Qed. - -Lemma bits_mone: - forall i, 0 <= i < zwordsize -> testbit mone i = true. -Proof. - intros. unfold mone. rewrite testbit_repr; auto. apply Ztestbit_m1. lia. -Qed. - -Hint Rewrite bits_zero bits_mone : ints. - -Ltac bit_solve := - intros; apply same_bits_eq; intros; autorewrite with ints; auto with bool. - -Lemma sign_bit_of_unsigned: - forall x, testbit x (zwordsize - 1) = if zlt (unsigned x) half_modulus then false else true. -Proof. - intros. unfold testbit. - set (ws1 := Init.Nat.pred wordsize). - assert (zwordsize - 1 = Z.of_nat ws1). - unfold zwordsize, ws1. - destruct wordsize as [] eqn:E. - elim wordsize_not_zero; auto. - rewrite Nat2Z.inj_succ. simpl. lia. - assert (half_modulus = two_power_nat ws1). - rewrite two_power_nat_two_p. rewrite <- H. apply half_modulus_power. - rewrite H; rewrite H0. - apply Zsign_bit. rewrite two_power_nat_S. rewrite <- H0. - rewrite <- half_modulus_modulus. apply unsigned_range. -Qed. - -Lemma bits_signed: - forall x i, 0 <= i -> - Z.testbit (signed x) i = testbit x (if zlt i zwordsize then i else zwordsize - 1). -Proof. - intros. - destruct (zlt i zwordsize). - - apply same_bits_eqm. apply eqm_signed_unsigned. lia. - - unfold signed. rewrite sign_bit_of_unsigned. destruct (zlt (unsigned x) half_modulus). - + apply Ztestbit_above with wordsize. apply unsigned_range. auto. - + apply Ztestbit_above_neg with wordsize. - fold modulus. generalize (unsigned_range x). lia. auto. -Qed. - -Lemma bits_le: - forall x y, - (forall i, 0 <= i < zwordsize -> testbit x i = true -> testbit y i = true) -> - unsigned x <= unsigned y. -Proof. - intros. apply Ztestbit_le. generalize (unsigned_range y); lia. - intros. fold (testbit y i). destruct (zlt i zwordsize). - apply H. lia. auto. - fold (testbit x i) in H1. rewrite bits_above in H1; auto. congruence. -Qed. - -(** ** Properties of bitwise and, or, xor *) - -Lemma bits_and: - forall x y i, 0 <= i < zwordsize -> - testbit (and x y) i = testbit x i && testbit y i. -Proof. - intros. unfold and. rewrite testbit_repr; auto. rewrite Z.land_spec; intuition. -Qed. - -Lemma bits_or: - forall x y i, 0 <= i < zwordsize -> - testbit (or x y) i = testbit x i || testbit y i. -Proof. - intros. unfold or. rewrite testbit_repr; auto. rewrite Z.lor_spec; intuition. -Qed. - -Lemma bits_xor: - forall x y i, 0 <= i < zwordsize -> - testbit (xor x y) i = xorb (testbit x i) (testbit y i). -Proof. - intros. unfold xor. rewrite testbit_repr; auto. rewrite Z.lxor_spec; intuition. -Qed. - -Lemma bits_not: - forall x i, 0 <= i < zwordsize -> - testbit (not x) i = negb (testbit x i). -Proof. - intros. unfold not. rewrite bits_xor; auto. rewrite bits_mone; auto. -Qed. - -Hint Rewrite bits_and bits_or bits_xor bits_not: ints. - -Theorem and_commut: forall x y, and x y = and y x. -Proof. - bit_solve. -Qed. - -Theorem and_assoc: forall x y z, and (and x y) z = and x (and y z). -Proof. - bit_solve. -Qed. - -Theorem and_zero: forall x, and x zero = zero. -Proof. - bit_solve. apply andb_b_false. -Qed. - -Corollary and_zero_l: forall x, and zero x = zero. -Proof. - intros. rewrite and_commut. apply and_zero. -Qed. - -Theorem and_mone: forall x, and x mone = x. -Proof. - bit_solve. apply andb_b_true. -Qed. - -Corollary and_mone_l: forall x, and mone x = x. -Proof. - intros. rewrite and_commut. apply and_mone. -Qed. - -Theorem and_idem: forall x, and x x = x. -Proof. - bit_solve. destruct (testbit x i); auto. -Qed. - -Theorem or_commut: forall x y, or x y = or y x. -Proof. - bit_solve. -Qed. - -Theorem or_assoc: forall x y z, or (or x y) z = or x (or y z). -Proof. - bit_solve. -Qed. - -Theorem or_zero: forall x, or x zero = x. -Proof. - bit_solve. -Qed. - -Corollary or_zero_l: forall x, or zero x = x. -Proof. - intros. rewrite or_commut. apply or_zero. -Qed. - -Theorem or_mone: forall x, or x mone = mone. -Proof. - bit_solve. -Qed. - -Theorem or_idem: forall x, or x x = x. -Proof. - bit_solve. destruct (testbit x i); auto. -Qed. - -Theorem and_or_distrib: - forall x y z, - and x (or y z) = or (and x y) (and x z). -Proof. - bit_solve. apply demorgan1. -Qed. - -Corollary and_or_distrib_l: - forall x y z, - and (or x y) z = or (and x z) (and y z). -Proof. - intros. rewrite (and_commut (or x y)). rewrite and_or_distrib. f_equal; apply and_commut. -Qed. - -Theorem or_and_distrib: - forall x y z, - or x (and y z) = and (or x y) (or x z). -Proof. - bit_solve. apply orb_andb_distrib_r. -Qed. - -Corollary or_and_distrib_l: - forall x y z, - or (and x y) z = and (or x z) (or y z). -Proof. - intros. rewrite (or_commut (and x y)). rewrite or_and_distrib. f_equal; apply or_commut. -Qed. - -Theorem and_or_absorb: forall x y, and x (or x y) = x. -Proof. - bit_solve. - assert (forall a b, a && (a || b) = a) by destr_bool. - auto. -Qed. - -Theorem or_and_absorb: forall x y, or x (and x y) = x. -Proof. - bit_solve. - assert (forall a b, a || (a && b) = a) by destr_bool. - auto. -Qed. - -Theorem xor_commut: forall x y, xor x y = xor y x. -Proof. - bit_solve. apply xorb_comm. -Qed. - -Theorem xor_assoc: forall x y z, xor (xor x y) z = xor x (xor y z). -Proof. - bit_solve. apply xorb_assoc. -Qed. - -Theorem xor_zero: forall x, xor x zero = x. -Proof. - bit_solve. apply xorb_false. -Qed. - -Corollary xor_zero_l: forall x, xor zero x = x. -Proof. - intros. rewrite xor_commut. apply xor_zero. -Qed. - -Theorem xor_idem: forall x, xor x x = zero. -Proof. - bit_solve. apply xorb_nilpotent. -Qed. - -Theorem xor_zero_one: xor zero one = one. -Proof. rewrite xor_commut. apply xor_zero. Qed. - -Theorem xor_one_one: xor one one = zero. -Proof. apply xor_idem. Qed. - -Theorem xor_zero_equal: forall x y, xor x y = zero -> x = y. -Proof. - intros. apply same_bits_eq; intros. - assert (xorb (testbit x i) (testbit y i) = false). - rewrite <- bits_xor; auto. rewrite H. apply bits_zero. - destruct (testbit x i); destruct (testbit y i); reflexivity || discriminate. -Qed. - -Theorem xor_is_zero: forall x y, eq (xor x y) zero = eq x y. -Proof. - intros. predSpec eq eq_spec (xor x y) zero. -- apply xor_zero_equal in H. subst y. rewrite eq_true; auto. -- predSpec eq eq_spec x y. -+ elim H; subst y; apply xor_idem. -+ auto. -Qed. - -Theorem and_xor_distrib: - forall x y z, - and x (xor y z) = xor (and x y) (and x z). -Proof. - bit_solve. - assert (forall a b c, a && (xorb b c) = xorb (a && b) (a && c)) by destr_bool. - auto. -Qed. - -Theorem and_le: - forall x y, unsigned (and x y) <= unsigned x. -Proof. - intros. apply bits_le; intros. - rewrite bits_and in H0; auto. rewrite andb_true_iff in H0. tauto. -Qed. - -Theorem or_le: - forall x y, unsigned x <= unsigned (or x y). -Proof. - intros. apply bits_le; intros. - rewrite bits_or; auto. rewrite H0; auto. -Qed. - -(** ** Properties of bitwise complement.*) - -Theorem not_involutive: - forall (x: int), not (not x) = x. -Proof. - intros. unfold not. rewrite xor_assoc. rewrite xor_idem. apply xor_zero. -Qed. - -Theorem not_zero: - not zero = mone. -Proof. - unfold not. rewrite xor_commut. apply xor_zero. -Qed. - -Theorem not_mone: - not mone = zero. -Proof. - rewrite <- (not_involutive zero). symmetry. decEq. apply not_zero. -Qed. - -Theorem not_or_and_not: - forall x y, not (or x y) = and (not x) (not y). -Proof. - bit_solve. apply negb_orb. -Qed. - -Theorem not_and_or_not: - forall x y, not (and x y) = or (not x) (not y). -Proof. - bit_solve. apply negb_andb. -Qed. - -Theorem and_not_self: - forall x, and x (not x) = zero. -Proof. - bit_solve. -Qed. - -Theorem or_not_self: - forall x, or x (not x) = mone. -Proof. - bit_solve. -Qed. - -Theorem xor_not_self: - forall x, xor x (not x) = mone. -Proof. - bit_solve. destruct (testbit x i); auto. -Qed. - -Lemma unsigned_not: - forall x, unsigned (not x) = max_unsigned - unsigned x. -Proof. - intros. transitivity (unsigned (repr(-unsigned x - 1))). - f_equal. bit_solve. rewrite testbit_repr; auto. symmetry. apply Z_one_complement. lia. - rewrite unsigned_repr_eq. apply Zmod_unique with (-1). - unfold max_unsigned. lia. - generalize (unsigned_range x). unfold max_unsigned. lia. -Qed. - -Theorem not_neg: - forall x, not x = add (neg x) mone. -Proof. - bit_solve. - rewrite <- (repr_unsigned x) at 1. unfold add. - rewrite !testbit_repr; auto. - transitivity (Z.testbit (-unsigned x - 1) i). - symmetry. apply Z_one_complement. lia. - apply same_bits_eqm; auto. - replace (-unsigned x - 1) with (-unsigned x + (-1)) by lia. - apply eqm_add. - unfold neg. apply eqm_unsigned_repr. - rewrite unsigned_mone. exists (-1). ring. -Qed. - -Theorem neg_not: - forall x, neg x = add (not x) one. -Proof. - intros. rewrite not_neg. rewrite add_assoc. - replace (add mone one) with zero. rewrite add_zero. auto. - apply eqm_samerepr. rewrite unsigned_mone. rewrite unsigned_one. - exists (-1). ring. -Qed. - -Theorem sub_add_not: - forall x y, sub x y = add (add x (not y)) one. -Proof. - intros. rewrite sub_add_opp. rewrite neg_not. - rewrite ! add_assoc. auto. -Qed. - -Theorem sub_add_not_3: - forall x y b, - b = zero \/ b = one -> - sub (sub x y) b = add (add x (not y)) (xor b one). -Proof. - intros. rewrite ! sub_add_not. rewrite ! add_assoc. f_equal. f_equal. - rewrite <- neg_not. rewrite <- sub_add_opp. destruct H; subst b. - rewrite xor_zero_l. rewrite sub_zero_l. auto. - rewrite xor_idem. rewrite sub_idem. auto. -Qed. - -Theorem sub_borrow_add_carry: - forall x y b, - b = zero \/ b = one -> - sub_borrow x y b = xor (add_carry x (not y) (xor b one)) one. -Proof. - intros. unfold sub_borrow, add_carry. rewrite unsigned_not. - replace (unsigned (xor b one)) with (1 - unsigned b). - destruct (zlt (unsigned x - unsigned y - unsigned b)). - rewrite zlt_true. rewrite xor_zero_l; auto. - unfold max_unsigned; lia. - rewrite zlt_false. rewrite xor_idem; auto. - unfold max_unsigned; lia. - destruct H; subst b. - rewrite xor_zero_l. rewrite unsigned_one, unsigned_zero; auto. - rewrite xor_idem. rewrite unsigned_one, unsigned_zero; auto. -Qed. - -(** ** Connections between [add] and bitwise logical operations. *) - -Lemma Z_add_is_or: - forall i, 0 <= i -> - forall x y, - (forall j, 0 <= j <= i -> Z.testbit x j && Z.testbit y j = false) -> - Z.testbit (x + y) i = Z.testbit x i || Z.testbit y i. -Proof. - intros i0 POS0. pattern i0. apply Zlt_0_ind; auto. - intros i IND POS x y EXCL. - rewrite (Zdecomp x) in *. rewrite (Zdecomp y) in *. - transitivity (Z.testbit (Zshiftin (Z.odd x || Z.odd y) (Z.div2 x + Z.div2 y)) i). - - f_equal. rewrite !Zshiftin_spec. - exploit (EXCL 0). lia. rewrite !Ztestbit_shiftin_base. intros. -Opaque Z.mul. - destruct (Z.odd x); destruct (Z.odd y); simpl in *; discriminate || ring. - - rewrite !Ztestbit_shiftin; auto. - destruct (zeq i 0). - + auto. - + apply IND. lia. intros. - exploit (EXCL (Z.succ j)). lia. - rewrite !Ztestbit_shiftin_succ. auto. - lia. lia. -Qed. - -Theorem add_is_or: - forall x y, - and x y = zero -> - add x y = or x y. -Proof. - bit_solve. unfold add. rewrite testbit_repr; auto. - apply Z_add_is_or. lia. - intros. - assert (testbit (and x y) j = testbit zero j) by congruence. - autorewrite with ints in H2. assumption. lia. -Qed. - -Theorem xor_is_or: - forall x y, and x y = zero -> xor x y = or x y. -Proof. - bit_solve. - assert (testbit (and x y) i = testbit zero i) by congruence. - autorewrite with ints in H1; auto. - destruct (testbit x i); destruct (testbit y i); simpl in *; congruence. -Qed. - -Theorem add_is_xor: - forall x y, - and x y = zero -> - add x y = xor x y. -Proof. - intros. rewrite xor_is_or; auto. apply add_is_or; auto. -Qed. - -Theorem add_and: - forall x y z, - and y z = zero -> - add (and x y) (and x z) = and x (or y z). -Proof. - intros. rewrite add_is_or. - rewrite and_or_distrib; auto. - rewrite (and_commut x y). - rewrite and_assoc. - repeat rewrite <- (and_assoc x). - rewrite (and_commut (and x x)). - rewrite <- and_assoc. - rewrite H. rewrite and_commut. apply and_zero. -Qed. - -(** ** Properties of shifts *) - -Lemma bits_shl: - forall x y i, - 0 <= i < zwordsize -> - testbit (shl x y) i = - if zlt i (unsigned y) then false else testbit x (i - unsigned y). -Proof. - intros. unfold shl. rewrite testbit_repr; auto. - destruct (zlt i (unsigned y)). - apply Z.shiftl_spec_low. auto. - apply Z.shiftl_spec_high. lia. lia. -Qed. - -Lemma bits_shru: - forall x y i, - 0 <= i < zwordsize -> - testbit (shru x y) i = - if zlt (i + unsigned y) zwordsize then testbit x (i + unsigned y) else false. -Proof. - intros. unfold shru. rewrite testbit_repr; auto. - rewrite Z.shiftr_spec. fold (testbit x (i + unsigned y)). - destruct (zlt (i + unsigned y) zwordsize). - auto. - apply bits_above; auto. - lia. -Qed. - -Lemma bits_shr: - forall x y i, - 0 <= i < zwordsize -> - testbit (shr x y) i = - testbit x (if zlt (i + unsigned y) zwordsize then i + unsigned y else zwordsize - 1). -Proof. - intros. unfold shr. rewrite testbit_repr; auto. - rewrite Z.shiftr_spec. apply bits_signed. - generalize (unsigned_range y); lia. - lia. -Qed. - -Hint Rewrite bits_shl bits_shru bits_shr: ints. - -Theorem shl_zero: forall x, shl x zero = x. -Proof. - bit_solve. rewrite unsigned_zero. rewrite zlt_false. f_equal; lia. lia. -Qed. - -Lemma bitwise_binop_shl: - forall f f' x y n, - (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> - f' false false = false -> - f (shl x n) (shl y n) = shl (f x y) n. -Proof. - intros. apply same_bits_eq; intros. - rewrite H; auto. rewrite !bits_shl; auto. - destruct (zlt i (unsigned n)); auto. - rewrite H; auto. generalize (unsigned_range n); lia. -Qed. - -Theorem and_shl: - forall x y n, - and (shl x n) (shl y n) = shl (and x y) n. -Proof. - intros. apply bitwise_binop_shl with andb. exact bits_and. auto. -Qed. - -Theorem or_shl: - forall x y n, - or (shl x n) (shl y n) = shl (or x y) n. -Proof. - intros. apply bitwise_binop_shl with orb. exact bits_or. auto. -Qed. - -Theorem xor_shl: - forall x y n, - xor (shl x n) (shl y n) = shl (xor x y) n. -Proof. - intros. apply bitwise_binop_shl with xorb. exact bits_xor. auto. -Qed. - -Lemma ltu_inv: - forall x y, ltu x y = true -> 0 <= unsigned x < unsigned y. -Proof. - unfold ltu; intros. destruct (zlt (unsigned x) (unsigned y)). - split; auto. generalize (unsigned_range x); lia. - discriminate. -Qed. - -Lemma ltu_iwordsize_inv: - forall x, ltu x iwordsize = true -> 0 <= unsigned x < zwordsize. -Proof. - intros. generalize (ltu_inv _ _ H). rewrite unsigned_repr_wordsize. auto. -Qed. - -Theorem shl_shl: - forall x y z, - ltu y iwordsize = true -> - ltu z iwordsize = true -> - ltu (add y z) iwordsize = true -> - shl (shl x y) z = shl x (add y z). -Proof. - intros. - generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. - assert (unsigned (add y z) = unsigned y + unsigned z). - unfold add. apply unsigned_repr. - generalize two_wordsize_max_unsigned; lia. - apply same_bits_eq; intros. - rewrite bits_shl; auto. - destruct (zlt i (unsigned z)). - - rewrite bits_shl; auto. rewrite zlt_true. auto. lia. - - rewrite bits_shl. destruct (zlt (i - unsigned z) (unsigned y)). - + rewrite bits_shl; auto. rewrite zlt_true. auto. lia. - + rewrite bits_shl; auto. rewrite zlt_false. f_equal. lia. lia. - + lia. -Qed. - -Theorem sub_ltu: - forall x y, - ltu x y = true -> - 0 <= unsigned y - unsigned x <= unsigned y. -Proof. - intros. - generalize (ltu_inv x y H). intros . - split. lia. lia. -Qed. - -Theorem shru_zero: forall x, shru x zero = x. -Proof. - bit_solve. rewrite unsigned_zero. rewrite zlt_true. f_equal; lia. lia. -Qed. - -Lemma bitwise_binop_shru: - forall f f' x y n, - (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> - f' false false = false -> - f (shru x n) (shru y n) = shru (f x y) n. -Proof. - intros. apply same_bits_eq; intros. - rewrite H; auto. rewrite !bits_shru; auto. - destruct (zlt (i + unsigned n) zwordsize); auto. - rewrite H; auto. generalize (unsigned_range n); lia. -Qed. - -Theorem and_shru: - forall x y n, - and (shru x n) (shru y n) = shru (and x y) n. -Proof. - intros. apply bitwise_binop_shru with andb; auto. exact bits_and. -Qed. - -Theorem or_shru: - forall x y n, - or (shru x n) (shru y n) = shru (or x y) n. -Proof. - intros. apply bitwise_binop_shru with orb; auto. exact bits_or. -Qed. - -Theorem xor_shru: - forall x y n, - xor (shru x n) (shru y n) = shru (xor x y) n. -Proof. - intros. apply bitwise_binop_shru with xorb; auto. exact bits_xor. -Qed. - -Theorem shru_shru: - forall x y z, - ltu y iwordsize = true -> - ltu z iwordsize = true -> - ltu (add y z) iwordsize = true -> - shru (shru x y) z = shru x (add y z). -Proof. - intros. - generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. - assert (unsigned (add y z) = unsigned y + unsigned z). - unfold add. apply unsigned_repr. - generalize two_wordsize_max_unsigned; lia. - apply same_bits_eq; intros. - rewrite bits_shru; auto. - destruct (zlt (i + unsigned z) zwordsize). - - rewrite bits_shru. destruct (zlt (i + unsigned z + unsigned y) zwordsize). - + rewrite bits_shru; auto. rewrite zlt_true. f_equal. lia. lia. - + rewrite bits_shru; auto. rewrite zlt_false. auto. lia. - + lia. - - rewrite bits_shru; auto. rewrite zlt_false. auto. lia. -Qed. - -Theorem shr_zero: forall x, shr x zero = x. -Proof. - bit_solve. rewrite unsigned_zero. rewrite zlt_true. f_equal; lia. lia. -Qed. - -Lemma bitwise_binop_shr: - forall f f' x y n, - (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> - f (shr x n) (shr y n) = shr (f x y) n. -Proof. - intros. apply same_bits_eq; intros. - rewrite H; auto. rewrite !bits_shr; auto. - rewrite H; auto. - destruct (zlt (i + unsigned n) zwordsize). - generalize (unsigned_range n); lia. - lia. -Qed. - -Theorem and_shr: - forall x y n, - and (shr x n) (shr y n) = shr (and x y) n. -Proof. - intros. apply bitwise_binop_shr with andb. exact bits_and. -Qed. - -Theorem or_shr: - forall x y n, - or (shr x n) (shr y n) = shr (or x y) n. -Proof. - intros. apply bitwise_binop_shr with orb. exact bits_or. -Qed. - -Theorem xor_shr: - forall x y n, - xor (shr x n) (shr y n) = shr (xor x y) n. -Proof. - intros. apply bitwise_binop_shr with xorb. exact bits_xor. -Qed. - -Theorem shr_shr: - forall x y z, - ltu y iwordsize = true -> - ltu z iwordsize = true -> - ltu (add y z) iwordsize = true -> - shr (shr x y) z = shr x (add y z). -Proof. - intros. - generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. - assert (unsigned (add y z) = unsigned y + unsigned z). - unfold add. apply unsigned_repr. - generalize two_wordsize_max_unsigned; lia. - apply same_bits_eq; intros. - rewrite !bits_shr; auto. f_equal. - destruct (zlt (i + unsigned z) zwordsize). - rewrite H4. replace (i + (unsigned y + unsigned z)) with (i + unsigned z + unsigned y) by lia. auto. - rewrite (zlt_false _ (i + unsigned (add y z))). - destruct (zlt (zwordsize - 1 + unsigned y) zwordsize); lia. - lia. - destruct (zlt (i + unsigned z) zwordsize); lia. -Qed. - -Theorem and_shr_shru: - forall x y z, - and (shr x z) (shru y z) = shru (and x y) z. -Proof. - intros. apply same_bits_eq; intros. - rewrite bits_and; auto. rewrite bits_shr; auto. rewrite !bits_shru; auto. - destruct (zlt (i + unsigned z) zwordsize). - - rewrite bits_and; auto. generalize (unsigned_range z); lia. - - apply andb_false_r. -Qed. - -Theorem shr_and_shru_and: - forall x y z, - shru (shl z y) y = z -> - and (shr x y) z = and (shru x y) z. -Proof. - intros. - rewrite <- H. - rewrite and_shru. rewrite and_shr_shru. auto. -Qed. - -Theorem shru_lt_zero: - forall x, - shru x (repr (zwordsize - 1)) = if lt x zero then one else zero. -Proof. - intros. apply same_bits_eq; intros. - rewrite bits_shru; auto. - rewrite unsigned_repr. - destruct (zeq i 0). - subst i. rewrite Z.add_0_l. rewrite zlt_true. - rewrite sign_bit_of_unsigned. - unfold lt. rewrite signed_zero. unfold signed. - destruct (zlt (unsigned x) half_modulus). - rewrite zlt_false. auto. generalize (unsigned_range x); lia. - rewrite zlt_true. unfold one; rewrite testbit_repr; auto. - generalize (unsigned_range x); lia. - lia. - rewrite zlt_false. - unfold testbit. rewrite Ztestbit_eq. rewrite zeq_false. - destruct (lt x zero). - rewrite unsigned_one. simpl Z.div2. rewrite Z.testbit_0_l; auto. - rewrite unsigned_zero. simpl Z.div2. rewrite Z.testbit_0_l; auto. - auto. lia. lia. - generalize wordsize_max_unsigned; lia. -Qed. - -Theorem shr_lt_zero: - forall x, - shr x (repr (zwordsize - 1)) = if lt x zero then mone else zero. -Proof. - intros. apply same_bits_eq; intros. - rewrite bits_shr; auto. - rewrite unsigned_repr. - transitivity (testbit x (zwordsize - 1)). - f_equal. destruct (zlt (i + (zwordsize - 1)) zwordsize); lia. - rewrite sign_bit_of_unsigned. - unfold lt. rewrite signed_zero. unfold signed. - destruct (zlt (unsigned x) half_modulus). - rewrite zlt_false. rewrite bits_zero; auto. generalize (unsigned_range x); lia. - rewrite zlt_true. rewrite bits_mone; auto. generalize (unsigned_range x); lia. - generalize wordsize_max_unsigned; lia. -Qed. - -(** ** Properties of rotations *) - -Lemma bits_rol: - forall x y i, - 0 <= i < zwordsize -> - testbit (rol x y) i = testbit x ((i - unsigned y) mod zwordsize). -Proof. - intros. unfold rol. - exploit (Z_div_mod_eq (unsigned y) zwordsize). apply wordsize_pos. - set (j := unsigned y mod zwordsize). set (k := unsigned y / zwordsize). - intros EQ. - exploit (Z_mod_lt (unsigned y) zwordsize). apply wordsize_pos. - fold j. intros RANGE. - rewrite testbit_repr; auto. - rewrite Z.lor_spec. rewrite Z.shiftr_spec. 2: lia. - destruct (zlt i j). - - rewrite Z.shiftl_spec_low; auto. simpl. - unfold testbit. f_equal. - symmetry. apply Zmod_unique with (-k - 1). - rewrite EQ. ring. - lia. - - rewrite Z.shiftl_spec_high. - fold (testbit x (i + (zwordsize - j))). - rewrite bits_above. rewrite orb_false_r. - fold (testbit x (i - j)). - f_equal. symmetry. apply Zmod_unique with (-k). - rewrite EQ. ring. - lia. lia. lia. lia. -Qed. - -Lemma bits_ror: - forall x y i, - 0 <= i < zwordsize -> - testbit (ror x y) i = testbit x ((i + unsigned y) mod zwordsize). -Proof. - intros. unfold ror. - exploit (Z_div_mod_eq (unsigned y) zwordsize). apply wordsize_pos. - set (j := unsigned y mod zwordsize). set (k := unsigned y / zwordsize). - intros EQ. - exploit (Z_mod_lt (unsigned y) zwordsize). apply wordsize_pos. - fold j. intros RANGE. - rewrite testbit_repr; auto. - rewrite Z.lor_spec. rewrite Z.shiftr_spec. 2: lia. - destruct (zlt (i + j) zwordsize). - - rewrite Z.shiftl_spec_low; auto. rewrite orb_false_r. - unfold testbit. f_equal. - symmetry. apply Zmod_unique with k. - rewrite EQ. ring. - lia. lia. - - rewrite Z.shiftl_spec_high. - fold (testbit x (i + j)). - rewrite bits_above. simpl. - unfold testbit. f_equal. - symmetry. apply Zmod_unique with (k + 1). - rewrite EQ. ring. - lia. lia. lia. lia. -Qed. - -Hint Rewrite bits_rol bits_ror: ints. - -Theorem shl_rolm: - forall x n, - ltu n iwordsize = true -> - shl x n = rolm x n (shl mone n). -Proof. - intros. generalize (ltu_inv _ _ H). rewrite unsigned_repr_wordsize; intros. - unfold rolm. apply same_bits_eq; intros. - rewrite bits_and; auto. rewrite !bits_shl; auto. rewrite bits_rol; auto. - destruct (zlt i (unsigned n)). - - rewrite andb_false_r; auto. - - generalize (unsigned_range n); intros. - rewrite bits_mone. rewrite andb_true_r. f_equal. - symmetry. apply Z.mod_small. lia. - lia. -Qed. - -Theorem shru_rolm: - forall x n, - ltu n iwordsize = true -> - shru x n = rolm x (sub iwordsize n) (shru mone n). -Proof. - intros. generalize (ltu_inv _ _ H). rewrite unsigned_repr_wordsize; intros. - unfold rolm. apply same_bits_eq; intros. - rewrite bits_and; auto. rewrite !bits_shru; auto. rewrite bits_rol; auto. - destruct (zlt (i + unsigned n) zwordsize). - - generalize (unsigned_range n); intros. - rewrite bits_mone. rewrite andb_true_r. f_equal. - unfold sub. rewrite unsigned_repr. rewrite unsigned_repr_wordsize. - symmetry. apply Zmod_unique with (-1). ring. lia. - rewrite unsigned_repr_wordsize. generalize wordsize_max_unsigned. lia. - lia. - - rewrite andb_false_r; auto. -Qed. - -Theorem rol_zero: - forall x, - rol x zero = x. -Proof. - bit_solve. f_equal. rewrite unsigned_zero. rewrite Z.sub_0_r. - apply Z.mod_small; auto. -Qed. - -Lemma bitwise_binop_rol: - forall f f' x y n, - (forall x y i, 0 <= i < zwordsize -> testbit (f x y) i = f' (testbit x i) (testbit y i)) -> - rol (f x y) n = f (rol x n) (rol y n). -Proof. - intros. apply same_bits_eq; intros. - rewrite H; auto. rewrite !bits_rol; auto. rewrite H; auto. - apply Z_mod_lt. apply wordsize_pos. -Qed. - -Theorem rol_and: - forall x y n, - rol (and x y) n = and (rol x n) (rol y n). -Proof. - intros. apply bitwise_binop_rol with andb. exact bits_and. -Qed. - -Theorem rol_or: - forall x y n, - rol (or x y) n = or (rol x n) (rol y n). -Proof. - intros. apply bitwise_binop_rol with orb. exact bits_or. -Qed. - -Theorem rol_xor: - forall x y n, - rol (xor x y) n = xor (rol x n) (rol y n). -Proof. - intros. apply bitwise_binop_rol with xorb. exact bits_xor. -Qed. - -Theorem rol_rol: - forall x n m, - Z.divide zwordsize modulus -> - rol (rol x n) m = rol x (modu (add n m) iwordsize). -Proof. - bit_solve. f_equal. apply eqmod_mod_eq. apply wordsize_pos. - set (M := unsigned m); set (N := unsigned n). - apply eqmod_trans with (i - M - N). - apply eqmod_sub. - apply eqmod_sym. apply eqmod_mod. apply wordsize_pos. - apply eqmod_refl. - replace (i - M - N) with (i - (M + N)) by lia. - apply eqmod_sub. - apply eqmod_refl. - apply eqmod_trans with (Z.modulo (unsigned n + unsigned m) zwordsize). - replace (M + N) with (N + M) by lia. apply eqmod_mod. apply wordsize_pos. - unfold modu, add. fold M; fold N. rewrite unsigned_repr_wordsize. - assert (forall a, eqmod zwordsize a (unsigned (repr a))). - intros. eapply eqmod_divides. apply eqm_unsigned_repr. assumption. - eapply eqmod_trans. 2: apply H1. - apply eqmod_refl2. apply eqmod_mod_eq. apply wordsize_pos. auto. - apply Z_mod_lt. apply wordsize_pos. -Qed. - -Theorem rolm_zero: - forall x m, - rolm x zero m = and x m. -Proof. - intros. unfold rolm. rewrite rol_zero. auto. -Qed. - -Theorem rolm_rolm: - forall x n1 m1 n2 m2, - Z.divide zwordsize modulus -> - rolm (rolm x n1 m1) n2 m2 = - rolm x (modu (add n1 n2) iwordsize) - (and (rol m1 n2) m2). -Proof. - intros. - unfold rolm. rewrite rol_and. rewrite and_assoc. - rewrite rol_rol. reflexivity. auto. -Qed. - -Theorem or_rolm: - forall x n m1 m2, - or (rolm x n m1) (rolm x n m2) = rolm x n (or m1 m2). -Proof. - intros; unfold rolm. symmetry. apply and_or_distrib. -Qed. - -Theorem ror_rol: - forall x y, - ltu y iwordsize = true -> - ror x y = rol x (sub iwordsize y). -Proof. - intros. - generalize (ltu_iwordsize_inv _ H); intros. - apply same_bits_eq; intros. - rewrite bits_ror; auto. rewrite bits_rol; auto. f_equal. - unfold sub. rewrite unsigned_repr. rewrite unsigned_repr_wordsize. - apply eqmod_mod_eq. apply wordsize_pos. exists 1. ring. - rewrite unsigned_repr_wordsize. - generalize wordsize_pos; generalize wordsize_max_unsigned; lia. -Qed. - -Theorem ror_rol_neg: - forall x y, (zwordsize | modulus) -> ror x y = rol x (neg y). -Proof. - intros. apply same_bits_eq; intros. - rewrite bits_ror by auto. rewrite bits_rol by auto. - f_equal. apply eqmod_mod_eq. lia. - apply eqmod_trans with (i - (- unsigned y)). - apply eqmod_refl2; lia. - apply eqmod_sub. apply eqmod_refl. - apply eqmod_divides with modulus. - apply eqm_unsigned_repr. auto. -Qed. - -Theorem or_ror: - forall x y z, - ltu y iwordsize = true -> - ltu z iwordsize = true -> - add y z = iwordsize -> - ror x z = or (shl x y) (shru x z). -Proof. - intros. - generalize (ltu_iwordsize_inv _ H) (ltu_iwordsize_inv _ H0); intros. - unfold ror, or, shl, shru. apply same_bits_eq; intros. - rewrite !testbit_repr; auto. - rewrite !Z.lor_spec. rewrite orb_comm. f_equal; apply same_bits_eqm; auto. - - apply eqm_unsigned_repr_r. apply eqm_refl2. f_equal. - rewrite Z.mod_small; auto. - assert (unsigned (add y z) = zwordsize). - rewrite H1. apply unsigned_repr_wordsize. - unfold add in H5. rewrite unsigned_repr in H5. - lia. - generalize two_wordsize_max_unsigned; lia. - - apply eqm_unsigned_repr_r. apply eqm_refl2. f_equal. - apply Z.mod_small; auto. -Qed. - -(** ** Properties of [is_power2]. *) - -Remark is_power2_inv: - forall n logn, - is_power2 n = Some logn -> - Z_is_power2 (unsigned n) = Some (unsigned logn) /\ 0 <= unsigned logn < zwordsize. -Proof. - unfold is_power2; intros. - destruct (Z_is_power2 (unsigned n)) as [i|] eqn:E; inv H. - assert (0 <= i < zwordsize). - { apply Z_is_power2_range with (unsigned n). - generalize wordsize_pos; lia. - rewrite <- modulus_power. apply unsigned_range. - auto. } - rewrite unsigned_repr; auto. generalize wordsize_max_unsigned; lia. -Qed. - -Lemma is_power2_rng: - forall n logn, - is_power2 n = Some logn -> - 0 <= unsigned logn < zwordsize. -Proof. - intros. apply (is_power2_inv n logn); auto. -Qed. - -Theorem is_power2_range: - forall n logn, - is_power2 n = Some logn -> ltu logn iwordsize = true. -Proof. - intros. unfold ltu. rewrite unsigned_repr_wordsize. - apply zlt_true. generalize (is_power2_rng _ _ H). tauto. -Qed. - -Lemma is_power2_correct: - forall n logn, - is_power2 n = Some logn -> - unsigned n = two_p (unsigned logn). -Proof. - intros. apply is_power2_inv in H. destruct H as [P Q]. - apply Z_is_power2_sound in P. tauto. -Qed. - -Remark two_p_range: - forall n, - 0 <= n < zwordsize -> - 0 <= two_p n <= max_unsigned. -Proof. - intros. split. - assert (two_p n > 0). apply two_p_gt_ZERO. lia. lia. - generalize (two_p_monotone_strict _ _ H). - unfold zwordsize; rewrite <- two_power_nat_two_p. - unfold max_unsigned, modulus. lia. -Qed. - -Lemma is_power2_two_p: - forall n, 0 <= n < zwordsize -> - is_power2 (repr (two_p n)) = Some (repr n). -Proof. - intros. unfold is_power2. rewrite unsigned_repr. - rewrite Z_is_power2_complete by lia; auto. - apply two_p_range. auto. -Qed. - -(** ** Relation between bitwise operations and multiplications / divisions by powers of 2 *) - -(** Left shifts and multiplications by powers of 2. *) - -Lemma shl_mul_two_p: - forall x y, - shl x y = mul x (repr (two_p (unsigned y))). -Proof. - intros. unfold shl, mul. apply eqm_samerepr. - rewrite Zshiftl_mul_two_p. auto with ints. - generalize (unsigned_range y); lia. -Qed. - -Theorem shl_mul: - forall x y, - shl x y = mul x (shl one y). -Proof. - intros. - assert (shl one y = repr (two_p (unsigned y))). - { - rewrite shl_mul_two_p. rewrite mul_commut. rewrite mul_one. auto. - } - rewrite H. apply shl_mul_two_p. -Qed. - -Theorem mul_pow2: - forall x n logn, - is_power2 n = Some logn -> - mul x n = shl x logn. -Proof. - intros. generalize (is_power2_correct n logn H); intro. - rewrite shl_mul_two_p. rewrite <- H0. rewrite repr_unsigned. - auto. -Qed. - -Theorem shifted_or_is_add: - forall x y n, - 0 <= n < zwordsize -> - unsigned y < two_p n -> - or (shl x (repr n)) y = repr(unsigned x * two_p n + unsigned y). -Proof. - intros. rewrite <- add_is_or. - - unfold add. apply eqm_samerepr. apply eqm_add; auto with ints. - rewrite shl_mul_two_p. unfold mul. apply eqm_unsigned_repr_l. - apply eqm_mult; auto with ints. apply eqm_unsigned_repr_l. - apply eqm_refl2. rewrite unsigned_repr. auto. - generalize wordsize_max_unsigned; lia. - - bit_solve. - rewrite unsigned_repr. - destruct (zlt i n). - + auto. - + replace (testbit y i) with false. apply andb_false_r. - symmetry. unfold testbit. - assert (EQ: Z.of_nat (Z.to_nat n) = n) by (apply Z2Nat.id; lia). - apply Ztestbit_above with (Z.to_nat n). - rewrite <- EQ in H0. rewrite <- two_power_nat_two_p in H0. - generalize (unsigned_range y); lia. - rewrite EQ; auto. - + generalize wordsize_max_unsigned; lia. -Qed. - -(** Unsigned right shifts and unsigned divisions by powers of 2. *) - -Lemma shru_div_two_p: - forall x y, - shru x y = repr (unsigned x / two_p (unsigned y)). -Proof. - intros. unfold shru. - rewrite Zshiftr_div_two_p. auto. - generalize (unsigned_range y); lia. -Qed. - -Theorem divu_pow2: - forall x n logn, - is_power2 n = Some logn -> - divu x n = shru x logn. -Proof. - intros. generalize (is_power2_correct n logn H). intro. - symmetry. unfold divu. rewrite H0. apply shru_div_two_p. -Qed. - -(** Signed right shifts and signed divisions by powers of 2. *) - -Lemma shr_div_two_p: - forall x y, - shr x y = repr (signed x / two_p (unsigned y)). -Proof. - intros. unfold shr. - rewrite Zshiftr_div_two_p. auto. - generalize (unsigned_range y); lia. -Qed. - -Theorem divs_pow2: - forall x n logn, - is_power2 n = Some logn -> - divs x n = shrx x logn. -Proof. - intros. generalize (is_power2_correct _ _ H); intro. - unfold shrx. rewrite shl_mul_two_p. - rewrite mul_commut. rewrite mul_one. - rewrite <- H0. rewrite repr_unsigned. auto. -Qed. - -(** Unsigned modulus over [2^n] is masking with [2^n-1]. *) - -Theorem modu_and: - forall x n logn, - is_power2 n = Some logn -> - modu x n = and x (sub n one). -Proof. - intros. generalize (is_power2_correct _ _ H); intro. - generalize (is_power2_rng _ _ H); intro. - apply same_bits_eq; intros. - rewrite bits_and; auto. - unfold sub. rewrite testbit_repr; auto. - rewrite H0. rewrite unsigned_one. - unfold modu. rewrite testbit_repr; auto. rewrite H0. - rewrite Ztestbit_mod_two_p. rewrite Ztestbit_two_p_m1. - destruct (zlt i (unsigned logn)). - rewrite andb_true_r; auto. - rewrite andb_false_r; auto. - tauto. tauto. tauto. tauto. -Qed. - -(** ** Properties of [shrx] (signed division by a power of 2) *) - -Theorem shrx_zero: - forall x, zwordsize > 1 -> shrx x zero = x. -Proof. - intros. unfold shrx. rewrite shl_zero. unfold divs. rewrite signed_one by auto. - rewrite Z.quot_1_r. apply repr_signed. -Qed. - -Theorem shrx_shr: - forall x y, - ltu y (repr (zwordsize - 1)) = true -> - shrx x y = shr (if lt x zero then add x (sub (shl one y) one) else x) y. -Proof. - intros. - set (uy := unsigned y). - assert (0 <= uy < zwordsize - 1). - generalize (ltu_inv _ _ H). rewrite unsigned_repr. auto. - generalize wordsize_pos wordsize_max_unsigned; lia. - rewrite shr_div_two_p. unfold shrx. unfold divs. - assert (shl one y = repr (two_p uy)). - transitivity (mul one (repr (two_p uy))). - symmetry. apply mul_pow2. replace y with (repr uy). - apply is_power2_two_p. lia. apply repr_unsigned. - rewrite mul_commut. apply mul_one. - assert (two_p uy > 0). apply two_p_gt_ZERO. lia. - assert (two_p uy < half_modulus). - rewrite half_modulus_power. - apply two_p_monotone_strict. auto. - assert (two_p uy < modulus). - rewrite modulus_power. apply two_p_monotone_strict. lia. - assert (unsigned (shl one y) = two_p uy). - rewrite H1. apply unsigned_repr. unfold max_unsigned. lia. - assert (signed (shl one y) = two_p uy). - rewrite H1. apply signed_repr. - unfold max_signed. generalize min_signed_neg. lia. - rewrite H6. - rewrite Zquot_Zdiv; auto. - unfold lt. rewrite signed_zero. - destruct (zlt (signed x) 0); auto. - rewrite add_signed. - assert (signed (sub (shl one y) one) = two_p uy - 1). - unfold sub. rewrite H5. rewrite unsigned_one. - apply signed_repr. - generalize min_signed_neg. unfold max_signed. lia. - rewrite H7. rewrite signed_repr. f_equal. f_equal. lia. - generalize (signed_range x). intros. - assert (two_p uy - 1 <= max_signed). unfold max_signed. lia. lia. -Qed. - -Theorem shrx_shr_2: - forall x y, - ltu y (repr (zwordsize - 1)) = true -> - shrx x y = shr (add x (shru (shr x (repr (zwordsize - 1))) (sub iwordsize y))) y. -Proof. - intros. - rewrite shrx_shr by auto. f_equal. - rewrite shr_lt_zero. destruct (lt x zero). -- set (uy := unsigned y). - generalize (unsigned_range y); fold uy; intros. - assert (0 <= uy < zwordsize - 1). - generalize (ltu_inv _ _ H). rewrite unsigned_repr. auto. - generalize wordsize_pos wordsize_max_unsigned; lia. - assert (two_p uy < modulus). - rewrite modulus_power. apply two_p_monotone_strict. lia. - f_equal. rewrite shl_mul_two_p. fold uy. rewrite mul_commut. rewrite mul_one. - unfold sub. rewrite unsigned_one. rewrite unsigned_repr. - rewrite unsigned_repr_wordsize. fold uy. - apply same_bits_eq; intros. rewrite bits_shru by auto. - rewrite testbit_repr by auto. rewrite Ztestbit_two_p_m1 by lia. - rewrite unsigned_repr by (generalize wordsize_max_unsigned; lia). - destruct (zlt i uy). - rewrite zlt_true by lia. rewrite bits_mone by lia. auto. - rewrite zlt_false by lia. auto. - assert (two_p uy > 0) by (apply two_p_gt_ZERO; lia). unfold max_unsigned; lia. -- replace (shru zero (sub iwordsize y)) with zero. - rewrite add_zero; auto. - bit_solve. destruct (zlt (i + unsigned (sub iwordsize y)) zwordsize); auto. -Qed. - -Theorem shrx_carry: - forall x y, - ltu y (repr (zwordsize - 1)) = true -> - shrx x y = add (shr x y) (shr_carry x y). -Proof. - intros. rewrite shrx_shr; auto. unfold shr_carry. - unfold lt. set (sx := signed x). rewrite signed_zero. - destruct (zlt sx 0); simpl. - 2: rewrite add_zero; auto. - set (uy := unsigned y). - assert (0 <= uy < zwordsize - 1). - generalize (ltu_inv _ _ H). rewrite unsigned_repr. auto. - generalize wordsize_pos wordsize_max_unsigned; lia. - assert (shl one y = repr (two_p uy)). - rewrite shl_mul_two_p. rewrite mul_commut. apply mul_one. - assert (and x (sub (shl one y) one) = modu x (repr (two_p uy))). - symmetry. rewrite H1. apply modu_and with (logn := y). - rewrite is_power2_two_p. unfold uy. rewrite repr_unsigned. auto. - lia. - rewrite H2. rewrite H1. - repeat rewrite shr_div_two_p. fold sx. fold uy. - assert (two_p uy > 0). apply two_p_gt_ZERO. lia. - assert (two_p uy < modulus). - rewrite modulus_power. apply two_p_monotone_strict. lia. - assert (two_p uy < half_modulus). - rewrite half_modulus_power. - apply two_p_monotone_strict. auto. - assert (two_p uy < modulus). - rewrite modulus_power. apply two_p_monotone_strict. lia. - assert (sub (repr (two_p uy)) one = repr (two_p uy - 1)). - unfold sub. apply eqm_samerepr. apply eqm_sub. apply eqm_sym; apply eqm_unsigned_repr. - rewrite unsigned_one. apply eqm_refl. - rewrite H7. rewrite add_signed. fold sx. - rewrite (signed_repr (two_p uy - 1)). rewrite signed_repr. - unfold modu. rewrite unsigned_repr. - unfold eq. rewrite unsigned_zero. rewrite unsigned_repr. - assert (unsigned x mod two_p uy = sx mod two_p uy). - apply eqmod_mod_eq; auto. apply eqmod_divides with modulus. - fold eqm. unfold sx. apply eqm_sym. apply eqm_signed_unsigned. - unfold modulus. rewrite two_power_nat_two_p. - exists (two_p (zwordsize - uy)). rewrite <- two_p_is_exp. - f_equal. fold zwordsize; lia. lia. lia. - rewrite H8. rewrite Zdiv_shift; auto. - unfold add. apply eqm_samerepr. apply eqm_add. - apply eqm_unsigned_repr. - destruct (zeq (sx mod two_p uy) 0); simpl. - rewrite unsigned_zero. apply eqm_refl. - rewrite unsigned_one. apply eqm_refl. - generalize (Z_mod_lt (unsigned x) (two_p uy) H3). unfold max_unsigned. lia. - unfold max_unsigned; lia. - generalize (signed_range x). fold sx. intros. split. lia. unfold max_signed. lia. - generalize min_signed_neg. unfold max_signed. lia. -Qed. - -(** Connections between [shr] and [shru]. *) - -Lemma shr_shru_positive: - forall x y, - signed x >= 0 -> - shr x y = shru x y. -Proof. - intros. - rewrite shr_div_two_p. rewrite shru_div_two_p. - rewrite signed_eq_unsigned. auto. apply signed_positive. auto. -Qed. - -Lemma and_positive: - forall x y, signed y >= 0 -> signed (and x y) >= 0. -Proof. - intros. - assert (unsigned y < half_modulus). rewrite signed_positive in H. unfold max_signed in H; lia. - generalize (sign_bit_of_unsigned y). rewrite zlt_true; auto. intros A. - generalize (sign_bit_of_unsigned (and x y)). rewrite bits_and. rewrite A. - rewrite andb_false_r. unfold signed. - destruct (zlt (unsigned (and x y)) half_modulus). - intros. generalize (unsigned_range (and x y)); lia. - congruence. - generalize wordsize_pos; lia. -Qed. - -Theorem shr_and_is_shru_and: - forall x y z, - lt y zero = false -> shr (and x y) z = shru (and x y) z. -Proof. - intros. apply shr_shru_positive. apply and_positive. - unfold lt in H. rewrite signed_zero in H. destruct (zlt (signed y) 0). congruence. auto. -Qed. - -(** ** Properties of integer zero extension and sign extension. *) - -Lemma bits_zero_ext: - forall n x i, 0 <= i -> - testbit (zero_ext n x) i = if zlt i n then testbit x i else false. -Proof. - intros. unfold zero_ext. destruct (zlt i zwordsize). - rewrite testbit_repr; auto. rewrite Zzero_ext_spec. auto. auto. - rewrite !bits_above; auto. destruct (zlt i n); auto. -Qed. - -Lemma bits_sign_ext: - forall n x i, 0 <= i < zwordsize -> - testbit (sign_ext n x) i = testbit x (if zlt i n then i else n - 1). -Proof. - intros. unfold sign_ext. - rewrite testbit_repr; auto. apply Zsign_ext_spec. lia. -Qed. - -Hint Rewrite bits_zero_ext bits_sign_ext: ints. - -Theorem zero_ext_above: - forall n x, n >= zwordsize -> zero_ext n x = x. -Proof. - intros. apply same_bits_eq; intros. - rewrite bits_zero_ext. apply zlt_true. lia. lia. -Qed. - -Theorem zero_ext_below: - forall n x, n <= 0 -> zero_ext n x = zero. -Proof. - intros. bit_solve. destruct (zlt i n); auto. apply bits_below; lia. lia. -Qed. - -Theorem sign_ext_above: - forall n x, n >= zwordsize -> sign_ext n x = x. -Proof. - intros. apply same_bits_eq; intros. - unfold sign_ext; rewrite testbit_repr; auto. - rewrite Zsign_ext_spec. rewrite zlt_true. auto. lia. lia. -Qed. - -Theorem sign_ext_below: - forall n x, n <= 0 -> sign_ext n x = zero. -Proof. - intros. bit_solve. apply bits_below. destruct (zlt i n); lia. -Qed. - -Theorem zero_ext_and: - forall n x, 0 <= n -> zero_ext n x = and x (repr (two_p n - 1)). -Proof. - bit_solve. rewrite testbit_repr; auto. rewrite Ztestbit_two_p_m1; intuition. - destruct (zlt i n). - rewrite andb_true_r; auto. - rewrite andb_false_r; auto. - tauto. -Qed. - -Theorem zero_ext_mod: - forall n x, 0 <= n < zwordsize -> - unsigned (zero_ext n x) = Z.modulo (unsigned x) (two_p n). -Proof. - intros. apply equal_same_bits. intros. - rewrite Ztestbit_mod_two_p; auto. - fold (testbit (zero_ext n x) i). - destruct (zlt i zwordsize). - rewrite bits_zero_ext; auto. - rewrite bits_above. rewrite zlt_false; auto. lia. lia. - lia. -Qed. - -Theorem zero_ext_widen: - forall x n n', 0 <= n <= n' -> - zero_ext n' (zero_ext n x) = zero_ext n x. -Proof. - bit_solve. destruct (zlt i n). - apply zlt_true. lia. - destruct (zlt i n'); auto. - tauto. tauto. -Qed. - -Theorem sign_ext_widen: - forall x n n', 0 < n <= n' -> - sign_ext n' (sign_ext n x) = sign_ext n x. -Proof. - intros. destruct (zlt n' zwordsize). - bit_solve. destruct (zlt i n'). - auto. - rewrite (zlt_false _ i n). - destruct (zlt (n' - 1) n); f_equal; lia. - lia. - destruct (zlt i n'); lia. - apply sign_ext_above; auto. -Qed. - -Theorem sign_zero_ext_widen: - forall x n n', 0 <= n < n' -> - sign_ext n' (zero_ext n x) = zero_ext n x. -Proof. - intros. destruct (zlt n' zwordsize). - bit_solve. - destruct (zlt i n'). - auto. - rewrite !zlt_false. auto. lia. lia. lia. - destruct (zlt i n'); lia. - apply sign_ext_above; auto. -Qed. - -Theorem zero_ext_narrow: - forall x n n', 0 <= n <= n' -> - zero_ext n (zero_ext n' x) = zero_ext n x. -Proof. - bit_solve. destruct (zlt i n). - apply zlt_true. lia. - auto. - lia. lia. lia. -Qed. - -Theorem sign_ext_narrow: - forall x n n', 0 < n <= n' -> - sign_ext n (sign_ext n' x) = sign_ext n x. -Proof. - intros. destruct (zlt n zwordsize). - bit_solve. destruct (zlt i n); f_equal; apply zlt_true; lia. - destruct (zlt i n); lia. - rewrite (sign_ext_above n'). auto. lia. -Qed. - -Theorem zero_sign_ext_narrow: - forall x n n', 0 < n <= n' -> - zero_ext n (sign_ext n' x) = zero_ext n x. -Proof. - intros. destruct (zlt n' zwordsize). - bit_solve. - destruct (zlt i n); auto. - rewrite zlt_true; auto. lia. - lia. lia. - rewrite sign_ext_above; auto. -Qed. - -Theorem zero_ext_idem: - forall n x, 0 <= n -> zero_ext n (zero_ext n x) = zero_ext n x. -Proof. - intros. apply zero_ext_widen. lia. -Qed. - -Theorem sign_ext_idem: - forall n x, 0 < n -> sign_ext n (sign_ext n x) = sign_ext n x. -Proof. - intros. apply sign_ext_widen. lia. -Qed. - -Theorem sign_ext_zero_ext: - forall n x, 0 < n -> sign_ext n (zero_ext n x) = sign_ext n x. -Proof. - intros. destruct (zlt n zwordsize). - bit_solve. - destruct (zlt i n). - rewrite zlt_true; auto. - rewrite zlt_true; auto. lia. - destruct (zlt i n); lia. - rewrite zero_ext_above; auto. -Qed. - -Theorem zero_ext_sign_ext: - forall n x, 0 < n -> zero_ext n (sign_ext n x) = zero_ext n x. -Proof. - intros. apply zero_sign_ext_narrow. lia. -Qed. - -Theorem sign_ext_equal_if_zero_equal: - forall n x y, 0 < n -> - zero_ext n x = zero_ext n y -> - sign_ext n x = sign_ext n y. -Proof. - intros. rewrite <- (sign_ext_zero_ext n x H). - rewrite <- (sign_ext_zero_ext n y H). congruence. -Qed. - -Theorem shru_shl: - forall x y z, ltu y iwordsize = true -> ltu z iwordsize = true -> - shru (shl x y) z = - if ltu z y then shl (zero_ext (zwordsize - unsigned y) x) (sub y z) - else zero_ext (zwordsize - unsigned z) (shru x (sub z y)). -Proof. - intros. apply ltu_iwordsize_inv in H; apply ltu_iwordsize_inv in H0. - unfold ltu. set (Y := unsigned y) in *; set (Z := unsigned z) in *. - apply same_bits_eq; intros. rewrite bits_shru by auto. fold Z. - destruct (zlt Z Y). -- assert (A: unsigned (sub y z) = Y - Z). - { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } - symmetry; rewrite bits_shl, A by lia. - destruct (zlt (i + Z) zwordsize). -+ rewrite bits_shl by lia. fold Y. - destruct (zlt i (Y - Z)); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. - rewrite bits_zero_ext by lia. rewrite zlt_true by lia. f_equal; lia. -+ rewrite bits_zero_ext by lia. rewrite ! zlt_false by lia. auto. -- assert (A: unsigned (sub z y) = Z - Y). - { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } - rewrite bits_zero_ext, bits_shru, A by lia. - destruct (zlt (i + Z) zwordsize); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. - rewrite bits_shl by lia. fold Y. - destruct (zlt (i + Z) Y). -+ rewrite zlt_false by lia. auto. -+ rewrite zlt_true by lia. f_equal; lia. -Qed. - -Corollary zero_ext_shru_shl: - forall n x, - 0 < n < zwordsize -> - let y := repr (zwordsize - n) in - zero_ext n x = shru (shl x y) y. -Proof. - intros. - assert (A: unsigned y = zwordsize - n). - { unfold y. apply unsigned_repr. generalize wordsize_max_unsigned. lia. } - assert (B: ltu y iwordsize = true). - { unfold ltu; rewrite A, unsigned_repr_wordsize. apply zlt_true; lia. } - rewrite shru_shl by auto. unfold ltu; rewrite zlt_false by lia. - rewrite sub_idem, shru_zero. f_equal. rewrite A; lia. -Qed. - -Theorem shr_shl: - forall x y z, ltu y iwordsize = true -> ltu z iwordsize = true -> - shr (shl x y) z = - if ltu z y then shl (sign_ext (zwordsize - unsigned y) x) (sub y z) - else sign_ext (zwordsize - unsigned z) (shr x (sub z y)). -Proof. - intros. apply ltu_iwordsize_inv in H; apply ltu_iwordsize_inv in H0. - unfold ltu. set (Y := unsigned y) in *; set (Z := unsigned z) in *. - apply same_bits_eq; intros. rewrite bits_shr by auto. fold Z. - rewrite bits_shl by (destruct (zlt (i + Z) zwordsize); lia). fold Y. - destruct (zlt Z Y). -- assert (A: unsigned (sub y z) = Y - Z). - { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } - rewrite bits_shl, A by lia. - destruct (zlt i (Y - Z)). -+ apply zlt_true. destruct (zlt (i + Z) zwordsize); lia. -+ rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). - rewrite bits_sign_ext by lia. f_equal. - destruct (zlt (i + Z) zwordsize). - rewrite zlt_true by lia. lia. - rewrite zlt_false by lia. lia. -- assert (A: unsigned (sub z y) = Z - Y). - { apply unsigned_repr. generalize wordsize_max_unsigned; lia. } - rewrite bits_sign_ext by lia. - rewrite bits_shr by (destruct (zlt i (zwordsize - Z)); lia). - rewrite A. rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). - f_equal. destruct (zlt i (zwordsize - Z)). -+ rewrite ! zlt_true by lia. lia. -+ rewrite ! zlt_false by lia. rewrite zlt_true by lia. lia. -Qed. - -Corollary sign_ext_shr_shl: - forall n x, - 0 < n < zwordsize -> - let y := repr (zwordsize - n) in - sign_ext n x = shr (shl x y) y. -Proof. - intros. - assert (A: unsigned y = zwordsize - n). - { unfold y. apply unsigned_repr. generalize wordsize_max_unsigned. lia. } - assert (B: ltu y iwordsize = true). - { unfold ltu; rewrite A, unsigned_repr_wordsize. apply zlt_true; lia. } - rewrite shr_shl by auto. unfold ltu; rewrite zlt_false by lia. - rewrite sub_idem, shr_zero. f_equal. rewrite A; lia. -Qed. - -(** [zero_ext n x] is the unique integer congruent to [x] modulo [2^n] - in the range [0...2^n-1]. *) - -Lemma zero_ext_range: - forall n x, 0 <= n < zwordsize -> 0 <= unsigned (zero_ext n x) < two_p n. -Proof. - intros. rewrite zero_ext_mod; auto. apply Z_mod_lt. apply two_p_gt_ZERO. lia. -Qed. - -Lemma eqmod_zero_ext: - forall n x, 0 <= n < zwordsize -> eqmod (two_p n) (unsigned (zero_ext n x)) (unsigned x). -Proof. - intros. rewrite zero_ext_mod; auto. apply eqmod_sym. apply eqmod_mod. - apply two_p_gt_ZERO. lia. -Qed. - -(** [sign_ext n x] is the unique integer congruent to [x] modulo [2^n] - in the range [-2^(n-1)...2^(n-1) - 1]. *) - -Lemma sign_ext_range: - forall n x, 0 < n < zwordsize -> -two_p (n-1) <= signed (sign_ext n x) < two_p (n-1). -Proof. - intros. rewrite sign_ext_shr_shl; auto. - set (X := shl x (repr (zwordsize - n))). - assert (two_p (n - 1) > 0) by (apply two_p_gt_ZERO; lia). - assert (unsigned (repr (zwordsize - n)) = zwordsize - n). - apply unsigned_repr. - split. lia. generalize wordsize_max_unsigned; lia. - rewrite shr_div_two_p. - rewrite signed_repr. - rewrite H1. - apply Zdiv_interval_1. - lia. lia. apply two_p_gt_ZERO; lia. - replace (- two_p (n - 1) * two_p (zwordsize - n)) - with (- (two_p (n - 1) * two_p (zwordsize - n))) by ring. - rewrite <- two_p_is_exp. - replace (n - 1 + (zwordsize - n)) with (zwordsize - 1) by lia. - rewrite <- half_modulus_power. - generalize (signed_range X). unfold min_signed, max_signed. lia. - lia. lia. - apply Zdiv_interval_2. apply signed_range. - generalize min_signed_neg; lia. - generalize max_signed_pos; lia. - rewrite H1. apply two_p_gt_ZERO. lia. -Qed. - -Lemma eqmod_sign_ext': - forall n x, 0 < n < zwordsize -> - eqmod (two_p n) (unsigned (sign_ext n x)) (unsigned x). -Proof. - intros. - set (N := Z.to_nat n). - assert (Z.of_nat N = n) by (apply Z2Nat.id; lia). - rewrite <- H0. rewrite <- two_power_nat_two_p. - apply eqmod_same_bits; intros. - rewrite H0 in H1. rewrite H0. - fold (testbit (sign_ext n x) i). rewrite bits_sign_ext. - rewrite zlt_true. auto. lia. lia. -Qed. - -Lemma eqmod_sign_ext: - forall n x, 0 < n < zwordsize -> - eqmod (two_p n) (signed (sign_ext n x)) (unsigned x). -Proof. - intros. apply eqmod_trans with (unsigned (sign_ext n x)). - apply eqmod_divides with modulus. apply eqm_signed_unsigned. - exists (two_p (zwordsize - n)). - unfold modulus. rewrite two_power_nat_two_p. fold zwordsize. - rewrite <- two_p_is_exp. f_equal. lia. lia. lia. - apply eqmod_sign_ext'; auto. -Qed. - -(** Combinations of shifts and zero/sign extensions *) - -Lemma shl_zero_ext: - forall n m x, 0 <= n -> - shl (zero_ext n x) m = zero_ext (n + unsigned m) (shl x m). -Proof. - intros. apply same_bits_eq; intros. - rewrite bits_zero_ext, ! bits_shl by lia. - destruct (zlt i (unsigned m)). -- rewrite zlt_true by lia; auto. -- rewrite bits_zero_ext by lia. - destruct (zlt (i - unsigned m) n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. -Qed. - -Lemma shl_sign_ext: - forall n m x, 0 < n -> - shl (sign_ext n x) m = sign_ext (n + unsigned m) (shl x m). -Proof. - intros. generalize (unsigned_range m); intros. - apply same_bits_eq; intros. - rewrite bits_sign_ext, ! bits_shl by lia. - destruct (zlt i (n + unsigned m)). -- rewrite bits_shl by auto. destruct (zlt i (unsigned m)); auto. - rewrite bits_sign_ext by lia. f_equal. apply zlt_true. lia. -- rewrite zlt_false by lia. rewrite bits_shl by lia. rewrite zlt_false by lia. - rewrite bits_sign_ext by lia. f_equal. rewrite zlt_false by lia. lia. -Qed. - -Lemma shru_zero_ext: - forall n m x, 0 <= n -> - shru (zero_ext (n + unsigned m) x) m = zero_ext n (shru x m). -Proof. - intros. bit_solve. -- destruct (zlt (i + unsigned m) zwordsize). -* destruct (zlt i n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. -* destruct (zlt i n); auto. -- generalize (unsigned_range m); lia. -- lia. -Qed. - -Lemma shru_zero_ext_0: - forall n m x, n <= unsigned m -> - shru (zero_ext n x) m = zero. -Proof. - intros. bit_solve. -- destruct (zlt (i + unsigned m) zwordsize); auto. - apply zlt_false. lia. -- generalize (unsigned_range m); lia. -Qed. - -Lemma shr_sign_ext: - forall n m x, 0 < n -> n + unsigned m < zwordsize -> - shr (sign_ext (n + unsigned m) x) m = sign_ext n (shr x m). -Proof. - intros. generalize (unsigned_range m); intros. - apply same_bits_eq; intros. - rewrite bits_sign_ext, bits_shr by auto. - rewrite bits_sign_ext, bits_shr. -- f_equal. - destruct (zlt i n), (zlt (i + unsigned m) zwordsize). -+ apply zlt_true; lia. -+ apply zlt_true; lia. -+ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. -+ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. -- destruct (zlt i n); lia. -- destruct (zlt (i + unsigned m) zwordsize); lia. -Qed. - -Lemma zero_ext_shru_min: - forall s x n, ltu n iwordsize = true -> - zero_ext s (shru x n) = zero_ext (Z.min s (zwordsize - unsigned n)) (shru x n). -Proof. - intros. apply ltu_iwordsize_inv in H. - apply Z.min_case_strong; intros; auto. - bit_solve; try lia. - destruct (zlt i (zwordsize - unsigned n)). - rewrite zlt_true by lia. auto. - destruct (zlt i s); auto. rewrite zlt_false by lia; auto. -Qed. - -Lemma sign_ext_shr_min: - forall s x n, ltu n iwordsize = true -> - sign_ext s (shr x n) = sign_ext (Z.min s (zwordsize - unsigned n)) (shr x n). -Proof. - intros. apply ltu_iwordsize_inv in H. - rewrite Z.min_comm. - destruct (Z.min_spec (zwordsize - unsigned n) s) as [[A B] | [A B]]; rewrite B; auto. - apply same_bits_eq; intros. rewrite ! bits_sign_ext by auto. - destruct (zlt i (zwordsize - unsigned n)). - rewrite zlt_true by lia. auto. - assert (C: testbit (shr x n) (zwordsize - unsigned n - 1) = testbit x (zwordsize - 1)). - { rewrite bits_shr by lia. rewrite zlt_true by lia. f_equal; lia. } - rewrite C. destruct (zlt i s); rewrite bits_shr by lia. - rewrite zlt_false by lia. auto. - rewrite zlt_false by lia. auto. -Qed. - -Lemma shl_zero_ext_min: - forall s x n, ltu n iwordsize = true -> - shl (zero_ext s x) n = shl (zero_ext (Z.min s (zwordsize - unsigned n)) x) n. -Proof. - intros. apply ltu_iwordsize_inv in H. - apply Z.min_case_strong; intros; auto. - apply same_bits_eq; intros. rewrite ! bits_shl by auto. - destruct (zlt i (unsigned n)); auto. - rewrite ! bits_zero_ext by lia. - destruct (zlt (i - unsigned n) s). - rewrite zlt_true by lia; auto. - rewrite zlt_false by lia; auto. -Qed. - -Lemma shl_sign_ext_min: - forall s x n, ltu n iwordsize = true -> - shl (sign_ext s x) n = shl (sign_ext (Z.min s (zwordsize - unsigned n)) x) n. -Proof. - intros. apply ltu_iwordsize_inv in H. - rewrite Z.min_comm. - destruct (Z.min_spec (zwordsize - unsigned n) s) as [[A B] | [A B]]; rewrite B; auto. - apply same_bits_eq; intros. rewrite ! bits_shl by auto. - destruct (zlt i (unsigned n)); auto. - rewrite ! bits_sign_ext by lia. f_equal. - destruct (zlt (i - unsigned n) s). - rewrite zlt_true by lia; auto. - extlia. -Qed. - -(** ** Properties of [one_bits] (decomposition in sum of powers of two) *) - -Theorem one_bits_range: - forall x i, In i (one_bits x) -> ltu i iwordsize = true. -Proof. - assert (A: forall p, 0 <= p < zwordsize -> ltu (repr p) iwordsize = true). - intros. unfold ltu, iwordsize. apply zlt_true. - repeat rewrite unsigned_repr. tauto. - generalize wordsize_max_unsigned; lia. - generalize wordsize_max_unsigned; lia. - unfold one_bits. intros. - destruct (list_in_map_inv _ _ _ H) as [i0 [EQ IN]]. - subst i. apply A. apply Z_one_bits_range with (unsigned x); auto. -Qed. - -Fixpoint int_of_one_bits (l: list int) : int := - match l with - | nil => zero - | a :: b => add (shl one a) (int_of_one_bits b) - end. - -Theorem one_bits_decomp: - forall x, x = int_of_one_bits (one_bits x). -Proof. - intros. - transitivity (repr (powerserie (Z_one_bits wordsize (unsigned x) 0))). - transitivity (repr (unsigned x)). - auto with ints. decEq. apply Z_one_bits_powerserie. - auto with ints. - unfold one_bits. - generalize (Z_one_bits_range wordsize (unsigned x)). - generalize (Z_one_bits wordsize (unsigned x) 0). - induction l. - intros; reflexivity. - intros; simpl. rewrite <- IHl. unfold add. apply eqm_samerepr. - apply eqm_add. rewrite shl_mul_two_p. rewrite mul_commut. - rewrite mul_one. apply eqm_unsigned_repr_r. - rewrite unsigned_repr. auto with ints. - generalize (H a (in_eq _ _)). change (Z.of_nat wordsize) with zwordsize. - generalize wordsize_max_unsigned. lia. - auto with ints. - intros; apply H; auto with coqlib. -Qed. - -(** ** Properties of comparisons *) - -Theorem negate_cmp: - forall c x y, cmp (negate_comparison c) x y = negb (cmp c x y). -Proof. - intros. destruct c; simpl; try rewrite negb_elim; auto. -Qed. - -Theorem negate_cmpu: - forall c x y, cmpu (negate_comparison c) x y = negb (cmpu c x y). -Proof. - intros. destruct c; simpl; try rewrite negb_elim; auto. -Qed. - -Theorem swap_cmp: - forall c x y, cmp (swap_comparison c) x y = cmp c y x. -Proof. - intros. destruct c; simpl; auto. apply eq_sym. decEq. apply eq_sym. -Qed. - -Theorem swap_cmpu: - forall c x y, cmpu (swap_comparison c) x y = cmpu c y x. -Proof. - intros. destruct c; simpl; auto. apply eq_sym. decEq. apply eq_sym. -Qed. - -Lemma translate_eq: - forall x y d, - eq (add x d) (add y d) = eq x y. -Proof. - intros. unfold eq. case (zeq (unsigned x) (unsigned y)); intro. - unfold add. rewrite e. apply zeq_true. - apply zeq_false. unfold add. red; intro. apply n. - apply eqm_small_eq; auto with ints. - replace (unsigned x) with ((unsigned x + unsigned d) - unsigned d). - replace (unsigned y) with ((unsigned y + unsigned d) - unsigned d). - apply eqm_sub. apply eqm_trans with (unsigned (repr (unsigned x + unsigned d))). - eauto with ints. apply eqm_trans with (unsigned (repr (unsigned y + unsigned d))). - eauto with ints. eauto with ints. eauto with ints. - lia. lia. -Qed. - -Lemma translate_ltu: - forall x y d, - 0 <= unsigned x + unsigned d <= max_unsigned -> - 0 <= unsigned y + unsigned d <= max_unsigned -> - ltu (add x d) (add y d) = ltu x y. -Proof. - intros. unfold add. unfold ltu. - repeat rewrite unsigned_repr; auto. case (zlt (unsigned x) (unsigned y)); intro. - apply zlt_true. lia. - apply zlt_false. lia. -Qed. - -Theorem translate_cmpu: - forall c x y d, - 0 <= unsigned x + unsigned d <= max_unsigned -> - 0 <= unsigned y + unsigned d <= max_unsigned -> - cmpu c (add x d) (add y d) = cmpu c x y. -Proof. - intros. unfold cmpu. - rewrite translate_eq. repeat rewrite translate_ltu; auto. -Qed. - -Lemma translate_lt: - forall x y d, - min_signed <= signed x + signed d <= max_signed -> - min_signed <= signed y + signed d <= max_signed -> - lt (add x d) (add y d) = lt x y. -Proof. - intros. repeat rewrite add_signed. unfold lt. - repeat rewrite signed_repr; auto. case (zlt (signed x) (signed y)); intro. - apply zlt_true. lia. - apply zlt_false. lia. -Qed. - -Theorem translate_cmp: - forall c x y d, - min_signed <= signed x + signed d <= max_signed -> - min_signed <= signed y + signed d <= max_signed -> - cmp c (add x d) (add y d) = cmp c x y. -Proof. - intros. unfold cmp. - rewrite translate_eq. repeat rewrite translate_lt; auto. -Qed. - -Theorem notbool_isfalse_istrue: - forall x, is_false x -> is_true (notbool x). -Proof. - unfold is_false, is_true, notbool; intros; subst x. - rewrite eq_true. apply one_not_zero. -Qed. - -Theorem notbool_istrue_isfalse: - forall x, is_true x -> is_false (notbool x). -Proof. - unfold is_false, is_true, notbool; intros. - generalize (eq_spec x zero). case (eq x zero); intro. - contradiction. auto. -Qed. - -Theorem ltu_range_test: - forall x y, - ltu x y = true -> unsigned y <= max_signed -> - 0 <= signed x < unsigned y. -Proof. - intros. - unfold ltu in H. destruct (zlt (unsigned x) (unsigned y)); try discriminate. - rewrite signed_eq_unsigned. - generalize (unsigned_range x). lia. lia. -Qed. - -Theorem lt_sub_overflow: - forall x y, - xor (sub_overflow x y zero) (negative (sub x y)) = if lt x y then one else zero. -Proof. - intros. unfold negative, sub_overflow, lt. rewrite sub_signed. - rewrite signed_zero. rewrite Z.sub_0_r. - generalize (signed_range x) (signed_range y). - set (X := signed x); set (Y := signed y). intros RX RY. - unfold min_signed, max_signed in *. - generalize half_modulus_pos half_modulus_modulus; intros HM MM. - destruct (zle 0 (X - Y)). -- unfold proj_sumbool at 1; rewrite zle_true at 1 by lia. simpl. - rewrite (zlt_false _ X) by lia. - destruct (zlt (X - Y) half_modulus). - + unfold proj_sumbool; rewrite zle_true by lia. - rewrite signed_repr. rewrite zlt_false by lia. apply xor_idem. - unfold min_signed, max_signed; lia. - + unfold proj_sumbool; rewrite zle_false by lia. - replace (signed (repr (X - Y))) with (X - Y - modulus). - rewrite zlt_true by lia. apply xor_idem. - rewrite signed_repr_eq. replace ((X - Y) mod modulus) with (X - Y). - rewrite zlt_false; auto. - symmetry. apply Zmod_unique with 0; lia. -- unfold proj_sumbool at 2. rewrite zle_true at 1 by lia. rewrite andb_true_r. - rewrite (zlt_true _ X) by lia. - destruct (zlt (X - Y) (-half_modulus)). - + unfold proj_sumbool; rewrite zle_false by lia. - replace (signed (repr (X - Y))) with (X - Y + modulus). - rewrite zlt_false by lia. apply xor_zero. - rewrite signed_repr_eq. replace ((X - Y) mod modulus) with (X - Y + modulus). - rewrite zlt_true by lia; auto. - symmetry. apply Zmod_unique with (-1); lia. - + unfold proj_sumbool; rewrite zle_true by lia. - rewrite signed_repr. rewrite zlt_true by lia. apply xor_zero_l. - unfold min_signed, max_signed; lia. -Qed. - -Lemma signed_eq: - forall x y, eq x y = zeq (signed x) (signed y). -Proof. - intros. unfold eq. unfold proj_sumbool. - destruct (zeq (unsigned x) (unsigned y)); - destruct (zeq (signed x) (signed y)); auto. - elim n. unfold signed. rewrite e; auto. - elim n. apply eqm_small_eq; auto with ints. - eapply eqm_trans. apply eqm_sym. apply eqm_signed_unsigned. - rewrite e. apply eqm_signed_unsigned. -Qed. - -Lemma not_lt: - forall x y, negb (lt y x) = (lt x y || eq x y). -Proof. - intros. unfold lt. rewrite signed_eq. unfold proj_sumbool. - destruct (zlt (signed y) (signed x)). - rewrite zlt_false. rewrite zeq_false. auto. lia. lia. - destruct (zeq (signed x) (signed y)). - rewrite zlt_false. auto. lia. - rewrite zlt_true. auto. lia. -Qed. - -Lemma lt_not: - forall x y, lt y x = negb (lt x y) && negb (eq x y). -Proof. - intros. rewrite <- negb_orb. rewrite <- not_lt. rewrite negb_involutive. auto. -Qed. - -Lemma not_ltu: - forall x y, negb (ltu y x) = (ltu x y || eq x y). -Proof. - intros. unfold ltu, eq. - destruct (zlt (unsigned y) (unsigned x)). - rewrite zlt_false. rewrite zeq_false. auto. lia. lia. - destruct (zeq (unsigned x) (unsigned y)). - rewrite zlt_false. auto. lia. - rewrite zlt_true. auto. lia. -Qed. - -Lemma ltu_not: - forall x y, ltu y x = negb (ltu x y) && negb (eq x y). -Proof. - intros. rewrite <- negb_orb. rewrite <- not_ltu. rewrite negb_involutive. auto. -Qed. - -(** ** Non-overlapping test *) - -Definition no_overlap (ofs1: int) (sz1: Z) (ofs2: int) (sz2: Z) : bool := - let x1 := unsigned ofs1 in let x2 := unsigned ofs2 in - zlt (x1 + sz1) modulus && zlt (x2 + sz2) modulus - && (zle (x1 + sz1) x2 || zle (x2 + sz2) x1). - -Lemma no_overlap_sound: - forall ofs1 sz1 ofs2 sz2 base, - sz1 > 0 -> sz2 > 0 -> no_overlap ofs1 sz1 ofs2 sz2 = true -> - unsigned (add base ofs1) + sz1 <= unsigned (add base ofs2) - \/ unsigned (add base ofs2) + sz2 <= unsigned (add base ofs1). -Proof. - intros. - destruct (andb_prop _ _ H1). clear H1. - destruct (andb_prop _ _ H2). clear H2. - apply proj_sumbool_true in H1. - apply proj_sumbool_true in H4. - assert (unsigned ofs1 + sz1 <= unsigned ofs2 \/ unsigned ofs2 + sz2 <= unsigned ofs1). - destruct (orb_prop _ _ H3). left. eapply proj_sumbool_true; eauto. right. eapply proj_sumbool_true; eauto. - clear H3. - generalize (unsigned_range ofs1) (unsigned_range ofs2). intros P Q. - generalize (unsigned_add_either base ofs1) (unsigned_add_either base ofs2). - intros [C|C] [D|D]; lia. -Qed. - -(** ** Size of integers, in bits. *) - -Definition size (x: int) : Z := Zsize (unsigned x). - -Theorem size_zero: size zero = 0. -Proof. - unfold size; rewrite unsigned_zero; auto. -Qed. - -Theorem bits_size_1: - forall x, x = zero \/ testbit x (Z.pred (size x)) = true. -Proof. - intros. destruct (zeq (unsigned x) 0). - left. rewrite <- (repr_unsigned x). rewrite e; auto. - right. apply Ztestbit_size_1. generalize (unsigned_range x); lia. -Qed. - -Theorem bits_size_2: - forall x i, size x <= i -> testbit x i = false. -Proof. - intros. apply Ztestbit_size_2. generalize (unsigned_range x); lia. - fold (size x); lia. -Qed. - -Theorem size_range: - forall x, 0 <= size x <= zwordsize. -Proof. - intros; split. apply Zsize_pos. - destruct (bits_size_1 x). - subst x; unfold size; rewrite unsigned_zero; simpl. generalize wordsize_pos; lia. - destruct (zle (size x) zwordsize); auto. - rewrite bits_above in H. congruence. lia. -Qed. - -Theorem bits_size_3: - forall x n, - 0 <= n -> - (forall i, n <= i < zwordsize -> testbit x i = false) -> - size x <= n. -Proof. - intros. destruct (zle (size x) n). auto. - destruct (bits_size_1 x). - subst x. unfold size; rewrite unsigned_zero; assumption. - rewrite (H0 (Z.pred (size x))) in H1. congruence. - generalize (size_range x); lia. -Qed. - -Theorem bits_size_4: - forall x n, - 0 <= n -> - testbit x (Z.pred n) = true -> - (forall i, n <= i < zwordsize -> testbit x i = false) -> - size x = n. -Proof. - intros. - assert (size x <= n). - apply bits_size_3; auto. - destruct (zlt (size x) n). - rewrite bits_size_2 in H0. congruence. lia. - lia. -Qed. - -Theorem size_interval_1: - forall x, 0 <= unsigned x < two_p (size x). -Proof. - intros; apply Zsize_interval_1. generalize (unsigned_range x); lia. -Qed. - -Theorem size_interval_2: - forall x n, 0 <= n -> 0 <= unsigned x < two_p n -> n >= size x. -Proof. - intros. apply Zsize_interval_2; auto. -Qed. - -Theorem size_and: - forall a b, size (and a b) <= Z.min (size a) (size b). -Proof. - intros. - assert (0 <= Z.min (size a) (size b)). - generalize (size_range a) (size_range b). zify; lia. - apply bits_size_3. auto. intros. - rewrite bits_and by lia. - rewrite andb_false_iff. - generalize (bits_size_2 a i). - generalize (bits_size_2 b i). - zify; intuition. -Qed. - -Corollary and_interval: - forall a b, 0 <= unsigned (and a b) < two_p (Z.min (size a) (size b)). -Proof. - intros. - generalize (size_interval_1 (and a b)); intros. - assert (two_p (size (and a b)) <= two_p (Z.min (size a) (size b))). - apply two_p_monotone. split. generalize (size_range (and a b)); lia. - apply size_and. - lia. -Qed. - -Theorem size_or: - forall a b, size (or a b) = Z.max (size a) (size b). -Proof. - intros. generalize (size_range a) (size_range b); intros. - destruct (bits_size_1 a). - subst a. rewrite size_zero. rewrite or_zero_l. zify; lia. - destruct (bits_size_1 b). - subst b. rewrite size_zero. rewrite or_zero. zify; lia. - zify. destruct H3 as [[P Q] | [P Q]]; subst. - apply bits_size_4. tauto. rewrite bits_or. rewrite H2. apply orb_true_r. - lia. - intros. rewrite bits_or. rewrite !bits_size_2. auto. lia. lia. lia. - apply bits_size_4. tauto. rewrite bits_or. rewrite H1. apply orb_true_l. - destruct (zeq (size a) 0). unfold testbit in H1. rewrite Z.testbit_neg_r in H1. - congruence. lia. lia. - intros. rewrite bits_or. rewrite !bits_size_2. auto. lia. lia. lia. -Qed. - -Corollary or_interval: - forall a b, 0 <= unsigned (or a b) < two_p (Z.max (size a) (size b)). -Proof. - intros. rewrite <- size_or. apply size_interval_1. -Qed. - -Theorem size_xor: - forall a b, size (xor a b) <= Z.max (size a) (size b). -Proof. - intros. - assert (0 <= Z.max (size a) (size b)). - generalize (size_range a) (size_range b). zify; lia. - apply bits_size_3. auto. intros. - rewrite bits_xor. rewrite !bits_size_2. auto. - zify; lia. - zify; lia. - lia. -Qed. - -Corollary xor_interval: - forall a b, 0 <= unsigned (xor a b) < two_p (Z.max (size a) (size b)). -Proof. - intros. - generalize (size_interval_1 (xor a b)); intros. - assert (two_p (size (xor a b)) <= two_p (Z.max (size a) (size b))). - apply two_p_monotone. split. generalize (size_range (xor a b)); lia. - apply size_xor. - lia. -Qed. - -End Make. - -(** * Specialization to integers of size 8, 32, and 64 bits *) - -(* Module Wordsize_32. - Definition wordsize := 32%nat. - Remark wordsize_not_zero: wordsize <> 0%nat. - Proof. unfold wordsize; congruence. Qed. -End Wordsize_32. *) - - - -Section Int32. - Let wordsize32 := 32%nat. - Let wordsize_not_zero: wordsize32 <> 0%nat. - Proof. unfold wordsize32; congruence. Qed. - Instance WORDSIZE32 : WORDSIZE := { - wordsize := wordsize32; - wordsize_not_zero := wordsize_not_zero - }. - - Definition int32 := @int WORDSIZE32. - - Remark int_wordsize_divides_modulus: - Z.divide (Z.of_nat wordsize) modulus. - Proof. - exists (two_p (32-5)); reflexivity. - Qed. - -End Int32. - -Section Int8. - Let wordsize8 := 8%nat. - Let wordsize_not_zero: wordsize8 <> 0%nat. - Proof. unfold wordsize8; congruence. Qed. - Instance WORDSIZE8 : WORDSIZE := { - wordsize := wordsize8; - wordsize_not_zero := wordsize_not_zero - }. - Definition int8 := @int WORDSIZE8. - -End Int8. - -Section Int16. - Let wordsize16 := 16%nat. - Let wordsize_not_zero: wordsize16 <> 0%nat. - Proof. unfold wordsize16; congruence. Qed. - Instance WORDSIZE16 : WORDSIZE := { - wordsize := wordsize16; - wordsize_not_zero := wordsize_not_zero - }. - Definition int16 := @int WORDSIZE16. - -End Int16. - -Section Int64. - Let wordsize64 := 64%nat. - Let wordsize_not_zero: wordsize64 <> 0%nat. - Proof. unfold wordsize64; congruence. Qed. - Instance WORDSIZE64 : WORDSIZE := { - wordsize := wordsize64; - wordsize_not_zero := wordsize_not_zero - }. - - Definition int64 := @int WORDSIZE64. -End Int64. - - -Section Int128. - Let wordsize128 := 128%nat. - Let wordsize_not_zero: wordsize128 <> 0%nat. - Proof. unfold wordsize128; congruence. Qed. - Instance WORDSIZE128 : WORDSIZE := { - wordsize := wordsize128; - wordsize_not_zero := wordsize_not_zero - }. - - Definition int128 := @int WORDSIZE128. - -End Int128. - -(** Shifts with amount given as a 32-bit integer *) - -Section Shift64With32Bit. - -Existing Instance WORDSIZE64. - -Definition iwordsize': int32 := repr (@zwordsize WORDSIZE64). - -Definition shl' (x: int64) (y: int32): int64 := - repr (Z.shiftl (unsigned x) (@unsigned WORDSIZE32 y)). -Definition shru' (x: int64) (y: int32): int64 := - repr (Z.shiftr (unsigned x) (@unsigned WORDSIZE32 y)). -Definition shr' (x: int64) (y: int32): int64 := - repr (Z.shiftr (signed x) (@unsigned WORDSIZE32 y)). -Definition rol' (x: int64) (y: int32): int64 := - rol x (repr (@unsigned WORDSIZE32 y)). -Definition shrx' (x: int64) (y: int32): int64 := - divs x (shl' one y). -Definition shr_carry' (x: int64) (y: int32): int64 := - if lt x zero && negb (eq (and x (sub (shl' one y) one)) zero) - then one else zero. - -Lemma bits_shl': - forall x y i, - 0 <= i < zwordsize -> - testbit (shl' x y) i = - if zlt i (@unsigned WORDSIZE32 y) then false else testbit x (i - @unsigned WORDSIZE32 y). -Proof. - intros. unfold shl'. rewrite testbit_repr; auto. - destruct (zlt i (@unsigned WORDSIZE32 y)). - apply Z.shiftl_spec_low. auto. - apply Z.shiftl_spec_high. lia. lia. -Qed. - -Lemma bits_shru': - forall x y i, - 0 <= i < zwordsize -> - testbit (shru' x y) i = - if zlt (i + @unsigned WORDSIZE32 y) zwordsize then testbit x (i + @unsigned WORDSIZE32 y) else false. -Proof. - intros. unfold shru'. rewrite testbit_repr; auto. - rewrite Z.shiftr_spec. fold (testbit x (i + @unsigned WORDSIZE32 y)). - destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). - auto. - apply bits_above; auto. - lia. -Qed. - -Lemma bits_shr': - forall x y i, - 0 <= i < zwordsize -> - testbit (shr' x y) i = - testbit x (if zlt (i + @unsigned WORDSIZE32 y) zwordsize then i + @unsigned WORDSIZE32 y else zwordsize - 1). -Proof. - intros. unfold shr'. rewrite testbit_repr; auto. - rewrite Z.shiftr_spec. apply bits_signed. - generalize (@unsigned_range WORDSIZE32 y); lia. - lia. -Qed. - -Lemma shl'_mul_two_p: - forall x y, - shl' x y = mul x (repr (two_p (@unsigned WORDSIZE32 y))). -Proof. - intros. unfold shl', mul. apply eqm_samerepr. - rewrite Zshiftl_mul_two_p. apply eqm_mult. apply eqm_refl. apply eqm_unsigned_repr. - generalize (@unsigned_range WORDSIZE32 y); lia. -Qed. - -Lemma shl'_one_two_p: - forall y, shl' one y = repr (two_p (@unsigned WORDSIZE32 y)). -Proof. - intros. rewrite shl'_mul_two_p. rewrite mul_commut. rewrite mul_one. auto. -Qed. - -Theorem shl'_mul: - forall x y, - shl' x y = mul x (shl' one y). -Proof. - intros. rewrite shl'_one_two_p. apply shl'_mul_two_p. -Qed. - -Theorem shl'_zero: - forall x, shl' x (@zero WORDSIZE32) = x. -Proof. - intros. unfold shl'. rewrite (@unsigned_zero WORDSIZE32). unfold Z.shiftl. - apply repr_unsigned. -Qed. - -Theorem shru'_zero : - forall x, shru' x (@zero WORDSIZE32) = x. -Proof. - intros. unfold shru'. rewrite (@unsigned_zero WORDSIZE32). unfold Z.shiftr. - apply repr_unsigned. -Qed. - -Theorem shr'_zero : - forall x, shr' x (@zero WORDSIZE32) = x. -Proof. - intros. unfold shr'. rewrite (@unsigned_zero WORDSIZE32). unfold Z.shiftr. - apply repr_signed. -Qed. - -Theorem shrx'_zero: - forall x, shrx' x (@zero WORDSIZE32) = x. -Proof. - intros. change (shrx' x (@zero WORDSIZE32)) with (shrx x zero). apply shrx_zero. compute; auto. -Qed. - -Theorem shrx'_carry: - forall x y, - @ltu WORDSIZE32 y (@repr WORDSIZE32 63) = true -> - shrx' x y = add (shr' x y) (shr_carry' x y). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 (@repr WORDSIZE32 63)) with 63 in H. - set (y1 := repr (@unsigned WORDSIZE32 y)). - assert (U: unsigned y1 = @unsigned WORDSIZE32 y). - { apply unsigned_repr. assert (63 < max_unsigned) by reflexivity. lia. } - transitivity (shrx x y1). -- unfold shrx', shrx, shl', shl. rewrite U; auto. -- rewrite shrx_carry. -+ f_equal. - unfold shr, shr'. rewrite U; auto. - unfold shr_carry, shr_carry', shl, shl'. rewrite U; auto. -+ unfold ltu. apply zlt_true. rewrite U; tauto. -Qed. - -Theorem shrx'_shr_2: - forall x y, - @ltu WORDSIZE32 y (@repr WORDSIZE32 63) = true -> - shrx' x y = shr' (add x (shru' (shr' x (@repr WORDSIZE32 63)) (@sub WORDSIZE32 (@repr WORDSIZE32 64) y))) y. -Proof. - intros. - set (z := repr (@unsigned WORDSIZE32 y)). - apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 (@repr WORDSIZE32 63)) with 63 in H. - assert (N1: 63 < max_unsigned) by reflexivity. - assert (N2: 63 < @max_unsigned WORDSIZE32) by reflexivity. - assert (A: unsigned z = @unsigned WORDSIZE32 y). - { unfold z; apply unsigned_repr; lia. } - assert (B: unsigned (sub (repr 64) z) = @unsigned WORDSIZE32 (@sub WORDSIZE32 (@repr WORDSIZE32 64) y)). - { unfold z. unfold sub. - change (unsigned (repr 64)) with 64. - change (@unsigned WORDSIZE32 (@repr WORDSIZE32 64)) with 64. - rewrite (unsigned_repr (@unsigned WORDSIZE32 y)) by lia. - rewrite unsigned_repr by lia. rewrite (@unsigned_repr WORDSIZE32) by lia. - reflexivity. - } - unfold shrx', shr', shru', shl'. - rewrite <- A. - change (@unsigned WORDSIZE32 (@repr WORDSIZE32 63)) with (unsigned (repr 63)). - rewrite <- B. - apply (@shrx_shr_2 WORDSIZE64). - unfold ltu. apply zlt_true. change (unsigned z < 63). rewrite A; lia. -Qed. -(* -Remark int_ltu_2_inv: - forall y z, - @ltu WORDSIZE32 y iwordsize' = true -> - @ltu WORDSIZE32 z iwordsize' = true -> - @unsigned WORDSIZE32 (Int.add y z) <= @unsigned WORDSIZE32 iwordsize' -> - let y' := repr (@unsigned WORDSIZE32 y) in - let z' := repr (@unsigned WORDSIZE32 z) in - @unsigned WORDSIZE32 y = unsigned y' - /\ @unsigned WORDSIZE32 z = unsigned z' - /\ ltu y' iwordsize = true - /\ ltu z' iwordsize = true - /\ @unsigned WORDSIZE32 (Int.add y z) = unsigned (add y' z') - /\ add y' z' = repr (@unsigned WORDSIZE32 (Int.add y z)). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H. apply (@ltu_inv WORDSIZE32) in H0. - change (@unsigned WORDSIZE32 iwordsize') with 64 in *. - assert (128 < max_unsigned) by reflexivity. - assert (128 < @max_unsigned WORDSIZE32) by reflexivity. - assert (Y: unsigned y' = @unsigned WORDSIZE32 y) by (apply unsigned_repr; lia). - assert (Z: unsigned z' = @unsigned WORDSIZE32 z) by (apply unsigned_repr; lia). - assert (P: @unsigned WORDSIZE32 (Int.add y z) = unsigned (add y' z')). - { unfold Int.add. rewrite @unsigned WORDSIZE32_repr by lia. - unfold add. rewrite unsigned_repr by lia. congruence. } - intuition auto. - apply zlt_true. rewrite Y; auto. - apply zlt_true. rewrite Z; auto. - rewrite P. rewrite repr_unsigned. auto. -Qed. - -Theorem or_ror': - forall x y z, - @ltu WORDSIZE32 y iwordsize' = true -> - @ltu WORDSIZE32 z iwordsize' = true -> - Int.add y z = iwordsize' -> - ror x (repr (@unsigned WORDSIZE32 z)) = or (shl' x y) (shru' x z). -Proof. - intros. destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. rewrite H1; lia. - replace (shl' x y) with (shl x (repr (@unsigned WORDSIZE32 y))). - replace (shru' x z) with (shru x (repr (@unsigned WORDSIZE32 z))). - apply or_ror; auto. rewrite F, H1. reflexivity. - unfold shru, shru'; rewrite <- B; auto. - unfold shl, shl'; rewrite <- A; auto. -Qed. - -Theorem shl'_shl': - forall x y z, - @ltu WORDSIZE32 y iwordsize' = true -> - @ltu WORDSIZE32 z iwordsize' = true -> - @ltu WORDSIZE32 (Int.add y z) iwordsize' = true -> - shl' (shl' x y) z = shl' x (Int.add y z). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H1. - destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. lia. - set (y' := repr (@unsigned WORDSIZE32 y)) in *. - set (z' := repr (@unsigned WORDSIZE32 z)) in *. - replace (shl' x y) with (shl x y'). - replace (shl' (shl x y') z) with (shl (shl x y') z'). - replace (shl' x (Int.add y z)) with (shl x (add y' z')). - apply shl_shl; auto. apply zlt_true. rewrite <- E. - change (unsigned iwordsize) with zwordsize. tauto. - unfold shl, shl'. rewrite E; auto. - unfold shl at 1, shl'. rewrite <- B; auto. - unfold shl, shl'; rewrite <- A; auto. -Qed. - -Theorem shru'_shru': - forall x y z, - @ltu WORDSIZE32 y iwordsize' = true -> - @ltu WORDSIZE32 z iwordsize' = true -> - @ltu WORDSIZE32 (Int.add y z) iwordsize' = true -> - shru' (shru' x y) z = shru' x (Int.add y z). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H1. - destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. lia. - set (y' := repr (@unsigned WORDSIZE32 y)) in *. - set (z' := repr (@unsigned WORDSIZE32 z)) in *. - replace (shru' x y) with (shru x y'). - replace (shru' (shru x y') z) with (shru (shru x y') z'). - replace (shru' x (Int.add y z)) with (shru x (add y' z')). - apply shru_shru; auto. apply zlt_true. rewrite <- E. - change (unsigned iwordsize) with zwordsize. tauto. - unfold shru, shru'. rewrite E; auto. - unfold shru at 1, shru'. rewrite <- B; auto. - unfold shru, shru'; rewrite <- A; auto. -Qed. - -Theorem shr'_shr': - forall x y z, - @ltu WORDSIZE32 y iwordsize' = true -> - @ltu WORDSIZE32 z iwordsize' = true -> - @ltu WORDSIZE32 (Int.add y z) iwordsize' = true -> - shr' (shr' x y) z = shr' x (Int.add y z). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H1. - destruct (int_ltu_2_inv y z) as (A & B & C & D & E & F); auto. lia. - set (y' := repr (@unsigned WORDSIZE32 y)) in *. - set (z' := repr (@unsigned WORDSIZE32 z)) in *. - replace (shr' x y) with (shr x y'). - replace (shr' (shr x y') z) with (shr (shr x y') z'). - replace (shr' x (Int.add y z)) with (shr x (add y' z')). - apply shr_shr; auto. apply zlt_true. rewrite <- E. - change (unsigned iwordsize) with zwordsize. tauto. - unfold shr, shr'. rewrite E; auto. - unfold shr at 1, shr'. rewrite <- B; auto. - unfold shr, shr'; rewrite <- A; auto. -Qed. - -Theorem shru'_shl': - forall x y z, @ltu WORDSIZE32 y iwordsize' = true -> @ltu WORDSIZE32 z iwordsize' = true -> - shru' (shl' x y) z = - if @ltu WORDSIZE32 z y then shl' (zero_ext (zwordsize - @unsigned WORDSIZE32 y) x) (@sub WORDSIZE32 y z) - else zero_ext (zwordsize - @unsigned WORDSIZE32 z) (shru' x (@sub WORDSIZE32 z y)). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H; apply (@ltu_inv WORDSIZE32) in H0. - change (@unsigned WORDSIZE32 iwordsize') with zwordsize in *. - unfold @ltu WORDSIZE32. set (Y := @unsigned WORDSIZE32 y) in *; set (Z := @unsigned WORDSIZE32 z) in *. - apply same_bits_eq; intros. rewrite bits_shru' by auto. fold Z. - destruct (zlt Z Y). -- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 y z) = Y - Z). - { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } - symmetry; rewrite bits_shl', A by lia. - destruct (zlt (i + Z) zwordsize). -+ rewrite bits_shl' by lia. fold Y. - destruct (zlt i (Y - Z)); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. - rewrite bits_zero_ext by lia. rewrite zlt_true by lia. f_equal; lia. -+ rewrite bits_zero_ext by lia. rewrite ! zlt_false by lia. auto. -- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 z y) = Z - Y). - { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } - rewrite bits_zero_ext, bits_shru', A by lia. - destruct (zlt (i + Z) zwordsize); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. - rewrite bits_shl' by lia. fold Y. - destruct (zlt (i + Z) Y). -+ rewrite zlt_false by lia. auto. -+ rewrite zlt_true by lia. f_equal; lia. -Qed. - -Theorem shr'_shl': - forall x y z, @ltu WORDSIZE32 y iwordsize' = true -> @ltu WORDSIZE32 z iwordsize' = true -> - shr' (shl' x y) z = - if @ltu WORDSIZE32 z y then shl' (sign_ext (zwordsize - @unsigned WORDSIZE32 y) x) (@sub WORDSIZE32 y z) - else sign_ext (zwordsize - @unsigned WORDSIZE32 z) (shr' x (@sub WORDSIZE32 z y)). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H; apply (@ltu_inv WORDSIZE32) in H0. - change (@unsigned WORDSIZE32 iwordsize') with zwordsize in *. - unfold @ltu WORDSIZE32. set (Y := @unsigned WORDSIZE32 y) in *; set (Z := @unsigned WORDSIZE32 z) in *. - apply same_bits_eq; intros. rewrite bits_shr' by auto. fold Z. - rewrite bits_shl' by (destruct (zlt (i + Z) zwordsize); lia). fold Y. - destruct (zlt Z Y). -- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 y z) = Y - Z). - { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } - rewrite bits_shl', A by lia. - destruct (zlt i (Y - Z)). -+ apply zlt_true. destruct (zlt (i + Z) zwordsize); lia. -+ rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). - rewrite bits_sign_ext by lia. f_equal. - destruct (zlt (i + Z) zwordsize). - rewrite zlt_true by lia. lia. - rewrite zlt_false by lia. lia. -- assert (A: @unsigned WORDSIZE32 (@sub WORDSIZE32 z y) = Z - Y). - { apply @unsigned WORDSIZE32_repr. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. } - rewrite bits_sign_ext by lia. - rewrite bits_shr' by (destruct (zlt i (zwordsize - Z)); lia). - rewrite A. rewrite zlt_false by (destruct (zlt (i + Z) zwordsize); lia). - f_equal. destruct (zlt i (zwordsize - Z)). -+ rewrite ! zlt_true by lia. lia. -+ rewrite ! zlt_false by lia. rewrite zlt_true by lia. lia. -Qed. - -Lemma shl'_zero_ext: - forall n m x, 0 <= n -> - shl' (zero_ext n x) m = zero_ext (n + @unsigned WORDSIZE32 m) (shl' x m). -Proof. - intros. apply same_bits_eq; intros. - rewrite bits_zero_ext, ! bits_shl' by lia. - destruct (zlt i (@unsigned WORDSIZE32 m)). -- rewrite zlt_true by lia; auto. -- rewrite bits_zero_ext by lia. - destruct (zlt (i - @unsigned WORDSIZE32 m) n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. -Qed. - -Lemma shl'_sign_ext: - forall n m x, 0 < n -> - shl' (sign_ext n x) m = sign_ext (n + @unsigned WORDSIZE32 m) (shl' x m). -Proof. - intros. generalize (@unsigned_range WORDSIZE32 m); intros. - apply same_bits_eq; intros. - rewrite bits_sign_ext, ! bits_shl' by lia. - destruct (zlt i (n + @unsigned WORDSIZE32 m)). -- rewrite bits_shl' by auto. destruct (zlt i (@unsigned WORDSIZE32 m)); auto. - rewrite bits_sign_ext by lia. f_equal. apply zlt_true. lia. -- rewrite zlt_false by lia. rewrite bits_shl' by lia. rewrite zlt_false by lia. - rewrite bits_sign_ext by lia. f_equal. rewrite zlt_false by lia. lia. -Qed. - -Lemma shru'_zero_ext: - forall n m x, 0 <= n -> - shru' (zero_ext (n + @unsigned WORDSIZE32 m) x) m = zero_ext n (shru' x m). -Proof. - intros. generalize (@unsigned_range WORDSIZE32 m); intros. - bit_solve; [|lia]. rewrite bits_shru', bits_zero_ext, bits_shru' by lia. - destruct (zlt (i + @unsigned WORDSIZE32 m) zwordsize). -* destruct (zlt i n); [rewrite zlt_true by lia|rewrite zlt_false by lia]; auto. -* destruct (zlt i n); auto. -Qed. - -Lemma shru'_zero_ext_0: - forall n m x, n <= @unsigned WORDSIZE32 m -> - shru' (zero_ext n x) m = zero. -Proof. - intros. generalize (@unsigned_range WORDSIZE32 m); intros. - bit_solve. rewrite bits_shru', bits_zero_ext by lia. - destruct (zlt (i + @unsigned WORDSIZE32 m) zwordsize); auto. - apply zlt_false. lia. -Qed. - -Lemma shr'_sign_ext: - forall n m x, 0 < n -> n + @unsigned WORDSIZE32 m < zwordsize -> - shr' (sign_ext (n + @unsigned WORDSIZE32 m) x) m = sign_ext n (shr' x m). -Proof. - intros. generalize (@unsigned_range WORDSIZE32 m); intros. - apply same_bits_eq; intros. - rewrite bits_sign_ext, bits_shr' by auto. - rewrite bits_sign_ext, bits_shr'. -- f_equal. - destruct (zlt i n), (zlt (i + @unsigned WORDSIZE32 m) zwordsize). -+ apply zlt_true; lia. -+ apply zlt_true; lia. -+ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. -+ rewrite zlt_false by lia. rewrite zlt_true by lia. lia. -- destruct (zlt i n); lia. -- destruct (zlt (i + @unsigned WORDSIZE32 m) zwordsize); lia. -Qed. - -Lemma zero_ext_shru'_min: - forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> - zero_ext s (shru' x n) = zero_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) (shru' x n). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. - apply Z.min_case_strong; intros; auto. - bit_solve; try lia. rewrite ! bits_shru' by lia. - destruct (zlt i (zwordsize - @unsigned WORDSIZE32 n)). - rewrite zlt_true by lia. auto. - destruct (zlt i s); auto. rewrite zlt_false by lia; auto. -Qed. - -Lemma sign_ext_shr'_min: - forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> - sign_ext s (shr' x n) = sign_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) (shr' x n). -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. - rewrite Z.min_comm. - destruct (Z.min_spec (zwordsize - @unsigned WORDSIZE32 n) s) as [[A B] | [A B]]; rewrite B; auto. - apply same_bits_eq; intros. rewrite ! bits_sign_ext by auto. - destruct (zlt i (zwordsize - @unsigned WORDSIZE32 n)). - rewrite zlt_true by lia. auto. - assert (C: testbit (shr' x n) (zwordsize - @unsigned WORDSIZE32 n - 1) = testbit x (zwordsize - 1)). - { rewrite bits_shr' by lia. rewrite zlt_true by lia. f_equal; lia. } - rewrite C. destruct (zlt i s); rewrite bits_shr' by lia. - rewrite zlt_false by lia. auto. - rewrite zlt_false by lia. auto. -Qed. - -Lemma shl'_zero_ext_min: - forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> - shl' (zero_ext s x) n = shl' (zero_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) x) n. -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. - apply Z.min_case_strong; intros; auto. - apply same_bits_eq; intros. rewrite ! bits_shl' by auto. - destruct (zlt i (@unsigned WORDSIZE32 n)); auto. - rewrite ! bits_zero_ext by lia. - destruct (zlt (i - @unsigned WORDSIZE32 n) s). - rewrite zlt_true by lia; auto. - rewrite zlt_false by lia; auto. -Qed. - -Lemma shl'_sign_ext_min: - forall s x n, @ltu WORDSIZE32 n iwordsize' = true -> - shl' (sign_ext s x) n = shl' (sign_ext (Z.min s (zwordsize - @unsigned WORDSIZE32 n)) x) n. -Proof. - intros. apply (@ltu_inv WORDSIZE32) in H. change (@unsigned WORDSIZE32 iwordsize') with zwordsize in H. - rewrite Z.min_comm. - destruct (Z.min_spec (zwordsize - @unsigned WORDSIZE32 n) s) as [[A B] | [A B]]; rewrite B; auto. - apply same_bits_eq; intros. rewrite ! bits_shl' by auto. - destruct (zlt i (@unsigned WORDSIZE32 n)); auto. - rewrite ! bits_sign_ext by lia. f_equal. - destruct (zlt (i - @unsigned WORDSIZE32 n) s). - rewrite zlt_true by lia; auto. - extlia. -Qed. - -(** Powers of two with exponents given as 32-bit ints *) - -Definition one_bits' (x: int64) : list int32 := - List.map @repr WORDSIZE32 (Z_one_bits wordsize (unsigned x) 0). - -Definition is_power2' (x: int64) : option int32 := - match Z_one_bits wordsize (unsigned x) 0 with - | i :: nil => Some (@repr WORDSIZE32 i) - | _ => None - end. - -Theorem one_bits'_range: - forall x i, In i (one_bits' x) -> @ltu WORDSIZE32 i iwordsize' = true. -Proof. - intros. - destruct (list_in_map_inv _ _ _ H) as [i0 [EQ IN]]. - exploit Z_one_bits_range; eauto. fold zwordsize. intros R. - unfold @ltu WORDSIZE32. rewrite EQ. rewrite @unsigned WORDSIZE32_repr. - change (@unsigned WORDSIZE32 iwordsize') with zwordsize. apply zlt_true. lia. - assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. -Qed. - -Fixpoint int_of_one_bits' (l: list int32) : int64 := - match l with - | nil => zero - | a :: b => add (shl' one a) (int_of_one_bits' b) - end. - -Theorem one_bits'_decomp: - forall x, x = int_of_one_bits' (one_bits' x). -Proof. - assert (REC: forall l, - (forall i, In i l -> 0 <= i < zwordsize) -> - int_of_one_bits' (List.map @repr WORDSIZE32 l) = repr (powerserie l)). - { induction l; simpl; intros. - - auto. - - rewrite IHl by eauto. apply eqm_samerepr; apply eqm_add. - + rewrite shl'_one_two_p. rewrite @unsigned WORDSIZE32_repr. apply eqm_sym; apply eqm_unsigned_repr. - exploit (H a). auto. assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. lia. - + apply eqm_sym; apply eqm_unsigned_repr. - } - intros. rewrite <- (repr_unsigned x) at 1. unfold one_bits'. rewrite REC. - rewrite <- Z_one_bits_powerserie. auto. apply unsigned_range. - apply Z_one_bits_range. -Qed. - -Lemma is_power2'_rng: - forall n logn, - is_power2' n = Some logn -> - 0 <= @unsigned WORDSIZE32 logn < zwordsize. -Proof. - unfold is_power2'; intros n logn P2. - destruct (Z_one_bits wordsize (unsigned n) 0) as [ | i [ | ? ?]] eqn:B; inv P2. - assert (0 <= i < zwordsize). - { apply Z_one_bits_range with (unsigned n). rewrite B; auto with coqlib. } - rewrite @unsigned WORDSIZE32_repr. auto. - assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. - lia. -Qed. - -Theorem is_power2'_range: - forall n logn, - is_power2' n = Some logn -> @ltu WORDSIZE32 logn iwordsize' = true. -Proof. - intros. unfold @ltu WORDSIZE32. change (@unsigned WORDSIZE32 iwordsize') with zwordsize. - apply zlt_true. generalize (is_power2'_rng _ _ H). tauto. -Qed. - -Lemma is_power2'_correct: - forall n logn, - is_power2' n = Some logn -> - unsigned n = two_p (@unsigned WORDSIZE32 logn). -Proof. - unfold is_power2'; intros. - destruct (Z_one_bits wordsize (unsigned n) 0) as [ | i [ | ? ?]] eqn:B; inv H. - rewrite (Z_one_bits_powerserie wordsize (unsigned n)) by (apply unsigned_range). - rewrite @unsigned WORDSIZE32_repr. rewrite B; simpl. lia. - assert (0 <= i < zwordsize). - { apply Z_one_bits_range with (unsigned n). rewrite B; auto with coqlib. } - assert (zwordsize < @max_unsigned WORDSIZE32) by reflexivity. - lia. -Qed. - -Theorem mul_pow2': - forall x n logn, - is_power2' n = Some logn -> - mul x n = shl' x logn. -Proof. - intros. rewrite shl'_mul. f_equal. rewrite shl'_one_two_p. - rewrite <- (repr_unsigned n). f_equal. apply is_power2'_correct; auto. -Qed. - -Theorem divu_pow2': - forall x n logn, - is_power2' n = Some logn -> - divu x n = shru' x logn. -Proof. - intros. generalize (is_power2'_correct n logn H). intro. - symmetry. unfold divu. rewrite H0. unfold shru'. rewrite Zshiftr_div_two_p. auto. - eapply is_power2'_rng; eauto. -Qed. - -(** Decomposing 64-bit ints as pairs of 32-bit ints *) - -Definition loword (n: int64) : int32 := @repr WORDSIZE32 (unsigned n). - -Definition hiword (n: int64) : int32 := @repr WORDSIZE32 (unsigned (shru n (repr Int.zwordsize))). - -Definition ofwords (hi lo: int32) : int64 := - or (shl (repr (@unsigned WORDSIZE32 hi)) (repr Int.zwordsize)) (repr (@unsigned WORDSIZE32 lo)). - -Lemma bits_loword: - forall n i, 0 <= i < Int.zwordsize -> Int.testbit (loword n) i = testbit n i. -Proof. - intros. unfold loword. rewrite Int.testbit_repr; auto. -Qed. - -Lemma bits_hiword: - forall n i, 0 <= i < Int.zwordsize -> Int.testbit (hiword n) i = testbit n (i + Int.zwordsize). -Proof. - intros. unfold hiword. rewrite Int.testbit_repr; auto. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - fold (testbit (shru n (repr Int.zwordsize)) i). rewrite bits_shru. - change (unsigned (repr Int.zwordsize)) with Int.zwordsize. - apply zlt_true. lia. lia. -Qed. - -Lemma bits_ofwords: - forall hi lo i, 0 <= i < zwordsize -> - testbit (ofwords hi lo) i = - if zlt i Int.zwordsize then Int.testbit lo i else Int.testbit hi (i - Int.zwordsize). -Proof. - intros. unfold ofwords. rewrite bits_or; auto. rewrite bits_shl; auto. - change (unsigned (repr Int.zwordsize)) with Int.zwordsize. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - destruct (zlt i Int.zwordsize). - rewrite testbit_repr; auto. - rewrite !testbit_repr; auto. - fold (Int.testbit lo i). rewrite Int.bits_above. apply orb_false_r. auto. - lia. -Qed. - -Lemma lo_ofwords: - forall hi lo, loword (ofwords hi lo) = lo. -Proof. - intros. apply Int.same_bits_eq; intros. - rewrite bits_loword; auto. rewrite bits_ofwords. apply zlt_true. lia. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. lia. -Qed. - -Lemma hi_ofwords: - forall hi lo, hiword (ofwords hi lo) = hi. -Proof. - intros. apply Int.same_bits_eq; intros. - rewrite bits_hiword; auto. rewrite bits_ofwords. - rewrite zlt_false. f_equal. lia. lia. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. lia. -Qed. - -Lemma ofwords_recompose: - forall n, ofwords (hiword n) (loword n) = n. -Proof. - intros. apply same_bits_eq; intros. rewrite bits_ofwords; auto. - destruct (zlt i Int.zwordsize). - apply bits_loword. lia. - rewrite bits_hiword. f_equal. lia. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. lia. -Qed. - -Lemma ofwords_add: - forall lo hi, ofwords hi lo = repr (@unsigned WORDSIZE32 hi * two_p 32 + @unsigned WORDSIZE32 lo). -Proof. - intros. unfold ofwords. rewrite shifted_or_is_add. - apply eqm_samerepr. apply eqm_add. apply eqm_mult. - apply eqm_sym; apply eqm_unsigned_repr. - apply eqm_refl. - apply eqm_sym; apply eqm_unsigned_repr. - change Int.zwordsize with 32; change zwordsize with 64; lia. - rewrite unsigned_repr. generalize (@unsigned_range WORDSIZE32 lo). intros [A B]. exact B. - assert (@max_unsigned WORDSIZE32 < max_unsigned) by (compute; auto). - generalize (@unsigned_range WORDSIZE32_2 lo); lia. -Qed. - -Lemma ofwords_add': - forall lo hi, unsigned (ofwords hi lo) = @unsigned WORDSIZE32 hi * two_p 32 + @unsigned WORDSIZE32 lo. -Proof. - intros. rewrite ofwords_add. apply unsigned_repr. - generalize (@unsigned_range WORDSIZE32 hi) (@unsigned_range WORDSIZE32 lo). - change (two_p 32) with Int.modulus. - change Int.modulus with 4294967296. - change max_unsigned with 18446744073709551615. - lia. -Qed. - -Remark eqm_mul_2p32: - forall x y, Int.eqm x y -> eqm (x * two_p 32) (y * two_p 32). -Proof. - intros. destruct H as [k EQ]. exists k. rewrite EQ. - change Int.modulus with (two_p 32). - change modulus with (two_p 32 * two_p 32). - ring. -Qed. - -Lemma ofwords_add'': - forall lo hi, signed (ofwords hi lo) = Int.signed hi * two_p 32 + @unsigned WORDSIZE32 lo. -Proof. - intros. rewrite ofwords_add. - replace (repr (@unsigned WORDSIZE32 hi * two_p 32 + @unsigned WORDSIZE32 lo)) - with (repr (Int.signed hi * two_p 32 + @unsigned WORDSIZE32 lo)). - apply signed_repr. - generalize (Int.signed_range hi) (@unsigned_range WORDSIZE32 lo). - change (two_p 32) with Int.modulus. - change min_signed with (Int.min_signed * Int.modulus). - change max_signed with (Int.max_signed * Int.modulus + Int.modulus - 1). - change Int.modulus with 4294967296. - lia. - apply eqm_samerepr. apply eqm_add. apply eqm_mul_2p32. apply Int.eqm_signed_unsigned. apply eqm_refl. -Qed. - -(** Expressing 64-bit operations in terms of 32-bit operations *) - -Lemma decompose_bitwise_binop: - forall f f64 f32 xh xl yh yl, - (forall x y i, 0 <= i < zwordsize -> testbit (f64 x y) i = f (testbit x i) (testbit y i)) -> - (forall x y i, 0 <= i < Int.zwordsize -> Int.testbit (f32 x y) i = f (Int.testbit x i) (Int.testbit y i)) -> - f64 (ofwords xh xl) (ofwords yh yl) = ofwords (f32 xh yh) (f32 xl yl). -Proof. - intros. apply Int64.same_bits_eq; intros. - rewrite H by auto. rewrite ! bits_ofwords by auto. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - destruct (zlt i Int.zwordsize); rewrite H0 by lia; auto. -Qed. - -Lemma decompose_and: - forall xh xl yh yl, - and (ofwords xh xl) (ofwords yh yl) = ofwords (Int.and xh yh) (Int.and xl yl). -Proof. - intros. apply decompose_bitwise_binop with andb. - apply bits_and. apply Int.bits_and. -Qed. - -Lemma decompose_or: - forall xh xl yh yl, - or (ofwords xh xl) (ofwords yh yl) = ofwords (Int.or xh yh) (Int.or xl yl). -Proof. - intros. apply decompose_bitwise_binop with orb. - apply bits_or. apply Int.bits_or. -Qed. - -Lemma decompose_xor: - forall xh xl yh yl, - xor (ofwords xh xl) (ofwords yh yl) = ofwords (Int.xor xh yh) (Int.xor xl yl). -Proof. - intros. apply decompose_bitwise_binop with xorb. - apply bits_xor. apply Int.bits_xor. -Qed. - -Lemma decompose_not: - forall xh xl, - not (ofwords xh xl) = ofwords (Int.not xh) (Int.not xl). -Proof. - intros. unfold not, Int.not. rewrite <- decompose_xor. f_equal. - apply (Int64.eq_spec mone (ofwords Int.mone Int.mone)). -Qed. - -Lemma decompose_shl_1: - forall xh xl y, - 0 <= @unsigned WORDSIZE32 y < Int.zwordsize -> - shl' (ofwords xh xl) y = - ofwords (Int.or (Int.shl xh y) (Int.shru xl (@sub WORDSIZE32 Int.iwordsize y))) - (Int.shl xl y). -Proof. - intros. - assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize y) = Int.zwordsize - @unsigned WORDSIZE32 y). - { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. - rewrite @unsigned WORDSIZE32_repr_wordsize. generalize Int.wordsize_max_unsigned; lia. } - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - apply Int64.same_bits_eq; intros. - rewrite bits_shl' by auto. symmetry. rewrite bits_ofwords by auto. - destruct (zlt i Int.zwordsize). rewrite Int.bits_shl by lia. - destruct (zlt i (@unsigned WORDSIZE32 y)). auto. - rewrite bits_ofwords by lia. rewrite zlt_true by lia. auto. - rewrite zlt_false by lia. rewrite bits_ofwords by lia. - rewrite Int.bits_or by lia. rewrite Int.bits_shl by lia. - rewrite Int.bits_shru by lia. rewrite H0. - destruct (zlt (i - @unsigned WORDSIZE32 y) (Int.zwordsize)). - rewrite zlt_true by lia. rewrite zlt_true by lia. - rewrite orb_false_l. f_equal. lia. - rewrite zlt_false by lia. rewrite zlt_false by lia. - rewrite orb_false_r. f_equal. lia. -Qed. - -Lemma decompose_shl_2: - forall xh xl y, - Int.zwordsize <= @unsigned WORDSIZE32 y < zwordsize -> - shl' (ofwords xh xl) y = - ofwords (Int.shl xl (@sub WORDSIZE32 y Int.iwordsize)) (@zero WORDSIZE32). -Proof. - intros. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 y Int.iwordsize) = @unsigned WORDSIZE32 y - Int.zwordsize). - { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. - rewrite @unsigned WORDSIZE32_repr_wordsize. generalize (@unsigned_range WORDSIZE32_2 y). lia. } - apply Int64.same_bits_eq; intros. - rewrite bits_shl' by auto. symmetry. rewrite bits_ofwords by auto. - destruct (zlt i Int.zwordsize). rewrite zlt_true by lia. apply Int.bits_zero. - rewrite Int.bits_shl by lia. - destruct (zlt i (@unsigned WORDSIZE32 y)). - rewrite zlt_true by lia. auto. - rewrite zlt_false by lia. - rewrite bits_ofwords by lia. rewrite zlt_true by lia. f_equal. lia. -Qed. - -Lemma decompose_shru_1: - forall xh xl y, - 0 <= @unsigned WORDSIZE32 y < Int.zwordsize -> - shru' (ofwords xh xl) y = - ofwords (Int.shru xh y) - (Int.or (Int.shru xl y) (Int.shl xh (@sub WORDSIZE32 Int.iwordsize y))). -Proof. - intros. - assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize y) = Int.zwordsize - @unsigned WORDSIZE32 y). - { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. - rewrite @unsigned WORDSIZE32_repr_wordsize. generalize Int.wordsize_max_unsigned; lia. } - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - apply Int64.same_bits_eq; intros. - rewrite bits_shru' by auto. symmetry. rewrite bits_ofwords by auto. - destruct (zlt i Int.zwordsize). - rewrite zlt_true by lia. - rewrite bits_ofwords by lia. - rewrite Int.bits_or by lia. rewrite Int.bits_shl by lia. - rewrite Int.bits_shru by lia. rewrite H0. - destruct (zlt (i + @unsigned WORDSIZE32 y) (Int.zwordsize)). - rewrite zlt_true by lia. - rewrite orb_false_r. auto. - rewrite zlt_false by lia. - rewrite orb_false_l. f_equal. lia. - rewrite Int.bits_shru by lia. - destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). - rewrite bits_ofwords by lia. - rewrite zlt_true by lia. rewrite zlt_false by lia. f_equal. lia. - rewrite zlt_false by lia. auto. -Qed. - -Lemma decompose_shru_2: - forall xh xl y, - Int.zwordsize <= @unsigned WORDSIZE32 y < zwordsize -> - shru' (ofwords xh xl) y = - ofwords (@zero WORDSIZE32) (Int.shru xh (@sub WORDSIZE32 y Int.iwordsize)). -Proof. - intros. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 y Int.iwordsize) = @unsigned WORDSIZE32 y - Int.zwordsize). - { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. - rewrite @unsigned WORDSIZE32_repr_wordsize. generalize (@unsigned_range WORDSIZE32_2 y). lia. } - apply Int64.same_bits_eq; intros. - rewrite bits_shru' by auto. symmetry. rewrite bits_ofwords by auto. - destruct (zlt i Int.zwordsize). - rewrite Int.bits_shru by lia. rewrite H1. - destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). - rewrite zlt_true by lia. rewrite bits_ofwords by lia. - rewrite zlt_false by lia. f_equal; lia. - rewrite zlt_false by lia. auto. - rewrite zlt_false by lia. apply Int.bits_zero. -Qed. - -Lemma decompose_shr_1: - forall xh xl y, - 0 <= @unsigned WORDSIZE32 y < Int.zwordsize -> - shr' (ofwords xh xl) y = - ofwords (Int.shr xh y) - (Int.or (Int.shru xl y) (Int.shl xh (@sub WORDSIZE32 Int.iwordsize y))). -Proof. - intros. - assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize y) = Int.zwordsize - @unsigned WORDSIZE32 y). - { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. - rewrite @unsigned WORDSIZE32_repr_wordsize. generalize Int.wordsize_max_unsigned; lia. } - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - apply Int64.same_bits_eq; intros. - rewrite bits_shr' by auto. symmetry. rewrite bits_ofwords by auto. - destruct (zlt i Int.zwordsize). - rewrite zlt_true by lia. - rewrite bits_ofwords by lia. - rewrite Int.bits_or by lia. rewrite Int.bits_shl by lia. - rewrite Int.bits_shru by lia. rewrite H0. - destruct (zlt (i + @unsigned WORDSIZE32 y) (Int.zwordsize)). - rewrite zlt_true by lia. - rewrite orb_false_r. auto. - rewrite zlt_false by lia. - rewrite orb_false_l. f_equal. lia. - rewrite Int.bits_shr by lia. - destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). - rewrite bits_ofwords by lia. - rewrite zlt_true by lia. rewrite zlt_false by lia. f_equal. lia. - rewrite zlt_false by lia. rewrite bits_ofwords by lia. - rewrite zlt_false by lia. f_equal. -Qed. - -Lemma decompose_shr_2: - forall xh xl y, - Int.zwordsize <= @unsigned WORDSIZE32 y < zwordsize -> - shr' (ofwords xh xl) y = - ofwords (Int.shr xh (@sub WORDSIZE32 Int.iwordsize Int.one)) - (Int.shr xh (@sub WORDSIZE32 y Int.iwordsize)). -Proof. - intros. - assert (zwordsize = 2 * Int.zwordsize) by reflexivity. - assert (@unsigned WORDSIZE32 (@sub WORDSIZE32 y Int.iwordsize) = @unsigned WORDSIZE32 y - Int.zwordsize). - { unfold @sub WORDSIZE32. rewrite @unsigned WORDSIZE32_repr. auto. - rewrite @unsigned WORDSIZE32_repr_wordsize. generalize (@unsigned_range WORDSIZE32_2 y). lia. } - apply Int64.same_bits_eq; intros. - rewrite bits_shr' by auto. symmetry. rewrite bits_ofwords by auto. - destruct (zlt i Int.zwordsize). - rewrite Int.bits_shr by lia. rewrite H1. - destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize). - rewrite zlt_true by lia. rewrite bits_ofwords by lia. - rewrite zlt_false by lia. f_equal; lia. - rewrite zlt_false by lia. rewrite bits_ofwords by lia. - rewrite zlt_false by lia. auto. - rewrite Int.bits_shr by lia. - change (@unsigned WORDSIZE32 (@sub WORDSIZE32 Int.iwordsize Int.one)) with (Int.zwordsize - 1). - destruct (zlt (i + @unsigned WORDSIZE32 y) zwordsize); - rewrite bits_ofwords by lia. - symmetry. rewrite zlt_false by lia. f_equal. - destruct (zlt (i - Int.zwordsize + (Int.zwordsize - 1)) Int.zwordsize); lia. - symmetry. rewrite zlt_false by lia. f_equal. - destruct (zlt (i - Int.zwordsize + (Int.zwordsize - 1)) Int.zwordsize); lia. -Qed. - -Lemma decompose_add: - forall xh xl yh yl, - add (ofwords xh xl) (ofwords yh yl) = - ofwords (Int.add (Int.add xh yh) (Int.add_carry xl yl (@zero WORDSIZE32))) - (Int.add xl yl). -Proof. - intros. symmetry. rewrite ofwords_add. rewrite add_unsigned. - apply eqm_samerepr. - rewrite ! ofwords_add'. rewrite (@unsigned WORDSIZE32_add_carry xl yl). - set (cc := Int.add_carry xl yl (@zero WORDSIZE32)). - set (Xl := @unsigned WORDSIZE32 xl); set (Xh := @unsigned WORDSIZE32 xh); - set (Yl := @unsigned WORDSIZE32 yl); set (Yh := @unsigned WORDSIZE32 yh). - change Int.modulus with (two_p 32). - replace (Xh * two_p 32 + Xl + (Yh * two_p 32 + Yl)) - with ((Xh + Yh) * two_p 32 + (Xl + Yl)) by ring. - replace (@unsigned WORDSIZE32 (Int.add (Int.add xh yh) cc) * two_p 32 + - (Xl + Yl - @unsigned WORDSIZE32 cc * two_p 32)) - with ((@unsigned WORDSIZE32 (Int.add (Int.add xh yh) cc) - @unsigned WORDSIZE32 cc) * two_p 32 - + (Xl + Yl)) by ring. - apply eqm_add. 2: apply eqm_refl. apply eqm_mul_2p32. - replace (Xh + Yh) with ((Xh + Yh + @unsigned WORDSIZE32 cc) - @unsigned WORDSIZE32 cc) by ring. - apply Int.eqm_sub. 2: apply Int.eqm_refl. - apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. 2: apply Int.eqm_refl. - apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. -Qed. - -Lemma decompose_sub: - forall xh xl yh yl, - sub (ofwords xh xl) (ofwords yh yl) = - ofwords (@sub WORDSIZE32 (@sub WORDSIZE32 xh yh) (@sub WORDSIZE32_borrow xl yl (@zero WORDSIZE32))) - (@sub WORDSIZE32 xl yl). -Proof. - intros. symmetry. rewrite ofwords_add. - apply eqm_samerepr. - rewrite ! ofwords_add'. rewrite (@unsigned WORDSIZE32_sub_borrow xl yl). - set (bb := @sub WORDSIZE32_borrow xl yl (@zero WORDSIZE32)). - set (Xl := @unsigned WORDSIZE32 xl); set (Xh := @unsigned WORDSIZE32 xh); - set (Yl := @unsigned WORDSIZE32 yl); set (Yh := @unsigned WORDSIZE32 yh). - change Int.modulus with (two_p 32). - replace (Xh * two_p 32 + Xl - (Yh * two_p 32 + Yl)) - with ((Xh - Yh) * two_p 32 + (Xl - Yl)) by ring. - replace (@unsigned WORDSIZE32 (@sub WORDSIZE32 (@sub WORDSIZE32 xh yh) bb) * two_p 32 + - (Xl - Yl + @unsigned WORDSIZE32 bb * two_p 32)) - with ((@unsigned WORDSIZE32 (@sub WORDSIZE32 (@sub WORDSIZE32 xh yh) bb) + @unsigned WORDSIZE32 bb) * two_p 32 - + (Xl - Yl)) by ring. - apply eqm_add. 2: apply eqm_refl. apply eqm_mul_2p32. - replace (Xh - Yh) with ((Xh - Yh - @unsigned WORDSIZE32 bb) + @unsigned WORDSIZE32 bb) by ring. - apply Int.eqm_add. 2: apply Int.eqm_refl. - apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. 2: apply Int.eqm_refl. - apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. -Qed. - -Lemma decompose_sub': - forall xh xl yh yl, - sub (ofwords xh xl) (ofwords yh yl) = - ofwords (Int.add (Int.add xh (Int.not yh)) (Int.add_carry xl (Int.not yl) Int.one)) - (@sub WORDSIZE32 xl yl). -Proof. - intros. rewrite decompose_sub. f_equal. - rewrite @sub WORDSIZE32_borrow_add_carry by auto. - rewrite @sub WORDSIZE32_add_not_3. rewrite Int.xor_assoc. rewrite Int.xor_idem. - rewrite Int.xor_zero. auto. - rewrite Int.xor_zero_l. unfold Int.add_carry. - destruct (zlt (@unsigned WORDSIZE32 xl + @unsigned WORDSIZE32 (Int.not yl) + @unsigned WORDSIZE32 Int.one) Int.modulus); - compute; [right|left]; apply Int.mkint_eq; auto. -Qed. - -Definition mul' (x y: int32) : int64 := repr (@unsigned WORDSIZE32 x * @unsigned WORDSIZE32 y). - -Lemma mul'_mulhu: - forall x y, mul' x y = ofwords (Int.mulhu x y) (Int.mul x y). -Proof. - intros. - rewrite ofwords_add. unfold mul', Int.mulhu, Int.mul. - set (p := @unsigned WORDSIZE32 x * @unsigned WORDSIZE32 y). - set (ph := p / Int.modulus). set (pl := p mod Int.modulus). - transitivity (repr (ph * Int.modulus + pl)). -- f_equal. rewrite Z.mul_comm. apply Z_div_mod_eq. apply Int.modulus_pos. -- apply eqm_samerepr. apply eqm_add. apply eqm_mul_2p32. auto with ints. - rewrite @unsigned WORDSIZE32_repr_eq. apply eqm_refl. -Qed. - -Lemma decompose_mul: - forall xh xl yh yl, - mul (ofwords xh xl) (ofwords yh yl) = - ofwords (Int.add (Int.add (hiword (mul' xl yl)) (Int.mul xl yh)) (Int.mul xh yl)) - (loword (mul' xl yl)). -Proof. - intros. - set (pl := loword (mul' xl yl)); set (ph := hiword (mul' xl yl)). - assert (EQ0: unsigned (mul' xl yl) = @unsigned WORDSIZE32 ph * two_p 32 + @unsigned WORDSIZE32 pl). - { rewrite <- (ofwords_recompose (mul' xl yl)). apply ofwords_add'. } - symmetry. rewrite ofwords_add. unfold mul. rewrite !ofwords_add'. - set (XL := @unsigned WORDSIZE32 xl); set (XH := @unsigned WORDSIZE32 xh); - set (YL := @unsigned WORDSIZE32 yl); set (YH := @unsigned WORDSIZE32 yh). - set (PH := @unsigned WORDSIZE32 ph) in *. set (PL := @unsigned WORDSIZE32 pl) in *. - transitivity (repr (((PH + XL * YH) + XH * YL) * two_p 32 + PL)). - apply eqm_samerepr. apply eqm_add. 2: apply eqm_refl. - apply eqm_mul_2p32. - rewrite Int.add_unsigned. apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. - rewrite Int.add_unsigned. apply Int.eqm_unsigned_repr_l. apply Int.eqm_add. - apply Int.eqm_refl. - unfold Int.mul. apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. - unfold Int.mul. apply Int.eqm_unsigned_repr_l. apply Int.eqm_refl. - transitivity (repr (unsigned (mul' xl yl) + (XL * YH + XH * YL) * two_p 32)). - rewrite EQ0. f_equal. ring. - transitivity (repr ((XL * YL + (XL * YH + XH * YL) * two_p 32))). - apply eqm_samerepr. apply eqm_add. 2: apply eqm_refl. - unfold mul'. apply eqm_unsigned_repr_l. apply eqm_refl. - transitivity (repr (0 + (XL * YL + (XL * YH + XH * YL) * two_p 32))). - rewrite Z.add_0_l; auto. - transitivity (repr (XH * YH * (two_p 32 * two_p 32) + (XL * YL + (XL * YH + XH * YL) * two_p 32))). - apply eqm_samerepr. apply eqm_add. 2: apply eqm_refl. - change (two_p 32 * two_p 32) with modulus. exists (- XH * YH). ring. - f_equal. ring. -Qed. - -Lemma decompose_mul_2: - forall xh xl yh yl, - mul (ofwords xh xl) (ofwords yh yl) = - ofwords (Int.add (Int.add (Int.mulhu xl yl) (Int.mul xl yh)) (Int.mul xh yl)) - (Int.mul xl yl). -Proof. - intros. rewrite decompose_mul. rewrite mul'_mulhu. - rewrite hi_ofwords, lo_ofwords. auto. -Qed. - -Lemma decompose_ltu: - forall xh xl yh yl, - ltu (ofwords xh xl) (ofwords yh yl) = if Int.eq xh yh then @ltu WORDSIZE32 xl yl else @ltu WORDSIZE32 xh yh. -Proof. - intros. unfold ltu. rewrite ! ofwords_add'. unfold @ltu WORDSIZE32, Int.eq. - destruct (zeq (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). - rewrite e. destruct (zlt (@unsigned WORDSIZE32 xl) (@unsigned WORDSIZE32 yl)). - apply zlt_true; lia. - apply zlt_false; lia. - change (two_p 32) with Int.modulus. - generalize (@unsigned_range WORDSIZE32 xl) (@unsigned_range WORDSIZE32 yl). - change Int.modulus with 4294967296. intros. - destruct (zlt (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). - apply zlt_true; lia. - apply zlt_false; lia. -Qed. - -Lemma decompose_leu: - forall xh xl yh yl, - negb (ltu (ofwords yh yl) (ofwords xh xl)) = - if Int.eq xh yh then negb (@ltu WORDSIZE32 yl xl) else @ltu WORDSIZE32 xh yh. -Proof. - intros. rewrite decompose_ltu. rewrite Int.eq_sym. - unfold Int.eq. destruct (zeq (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). - auto. - unfold @ltu WORDSIZE32. destruct (zlt (@unsigned WORDSIZE32 xh) (@unsigned WORDSIZE32 yh)). - rewrite zlt_false by lia; auto. - rewrite zlt_true by lia; auto. -Qed. - -Lemma decompose_lt: - forall xh xl yh yl, - lt (ofwords xh xl) (ofwords yh yl) = if Int.eq xh yh then @ltu WORDSIZE32 xl yl else Int.lt xh yh. -Proof. - intros. unfold lt. rewrite ! ofwords_add''. rewrite Int.eq_signed. - destruct (zeq (Int.signed xh) (Int.signed yh)). - rewrite e. unfold @ltu WORDSIZE32. destruct (zlt (@unsigned WORDSIZE32 xl) (@unsigned WORDSIZE32 yl)). - apply zlt_true; lia. - apply zlt_false; lia. - change (two_p 32) with Int.modulus. - generalize (@unsigned_range WORDSIZE32 xl) (@unsigned_range WORDSIZE32 yl). - change Int.modulus with 4294967296. intros. - unfold Int.lt. destruct (zlt (Int.signed xh) (Int.signed yh)). - apply zlt_true; lia. - apply zlt_false; lia. -Qed. - -Lemma decompose_le: - forall xh xl yh yl, - negb (lt (ofwords yh yl) (ofwords xh xl)) = - if Int.eq xh yh then negb (@ltu WORDSIZE32 yl xl) else Int.lt xh yh. -Proof. - intros. rewrite decompose_lt. rewrite Int.eq_sym. - rewrite Int.eq_signed. destruct (zeq (Int.signed xh) (Int.signed yh)). - auto. - unfold Int.lt. destruct (zlt (Int.signed xh) (Int.signed yh)). - rewrite zlt_false by lia; auto. - rewrite zlt_true by lia; auto. -Qed. - -(** Utility proofs for mixed 32bit and 64bit arithmetic *) - -Remark int_unsigned_range: - forall x, 0 <= @unsigned WORDSIZE32 x <= max_unsigned. -Proof. - intros. - unfold max_unsigned. unfold modulus. - generalize (@unsigned_range WORDSIZE32 x). - unfold Int.modulus in *. - change (wordsize) with 64%nat in *. - change (Int.wordsize) with 32%nat in *. - unfold two_power_nat. simpl. - lia. -Qed. - -Remark int_unsigned_repr: - forall x, unsigned (repr (@unsigned WORDSIZE32 x)) = @unsigned WORDSIZE32 x. -Proof. - intros. rewrite unsigned_repr. auto. - apply int_unsigned_range. -Qed. - -Lemma int_sub_ltu: - forall x y, - @ltu WORDSIZE32 x y= true -> - @unsigned WORDSIZE32 (@sub WORDSIZE32 y x) = unsigned (sub (repr (@unsigned WORDSIZE32 y)) (repr (@unsigned WORDSIZE32 x))). -Proof. - intros. generalize (@sub WORDSIZE32_ltu x y H). intros. unfold @sub WORDSIZE32. unfold sub. - rewrite @unsigned WORDSIZE32_repr. rewrite unsigned_repr. - rewrite unsigned_repr by apply int_unsigned_range. rewrite int_unsigned_repr. reflexivity. - rewrite unsigned_repr by apply int_unsigned_range. - rewrite int_unsigned_repr. generalize (int_unsigned_range y). - lia. - generalize (@sub WORDSIZE32_ltu x y H). intros. - generalize (@unsigned_range WORDSIZE32_2 y). intros. lia. -Qed. - -End Int64. - -Strategy 0 [Wordsize_64.wordsize]. - -Notation int64 := Int64.int. - -Global Opaque @repr WORDSIZE32 Int64.repr Byte.repr. - -(** * Specialization to offsets in pointer values *) - -Module Wordsize_Ptrofs. - Definition wordsize := if Archi.ptr64 then 64%nat else 32%nat. - Remark wordsize_not_zero: wordsize <> 0%nat. - Proof. unfold wordsize; destruct Archi.ptr64; congruence. Qed. -End Wordsize_Ptrofs. - -Strategy opaque [Wordsize_Ptrofs.wordsize]. - -Module Ptrofs. - -Include Make(Wordsize_Ptrofs). - -Definition to_int (x: int): Int.int := @repr WORDSIZE32 (unsigned x). - -Definition to_int64 (x: int): Int64.int := Int64.repr (unsigned x). - -Definition of_int (x: Int.int) : int := repr (@unsigned WORDSIZE32 x). - -Definition of_intu := of_int. - -Definition of_ints (x: Int.int) : int := repr (Int.signed x). - -Definition of_int64 (x: Int64.int) : int := repr (Int64.unsigned x). - -Definition of_int64u := of_int64. - -Definition of_int64s (x: Int64.int) : int := repr (Int64.signed x). - -Section AGREE32. - -Hypothesis _32: Archi.ptr64 = false. - -Lemma modulus_eq32: modulus = Int.modulus. -Proof. - unfold modulus, wordsize. - change Wordsize_Ptrofs.wordsize with (if Archi.ptr64 then 64%nat else 32%nat). - rewrite _32. reflexivity. -Qed. - -Lemma eqm32: - forall x y, Int.eqm x y <-> eqm x y. -Proof. - intros. unfold Int.eqm, eqm. rewrite modulus_eq32; tauto. -Qed. - -Definition agree32 (a: Ptrofs.int) (b: Int.int) : Prop := - Ptrofs.unsigned a = @unsigned WORDSIZE32 b. - -Lemma agree32_repr: - forall i, agree32 (Ptrofs.repr i) (@repr WORDSIZE32 i). -Proof. - intros; red. rewrite Ptrofs.unsigned_repr_eq, @unsigned WORDSIZE32_repr_eq. - apply f_equal2. auto. apply modulus_eq32. -Qed. - -Lemma agree32_signed: - forall a b, agree32 a b -> Ptrofs.signed a = Int.signed b. -Proof. - unfold agree32; intros. unfold signed, Int.signed, half_modulus, Int.half_modulus. - rewrite modulus_eq32. rewrite H. auto. -Qed. - -Lemma agree32_of_int: - forall b, agree32 (of_int b) b. -Proof. - unfold of_int; intros. rewrite <- (@repr WORDSIZE32_unsigned b) at 2. apply agree32_repr. -Qed. - -Lemma agree32_of_ints: - forall b, agree32 (of_ints b) b. -Proof. - unfold of_int; intros. rewrite <- (@repr WORDSIZE32_signed b) at 2. apply agree32_repr. -Qed. - -Lemma agree32_of_int_eq: - forall a b, agree32 a b -> of_int b = a. -Proof. - unfold agree32, of_int; intros. rewrite <- H. apply repr_unsigned. -Qed. - -Lemma agree32_of_ints_eq: - forall a b, agree32 a b -> of_ints b = a. -Proof. - unfold of_ints; intros. erewrite <- agree32_signed by eauto. apply repr_signed. -Qed. - -Lemma agree32_to_int: - forall a, agree32 a (to_int a). -Proof. - unfold agree32, to_int; intros. rewrite <- (agree32_repr (unsigned a)). - rewrite repr_unsigned; auto. -Qed. - -Lemma agree32_to_int_eq: - forall a b, agree32 a b -> to_int a = b. -Proof. - unfold agree32, to_int; intros. rewrite H. apply @repr WORDSIZE32_unsigned. -Qed. - -Lemma agree32_neg: - forall a1 b1, agree32 a1 b1 -> agree32 (Ptrofs.neg a1) (Int.neg b1). -Proof. - unfold agree32, Ptrofs.neg, Int.neg; intros. rewrite H. apply agree32_repr. -Qed. - -Lemma agree32_add: - forall a1 b1 a2 b2, - agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.add a1 a2) (Int.add b1 b2). -Proof. - unfold agree32, Ptrofs.add, Int.add; intros. rewrite H, H0. apply agree32_repr. -Qed. - -Lemma agree32_sub: - forall a1 b1 a2 b2, - agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.sub a1 a2) (@sub WORDSIZE32 b1 b2). -Proof. - unfold agree32, Ptrofs.sub, @sub WORDSIZE32; intros. rewrite H, H0. apply agree32_repr. -Qed. - -Lemma agree32_mul: - forall a1 b1 a2 b2, - agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.mul a1 a2) (Int.mul b1 b2). -Proof. - unfold agree32, Ptrofs.mul, Int.mul; intros. rewrite H, H0. apply agree32_repr. -Qed. - -Lemma agree32_divs: - forall a1 b1 a2 b2, - agree32 a1 b1 -> agree32 a2 b2 -> agree32 (Ptrofs.divs a1 a2) (Int.divs b1 b2). -Proof. - intros; unfold agree32, Ptrofs.divs, Int.divs. - erewrite ! agree32_signed by eauto. apply agree32_repr. -Qed. - -Lemma of_int_to_int: - forall n, of_int (to_int n) = n. -Proof. - intros; unfold of_int, to_int. apply eqm_repr_eq. rewrite <- eqm32. - apply Int.eqm_sym; apply Int.eqm_unsigned_repr. -Qed. - -Lemma to_int_of_int: - forall n, to_int (of_int n) = n. -Proof. - intros; unfold of_int, to_int. rewrite unsigned_repr. apply @repr WORDSIZE32_unsigned. - unfold max_unsigned. rewrite modulus_eq32. destruct (@unsigned_range WORDSIZE32 n); lia. -Qed. - -End AGREE32. - -Section AGREE64. - -Hypothesis _64: Archi.ptr64 = true. - -Lemma modulus_eq64: modulus = Int64.modulus. -Proof. - unfold modulus, wordsize. - change Wordsize_Ptrofs.wordsize with (if Archi.ptr64 then 64%nat else 32%nat). - rewrite _64. reflexivity. -Qed. - -Lemma eqm64: - forall x y, Int64.eqm x y <-> eqm x y. -Proof. - intros. unfold Int64.eqm, eqm. rewrite modulus_eq64; tauto. -Qed. - -Definition agree64 (a: Ptrofs.int) (b: Int64.int) : Prop := - Ptrofs.unsigned a = Int64.unsigned b. - -Lemma agree64_repr: - forall i, agree64 (Ptrofs.repr i) (Int64.repr i). -Proof. - intros; red. rewrite Ptrofs.unsigned_repr_eq, Int64.unsigned_repr_eq. - apply f_equal2. auto. apply modulus_eq64. -Qed. - -Lemma agree64_signed: - forall a b, agree64 a b -> Ptrofs.signed a = Int64.signed b. -Proof. - unfold agree64; intros. unfold signed, Int64.signed, half_modulus, Int64.half_modulus. - rewrite modulus_eq64. rewrite H. auto. -Qed. - -Lemma agree64_of_int: - forall b, agree64 (of_int64 b) b. -Proof. - unfold of_int64; intros. rewrite <- (Int64.repr_unsigned b) at 2. apply agree64_repr. -Qed. - -Lemma agree64_of_int_eq: - forall a b, agree64 a b -> of_int64 b = a. -Proof. - unfold agree64, of_int64; intros. rewrite <- H. apply repr_unsigned. -Qed. - -Lemma agree64_to_int: - forall a, agree64 a (to_int64 a). -Proof. - unfold agree64, to_int64; intros. rewrite <- (agree64_repr (unsigned a)). - rewrite repr_unsigned; auto. -Qed. - -Lemma agree64_to_int_eq: - forall a b, agree64 a b -> to_int64 a = b. -Proof. - unfold agree64, to_int64; intros. rewrite H. apply Int64.repr_unsigned. -Qed. - -Lemma agree64_neg: - forall a1 b1, agree64 a1 b1 -> agree64 (Ptrofs.neg a1) (Int64.neg b1). -Proof. - unfold agree64, Ptrofs.neg, Int64.neg; intros. rewrite H. apply agree64_repr. -Qed. - -Lemma agree64_add: - forall a1 b1 a2 b2, - agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.add a1 a2) (Int64.add b1 b2). -Proof. - unfold agree64, Ptrofs.add, Int.add; intros. rewrite H, H0. apply agree64_repr. -Qed. - -Lemma agree64_sub: - forall a1 b1 a2 b2, - agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.sub a1 a2) (Int64.sub b1 b2). -Proof. - unfold agree64, Ptrofs.sub, @sub WORDSIZE32; intros. rewrite H, H0. apply agree64_repr. -Qed. - -Lemma agree64_mul: - forall a1 b1 a2 b2, - agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.mul a1 a2) (Int64.mul b1 b2). -Proof. - unfold agree64, Ptrofs.mul, Int.mul; intros. rewrite H, H0. apply agree64_repr. -Qed. - -Lemma agree64_divs: - forall a1 b1 a2 b2, - agree64 a1 b1 -> agree64 a2 b2 -> agree64 (Ptrofs.divs a1 a2) (Int64.divs b1 b2). -Proof. - intros; unfold agree64, Ptrofs.divs, Int64.divs. - erewrite ! agree64_signed by eauto. apply agree64_repr. -Qed. - -Lemma of_int64_to_int64: - forall n, of_int64 (to_int64 n) = n. -Proof. - intros; unfold of_int64, to_int64. apply eqm_repr_eq. rewrite <- eqm64. - apply Int64.eqm_sym; apply Int64.eqm_unsigned_repr. -Qed. - -Lemma to_int64_of_int64: - forall n, to_int64 (of_int64 n) = n. -Proof. - intros; unfold of_int64, to_int64. rewrite unsigned_repr. apply Int64.repr_unsigned. - unfold max_unsigned. rewrite modulus_eq64. destruct (Int64.unsigned_range n); lia. -Qed. - -End AGREE64. - -Global Hint Resolve - agree32_repr agree32_of_int agree32_of_ints agree32_of_int_eq agree32_of_ints_eq - agree32_to_int agree32_to_int_eq agree32_neg agree32_add agree32_sub agree32_mul agree32_divs - agree64_repr agree64_of_int agree64_of_int_eq - agree64_to_int agree64_to_int_eq agree64_neg agree64_add agree64_sub agree64_mul agree64_divs : ptrofs. - -End Ptrofs. - -Strategy 0 [Wordsize_Ptrofs.wordsize]. - -Notation ptrofs := Ptrofs.int. - -Global Opaque Ptrofs.repr. - -Global Hint Resolve - Int.modulus_pos Int.eqm_refl Int.eqm_refl2 Int.eqm_sym Int.eqm_trans - Int.eqm_small_eq Int.eqm_add Int.eqm_neg Int.eqm_sub Int.eqm_mult - Int.eqm_unsigned_repr Int.eqm_unsigned_repr_l Int.eqm_unsigned_repr_r - @unsigned_range WORDSIZE32 @unsigned_range WORDSIZE32_2 - @repr WORDSIZE32_unsigned @repr WORDSIZE32_signed @unsigned WORDSIZE32_repr : ints. - -Global Hint Resolve - Int64.modulus_pos Int64.eqm_refl Int64.eqm_refl2 Int64.eqm_sym Int64.eqm_trans - Int64.eqm_small_eq Int64.eqm_add Int64.eqm_neg Int64.eqm_sub Int64.eqm_mult - Int64.eqm_unsigned_repr Int64.eqm_unsigned_repr_l Int64.eqm_unsigned_repr_r - Int64.unsigned_range Int64.unsigned_range_2 - Int64.repr_unsigned Int64.repr_signed Int64.unsigned_repr : ints. - -Global Hint Resolve - Ptrofs.modulus_pos Ptrofs.eqm_refl Ptrofs.eqm_refl2 Ptrofs.eqm_sym Ptrofs.eqm_trans - Ptrofs.eqm_small_eq Ptrofs.eqm_add Ptrofs.eqm_neg Ptrofs.eqm_sub Ptrofs.eqm_mult - Ptrofs.eqm_unsigned_repr Ptrofs.eqm_unsigned_repr_l Ptrofs.eqm_unsigned_repr_r - Ptrofs.unsigned_range Ptrofs.unsigned_range_2 - Ptrofs.repr_unsigned Ptrofs.repr_signed Ptrofs.unsigned_repr : ints. *) - -End Shift64With32Bit. \ No newline at end of file From f21eebc4622643d0fab0b19fa89aa5431452a93f Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Mon, 8 Apr 2024 11:38:18 +0200 Subject: [PATCH 08/12] Setting up dune --- dune-project | 21 +++++++++++++++++++++ proof-libs/coq/coq/src/dune | 11 +++++++++++ 2 files changed, 32 insertions(+) create mode 100644 dune-project create mode 100644 proof-libs/coq/coq/src/dune diff --git a/dune-project b/dune-project new file mode 100644 index 000000000..811388526 --- /dev/null +++ b/dune-project @@ -0,0 +1,21 @@ +(lang dune 3.8) +(using coq 0.8) +(generate_opam_files true) +(name coq-hacspec) +(opam_file_location inside_opam_directory) + +(package + (name coq-hacspec) + (synopsis "A short synopsis") + (description "A longer description") + (maintainers "Lasse Letager Hansen") + (authors "Lasse Letager Hansen") + (depends + ocaml + dune + (base (>= "0.16.2")) + (coq (>= "8.18.0")) + coq-compcert + ) + (tags + (topics "to describe" your project))) diff --git a/proof-libs/coq/coq/src/dune b/proof-libs/coq/coq/src/dune new file mode 100644 index 000000000..ecc1a1daa --- /dev/null +++ b/proof-libs/coq/coq/src/dune @@ -0,0 +1,11 @@ +(coq.theory + (name Hacspec) ; -R flag + (package coq-hacspec) + (flags -w all) + (theories + compcert + Equations + ) + ; (libraries ) + ) +; (include_subdirs qualified) From 6b9227c32904c916d6d7a9835f07430f092f1713 Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Tue, 9 Apr 2024 18:47:51 +0200 Subject: [PATCH 09/12] Start adding tests, and use dune --- .github/workflows/coq-hacspec-lib.yml | 100 +++++++ dune-project | 3 + engine/backends/coq/coq/coq_backend.ml | 42 +-- engine/backends/coq/coq_ast.ml | 4 +- opam/coq-hacspec.opam | 31 ++ proof-libs/coq/coq/_CoqProject | 1 + proof-libs/coq/coq/src/Hacspec_Integers.v | 330 ++++++++++++---------- proof-libs/coq/coq/src/Hacspec_Lib.v | 76 +++-- proof-libs/coq/coq/src/Hacspec_TODO.v | 21 ++ proof-libs/coq/coq/src/Hacspec_lib.v | 272 +++++++++--------- proof-libs/coq/coq/src/QuickChickLib.v | 15 +- proof-libs/coq/coq/src/dune | 4 +- 12 files changed, 560 insertions(+), 339 deletions(-) create mode 100644 .github/workflows/coq-hacspec-lib.yml create mode 100644 opam/coq-hacspec.opam create mode 100644 proof-libs/coq/coq/src/Hacspec_TODO.v diff --git a/.github/workflows/coq-hacspec-lib.yml b/.github/workflows/coq-hacspec-lib.yml new file mode 100644 index 000000000..87caa29e2 --- /dev/null +++ b/.github/workflows/coq-hacspec-lib.yml @@ -0,0 +1,100 @@ + +name: Hacspec - Coq Lib + +on: + push: + branches: + - master + pull_request: + branches: + - '**' + +jobs: + build: + # the OS must be GNU/Linux to be able to use the docker-coq-action + runs-on: ubuntu-latest + strategy: + matrix: + image: + - 'coqorg/coq:8.18' + fail-fast: false + steps: + - uses: actions/checkout@v3 + - uses: DeterminateSystems/nix-installer-action@main + - uses: DeterminateSystems/magic-nix-cache-action@main + - name: Build + run: nix build -L + + - name: Install the toolchain + run: | + nix profile install nixpkgs#yq + nix profile install .#rustc + nix profile install . + - name: Install tomlq + run: cargo install --git https://github.com/Techcable/tomlq + + - name: Set up environment + run: | + echo "::group::Setting up problem matcher" + echo "::add-matcher::./.github/coq-errors.json" + echo "::endgroup::" + - name: Build Coq-Hacspec lib + uses: coq-community/docker-coq-action@v1 + with: + opam_file: 'opam/coq-hacspec.opam' + custom_image: ${{ matrix.image }} + + - name: Run Coq on Tests + working-directory: tests + run: | + paths=$(tomlq -r '.workspace.members | .[]' Cargo.toml) + for cratePath in $paths; do + crate=$(tomlq -r '.package.name' "$cratePath/Cargo.toml") + for skip in $SKIPLIST; do + if [[ "$skip" == "$crate" || "$skip" == "$crate-$backend" ]]; then + echo "⛔ $crate [$backend] (skipping)" + continue 2 + fi + done + for backend in coq; do + echo "::group::$crate [$backend]" + cargo hax -C -p "$crate" \; into "$backend" + coqc $cratePath/proofs/coq/extraction/*.v + echo "::endgroup::" + done + done + env: + SKIPLIST: | + enum-struct-variant + literals + slices + naming + if-let + enum-repr + pattern-or + side-effects + v1-lib + mut_arg + fnmut + mut-ref-functionalization + generics + loops + even + odd + never-type + attributes + attribute-opaque + raw-attributes + traits + reordering + nested-derefs + minimal + basic-structs + ping-pong + noise-kkpsk0 + fn-to-letfun + include-flag + recursion +# See also: +# https://github.com/coq-community/docker-coq-action#readme +# https://github.com/erikmd/docker-coq-github-action-demo diff --git a/dune-project b/dune-project index 811388526..2c8058a98 100644 --- a/dune-project +++ b/dune-project @@ -16,6 +16,9 @@ (base (>= "0.16.2")) (coq (>= "8.18.0")) coq-compcert + coq-coqprime + coq-quickchick ) (tags (topics "to describe" your project))) + diff --git a/engine/backends/coq/coq/coq_backend.ml b/engine/backends/coq/coq/coq_backend.ml index 5e04b85cc..783ba5f82 100644 --- a/engine/backends/coq/coq/coq_backend.ml +++ b/engine/backends/coq/coq/coq_backend.ml @@ -73,7 +73,7 @@ open AST module CoqLibrary : Library = struct module Notation = struct let int_repr (x : string) (i : string) : string = - "(@repr" ^ " " ^ "WORDSIZE" ^ x ^ " " ^ i ^ ")" + "(Int"^x^".repr" ^ " " ^ i ^ ")" let type_str : string = "Type" let bool_str : string = "bool" @@ -174,7 +174,7 @@ struct C.AST.Product (args_ty span args) | TApp { ident; args } -> C.AST.AppTy - (C.AST.NameTy (pglobal_ident ident ^ "_t"), args_ty span args) + (C.AST.NameTy (pglobal_ident ident), args_ty span args) | TArrow (inputs, output) -> List.fold_right ~init:(pty span output) ~f:(fun x y -> C.AST.Arrow (x, y)) @@ -390,7 +390,7 @@ struct | TyAlias { name; ty; _ } -> [ C.AST.Notation - ( "'" ^ pconcrete_ident name ^ "_t" ^ "'", + ( "'" ^ pconcrete_ident name ^ "'", C.AST.Type (pty span ty), None ); ] @@ -442,7 +442,7 @@ struct in [ C.AST.Notation - ( "'" ^ o.type_name ^ "_t" ^ "'", + ( "'" ^ o.type_name ^ "'", C.AST.Type (C.AST.NatMod ( o.type_of_canvas, @@ -454,8 +454,8 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.type_name ^ "_t"), - C.AST.NameTy (o.type_name ^ "_t") ) ); + ( C.AST.NameTy (o.type_name), + C.AST.NameTy (o.type_name) ) ); ] | "bytes" -> let open Hacspeclib_macro_parser in @@ -464,7 +464,7 @@ struct in [ C.AST.Notation - ( "'" ^ o.bytes_name ^ "_t" ^ "'", + ( "'" ^ o.bytes_name ^ "'", C.AST.Type (C.AST.ArrayTy ( C.AST.Int { size = C.AST.U8; signed = false }, @@ -475,8 +475,8 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.bytes_name ^ "_t"), - C.AST.NameTy (o.bytes_name ^ "_t") ) ); + ( C.AST.NameTy (o.bytes_name), + C.AST.NameTy (o.bytes_name) ) ); ] | "unsigned_public_integer" -> let open Hacspeclib_macro_parser in @@ -485,7 +485,7 @@ struct in [ C.AST.Notation - ( "'" ^ o.integer_name ^ "_t" ^ "'", + ( "'" ^ o.integer_name ^ "'", C.AST.Type (C.AST.ArrayTy ( C.AST.Int { size = C.AST.U8; signed = false }, @@ -496,8 +496,8 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.integer_name ^ "_t"), - C.AST.NameTy (o.integer_name ^ "_t") ) ); + ( C.AST.NameTy (o.integer_name), + C.AST.NameTy (o.integer_name) ) ); ] | "public_bytes" -> let open Hacspeclib_macro_parser in @@ -511,14 +511,14 @@ struct in [ C.AST.Notation - ("'" ^ o.bytes_name ^ "_t" ^ "'", C.AST.Type typ, None); + ("'" ^ o.bytes_name ^ "'", C.AST.Type typ, None); C.AST.Definition ( o.bytes_name, [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.bytes_name ^ "_t"), - C.AST.NameTy (o.bytes_name ^ "_t") ) ); + ( C.AST.NameTy (o.bytes_name), + C.AST.NameTy (o.bytes_name) ) ); ] | "array" -> let open Hacspeclib_macro_parser in @@ -541,7 +541,7 @@ struct in [ C.AST.Notation - ( "'" ^ o.array_name ^ "_t" ^ "'", + ( "'" ^ o.array_name ^ "'", C.AST.Type (C.AST.ArrayTy ( C.AST.Int { size = typ; signed = false }, @@ -552,8 +552,8 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.array_name ^ "_t"), - C.AST.NameTy (o.array_name ^ "_t") ) ); + ( C.AST.NameTy (o.array_name), + C.AST.NameTy (o.array_name) ) ); ] | _ -> unsupported ()) | _ -> unsupported ()) @@ -673,11 +673,13 @@ let string_of_items : AST.item list -> string = let hardcoded_coq_headers = "(* File automatically generated by Hacspec *)\n\ - From Hacspec Require Import Hacspec_Lib MachineIntegers.\n\ + From Hacspec Require Import Hacspec_Lib.\n\ From Coq Require Import ZArith.\n\ Import List.ListNotations.\n\ + Require Import Coq.Strings.String.\n\ Open Scope Z_scope.\n\ - Open Scope bool_scope.\n" + Open Scope bool_scope.\n\ + Open Scope hacspec_scope.\n" let translate _ (_bo : BackendOptions.t) (items : AST.item list) : Types.file list = diff --git a/engine/backends/coq/coq_ast.ml b/engine/backends/coq/coq_ast.ml index 1fd848982..d062bfa72 100644 --- a/engine/backends/coq/coq_ast.ml +++ b/engine/backends/coq/coq_ast.ml @@ -256,7 +256,7 @@ functor let literal_to_string (x : AST.literal) : string = match x with - | Const_string s -> s + | Const_string s -> "\"" ^ s ^ "\"%string" | Const_char c -> Int.to_string c (* TODO *) | Const_int (i, { size; _ }) -> Lib.Notation.int_repr (int_size_to_string size) i @@ -304,7 +304,7 @@ functor let rec term_to_string (x : AST.term) depth : string * bool = match x with | AST.UnitTerm -> ("tt", false) - | AST.Let { pattern = pat; value = bind; value_typ = typ; body = term; _ } + | AST.Let { pattern = AST.AscriptionPat (pat, _) | pat; value = bind; value_typ = typ; body = term; _ } -> (* TODO: propegate type definition *) let var_str = pat_to_string pat true depth in diff --git a/opam/coq-hacspec.opam b/opam/coq-hacspec.opam new file mode 100644 index 000000000..ef220caae --- /dev/null +++ b/opam/coq-hacspec.opam @@ -0,0 +1,31 @@ +# This file is generated by dune, edit dune-project instead +opam-version: "2.0" +synopsis: "A short synopsis" +description: "A longer description" +maintainer: ["Lasse Letager Hansen"] +authors: ["Lasse Letager Hansen"] +tags: ["topics" "to describe" "your" "project"] +depends: [ + "ocaml" + "dune" {>= "3.8"} + "base" {>= "0.16.2"} + "coq" {>= "8.18.0"} + "coq-compcert" + "coq-coqprime" + "coq-quickchick" + "odoc" {with-doc} +] +build: [ + ["dune" "subst"] {dev} + [ + "dune" + "build" + "-p" + name + "-j" + jobs + "@install" + "@runtest" {with-test} + "@doc" {with-doc} + ] +] diff --git a/proof-libs/coq/coq/_CoqProject b/proof-libs/coq/coq/_CoqProject index ff25a5d44..c9279aeb1 100644 --- a/proof-libs/coq/coq/_CoqProject +++ b/proof-libs/coq/coq/_CoqProject @@ -4,6 +4,7 @@ src/Hacspec_Types.v src/Hacspec_Integers.v +src/Hacspec_TODO.v src/Hacspec_Lib.v src/Hacspec_lib.v src/QuickChickLib.v diff --git a/proof-libs/coq/coq/src/Hacspec_Integers.v b/proof-libs/coq/coq/src/Hacspec_Integers.v index ed373dad7..17ae34a86 100644 --- a/proof-libs/coq/coq/src/Hacspec_Integers.v +++ b/proof-libs/coq/coq/src/Hacspec_Integers.v @@ -55,10 +55,12 @@ Qed. (*** Hacspec Integers *) -Module HacspecIntegers (WS : WORDSIZE). +Class MyAdd (A : Type) := myadd : A -> A -> A. +Infix ".+" := (myadd) (at level 77) : hacspec_scope. +Module HacspecIntegers (WS : WORDSIZE). + Include (Make WS). (**** Public integers *) - Include Make WS. Definition pub (n : Z) : int := repr n. @@ -78,8 +80,10 @@ Module HacspecIntegers (WS : WORDSIZE). Infix "shift_left" := (shift_left_) (at level 77) : hacspec_scope. Infix "shift_right" := (shift_right_) (at level 77) : hacspec_scope. + Instance MyAddInstance : MyAdd int := add. + Infix "%%" := Z.rem (at level 40, left associativity) : Z_scope. - Infix ".+" := (add) (at level 77) : hacspec_scope. + (* Infix ".+" := (add) (at level 77) : hacspec_scope. *) Infix ".-" := (sub) (at level 77) : hacspec_scope. Notation "-" := (neg) (at level 77) : hacspec_scope. Infix ".*" := (mul) (at level 77) : hacspec_scope. @@ -93,170 +97,170 @@ Module HacspecIntegers (WS : WORDSIZE). (* Definition zero := (@zero WORDSIZE32). *) Notation "A × B" := (prod A B) (at level 79, left associativity) : hacspec_scope. -(*** Uint size util *) + (*** Uint size util *) -(* If a natural number is in bound then a smaller natural number is still in bound *) -Lemma range_of_nat_succ : - forall i, (Z.pred 0 < Z.of_nat (S i) < modulus)%Z -> (Z.pred 0 < Z.of_nat i < modulus)%Z. -Proof. lia. Qed. + (* If a natural number is in bound then a smaller natural number is still in bound *) + Lemma range_of_nat_succ : + forall i, (Z.pred 0 < Z.of_nat (S i) < modulus)%Z -> (Z.pred 0 < Z.of_nat i < modulus)%Z. + Proof. lia. Qed. -(* Conversion to equivalent bound *) -Lemma modulus_range_helper : - forall i, (Z.pred 0 < i < modulus)%Z -> (0 <= i <= max_unsigned)%Z. -Proof. unfold max_unsigned. lia. Qed. + (* Conversion to equivalent bound *) + Lemma modulus_range_helper : + forall i, (Z.pred 0 < i < modulus)%Z -> (0 <= i <= max_unsigned)%Z. + Proof. unfold max_unsigned. lia. Qed. -Definition unsigned_repr_alt (a : Z) `((Z.pred 0 < a < modulus)%Z) : unsigned (repr a) = a := - unsigned_repr a (modulus_range_helper a H). + Definition unsigned_repr_alt (a : Z) `((Z.pred 0 < a < modulus)%Z) : unsigned (repr a) = a := + unsigned_repr a (modulus_range_helper a H). -Theorem zero_always_modulus : (Z.pred 0 < 0 < modulus)%Z. -Proof. easy. Qed. + Theorem zero_always_modulus : (Z.pred 0 < 0 < modulus)%Z. + Proof. easy. Qed. -(* any uint_size can be .represented as a natural number and a bound *) -(* this is easier for proofs, however less efficient for computation *) -(* as Z uses a binary .representation *) -Theorem int_as_nat : - forall (us: int), - { n : nat | - us = repr (Z.of_nat n) /\ (Z.pred 0 < Z.of_nat n < modulus)%Z}. -Proof. - destruct us as [intval intrange]. - exists (Z.to_nat intval). - rewrite Z2Nat.id by (apply Z.lt_pred_le ; apply intrange). - - split. - - apply mkint_eq. - rewrite Z_mod_modulus_eq. - rewrite Z.mod_small. - + reflexivity. - + lia. - - apply intrange. -Qed. + (* any uint_size can be .represented as a natural number and a bound *) + (* this is easier for proofs, however less efficient for computation *) + (* as Z uses a binary .representation *) + Theorem int_as_nat : + forall (us: int), + { n : nat | + us = repr (Z.of_nat n) /\ (Z.pred 0 < Z.of_nat n < modulus)%Z}. + Proof. + destruct us as [intval intrange]. + exists (Z.to_nat intval). + rewrite Z2Nat.id by (apply Z.lt_pred_le ; apply intrange). -(* destruct int as you would a natural number *) -Definition destruct_int_as_nat (a : int) : forall (P : int -> Prop), + split. + - apply mkint_eq. + rewrite Z_mod_modulus_eq. + rewrite Z.mod_small. + + reflexivity. + + lia. + - apply intrange. + Qed. + + (* destruct int as you would a natural number *) + Definition destruct_int_as_nat (a : int) : forall (P : int -> Prop), forall (zero_case : P (repr 0)), forall (succ_case : forall (n : nat), (Z.pred 0 < Z.of_nat n < modulus)%Z -> P (repr (Z.of_nat n))), - P a. -Proof. - intros. - destruct (int_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. - destruct n. - - apply zero_case. - - apply succ_case. - apply yb. -Qed. - -Ltac destruct_int_as_nat a := - generalize dependent a ; - intros a ; - apply (destruct_int_as_nat a) ; [ pose proof (@unsigned_repr_alt 0 zero_always_modulus) | let n := fresh in let H := fresh in intros n H ; pose proof (@unsigned_repr_alt _ H)] ; intros. - -(* induction for int as you would do for a natural number *) -Definition induction_int_as_nat : - forall (P : int -> Prop), - (P (repr 0)) -> - (forall n, - (Z.pred 0 < Z.succ (Z.of_nat n) < @modulus)%Z -> - P (repr (Z.of_nat n)) -> - P (repr (Z.succ (Z.of_nat n)))) -> - forall (a : int), P a. -Proof. - intros P H_zero H_ind a. - destruct (int_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. - induction n. - - apply H_zero. - - rewrite Nat2Z.inj_succ. - apply H_ind. - + rewrite <- Nat2Z.inj_succ. + P a. + Proof. + intros. + destruct (int_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + destruct n. + - apply zero_case. + - apply succ_case. apply yb. - + apply IHn. - lia. -Qed. - -Ltac induction_int_as_nat var := - generalize dependent var ; - intros var ; - apply induction_int_as_nat with (a := var) ; [ pose proof (@unsigned_repr_alt 0 zero_always_modulus) | let n := fresh in let IH := fresh in intros n IH ; pose proof (@unsigned_repr_alt _ IH)] ; intros. - -(* conversion of usize to positive or zero and the respective bound *) -Theorem int_as_positive : - forall (us: int), - { pu : unit + positive | - match pu with inl u => us = repr Z0 | inr p => us = repr (Z.pos p) /\ (Z.pred 0 < Z.pos p < @modulus)%Z end + Qed. + + Ltac destruct_int_as_nat a := + generalize dependent a ; + intros a ; + apply (destruct_int_as_nat a) ; [ pose proof (@unsigned_repr_alt 0 zero_always_modulus) | let n := fresh in let H := fresh in intros n H ; pose proof (@unsigned_repr_alt _ H)] ; intros. + + (* induction for int as you would do for a natural number *) + Definition induction_int_as_nat : + forall (P : int -> Prop), + (P (repr 0)) -> + (forall n, + (Z.pred 0 < Z.succ (Z.of_nat n) < @modulus)%Z -> + P (repr (Z.of_nat n)) -> + P (repr (Z.succ (Z.of_nat n)))) -> + forall (a : int), P a. + Proof. + intros P H_zero H_ind a. + destruct (int_as_nat a) as [ n y ] ; destruct y as [ya yb] ; subst. + induction n. + - apply H_zero. + - rewrite Nat2Z.inj_succ. + apply H_ind. + + rewrite <- Nat2Z.inj_succ. + apply yb. + + apply IHn. + lia. + Qed. + + Ltac induction_int_as_nat var := + generalize dependent var ; + intros var ; + apply induction_int_as_nat with (a := var) ; [ pose proof (@unsigned_repr_alt 0 zero_always_modulus) | let n := fresh in let IH := fresh in intros n IH ; pose proof (@unsigned_repr_alt _ IH)] ; intros. + + (* conversion of usize to positive or zero and the respective bound *) + Theorem int_as_positive : + forall (us: int), + { pu : unit + positive | + match pu with inl u => us = repr Z0 | inr p => us = repr (Z.pos p) /\ (Z.pred 0 < Z.pos p < @modulus)%Z end }. -Proof. - destruct us as [intval intrange]. - destruct intval. - - exists (inl tt). apply mkint_eq. reflexivity. - - exists (inr p). - split. - + apply mkint_eq. - rewrite Z_mod_modulus_eq. - symmetry. - apply Zmod_small. + Proof. + destruct us as [intval intrange]. + destruct intval. + - exists (inl tt). apply mkint_eq. reflexivity. + - exists (inr p). + split. + + apply mkint_eq. + rewrite Z_mod_modulus_eq. + symmetry. + apply Zmod_small. + lia. + + apply intrange. + - exfalso. lia. - + apply intrange. - - exfalso. - lia. -Defined. - -(* destruction of int as positive *) -Definition destruct_int_as_positive (a : int) : forall (P : int -> Prop), - (P (repr 0)) -> - (forall b, (Z.pred 0 < Z.pos b < @modulus)%Z -> P (repr (Z.pos b))) -> - P a. -Proof. - intros P H_zero H_succ. - destruct (int_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. - - apply H_zero. - - apply H_succ. - apply yb. -Qed. - -Ltac destruct_int_as_positive a := - generalize dependent a ; - intros a ; - apply (destruct_int_as_positive a) ; intros. - -(* induction of int as positive *) -Definition induction_int_as_positive : - forall (P : int -> Prop), - (P (repr 0)) -> - (P (repr 1)) -> - (forall b, - (Z.pred 0 < Z.succ (Z.pos b) < @modulus)%Z -> - P (repr (Z.pos b)) -> - P (repr (Z.succ (Z.pos b)))) -> - forall (a : int), P a. -Proof. - intros P H_zero H_one H_ind a. - - destruct (int_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. - - apply H_zero. - - pose proof (pos_succ_b := positive_to_positive_succs b) - ; symmetry in pos_succ_b - ; rewrite pos_succ_b in * - ; clear pos_succ_b. - - generalize dependent (Nat.neq_sym 0 (Pos.to_nat b) (Nat.lt_neq 0 (Pos.to_nat b) (Pos2Nat.is_pos b))). - - induction (Pos.to_nat b). - + contradiction. - + intros n_neq yb. - destruct n. - * apply H_one. - * rewrite (positive_is_succs _ (Nat.neq_succ_0 n) n_neq) in *. - rewrite Pos2Z.inj_succ in *. - apply H_ind. - -- apply yb. - -- apply IHn. - lia. -Qed. - -Ltac induction_int_as_positive var := - generalize dependent var ; - intros var ; - apply induction_int_as_positive with (a := var) ; intros ; [ | | ]. + Defined. + + (* destruction of int as positive *) + Definition destruct_int_as_positive (a : int) : forall (P : int -> Prop), + (P (repr 0)) -> + (forall b, (Z.pred 0 < Z.pos b < @modulus)%Z -> P (repr (Z.pos b))) -> + P a. + Proof. + intros P H_zero H_succ. + destruct (int_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - apply H_succ. + apply yb. + Qed. + + Ltac destruct_int_as_positive a := + generalize dependent a ; + intros a ; + apply (destruct_int_as_positive a) ; intros. + + (* induction of int as positive *) + Definition induction_int_as_positive : + forall (P : int -> Prop), + (P (repr 0)) -> + (P (repr 1)) -> + (forall b, + (Z.pred 0 < Z.succ (Z.pos b) < @modulus)%Z -> + P (repr (Z.pos b)) -> + P (repr (Z.succ (Z.pos b)))) -> + forall (a : int), P a. + Proof. + intros P H_zero H_one H_ind a. + + destruct (int_as_positive a) as [ [ _ | b ] y ] ; [ subst | destruct y as [ya yb] ; subst ]. + - apply H_zero. + - pose proof (pos_succ_b := positive_to_positive_succs b) + ; symmetry in pos_succ_b + ; rewrite pos_succ_b in * + ; clear pos_succ_b. + + generalize dependent (Nat.neq_sym 0 (Pos.to_nat b) (Nat.lt_neq 0 (Pos.to_nat b) (Pos2Nat.is_pos b))). + + induction (Pos.to_nat b). + + contradiction. + + intros n_neq yb. + destruct n. + * apply H_one. + * rewrite (positive_is_succs _ (Nat.neq_succ_0 n) n_neq) in *. + rewrite Pos2Z.inj_succ in *. + apply H_ind. + -- apply yb. + -- apply IHn. + lia. + Qed. + + Ltac induction_int_as_positive var := + generalize dependent var ; + intros var ; + apply induction_int_as_positive with (a := var) ; intros ; [ | | ]. End HacspecIntegers. @@ -276,12 +280,24 @@ Module Int32 := HacspecIntegers Wordsize_32. Module Int64 := HacspecIntegers Wordsize_64. Module Int128 := HacspecIntegers Wordsize_128. +Import Int128. Export Int128. +Import Int64. Export Int64. +Import Int32. Export Int32. +Import Int16. Export Int16. +Import Int8. Export Int8. + Definition int8 := Int8.int. Definition int16 := Int16.int. Definition int32 := Int32.int. Definition int64 := Int64.int. Definition int128 := Int128.int. +(* Instance int8_add : MyAdd int8 := Int8.add. *) +(* Instance int16_add : MyAdd int16 := Int16.add. *) +(* Instance int32_add : MyAdd int32 := Int32.add. *) +(* Instance int64_add : MyAdd int64 := Int64.add. *) +(* Instance int128_add : MyAdd int128 := Int128.add. *) + (* CompCert integers' signedness is only interpreted through 'signed' and 'unsigned', and not in the representation. Therefore, uints are just names for their respective ints. *) @@ -343,3 +359,5 @@ Global Instance Z_Int_sizable : Int_sizable Z := { isize n := Int32.repr n; from_int_size n := Int32.signed n; }. + +Notation secret := id. diff --git a/proof-libs/coq/coq/src/Hacspec_Lib.v b/proof-libs/coq/coq/src/Hacspec_Lib.v index 24b0bb9ed..277174a92 100644 --- a/proof-libs/coq/coq/src/Hacspec_Lib.v +++ b/proof-libs/coq/coq/src/Hacspec_Lib.v @@ -14,9 +14,13 @@ Require Import Lia. Declare Scope hacspec_scope. -Require Import Hacspec_Types. -Require Import Hacspec_Integers. +From Hacspec Require Import Hacspec_Types. Export Hacspec_Types. +From Hacspec Require Import Hacspec_Integers. Export Hacspec_Integers. +From Hacspec Require Import Hacspec_TODO. Export Hacspec_TODO. +(* Notation *) + +Infix "'×" := prod (at level 100) : hacspec_scope. (*** Loops *) @@ -134,7 +138,9 @@ Proof. induction fuel ; intros. - reflexivity. - do 2 rewrite <- foldi__nat_move_S. - replace (S fuel + i)%nat with (fuel + (S i))%nat by (symmetry ; apply plus_Snm_nSm). + + Require Import PeanoNat. + replace (S fuel + i)%nat with (fuel + (S i))%nat by (symmetry ; apply plus_n_Sm). rewrite IHfuel. + reflexivity. + lia. @@ -320,10 +326,10 @@ Definition seq_new_ {A: Type} (init : A) (len: nat) : seq A := Definition seq_new {A: Type} `{Default A} (len: nat) : seq A := seq_new_ default len. -Fixpoint array_from_list (A: Type) (l: list A) : nseq A (length l) := +Fixpoint array_from_list {A: Type} (l: list A) : nseq A (length l) := match l return (nseq A (length l)) with | [] => VectorDef.nil A - | x :: xs => VectorDef.cons A x (length xs) (array_from_list A xs) + | x :: xs => VectorDef.cons A x (length xs) (array_from_list xs) end. (* match l, length l with *) @@ -910,22 +916,58 @@ Section Casting. cast n := GZnZ.val p n }. - (* Note: should be aware of typeclass resolution with int/uint since they are just aliases of each other currently *) - Global Instance cast_int8_to_uint32 : Cast int8 uint32 := { - cast n := Int32.repr (Int8.unsigned n) - }. - Global Instance cast_int8_to_int32 : Cast int8 int32 := { - cast n := Int32.repr (Int8.signed n) - }. - - Global Instance cast_uint8_to_uint32 : Cast uint8 uint32 := { - cast n := Int32.repr (Int8.unsigned n) - }. - (* Global Instance cast_int_to_nat `{WORDSIZE} : Cast int nat := { *) (* cast n := Z.to_nat (signed n) *) (* }. *) + Global Instance cast_int16_to_int8 : Cast int16 int8 := { + cast n := Int8.repr (Int16.unsigned n) + }. + + Global Instance cast_int32_to_int8 : Cast int32 int8 := { + cast n := Int8.repr (Int32.unsigned n) + }. + + Global Instance cast_int64_to_int8 : Cast int64 int8 := { + cast n := Int8.repr (Int64.unsigned n) + }. + + Global Instance cast_int8_to_int16 : Cast int8 int16 := { + cast n := Int16.repr (Int8.unsigned n) + }. + + Global Instance cast_int32_to_int16 : Cast int32 int16 := { + cast n := Int16.repr (Int32.unsigned n) + }. + + Global Instance cast_int64_to_int16 : Cast int64 int16 := { + cast n := Int16.repr (Int64.unsigned n) + }. + + Global Instance cast_int8_to_int32 : Cast int8 int32 := { + cast n := Int32.repr (Int8.unsigned n) + }. + + Global Instance cast_int16_to_int32 : Cast int16 int32 := { + cast n := Int32.repr (Int16.unsigned n) + }. + + Global Instance cast_int64_to_int32 : Cast int64 int32 := { + cast n := Int32.repr (Int64.unsigned n) + }. + + Global Instance cast_int8_to_int64 : Cast int8 int64 := { + cast n := Int64.repr (Int8.unsigned n) + }. + + Global Instance cast_int16_to_int64 : Cast int16 int64 := { + cast n := Int64.repr (Int16.unsigned n) + }. + + Global Instance cast_int32_to_int64 : Cast int32 int64 := { + cast n := Int64.repr (Int32.unsigned n) + }. + Close Scope hacspec_scope. End Casting. diff --git a/proof-libs/coq/coq/src/Hacspec_TODO.v b/proof-libs/coq/coq/src/Hacspec_TODO.v new file mode 100644 index 000000000..2bf1d3c42 --- /dev/null +++ b/proof-libs/coq/coq/src/Hacspec_TODO.v @@ -0,0 +1,21 @@ +Global Set Warnings "-ambiguous-paths". +Global Set Warnings "-uniform-inheritance". +Global Set Warnings "-auto-template". +Global Set Warnings "-disj-pattern-notation". + +From Coq Require Import ZArith List. +Import ListNotations. +(* Require Import IntTypes. *) + +(* Require Import MachineIntegers. *) From compcert Require Import Integers. +From Coqprime Require GZnZ. + +Require Import Lia. + +(*** TODO *) + +Declare Scope hacspec_scope. +Definition never_to_any {A} (f : False) : A. contradiction. Defined. +Definition panic_fmt {A} (x : A): False. Admitted. +Notation impl_2__new_const := id. +Notation unsize := id. diff --git a/proof-libs/coq/coq/src/Hacspec_lib.v b/proof-libs/coq/coq/src/Hacspec_lib.v index b274c7dd5..c1fef43c9 100644 --- a/proof-libs/coq/coq/src/Hacspec_lib.v +++ b/proof-libs/coq/coq/src/Hacspec_lib.v @@ -1,146 +1,146 @@ (* File automatically generated by Hacspec *) -From Hacspec Require Import Hacspec_Lib MachineIntegers. +From Hacspec Require Import Hacspec_Lib. +(* Require Import MachineIntegers. *) From compcert Require Import Integers. From Coq Require Import ZArith. Import List.ListNotations. Open Scope Z_scope. Open Scope bool_scope. -From Hacspec Require Export MachineIntegers. From Hacspec Require Export Hacspec_Lib. (** Should be moved to Hacspec_Lib.v **) -Definition int_xI {WS : WORDSIZE} (a : int) : int := MachineIntegers.add (MachineIntegers.mul a (repr 2)) MachineIntegers.one. -Definition int_xO {WS : WORDSIZE} (a : int) : int := MachineIntegers.mul a (repr 2). -Number Notation int Pos.of_num_int Pos.to_num_int (via positive mapping [[int_xI] => xI, [int_xO] => xO , [MachineIntegers.one] => xH]) : hacspec_scope. -Notation "0" := (repr O). -Notation U8_t := int8. -Notation U8 := id. -Notation U16_t := int16. -Notation U16 := id. -Notation U32_t := int32. -Notation U32 := id. -Notation U64_t := int64. -Notation U64 := id. -Notation U128_t := int128. -Notation U128 := id. - -Definition array_index {A: Type} `{Default A} {len : nat} (s: nseq A len) {WS} (i : @int WS) := array_index s (unsigned i). -Notation " x .[ a ]" := (array_index x a) (at level 40). -Definition array_upd {A: Type} {len : nat} (s: nseq A len) {WS} (i: @int WS) (new_v: A) : nseq A len := array_upd s (unsigned i) new_v. -Notation " x .[ i ]<- a" := (array_upd x i a) (at level 40). - -Class Addition A := add : A -> A -> A. -Notation "a .+ b" := (add a b). -Instance array_add_inst {ws : WORDSIZE} {len: nat} : Addition (nseq (@int ws) len) := { add a b := a array_add b }. -Instance int_add_inst {ws : WORDSIZE} : Addition (@int ws) := { add a b := MachineIntegers.add a b }. - -Class Subtraction A := sub : A -> A -> A. -Notation "a .- b" := (sub a b). -Instance array_sub_inst {ws : WORDSIZE} {len: nat} : Subtraction (nseq (@int ws) len) := { sub := array_join_map MachineIntegers.sub }. -Instance int_sub_inst {ws : WORDSIZE} : Subtraction (@int ws) := { sub a b := MachineIntegers.sub a b }. - -Class Multiplication A := mul : A -> A -> A. -Notation "a .* b" := (mul a b). -Instance array_mul_inst {ws : WORDSIZE} {len: nat} : Multiplication (nseq (@int ws) len) := { mul a b := a array_mul b }. -Instance int_mul_inst {ws : WORDSIZE} : Multiplication (@int ws) := { mul a b := MachineIntegers.mul a b }. - -Class Xor A := xor : A -> A -> A. -Notation "a .^ b" := (xor a b). - -Instance array_xor_inst {ws : WORDSIZE} {len: nat} : Xor (nseq (@int ws) len) := { xor a b := a array_xor b }. -Instance int_xor_inst {ws : WORDSIZE} : Xor (@int ws) := { xor a b := MachineIntegers.xor a b }. - -Definition new {A : Type} `{Default A} {len} : nseq A len := array_new_ default _. -Class array_or_seq A len := -{ as_seq : seq A ; as_nseq : nseq A len }. - -Arguments as_seq {_} {_} array_or_seq. -Arguments as_nseq {_} {_} array_or_seq. -Coercion as_seq : array_or_seq >-> seq. -Coercion as_nseq : array_or_seq >-> nseq. - -Instance nseq_array_or_seq {A len} (a : nseq A len) : array_or_seq A len := -{ as_seq := array_to_seq a ; as_nseq := a ; }. -Coercion nseq_array_or_seq : nseq >-> array_or_seq. - -Instance seq_array_or_seq {A} `{Default A} (a : seq A) : array_or_seq A (length a) := -{ as_seq := a ; as_nseq := array_from_seq _ a ; }. -Coercion seq_array_or_seq : seq >-> array_or_seq. - -Definition update {A : Type} `{Default A} {len slen} (s : nseq A len) {WS} (start : @int WS) (start_a : array_or_seq A slen) : nseq A len := -array_update (a := A) (len := len) s (unsigned start) (as_seq start_a). - -Definition to_le_U32s {A l} := array_to_le_uint32s (A := A) (l := l). -Axiom to_le_bytes : forall {ws : WORDSIZE} {len}, nseq (@int ws) len -> seq int8. -Definition from_seq {A : Type} `{Default A} {len slen} (s : array_or_seq A slen) : nseq A len := array_from_seq _ (as_seq s). - -Notation Seq_t := seq. -Notation len := (fun s => seq_len s : int32). - -Definition array_slice {a: Type} `{Default a} {len : nat} (input: nseq a len) {WS} (start: @int WS) (slice_len: @int WS) : seq a := slice (array_to_seq input) (unsigned start) (unsigned (start .+ slice_len)). -Notation slice := array_slice. -Definition seq_new {A: Type} `{Default A} {WS} (len: @int WS) : seq A := seq_new (unsigned len). -Notation new_seq := seq_new. -Notation num_exact_chunks := seq_num_exact_chunks. -Notation get_exact_chunk := seq_get_exact_chunk. -Definition set_chunk {a: Type} `{Default a} {len} (s: seq a) {WS} (chunk_len: @int WS) (chunk_num: @int WS) (chunk: array_or_seq a len) : seq a := seq_set_chunk s (unsigned chunk_len) (unsigned chunk_num) (as_seq chunk). -Definition set_exact_chunk {a} `{H : Default a} {len} s {WS} := @set_chunk a H len s WS. - Notation get_remainder_chunk := seq_get_remainder_chunk. -Notation "a <> b" := (negb (eqb a b)). - -Notation from_secret_literal := nat_mod_from_secret_literal. -Definition pow2 {m} (x : @int WORDSIZE32) := nat_mod_pow2 m (unsigned x). -Instance nat_mod_addition {n} : Addition (nat_mod n) := { add a b := a +% b }. -Instance nat_mod_subtraction {n} : Subtraction (nat_mod n) := { sub a b := a -% b }. -Instance nat_mod_multiplication {n} : Multiplication (nat_mod n) := { mul a b := a *% b }. -Definition from_slice {a: Type} `{Default a} {len slen} (x : array_or_seq a slen) {WS} (start: @int WS) (slice_len: @int WS) := array_from_slice default len (as_seq x) (unsigned start) (unsigned slice_len). -Notation zero := nat_mod_zero. -Notation to_byte_seq_le := nat_mod_to_byte_seq_le. -Notation U128_to_le_bytes := u128_to_le_bytes. -Notation U64_to_le_bytes := u64_to_le_bytes. - Notation from_byte_seq_le := nat_mod_from_byte_seq_le. -Definition from_literal {m} := nat_mod_from_literal m. -Notation inv := nat_mod_inv. -Notation update_start := array_update_start. -Notation pow := nat_mod_pow_self. -Notation bit := nat_mod_bit. - -Definition int_to_int {ws1 ws2} (i : @int ws1) : @int ws2 := repr (unsigned i). -Coercion int_to_int : int >-> int. -Notation push := seq_push. -Notation Build_secret := secret. -Notation "a -× b" := -(prod a b) (at level 80, right associativity) : hacspec_scope. -Notation Result_t := result. -Axiom TODO_name : Type. -Notation ONE := nat_mod_one. -Notation exp := nat_mod_exp. -Notation nat_mod := GZnZ.znz. -Instance nat_mod_znz_addition {n} : Addition (GZnZ.znz n) := { add a b := a +% b }. -Instance nat_mod_znz_subtraction {n} : Subtraction (GZnZ.znz n) := { sub a b := a -% b }. -Instance nat_mod_znz_multiplication {n} : Multiplication (GZnZ.znz n) := { mul a b := a *% b }. -Notation TWO := nat_mod_two. -Notation ne := (fun x y => negb (eqb x y)). -Notation eq := (eqb). -Notation rotate_right := (ror). -Notation to_be_U32s := array_to_be_uint32s. -Notation get_chunk := seq_get_chunk. -Notation num_chunks := seq_num_chunks. -Notation U64_to_be_bytes := uint64_to_be_bytes. -Notation to_be_bytes := array_to_be_bytes. -Notation U8_from_usize := uint8_from_usize. -Notation concat := seq_concat. -Notation declassify := id. -Notation U128_from_be_bytes := uint128_from_be_bytes. -Notation U128_to_be_bytes := uint128_to_be_bytes. -Notation slice_range := array_slice_range. -Notation truncate := seq_truncate. -Axiom array_to_be_uint64s : forall {A l}, nseq A l -> seq uint64. -Notation to_be_U64s := array_to_be_uint64s. -Notation classify := id. -Notation U64_from_U8 := uint64_from_uint8. -Fixpoint Build_Range_t (a b : nat) := (a,b). (* match (b - a)%nat with O => [] | S n => match b with | O => [] | S b' => Build_Range_t a b' ++ [b] end end. *) -Notation declassify_eq := eq. -Notation String_t := String.string. -(** end of: Should be moved to Hacspec_Lib.v **) +(* Definition int_xI {WS : WORDSIZE} (a : int) : int := MachineIntegers.add (MachineIntegers.mul a (repr 2)) MachineIntegers.one. *) +(* Definition int_xO {WS : WORDSIZE} (a : int) : int := MachineIntegers.mul a (repr 2). *) +(* Number Notation int Pos.of_num_int Pos.to_num_int (via positive mapping [[int_xI] => xI, [int_xO] => xO , [MachineIntegers.one] => xH]) : hacspec_scope. *) +(* Notation "0" := (repr O). *) +(* Notation U8_t := int8. *) +(* Notation U8 := id. *) +(* Notation U16_t := int16. *) +(* Notation U16 := id. *) +(* Notation U32_t := int32. *) +(* Notation U32 := id. *) +(* Notation U64_t := int64. *) +(* Notation U64 := id. *) +(* Notation U128_t := int128. *) +(* Notation U128 := id. *) + +(* Definition array_index {A: Type} `{Default A} {len : nat} (s: nseq A len) {WS} (i : @int WS) := array_index s (unsigned i). *) +(* Notation " x .[ a ]" := (array_index x a) (at level 40). *) +(* Definition array_upd {A: Type} {len : nat} (s: nseq A len) {WS} (i: @int WS) (new_v: A) : nseq A len := array_upd s (unsigned i) new_v. *) +(* Notation " x .[ i ]<- a" := (array_upd x i a) (at level 40). *) + +(* Class Addition A := add : A -> A -> A. *) +(* Notation "a .+ b" := (add a b). *) +(* Instance array_add_inst {ws : WORDSIZE} {len: nat} : Addition (nseq (@int ws) len) := { add a b := a array_add b }. *) +(* Instance int_add_inst {ws : WORDSIZE} : Addition (@int ws) := { add a b := MachineIntegers.add a b }. *) + +(* Class Subtraction A := sub : A -> A -> A. *) +(* Notation "a .- b" := (sub a b). *) +(* Instance array_sub_inst {ws : WORDSIZE} {len: nat} : Subtraction (nseq (@int ws) len) := { sub := array_join_map MachineIntegers.sub }. *) +(* Instance int_sub_inst {ws : WORDSIZE} : Subtraction (@int ws) := { sub a b := MachineIntegers.sub a b }. *) + +(* Class Multiplication A := mul : A -> A -> A. *) +(* Notation "a .* b" := (mul a b). *) +(* Instance array_mul_inst {ws : WORDSIZE} {len: nat} : Multiplication (nseq (@int ws) len) := { mul a b := a array_mul b }. *) +(* Instance int_mul_inst {ws : WORDSIZE} : Multiplication (@int ws) := { mul a b := MachineIntegers.mul a b }. *) + +(* Class Xor A := xor : A -> A -> A. *) +(* Notation "a .^ b" := (xor a b). *) + +(* Instance array_xor_inst {ws : WORDSIZE} {len: nat} : Xor (nseq (@int ws) len) := { xor a b := a array_xor b }. *) +(* Instance int_xor_inst {ws : WORDSIZE} : Xor (@int ws) := { xor a b := MachineIntegers.xor a b }. *) + +(* Definition new {A : Type} `{Default A} {len} : nseq A len := array_new_ default _. *) +(* Class array_or_seq A len := *) +(* { as_seq : seq A ; as_nseq : nseq A len }. *) + +(* Arguments as_seq {_} {_} array_or_seq. *) +(* Arguments as_nseq {_} {_} array_or_seq. *) +(* Coercion as_seq : array_or_seq >-> seq. *) +(* Coercion as_nseq : array_or_seq >-> nseq. *) + +(* Instance nseq_array_or_seq {A len} (a : nseq A len) : array_or_seq A len := *) +(* { as_seq := array_to_seq a ; as_nseq := a ; }. *) +(* Coercion nseq_array_or_seq : nseq >-> array_or_seq. *) + +(* Instance seq_array_or_seq {A} `{Default A} (a : seq A) : array_or_seq A (length a) := *) +(* { as_seq := a ; as_nseq := array_from_seq _ a ; }. *) +(* Coercion seq_array_or_seq : seq >-> array_or_seq. *) + +(* Definition update {A : Type} `{Default A} {len slen} (s : nseq A len) {WS} (start : @int WS) (start_a : array_or_seq A slen) : nseq A len := *) +(* array_update (a := A) (len := len) s (unsigned start) (as_seq start_a). *) + +(* Definition to_le_U32s {A l} := array_to_le_uint32s (A := A) (l := l). *) +(* Axiom to_le_bytes : forall {ws : WORDSIZE} {len}, nseq (@int ws) len -> seq int8. *) +(* Definition from_seq {A : Type} `{Default A} {len slen} (s : array_or_seq A slen) : nseq A len := array_from_seq _ (as_seq s). *) + +(* Notation Seq_t := seq. *) +(* Notation len := (fun s => seq_len s : int32). *) + +(* Definition array_slice {a: Type} `{Default a} {len : nat} (input: nseq a len) {WS} (start: @int WS) (slice_len: @int WS) : seq a := slice (array_to_seq input) (unsigned start) (unsigned (start .+ slice_len)). *) +(* Notation slice := array_slice. *) +(* Definition seq_new {A: Type} `{Default A} {WS} (len: @int WS) : seq A := seq_new (unsigned len). *) +(* Notation new_seq := seq_new. *) +(* Notation num_exact_chunks := seq_num_exact_chunks. *) +(* Notation get_exact_chunk := seq_get_exact_chunk. *) +(* Definition set_chunk {a: Type} `{Default a} {len} (s: seq a) {WS} (chunk_len: @int WS) (chunk_num: @int WS) (chunk: array_or_seq a len) : seq a := seq_set_chunk s (unsigned chunk_len) (unsigned chunk_num) (as_seq chunk). *) +(* Definition set_exact_chunk {a} `{H : Default a} {len} s {WS} := @set_chunk a H len s WS. *) +(* Notation get_remainder_chunk := seq_get_remainder_chunk. *) +(* Notation "a <> b" := (negb (eqb a b)). *) + +(* Notation from_secret_literal := nat_mod_from_secret_literal. *) +(* Definition pow2 {m} (x : @int WORDSIZE32) := nat_mod_pow2 m (unsigned x). *) +(* Instance nat_mod_addition {n} : Addition (nat_mod n) := { add a b := a +% b }. *) +(* Instance nat_mod_subtraction {n} : Subtraction (nat_mod n) := { sub a b := a -% b }. *) +(* Instance nat_mod_multiplication {n} : Multiplication (nat_mod n) := { mul a b := a *% b }. *) +(* Definition from_slice {a: Type} `{Default a} {len slen} (x : array_or_seq a slen) {WS} (start: @int WS) (slice_len: @int WS) := array_from_slice default len (as_seq x) (unsigned start) (unsigned slice_len). *) +(* Notation zero := nat_mod_zero. *) +(* Notation to_byte_seq_le := nat_mod_to_byte_seq_le. *) +(* Notation U128_to_le_bytes := u128_to_le_bytes. *) +(* Notation U64_to_le_bytes := u64_to_le_bytes. *) +(* Notation from_byte_seq_le := nat_mod_from_byte_seq_le. *) +(* Definition from_literal {m} := nat_mod_from_literal m. *) +(* Notation inv := nat_mod_inv. *) +(* Notation update_start := array_update_start. *) +(* Notation pow := nat_mod_pow_self. *) +(* Notation bit := nat_mod_bit. *) + +(* Definition int_to_int {ws1 ws2} (i : @int ws1) : @int ws2 := repr (unsigned i). *) +(* Coercion int_to_int : int >-> int. *) +(* Notation push := seq_push. *) +(* Notation Build_secret := secret. *) +(* Notation "a -× b" := *) +(* (prod a b) (at level 80, right associativity) : hacspec_scope. *) +(* Notation Result_t := result. *) +(* Axiom TODO_name : Type. *) +(* Notation ONE := nat_mod_one. *) +(* Notation exp := nat_mod_exp. *) +(* Notation nat_mod := GZnZ.znz. *) +(* Instance nat_mod_znz_addition {n} : Addition (GZnZ.znz n) := { add a b := a +% b }. *) +(* Instance nat_mod_znz_subtraction {n} : Subtraction (GZnZ.znz n) := { sub a b := a -% b }. *) +(* Instance nat_mod_znz_multiplication {n} : Multiplication (GZnZ.znz n) := { mul a b := a *% b }. *) +(* Notation TWO := nat_mod_two. *) +(* Notation ne := (fun x y => negb (eqb x y)). *) +(* Notation eq := (eqb). *) +(* Notation rotate_right := (ror). *) +(* Notation to_be_U32s := array_to_be_uint32s. *) +(* Notation get_chunk := seq_get_chunk. *) +(* Notation num_chunks := seq_num_chunks. *) +(* Notation U64_to_be_bytes := uint64_to_be_bytes. *) +(* Notation to_be_bytes := array_to_be_bytes. *) +(* Notation U8_from_usize := uint8_from_usize. *) +(* Notation concat := seq_concat. *) +(* Notation declassify := id. *) +(* Notation U128_from_be_bytes := uint128_from_be_bytes. *) +(* Notation U128_to_be_bytes := uint128_to_be_bytes. *) +(* Notation slice_range := array_slice_range. *) +(* Notation truncate := seq_truncate. *) +(* Axiom array_to_be_uint64s : forall {A l}, nseq A l -> seq uint64. *) +(* Notation to_be_U64s := array_to_be_uint64s. *) +(* Notation classify := id. *) +(* Notation U64_from_U8 := uint64_from_uint8. *) +(* Fixpoint Build_Range_t (a b : nat) := (a,b). (* match (b - a)%nat with O => [] | S n => match b with | O => [] | S b' => Build_Range_t a b' ++ [b] end end. *) *) +(* Notation declassify_eq := eq. *) +(* Notation String_t := String.string. *) +(* (** end of: Should be moved to Hacspec_Lib.v **) *) diff --git a/proof-libs/coq/coq/src/QuickChickLib.v b/proof-libs/coq/coq/src/QuickChickLib.v index 55e6dc8f3..b4853e718 100644 --- a/proof-libs/coq/coq/src/QuickChickLib.v +++ b/proof-libs/coq/coq/src/QuickChickLib.v @@ -1,11 +1,12 @@ -Require Import Hacspec_Lib MachineIntegers. +From compcert Require Import Integers. From Coq Require Import ZArith. Import List.ListNotations. Open Scope Z_scope. Open Scope bool_scope. -Open Scope hacspec_scope. From QuickChick Require Import QuickChick. Require Import Coq.Lists.List. +From Hacspec Require Import Hacspec_Lib. +Open Scope hacspec_scope. #[global] Instance show_unit : Show (unit) := Build_Show (unit) (fun _ => "tt"%string). Definition g_unit : G (unit) := returnGen tt. @@ -14,19 +15,19 @@ Definition g_unit : G (unit) := returnGen tt. #[global] Instance show_int8 : Show (int8) := Build_Show (int8) (fun x => show (int8_to_nat x)). Definition g_int8 : G (int8) := - bindGen (* arbitrary *) (choose (0,1000)) (fun x => returnGen (pub_u8 x)). + bindGen (* arbitrary *) (choose (0,1000)) (fun x => returnGen (Int8.repr x)). #[global] Instance gen_int8 : Gen (int8) := Build_Gen int8 g_int8. #[global] Instance show_int32 : Show (int32) := Build_Show (int32) (fun x => show (int32_to_nat x)). Definition g_int32 : G (int32) := (* restricted *) - bindGen (choose (0,1000)) (fun x => returnGen (pub_u32 x)). + bindGen (choose (0,1000)) (fun x => returnGen (Int32.repr x)). #[global] Instance gen_int32 : Gen (int32) := Build_Gen int32 g_int32. #[global] Instance show_int64 : Show (int64) := Build_Show (int64) (fun x => show (int64_to_nat x)). Definition g_int64 : G (int64) := - bindGen (* arbitrary *) (choose (0,1000)) (fun x => returnGen (pub_u64 x)). + bindGen (* arbitrary *) (choose (0,1000)) (fun x => returnGen (Int64.repr x)). #[global] Instance gen_int64 : Gen (int64) := Build_Gen int64 g_int64. #[global] Instance show_uint_size : Show (uint_size) := @@ -72,8 +73,8 @@ Proof. Defined. Definition g_nseq {A} `{Gen A} n : G (nseq A n). (* (usize *) intros. - apply (bindGen' (g_listOf_aux (arbitrary : G A) n)). - intros l sem. + apply (bindGen (g_listOf_aux (arbitrary : G A) n)). + intros l. apply returnGen. destruct l. diff --git a/proof-libs/coq/coq/src/dune b/proof-libs/coq/coq/src/dune index ecc1a1daa..d135007e3 100644 --- a/proof-libs/coq/coq/src/dune +++ b/proof-libs/coq/coq/src/dune @@ -3,8 +3,10 @@ (package coq-hacspec) (flags -w all) (theories + Flocq compcert - Equations + QuickChick mathcomp.ssreflect elpi HB ExtLib SimpleIO + Coqprime ) ; (libraries ) ) From 1885966778d5cc49ed684ecce88748bb373e648d Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Tue, 9 Apr 2024 18:58:42 +0200 Subject: [PATCH 10/12] fmt --- engine/backends/coq/coq/coq_backend.ml | 31 +++++++++++--------------- engine/backends/coq/coq_ast.ml | 10 +++++++-- 2 files changed, 21 insertions(+), 20 deletions(-) diff --git a/engine/backends/coq/coq/coq_backend.ml b/engine/backends/coq/coq/coq_backend.ml index 783ba5f82..a7008b9d6 100644 --- a/engine/backends/coq/coq/coq_backend.ml +++ b/engine/backends/coq/coq/coq_backend.ml @@ -73,7 +73,7 @@ open AST module CoqLibrary : Library = struct module Notation = struct let int_repr (x : string) (i : string) : string = - "(Int"^x^".repr" ^ " " ^ i ^ ")" + "(Int" ^ x ^ ".repr" ^ " " ^ i ^ ")" let type_str : string = "Type" let bool_str : string = "bool" @@ -173,8 +173,7 @@ struct | TApp { ident = `TupleType n; args } when n >= 2 -> C.AST.Product (args_ty span args) | TApp { ident; args } -> - C.AST.AppTy - (C.AST.NameTy (pglobal_ident ident), args_ty span args) + C.AST.AppTy (C.AST.NameTy (pglobal_ident ident), args_ty span args) | TArrow (inputs, output) -> List.fold_right ~init:(pty span output) ~f:(fun x y -> C.AST.Arrow (x, y)) @@ -390,9 +389,7 @@ struct | TyAlias { name; ty; _ } -> [ C.AST.Notation - ( "'" ^ pconcrete_ident name ^ "'", - C.AST.Type (pty span ty), - None ); + ("'" ^ pconcrete_ident name ^ "'", C.AST.Type (pty span ty), None); ] (* record *) | Type { name; generics; variants = [ v ]; is_struct = true } -> @@ -454,8 +451,7 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.type_name), - C.AST.NameTy (o.type_name) ) ); + (C.AST.NameTy o.type_name, C.AST.NameTy o.type_name) ); ] | "bytes" -> let open Hacspeclib_macro_parser in @@ -475,8 +471,8 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.bytes_name), - C.AST.NameTy (o.bytes_name) ) ); + (C.AST.NameTy o.bytes_name, C.AST.NameTy o.bytes_name) + ); ] | "unsigned_public_integer" -> let open Hacspeclib_macro_parser in @@ -496,8 +492,8 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.integer_name), - C.AST.NameTy (o.integer_name) ) ); + ( C.AST.NameTy o.integer_name, + C.AST.NameTy o.integer_name ) ); ] | "public_bytes" -> let open Hacspeclib_macro_parser in @@ -510,15 +506,14 @@ struct (* int_of_string *) o.size ) in [ - C.AST.Notation - ("'" ^ o.bytes_name ^ "'", C.AST.Type typ, None); + C.AST.Notation ("'" ^ o.bytes_name ^ "'", C.AST.Type typ, None); C.AST.Definition ( o.bytes_name, [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.bytes_name), - C.AST.NameTy (o.bytes_name) ) ); + (C.AST.NameTy o.bytes_name, C.AST.NameTy o.bytes_name) + ); ] | "array" -> let open Hacspeclib_macro_parser in @@ -552,8 +547,8 @@ struct [], C.AST.Var "id", C.AST.Arrow - ( C.AST.NameTy (o.array_name), - C.AST.NameTy (o.array_name) ) ); + (C.AST.NameTy o.array_name, C.AST.NameTy o.array_name) + ); ] | _ -> unsupported ()) | _ -> unsupported ()) diff --git a/engine/backends/coq/coq_ast.ml b/engine/backends/coq/coq_ast.ml index d062bfa72..84fb0ab0c 100644 --- a/engine/backends/coq/coq_ast.ml +++ b/engine/backends/coq/coq_ast.ml @@ -304,8 +304,14 @@ functor let rec term_to_string (x : AST.term) depth : string * bool = match x with | AST.UnitTerm -> ("tt", false) - | AST.Let { pattern = AST.AscriptionPat (pat, _) | pat; value = bind; value_typ = typ; body = term; _ } - -> + | AST.Let + { + pattern = AST.AscriptionPat (pat, _) | pat; + value = bind; + value_typ = typ; + body = term; + _; + } -> (* TODO: propegate type definition *) let var_str = pat_to_string pat true depth in let expr_str = term_to_string_without_paren bind (depth + 1) in From 20faeb3aaf7e96d6deb5120bf312669fdced8c96 Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Tue, 9 Apr 2024 19:05:56 +0200 Subject: [PATCH 11/12] add file --- .github/coq-errors.json | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/coq-errors.json diff --git a/.github/coq-errors.json b/.github/coq-errors.json new file mode 100644 index 000000000..a52d73e5e --- /dev/null +++ b/.github/coq-errors.json @@ -0,0 +1,20 @@ +{ + "problemMatcher": [ + { + "owner": "coq", + "pattern": [ + { + "regexp": "^File \"([^\"].*)\", line (\\d+), characters (\\d+)-(\\d+):$", + "file": 1, + "line": 2, + "column": 3 + }, + { + "regexp": "^(Error|Warning): (.*)$", + "severity": 1, + "message": 2 + } + ] + } + ] +} From 2c468cad3afc90472efe4f0e00523913004e8f5a Mon Sep 17 00:00:00 2001 From: Lasse Letager Hansen Date: Mon, 7 Oct 2024 20:52:43 +0200 Subject: [PATCH 12/12] Fixing backend --- engine/backends/coq/coq/coq_backend.ml | 63 ++++++++++++++------------ engine/backends/coq/coq_ast.ml | 13 +++--- hax-lib-macros/src/lib.rs | 21 +++++++++ hax-lib/src/proc_macros.rs | 2 +- 4 files changed, 64 insertions(+), 35 deletions(-) diff --git a/engine/backends/coq/coq/coq_backend.ml b/engine/backends/coq/coq/coq_backend.ml index a7008b9d6..64ca727fd 100644 --- a/engine/backends/coq/coq/coq_backend.ml +++ b/engine/backends/coq/coq/coq_backend.ml @@ -106,17 +106,17 @@ struct id.definition else (* id.crate ^ "_" ^ *) - (* List.fold_left ~init:"" ~f:(fun x y -> x ^ "_" ^ y) *) + (* List.fold_left ~init:"" ~f:(fun x y -> x ^ "_" ^ y) id.path ^ *) id.definition let pglobal_ident (id : global_ident) : string = match id with - | `Projector (`Concrete cid) | `Concrete cid -> pconcrete_ident cid + | `Concrete cid -> pconcrete_ident cid + | `Projector (`Concrete cid) -> pconcrete_ident cid ^ "_ci" | `Primitive p_id -> primitive_to_string p_id | `TupleType _i -> "TODO (global ident) tuple type" | `TupleCons _i -> "TODO (global ident) tuple cons" - | `Projector (`TupleField _) | `TupleField _ -> - "TODO (global ident) tuple field" + | `Projector (`TupleField _) | `TupleField _ -> "TODO (global ident) tuple field" | _ -> . module TODOs_debug = struct @@ -167,7 +167,7 @@ struct | TBool -> C.AST.Bool | TChar -> __TODO_ty__ span "char" | TInt k -> C.AST.Int (pint_kind k) - | TStr -> __TODO_ty__ span "str" + | TStr -> C.AST.NameTy "string" | TApp { ident = `TupleType 0; args = [] } -> C.AST.Unit | TApp { ident = `TupleType 1; args = [ GType ty ] } -> pty span ty | TApp { ident = `TupleType n; args } when n >= 2 -> @@ -183,7 +183,11 @@ struct C.AST.ArrayTy (pty span typ, "TODO: Int.to_string length") | TSlice { ty; _ } -> C.AST.SliceTy (pty span ty) | TParam i -> C.AST.NameTy i.name - | TAssociatedType _ -> C.AST.WildTy + | TAssociatedType { impl = Self; item } -> C.AST.NameTy (U.Concrete_ident_view.to_definition_name item) + | TAssociatedType { impl = Dyn; item } -> __TODO_ty__ span "pty: Dyn" + | TAssociatedType { impl = Concrete _; item } -> __TODO_ty__ span "pty: Concrete" + | TAssociatedType { impl = LocalBound _; item } -> __TODO_ty__ span "pty: LocalBound" + | TAssociatedType { impl = goal; item } -> __TODO_ty__ span "pty: LocalBound" | TOpaque _ -> __TODO_ty__ span "pty: TAssociatedType/TOpaque" | _ -> . @@ -194,7 +198,7 @@ struct (match arg with | GLifetime _ -> __TODO_ty__ span "lifetime" | GType x -> pty span x - | GConst _ -> __TODO_ty__ span "const") + | GConst { typ } -> pty span typ) :: args_ty span xs | [] -> [] @@ -254,6 +258,7 @@ struct (c Core__ops__arith__Rem__rem, (2, [ ""; ".%"; "" ])); (c Core__ops__bit__Shl__shl, (2, [ ""; " shift_left "; "" ])); (c Core__ops__bit__Shr__shr, (2, [ ""; " shift_right "; "" ])); + (c Core__ops__bit__Not__not, (1, [ " negb "; "" ])); (* TODO: those two are not notations/operators at all, right? *) (* (c "secret_integers::rotate_left", (2, [ "rol "; " "; "" ])); *) (* (c "hacspec::lib::foldi", (4, [ "foldi "; " "; " "; " "; "" ])); *) @@ -275,7 +280,7 @@ struct let span = e.span in match e.e with | Literal l -> C.AST.Const (pliteral e.span l) - | LocalVar local_ident -> C.AST.NameTerm local_ident.name + | LocalVar local_ident -> C.AST.NameTerm (local_ident.name) | GlobalVar (`TupleCons 0) | Construct { constructor = `TupleCons 0; fields = []; _ } -> C.AST.UnitTerm @@ -297,8 +302,8 @@ struct (* __TODO_term__ span "GLOBAL APP?" *) | App { f; args; _ } -> let base = pexpr f in - let args = List.map ~f:pexpr args in - C.AST.App (base, args) + let args = List.map ~f:(fun x -> C.AST.TypedTerm (pexpr x, pty span x.typ)) args in + C.AST.TypedTerm (C.AST.App (base, args), pty span e.typ) | If { cond; then_; else_ } -> C.AST.If ( pexpr cond, @@ -340,8 +345,8 @@ struct | Construct { is_record = true; constructor; fields; _ } -> (* TODO: handle base *) C.AST.RecordConstructor - ( pglobal_ident constructor, - List.map ~f:(fun (f, e) -> (pglobal_ident f, pexpr e)) fields ) + ( "t_" ^ pglobal_ident constructor, + List.map ~f:(fun (f, e) -> (pglobal_ident constructor, pexpr e)) fields ) | Construct { is_record = false; constructor; fields = [ (_f, e) ]; _ } -> C.AST.App (C.AST.Var (pglobal_ident constructor), [ pexpr e ]) | Construct { constructor; _ } -> @@ -392,15 +397,13 @@ struct ("'" ^ pconcrete_ident name ^ "'", C.AST.Type (pty span ty), None); ] (* record *) - | Type { name; generics; variants = [ v ]; is_struct = true } -> + | Type { name; generics; variants = [ { arguments; is_record = true; _ } ]; is_struct = true } -> [ (* TODO: generics *) C.AST.Record ( U.Concrete_ident_view.to_definition_name name, List.map ~f:(pgeneric_param_as_argument span) generics.params, - List.map - ~f:(fun (x, y) -> C.AST.Named (x, y)) - (p_record_record span v.arguments) ); + List.map ~f:(fun (x, y) -> C.AST.Named (U.Concrete_ident_view.to_definition_name name ^ "_" ^ x, y)) (p_record_record span arguments) ); ] (* enum *) | Type { name; generics; variants; _ } -> @@ -573,7 +576,13 @@ struct match x.ti_v with | TIFn fn_ty -> pty span fn_ty | TIDefault _ -> . - | _ -> __TODO_ty__ span "field_ty" )) + | TIType impl_list -> + C.AST.TypeTy + (* C.AST.Product *) + (* (List.map *) + (* ~f:(fun { goal = { trait; args }; name } -> C.AST.NameTy (U.Concrete_ident_view.to_definition_name trait)) *) + (* impl_list) *) + )) items ); ] | Impl { generics; self_ty; of_trait = name, gen_vals; items } -> @@ -583,26 +592,24 @@ struct List.map ~f:(pgeneric_param_as_argument span) generics.params, pty span self_ty, args_ty span gen_vals, - List.map - ~f:(fun x -> - match x.ii_v with + List.fold_left ~init:[] + ~f:(fun y x -> + y @ (match x.ii_v with | IIFn { body; params } -> - ( U.Concrete_ident_view.to_definition_name x.ii_ident, + [( U.Concrete_ident_view.to_definition_name x.ii_ident, List.map ~f:(fun { pat; typ; _ } -> C.AST.Explicit (ppat pat, pty span typ)) params, pexpr body, - pty span body.typ ) - | _ -> - ( "todo_name", - [], - __TODO_term__ span "body", - __TODO_ty__ span "typ" )) + pty span body.typ )] + | IIType { typ; parent_bounds } -> + [] (* TODO: Is this just Self? *))) items ); ] + | _ -> . - and p_inductive span variants _parrent_name : C.AST.inductive_case list = + and p_inductive span variants parrent_name : C.AST.inductive_case list = List.map variants ~f:(fun { name; arguments; is_record; _ } -> if is_record then C.AST.InductiveCase diff --git a/engine/backends/coq/coq_ast.ml b/engine/backends/coq/coq_ast.ml index 84fb0ab0c..5e0b8f7e4 100644 --- a/engine/backends/coq/coq_ast.ml +++ b/engine/backends/coq/coq_ast.ml @@ -163,15 +163,15 @@ functor | AST.Product [] | AST.Unit -> (Lib.Notation.unit_str, false (* TODO: might need paren *)) | AST.TypeTy -> (Lib.Notation.type_str, false (* TODO: might need paren *)) - | AST.Int { size = AST.USize; _ } -> ("uint_size", false) - | AST.Int { size; _ } -> ("int" ^ int_size_to_string size, false) + | AST.Int { size = AST.USize; _ } -> ("t_usize", false) + | AST.Int { size; _ } -> ("t_u" ^ int_size_to_string size, false) | AST.NameTy s -> (s, false) | AST.RecordTy (name, _fields) -> (* [ AST.Record (name, fields) ] *) (name, false) | AST.Product l -> let ty_str = String.concat - ~sep:(" " ^ "×" ^ " ") + ~sep:(" " ^ "*" ^ " ") (* TODO, notations differ for SSProve '×' *) (List.map ~f:ty_to_string_without_paren l) in (ty_str, true) @@ -297,7 +297,7 @@ functor ^ ")" (* TODO: Should this be true of false? *) | AST.DisjunctivePat pats -> let f pat = pat_to_string pat true depth in - String.concat ~sep:" | " @@ List.map ~f pats + "(" ^ (String.concat ~sep:" | " @@ List.map ~f pats) ^ ")" and tick_if is_top_expr = if is_top_expr then "'" else "" @@ -370,8 +370,8 @@ functor ^ (if List.length args > 0 then " " else "") ^ String.concat ~sep:" " (List.map - ~f:(fun (n, t) -> - "(" ^ n ^ " " ^ ":=" ^ " " + ~f:(fun (_n, t) -> + "(" (* ^ n ^ " " ^ ":=" *) ^ " " ^ term_to_string_without_paren t depth ^ ")") args), @@ -423,6 +423,7 @@ functor ^ "]", true ) | AST.Array [] -> ("!TODO empty array!", false) + | AST.TypedTerm (AST.TypedTerm (e, t), _) -> term_to_string (AST.TypedTerm (e, t)) depth | AST.TypedTerm (e, t) -> ( term_to_string_without_paren e depth ^ " " ^ ":" ^ " " ^ ty_to_string_with_paren t, diff --git a/hax-lib-macros/src/lib.rs b/hax-lib-macros/src/lib.rs index 22261bf84..e81913c09 100644 --- a/hax-lib-macros/src/lib.rs +++ b/hax-lib-macros/src/lib.rs @@ -382,6 +382,27 @@ pub fn ensures(attr: pm::TokenStream, item: pm::TokenStream) -> pm::TokenStream .into() } +/// Exclude this item from the Hax translation. +#[proc_macro_error] +#[proc_macro_attribute] +pub fn interface(attr: pm::TokenStream, item: pm::TokenStream) -> pm::TokenStream { + let item: ItemFn = parse_macro_input!(item); + let ItemFn { + // The function signature + sig, + // The visibility specifier of this function + vis, + // The function block or body + block, + // Other attributes applied to this function + attrs, + } = item.clone(); + + quote! { + #(#attrs)* #vis #sig { todo!() } + }.into() +} + mod kw { syn::custom_keyword!(hax_lib); syn::custom_keyword!(decreases); diff --git a/hax-lib/src/proc_macros.rs b/hax-lib/src/proc_macros.rs index 866c7cfda..e5cf39666 100644 --- a/hax-lib/src/proc_macros.rs +++ b/hax-lib/src/proc_macros.rs @@ -2,7 +2,7 @@ //! proc-macro crate cannot export anything but procedural macros. pub use hax_lib_macros::{ - attributes, ensures, exclude, impl_fn_decoration, include, lemma, loop_invariant, opaque_type, + attributes, ensures, exclude, impl_fn_decoration, include, interface, lemma, loop_invariant, opaque_type, refinement_type, requires, trait_fn_decoration, };