From dc0a0f90c29d903b63ba450815dff21510d14047 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 20 May 2024 18:16:47 +0200 Subject: [PATCH 1/7] add dummy intrinsics file for extraction of avx2 --- polynomials-avx2/src/arithmetic.rs | 26 +- polynomials-avx2/src/compress.rs | 14 +- polynomials-avx2/src/intrinsics.rs | 3 + polynomials-avx2/src/intrinsics_extraction.rs | 300 ++++++++++++++++++ polynomials-avx2/src/lib.rs | 11 +- polynomials-avx2/src/ntt.rs | 26 +- polynomials-avx2/src/sampling.rs | 6 +- polynomials-avx2/src/serialize.rs | 28 +- 8 files changed, 361 insertions(+), 53 deletions(-) create mode 100644 polynomials-avx2/src/intrinsics_extraction.rs diff --git a/polynomials-avx2/src/arithmetic.rs b/polynomials-avx2/src/arithmetic.rs index e84e34211..fca9c36a7 100644 --- a/polynomials-avx2/src/arithmetic.rs +++ b/polynomials-avx2/src/arithmetic.rs @@ -1,38 +1,38 @@ -use crate::intrinsics::*; +use crate::*; use libcrux_traits::{FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R}; #[inline(always)] -pub(crate) fn add(lhs: __m256i, rhs: __m256i) -> __m256i { +pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 { mm256_add_epi16(lhs, rhs) } #[inline(always)] -pub(crate) fn sub(lhs: __m256i, rhs: __m256i) -> __m256i { +pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 { mm256_sub_epi16(lhs, rhs) } #[inline(always)] -pub(crate) fn multiply_by_constant(vector: __m256i, constant: i16) -> __m256i { +pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { mm256_mullo_epi16(vector, mm256_set1_epi16(constant)) } #[inline(always)] -pub(crate) fn bitwise_and_with_constant(vector: __m256i, constant: i16) -> __m256i { +pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 { mm256_and_si256(vector, mm256_set1_epi16(constant)) } #[inline(always)] -pub(crate) fn shift_right(vector: __m256i) -> __m256i { +pub(crate) fn shift_right(vector: Vec256) -> Vec256 { mm256_srai_epi16::<{ SHIFT_BY }>(vector) } #[inline(always)] -pub(crate) fn shift_left(vector: __m256i) -> __m256i { +pub(crate) fn shift_left(vector: Vec256) -> Vec256 { mm256_slli_epi16::<{ SHIFT_BY }>(vector) } #[inline(always)] -pub(crate) fn cond_subtract_3329(vector: __m256i) -> __m256i { +pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); // Compute v_i - Q and crate a mask from the sign bit of each of these @@ -50,7 +50,7 @@ const BARRETT_MULTIPLIER: i16 = 20159; /// See Section 3.2 of the implementation notes document for an explanation /// of this code. #[inline(always)] -pub(crate) fn barrett_reduce(vector: __m256i) -> __m256i { +pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { let t = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); let t = mm256_add_epi16(t, mm256_set1_epi16(512)); @@ -62,7 +62,7 @@ pub(crate) fn barrett_reduce(vector: __m256i) -> __m256i { } #[inline(always)] -pub(crate) fn montgomery_multiply_by_constant(vector: __m256i, constant: i16) -> __m256i { +pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { let constant = mm256_set1_epi16(constant); let value_low = mm256_mullo_epi16(vector, constant); @@ -78,7 +78,7 @@ pub(crate) fn montgomery_multiply_by_constant(vector: __m256i, constant: i16) -> } #[inline(always)] -pub(crate) fn montgomery_multiply_by_constants(v: __m256i, c: __m256i) -> __m256i { +pub(crate) fn montgomery_multiply_by_constants(v: Vec256, c: Vec256) -> Vec256 { let value_low = mm256_mullo_epi16(v, c); let k = mm256_mullo_epi16( @@ -93,7 +93,7 @@ pub(crate) fn montgomery_multiply_by_constants(v: __m256i, c: __m256i) -> __m256 } #[inline(always)] -pub(crate) fn montgomery_reduce_i32s(v: __m256i) -> __m256i { +pub(crate) fn montgomery_reduce_i32s(v: Vec256) -> Vec256 { let k = mm256_mullo_epi16( v, mm256_set1_epi32(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32), @@ -110,7 +110,7 @@ pub(crate) fn montgomery_reduce_i32s(v: __m256i) -> __m256i { } #[inline(always)] -pub(crate) fn montgomery_multiply_m128i_by_constants(v: __m128i, c: __m128i) -> __m128i { +pub(crate) fn montgomery_multiply_m128i_by_constants(v: Vec128, c: Vec128) -> Vec128 { let value_low = mm_mullo_epi16(v, c); let k = mm_mullo_epi16( diff --git a/polynomials-avx2/src/compress.rs b/polynomials-avx2/src/compress.rs index 4dcf7f326..1c3d106a7 100644 --- a/polynomials-avx2/src/compress.rs +++ b/polynomials-avx2/src/compress.rs @@ -1,4 +1,4 @@ -use crate::intrinsics::*; +use crate::*; use libcrux_traits::FIELD_MODULUS; // Multiply the 32-bit numbers contained in |lhs| and |rhs|, and store only @@ -8,7 +8,7 @@ use libcrux_traits::FIELD_MODULUS; // // TODO: Optimize this implementation if performance numbers suggest doing so. #[inline(always)] -fn mulhi_mm256_epi32(lhs: __m256i, rhs: __m256i) -> __m256i { +fn mulhi_mm256_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { let prod02 = mm256_mul_epu32(lhs, rhs); let prod13 = mm256_mul_epu32( mm256_shuffle_epi32::<0b11_11_01_01>(lhs), @@ -22,7 +22,7 @@ fn mulhi_mm256_epi32(lhs: __m256i, rhs: __m256i) -> __m256i { } #[inline(always)] -pub(crate) fn compress_message_coefficient(vector: __m256i) -> __m256i { +pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 { let field_modulus_halved = mm256_set1_epi16((FIELD_MODULUS - 1) / 2); let field_modulus_quartered = mm256_set1_epi16((FIELD_MODULUS - 1) / 4); @@ -38,8 +38,8 @@ pub(crate) fn compress_message_coefficient(vector: __m256i) -> __m256i { #[inline(always)] pub(crate) fn compress_ciphertext_coefficient( - vector: __m256i, -) -> __m256i { + vector: Vec256, +) -> Vec256 { let field_modulus_halved = mm256_set1_epi32(((FIELD_MODULUS as i32) - 1) / 2); let compression_factor = mm256_set1_epi32(10_321_340); let coefficient_bits_mask = mm256_set1_epi32((1 << COEFFICIENT_BITS) - 1); @@ -103,8 +103,8 @@ pub(crate) fn compress_ciphertext_coefficient( #[inline(always)] pub(crate) fn decompress_ciphertext_coefficient( - vector: __m256i, -) -> __m256i { + vector: Vec256, +) -> Vec256 { let field_modulus = mm256_set1_epi32(FIELD_MODULUS as i32); let two_pow_coefficient_bits = mm256_set1_epi32(1 << COEFFICIENT_BITS); diff --git a/polynomials-avx2/src/intrinsics.rs b/polynomials-avx2/src/intrinsics.rs index 071f13ddd..83ba39995 100644 --- a/polynomials-avx2/src/intrinsics.rs +++ b/polynomials-avx2/src/intrinsics.rs @@ -3,6 +3,9 @@ pub(crate) use core::arch::x86::*; #[cfg(target_arch = "x86_64")] pub(crate) use core::arch::x86_64::*; +pub(crate) type Vec256 = __m256i; +pub(crate) type Vec128 = __m128i; + pub(crate) fn mm256_storeu_si256(output: &mut [i16], vector: __m256i) { debug_assert_eq!(output.len(), 16); unsafe { diff --git a/polynomials-avx2/src/intrinsics_extraction.rs b/polynomials-avx2/src/intrinsics_extraction.rs new file mode 100644 index 000000000..58b2da876 --- /dev/null +++ b/polynomials-avx2/src/intrinsics_extraction.rs @@ -0,0 +1,300 @@ +#![allow(unused_variables)] + +pub(crate) type Vec256 = u8; +pub(crate) type Vec128 = u8; + +pub(crate) fn mm256_storeu_si256(output: &mut [i16], vector: Vec256) { + debug_assert_eq!(output.len(), 16); + unimplemented!() +} + +pub(crate) fn mm_storeu_si128(output: &mut [i16], vector: Vec128) { + debug_assert_eq!(output.len(), 8); + unimplemented!() +} + +pub(crate) fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) { + debug_assert_eq!(output.len(), 16); + unimplemented!() +} + +pub(crate) fn mm_loadu_si128(input: &[u8]) -> Vec128 { + debug_assert_eq!(input.len(), 16); + unimplemented!() +} + +pub(crate) fn mm256_loadu_si256(input: &[i16]) -> Vec256 { + debug_assert_eq!(input.len(), 16); + unimplemented!() +} + +pub(crate) fn mm256_setzero_si256() -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm_set_epi8( + byte15: u8, + byte14: u8, + byte13: u8, + byte12: u8, + byte11: u8, + byte10: u8, + byte9: u8, + byte8: u8, + byte7: u8, + byte6: u8, + byte5: u8, + byte4: u8, + byte3: u8, + byte2: u8, + byte1: u8, + byte0: u8, +) -> Vec128 { + unimplemented!() +} + +pub(crate) fn mm256_set_epi8( + byte31: i8, + byte30: i8, + byte29: i8, + byte28: i8, + byte27: i8, + byte26: i8, + byte25: i8, + byte24: i8, + byte23: i8, + byte22: i8, + byte21: i8, + byte20: i8, + byte19: i8, + byte18: i8, + byte17: i8, + byte16: i8, + byte15: i8, + byte14: i8, + byte13: i8, + byte12: i8, + byte11: i8, + byte10: i8, + byte9: i8, + byte8: i8, + byte7: i8, + byte6: i8, + byte5: i8, + byte4: i8, + byte3: i8, + byte2: i8, + byte1: i8, + byte0: i8, +) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_set1_epi16(constant: i16) -> Vec256 { + unimplemented!() +} +pub(crate) fn mm256_set_epi16( + input15: i16, + input14: i16, + input13: i16, + input12: i16, + input11: i16, + input10: i16, + input9: i16, + input8: i16, + input7: i16, + input6: i16, + input5: i16, + input4: i16, + input3: i16, + input2: i16, + input1: i16, + input0: i16, +) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm_set1_epi16(constant: i16) -> Vec128 { + unimplemented!() +} + +pub(crate) fn mm256_set1_epi32(constant: i32) -> Vec256 { + unimplemented!() +} +pub(crate) fn mm256_set_epi32( + input7: i32, + input6: i32, + input5: i32, + input4: i32, + input3: i32, + input2: i32, + input1: i32, + input0: i32, +) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm_add_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} +pub(crate) fn mm256_add_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} +pub(crate) fn mm256_madd_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} +pub(crate) fn mm256_add_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} +pub(crate) fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} + +pub(crate) fn mm256_mullo_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm_mullo_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} + +pub(crate) fn mm256_cmpgt_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm_mulhi_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} + +pub(crate) fn mm256_mullo_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_mulhi_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_mul_epu32(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_and_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_xor_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_srai_epi16(vector: Vec256) -> Vec256 { + debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); + unimplemented!() +} +pub(crate) fn mm256_srai_epi32(vector: Vec256) -> Vec256 { + debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 32); + unimplemented!() +} + +pub(crate) fn mm256_srli_epi16(vector: Vec256) -> Vec256 { + debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); + unimplemented!() +} +pub(crate) fn mm256_srli_epi32(vector: Vec256) -> Vec256 { + debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 32); + unimplemented!() +} + +pub(crate) fn mm256_srli_epi64(vector: Vec256) -> Vec256 { + debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); + unimplemented!() +} + +pub(crate) fn mm256_slli_epi16(vector: Vec256) -> Vec256 { + debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); + unimplemented!() +} + +pub(crate) fn mm256_slli_epi32(vector: Vec256) -> Vec256 { + debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 32); + unimplemented!() +} + +pub(crate) fn mm_shuffle_epi8(vector: Vec128, control: Vec128) -> Vec128 { + unimplemented!() +} +pub(crate) fn mm256_shuffle_epi8(vector: Vec256, control: Vec256) -> Vec256 { + unimplemented!() +} +pub(crate) fn mm256_shuffle_epi32(vector: Vec256) -> Vec256 { + debug_assert!(CONTROL >= 0 && CONTROL < 256); + unimplemented!() +} + +pub(crate) fn mm256_permute4x64_epi64(vector: Vec256) -> Vec256 { + debug_assert!(CONTROL >= 0 && CONTROL < 256); + unimplemented!() +} + +pub(crate) fn mm256_unpackhi_epi64(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_unpacklo_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_unpackhi_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_castsi256_si128(vector: Vec256) -> Vec128 { + unimplemented!() +} +pub(crate) fn mm256_castsi128_si256(vector: Vec128) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_cvtepi16_epi32(vector: Vec128) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm_packs_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} +pub(crate) fn mm256_packs_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_extracti128_si256(vector: Vec256) -> Vec128 { + debug_assert!(CONTROL == 0 || CONTROL == 1); + unimplemented!() +} + +pub(crate) fn mm256_inserti128_si256( + vector: Vec256, + vector_i128: Vec128, +) -> Vec256 { + debug_assert!(CONTROL == 0 || CONTROL == 1); + unimplemented!() +} + +pub(crate) fn mm256_blend_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + debug_assert!(CONTROL >= 0 && CONTROL < 256); + unimplemented!() +} + +pub(crate) fn mm_movemask_epi8(vector: Vec128) -> i32 { + unimplemented!() +} + +pub(crate) fn mm256_permutevar8x32_epi32(vector: Vec256, control: Vec256) -> Vec256 { + unimplemented!() +} + +pub(crate) fn mm256_sllv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { + unimplemented!() +} diff --git a/polynomials-avx2/src/lib.rs b/polynomials-avx2/src/lib.rs index e24519afd..71166566b 100644 --- a/polynomials-avx2/src/lib.rs +++ b/polynomials-avx2/src/lib.rs @@ -1,10 +1,17 @@ -use crate::intrinsics::*; use libcrux_traits::Operations; #[cfg(test)] mod debug; +// When extracting F* or C, we don't want to extract this file. +#[cfg(not(any(eurydice, hax)))] mod intrinsics; +#[cfg(not(any(eurydice, hax)))] +pub(crate) use crate::intrinsics::*; +#[cfg(any(eurydice, hax))] +mod intrinsics_extraction; +#[cfg(any(eurydice, hax))] +pub(crate) use intrinsics_extraction::*; mod arithmetic; mod compress; @@ -15,7 +22,7 @@ mod serialize; #[derive(Clone, Copy)] pub struct SIMD256Vector { - elements: __m256i, + elements: Vec256, } #[inline(always)] diff --git a/polynomials-avx2/src/ntt.rs b/polynomials-avx2/src/ntt.rs index 238a3f433..d99a1b28b 100644 --- a/polynomials-avx2/src/ntt.rs +++ b/polynomials-avx2/src/ntt.rs @@ -1,15 +1,13 @@ -use crate::intrinsics::*; - -use crate::arithmetic; +use crate::*; #[inline(always)] pub(crate) fn ntt_layer_1_step( - vector: __m256i, + vector: Vec256, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> __m256i { +) -> Vec256 { let zetas = mm256_set_epi16( -zeta3, -zeta3, zeta3, zeta3, -zeta2, -zeta2, zeta2, zeta2, -zeta1, -zeta1, zeta1, zeta1, -zeta0, -zeta0, zeta0, zeta0, @@ -24,7 +22,7 @@ pub(crate) fn ntt_layer_1_step( } #[inline(always)] -pub(crate) fn ntt_layer_2_step(vector: __m256i, zeta0: i16, zeta1: i16) -> __m256i { +pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let zetas = mm256_set_epi16( -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0, zeta0, zeta0, zeta0, zeta0, @@ -39,7 +37,7 @@ pub(crate) fn ntt_layer_2_step(vector: __m256i, zeta0: i16, zeta1: i16) -> __m25 } #[inline(always)] -pub(crate) fn ntt_layer_3_step(vector: __m256i, zeta: i16) -> __m256i { +pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let rhs = mm256_extracti128_si256::<1>(vector); let rhs = arithmetic::montgomery_multiply_m128i_by_constants(rhs, mm_set1_epi16(zeta)); @@ -56,12 +54,12 @@ pub(crate) fn ntt_layer_3_step(vector: __m256i, zeta: i16) -> __m256i { #[inline(always)] pub(crate) fn inv_ntt_layer_1_step( - vector: __m256i, + vector: Vec256, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> __m256i { +) -> Vec256 { let lhs = mm256_shuffle_epi32::<0b11_11_01_01>(vector); let rhs = mm256_shuffle_epi32::<0b10_10_00_00>(vector); @@ -84,7 +82,7 @@ pub(crate) fn inv_ntt_layer_1_step( } #[inline(always)] -pub(crate) fn inv_ntt_layer_2_step(vector: __m256i, zeta0: i16, zeta1: i16) -> __m256i { +pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector); let rhs = mm256_permute4x64_epi64::<0b10_10_00_00>(vector); @@ -105,7 +103,7 @@ pub(crate) fn inv_ntt_layer_2_step(vector: __m256i, zeta0: i16, zeta1: i16) -> _ } #[inline(always)] -pub(crate) fn inv_ntt_layer_3_step(vector: __m256i, zeta: i16) -> __m256i { +pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let lhs = mm256_extracti128_si256::<1>(vector); let rhs = mm256_castsi256_si128(vector); @@ -123,13 +121,13 @@ pub(crate) fn inv_ntt_layer_3_step(vector: __m256i, zeta: i16) -> __m256i { #[inline(always)] pub(crate) fn ntt_multiply( - lhs: __m256i, - rhs: __m256i, + lhs: Vec256, + rhs: Vec256, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, -) -> __m256i { +) -> Vec256 { // Compute the first term of the product let shuffle_with = mm256_set_epi8( 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, diff --git a/polynomials-avx2/src/sampling.rs b/polynomials-avx2/src/sampling.rs index e7bd1f1c2..b4de11b48 100644 --- a/polynomials-avx2/src/sampling.rs +++ b/polynomials-avx2/src/sampling.rs @@ -1,6 +1,8 @@ -use crate::intrinsics::*; +use crate::{ + serialize::{deserialize_12, serialize_1}, + *, +}; -use crate::serialize::{deserialize_12, serialize_1}; use libcrux_traits::FIELD_MODULUS; const REJECTION_SAMPLE_SHUFFLE_TABLE: [[u8; 16]; 256] = [ diff --git a/polynomials-avx2/src/serialize.rs b/polynomials-avx2/src/serialize.rs index f2e544b9b..09234a55b 100644 --- a/polynomials-avx2/src/serialize.rs +++ b/polynomials-avx2/src/serialize.rs @@ -1,9 +1,7 @@ -use crate::intrinsics::*; - -use crate::{portable, SIMD256Vector}; +use crate::*; #[inline(always)] -pub(crate) fn serialize_1(vector: __m256i) -> [u8; 2] { +pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // We care only about the least significant bit in each lane, // move it to the most significant position to make it easier to work with. let lsb_to_msb = mm256_slli_epi16::<15>(vector); @@ -37,7 +35,7 @@ pub(crate) fn serialize_1(vector: __m256i) -> [u8; 2] { } #[inline(always)] -pub(crate) fn deserialize_1(bytes: &[u8]) -> __m256i { +pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { // We need to take each bit from the 2 bytes of input and put them // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector, // duplicate them, and right-shift the 0th element by 0 bits, @@ -99,7 +97,7 @@ pub(crate) fn deserialize_1(bytes: &[u8]) -> __m256i { } #[inline(always)] -pub(crate) fn serialize_4(vector: __m256i) -> [u8; 8] { +pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { let mut serialized = [0u8; 16]; // If |vector| is laid out as follows: @@ -162,7 +160,7 @@ pub(crate) fn serialize_4(vector: __m256i) -> [u8; 8] { } #[inline(always)] -pub(crate) fn deserialize_4(bytes: &[u8]) -> __m256i { +pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { let shift_lsbs_to_msbs = mm256_set_epi16( 1 << 0, 1 << 4, @@ -208,7 +206,7 @@ pub(crate) fn deserialize_4(bytes: &[u8]) -> __m256i { } #[inline(always)] -pub(crate) fn serialize_5(vector: __m256i) -> [u8; 10] { +pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { let mut serialized = [0u8; 32]; let adjacent_2_combined = mm256_madd_epi16( @@ -256,7 +254,7 @@ pub(crate) fn serialize_5(vector: __m256i) -> [u8; 10] { } #[inline(always)] -pub(crate) fn deserialize_5(bytes: &[u8]) -> __m256i { +pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { let coefficients = mm_set_epi8( bytes[9], bytes[8], bytes[8], bytes[7], bytes[7], bytes[6], bytes[6], bytes[5], bytes[4], bytes[3], bytes[3], bytes[2], bytes[2], bytes[1], bytes[1], bytes[0], @@ -298,7 +296,7 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> __m256i { } #[inline(always)] -pub(crate) fn serialize_10(vector: __m256i) -> [u8; 20] { +pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { let mut serialized = [0u8; 32]; let adjacent_2_combined = mm256_madd_epi16( @@ -347,7 +345,7 @@ pub(crate) fn serialize_10(vector: __m256i) -> [u8; 20] { } #[inline(always)] -pub(crate) fn deserialize_10(bytes: &[u8]) -> __m256i { +pub(crate) fn deserialize_10(bytes: &[u8]) -> Vec256 { let shift_lsbs_to_msbs = mm256_set_epi16( 1 << 0, 1 << 2, @@ -389,21 +387,21 @@ pub(crate) fn deserialize_10(bytes: &[u8]) -> __m256i { } #[inline(always)] -pub(crate) fn serialize_11(vector: __m256i) -> [u8; 22] { +pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { let input = portable::from_i16_array(crate::to_i16_array(SIMD256Vector { elements: vector })); portable::serialize_11(input) } #[inline(always)] -pub(crate) fn deserialize_11(bytes: &[u8]) -> __m256i { +pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { let output = portable::deserialize_11(bytes); crate::from_i16_array(&portable::to_i16_array(output)).elements } #[inline(always)] -pub(crate) fn serialize_12(vector: __m256i) -> [u8; 24] { +pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { let mut serialized = [0u8; 32]; let adjacent_2_combined = mm256_madd_epi16( @@ -450,7 +448,7 @@ pub(crate) fn serialize_12(vector: __m256i) -> [u8; 24] { } #[inline(always)] -pub(crate) fn deserialize_12(bytes: &[u8]) -> __m256i { +pub(crate) fn deserialize_12(bytes: &[u8]) -> Vec256 { let shift_lsbs_to_msbs = mm256_set_epi16( 1 << 0, 1 << 4, From c90a3d0f79cd19d7d675a11ad8dff1c5a28ef99d Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 20 May 2024 18:22:46 +0200 Subject: [PATCH 2/7] F* extraction of poly-avx2 --- libcrux-ml-kem/hax.py | 30 +- .../Libcrux_polynomials_avx2.Arithmetic.fst | 159 ++ .../Libcrux_polynomials_avx2.Compress.fst | 192 ++ ...polynomials_avx2.Intrinsics_extraction.fst | 549 +++++ .../Libcrux_polynomials_avx2.Ntt.fst | 192 ++ .../Libcrux_polynomials_avx2.Portable.fst | 429 ++++ .../Libcrux_polynomials_avx2.Sampling.fst | 2111 +++++++++++++++++ .../Libcrux_polynomials_avx2.Serialize.fst | 557 +++++ .../extraction/Libcrux_polynomials_avx2.fst | 412 ++++ 9 files changed, 4624 insertions(+), 7 deletions(-) create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Arithmetic.fst create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Compress.fst create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Intrinsics_extraction.fst create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Ntt.fst create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Portable.fst create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Sampling.fst create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Serialize.fst create mode 100644 polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.fst diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py index 3b98428b3..7acbbdfec 100755 --- a/libcrux-ml-kem/hax.py +++ b/libcrux-ml-kem/hax.py @@ -31,22 +31,38 @@ class extractAction(argparse.Action): def __call__(self, parser, args, values, option_string=None) -> None: # Extract platform and sha3 interfaces - include_str = "+:libcrux_sha3::** -libcrux_sha3::x4::internal::**" - interface_include = "+!**" + # include_str = "+:libcrux_sha3::** -libcrux_sha3::x4::internal::**" + # interface_include = "+!**" + # cargo_hax_into = [ + # "cargo", + # "hax", + # "into", + # "-i", + # include_str, + # "fstar", + # "--interfaces", + # interface_include, + # ] + # hax_env = {} + # shell( + # cargo_hax_into, + # cwd="../libcrux-sha3", + # env=hax_env, + # ) + + # Extract avx2 + # include_str = "+:libcrux_sha3::** -libcrux_sha3::x4::internal::**" + # interface_include = "+!**" cargo_hax_into = [ "cargo", "hax", "into", - "-i", - include_str, "fstar", - "--interfaces", - interface_include, ] hax_env = {} shell( cargo_hax_into, - cwd="../libcrux-sha3", + cwd="../polynomials-avx2", env=hax_env, ) diff --git a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Arithmetic.fst b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Arithmetic.fst new file mode 100644 index 000000000..cd19825be --- /dev/null +++ b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Arithmetic.fst @@ -0,0 +1,159 @@ +module Libcrux_polynomials_avx2.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let v_BARRETT_MULTIPLIER: i16 = 20159s + +let add (lhs rhs: u8) : u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi16 lhs rhs + +let bitwise_and_with_constant (vector: u8) (constant: i16) : u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_and_si256 vector + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 constant <: u8) + +let multiply_by_constant (vector: u8) (constant: i16) : u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 vector + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 constant <: u8) + +let shift_left (v_SHIFT_BY: i32) (vector: u8) : u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_slli_epi16 v_SHIFT_BY vector + +let shift_right (v_SHIFT_BY: i32) (vector: u8) : u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_srai_epi16 v_SHIFT_BY vector + +/// See Section 3.2 of the implementation notes document for an explanation +/// of this code. +let barrett_reduce (vector: u8) : u8 = + let t:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mulhi_epi16 vector + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 v_BARRETT_MULTIPLIER <: u8) + in + let t:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi16 t + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 512s <: u8) + in + let quotient:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_srai_epi16 10l t in + let quotient_times_field_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 quotient + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 Libcrux_traits.v_FIELD_MODULUS + + <: + u8) + in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_sub_epi16 vector quotient_times_field_modulus + +let cond_subtract_3329_ (vector: u8) : u8 = + let field_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 Libcrux_traits.v_FIELD_MODULUS + in + let vv_minus_field_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_sub_epi16 vector field_modulus + in + let sign_mask:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_srai_epi16 15l vv_minus_field_modulus + in + let conditional_add_field_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_and_si256 sign_mask field_modulus + in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi16 vv_minus_field_modulus + conditional_add_field_modulus + +let montgomery_multiply_by_constant (vector: u8) (constant: i16) : u8 = + let constant:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 constant in + let value_low:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 vector constant + in + let k:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 value_low + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 (cast (Libcrux_traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u32) + <: + i16) + <: + u8) + in + let k_times_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mulhi_epi16 k + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 Libcrux_traits.v_FIELD_MODULUS + + <: + u8) + in + let value_high:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mulhi_epi16 vector constant + in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_sub_epi16 value_high k_times_modulus + +let montgomery_multiply_by_constants (v c: u8) : u8 = + let value_low:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 v c in + let k:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 value_low + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 (cast (Libcrux_traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u32) + <: + i16) + <: + u8) + in + let k_times_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mulhi_epi16 k + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 Libcrux_traits.v_FIELD_MODULUS + + <: + u8) + in + let value_high:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mulhi_epi16 v c in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_sub_epi16 value_high k_times_modulus + +let montgomery_reduce_i32s (v: u8) : u8 = + let k:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 v + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi32 (cast (Libcrux_traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u32) + <: + i32) + <: + u8) + in + let k_times_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mulhi_epi16 k + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi32 (cast (Libcrux_traits.v_FIELD_MODULUS + <: + i16) + <: + i32) + <: + u8) + in + let value_high:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_srli_epi32 16l v in + let result:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_sub_epi16 value_high k_times_modulus + in + let result:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_slli_epi32 16l result in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_srai_epi32 16l result + +let sub (lhs rhs: u8) : u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_sub_epi16 lhs rhs + +let montgomery_multiply_m128i_by_constants (v c: u8) : u8 = + let value_low:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm_mullo_epi16 v c in + let k:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm_mullo_epi16 value_low + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm_set1_epi16 (cast (Libcrux_traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u32) + <: + i16) + <: + u8) + in + let k_times_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm_mulhi_epi16 k + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm_set1_epi16 Libcrux_traits.v_FIELD_MODULUS + <: + u8) + in + let value_high:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm_mulhi_epi16 v c in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm_sub_epi16 value_high k_times_modulus diff --git a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Compress.fst b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Compress.fst new file mode 100644 index 000000000..252e284a9 --- /dev/null +++ b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Compress.fst @@ -0,0 +1,192 @@ +module Libcrux_polynomials_avx2.Compress +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) : u8 = + let field_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi32 (cast (Libcrux_traits.v_FIELD_MODULUS + <: + i16) + <: + i32) + in + let two_pow_coefficient_bits:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi32 (1l <=. 0l <: bool) && (v_CONTROL <. 256l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: CONTROL >= 0 && CONTROL < 256" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_castsi128_si256 (vector: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_castsi256_si128 (vector: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_cmpgt_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_cvtepi16_epi32 (vector: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_extracti128_si256 (v_CONTROL: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_CONTROL =. 0l <: bool) || (v_CONTROL =. 1l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: CONTROL == 0 || CONTROL == 1" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_inserti128_si256 (v_CONTROL: i32) (vector vector_i128: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_CONTROL =. 0l <: bool) || (v_CONTROL =. 1l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: CONTROL == 0 || CONTROL == 1" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_loadu_si256 (input: t_Slice i16) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len input, sz 16 <: (usize & usize) with + | left_val, right_val -> + if ~.(left_val =. right_val <: bool) + then + let kind:Core.Panicking.t_AssertKind = + Core.Panicking.AssertKind_Eq <: Core.Panicking.t_AssertKind + in + Rust_primitives.Hax.never_to_any (Core.Panicking.assert_failed kind + left_val + right_val + (Core.Option.Option_None <: Core.Option.t_Option Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_madd_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_mul_epu32 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_mulhi_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_mullo_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_mullo_epi32 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_packs_epi32 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_CONTROL >=. 0l <: bool) && (v_CONTROL <. 256l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: CONTROL >= 0 && CONTROL < 256" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_permutevar8x32_epi32 (vector control: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_set1_epi16 (constant: i16) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_set1_epi32 (constant: i32) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_set_epi16 + (input15 input14 input13 input12 input11 input10 input9 input8 input7 input6 input5 input4 input3 input2 input1 input0: + i16) + : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_set_epi8 + (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + i8) + : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_setzero_si256 (_: Prims.unit) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_shuffle_epi32 (v_CONTROL: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_CONTROL >=. 0l <: bool) && (v_CONTROL <. 256l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: CONTROL >= 0 && CONTROL < 256" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_shuffle_epi8 (vector control: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_slli_epi16 (v_SHIFT_BY: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_SHIFT_BY >=. 0l <: bool) && (v_SHIFT_BY <. 16l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: SHIFT_BY >= 0 && SHIFT_BY < 16" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_SHIFT_BY >=. 0l <: bool) && (v_SHIFT_BY <. 32l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: SHIFT_BY >= 0 && SHIFT_BY < 32" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_sllv_epi32 (vector counts: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_SHIFT_BY >=. 0l <: bool) && (v_SHIFT_BY <. 16l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: SHIFT_BY >= 0 && SHIFT_BY < 16" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_SHIFT_BY >=. 0l <: bool) && (v_SHIFT_BY <. 32l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: SHIFT_BY >= 0 && SHIFT_BY < 32" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_srli_epi16 (v_SHIFT_BY: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_SHIFT_BY >=. 0l <: bool) && (v_SHIFT_BY <. 16l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: SHIFT_BY >= 0 && SHIFT_BY < 16" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_SHIFT_BY >=. 0l <: bool) && (v_SHIFT_BY <. 32l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: SHIFT_BY >= 0 && SHIFT_BY < 32" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_srli_epi64 (v_SHIFT_BY: i32) (vector: u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_SHIFT_BY >=. 0l <: bool) && (v_SHIFT_BY <. 64l <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: SHIFT_BY >= 0 && SHIFT_BY < 64" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_storeu_si256 (output: t_Slice i16) (vector: u8) : t_Slice i16 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len output, sz 16 <: (usize & usize) with + | left_val, right_val -> + if ~.(left_val =. right_val <: bool) + then + let kind:Core.Panicking.t_AssertKind = + Core.Panicking.AssertKind_Eq <: Core.Panicking.t_AssertKind + in + Rust_primitives.Hax.never_to_any (Core.Panicking.assert_failed kind + left_val + right_val + (Core.Option.Option_None <: Core.Option.t_Option Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let hax_temp_output:Prims.unit = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + in + output + +let mm256_sub_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_unpackhi_epi32 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_unpackhi_epi64 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_unpacklo_epi32 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm256_xor_si256 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_add_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_loadu_si128 (input: t_Slice u8) : u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len input, sz 16 <: (usize & usize) with + | left_val, right_val -> + if ~.(left_val =. right_val <: bool) + then + let kind:Core.Panicking.t_AssertKind = + Core.Panicking.AssertKind_Eq <: Core.Panicking.t_AssertKind + in + Rust_primitives.Hax.never_to_any (Core.Panicking.assert_failed kind + left_val + right_val + (Core.Option.Option_None <: Core.Option.t_Option Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_movemask_epi8 (vector: u8) : i32 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_mulhi_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_mullo_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_packs_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_set1_epi16 (constant: i16) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_set_epi8 + (byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + u8) + : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_shuffle_epi8 (vector control: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + +let mm_storeu_bytes_si128 (output: t_Slice u8) (vector: u8) : t_Slice u8 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len output, sz 16 <: (usize & usize) with + | left_val, right_val -> + if ~.(left_val =. right_val <: bool) + then + let kind:Core.Panicking.t_AssertKind = + Core.Panicking.AssertKind_Eq <: Core.Panicking.t_AssertKind + in + Rust_primitives.Hax.never_to_any (Core.Panicking.assert_failed kind + left_val + right_val + (Core.Option.Option_None <: Core.Option.t_Option Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let hax_temp_output:Prims.unit = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + in + output + +let mm_storeu_si128 (output: t_Slice i16) (vector: u8) : t_Slice i16 = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len output, sz 8 <: (usize & usize) with + | left_val, right_val -> + if ~.(left_val =. right_val <: bool) + then + let kind:Core.Panicking.t_AssertKind = + Core.Panicking.AssertKind_Eq <: Core.Panicking.t_AssertKind + in + Rust_primitives.Hax.never_to_any (Core.Panicking.assert_failed kind + left_val + right_val + (Core.Option.Option_None <: Core.Option.t_Option Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let hax_temp_output:Prims.unit = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) + in + output + +let mm_sub_epi16 (lhs rhs: u8) : u8 = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" + <: + Rust_primitives.Hax.t_Never) diff --git a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Ntt.fst b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Ntt.fst new file mode 100644 index 000000000..5b788b5ad --- /dev/null +++ b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Ntt.fst @@ -0,0 +1,192 @@ +module Libcrux_polynomials_avx2.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let ntt_multiply__PERMUTE_WITH: i32 = 216l + +let inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) : u8 = + let lhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi32 160l vector in + let rhs:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 rhs + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 (-1s) (-1s) 1s 1s (-1s) (-1s) + 1s 1s (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s + <: + u8) + in + let sum:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = + Libcrux_polynomials_avx2.Arithmetic.montgomery_multiply_by_constants sum + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 zeta3 zeta3 0s 0s zeta2 zeta2 + 0s 0s zeta1 zeta1 0s 0s zeta0 zeta0 0s 0s + <: + u8) + in + let sum:u8 = Libcrux_polynomials_avx2.Arithmetic.barrett_reduce sum in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_blend_epi16 204l sum sum_times_zetas + +let inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) : u8 = + let lhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_permute4x64_epi64 245l vector in + let rhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_permute4x64_epi64 160l vector in + let rhs:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi16 rhs + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 (-1s) (-1s) (-1s) (-1s) 1s 1s + 1s 1s (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s + <: + u8) + in + let sum:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = + Libcrux_polynomials_avx2.Arithmetic.montgomery_multiply_by_constants sum + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 zeta1 zeta1 zeta1 zeta1 0s 0s + 0s 0s zeta0 zeta0 zeta0 zeta0 0s 0s 0s 0s + <: + u8) + in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_blend_epi16 240l sum sum_times_zetas + +let inv_ntt_layer_3_step (vector: u8) (zeta: i16) : u8 = + let lhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_extracti128_si256 1l vector in + let rhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm_sub_epi16 lhs rhs in + let upper_coefficients:u8 = + Libcrux_polynomials_avx2.Arithmetic.montgomery_multiply_m128i_by_constants upper_coefficients + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm_set1_epi16 zeta <: u8) + in + let combined:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_castsi128_si256 lower_coefficients + in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_inserti128_si256 1l + combined + upper_coefficients + +let ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) : u8 = + let zetas:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 + <: + i16) (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16) + (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16) + (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16) + (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 + in + let rhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_polynomials_avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi32 160l vector in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi16 lhs rhs + +let ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) : u8 = + let zetas:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 + <: + i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) + (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1 + (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) + (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0 + zeta0 + in + let rhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi32 238l vector in + let rhs:u8 = Libcrux_polynomials_avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi32 68l vector in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi16 lhs rhs + +let ntt_layer_3_step (vector: u8) (zeta: i16) : u8 = + let rhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_extracti128_si256 1l vector in + let rhs:u8 = + Libcrux_polynomials_avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm_set1_epi16 zeta <: u8) + in + let lhs:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm_sub_epi16 lhs rhs in + let combined:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_castsi128_si256 lower_coefficients + in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_inserti128_si256 1l + combined + upper_coefficients + +let ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) : u8 = + let shuffle_with:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi8 15y 14y 11y 10y 7y 6y 3y 2y 13y + 12y 9y 8y 5y 4y 1y 0y 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y + in + let lhs_shuffled:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi8 lhs shuffle_with + in + let lhs_shuffled:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_permute4x64_epi64 216l lhs_shuffled + in + let lhs_evens:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_castsi256_si128 lhs_shuffled + in + let lhs_evens:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_cvtepi16_epi32 lhs_evens + in + let lhs_odds:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_extracti128_si256 1l lhs_shuffled + in + let lhs_odds:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_cvtepi16_epi32 lhs_odds in + let rhs_shuffled:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi8 rhs shuffle_with + in + let rhs_shuffled:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_permute4x64_epi64 216l rhs_shuffled + in + let rhs_evens:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_castsi256_si128 rhs_shuffled + in + let rhs_evens:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_cvtepi16_epi32 rhs_evens + in + let rhs_odds:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_extracti128_si256 1l rhs_shuffled + in + let rhs_odds:u8 = Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_cvtepi16_epi32 rhs_odds in + let left:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi32 lhs_evens rhs_evens + in + let right:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi32 lhs_odds rhs_odds + in + let right:u8 = Libcrux_polynomials_avx2.Arithmetic.montgomery_reduce_i32s right in + let right:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_mullo_epi32 right + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi32 (Core.Ops.Arith.Neg.neg (cast ( + zeta3 <: i16) + <: + i32) + <: + i32) + (cast (zeta3 <: i16) <: i32) + (Core.Ops.Arith.Neg.neg (cast (zeta2 <: i16) <: i32) <: i32) + (cast (zeta2 <: i16) <: i32) + (Core.Ops.Arith.Neg.neg (cast (zeta1 <: i16) <: i32) <: i32) + (cast (zeta1 <: i16) <: i32) + (Core.Ops.Arith.Neg.neg (cast (zeta0 <: i16) <: i32) <: i32) + (cast (zeta0 <: i16) <: i32) + <: + u8) + in + let products_left:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_add_epi32 left right + in + let products_left:u8 = Libcrux_polynomials_avx2.Arithmetic.montgomery_reduce_i32s products_left in + let rhs_adjacent_swapped:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_shuffle_epi8 rhs + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi8 13y 12y 15y 14y 9y 8y 11y 10y + 5y 4y 7y 6y 1y 0y 3y 2y 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y + <: + u8) + in + let products_right:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_madd_epi16 lhs rhs_adjacent_swapped + in + let products_right:u8 = + Libcrux_polynomials_avx2.Arithmetic.montgomery_reduce_i32s products_right + in + let products_right:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_slli_epi32 16l products_right + in + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_blend_epi16 170l products_left products_right diff --git a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Portable.fst b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Portable.fst new file mode 100644 index 000000000..541e25541 --- /dev/null +++ b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Portable.fst @@ -0,0 +1,429 @@ +module Libcrux_polynomials_avx2.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +unfold +let t_FieldElement = i16 + +type t_PortableVector = { f_elements:t_Array i16 (sz 16) } + +let from_i16_array (array: t_Array i16 (sz 16)) : t_PortableVector = + { f_elements = array } <: t_PortableVector + +let serialize_11_ (v: t_PortableVector) : t_Array u8 (sz 22) = + let result:t_Array u8 (sz 22) = Rust_primitives.Hax.repeat 0uy (sz 22) in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + (cast (v.f_elements.[ sz 0 ] <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 1) + (((cast ((v.f_elements.[ sz 1 ] <: i16) &. 31s <: i16) <: u8) <>! 8l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 2) + (((cast ((v.f_elements.[ sz 2 ] <: i16) &. 3s <: i16) <: u8) <>! 5l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 3) + (cast (((v.f_elements.[ sz 2 ] <: i16) >>! 2l <: i16) &. 255s <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 4) + (((cast ((v.f_elements.[ sz 3 ] <: i16) &. 127s <: i16) <: u8) <>! 10l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 5) + (((cast ((v.f_elements.[ sz 4 ] <: i16) &. 15s <: i16) <: u8) <>! 7l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 6) + (((cast ((v.f_elements.[ sz 5 ] <: i16) &. 1s <: i16) <: u8) <>! 4l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 7) + (cast (((v.f_elements.[ sz 5 ] <: i16) >>! 1l <: i16) &. 255s <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 8) + (((cast ((v.f_elements.[ sz 6 ] <: i16) &. 63s <: i16) <: u8) <>! 9l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 9) + (((cast ((v.f_elements.[ sz 7 ] <: i16) &. 7s <: i16) <: u8) <>! 6l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 10) + (cast ((v.f_elements.[ sz 7 ] <: i16) >>! 3l <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 11) + (cast (v.f_elements.[ sz 8 +! sz 0 <: usize ] <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 12) + (((cast ((v.f_elements.[ sz 8 +! sz 1 <: usize ] <: i16) &. 31s <: i16) <: u8) <>! 8l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 13) + (((cast ((v.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16) &. 3s <: i16) <: u8) <>! 5l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 14) + (cast (((v.f_elements.[ sz 8 +! sz 2 <: usize ] <: i16) >>! 2l <: i16) &. 255s <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 15) + (((cast ((v.f_elements.[ sz 8 +! sz 3 <: usize ] <: i16) &. 127s <: i16) <: u8) <>! 10l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 16) + (((cast ((v.f_elements.[ sz 8 +! sz 4 <: usize ] <: i16) &. 15s <: i16) <: u8) <>! 7l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 17) + (((cast ((v.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) &. 1s <: i16) <: u8) <>! 4l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 18) + (cast (((v.f_elements.[ sz 8 +! sz 5 <: usize ] <: i16) >>! 1l <: i16) &. 255s <: i16) <: u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 19) + (((cast ((v.f_elements.[ sz 8 +! sz 6 <: usize ] <: i16) &. 63s <: i16) <: u8) <>! 9l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 20) + (((cast ((v.f_elements.[ sz 8 +! sz 7 <: usize ] <: i16) &. 7s <: i16) <: u8) <>! 6l <: i16) <: u8) + <: + u8) + in + let result:t_Array u8 (sz 22) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 21) + (cast ((v.f_elements.[ sz 8 +! sz 7 <: usize ] <: i16) >>! 3l <: i16) <: u8) + in + result + +let to_i16_array (v: t_PortableVector) : t_Array i16 (sz 16) = v.f_elements + +let zero (_: Prims.unit) : t_PortableVector = + { f_elements = Rust_primitives.Hax.repeat 0s (sz 16) } <: t_PortableVector + +let deserialize_11_ (bytes: t_Slice u8) : t_PortableVector = + let result:t_PortableVector = zero () in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 0) + ((((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 7s <: i16) <>! 3l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 2) + (((((cast (bytes.[ sz 4 ] <: u8) <: i16) &. 1s <: i16) <>! 6l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 3) + ((((cast (bytes.[ sz 5 ] <: u8) <: i16) &. 15s <: i16) <>! 1l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 4) + ((((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 127s <: i16) <>! 4l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 5) + (((((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 3s <: i16) <>! 7l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 6) + ((((cast (bytes.[ sz 9 ] <: u8) <: i16) &. 31s <: i16) <>! 2l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 7) + (((cast (bytes.[ sz 10 ] <: u8) <: i16) <>! 5l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 8) + ((((cast (bytes.[ sz 11 +! sz 1 <: usize ] <: u8) <: i16) &. 7s <: i16) <>! 3l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 10) + (((((cast (bytes.[ sz 11 +! sz 4 <: usize ] <: u8) <: i16) &. 1s <: i16) <>! 6l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 11) + ((((cast (bytes.[ sz 11 +! sz 5 <: usize ] <: u8) <: i16) &. 15s <: i16) <>! 1l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 12) + ((((cast (bytes.[ sz 11 +! sz 6 <: usize ] <: u8) <: i16) &. 127s <: i16) <>! 4l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 13) + (((((cast (bytes.[ sz 11 +! sz 8 <: usize ] <: u8) <: i16) &. 3s <: i16) <>! 7l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 14) + ((((cast (bytes.[ sz 11 +! sz 9 <: usize ] <: u8) <: i16) &. 31s <: i16) <>! 2l <: i16) + <: + i16) + } + <: + t_PortableVector + in + let result:t_PortableVector = + { + result with + f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_elements + (sz 15) + (((cast (bytes.[ sz 11 +! sz 10 <: usize ] <: u8) <: i16) <>! 5l <: i16) + <: + i16) + } + <: + t_PortableVector + in + result diff --git a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Sampling.fst b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Sampling.fst new file mode 100644 index 000000000..65ce23750 --- /dev/null +++ b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Sampling.fst @@ -0,0 +1,2111 @@ +module Libcrux_polynomials_avx2.Sampling +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let v_REJECTION_SAMPLE_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 256) = + let list = + [ + (let list = + [ + 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); + Rust_primitives.Hax.array_of_list 256 list + +let rejection_sample (input: t_Slice u8) (output: t_Slice i16) : (t_Slice i16 & usize) = + let field_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set1_epi16 Libcrux_traits.v_FIELD_MODULUS + in + let potential_coefficients:u8 = Libcrux_polynomials_avx2.Serialize.deserialize_12_ input in + let compare_with_field_modulus:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_cmpgt_epi16 field_modulus + potential_coefficients + in + let good:t_Array u8 (sz 2) = + Libcrux_polynomials_avx2.Serialize.serialize_1_ compare_with_field_modulus + in + let lower_shuffles:t_Array u8 (sz 16) = + v_REJECTION_SAMPLE_SHUFFLE_TABLE.[ cast (good.[ sz 0 ] <: u8) <: usize ] + in + let lower_shuffles:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm_loadu_si128 (Rust_primitives.unsize lower_shuffles + + <: + t_Slice u8) + in + let lower_coefficients:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_castsi256_si128 potential_coefficients + in + let lower_coefficients:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm_shuffle_epi8 lower_coefficients lower_shuffles + in + let output:t_Slice i16 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm_storeu_si128 (output.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + lower_coefficients + <: + t_Slice i16) + in + let sampled_count:usize = + cast (Core.Num.impl__u8__count_ones (good.[ sz 0 ] <: u8) <: u32) <: usize + in + let upper_shuffles:t_Array u8 (sz 16) = + v_REJECTION_SAMPLE_SHUFFLE_TABLE.[ cast (good.[ sz 1 ] <: u8) <: usize ] + in + let upper_shuffles:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm_loadu_si128 (Rust_primitives.unsize upper_shuffles + + <: + t_Slice u8) + in + let upper_coefficients:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_extracti128_si256 1l potential_coefficients + in + let upper_coefficients:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm_shuffle_epi8 upper_coefficients upper_shuffles + in + let output:t_Slice i16 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm_storeu_si128 (output.[ { + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + upper_coefficients + <: + t_Slice i16) + in + let hax_temp_output:usize = + sampled_count +! (cast (Core.Num.impl__u8__count_ones (good.[ sz 1 ] <: u8) <: u32) <: usize) + in + output, hax_temp_output <: (t_Slice i16 & usize) diff --git a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Serialize.fst b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Serialize.fst new file mode 100644 index 000000000..f951730a4 --- /dev/null +++ b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.Serialize.fst @@ -0,0 +1,557 @@ +module Libcrux_polynomials_avx2.Serialize +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let deserialize_1_ (bytes: t_Slice u8) : u8 = + let coefficients:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) + <: + i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) + in + let shift_lsb_to_msb:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 (1s <>! 8l <: i32) <: u8) + in + serialized + +let serialize_10_ (vector: u8) : t_Array u8 (sz 20) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let adjacent_2_combined:u8 = + Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_madd_epi16 vector + (Libcrux_polynomials_avx2.Intrinsics_extraction.mm256_set_epi16 (1s < true); + f_ZERO_post = (fun (_: Prims.unit) (out: t_SIMD256Vector) -> true); + f_ZERO = (fun (_: Prims.unit) -> zero ()); + f_to_i16_array_pre = (fun (v: t_SIMD256Vector) -> true); + f_to_i16_array_post = (fun (v: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true); + f_to_i16_array = (fun (v: t_SIMD256Vector) -> to_i16_array v); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); + f_from_i16_array_post = (fun (array: t_Slice i16) (out: t_SIMD256Vector) -> true); + f_from_i16_array = (fun (array: t_Slice i16) -> from_i16_array array); + f_add_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> true); + f_add_post = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_add + = + (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> + { f_elements = Libcrux_polynomials_avx2.Arithmetic.add lhs.f_elements rhs.f_elements } + <: + t_SIMD256Vector); + f_sub_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> true); + f_sub_post = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_sub + = + (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> + { f_elements = Libcrux_polynomials_avx2.Arithmetic.sub lhs.f_elements rhs.f_elements } + <: + t_SIMD256Vector); + f_multiply_by_constant_pre = (fun (v: t_SIMD256Vector) (c: i16) -> true); + f_multiply_by_constant_post = (fun (v: t_SIMD256Vector) (c: i16) (out: t_SIMD256Vector) -> true); + f_multiply_by_constant + = + (fun (v: t_SIMD256Vector) (c: i16) -> + { f_elements = Libcrux_polynomials_avx2.Arithmetic.multiply_by_constant v.f_elements c } + <: + t_SIMD256Vector); + f_bitwise_and_with_constant_pre = (fun (vector: t_SIMD256Vector) (constant: i16) -> true); + f_bitwise_and_with_constant_post + = + (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> true); + f_bitwise_and_with_constant + = + (fun (vector: t_SIMD256Vector) (constant: i16) -> + { + f_elements + = + Libcrux_polynomials_avx2.Arithmetic.bitwise_and_with_constant vector.f_elements constant + } + <: + t_SIMD256Vector); + f_shift_right_pre = (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> true); + f_shift_right_post + = + (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_shift_right + = + (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> + { + f_elements = Libcrux_polynomials_avx2.Arithmetic.shift_right v_SHIFT_BY vector.f_elements + } + <: + t_SIMD256Vector); + f_shift_left_pre = (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> true); + f_shift_left_post + = + (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_shift_left + = + (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> + { f_elements = Libcrux_polynomials_avx2.Arithmetic.shift_left v_SHIFT_BY vector.f_elements } + <: + t_SIMD256Vector); + f_cond_subtract_3329_pre = (fun (vector: t_SIMD256Vector) -> true); + f_cond_subtract_3329_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_cond_subtract_3329_ + = + (fun (vector: t_SIMD256Vector) -> + { f_elements = Libcrux_polynomials_avx2.Arithmetic.cond_subtract_3329_ vector.f_elements } + <: + t_SIMD256Vector); + f_barrett_reduce_pre = (fun (vector: t_SIMD256Vector) -> true); + f_barrett_reduce_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_barrett_reduce + = + (fun (vector: t_SIMD256Vector) -> + { f_elements = Libcrux_polynomials_avx2.Arithmetic.barrett_reduce vector.f_elements } + <: + t_SIMD256Vector); + f_montgomery_multiply_by_constant_pre = (fun (vector: t_SIMD256Vector) (constant: i16) -> true); + f_montgomery_multiply_by_constant_post + = + (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> true); + f_montgomery_multiply_by_constant + = + (fun (vector: t_SIMD256Vector) (constant: i16) -> + { + f_elements + = + Libcrux_polynomials_avx2.Arithmetic.montgomery_multiply_by_constant vector.f_elements + constant + } + <: + t_SIMD256Vector); + f_compress_1_pre = (fun (vector: t_SIMD256Vector) -> true); + f_compress_1_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_compress_1_ + = + (fun (vector: t_SIMD256Vector) -> + { + f_elements + = + Libcrux_polynomials_avx2.Compress.compress_message_coefficient vector.f_elements + } + <: + t_SIMD256Vector); + f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> true); + f_compress_post + = + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_compress + = + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> + { + f_elements + = + Libcrux_polynomials_avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS + vector.f_elements + } + <: + t_SIMD256Vector); + f_decompress_ciphertext_coefficient_pre + = + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> true); + f_decompress_ciphertext_coefficient_post + = + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); + f_decompress_ciphertext_coefficient + = + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> + { + f_elements + = + Libcrux_polynomials_avx2.Compress.decompress_ciphertext_coefficient v_COEFFICIENT_BITS + vector.f_elements + } + <: + t_SIMD256Vector); + f_ntt_layer_1_step_pre + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> true); + f_ntt_layer_1_step_post + = + (fun + (vector: t_SIMD256Vector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + (out: t_SIMD256Vector) + -> + true); + f_ntt_layer_1_step + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> + { + f_elements + = + Libcrux_polynomials_avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3 + } + <: + t_SIMD256Vector); + f_ntt_layer_2_step_pre = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> true); + f_ntt_layer_2_step_post + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> true); + f_ntt_layer_2_step + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> + { f_elements = Libcrux_polynomials_avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 } + <: + t_SIMD256Vector); + f_ntt_layer_3_step_pre = (fun (vector: t_SIMD256Vector) (zeta: i16) -> true); + f_ntt_layer_3_step_post + = + (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> true); + f_ntt_layer_3_step + = + (fun (vector: t_SIMD256Vector) (zeta: i16) -> + { f_elements = Libcrux_polynomials_avx2.Ntt.ntt_layer_3_step vector.f_elements zeta } + <: + t_SIMD256Vector); + f_inv_ntt_layer_1_step_pre + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> true); + f_inv_ntt_layer_1_step_post + = + (fun + (vector: t_SIMD256Vector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + (out: t_SIMD256Vector) + -> + true); + f_inv_ntt_layer_1_step + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> + { + f_elements + = + Libcrux_polynomials_avx2.Ntt.inv_ntt_layer_1_step vector.f_elements + zeta0 + zeta1 + zeta2 + zeta3 + } + <: + t_SIMD256Vector); + f_inv_ntt_layer_2_step_pre = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> true); + f_inv_ntt_layer_2_step_post + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> true); + f_inv_ntt_layer_2_step + = + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> + { + f_elements + = + Libcrux_polynomials_avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1 + } + <: + t_SIMD256Vector); + f_inv_ntt_layer_3_step_pre = (fun (vector: t_SIMD256Vector) (zeta: i16) -> true); + f_inv_ntt_layer_3_step_post + = + (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> true); + f_inv_ntt_layer_3_step + = + (fun (vector: t_SIMD256Vector) (zeta: i16) -> + { f_elements = Libcrux_polynomials_avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta } + <: + t_SIMD256Vector); + f_ntt_multiply_pre + = + (fun + (lhs: t_SIMD256Vector) + (rhs: t_SIMD256Vector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + true); + f_ntt_multiply_post + = + (fun + (lhs: t_SIMD256Vector) + (rhs: t_SIMD256Vector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + (out: t_SIMD256Vector) + -> + true); + f_ntt_multiply + = + (fun + (lhs: t_SIMD256Vector) + (rhs: t_SIMD256Vector) + (zeta0: i16) + (zeta1: i16) + (zeta2: i16) + (zeta3: i16) + -> + { + f_elements + = + Libcrux_polynomials_avx2.Ntt.ntt_multiply lhs.f_elements + rhs.f_elements + zeta0 + zeta1 + zeta2 + zeta3 + } + <: + t_SIMD256Vector); + f_serialize_1_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_1_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 2)) -> true); + f_serialize_1_ + = + (fun (vector: t_SIMD256Vector) -> + Libcrux_polynomials_avx2.Serialize.serialize_1_ vector.f_elements); + f_deserialize_1_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_1_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); + f_deserialize_1_ + = + (fun (bytes: t_Slice u8) -> + { f_elements = Libcrux_polynomials_avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector); + f_serialize_4_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_4_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 8)) -> true); + f_serialize_4_ + = + (fun (vector: t_SIMD256Vector) -> + Libcrux_polynomials_avx2.Serialize.serialize_4_ vector.f_elements); + f_deserialize_4_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_4_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); + f_deserialize_4_ + = + (fun (bytes: t_Slice u8) -> + { f_elements = Libcrux_polynomials_avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector); + f_serialize_5_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_5_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 10)) -> true); + f_serialize_5_ + = + (fun (vector: t_SIMD256Vector) -> + Libcrux_polynomials_avx2.Serialize.serialize_5_ vector.f_elements); + f_deserialize_5_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_5_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); + f_deserialize_5_ + = + (fun (bytes: t_Slice u8) -> + { f_elements = Libcrux_polynomials_avx2.Serialize.deserialize_5_ bytes } <: t_SIMD256Vector); + f_serialize_10_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_10_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 20)) -> true); + f_serialize_10_ + = + (fun (vector: t_SIMD256Vector) -> + Libcrux_polynomials_avx2.Serialize.serialize_10_ vector.f_elements); + f_deserialize_10_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_10_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); + f_deserialize_10_ + = + (fun (bytes: t_Slice u8) -> + { f_elements = Libcrux_polynomials_avx2.Serialize.deserialize_10_ bytes } <: t_SIMD256Vector + ); + f_serialize_11_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_11_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 22)) -> true); + f_serialize_11_ + = + (fun (vector: t_SIMD256Vector) -> + Libcrux_polynomials_avx2.Serialize.serialize_11_ vector.f_elements); + f_deserialize_11_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_11_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); + f_deserialize_11_ + = + (fun (bytes: t_Slice u8) -> + { f_elements = Libcrux_polynomials_avx2.Serialize.deserialize_11_ bytes } <: t_SIMD256Vector + ); + f_serialize_12_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_12_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 24)) -> true); + f_serialize_12_ + = + (fun (vector: t_SIMD256Vector) -> + Libcrux_polynomials_avx2.Serialize.serialize_12_ vector.f_elements); + f_deserialize_12_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_12_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); + f_deserialize_12_ + = + (fun (bytes: t_Slice u8) -> + { f_elements = Libcrux_polynomials_avx2.Serialize.deserialize_12_ bytes } <: t_SIMD256Vector + ); + f_rej_sample_pre = (fun (input: t_Slice u8) (output: t_Slice i16) -> true); + f_rej_sample_post + = + (fun (input: t_Slice u8) (output: t_Slice i16) (out1: (t_Slice i16 & usize)) -> true); + f_rej_sample + = + fun (input: t_Slice u8) (output: t_Slice i16) -> + let tmp0, out:(t_Slice i16 & usize) = + Libcrux_polynomials_avx2.Sampling.rejection_sample input output + in + let output:t_Slice i16 = tmp0 in + let hax_temp_output:usize = out in + output, hax_temp_output <: (t_Slice i16 & usize) + } From da5ed9df73cd4a4e91ae1ceb4e5bfb76268e4e8b Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 22 May 2024 10:39:42 +0200 Subject: [PATCH 3/7] move neon hash functions into sha3 for ml-kem --- libcrux-ml-kem/src/hash_functions.rs | 145 +--------------------- libcrux-sha3/src/lib.rs | 172 ++++++++++++++++++++++++++- 2 files changed, 170 insertions(+), 147 deletions(-) diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs index cc00df6fd..d60d6e162 100644 --- a/libcrux-ml-kem/src/hash_functions.rs +++ b/libcrux-ml-kem/src/hash_functions.rs @@ -368,52 +368,13 @@ pub(crate) mod neon { fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { debug_assert!(K == 2 || K == 3 || K == 4); - let mut out = [[0u8; LEN]; K]; - match K { - 2 => { - let (out0, out1) = out.split_at_mut(1); - x2::shake256(&input[0], &input[1], &mut out0[0], &mut out1[0]); - } - 3 => { - let mut extra = [0u8; LEN]; - let (out0, out12) = out.split_at_mut(1); - let (out1, out2) = out12.split_at_mut(1); - x2::shake256(&input[0], &input[1], &mut out0[0], &mut out1[0]); - x2::shake256(&input[2], &input[2], &mut out2[0], &mut extra); - } - 4 => { - let (out0, out123) = out.split_at_mut(1); - let (out1, out23) = out123.split_at_mut(1); - let (out2, out3) = out23.split_at_mut(1); - x2::shake256(&input[0], &input[1], &mut out0[0], &mut out1[0]); - x2::shake256(&input[2], &input[3], &mut out2[0], &mut out3[0]); - } - _ => unreachable!(), - } - out + x2::shake256xN(input) } fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { debug_assert!(K == 2 || K == 3 || K == 4); - let mut state = [ - x2::incremental::shake128_init(), - x2::incremental::shake128_init(), - ]; + let state = x2::incremental::shake128_absorb_finalxN(input); - match K { - 2 => { - x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); - } - 3 => { - x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); - x2::incremental::shake128_absorb_final(&mut state[1], &input[2], &input[2]); - } - _ => { - x2::incremental::shake128_absorb_final(&mut state[0], &input[0], &input[1]); - x2::incremental::shake128_absorb_final(&mut state[1], &input[2], &input[3]); - } - } - // _ => unreachable!("This function is only called with 2, 3, 4"), Self { shake128_state: state, } @@ -421,110 +382,12 @@ pub(crate) mod neon { fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); - - let mut out = [[0u8; THREE_BLOCKS]; K]; - match K { - 2 => { - let (out0, out1) = out.split_at_mut(1); - x2::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state[0], - &mut out0[0], - &mut out1[0], - ); - } - 3 => { - let mut extra = [0u8; THREE_BLOCKS]; - let (out0, out12) = out.split_at_mut(1); - let (out1, out2) = out12.split_at_mut(1); - x2::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state[0], - &mut out0[0], - &mut out1[0], - ); - x2::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state[1], - &mut out2[0], - &mut extra, - ); - } - 4 => { - let (out0, out123) = out.split_at_mut(1); - let (out1, out23) = out123.split_at_mut(1); - let (out2, out3) = out23.split_at_mut(1); - x2::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state[0], - &mut out0[0], - &mut out1[0], - ); - x2::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state[1], - &mut out2[0], - &mut out3[0], - ); - } - _ => unreachable!("This function is only called with 2, 3, 4"), - } - out + x2::incremental::shake128_squeeze3xN(&mut self.shake128_state) } fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); - - let mut out = [[0u8; BLOCK_SIZE]; K]; - match K { - 2 => { - let mut out0 = [0u8; BLOCK_SIZE]; - let mut out1 = [0u8; BLOCK_SIZE]; - x2::incremental::shake128_squeeze_next_block( - &mut self.shake128_state[0], - &mut out0, - &mut out1, - ); - out[0] = out0; - out[1] = out1; - } - 3 => { - let mut out0 = [0u8; BLOCK_SIZE]; - let mut out1 = [0u8; BLOCK_SIZE]; - let mut out2 = [0u8; BLOCK_SIZE]; - let mut out3 = [0u8; BLOCK_SIZE]; - x2::incremental::shake128_squeeze_next_block( - &mut self.shake128_state[0], - &mut out0, - &mut out1, - ); - x2::incremental::shake128_squeeze_next_block( - &mut self.shake128_state[1], - &mut out2, - &mut out3, - ); - out[0] = out0; - out[1] = out1; - out[2] = out2; - } - 4 => { - let mut out0 = [0u8; BLOCK_SIZE]; - let mut out1 = [0u8; BLOCK_SIZE]; - let mut out2 = [0u8; BLOCK_SIZE]; - let mut out3 = [0u8; BLOCK_SIZE]; - x2::incremental::shake128_squeeze_next_block( - &mut self.shake128_state[0], - &mut out0, - &mut out1, - ); - x2::incremental::shake128_squeeze_next_block( - &mut self.shake128_state[1], - &mut out2, - &mut out3, - ); - out[0] = out0; - out[1] = out1; - out[2] = out2; - out[3] = out3; - } - _ => unreachable!("This function is only called with 2, 3, 4"), - } - out + x2::incremental::shake128_squeezexN(&mut self.shake128_state) } } } diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index 563dd4716..80a07834a 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -349,6 +349,40 @@ pub mod neon { keccakx2::<136, 0x1fu8>([input0, input1], [out0, out1]); } + /// Run up to 4 SHAKE256 operations in parallel. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[allow(non_snake_case)] + pub fn shake256xN( + input: &[[u8; 33]; N], + ) -> [[u8; LEN]; N] { + debug_assert!(N == 2 || N == 3 || N == 4); + + let mut out = [[0u8; LEN]; N]; + match N { + 2 => { + let (out0, out1) = out.split_at_mut(1); + shake256(&input[0], &input[1], &mut out0[0], &mut out1[0]); + } + 3 => { + let mut extra = [0u8; LEN]; + let (out0, out12) = out.split_at_mut(1); + let (out1, out2) = out12.split_at_mut(1); + shake256(&input[0], &input[1], &mut out0[0], &mut out1[0]); + shake256(&input[2], &input[2], &mut out2[0], &mut extra); + } + 4 => { + let (out0, out123) = out.split_at_mut(1); + let (out1, out23) = out123.split_at_mut(1); + let (out2, out3) = out23.split_at_mut(1); + shake256(&input[0], &input[1], &mut out0[0], &mut out1[0]); + shake256(&input[2], &input[3], &mut out2[0], &mut out3[0]); + } + _ => unreachable!("Only 2, 3, or 4 are supported for N"), + } + out + } + /// An incremental API to perform 2 operations in parallel pub mod incremental { #[cfg(all(feature = "simd128", target_arch = "aarch64"))] @@ -390,8 +424,36 @@ pub mod neon { absorb_final::<2, core::arch::aarch64::uint64x2_t, 168, 0x1fu8>(s, [data0, data1]); } + /// Perform up to 4 absorbs at the same time, using two [`KeccakState2`]. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[allow(unused_variables, non_snake_case)] + pub fn shake128_absorb_finalxN( + input: [[u8; 34]; N], + ) -> [KeccakState2; 2] { + debug_assert!(N == 2 || N == 3 || N == 4); + let mut state = [shake128_init(), shake128_init()]; + + match N { + 2 => { + shake128_absorb_final(&mut state[0], &input[0], &input[1]); + } + 3 => { + shake128_absorb_final(&mut state[0], &input[0], &input[1]); + shake128_absorb_final(&mut state[1], &input[2], &input[2]); + } + 4 => { + shake128_absorb_final(&mut state[0], &input[0], &input[1]); + shake128_absorb_final(&mut state[1], &input[2], &input[3]); + } + _ => unreachable!("This function can only called be called with N = 2, 3, 4"), + } + + state + } + #[allow(unused_variables)] - pub fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_first_three_blocks( s: &mut KeccakState2, out0: &mut [u8], out1: &mut [u8], @@ -412,12 +474,63 @@ pub mod neon { ) } + /// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState2`]. + /// Each block is of size `LEN`. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[allow(unused_variables, non_snake_case)] + pub fn shake128_squeeze3xN( + state: &mut [KeccakState2; 2], + ) -> [[u8; LEN]; N] { + debug_assert!(N == 2 || N == 3 || N == 4); + + let mut out = [[0u8; LEN]; N]; + match N { + 2 => { + let (out0, out1) = out.split_at_mut(1); + shake128_squeeze_first_three_blocks( + &mut state[0], + &mut out0[0], + &mut out1[0], + ); + } + 3 => { + let mut extra = [0u8; LEN]; + let (out0, out12) = out.split_at_mut(1); + let (out1, out2) = out12.split_at_mut(1); + shake128_squeeze_first_three_blocks( + &mut state[0], + &mut out0[0], + &mut out1[0], + ); + shake128_squeeze_first_three_blocks( + &mut state[1], + &mut out2[0], + &mut extra, + ); + } + 4 => { + let (out0, out123) = out.split_at_mut(1); + let (out1, out23) = out123.split_at_mut(1); + let (out2, out3) = out23.split_at_mut(1); + shake128_squeeze_first_three_blocks( + &mut state[0], + &mut out0[0], + &mut out1[0], + ); + shake128_squeeze_first_three_blocks( + &mut state[1], + &mut out2[0], + &mut out3[0], + ); + } + _ => unreachable!("This function can only called be called with N = 2, 3, 4"), + } + out + } + #[allow(unused_variables)] - pub fn shake128_squeeze_next_block( - s: &mut KeccakState2, - out0: &mut [u8], - out1: &mut [u8], - ) { + fn shake128_squeeze_next_block(s: &mut KeccakState2, out0: &mut [u8], out1: &mut [u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); // XXX: These functions could alternatively implement the same with @@ -430,6 +543,53 @@ pub mod neon { #[cfg(all(feature = "simd128", target_arch = "aarch64"))] squeeze_next_block::<2, core::arch::aarch64::uint64x2_t, 168>(s, [out0, out1]) } + + /// Squeeze up to 4 (N) blocks in parallel, using two [`KeccakState2`]. + /// Each block is of size `LEN`. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[allow(unused_variables, non_snake_case)] + pub fn shake128_squeezexN( + state: &mut [KeccakState2; 2], + ) -> [[u8; LEN]; N] { + debug_assert!(N == 2 || N == 3 || N == 4); + + let mut out = [[0u8; LEN]; N]; + match N { + 2 => { + let mut out0 = [0u8; LEN]; + let mut out1 = [0u8; LEN]; + shake128_squeeze_next_block(&mut state[0], &mut out0, &mut out1); + out[0] = out0; + out[1] = out1; + } + 3 => { + let mut out0 = [0u8; LEN]; + let mut out1 = [0u8; LEN]; + let mut out2 = [0u8; LEN]; + let mut out3 = [0u8; LEN]; + shake128_squeeze_next_block(&mut state[0], &mut out0, &mut out1); + shake128_squeeze_next_block(&mut state[1], &mut out2, &mut out3); + out[0] = out0; + out[1] = out1; + out[2] = out2; + } + 4 => { + let mut out0 = [0u8; LEN]; + let mut out1 = [0u8; LEN]; + let mut out2 = [0u8; LEN]; + let mut out3 = [0u8; LEN]; + shake128_squeeze_next_block(&mut state[0], &mut out0, &mut out1); + shake128_squeeze_next_block(&mut state[1], &mut out2, &mut out3); + out[0] = out0; + out[1] = out1; + out[2] = out2; + out[3] = out3; + } + _ => unreachable!("This function is only called with N = 2, 3, 4"), + } + out + } } } } From 92257b7c962c3e884d160e0af7aedcea3a80d06c Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 22 May 2024 11:03:17 +0200 Subject: [PATCH 4/7] inline hashing and avx2 hax extraction --- libcrux-ml-kem/src/hash_functions.rs | 183 +++----------------- libcrux-sha3/src/lib.rs | 245 ++++++++++++++++++++++++++- 2 files changed, 266 insertions(+), 162 deletions(-) diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs index d60d6e162..f463042a2 100644 --- a/libcrux-ml-kem/src/hash_functions.rs +++ b/libcrux-ml-kem/src/hash_functions.rs @@ -59,24 +59,28 @@ pub(crate) mod portable { } impl Hash for PortableHash { + #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; portable::sha512(&mut digest, input); digest } + #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; portable::sha256(&mut digest, input); digest } + #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; portable::shake256(&mut digest, input); digest } + #[inline(always)] fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -87,6 +91,7 @@ pub(crate) mod portable { out } + #[inline(always)] fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { debug_assert!(K == 2 || K == 3 || K == 4); @@ -99,6 +104,7 @@ pub(crate) mod portable { } } + #[inline(always)] fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -109,6 +115,7 @@ pub(crate) mod portable { out } + #[inline(always)] fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -138,197 +145,53 @@ pub(crate) mod avx2 { } impl Hash for Simd256Hash { + #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; portable::sha512(&mut digest, input); digest } + #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; portable::sha256(&mut digest, input); digest } + #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; portable::shake256(&mut digest, input); digest } + #[inline(always)] fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { debug_assert!(K == 2 || K == 3 || K == 4); - let mut out = [[0u8; LEN]; K]; - - match K { - 2 => { - let mut dummy_out0 = [0u8; LEN]; - let mut dummy_out1 = [0u8; LEN]; - let (out0, out1) = out.split_at_mut(1); - x4::shake256( - &input[0], - &input[1], - &input[0], - &input[0], - &mut out0[0], - &mut out1[0], - &mut dummy_out0, - &mut dummy_out1, - ); - } - 3 => { - let mut dummy_out0 = [0u8; LEN]; - let (out0, out12) = out.split_at_mut(1); - let (out1, out2) = out12.split_at_mut(1); - x4::shake256( - &input[0], - &input[1], - &input[2], - &input[0], - &mut out0[0], - &mut out1[0], - &mut out2[0], - &mut dummy_out0, - ); - } - 4 => { - let (out0, out123) = out.split_at_mut(1); - let (out1, out23) = out123.split_at_mut(1); - let (out2, out3) = out23.split_at_mut(1); - x4::shake256( - &input[0], - &input[1], - &input[2], - &input[3], - &mut out0[0], - &mut out1[0], - &mut out2[0], - &mut out3[0], - ); - } - _ => unreachable!("This function is only called with 2, 3, 4"), - } - out + x4::shake256xN(input) } + #[inline(always)] fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { debug_assert!(K == 2 || K == 3 || K == 4); - let mut state = x4::incremental::shake128_init(); - - match K { - 2 => { - x4::incremental::shake128_absorb_final( - &mut state, &input[0], &input[1], &input[0], &input[0], - ); - } - 3 => { - x4::incremental::shake128_absorb_final( - &mut state, &input[0], &input[1], &input[2], &input[0], - ); - } - 4 => { - x4::incremental::shake128_absorb_final( - &mut state, &input[0], &input[1], &input[2], &input[3], - ); - } - _ => unreachable!("This function is only called with 2, 3, 4"), - } + let state = x4::incremental::shake128_absorb_finalxN(input); + Self { shake128_state: state, } } + #[inline(always)] fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); - - let mut out = [[0u8; THREE_BLOCKS]; K]; - match K { - 2 => { - let mut dummy_out0 = [0u8; THREE_BLOCKS]; - let mut dummy_out1 = [0u8; THREE_BLOCKS]; - let (out0, out1) = out.split_at_mut(1); - x4::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state, - &mut out0[0], - &mut out1[0], - &mut dummy_out0, - &mut dummy_out1, - ); - } - 3 => { - let mut dummy_out0 = [0u8; THREE_BLOCKS]; - let (out0, out12) = out.split_at_mut(1); - let (out1, out2) = out12.split_at_mut(1); - x4::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state, - &mut out0[0], - &mut out1[0], - &mut out2[0], - &mut dummy_out0, - ); - } - 4 => { - let (out0, out123) = out.split_at_mut(1); - let (out1, out23) = out123.split_at_mut(1); - let (out2, out3) = out23.split_at_mut(1); - x4::incremental::shake128_squeeze_first_three_blocks( - &mut self.shake128_state, - &mut out0[0], - &mut out1[0], - &mut out2[0], - &mut out3[0], - ); - } - _ => unreachable!("This function is only called with 2, 3, 4"), - } - out + x4::incremental::shake128_squeeze3xN(&mut self.shake128_state) } + #[inline(always)] fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); - - let mut dummy_out0 = [0u8; BLOCK_SIZE]; - let mut dummy_out1 = [0u8; BLOCK_SIZE]; - - let mut out = [[0u8; BLOCK_SIZE]; K]; - - match K { - 2 => { - let (out0, out1) = out.split_at_mut(1); - x4::incremental::shake128_squeeze_next_block( - &mut self.shake128_state, - &mut out0[0], - &mut out1[0], - &mut dummy_out0, - &mut dummy_out1, - ); - } - 3 => { - let (out0, out12) = out.split_at_mut(1); - let (out1, out2) = out12.split_at_mut(1); - x4::incremental::shake128_squeeze_next_block( - &mut self.shake128_state, - &mut out0[0], - &mut out1[0], - &mut out2[0], - &mut dummy_out0, - ); - } - 4 => { - let (out0, out123) = out.split_at_mut(1); - let (out1, out23) = out123.split_at_mut(1); - let (out2, out3) = out23.split_at_mut(1); - x4::incremental::shake128_squeeze_next_block( - &mut self.shake128_state, - &mut out0[0], - &mut out1[0], - &mut out2[0], - &mut out3[0], - ); - } - _ => unreachable!("This function is only called with 2, 3, 4"), - } - out + x4::incremental::shake128_squeezexN(&mut self.shake128_state) } } } @@ -347,30 +210,34 @@ pub(crate) mod neon { } impl Hash for Simd128Hash { + #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; libcrux_sha3::neon::sha512(&mut digest, input); digest } + #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; libcrux_sha3::neon::sha256(&mut digest, input); digest } + #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; libcrux_sha3::neon::shake256(&mut digest, input); digest } + #[inline(always)] fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K] { debug_assert!(K == 2 || K == 3 || K == 4); - x2::shake256xN(input) } + #[inline(always)] fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { debug_assert!(K == 2 || K == 3 || K == 4); let state = x2::incremental::shake128_absorb_finalxN(input); @@ -380,11 +247,13 @@ pub(crate) mod neon { } } + #[inline(always)] fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); x2::incremental::shake128_squeeze3xN(&mut self.shake128_state) } + #[inline(always)] fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); x2::incremental::shake128_squeezexN(&mut self.shake128_state) diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index 80a07834a..2f311bc77 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -186,31 +186,37 @@ pub mod portable { } /// A portable SHA3 224 implementation. + #[inline(always)] pub fn sha224(digest: &mut [u8], data: &[u8]) { keccakx1::<144, 0x06u8>([data], [digest]); } /// A portable SHA3 256 implementation. + #[inline(always)] pub fn sha256(digest: &mut [u8], data: &[u8]) { keccakx1::<136, 0x06u8>([data], [digest]); } /// A portable SHA3 384 implementation. + #[inline(always)] pub fn sha384(digest: &mut [u8], data: &[u8]) { keccakx1::<104, 0x06u8>([data], [digest]); } /// A portable SHA3 512 implementation. + #[inline(always)] pub fn sha512(digest: &mut [u8], data: &[u8]) { keccakx1::<72, 0x06u8>([data], [digest]); } /// A portable SHAKE128 implementation. + #[inline(always)] pub fn shake128(digest: &mut [u8; LEN], data: &[u8]) { keccakx1::<168, 0x1fu8>([data], [digest]); } /// A portable SHAKE256 implementation. + #[inline(always)] pub fn shake256(digest: &mut [u8; LEN], data: &[u8]) { keccakx1::<136, 0x1fu8>([data], [digest]); } @@ -222,21 +228,25 @@ pub mod portable { use super::*; /// Initialise the SHAKE state. + #[inline(always)] pub fn shake128_init() -> KeccakState1 { KeccakState1::new() } /// Absorb + #[inline(always)] pub fn shake128_absorb_final(s: &mut KeccakState1, data0: &[u8]) { absorb_final::<1, u64, 168, 0x1fu8>(s, [data0]); } /// Squeeze three blocks + #[inline(always)] pub fn shake128_squeeze_first_three_blocks(s: &mut KeccakState1, out0: &mut [u8]) { squeeze_first_three_blocks::<1, u64, 168>(s, [out0]) } /// Squeeze another block + #[inline(always)] pub fn shake128_squeeze_next_block(s: &mut KeccakState1, out0: &mut [u8]) { squeeze_next_block::<1, u64, 168>(s, [out0]) } @@ -262,6 +272,7 @@ pub mod neon { /// A portable SHA3 224 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha224(digest: &mut [u8], data: &[u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -274,6 +285,7 @@ pub mod neon { /// A portable SHA3 256 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha256(digest: &mut [u8], data: &[u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -286,6 +298,7 @@ pub mod neon { /// A portable SHA3 384 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha384(digest: &mut [u8], data: &[u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -298,6 +311,7 @@ pub mod neon { /// A portable SHA3 512 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha512(digest: &mut [u8], data: &[u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -310,6 +324,7 @@ pub mod neon { /// A portable SHAKE128 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn shake128(digest: &mut [u8; LEN], data: &[u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -322,6 +337,7 @@ pub mod neon { /// A portable SHAKE256 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn shake256(digest: &mut [u8; LEN], data: &[u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -341,6 +357,7 @@ pub mod neon { /// /// Writes the two results into `out0` and `out1` #[allow(unused_variables)] + #[inline(always)] pub fn shake256(input0: &[u8], input1: &[u8], out0: &mut [u8], out1: &mut [u8]) { // TODO: make argument ordering consistent #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] @@ -353,6 +370,7 @@ pub mod neon { /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(non_snake_case)] + #[inline(always)] pub fn shake256xN( input: &[[u8; 33]; N], ) -> [[u8; LEN]; N] { @@ -395,6 +413,8 @@ pub mod neon { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] pub type KeccakState2 = [crate::portable::KeccakState1; 2]; + /// Initialise the `KeccakState2`. + #[inline(always)] pub fn shake128_init() -> KeccakState2 { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -409,8 +429,9 @@ pub mod neon { KeccakState2::new() } + #[inline(always)] #[allow(unused_variables)] - pub fn shake128_absorb_final(s: &mut KeccakState2, data0: &[u8], data1: &[u8]) { + fn shake128_absorb_final(s: &mut KeccakState2, data0: &[u8], data1: &[u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); // XXX: These functions could alternatively implement the same with @@ -424,10 +445,12 @@ pub mod neon { absorb_final::<2, core::arch::aarch64::uint64x2_t, 168, 0x1fu8>(s, [data0, data1]); } - /// Perform up to 4 absorbs at the same time, using two [`KeccakState2`]. + /// Initialise the state and perform up to 4 absorbs at the same time, + /// using two [`KeccakState2`]. /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] + #[inline(always)] pub fn shake128_absorb_finalxN( input: [[u8; 34]; N], ) -> [KeccakState2; 2] { @@ -453,6 +476,7 @@ pub mod neon { } #[allow(unused_variables)] + #[inline(always)] fn shake128_squeeze_first_three_blocks( s: &mut KeccakState2, out0: &mut [u8], @@ -479,6 +503,7 @@ pub mod neon { /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] + #[inline(always)] pub fn shake128_squeeze3xN( state: &mut [KeccakState2; 2], ) -> [[u8; LEN]; N] { @@ -530,6 +555,7 @@ pub mod neon { } #[allow(unused_variables)] + #[inline(always)] fn shake128_squeeze_next_block(s: &mut KeccakState2, out0: &mut [u8], out1: &mut [u8]) { #[cfg(not(all(feature = "simd128", target_arch = "aarch64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -549,6 +575,7 @@ pub mod neon { /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] + #[inline(always)] pub fn shake128_squeezexN( state: &mut [KeccakState2; 2], ) -> [[u8; LEN]; N] { @@ -610,6 +637,7 @@ pub mod avx2 { /// Perform 4 SHAKE256 operations in parallel #[allow(unused_variables)] // TODO: decide if we want to fall back here + #[inline(always)] pub fn shake256( input0: &[u8], input1: &[u8], @@ -642,6 +670,68 @@ pub mod avx2 { ); } + /// Run up to 4 SHAKE256 operations in parallel. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[allow(unused_variables, non_snake_case)] + #[inline(always)] + pub fn shake256xN( + input: &[[u8; 33]; N], + ) -> [[u8; LEN]; N] { + debug_assert!(N == 2 || N == 3 || N == 4); + let mut out = [[0u8; LEN]; N]; + + match N { + 2 => { + let mut dummy_out0 = [0u8; LEN]; + let mut dummy_out1 = [0u8; LEN]; + let (out0, out1) = out.split_at_mut(1); + shake256( + &input[0], + &input[1], + &input[0], + &input[0], + &mut out0[0], + &mut out1[0], + &mut dummy_out0, + &mut dummy_out1, + ); + } + 3 => { + let mut dummy_out0 = [0u8; LEN]; + let (out0, out12) = out.split_at_mut(1); + let (out1, out2) = out12.split_at_mut(1); + shake256( + &input[0], + &input[1], + &input[2], + &input[0], + &mut out0[0], + &mut out1[0], + &mut out2[0], + &mut dummy_out0, + ); + } + 4 => { + let (out0, out123) = out.split_at_mut(1); + let (out1, out23) = out123.split_at_mut(1); + let (out2, out3) = out23.split_at_mut(1); + shake256( + &input[0], + &input[1], + &input[2], + &input[3], + &mut out0[0], + &mut out1[0], + &mut out2[0], + &mut out3[0], + ); + } + _ => unreachable!("This function must only be called with N = 2, 3, 4"), + } + out + } + /// An incremental API to perform 4 operations in parallel pub mod incremental { #[cfg(all(feature = "simd256", target_arch = "x86_64"))] @@ -659,6 +749,8 @@ pub mod avx2 { )))] pub type KeccakState4 = [crate::portable::KeccakState1; 4]; + /// Initialise the [`KeccakState4`]. + #[inline(always)] pub fn shake128_init() -> KeccakState4 { #[cfg(not(all(feature = "simd256", target_arch = "x86_64")))] unimplemented!("The target architecture does not support neon instructions."); @@ -682,8 +774,9 @@ pub mod avx2 { KeccakState4::new() } + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here - pub fn shake128_absorb_final( + fn shake128_absorb_final( s: &mut KeccakState4, data0: &[u8], data1: &[u8], @@ -721,8 +814,41 @@ pub mod avx2 { ); } + /// Initialise the state and perform up to 4 absorbs at the same time, + /// using two [`KeccakState4`]. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[inline(always)] + #[allow(unused_variables, non_snake_case)] + pub fn shake128_absorb_finalxN(input: [[u8; 34]; N]) -> KeccakState4 { + debug_assert!(N == 2 || N == 3 || N == 4); + let mut state = shake128_init(); + + match N { + 2 => { + shake128_absorb_final( + &mut state, &input[0], &input[1], &input[0], &input[0], + ); + } + 3 => { + shake128_absorb_final( + &mut state, &input[0], &input[1], &input[2], &input[0], + ); + } + 4 => { + shake128_absorb_final( + &mut state, &input[0], &input[1], &input[2], &input[3], + ); + } + _ => unreachable!("This function must only be called with N = 2, 3, 4"), + } + + state + } + + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here - pub fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_first_three_blocks( s: &mut KeccakState4, out0: &mut [u8], out1: &mut [u8], @@ -760,8 +886,63 @@ pub mod avx2 { ); } + /// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState4`]. + /// Each block is of size `LEN`. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[inline(always)] + #[allow(unused_variables, non_snake_case)] + pub fn shake128_squeeze3xN( + state: &mut KeccakState4, + ) -> [[u8; LEN]; N] { + debug_assert!(N == 2 || N == 3 || N == 4); + + let mut out = [[0u8; LEN]; N]; + match N { + 2 => { + let mut dummy_out0 = [0u8; LEN]; + let mut dummy_out1 = [0u8; LEN]; + let (out0, out1) = out.split_at_mut(1); + shake128_squeeze_first_three_blocks( + state, + &mut out0[0], + &mut out1[0], + &mut dummy_out0, + &mut dummy_out1, + ); + } + 3 => { + let mut dummy_out0 = [0u8; LEN]; + let (out0, out12) = out.split_at_mut(1); + let (out1, out2) = out12.split_at_mut(1); + shake128_squeeze_first_three_blocks( + state, + &mut out0[0], + &mut out1[0], + &mut out2[0], + &mut dummy_out0, + ); + } + 4 => { + let (out0, out123) = out.split_at_mut(1); + let (out1, out23) = out123.split_at_mut(1); + let (out2, out3) = out23.split_at_mut(1); + shake128_squeeze_first_three_blocks( + state, + &mut out0[0], + &mut out1[0], + &mut out2[0], + &mut out3[0], + ); + } + _ => unreachable!("This function must only be called with N = 2, 3, 4"), + } + out + } + + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here - pub fn shake128_squeeze_next_block( + fn shake128_squeeze_next_block( s: &mut KeccakState4, out0: &mut [u8], out1: &mut [u8], @@ -798,6 +979,60 @@ pub mod avx2 { [out0, out1, out2, out3], ); } + + /// Squeeze up to 4 (N) blocks in parallel, using two [`KeccakState4`]. + /// Each block is of size `LEN`. + /// + /// **PANICS** when `N` is not 2, 3, or 4. + #[allow(unused_variables, non_snake_case)] + #[inline(always)] + pub fn shake128_squeezexN( + state: &mut KeccakState4, + ) -> [[u8; LEN]; N] { + debug_assert!(N == 2 || N == 3 || N == 4); + + let mut out = [[0u8; LEN]; N]; + match N { + 2 => { + let mut dummy_out0 = [0u8; LEN]; + let mut dummy_out1 = [0u8; LEN]; + let (out0, out1) = out.split_at_mut(1); + shake128_squeeze_next_block( + state, + &mut out0[0], + &mut out1[0], + &mut dummy_out0, + &mut dummy_out1, + ); + } + 3 => { + let mut dummy_out0 = [0u8; LEN]; + let (out0, out12) = out.split_at_mut(1); + let (out1, out2) = out12.split_at_mut(1); + shake128_squeeze_next_block( + state, + &mut out0[0], + &mut out1[0], + &mut out2[0], + &mut dummy_out0, + ); + } + 4 => { + let (out0, out123) = out.split_at_mut(1); + let (out1, out23) = out123.split_at_mut(1); + let (out2, out3) = out23.split_at_mut(1); + shake128_squeeze_next_block( + state, + &mut out0[0], + &mut out1[0], + &mut out2[0], + &mut out3[0], + ); + } + _ => unreachable!("This function is only called with 2, 3, 4"), + } + out + } } } } From ad78b1037e567c14f7970b403b992de1a09584c4 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 22 May 2024 11:07:40 +0200 Subject: [PATCH 5/7] changes for F* extraction --- libcrux-ml-kem/src/ind_cpa.rs | 11 ++++++++--- libcrux-ml-kem/src/sampling.rs | 6 ++++-- libcrux-sha3/src/generic_keccak.rs | 2 -- libcrux-sha3/src/traits.rs | 2 +- 4 files changed, 13 insertions(+), 8 deletions(-) diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs index 2271b9ed9..594f3088f 100644 --- a/libcrux-ml-kem/src/ind_cpa.rs +++ b/libcrux-ml-kem/src/ind_cpa.rs @@ -321,13 +321,18 @@ pub(crate) fn encrypt< let v = compute_ring_element_v(&t_as_ntt, &r_as_ntt, &error_2, &message_as_ring_element); let mut ciphertext = [0u8; CIPHERTEXT_SIZE]; - let (c1, c2) = ciphertext.split_at_mut(C1_LEN); // c_1 := Encode_{du}(Compress_q(u,d_u)) - compress_then_serialize_u::(u, c1); + compress_then_serialize_u::( + u, + &mut ciphertext[0..C1_LEN], + ); // c_2 := Encode_{dv}(Compress_q(v,d_v)) - compress_then_serialize_ring_element_v::(v, c2); + compress_then_serialize_ring_element_v::( + v, + &mut ciphertext[C1_LEN..], + ); ciphertext } diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs index 26e6ff216..c9e4b8ff9 100644 --- a/libcrux-ml-kem/src/sampling.rs +++ b/libcrux-ml-kem/src/sampling.rs @@ -53,8 +53,10 @@ fn sample_from_uniform_distribution_next> { pub st: [[T; 5]; 5], @@ -20,7 +19,6 @@ impl> Index for KeccakState { } } -#[allow(private_bounds)] // TODO: figure out visibility impl> KeccakState { /// Create a new Shake128 x4 state. #[inline(always)] diff --git a/libcrux-sha3/src/traits.rs b/libcrux-sha3/src/traits.rs index a499305e3..f8dc30c79 100644 --- a/libcrux-sha3/src/traits.rs +++ b/libcrux-sha3/src/traits.rs @@ -1,5 +1,5 @@ /// A trait for multiplexing implementations. -pub(crate) trait KeccakItem: Clone + Copy { +pub trait KeccakItem: Clone + Copy { fn zero() -> Self; fn xor5(a: Self, b: Self, c: Self, d: Self, e: Self) -> Self; fn rotate_left1_and_xor(a: Self, b: Self) -> Self; From 0c67a85b028f74bac401f6adf14581b2e05104e1 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 22 May 2024 11:11:44 +0200 Subject: [PATCH 6/7] updated F* --- .../extraction/Libcrux_ml_kem.Constants.fsti | 10 +- .../Libcrux_ml_kem.Hash_functions.Avx2.fsti | 145 +++++ .../Libcrux_ml_kem.Hash_functions.Neon.fsti | 148 +++++ ...ibcrux_ml_kem.Hash_functions.Portable.fsti | 283 +++++++++ .../Libcrux_ml_kem.Hash_functions.fst | 127 ---- .../Libcrux_ml_kem.Hash_functions.fsti | 74 ++- ..._ml_kem.fst => Libcrux_ml_kem.Ind_cca.fst} | 397 ++++++++----- ...l_kem.fsti => Libcrux_ml_kem.Ind_cca.fsti} | 51 +- .../extraction/Libcrux_ml_kem.Ind_cpa.fst | 289 ++++++---- .../extraction/Libcrux_ml_kem.Ind_cpa.fsti | 27 +- .../extraction/Libcrux_ml_kem.Invert_ntt.fst | 314 ++++++++++ .../extraction/Libcrux_ml_kem.Invert_ntt.fsti | 60 ++ .../extraction/Libcrux_ml_kem.Matrix.fst | 172 +++--- .../extraction/Libcrux_ml_kem.Matrix.fsti | 33 +- ...r1024.fst => Libcrux_ml_kem.Mlkem1024.fst} | 27 +- ...024.fsti => Libcrux_ml_kem.Mlkem1024.fsti} | 37 +- ...ber512.fst => Libcrux_ml_kem.Mlkem512.fst} | 26 +- ...r512.fsti => Libcrux_ml_kem.Mlkem512.fsti} | 37 +- ...ber768.fst => Libcrux_ml_kem.Mlkem768.fst} | 27 +- ...r768.fsti => Libcrux_ml_kem.Mlkem768.fsti} | 37 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fst | 473 ++++++++++++--- .../fstar/extraction/Libcrux_ml_kem.Ntt.fsti | 68 ++- .../extraction/Libcrux_ml_kem.Polynomial.fst | 545 ++---------------- .../extraction/Libcrux_ml_kem.Polynomial.fsti | 111 +--- .../extraction/Libcrux_ml_kem.Sampling.fst | 336 ++++++----- .../extraction/Libcrux_ml_kem.Sampling.fsti | 11 +- .../extraction/Libcrux_ml_kem.Serialize.fst | 406 ++++++------- .../extraction/Libcrux_ml_kem.Serialize.fsti | 11 +- .../fstar/extraction/Libcrux_ml_kem.Types.fst | 6 - .../extraction/Libcrux_ml_kem.Types.fsti | 23 +- .../extraction/Libcrux_polynomials_avx2.fst | 4 +- 31 files changed, 2612 insertions(+), 1703 deletions(-) create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti delete mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fst rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.fst => Libcrux_ml_kem.Ind_cca.fst} (53%) rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.fsti => Libcrux_ml_kem.Ind_cca.fsti} (82%) create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.Kyber1024.fst => Libcrux_ml_kem.Mlkem1024.fst} (59%) rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.Kyber1024.fsti => Libcrux_ml_kem.Mlkem1024.fsti} (80%) rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.Kyber512.fst => Libcrux_ml_kem.Mlkem512.fst} (59%) rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.Kyber512.fsti => Libcrux_ml_kem.Mlkem512.fsti} (80%) rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.Kyber768.fst => Libcrux_ml_kem.Mlkem768.fst} (59%) rename libcrux-ml-kem/proofs/fstar/extraction/{Libcrux_ml_kem.Kyber768.fsti => Libcrux_ml_kem.Mlkem768.fsti} (80%) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti index 1595f5594..775204a6c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti @@ -17,10 +17,14 @@ let v_BYTES_PER_RING_ELEMENT: usize = v_BITS_PER_RING_ELEMENT /! sz 8 let v_CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = sz 32 -/// Field modulus: 3329 -let v_FIELD_MODULUS: i32 = 3329l +/// SHA3 512 digest size +let v_G_DIGEST_SIZE: usize = sz 64 +/// SHA3 256 digest size let v_H_DIGEST_SIZE: usize = sz 32 -/// PKE message size +/// The size of an ML-KEM shared secret. let v_SHARED_SECRET_SIZE: usize = sz 32 + +/// Field modulus: 3329 +let v__FIELD_MODULUS: i16 = 3329s diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti new file mode 100644 index 000000000..a1c8ed093 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti @@ -0,0 +1,145 @@ +module Libcrux_ml_kem.Hash_functions.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +/// The state. +/// It's only used for SHAKE128. +/// All other functions don't actually use any members. +type t_Simd256Hash = { + f_shake128_state:Libcrux_sha3.Generic_keccak.t_KeccakState (sz 4) Core.Core_arch.X86.t____m256i +} + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = + { + f_G_pre = (fun (input: t_Slice u8) -> true); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); + f_G + = + (fun (input: t_Slice u8) -> + let digest:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let digest:t_Array u8 (sz 64) = Libcrux_sha3.Portable.sha512 digest input in + digest); + f_H_pre = (fun (input: t_Slice u8) -> true); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); + f_H + = + (fun (input: t_Slice u8) -> + let digest:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let digest:t_Array u8 (sz 32) = Libcrux_sha3.Portable.sha256 digest input in + digest); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); + f_PRF + = + (fun (v_LEN: usize) (input: t_Slice u8) -> + let digest:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in + let digest:t_Array u8 v_LEN = Libcrux_sha3.Portable.shake256 v_LEN digest input in + digest); + f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true); + f_PRFxN_post + = + (fun + (v_LEN: usize) + (input: t_Array (t_Array u8 (sz 33)) v_K) + (out: t_Array (t_Array u8 v_LEN) v_K) + -> + true); + f_PRFxN + = + (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Libcrux_sha3.Avx2.X4.shake256xN v_LEN v_K input); + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post + = + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd256Hash) -> true); + f_shake128_init_absorb + = + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let state:Libcrux_sha3.Generic_keccak.t_KeccakState (sz 4) Core.Core_arch.X86.t____m256i = + Libcrux_sha3.Avx2.X4.Incremental.shake128_absorb_finalxN v_K input + in + { f_shake128_state = state } <: t_Simd256Hash); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_three_blocks_post + = + (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); + f_shake128_squeeze_three_blocks + = + (fun (self: t_Simd256Hash) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let tmp0, out:(Libcrux_sha3.Generic_keccak.t_KeccakState (sz 4) + Core.Core_arch.X86.t____m256i & + t_Array (t_Array u8 (sz 504)) v_K) = + Libcrux_sha3.Avx2.X4.Incremental.shake128_squeeze3xN (sz 504) v_K self.f_shake128_state + in + let self:t_Simd256Hash = { self with f_shake128_state = tmp0 } <: t_Simd256Hash in + let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in + self, hax_temp_output <: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)); + f_shake128_squeeze_block_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_block_post + = + (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); + f_shake128_squeeze_block + = + fun (self: t_Simd256Hash) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let tmp0, out:(Libcrux_sha3.Generic_keccak.t_KeccakState (sz 4) Core.Core_arch.X86.t____m256i & + t_Array (t_Array u8 (sz 168)) v_K) = + Libcrux_sha3.Avx2.X4.Incremental.shake128_squeezexN (sz 168) v_K self.f_shake128_state + in + let self:t_Simd256Hash = { self with f_shake128_state = tmp0 } <: t_Simd256Hash in + let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in + self, hax_temp_output <: (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) + } diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti new file mode 100644 index 000000000..9b65ef28b --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti @@ -0,0 +1,148 @@ +module Libcrux_ml_kem.Hash_functions.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +/// The state. +/// It's only used for SHAKE128. +/// All other functions don't actually use any members. +type t_Simd128Hash = { + f_shake128_state:t_Array (t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) (sz 2)) + (sz 2) +} + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = + { + f_G_pre = (fun (input: t_Slice u8) -> true); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); + f_G + = + (fun (input: t_Slice u8) -> + let digest:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let digest:t_Array u8 (sz 64) = Libcrux_sha3.Neon.sha512 digest input in + digest); + f_H_pre = (fun (input: t_Slice u8) -> true); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); + f_H + = + (fun (input: t_Slice u8) -> + let digest:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let digest:t_Array u8 (sz 32) = Libcrux_sha3.Neon.sha256 digest input in + digest); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); + f_PRF + = + (fun (v_LEN: usize) (input: t_Slice u8) -> + let digest:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in + let digest:t_Array u8 v_LEN = Libcrux_sha3.Neon.shake256 v_LEN digest input in + digest); + f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true); + f_PRFxN_post + = + (fun + (v_LEN: usize) + (input: t_Array (t_Array u8 (sz 33)) v_K) + (out: t_Array (t_Array u8 v_LEN) v_K) + -> + true); + f_PRFxN + = + (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + Libcrux_sha3.Neon.X2.shake256xN v_LEN v_K input); + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post + = + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd128Hash) -> true); + f_shake128_init_absorb + = + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let state:t_Array (t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) (sz 2)) + (sz 2) = + Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_finalxN v_K input + in + { f_shake128_state = state } <: t_Simd128Hash); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_three_blocks_post + = + (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); + f_shake128_squeeze_three_blocks + = + (fun (self: t_Simd128Hash) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let tmp0, out:(t_Array + (t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) (sz 2)) (sz 2) & + t_Array (t_Array u8 (sz 504)) v_K) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze3xN (sz 504) v_K self.f_shake128_state + in + let self:t_Simd128Hash = { self with f_shake128_state = tmp0 } <: t_Simd128Hash in + let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in + self, hax_temp_output <: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)); + f_shake128_squeeze_block_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_block_post + = + (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); + f_shake128_squeeze_block + = + fun (self: t_Simd128Hash) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let tmp0, out:(t_Array (t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) (sz 2)) + (sz 2) & + t_Array (t_Array u8 (sz 168)) v_K) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeezexN (sz 168) v_K self.f_shake128_state + in + let self:t_Simd128Hash = { self with f_shake128_state = tmp0 } <: t_Simd128Hash in + let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in + self, hax_temp_output <: (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) + } diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti new file mode 100644 index 000000000..8e0d569e7 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti @@ -0,0 +1,283 @@ +module Libcrux_ml_kem.Hash_functions.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +/// The state. +/// It's only used for SHAKE128. +/// All other functions don't actually use any members. +type t_PortableHash (v_K: usize) = { + f_shake128_state:t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) v_K +} + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K = + { + f_G_pre = (fun (input: t_Slice u8) -> true); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); + f_G + = + (fun (input: t_Slice u8) -> + let digest:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let digest:t_Array u8 (sz 64) = Libcrux_sha3.Portable.sha512 digest input in + digest); + f_H_pre = (fun (input: t_Slice u8) -> true); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); + f_H + = + (fun (input: t_Slice u8) -> + let digest:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let digest:t_Array u8 (sz 32) = Libcrux_sha3.Portable.sha256 digest input in + digest); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); + f_PRF + = + (fun (v_LEN: usize) (input: t_Slice u8) -> + let digest:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in + let digest:t_Array u8 v_LEN = Libcrux_sha3.Portable.shake256 v_LEN digest input in + digest); + f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true); + f_PRFxN_post + = + (fun + (v_LEN: usize) + (input: t_Array (t_Array u8 (sz 33)) v_K) + (out1: t_Array (t_Array u8 v_LEN) v_K) + -> + true); + f_PRFxN + = + (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let out:t_Array (t_Array u8 v_LEN) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy v_LEN <: t_Array u8 v_LEN) v_K + in + let out:t_Array (t_Array u8 v_LEN) v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + out + (fun out i -> + let out:t_Array (t_Array u8 v_LEN) v_K = out in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i + (Libcrux_sha3.Portable.shake256 v_LEN + (out.[ i ] <: t_Array u8 v_LEN) + (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 33)) <: t_Slice u8) + <: + t_Array u8 v_LEN) + <: + t_Array (t_Array u8 v_LEN) v_K) + in + out); + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post + = + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_PortableHash v_K) -> true); + f_shake128_init_absorb + = + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let state:t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) v_K = + Rust_primitives.Hax.repeat (Libcrux_sha3.Portable.Incremental.shake128_init () + <: + Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) + v_K + in + let state:t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + state + (fun state i -> + let state:t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) v_K = + state + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + i + (Libcrux_sha3.Portable.Incremental.shake128_absorb_final (state.[ i ] + <: + Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) + (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) + <: + Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) + <: + t_Array (Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) v_K) + in + { f_shake128_state = state } <: t_PortableHash v_K); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_three_blocks_post + = + (fun + (self: t_PortableHash v_K) + (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)) + -> + true); + f_shake128_squeeze_three_blocks + = + (fun (self: t_PortableHash v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let out:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504) + ) + v_K + in + let out, self:(t_Array (t_Array u8 (sz 504)) v_K & t_PortableHash v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (out, self <: (t_Array (t_Array u8 (sz 504)) v_K & t_PortableHash v_K)) + (fun temp_0_ i -> + let out, self:(t_Array (t_Array u8 (sz 504)) v_K & t_PortableHash v_K) = temp_0_ in + let i:usize = i in + let tmp0, tmp1:(Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64 & + t_Array u8 (sz 504)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_three_blocks (self + .f_shake128_state.[ i ] + <: + Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) + (out.[ i ] <: t_Array u8 (sz 504)) + in + let self:t_PortableHash v_K = + { + self with + f_shake128_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self + .f_shake128_state + i + tmp0 + } + <: + t_PortableHash v_K + in + let out:t_Array (t_Array u8 (sz 504)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i tmp1 + in + out, self <: (t_Array (t_Array u8 (sz 504)) v_K & t_PortableHash v_K)) + in + let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in + self, hax_temp_output <: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)); + f_shake128_squeeze_block_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_block_post + = + (fun + (self: t_PortableHash v_K) + (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)) + -> + true); + f_shake128_squeeze_block + = + fun (self: t_PortableHash v_K) -> + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" + + <: + Rust_primitives.Hax.t_Never) + in + () + in + let out:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) + v_K + in + let out, self:(t_Array (t_Array u8 (sz 168)) v_K & t_PortableHash v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (out, self <: (t_Array (t_Array u8 (sz 168)) v_K & t_PortableHash v_K)) + (fun temp_0_ i -> + let out, self:(t_Array (t_Array u8 (sz 168)) v_K & t_PortableHash v_K) = temp_0_ in + let i:usize = i in + let tmp0, tmp1:(Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64 & + t_Array u8 (sz 168)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block (self.f_shake128_state.[ + i ] + <: + Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64) + (out.[ i ] <: t_Array u8 (sz 168)) + in + let self:t_PortableHash v_K = + { + self with + f_shake128_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_shake128_state + i + tmp0 + } + <: + t_PortableHash v_K + in + let out:t_Array (t_Array u8 (sz 168)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i tmp1 + in + out, self <: (t_Array (t_Array u8 (sz 168)) v_K & t_PortableHash v_K)) + in + let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in + self, hax_temp_output <: (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) + } diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fst deleted file mode 100644 index ab33c84ba..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fst +++ /dev/null @@ -1,127 +0,0 @@ -module Libcrux_ml_kem.Hash_functions -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -let free_state (xof_state: Libcrux_sha3.X4.t_Shake128StateX4) = - let _:Prims.unit = Libcrux_sha3.X4.impl__Shake128StateX4__free_memory xof_state in - () - -let v_H (input: t_Slice u8) = Libcrux_sha3.sha256 input - -let v_G (input: t_Slice u8) = Libcrux_sha3.sha512 input - -let v_PRF (v_LEN: usize) (input: t_Slice u8) = Libcrux_sha3.shake256 v_LEN input - -let squeeze_block (v_K: usize) (xof_state: Libcrux_sha3.X4.t_Shake128StateX4) = - let tmp0, out1:(Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) v_K) = - Libcrux_sha3.X4.impl__Shake128StateX4__squeeze_blocks (sz 168) v_K xof_state - in - let xof_state:Libcrux_sha3.X4.t_Shake128StateX4 = tmp0 in - let (output: t_Array (t_Array u8 (sz 168)) v_K):t_Array (t_Array u8 (sz 168)) v_K = out1 in - let out:t_Array (t_Array u8 (sz 168)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 168) <: t_Array u8 (sz 168)) v_K - in - let out:t_Array (t_Array u8 (sz 168)) v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - out - (fun out i -> - let out:t_Array (t_Array u8 (sz 168)) v_K = out in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - (output.[ i ] <: t_Array u8 (sz 168)) - <: - t_Array (t_Array u8 (sz 168)) v_K) - in - let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in - xof_state, hax_temp_output - <: - (Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) v_K) - -let squeeze_three_blocks (v_K: usize) (xof_state: Libcrux_sha3.X4.t_Shake128StateX4) = - let tmp0, out1:(Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) v_K) = - Libcrux_sha3.X4.impl__Shake128StateX4__squeeze_blocks (sz 504) v_K xof_state - in - let xof_state:Libcrux_sha3.X4.t_Shake128StateX4 = tmp0 in - let (output: t_Array (t_Array u8 (sz 504)) v_K):t_Array (t_Array u8 (sz 504)) v_K = out1 in - let out:t_Array (t_Array u8 (sz 504)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 504) <: t_Array u8 (sz 504)) v_K - in - let out:t_Array (t_Array u8 (sz 504)) v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - out - (fun out i -> - let out:t_Array (t_Array u8 (sz 504)) v_K = out in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - (output.[ i ] <: t_Array u8 (sz 504)) - <: - t_Array (t_Array u8 (sz 504)) v_K) - in - let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in - xof_state, hax_temp_output - <: - (Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) v_K) - -let absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - if ~.((v_K =. sz 2 <: bool) || (v_K =. sz 3 <: bool) || (v_K =. sz 4 <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: K == 2 || K == 3 || K == 4" - - <: - Rust_primitives.Hax.t_Never) - in - () - in - let state:Libcrux_sha3.X4.t_Shake128StateX4 = Libcrux_sha3.X4.impl__Shake128StateX4__new () in - let (data: t_Array (t_Slice u8) v_K):t_Array (t_Slice u8) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.unsize (let list = [0uy] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - t_Slice u8) - v_K - in - let data:t_Array (t_Slice u8) v_K = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - data - (fun data i -> - let data:t_Array (t_Slice u8) v_K = data in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize data - i - (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) - <: - t_Array (t_Slice u8) v_K) - in - let state:Libcrux_sha3.X4.t_Shake128StateX4 = - Libcrux_sha3.X4.impl__Shake128StateX4__absorb_final v_K state data - in - state diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti index 78f3192cc..6c37b4454 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti @@ -3,31 +3,55 @@ module Libcrux_ml_kem.Hash_functions open Core open FStar.Mul +/// Abstraction for the hashing, to pick the fastest version depending on the +/// platform features available. +/// There are 3 instantiations of this trait right now, using the libcrux-sha3 crate. +/// - AVX2 +/// - NEON +/// - Portable +class t_Hash (v_Self: Type) (v_K: usize) = { + f_G_pre:t_Slice u8 -> bool; + f_G_post:t_Slice u8 -> t_Array u8 (sz 64) -> bool; + f_G:x0: t_Slice u8 + -> Prims.Pure (t_Array u8 (sz 64)) (f_G_pre x0) (fun result -> f_G_post x0 result); + f_H_pre:t_Slice u8 -> bool; + f_H_post:t_Slice u8 -> t_Array u8 (sz 32) -> bool; + f_H:x0: t_Slice u8 + -> Prims.Pure (t_Array u8 (sz 32)) (f_H_pre x0) (fun result -> f_H_post x0 result); + f_PRF_pre:v_LEN: usize -> t_Slice u8 -> bool; + f_PRF_post:v_LEN: usize -> t_Slice u8 -> t_Array u8 v_LEN -> bool; + f_PRF:v_LEN: usize -> x0: t_Slice u8 + -> Prims.Pure (t_Array u8 v_LEN) (f_PRF_pre v_LEN x0) (fun result -> f_PRF_post v_LEN x0 result); + f_PRFxN_pre:v_LEN: usize -> t_Array (t_Array u8 (sz 33)) v_K -> bool; + f_PRFxN_post:v_LEN: usize -> t_Array (t_Array u8 (sz 33)) v_K -> t_Array (t_Array u8 v_LEN) v_K + -> bool; + f_PRFxN:v_LEN: usize -> x0: t_Array (t_Array u8 (sz 33)) v_K + -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) + (f_PRFxN_pre v_LEN x0) + (fun result -> f_PRFxN_post v_LEN x0 result); + f_shake128_init_absorb_pre:t_Array (t_Array u8 (sz 34)) v_K -> bool; + f_shake128_init_absorb_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> bool; + f_shake128_init_absorb:x0: t_Array (t_Array u8 (sz 34)) v_K + -> Prims.Pure v_Self + (f_shake128_init_absorb_pre x0) + (fun result -> f_shake128_init_absorb_post x0 result); + f_shake128_squeeze_three_blocks_pre:v_Self -> bool; + f_shake128_squeeze_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K) + -> bool; + f_shake128_squeeze_three_blocks:x0: v_Self + -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 504)) v_K) + (f_shake128_squeeze_three_blocks_pre x0) + (fun result -> f_shake128_squeeze_three_blocks_post x0 result); + f_shake128_squeeze_block_pre:v_Self -> bool; + f_shake128_squeeze_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> bool; + f_shake128_squeeze_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 168)) v_K) + (f_shake128_squeeze_block_pre x0) + (fun result -> f_shake128_squeeze_block_post x0 result) +} + +/// The SHA3 block size. let v_BLOCK_SIZE: usize = sz 168 +/// The size of 3 SHA3 blocks. let v_THREE_BLOCKS: usize = v_BLOCK_SIZE *! sz 3 - -/// Free the memory of the state. -/// **NOTE:** That this needs to be done manually for now. -val free_state (xof_state: Libcrux_sha3.X4.t_Shake128StateX4) - : Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True) - -val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - -val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) - -val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) - -val squeeze_block (v_K: usize) (xof_state: Libcrux_sha3.X4.t_Shake128StateX4) - : Prims.Pure (Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) v_K) - Prims.l_True - (fun _ -> Prims.l_True) - -val squeeze_three_blocks (v_K: usize) (xof_state: Libcrux_sha3.X4.t_Shake128StateX4) - : Prims.Pure (Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) v_K) - Prims.l_True - (fun _ -> Prims.l_True) - -val absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) - : Prims.Pure Libcrux_sha3.X4.t_Shake128StateX4 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst similarity index 53% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.fst rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index c0f4a994a..9b5b0ea1c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst @@ -1,10 +1,14 @@ -module Libcrux_ml_kem +module Libcrux_ml_kem.Ind_cca #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let serialize_kem_secret_key - (v_SERIALIZED_KEY_LEN: usize) + (v_K v_SERIALIZED_KEY_LEN: usize) + (#v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (private_key public_key implicit_rejection_value: t_Slice u8) = let out:t_Array u8 v_SERIALIZED_KEY_LEN = Rust_primitives.Hax.repeat 0uy v_SERIALIZED_KEY_LEN in @@ -71,7 +75,7 @@ let serialize_kem_secret_key Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (Rust_primitives.unsize (Libcrux_ml_kem.Hash_functions.v_H public_key + (Rust_primitives.unsize (Libcrux_ml_kem.Hash_functions.f_H v_K public_key <: t_Array u8 (sz 32)) <: @@ -106,16 +110,86 @@ let serialize_kem_secret_key in out +let validate_public_key_generic + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_PUBLIC_KEY_SIZE + v_K + (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeTo usize ] + <: + t_Slice u8) + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + deserialized_pk + (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + in + public_key =. public_key_serialized + +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Rust_primitives.Hax.Control_flow_monad.Mexception.run (if + true && true && (Libcrux_platform.Platform.simd256_support () <: bool) + then + let! hoist2:Rust_primitives.Hax.t_Never = + Core.Ops.Control_flow.ControlFlow_Break + (validate_public_key_generic v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key) + <: + Core.Ops.Control_flow.t_ControlFlow bool Rust_primitives.Hax.t_Never + in + Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist2) + <: + Core.Ops.Control_flow.t_ControlFlow bool bool + else + Core.Ops.Control_flow.ControlFlow_Continue + (if false && false && (Libcrux_platform.Platform.simd128_support () <: bool) + then + validate_public_key_generic v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + <: + bool + else + validate_public_key_generic v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + <: + bool) + <: + Core.Ops.Control_flow.t_ControlFlow bool bool) + let decapsulate_generic (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = - Libcrux_ml_kem.Types.impl_12__split_at v_SECRET_KEY_SIZE secret_key v_CPA_SECRET_KEY_SIZE + Libcrux_ml_kem.Types.impl_12__split_at v_SECRET_KEY_SIZE private_key v_CPA_SECRET_KEY_SIZE in let ind_cpa_public_key, secret_key:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at secret_key v_PUBLIC_KEY_SIZE @@ -153,7 +227,7 @@ let decapsulate_generic t_Slice u8) in let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) + Libcrux_ml_kem.Hash_functions.f_G v_K (Rust_primitives.unsize to_hash <: t_Slice u8) in let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) @@ -181,7 +255,7 @@ let decapsulate_generic t_Slice u8) in let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.v_PRF (sz 32) (Rust_primitives.unsize to_hash <: t_Slice u8) + Libcrux_ml_kem.Hash_functions.f_PRF v_K (sz 32) (Rust_primitives.unsize to_hash <: t_Slice u8) in let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE @@ -201,33 +275,65 @@ let decapsulate_generic let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - if Libcrux_platform.Platform.simd256_support () - then - decapsulate_generic v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE - v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE secret_key ciphertext - else - if Libcrux_platform.Platform.simd128_support () - then - decapsulate_generic v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE - v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE secret_key ciphertext - else - decapsulate_generic v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE - v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE secret_key ciphertext + Rust_primitives.Hax.Control_flow_monad.Mexception.run (if + true && true && (Libcrux_platform.Platform.simd256_support () <: bool) + then + let! hoist3:Rust_primitives.Hax.t_Never = + Core.Ops.Control_flow.ControlFlow_Break + (decapsulate_generic v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE + v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext) + <: + Core.Ops.Control_flow.t_ControlFlow (t_Array u8 (sz 32)) Rust_primitives.Hax.t_Never + in + Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist3) + <: + Core.Ops.Control_flow.t_ControlFlow (t_Array u8 (sz 32)) (t_Array u8 (sz 32)) + else + Core.Ops.Control_flow.ControlFlow_Continue + (if false && false && (Libcrux_platform.Platform.simd128_support () <: bool) + then + let! hoist4:Rust_primitives.Hax.t_Never = + Core.Ops.Control_flow.ControlFlow_Break + (decapsulate_generic v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE + v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext) + <: + Core.Ops.Control_flow.t_ControlFlow (t_Array u8 (sz 32)) Rust_primitives.Hax.t_Never + in + Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist4) + <: + Core.Ops.Control_flow.t_ControlFlow (t_Array u8 (sz 32)) (t_Array u8 (sz 32)) + else + Core.Ops.Control_flow.ControlFlow_Continue + (decapsulate_generic v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE + v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext + <: + t_Array u8 (sz 32)) + <: + Core.Ops.Control_flow.t_ControlFlow (t_Array u8 (sz 32)) (t_Array u8 (sz 32))) + <: + Core.Ops.Control_flow.t_ControlFlow (t_Array u8 (sz 32)) + (Core.Ops.Control_flow.t_ControlFlow (t_Array u8 (sz 32)) (t_Array u8 (sz 32)))) let encapsulate_generic (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = @@ -247,8 +353,8 @@ let encapsulate_generic Core.Ops.Range.t_RangeFrom usize ] <: t_Slice u8) - (Rust_primitives.unsize (Libcrux_ml_kem.Hash_functions.v_H (Rust_primitives.unsize (Libcrux_ml_kem.Types.impl_18__as_slice - v_PUBLIC_KEY_SIZE + (Rust_primitives.unsize (Libcrux_ml_kem.Hash_functions.f_H v_K + (Rust_primitives.unsize (Libcrux_ml_kem.Types.impl_18__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Array u8 v_PUBLIC_KEY_SIZE) @@ -262,7 +368,7 @@ let encapsulate_generic t_Slice u8) in let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.v_G (Rust_primitives.unsize to_hash <: t_Slice u8) + Libcrux_ml_kem.Hash_functions.f_G v_K (Rust_primitives.unsize to_hash <: t_Slice u8) in let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) @@ -292,63 +398,72 @@ let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = - if Libcrux_platform.Platform.simd256_support () - then - encapsulate_generic v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness - else - if Libcrux_platform.Platform.simd128_support () - then - encapsulate_generic v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness - else - encapsulate_generic v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness - -let validate_public_key_generic - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_PUBLIC_KEY_SIZE - v_K - (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } + Rust_primitives.Hax.Control_flow_monad.Mexception.run (if + true && true && (Libcrux_platform.Platform.simd256_support () <: bool) + then + let! hoist5:Rust_primitives.Hax.t_Never = + Core.Ops.Control_flow.ControlFlow_Break + (encapsulate_generic v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + public_key randomness) <: - Core.Ops.Range.t_RangeTo usize ] + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Rust_primitives.Hax.t_Never + in + Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist5) <: - t_Slice u8) - in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - deserialized_pk - (public_key.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeFrom usize ] + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + else + Core.Ops.Control_flow.ControlFlow_Continue + (if false && false && (Libcrux_platform.Platform.simd128_support () <: bool) + then + let! hoist6:Rust_primitives.Hax.t_Never = + Core.Ops.Control_flow.ControlFlow_Break + (encapsulate_generic v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + public_key randomness) + <: + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Rust_primitives.Hax.t_Never + in + Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist6) + <: + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + else + Core.Ops.Control_flow.ControlFlow_Continue + (encapsulate_generic v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + public_key randomness + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))) + <: + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))) <: - t_Slice u8) - in - public_key =. public_key_serialized - -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - if Libcrux_platform.Platform.simd256_support () - then validate_public_key_generic v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key - else validate_public_key_generic v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)))) let generate_keypair_generic (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (ind_cpa_keypair_randomness implicit_rejection_value: t_Slice u8) = let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & @@ -362,7 +477,8 @@ let generate_keypair_generic ind_cpa_keypair_randomness in let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = - serialize_kem_secret_key v_PRIVATE_KEY_SIZE + serialize_kem_secret_key v_K + v_PRIVATE_KEY_SIZE (Rust_primitives.unsize ind_cpa_private_key <: t_Slice u8) (Rust_primitives.unsize public_key <: t_Slice u8) implicit_rejection_value @@ -381,51 +497,68 @@ let generate_keypair usize) (randomness: t_Array u8 (sz 64)) = - let ind_cpa_keypair_randomness:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE - } - <: - Core.Ops.Range.t_Range usize ] - in - let implicit_rejection_value:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE - } - <: - Core.Ops.Range.t_RangeFrom usize ] - in - if Libcrux_platform.Platform.simd256_support () - then - generate_keypair_generic v_K - v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - ind_cpa_keypair_randomness - implicit_rejection_value - else - if Libcrux_platform.Platform.simd128_support () - then - generate_keypair_generic v_K - v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - ind_cpa_keypair_randomness - implicit_rejection_value - else - generate_keypair_generic v_K - v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - ind_cpa_keypair_randomness - implicit_rejection_value + Rust_primitives.Hax.Control_flow_monad.Mexception.run (let ind_cpa_keypair_randomness:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + <: + Core.Ops.Range.t_Range usize ] + in + let implicit_rejection_value:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + in + if true && true && Libcrux_platform.Platform.simd256_support () + then + let! hoist7:Rust_primitives.Hax.t_Never = + Core.Ops.Control_flow.ControlFlow_Break + (generate_keypair_generic v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + ind_cpa_keypair_randomness + implicit_rejection_value) + <: + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + Rust_primitives.Hax.t_Never + in + Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist7) + <: + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + else + Core.Ops.Control_flow.ControlFlow_Continue + (if false && false && Libcrux_platform.Platform.simd128_support () + then + generate_keypair_generic v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + ind_cpa_keypair_randomness + implicit_rejection_value + else + generate_keypair_generic v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + ind_cpa_keypair_randomness + implicit_rejection_value) + <: + Core.Ops.Control_flow.t_ControlFlow + (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti similarity index 82% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.fsti rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 04d135f5d..0b669d301 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -1,8 +1,10 @@ -module Libcrux_ml_kem +module Libcrux_ml_kem.Ind_cca #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul +/// An ML-KEM shared secret. +/// A byte array of size [`SHARED_SECRET_SIZE`]. unfold let t_MlKemSharedSecret = t_Array u8 (sz 32) @@ -16,31 +18,47 @@ let v_KEY_GENERATION_SEED_SIZE: usize = /// Serialize the secret key. val serialize_kem_secret_key - (v_SERIALIZED_KEY_LEN: usize) + (v_K v_SERIALIZED_KEY_LEN: usize) + (#v_Hasher: Type) + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (private_key public_key implicit_rejection_value: t_Slice u8) : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) +val validate_public_key_generic + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + val decapsulate_generic (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate_generic (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) @@ -56,23 +74,12 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -val validate_public_key_generic - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - val generate_keypair_generic (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (ind_cpa_keypair_randomness implicit_rejection_value: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) Prims.l_True diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst index 40d746788..97b66b4f4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst @@ -39,20 +39,24 @@ let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = let sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) = let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K + Core.Array.from_fn v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - let domain_separator, error_1_, prf_input:(u8 & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - t_Array u8 (sz 33)) = + let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in + let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_K @@ -61,63 +65,78 @@ let sample_ring_element_cbd Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - (domain_separator, error_1_, prf_input - <: - (u8 & t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - t_Array u8 (sz 33))) + (domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K)) (fun temp_0_ i -> - let domain_separator, error_1_, prf_input:(u8 & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - t_Array u8 (sz 33)) = - temp_0_ - in + let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in let i:usize = i in - let prf_input:t_Array u8 (sz 33) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input - (sz 32) - domain_separator + let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_inputs + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (prf_inputs.[ i ] + <: + t_Array u8 (sz 33)) + (sz 32) + domain_separator + <: + t_Array u8 (sz 33)) in let domain_separator:u8 = domain_separator +! 1uy in - let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = - Libcrux_ml_kem.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE - (Rust_primitives.unsize prf_input <: t_Slice u8) - in + domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K)) + in + let (prf_outputs: t_Array (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K):t_Array + (t_Array u8 v_ETA2_RANDOMNESS_SIZE) v_K = + Libcrux_ml_kem.Hash_functions.f_PRFxN v_K v_ETA2_RANDOMNESS_SIZE prf_inputs + in + let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + error_1_ + (fun error_1_ i -> let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_ - i - (Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2 - (Rust_primitives.unsize prf_output <: t_Slice u8) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + error_1_ in - domain_separator, error_1_, prf_input + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize error_1_ + i + (Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA2 + (Rust_primitives.unsize (prf_outputs.[ i ] <: t_Array u8 v_ETA2_RANDOMNESS_SIZE) + <: + t_Slice u8) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: - (u8 & t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - t_Array u8 (sz 33))) - in - let hax_temp_output:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - error_1_ + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in - prf_input, domain_separator, hax_temp_output + error_1_, domain_separator <: - (t_Array u8 (sz 33) & u8 & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) let sample_vector_cbd_then_ntt (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) = let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K + Core.Array.from_fn v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = + let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in + let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_K @@ -126,41 +145,63 @@ let sample_vector_cbd_then_ntt Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - (domain_separator, prf_input, re_as_ntt - <: - (u8 & t_Array u8 (sz 33) & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) + (domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K)) (fun temp_0_ i -> - let domain_separator, prf_input, re_as_ntt:(u8 & t_Array u8 (sz 33) & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - temp_0_ - in + let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in let i:usize = i in - let prf_input:t_Array u8 (sz 33) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input - (sz 32) - domain_separator + let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_inputs + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (prf_inputs.[ i ] + <: + t_Array u8 (sz 33)) + (sz 32) + domain_separator + <: + t_Array u8 (sz 33)) in let domain_separator:u8 = domain_separator +! 1uy in - let (prf_output: t_Array u8 v_ETA_RANDOMNESS_SIZE):t_Array u8 v_ETA_RANDOMNESS_SIZE = - Libcrux_ml_kem.Hash_functions.v_PRF v_ETA_RANDOMNESS_SIZE - (Rust_primitives.unsize prf_input <: t_Slice u8) + domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K)) + in + let (prf_outputs: t_Array (t_Array u8 v_ETA_RANDOMNESS_SIZE) v_K):t_Array + (t_Array u8 v_ETA_RANDOMNESS_SIZE) v_K = + Libcrux_ml_kem.Hash_functions.f_PRFxN v_K v_ETA_RANDOMNESS_SIZE prf_inputs + in + let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + re_as_ntt + (fun re_as_ntt i -> + let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + re_as_ntt in - let r:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA - (Rust_primitives.unsize prf_output <: t_Slice u8) + let i:usize = i in + let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_as_ntt + i + (Libcrux_ml_kem.Sampling.sample_from_binomial_distribution v_ETA + (Rust_primitives.unsize (prf_outputs.[ i ] <: t_Array u8 v_ETA_RANDOMNESS_SIZE) + <: + t_Slice u8) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_as_ntt i - (Libcrux_ml_kem.Ntt.ntt_binomially_sampled_ring_element r + (Libcrux_ml_kem.Ntt.ntt_binomially_sampled_ring_element (re_as_ntt.[ i ] + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - domain_separator, prf_input, re_as_ntt - <: - (u8 & t_Array u8 (sz 33) & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) + re_as_ntt) in re_as_ntt, domain_separator <: @@ -171,9 +212,9 @@ let compress_then_serialize_u (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (out: t_Slice u8) = - let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let out:t_Array u8 v_OUT_LEN = + let out, hax_temp_output:t_Slice u8 = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate (Core.Iter.Traits.Collect.f_into_iter input <: @@ -189,7 +230,7 @@ let compress_then_serialize_u )) out (fun out temp_1_ -> - let out:t_Array u8 v_OUT_LEN = out in + let out:t_Slice u8 = out in let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = temp_1_ in @@ -221,7 +262,7 @@ let compress_then_serialize_u <: t_Slice u8) <: - t_Array u8 v_OUT_LEN) + t_Slice u8) in out @@ -232,10 +273,12 @@ let deserialize_then_decompress_u (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) = let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K + Core.Array.from_fn v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate @@ -259,14 +302,19 @@ let deserialize_then_decompress_u u_as_ntt in let i, u_bytes:(usize & t_Slice u8) = temp_1_ in - let u:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR - u_bytes + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR + u_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt i - (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR u + (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -277,8 +325,11 @@ let deserialize_then_decompress_u let encrypt (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (public_key: t_Slice u8) (message: t_Array u8 (sz 32)) (randomness: t_Slice u8) @@ -309,18 +360,17 @@ let encrypt u8) = sample_vector_cbd_then_ntt v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE prf_input 0uy in - let tmp0, tmp1, out:(t_Array u8 (sz 33) & u8 & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = + let error_1_, domain_separator:(t_Array + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & + u8) = sample_ring_element_cbd v_K v_ETA2_RANDOMNESS_SIZE v_ETA2 prf_input domain_separator in - let prf_input:t_Array u8 (sz 33) = tmp0 in - let domain_separator:u8 = tmp1 in - let error_1_:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = out in let prf_input:t_Array u8 (sz 33) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize prf_input (sz 32) domain_separator in let (prf_output: t_Array u8 v_ETA2_RANDOMNESS_SIZE):t_Array u8 v_ETA2_RANDOMNESS_SIZE = - Libcrux_ml_kem.Hash_functions.v_PRF v_ETA2_RANDOMNESS_SIZE + Libcrux_ml_kem.Hash_functions.f_PRF v_K + v_ETA2_RANDOMNESS_SIZE (Rust_primitives.unsize prf_input <: t_Slice u8) in let error_2_:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = @@ -340,26 +390,34 @@ let encrypt error_2_ message_as_ring_element in - let c1:t_Array u8 v_C1_LEN = - compress_then_serialize_u v_K v_C1_LEN v_U_COMPRESSION_FACTOR v_BLOCK_LEN u - in - let c2:t_Array u8 v_C2_LEN = - Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_v v_V_COMPRESSION_FACTOR - v_C2_LEN - v - in - let (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE):t_Array u8 v_CIPHERTEXT_SIZE = - into_padded_array v_CIPHERTEXT_SIZE (Rust_primitives.unsize c1 <: t_Slice u8) + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Rust_primitives.Hax.repeat 0uy v_CIPHERTEXT_SIZE in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range ciphertext + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_C1_LEN } + <: + Core.Ops.Range.t_Range usize) + (compress_then_serialize_u v_K + v_C1_LEN + v_U_COMPRESSION_FACTOR + v_BLOCK_LEN + u + (ciphertext.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_C1_LEN } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) in let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from ciphertext ({ Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } - <: - Core.Ops.Range.t_RangeFrom usize ] + (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_v v_V_COMPRESSION_FACTOR + v_C2_LEN + v + (ciphertext.[ { Core.Ops.Range.f_start = v_C1_LEN } <: Core.Ops.Range.t_RangeFrom usize ] <: t_Slice u8) - (Core.Array.impl_23__as_slice v_C2_LEN c2 <: t_Slice u8) <: t_Slice u8) in @@ -372,10 +430,12 @@ let deserialize_secret_key (secret_key: t_Slice u8) = let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K + Core.Array.from_fn v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate @@ -550,11 +610,14 @@ let serialize_public_key let generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (key_generation_seed: t_Slice u8) = - let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.v_G key_generation_seed in + let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G v_K key_generation_seed in let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at (Rust_primitives.unsize hashed <: t_Slice u8) (sz 32) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index cc1e41340..ca613d980 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -10,13 +10,12 @@ val into_padded_array (v_LEN: usize) (slice: t_Slice u8) /// Sample a vector of ring elements from a centered binomial distribution. val sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) - : Prims.Pure - (t_Array u8 (sz 33) & u8 & - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) Prims.l_True (fun _ -> Prims.l_True) @@ -24,8 +23,9 @@ val sample_ring_element_cbd /// convert them into their NTT representations. val sample_vector_cbd_then_ntt (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) @@ -38,7 +38,8 @@ val compress_then_serialize_u (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Call [`deserialize_then_decompress_ring_element_u`] on each ring element /// in the `ciphertext`. @@ -89,8 +90,9 @@ val deserialize_then_decompress_u val encrypt (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (public_key: t_Slice u8) (message: t_Array u8 (sz 32)) (randomness: t_Slice u8) @@ -186,8 +188,9 @@ val serialize_public_key val generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (key_generation_seed: t_Slice u8) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst new file mode 100644 index 000000000..68da4db0b --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst @@ -0,0 +1,314 @@ +module Libcrux_ml_kem.Invert_ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let inv_ntt_layer_int_vec_step_reduce + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (a b: v_Vector) + (zeta_r: i16) + = + let a_minus_b:v_Vector = Libcrux_traits.f_sub b a in + let a:v_Vector = Libcrux_traits.f_barrett_reduce (Libcrux_traits.f_add a b <: v_Vector) in + let b:v_Vector = Libcrux_traits.f_montgomery_multiply_fe_by_fer a_minus_b zeta_r in + a, b <: (v_Vector & v_Vector) + +let invert_ntt_at_layer_1_ + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer: usize) + = + let (re, zeta_i), hax_temp_output:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & + usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! sz 1 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + round + (Libcrux_traits.f_inv_ntt_layer_1_step (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ + round ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize + ] + <: + i16) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let zeta_i:usize = zeta_i -! sz 3 in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let invert_ntt_at_layer_2_ + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer: usize) + = + let (re, zeta_i), hax_temp_output:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & + usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! sz 1 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + round + (Libcrux_traits.f_inv_ntt_layer_2_step (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ + round ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize + ] + <: + i16) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let zeta_i:usize = zeta_i -! sz 1 in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let invert_ntt_at_layer_3_ + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer: usize) + = + let (re, zeta_i), hax_temp_output:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & + usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! sz 1 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + round + (Libcrux_traits.f_inv_ntt_layer_3_step (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ + round ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let invert_ntt_at_layer_4_plus + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (layer: usize) + = + let step:usize = sz 1 <>! layer <: usize + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! sz 1 in + let offset:usize = (round *! step <: usize) *! sz 2 in + let offset_vec:usize = offset /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in + let step_vec:usize = step /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = offset_vec; + Core.Ops.Range.f_end = offset_vec +! step_vec <: usize + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + re + (fun re j -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let j:usize = j in + let x, y:(v_Vector & v_Vector) = + inv_ntt_layer_int_vec_step_reduce (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ + j ] + <: + v_Vector) + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + j + x + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + (j +! step_vec <: usize) + y + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) + in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let invert_ntt_montgomery + (v_K: usize) + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + let zeta_i:usize = Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + invert_ntt_at_layer_1_ zeta_i re (sz 1) + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + invert_ntt_at_layer_2_ zeta_i re (sz 2) + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + invert_ntt_at_layer_3_ zeta_i re (sz 3) + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + invert_ntt_at_layer_4_plus zeta_i re (sz 4) + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + invert_ntt_at_layer_4_plus zeta_i re (sz 5) + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + invert_ntt_at_layer_4_plus zeta_i re (sz 6) + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + invert_ntt_at_layer_4_plus zeta_i re (sz 7) + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce re + <: + (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + re diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti new file mode 100644 index 000000000..a000597eb --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti @@ -0,0 +1,60 @@ +module Libcrux_ml_kem.Invert_ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +val inv_ntt_layer_int_vec_step_reduce + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (a b: v_Vector) + (zeta_r: i16) + : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_3_ + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_4_plus + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (layer: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_montgomery + (v_K: usize) + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst index 43ac4b277..f12b7df16 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst @@ -13,10 +13,12 @@ let compute_As_plus_e t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K + Core.Array.from_fn v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate @@ -91,10 +93,10 @@ let compute_As_plus_e let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl__add_standard_error_reduce (error_as_ntt.[ i ] + (Libcrux_ml_kem.Polynomial.impl__add_standard_error_reduce (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -102,49 +104,6 @@ let compute_As_plus_e in result -let compute_message - (v_K: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (secret_as_ntt u_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl__ZERO () - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - result - (fun result i -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - let i:usize = i in - let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl__ntt_multiply (secret_as_ntt.[ i ] - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl__add_to_ring_element v_K result product - in - result) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Ntt.invert_ntt_montgomery v_K result - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl__subtract_reduce v result - in - result - let compute_ring_element_v (v_K: usize) (#v_Vector: Type) @@ -180,7 +139,7 @@ let compute_ring_element_v result) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Ntt.invert_ntt_montgomery v_K result + Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Libcrux_ml_kem.Polynomial.impl__add_message_error_reduce error_2_ message result @@ -196,10 +155,12 @@ let compute_vector_u (r_as_ntt error_1_: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K + Core.Array.from_fn v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate @@ -274,7 +235,7 @@ let compute_vector_u let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Ntt.invert_ntt_montgomery v_K + (Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) @@ -282,10 +243,10 @@ let compute_vector_u let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl__add_error_reduce (error_1_.[ i ] + (Libcrux_ml_kem.Polynomial.impl__add_error_reduce (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (error_1_.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -293,22 +254,72 @@ let compute_vector_u in result -let sample_matrix_A +let compute_message (v_K: usize) (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (secret_as_ntt u_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + = + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO () + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + result + (fun result i -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + let i:usize = i in + let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ntt_multiply (secret_as_ntt.[ i ] + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__add_to_ring_element v_K result product + in + result) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K result + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__subtract_reduce v result + in + result + +let sample_matrix_A + (v_K: usize) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (seed: t_Array u8 (sz 34)) (transpose: bool) = let v_A_transpose:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - v_K + Core.Array.from_fn v_K + (fun v__i -> + let v__i:usize = v__i in + Core.Array.from_fn v_K + (fun v__j -> + let v__j:usize = v__j in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in let v_A_transpose:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = @@ -368,21 +379,28 @@ let sample_matrix_A let sampled:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Libcrux_ml_kem.Sampling.sample_from_xof v_K seeds in - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_K - } + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate + (Core.Iter.Traits.Collect.f_into_iter sampled + <: + Core.Array.Iter.t_IntoIter + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) <: - Core.Ops.Range.t_Range usize) + Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Array.Iter.t_IntoIter + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) <: - Core.Ops.Range.t_Range usize) + Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Array.Iter.t_IntoIter + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)) v_A_transpose - (fun v_A_transpose j -> + (fun v_A_transpose temp_1_ -> let v_A_transpose:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = v_A_transpose in - let j:usize = j in + let j, sample:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_1_ + in if transpose then let v_A_transpose:t_Array @@ -395,9 +413,7 @@ let sample_matrix_A t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K ) i - (sampled.[ j ] - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + sample <: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in @@ -413,9 +429,7 @@ let sample_matrix_A t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K ) j - (sampled.[ j ] - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + sample <: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index 15f8cb746..959f17ca0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -16,21 +16,6 @@ val compute_As_plus_e Prims.l_True (fun _ -> Prims.l_True) -/// The following functions compute various expressions involving -/// vectors and matrices. The computation of these expressions has been -/// abstracted away into these functions in order to save on loop iterations. -/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) -val compute_message - (v_K: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (secret_as_ntt u_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message val compute_ring_element_v (v_K: usize) @@ -54,10 +39,26 @@ val compute_vector_u Prims.l_True (fun _ -> Prims.l_True) -val sample_matrix_A +/// The following functions compute various expressions involving +/// vectors and matrices. The computation of these expressions has been +/// abstracted away into these functions in order to save on loop iterations. +/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) +val compute_message (v_K: usize) (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} + (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (secret_as_ntt u_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_matrix_A + (v_K: usize) + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (seed: t_Array u8 (sz 34)) (transpose: bool) : Prims.Pure diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst similarity index 59% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber1024.fst rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst index 7d512c222..c7a2eaafa 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber1024.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst @@ -1,25 +1,19 @@ -module Libcrux_ml_kem.Kyber1024 +module Libcrux_ml_kem.Mlkem1024 #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let decapsulate - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) = - Libcrux_ml_kem.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) (sz 1408) - (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) secret_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) - (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + Libcrux_ml_kem.Ind_cca.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) + (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) private_key + ciphertext let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = if - Libcrux_ml_kem.validate_public_key (sz 4) + Libcrux_ml_kem.Ind_cca.validate_public_key (sz 4) (sz 1536) (sz 1568) public_key.Libcrux_ml_kem.Types.f_value @@ -32,8 +26,15 @@ let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) + (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.generate_keypair (sz 4) + Libcrux_ml_kem.Ind_cca.generate_keypair (sz 4) (sz 1536) (sz 3168) (sz 1568) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti similarity index 80% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber1024.fsti rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index 608268fbc..34785554b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti @@ -1,4 +1,4 @@ -module Libcrux_ml_kem.Kyber1024 +module Libcrux_ml_kem.Mlkem1024 #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -62,22 +62,37 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = v_C1_SIZE_1024_ +! v_C2_SIZE_1024_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ +/// An ML-KEM 1024 Ciphertext unfold let t_MlKem1024Ciphertext = Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) +/// An ML-KEM 1024 Private key unfold let t_MlKem1024PrivateKey = Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) -unfold -let t_MlKem1024PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) - /// Decapsulate ML-KEM 1024 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. val decapsulate - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// An ML-KEM 1024 Public key +unfold +let t_MlKem1024PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) + +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) + Prims.l_True + (fun _ -> Prims.l_True) + /// Encapsulate ML-KEM 1024 +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem1024PublicKey`] and [`SHARED_SECRET_SIZE`] +/// bytes of `randomness`. val encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (randomness: t_Array u8 (sz 32)) @@ -85,14 +100,14 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))) - Prims.l_True - (fun _ -> Prims.l_True) +/// Am ML-KEM 1024 Key pair +unfold +let t_MlKem1024KeyPair = Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) /// Generate ML-KEM 1024 Key Pair +/// Generate an ML-KEM key pair. The input is a byte array of size +/// [`KEY_GENERATION_SEED_SIZE`]. +/// This function returns an [`MlKem1024KeyPair`]. val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst similarity index 59% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber512.fst rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index 3f26eaa91..520065dfa 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -1,25 +1,18 @@ -module Libcrux_ml_kem.Kyber512 +module Libcrux_ml_kem.Mlkem512 #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let decapsulate - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) = - Libcrux_ml_kem.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) - (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) secret_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) - (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + Libcrux_ml_kem.Ind_cca.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) private_key ciphertext let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = if - Libcrux_ml_kem.validate_public_key (sz 2) + Libcrux_ml_kem.Ind_cca.validate_public_key (sz 2) (sz 768) (sz 800) public_key.Libcrux_ml_kem.Types.f_value @@ -30,8 +23,15 @@ let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 8 else Core.Option.Option_None <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) + (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.generate_keypair (sz 2) + Libcrux_ml_kem.Ind_cca.generate_keypair (sz 2) (sz 768) (sz 1632) (sz 800) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti similarity index 80% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber512.fsti rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index 15bf68470..da84a9270 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti @@ -1,4 +1,4 @@ -module Libcrux_ml_kem.Kyber512 +module Libcrux_ml_kem.Mlkem512 #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -62,22 +62,37 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = v_C1_SIZE_512_ +! v_C2_SIZE_512_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ +/// An ML-KEM 512 Ciphertext unfold let t_MlKem512Ciphertext = Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) +/// An ML-KEM 512 Private key unfold let t_MlKem512PrivateKey = Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) -unfold -let t_MlKem512PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) - /// Decapsulate ML-KEM 512 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. val decapsulate - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// An ML-KEM 512 Public key +unfold +let t_MlKem512PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) + +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) + Prims.l_True + (fun _ -> Prims.l_True) + /// Encapsulate ML-KEM 512 +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] +/// bytes of `randomness`. val encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (randomness: t_Array u8 (sz 32)) @@ -85,14 +100,14 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))) - Prims.l_True - (fun _ -> Prims.l_True) +/// Am ML-KEM 512 Key pair +unfold +let t_MlKem512KeyPair = Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) /// Generate ML-KEM 512 Key Pair +/// Generate an ML-KEM key pair. The input is a byte array of size +/// [`KEY_GENERATION_SEED_SIZE`]. +/// This function returns an [`MlKem512KeyPair`]. val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst similarity index 59% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber768.fst rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst index 3a5a5d92c..dd9dd13cf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber768.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst @@ -1,25 +1,19 @@ -module Libcrux_ml_kem.Kyber768 +module Libcrux_ml_kem.Mlkem768 #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let decapsulate - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) = - Libcrux_ml_kem.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) (sz 960) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) secret_key ciphertext - -let encapsulate - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) - (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + Libcrux_ml_kem.Ind_cca.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) + (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) private_key + ciphertext let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = if - Libcrux_ml_kem.validate_public_key (sz 3) + Libcrux_ml_kem.Ind_cca.validate_public_key (sz 3) (sz 1152) (sz 1184) public_key.Libcrux_ml_kem.Types.f_value @@ -32,8 +26,15 @@ let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 <: Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) +let encapsulate + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) (sz 128) (sz 10) + (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) = - Libcrux_ml_kem.generate_keypair (sz 3) + Libcrux_ml_kem.Ind_cca.generate_keypair (sz 3) (sz 1152) (sz 2400) (sz 1184) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti similarity index 80% rename from libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber768.fsti rename to libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index d9cfee6b4..06774d878 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Kyber768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti @@ -1,4 +1,4 @@ -module Libcrux_ml_kem.Kyber768 +module Libcrux_ml_kem.Mlkem768 #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -62,22 +62,37 @@ let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = v_C1_SIZE_768_ +! v_C2_SIZE_768_ let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ +/// An ML-KEM 768 Ciphertext unfold let t_MlKem768Ciphertext = Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) +/// An ML-KEM 768 Private key unfold let t_MlKem768PrivateKey = Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) -unfold -let t_MlKem768PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) - /// Decapsulate ML-KEM 768 +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. val decapsulate - (secret_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// An ML-KEM 768 Public key +unfold +let t_MlKem768PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) + +/// Validate a public key. +/// Returns `Some(public_key)` if valid, and `None` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) + Prims.l_True + (fun _ -> Prims.l_True) + /// Encapsulate ML-KEM 768 +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] +/// bytes of `randomness`. val encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (randomness: t_Array u8 (sz 32)) @@ -85,14 +100,14 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Validate a public key. -/// Returns `Some(public_key)` if valid, and `None` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Core.Option.t_Option (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))) - Prims.l_True - (fun _ -> Prims.l_True) +/// Am ML-KEM 768 Key pair +unfold +let t_MlKem768KeyPair = Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) /// Generate ML-KEM 768 Key Pair +/// Generate an ML-KEM key pair. The input is a byte array of size +/// [`KEY_GENERATION_SEED_SIZE`]. +/// This function returns an [`MlKem768KeyPair`]. val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst index 96bd2a256..228560bc0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst @@ -3,131 +3,440 @@ module Libcrux_ml_kem.Ntt open Core open FStar.Mul -let invert_ntt_montgomery - (v_K: usize) +let ntt_layer_int_vec_step (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (a b: v_Vector) + (zeta_r: i16) + = + let t:v_Vector = Libcrux_traits.f_montgomery_multiply_fe_by_fer b zeta_r in + let b:v_Vector = Libcrux_traits.f_sub a t in + let a:v_Vector = Libcrux_traits.f_add a t in + a, b <: (v_Vector & v_Vector) + +let ntt_at_layer_1_ + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer v__initial_coefficient_bound: usize) = - let zeta_i:usize = Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.invert_ntt_at_layer_1_ zeta_i re (sz 1) - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.invert_ntt_at_layer_2_ zeta_i re (sz 2) + let (re, zeta_i), hax_temp_output:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & + usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + round + (Libcrux_traits.f_ntt_layer_1_step (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round + ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize + ] + <: + i16) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let zeta_i:usize = zeta_i +! sz 3 in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.invert_ntt_at_layer_3_plus zeta_i re (sz 3) + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let ntt_at_layer_2_ + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer v__initial_coefficient_bound: usize) + = + let (re, zeta_i), hax_temp_output:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & + usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + round + (Libcrux_traits.f_ntt_layer_2_step (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round + ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let zeta_i:usize = zeta_i +! sz 1 in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.invert_ntt_at_layer_3_plus zeta_i re (sz 4) + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let ntt_at_layer_3_ + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer v__initial_coefficient_bound: usize) + = + let (re, zeta_i), hax_temp_output:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & + usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + round + (Libcrux_traits.f_ntt_layer_3_step (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round + ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.invert_ntt_at_layer_3_plus zeta_i re (sz 5) + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let ntt_at_layer_4_plus + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (layer v__initial_coefficient_bound: usize) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if ~.(layer >=. sz 4 <: bool) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: layer >= 4" + <: + Rust_primitives.Hax.t_Never) + in + () in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.invert_ntt_at_layer_3_plus zeta_i re (sz 6) + let step:usize = sz 1 <>! layer <: usize + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let offset:usize = (round *! step <: usize) *! sz 2 in + let offset_vec:usize = offset /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in + let step_vec:usize = step /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = offset_vec; + Core.Ops.Range.f_end = offset_vec +! step_vec <: usize + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + re + (fun re j -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let j:usize = j in + let x, y:(v_Vector & v_Vector) = + ntt_layer_int_vec_step (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j ] + <: + v_Vector) + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] + <: + v_Vector) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + j + x + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + (j +! step_vec <: usize) + y + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) + in + re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.invert_ntt_at_layer_3_plus zeta_i re (sz 7) + zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +let ntt_at_layer_7_ + (#v_Vector: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + let step:usize = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT /! sz 2 in + let re, hax_temp_output:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = step + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + re + (fun re j -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let j:usize = j in + let t:v_Vector = + Libcrux_traits.f_multiply_by_constant (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! + step + <: + usize ] + <: + v_Vector) + (-1600s) + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + (j +! step <: usize) + (Libcrux_traits.f_sub (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j ] <: v_Vector + ) + t + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + j + (Libcrux_traits.f_add (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j ] <: v_Vector + ) + t + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce re + re -let ntt_vector_u - (v_VECTOR_U_COMPRESSION_FACTOR: usize) +let ntt_binomially_sampled_ring_element (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let zeta_i:usize = sz 0 in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 7) (sz 3328) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = ntt_at_layer_7_ re in + let zeta_i:usize = sz 1 in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_4_plus zeta_i re (sz 6) (sz 3) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 6) (sz 3328) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_4_plus zeta_i re (sz 5) (sz 3) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 5) (sz 3328) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_4_plus zeta_i re (sz 4) (sz 3) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 4) (sz 3328) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_3_ zeta_i re (sz 3) (sz 3) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 3) (sz 3328) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_2_ zeta_i re (sz 2) (sz 3) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_2_ zeta_i re (sz 2) (sz 3328) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_1_ zeta_i re (sz 1) (sz 3) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_1_ zeta_i re (sz 1) (sz 3328) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce re + <: + (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce re + re -let ntt_binomially_sampled_ring_element +let ntt_vector_u + (v_VECTOR_U_COMPRESSION_FACTOR: usize) (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.ntt_at_layer_7_ re + let zeta_i:usize = sz 0 in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_4_plus zeta_i re (sz 7) (sz 3328) in - let zeta_i:usize = sz 1 in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 6) (sz 3) + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_4_plus zeta_i re (sz 6) (sz 3328) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 5) (sz 3) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_4_plus zeta_i re (sz 5) (sz 3328) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 4) (sz 3) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_4_plus zeta_i re (sz 4) (sz 3328) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_3_plus zeta_i re (sz 3) (sz 3) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_3_ zeta_i re (sz 3) (sz 3328) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_2_ zeta_i re (sz 2) (sz 3) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_2_ zeta_i re (sz 2) (sz 3328) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - let tmp0, out:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - Libcrux_ml_kem.Polynomial.ntt_at_layer_1_ zeta_i re (sz 1) (sz 3) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + ntt_at_layer_1_ zeta_i re (sz 1) (sz 3328) in let zeta_i:usize = tmp0 in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = out in - Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce re + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in + let _:Prims.unit = () in + let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce re + <: + (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + re diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti index 4adc978ce..8d23fbd07 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti @@ -3,24 +3,54 @@ module Libcrux_ml_kem.Ntt open Core open FStar.Mul -/// Use the Gentleman-Sande butterfly to invert, in-place, the NTT representation -/// of a `KyberPolynomialRingElement`. The coefficients of the output -/// ring element are in the Montgomery domain. -val invert_ntt_montgomery - (v_K: usize) +val ntt_layer_int_vec_step (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} + (a b: v_Vector) + (zeta_r: i16) + : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer v__initial_coefficient_bound: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Use the Cooley–Tukey butterfly to compute an in-place NTT representation -/// of a `KyberPolynomialRingElement`. -/// This function operates on the ring element that partly constitutes -/// the ciphertext. -val ntt_vector_u - (v_VECTOR_U_COMPRESSION_FACTOR: usize) +val ntt_at_layer_2_ + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer v__initial_coefficient_bound: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_3_ + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (v__layer v__initial_coefficient_bound: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_4_plus + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (zeta_i: usize) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (layer v__initial_coefficient_bound: usize) + : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_7_ (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) @@ -28,11 +58,6 @@ val ntt_vector_u Prims.l_True (fun _ -> Prims.l_True) -/// Use the Cooley–Tukey butterfly to compute an in-place NTT representation -/// of a `KyberPolynomialRingElement`. -/// This function operates only on those which were produced by binomial -/// sampling, and thus those which have small coefficients. The small -/// coefficients let us skip the first round of Montgomery reductions. val ntt_binomially_sampled_ring_element (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} @@ -40,3 +65,12 @@ val ntt_binomially_sampled_ring_element : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_vector_u + (v_VECTOR_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type) + {| i1: Libcrux_traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 34cf069b5..3644f27f6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst @@ -3,53 +3,21 @@ module Libcrux_ml_kem.Polynomial open Core open FStar.Mul -let inv_ntt_layer_int_vec_step - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (a b: v_Vector) - (zeta_r: i32) - = - let a_minus_b:v_Vector = Libcrux_traits.f_sub b a in - let a:v_Vector = Libcrux_traits.f_add a b in - let b:v_Vector = Libcrux_traits.f_montgomery_multiply_fe_by_fer a_minus_b zeta_r in - a, b <: (v_Vector & v_Vector) - -let ntt_layer_7_int_vec_step - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (a b: v_Vector) - = - let t:v_Vector = Libcrux_traits.f_multiply_by_constant b (-1600l) in - let b:v_Vector = Libcrux_traits.f_sub a t in - let a:v_Vector = Libcrux_traits.f_add a t in - a, b <: (v_Vector & v_Vector) - -let ntt_layer_int_vec_step - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (a b: v_Vector) - (zeta_r: i32) - = - let t:v_Vector = Libcrux_traits.f_montgomery_multiply_fe_by_fer b zeta_r in - let b:v_Vector = Libcrux_traits.f_sub a t in - let a:v_Vector = Libcrux_traits.f_add a t in - a, b <: (v_Vector & v_Vector) - let impl__ZERO (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (_: Prims.unit) = - { f_coefficients = Rust_primitives.Hax.repeat (Libcrux_traits.f_ZERO () <: v_Vector) (sz 32) } + { f_coefficients = Rust_primitives.Hax.repeat (Libcrux_traits.f_ZERO () <: v_Vector) (sz 16) } <: t_PolynomialRingElement v_Vector let impl__add_error_reduce (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) - (self result: t_PolynomialRingElement v_Vector) + (self error: t_PolynomialRingElement v_Vector) = - let result:t_PolynomialRingElement v_Vector = + let self, hax_temp_output:t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_VECTORS_IN_RING_ELEMENT @@ -58,28 +26,23 @@ let impl__add_error_reduce Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - result - (fun result j -> - let result:t_PolynomialRingElement v_Vector = result in + self + (fun self j -> + let self:t_PolynomialRingElement v_Vector = self in let j:usize = j in let coefficient_normal_form:v_Vector = - Libcrux_traits.f_montgomery_reduce (Libcrux_traits.f_multiply_by_constant (result - .f_coefficients.[ j ] - <: - v_Vector) - 1441l - <: - v_Vector) + Libcrux_traits.f_montgomery_multiply_by_constant (self.f_coefficients.[ j ] <: v_Vector) + 1441s in - let result:t_PolynomialRingElement v_Vector = + let self:t_PolynomialRingElement v_Vector = { - result with + self with f_coefficients = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_coefficients + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients j (Libcrux_traits.f_barrett_reduce (Libcrux_traits.f_add coefficient_normal_form - (self.f_coefficients.[ j ] <: v_Vector) + (error.f_coefficients.[ j ] <: v_Vector) <: v_Vector) <: @@ -88,9 +51,9 @@ let impl__add_error_reduce <: t_PolynomialRingElement v_Vector in - result) + self) in - result + self let impl__add_message_error_reduce (#v_Vector: Type) @@ -111,13 +74,10 @@ let impl__add_message_error_reduce let result:t_PolynomialRingElement v_Vector = result in let i:usize = i in let coefficient_normal_form:v_Vector = - Libcrux_traits.f_montgomery_reduce (Libcrux_traits.f_multiply_by_constant (result - .f_coefficients.[ i ] - <: - v_Vector) - 1441l + Libcrux_traits.f_montgomery_multiply_by_constant (result.f_coefficients.[ i ] <: v_Vector) + 1441s in let result:t_PolynomialRingElement v_Vector = { @@ -146,9 +106,9 @@ let impl__add_message_error_reduce let impl__add_standard_error_reduce (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) - (self result: t_PolynomialRingElement v_Vector) + (self error: t_PolynomialRingElement v_Vector) = - let result:t_PolynomialRingElement v_Vector = + let self, hax_temp_output:t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_VECTORS_IN_RING_ELEMENT @@ -157,22 +117,22 @@ let impl__add_standard_error_reduce Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - result - (fun result j -> - let result:t_PolynomialRingElement v_Vector = result in + self + (fun self j -> + let self:t_PolynomialRingElement v_Vector = self in let j:usize = j in let coefficient_normal_form:v_Vector = - Libcrux_traits.f_to_standard_domain (result.f_coefficients.[ j ] <: v_Vector) + Libcrux_traits.f_to_standard_domain (self.f_coefficients.[ j ] <: v_Vector) in - let result:t_PolynomialRingElement v_Vector = + let self:t_PolynomialRingElement v_Vector = { - result with + self with f_coefficients = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_coefficients + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients j (Libcrux_traits.f_barrett_reduce (Libcrux_traits.f_add coefficient_normal_form - (self.f_coefficients.[ j ] <: v_Vector) + (error.f_coefficients.[ j ] <: v_Vector) <: v_Vector) <: @@ -181,9 +141,9 @@ let impl__add_standard_error_reduce <: t_PolynomialRingElement v_Vector in - result) + self) in - result + self let impl__add_to_ring_element (#v_Vector: Type) @@ -191,7 +151,7 @@ let impl__add_to_ring_element (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) (self rhs: t_PolynomialRingElement v_Vector) = - let self:t_PolynomialRingElement v_Vector = + let self, hax_temp_output:t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end @@ -219,17 +179,17 @@ let impl__add_to_ring_element <: v_Vector) <: - t_Array v_Vector (sz 32) + t_Array v_Vector (sz 16) } <: t_PolynomialRingElement v_Vector) in self -let impl__from_i32_array +let impl__from_i16_array (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) - (a: t_Array i32 (sz 256)) + (a: t_Slice i16) = let result:t_PolynomialRingElement v_Vector = impl__ZERO () in let result:t_PolynomialRingElement v_Vector = @@ -251,29 +211,22 @@ let impl__from_i32_array = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_coefficients i - (Libcrux_traits.f_from_i32_array (Core.Result.impl__unwrap (Core.Convert.f_try_into (a.[ - { - Core.Ops.Range.f_start - = - i *! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i32) - <: - Core.Result.t_Result (t_Array i32 (sz 8)) Core.Array.t_TryFromSliceError) + (Libcrux_traits.f_from_i16_array (a.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR <: usize + } + <: + Core.Ops.Range.t_Range usize ] <: - t_Array i32 (sz 8)) + t_Slice i16) <: v_Vector) <: - t_Array v_Vector (sz 32) + t_Array v_Vector (sz 16) } <: t_PolynomialRingElement v_Vector) @@ -307,16 +260,26 @@ let impl__ntt_multiply i (Libcrux_traits.f_ntt_multiply (self.f_coefficients.[ i ] <: v_Vector) (rhs.f_coefficients.[ i ] <: v_Vector) - (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! (sz 2 *! i <: usize) <: usize ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 2 *! i <: usize) <: usize) +! sz 1 + (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! (sz 4 *! i <: usize) <: usize ] <: i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 <: usize ] <: - i32) + i16) <: v_Vector) <: - t_Array v_Vector (sz 32) + t_Array v_Vector (sz 16) } <: t_PolynomialRingElement v_Vector) @@ -328,7 +291,7 @@ let impl__poly_barrett_reduce (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) (self: t_PolynomialRingElement v_Vector) = - let self:t_PolynomialRingElement v_Vector = + let self, hax_temp_output:t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_VECTORS_IN_RING_ELEMENT @@ -349,7 +312,7 @@ let impl__poly_barrett_reduce i (Libcrux_traits.f_barrett_reduce (self.f_coefficients.[ i ] <: v_Vector) <: v_Vector) <: - t_Array v_Vector (sz 32) + t_Array v_Vector (sz 16) } <: t_PolynomialRingElement v_Vector) @@ -375,13 +338,8 @@ let impl__subtract_reduce let b:t_PolynomialRingElement v_Vector = b in let i:usize = i in let coefficient_normal_form:v_Vector = - Libcrux_traits.f_montgomery_reduce (Libcrux_traits.f_multiply_by_constant (b - .f_coefficients.[ i ] - <: - v_Vector) - 1441l - <: - v_Vector) + Libcrux_traits.f_montgomery_multiply_by_constant (b.f_coefficients.[ i ] <: v_Vector) + 1441s in let b:t_PolynomialRingElement v_Vector = { @@ -405,382 +363,3 @@ let impl__subtract_reduce b) in b - -let invert_ntt_at_layer_1_ - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer: usize) - = - let zeta_i:usize = zeta_i -! sz 1 in - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 32 - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - (re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - round - (Libcrux_traits.f_inv_ntt_layer_1_step (re.f_coefficients.[ round ] <: v_Vector) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) - <: - v_Vector) - } - <: - t_PolynomialRingElement v_Vector - in - let zeta_i:usize = zeta_i -! sz 2 in - re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - in - let zeta_i:usize = zeta_i +! sz 1 in - let hax_temp_output:t_PolynomialRingElement v_Vector = re in - zeta_i, hax_temp_output <: (usize & t_PolynomialRingElement v_Vector) - -let invert_ntt_at_layer_2_ - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer: usize) - = - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 32 - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - (re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i -! sz 1 in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - round - (Libcrux_traits.f_inv_ntt_layer_2_step (re.f_coefficients.[ round ] <: v_Vector) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - <: - v_Vector) - } - <: - t_PolynomialRingElement v_Vector - in - re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - in - let hax_temp_output:t_PolynomialRingElement v_Vector = re in - zeta_i, hax_temp_output <: (usize & t_PolynomialRingElement v_Vector) - -let invert_ntt_at_layer_3_plus - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (layer: usize) - = - let step:usize = sz 1 <>! layer <: usize - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - (re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i -! sz 1 in - let offset:usize = (round *! step <: usize) *! sz 2 in - let offset_vec:usize = offset /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in - let step_vec:usize = step /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in - let re:t_PolynomialRingElement v_Vector = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = offset_vec; - Core.Ops.Range.f_end = offset_vec +! step_vec <: usize - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - re - (fun re j -> - let re:t_PolynomialRingElement v_Vector = re in - let j:usize = j in - let x, y:(v_Vector & v_Vector) = - inv_ntt_layer_int_vec_step (re.f_coefficients.[ j ] <: v_Vector) - (re.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - j - x - } - <: - t_PolynomialRingElement v_Vector - in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - (j +! step_vec <: usize) - y - } - <: - t_PolynomialRingElement v_Vector - in - re) - in - re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - in - let hax_temp_output:t_PolynomialRingElement v_Vector = re in - zeta_i, hax_temp_output <: (usize & t_PolynomialRingElement v_Vector) - -let ntt_at_layer_1_ - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer v__initial_coefficient_bound: usize) - = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 32 - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - (re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - round - (Libcrux_traits.f_ntt_layer_1_step (re.f_coefficients.[ round ] <: v_Vector) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: i32) - <: - v_Vector) - } - <: - t_PolynomialRingElement v_Vector - in - let zeta_i:usize = zeta_i +! sz 2 in - re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - in - let zeta_i:usize = zeta_i -! sz 1 in - let hax_temp_output:t_PolynomialRingElement v_Vector = re in - zeta_i, hax_temp_output <: (usize & t_PolynomialRingElement v_Vector) - -let ntt_at_layer_2_ - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer v__initial_coefficient_bound: usize) - = - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 32 - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - (re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - round - (Libcrux_traits.f_ntt_layer_2_step (re.f_coefficients.[ round ] <: v_Vector) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - <: - v_Vector) - } - <: - t_PolynomialRingElement v_Vector - in - re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - in - let hax_temp_output:t_PolynomialRingElement v_Vector = re in - zeta_i, hax_temp_output <: (usize & t_PolynomialRingElement v_Vector) - -let ntt_at_layer_3_plus - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (layer v__initial_coefficient_bound: usize) - = - let _:Prims.unit = - if true - then - let _:Prims.unit = - if ~.(layer >=. sz 3 <: bool) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: layer >= 3" - <: - Rust_primitives.Hax.t_Never) - in - () - in - let step:usize = sz 1 <>! layer <: usize - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - (re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let offset:usize = (round *! step <: usize) *! sz 2 in - let offset_vec:usize = offset /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in - let step_vec:usize = step /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR in - let re:t_PolynomialRingElement v_Vector = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = offset_vec; - Core.Ops.Range.f_end = offset_vec +! step_vec <: usize - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - re - (fun re j -> - let re:t_PolynomialRingElement v_Vector = re in - let j:usize = j in - let x, y:(v_Vector & v_Vector) = - ntt_layer_int_vec_step (re.f_coefficients.[ j ] <: v_Vector) - (re.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - j - x - } - <: - t_PolynomialRingElement v_Vector - in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - (j +! step_vec <: usize) - y - } - <: - t_PolynomialRingElement v_Vector - in - re) - in - re, zeta_i <: (t_PolynomialRingElement v_Vector & usize)) - in - let hax_temp_output:t_PolynomialRingElement v_Vector = re in - zeta_i, hax_temp_output <: (usize & t_PolynomialRingElement v_Vector) - -let ntt_at_layer_7_ - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) - (re: t_PolynomialRingElement v_Vector) - = - let step:usize = v_VECTORS_IN_RING_ELEMENT /! sz 2 in - let re:t_PolynomialRingElement v_Vector = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = step - } - <: - Core.Ops.Range.t_Range usize) - <: - Core.Ops.Range.t_Range usize) - re - (fun re j -> - let re:t_PolynomialRingElement v_Vector = re in - let j:usize = j in - let x, y:(v_Vector & v_Vector) = - ntt_layer_7_int_vec_step (re.f_coefficients.[ j ] <: v_Vector) - (re.f_coefficients.[ j +! step <: usize ] <: v_Vector) - in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients j x - } - <: - t_PolynomialRingElement v_Vector - in - let re:t_PolynomialRingElement v_Vector = - { - re with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re.f_coefficients - (j +! step <: usize) - y - } - <: - t_PolynomialRingElement v_Vector - in - re) - in - re diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index fe0c5ce7c..3e4da8720 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti @@ -3,51 +3,31 @@ module Libcrux_ml_kem.Polynomial open Core open FStar.Mul -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 128) = +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = let list = [ - (-1044l); (-758l); (-359l); (-1517l); 1493l; 1422l; 287l; 202l; (-171l); 622l; 1577l; 182l; - 962l; (-1202l); (-1474l); 1468l; 573l; (-1325l); 264l; 383l; (-829l); 1458l; (-1602l); (-130l); - (-681l); 1017l; 732l; 608l; (-1542l); 411l; (-205l); (-1571l); 1223l; 652l; (-552l); 1015l; - (-1293l); 1491l; (-282l); (-1544l); 516l; (-8l); (-320l); (-666l); (-1618l); (-1162l); 126l; - 1469l; (-853l); (-90l); (-271l); 830l; 107l; (-1421l); (-247l); (-951l); (-398l); 961l; - (-1508l); (-725l); 448l; (-1065l); 677l; (-1275l); (-1103l); 430l; 555l; 843l; (-1251l); 871l; - 1550l; 105l; 422l; 587l; 177l; (-235l); (-291l); (-460l); 1574l; 1653l; (-246l); 778l; 1159l; - (-147l); (-777l); 1483l; (-602l); 1119l; (-1590l); 644l; (-872l); 349l; 418l; 329l; (-156l); - (-75l); 817l; 1097l; 603l; 610l; 1322l; (-1285l); (-1465l); 384l; (-1215l); (-136l); 1218l; - (-1335l); (-874l); 220l; (-1187l); (-1659l); (-1185l); (-1530l); (-1278l); 794l; (-1510l); - (-854l); (-870l); 478l; (-108l); (-308l); 996l; 991l; 958l; (-1460l); 1522l; 1628l + (-1044s); (-758s); (-359s); (-1517s); 1493s; 1422s; 287s; 202s; (-171s); 622s; 1577s; 182s; + 962s; (-1202s); (-1474s); 1468s; 573s; (-1325s); 264s; 383s; (-829s); 1458s; (-1602s); (-130s); + (-681s); 1017s; 732s; 608s; (-1542s); 411s; (-205s); (-1571s); 1223s; 652s; (-552s); 1015s; + (-1293s); 1491s; (-282s); (-1544s); 516s; (-8s); (-320s); (-666s); (-1618s); (-1162s); 126s; + 1469s; (-853s); (-90s); (-271s); 830s; 107s; (-1421s); (-247s); (-951s); (-398s); 961s; + (-1508s); (-725s); 448s; (-1065s); 677s; (-1275s); (-1103s); 430s; 555s; 843s; (-1251s); 871s; + 1550s; 105s; 422s; 587s; 177s; (-235s); (-291s); (-460s); 1574s; 1653s; (-246s); 778s; 1159s; + (-147s); (-777s); 1483s; (-602s); 1119s; (-1590s); 644s; (-872s); 349s; 418s; 329s; (-156s); + (-75s); 817s; 1097s; 603s; 610s; 1322s; (-1285s); (-1465s); 384s; (-1215s); (-136s); 1218s; + (-1335s); (-874s); 220s; (-1187s); (-1659s); (-1185s); (-1530s); (-1278s); 794s; (-1510s); + (-854s); (-870s); 478s; (-108s); (-308s); 996s; 991s; 958s; (-1460s); 1522s; 1628s ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 128); Rust_primitives.Hax.array_of_list 128 list -val inv_ntt_layer_int_vec_step - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (a b: v_Vector) - (zeta_r: i32) - : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_layer_7_int_vec_step - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (a b: v_Vector) - : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_layer_int_vec_step - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (a b: v_Vector) - (zeta_r: i32) - : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) - let v_VECTORS_IN_RING_ELEMENT: usize = Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! Libcrux_traits.v_FIELD_ELEMENTS_IN_VECTOR type t_PolynomialRingElement (v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} = { - f_coefficients:t_Array v_Vector (sz 32) + f_coefficients:t_Array v_Vector (sz 16) } val impl__ZERO: #v_Vector: Type -> {| i1: Libcrux_traits.t_Operations v_Vector |} -> Prims.unit @@ -56,7 +36,7 @@ val impl__ZERO: #v_Vector: Type -> {| i1: Libcrux_traits.t_Operations v_Vector | val impl__add_error_reduce (#v_Vector: Type) {| i2: Libcrux_traits.t_Operations v_Vector |} - (self result: t_PolynomialRingElement v_Vector) + (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) val impl__add_message_error_reduce @@ -68,7 +48,7 @@ val impl__add_message_error_reduce val impl__add_standard_error_reduce (#v_Vector: Type) {| i2: Libcrux_traits.t_Operations v_Vector |} - (self result: t_PolynomialRingElement v_Vector) + (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise @@ -80,10 +60,10 @@ val impl__add_to_ring_element (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl__from_i32_array +val impl__from_i16_array (#v_Vector: Type) {| i2: Libcrux_traits.t_Operations v_Vector |} - (a: t_Array i32 (sz 256)) + (a: t_Slice i16) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Given two `KyberPolynomialRingElement`s in their NTT representations, @@ -123,60 +103,3 @@ val impl__subtract_reduce {| i2: Libcrux_traits.t_Operations v_Vector |} (self b: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_1_ - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer: usize) - : Prims.Pure (usize & t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_2_ - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer: usize) - : Prims.Pure (usize & t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_3_plus - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (layer: usize) - : Prims.Pure (usize & t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Represents an intermediate polynomial splitting step in the NTT. All -/// resulting coefficients are in the normal domain since the zetas have been -/// multiplied by MONTGOMERY_R. -val ntt_at_layer_1_ - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer v__initial_coefficient_bound: usize) - : Prims.Pure (usize & t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_2_ - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (v__layer v__initial_coefficient_bound: usize) - : Prims.Pure (usize & t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_3_plus - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (zeta_i: usize) - (re: t_PolynomialRingElement v_Vector) - (layer v__initial_coefficient_bound: usize) - : Prims.Pure (usize & t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_7_ - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} - (re: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst index 1ac23de3a..7c18a83f4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst @@ -4,14 +4,14 @@ open Core open FStar.Mul let sample_from_uniform_distribution_next + (#v_Vector: Type) (v_K v_N: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (randomness: t_Array (t_Array u8 v_N) v_K) (sampled_coefficients: t_Array usize v_K) - (out: t_Array (t_Array i32 (sz 256)) v_K) + (out: t_Array (t_Array i16 (sz 272)) v_K) = - let done:bool = true in - let done, out, sampled_coefficients:(bool & t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K - ) = + let out, sampled_coefficients:(t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_K @@ -20,127 +20,136 @@ let sample_from_uniform_distribution_next Core.Ops.Range.t_Range usize) <: Core.Ops.Range.t_Range usize) - (done, out, sampled_coefficients - <: - (bool & t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K)) + (out, sampled_coefficients <: (t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K)) (fun temp_0_ i -> - let done, out, sampled_coefficients:(bool & t_Array (t_Array i32 (sz 256)) v_K & - t_Array usize v_K) = + let out, sampled_coefficients:(t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K) = temp_0_ in let i:usize = i in - let out, sampled_coefficients:(t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Slice.impl__chunks - (Rust_primitives.unsize (randomness.[ i ] <: t_Array u8 v_N) <: t_Slice u8) - (sz 3) - <: - Core.Slice.Iter.t_Chunks u8) - <: - Core.Slice.Iter.t_Chunks u8) - (out, sampled_coefficients <: (t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K) - ) - (fun temp_0_ bytes -> - let out, sampled_coefficients:(t_Array (t_Array i32 (sz 256)) v_K & - t_Array usize v_K) = - temp_0_ + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_N /! sz 24 <: usize + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (out, sampled_coefficients <: (t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K)) + (fun temp_0_ r -> + let out, sampled_coefficients:(t_Array (t_Array i16 (sz 272)) v_K & + t_Array usize v_K) = + temp_0_ + in + let r:usize = r in + if + (sampled_coefficients.[ i ] <: usize) <. + Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + bool + then + let tmp0, out1:(t_Slice i16 & usize) = + Libcrux_traits.f_rej_sample ((randomness.[ i ] <: t_Array u8 v_N).[ { + Core.Ops.Range.f_start = r *! sz 24 <: usize; + Core.Ops.Range.f_end = (r *! sz 24 <: usize) +! sz 24 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + ((out.[ i ] <: t_Array i16 (sz 272)).[ { + Core.Ops.Range.f_start = sampled_coefficients.[ i ] <: usize; + Core.Ops.Range.f_end + = + (sampled_coefficients.[ i ] <: usize) +! sz 16 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) in - let bytes:t_Slice u8 = bytes in - let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in - let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in - let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in - let d1:i32 = ((b2 &. 15l <: i32) <>! 4l <: i32) in - let out, sampled_coefficients:(t_Array (t_Array i32 (sz 256)) v_K & - t_Array usize v_K) = - if - d1 <. Libcrux_ml_kem.Constants.v_FIELD_MODULUS && - (sampled_coefficients.[ i ] <: usize) <. - Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let out:t_Array (t_Array i32 (sz 256)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out.[ i ] - <: - t_Array i32 (sz 256)) - (sampled_coefficients.[ i ] <: usize) - d1 + let out:t_Array (t_Array i16 (sz 272)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_range (out.[ i ] <: - t_Array i32 (sz 256)) - in - out, - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients - i - ((sampled_coefficients.[ i ] <: usize) +! sz 1 <: usize) - <: - (t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K) - else - out, sampled_coefficients - <: - (t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K) + t_Array i16 (sz 272)) + ({ + Core.Ops.Range.f_start = sampled_coefficients.[ i ] <: usize; + Core.Ops.Range.f_end + = + (sampled_coefficients.[ i ] <: usize) +! sz 16 <: usize + } + <: + Core.Ops.Range.t_Range usize) + tmp0 + <: + t_Array i16 (sz 272)) in - if - d2 <. Libcrux_ml_kem.Constants.v_FIELD_MODULUS && - (sampled_coefficients.[ i ] <: usize) <. - Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - let out:t_Array (t_Array i32 (sz 256)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - i - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (out.[ i ] - <: - t_Array i32 (sz 256)) - (sampled_coefficients.[ i ] <: usize) - d2 - <: - t_Array i32 (sz 256)) - in - let sampled_coefficients:t_Array usize v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients - i - ((sampled_coefficients.[ i ] <: usize) +! sz 1 <: usize) - in - out, sampled_coefficients - <: - (t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K) - else - out, sampled_coefficients - <: - (t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K)) - in + let sampled:usize = out1 in + let sampled_coefficients:t_Array usize v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients + i + ((sampled_coefficients.[ i ] <: usize) +! sampled <: usize) + in + out, sampled_coefficients + <: + (t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K) + else + out, sampled_coefficients + <: + (t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K)) + <: + (t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K)) + in + let done:bool = true in + let done, sampled_coefficients:(bool & t_Array usize v_K) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } + <: + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + (done, sampled_coefficients <: (bool & t_Array usize v_K)) + (fun temp_0_ i -> + let done, sampled_coefficients:(bool & t_Array usize v_K) = temp_0_ in + let i:usize = i in if - (sampled_coefficients.[ i ] <: usize) <. + (sampled_coefficients.[ i ] <: usize) >=. Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - then - false, out, sampled_coefficients - <: - (bool & t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K) - else - done, out, sampled_coefficients <: - (bool & t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K)) + bool + then + let sampled_coefficients:t_Array usize v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_coefficients + i + Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + in + done, sampled_coefficients <: (bool & t_Array usize v_K) + else false, sampled_coefficients <: (bool & t_Array usize v_K)) in let hax_temp_output:bool = done in sampled_coefficients, out, hax_temp_output <: - (t_Array usize v_K & t_Array (t_Array i32 (sz 256)) v_K & bool) + (t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) let sample_from_binomial_distribution_2_ (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let sampled_i32s:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in - let sampled_i32s:t_Array i32 (sz 256) = + let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in + let sampled_i16s:t_Array i16 (sz 256) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate (Core.Slice.impl__chunks_exact randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) - sampled_i32s - (fun sampled_i32s temp_1_ -> - let sampled_i32s:t_Array i32 (sz 256) = sampled_i32s in + sampled_i16s + (fun sampled_i16s temp_1_ -> + let sampled_i16s:t_Array i16 (sz 256) = sampled_i16s in let chunk_number, byte_chunk:(usize & t_Slice u8) = temp_1_ in let (random_bits_as_u32: u32):u32 = (((cast (byte_chunk.[ sz 0 ] <: u8) <: u32) |. @@ -167,44 +176,45 @@ let sample_from_binomial_distribution_2_ Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range u32)) <: Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range u32)) - sampled_i32s - (fun sampled_i32s outcome_set -> - let sampled_i32s:t_Array i32 (sz 256) = sampled_i32s in + sampled_i16s + (fun sampled_i16s outcome_set -> + let sampled_i16s:t_Array i16 (sz 256) = sampled_i16s in let outcome_set:u32 = outcome_set in - let outcome_1_:i32 = - cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 3ul <: u32) <: i32 + let outcome_1_:i16 = + cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 3ul <: u32) <: i16 in - let outcome_2_:i32 = + let outcome_2_:i16 = cast ((coin_toss_outcomes >>! (outcome_set +! 2ul <: u32) <: u32) &. 3ul <: u32) <: - i32 + i16 in let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in - let sampled_i32s:t_Array i32 (sz 256) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i32s + let sampled_i16s:t_Array i16 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s ((sz 8 *! chunk_number <: usize) +! offset <: usize) - (outcome_1_ -! outcome_2_ <: i32) + (outcome_1_ -! outcome_2_ <: i16) in - sampled_i32s)) + sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl__from_i32_array sampled_i32s + Libcrux_ml_kem.Polynomial.impl__from_i16_array (Rust_primitives.unsize sampled_i16s <: t_Slice i16 + ) let sample_from_binomial_distribution_3_ (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let sampled_i32s:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in - let sampled_i32s:t_Array i32 (sz 256) = + let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in + let sampled_i16s:t_Array i16 (sz 256) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate (Core.Slice.impl__chunks_exact randomness (sz 3) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) - sampled_i32s - (fun sampled_i32s temp_1_ -> - let sampled_i32s:t_Array i32 (sz 256) = sampled_i32s in + sampled_i16s + (fun sampled_i16s temp_1_ -> + let sampled_i16s:t_Array i16 (sz 256) = sampled_i16s in let chunk_number, byte_chunk:(usize & t_Slice u8) = temp_1_ in let (random_bits_as_u24: u32):u32 = ((cast (byte_chunk.[ sz 0 ] <: u8) <: u32) |. @@ -226,27 +236,28 @@ let sample_from_binomial_distribution_3_ Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range i32)) <: Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range i32)) - sampled_i32s - (fun sampled_i32s outcome_set -> - let sampled_i32s:t_Array i32 (sz 256) = sampled_i32s in + sampled_i16s + (fun sampled_i16s outcome_set -> + let sampled_i16s:t_Array i16 (sz 256) = sampled_i16s in let outcome_set:i32 = outcome_set in - let outcome_1_:i32 = - cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 7ul <: u32) <: i32 + let outcome_1_:i16 = + cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 7ul <: u32) <: i16 in - let outcome_2_:i32 = + let outcome_2_:i16 = cast ((coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) &. 7ul <: u32) <: - i32 + i16 in let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in - let sampled_i32s:t_Array i32 (sz 256) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i32s + let sampled_i16s:t_Array i16 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s ((sz 4 *! chunk_number <: usize) +! offset <: usize) - (outcome_1_ -! outcome_2_ <: i32) + (outcome_1_ -! outcome_2_ <: i16) in - sampled_i32s)) + sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl__from_i32_array sampled_i32s + Libcrux_ml_kem.Polynomial.impl__from_i16_array (Rust_primitives.unsize sampled_i16s <: t_Slice i16 + ) let sample_from_binomial_distribution (v_ETA: usize) @@ -265,65 +276,76 @@ let sample_from_binomial_distribution let sample_from_xof (v_K: usize) - (#v_Vector: Type) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) + (#v_Vector #v_Hasher: Type) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (seeds: t_Array (t_Array u8 (sz 34)) v_K) = let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K = Rust_primitives.Hax.repeat (sz 0) v_K in - let (out: t_Array (t_Array i32 (sz 256)) v_K):t_Array (t_Array i32 (sz 256)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) v_K - in - let xof_state:Libcrux_sha3.X4.t_Shake128StateX4 = - Libcrux_ml_kem.Hash_functions.absorb v_K seeds + let (out: t_Array (t_Array i16 (sz 272)) v_K):t_Array (t_Array i16 (sz 272)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K in - let tmp0, out1:(Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 504)) v_K) = - Libcrux_ml_kem.Hash_functions.squeeze_three_blocks v_K xof_state + let xof_state:v_Hasher = Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb v_K seeds in + let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) = + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_three_blocks v_K xof_state in - let xof_state:Libcrux_sha3.X4.t_Shake128StateX4 = tmp0 in + let xof_state:v_Hasher = tmp0 in let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in - let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i32 (sz 256)) v_K & bool) = + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = sample_from_uniform_distribution_next v_K (sz 504) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in - let out:t_Array (t_Array i32 (sz 256)) v_K = tmp1 in + let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in let done:bool = out1 in - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i32 (sz 256)) v_K & + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & - Libcrux_sha3.X4.t_Shake128StateX4) = + v_Hasher) = Rust_primitives.f_while_loop (fun temp_0_ -> - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i32 (sz 256)) v_K & + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & - Libcrux_sha3.X4.t_Shake128StateX4) = + v_Hasher) = temp_0_ in ~.done <: bool) (done, out, sampled_coefficients, xof_state <: - (bool & t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K & - Libcrux_sha3.X4.t_Shake128StateX4)) + (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) (fun temp_0_ -> - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i32 (sz 256)) v_K & + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & - Libcrux_sha3.X4.t_Shake128StateX4) = + v_Hasher) = temp_0_ in - let tmp0, out1:(Libcrux_sha3.X4.t_Shake128StateX4 & t_Array (t_Array u8 (sz 168)) v_K) = - Libcrux_ml_kem.Hash_functions.squeeze_block v_K xof_state + let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) = + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_block v_K xof_state in - let xof_state:Libcrux_sha3.X4.t_Shake128StateX4 = tmp0 in + let xof_state:v_Hasher = tmp0 in let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in - let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i32 (sz 256)) v_K & bool) = + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = sample_from_uniform_distribution_next v_K (sz 168) randomness sampled_coefficients out in let sampled_coefficients:t_Array usize v_K = tmp0 in - let out:t_Array (t_Array i32 (sz 256)) v_K = tmp1 in + let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in let done:bool = out1 in done, out, sampled_coefficients, xof_state <: - (bool & t_Array (t_Array i32 (sz 256)) v_K & t_Array usize v_K & - Libcrux_sha3.X4.t_Shake128StateX4)) + (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) in - let _:Prims.unit = Libcrux_ml_kem.Hash_functions.free_state xof_state in - Core.Array.impl_23__map v_K out Libcrux_ml_kem.Polynomial.impl__from_i32_array + Core.Array.impl_23__map v_K + out + (fun s -> + let s:t_Array i16 (sz 272) = s in + Libcrux_ml_kem.Polynomial.impl__from_i16_array (s.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 256 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti index a458bb957..52b52d986 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti @@ -37,11 +37,13 @@ open FStar.Mul /// The NIST FIPS 203 standard can be found at /// . val sample_from_uniform_distribution_next + (#v_Vector: Type) (v_K v_N: usize) + {| i1: Libcrux_traits.t_Operations v_Vector |} (randomness: t_Array (t_Array u8 v_N) v_K) (sampled_coefficients: t_Array usize v_K) - (out: t_Array (t_Array i32 (sz 256)) v_K) - : Prims.Pure (t_Array usize v_K & t_Array (t_Array i32 (sz 256)) v_K & bool) + (out: t_Array (t_Array i16 (sz 272)) v_K) + : Prims.Pure (t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) Prims.l_True (fun _ -> Prims.l_True) @@ -110,8 +112,9 @@ val sample_from_binomial_distribution val sample_from_xof (v_K: usize) - (#v_Vector: Type) - {| i1: Libcrux_traits.t_Operations v_Vector |} + (#v_Vector #v_Hasher: Type) + {| i2: Libcrux_traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (seeds: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) Prims.l_True diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index e0bf211c2..916404d64 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst @@ -32,56 +32,26 @@ let compress_then_serialize_10_ <: v_Vector) in - let bytes:t_Array u8 (sz 10) = Libcrux_traits.f_serialize_10_ coefficient in + let bytes:t_Array u8 (sz 20) = Libcrux_traits.f_serialize_10_ coefficient in let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 10 *! i <: usize) - (bytes.[ sz 0 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 1 <: usize) - (bytes.[ sz 1 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 2 <: usize) - (bytes.[ sz 2 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 3 <: usize) - (bytes.[ sz 3 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 4 <: usize) - (bytes.[ sz 4 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 5 <: usize) - (bytes.[ sz 5 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 6 <: usize) - (bytes.[ sz 6 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 7 <: usize) - (bytes.[ sz 7 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 8 <: usize) - (bytes.[ sz 8 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 10 *! i <: usize) +! sz 9 <: usize) - (bytes.[ sz 9 ] <: u8) + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 20 *! i <: usize; + Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice (serialized.[ { + Core.Ops.Range.f_start = sz 20 *! i <: usize; + Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Rust_primitives.unsize bytes <: t_Slice u8) + <: + t_Slice u8) in serialized) in @@ -116,74 +86,38 @@ let compress_then_serialize_11_ <: v_Vector) in - let bytes:t_Array u8 (sz 11) = Libcrux_traits.f_serialize_11_ coefficient in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 11 *! i <: usize) - (bytes.[ sz 0 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 1 <: usize) - (bytes.[ sz 1 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 2 <: usize) - (bytes.[ sz 2 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 3 <: usize) - (bytes.[ sz 3 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 4 <: usize) - (bytes.[ sz 4 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 5 <: usize) - (bytes.[ sz 5 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 6 <: usize) - (bytes.[ sz 6 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 7 <: usize) - (bytes.[ sz 7 ] <: u8) - in + let bytes:t_Array u8 (sz 22) = Libcrux_traits.f_serialize_11_ coefficient in let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 8 <: usize) - (bytes.[ sz 8 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 9 <: usize) - (bytes.[ sz 9 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 11 *! i <: usize) +! sz 10 <: usize) - (bytes.[ sz 10 ] <: u8) + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 22 *! i <: usize; + Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice (serialized.[ { + Core.Ops.Range.f_start = sz 22 *! i <: usize; + Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Rust_primitives.unsize bytes <: t_Slice u8) + <: + t_Slice u8) in serialized) in serialized let compress_then_serialize_4_ - (v_OUT_LEN: usize) (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let serialized:t_Array u8 v_OUT_LEN = + let serialized, hax_temp_output:t_Slice u8 = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT @@ -194,7 +128,7 @@ let compress_then_serialize_4_ Core.Ops.Range.t_Range usize) serialized (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in + let serialized:t_Slice u8 = serialized in let i:usize = i in let coefficient:v_Vector = Libcrux_traits.f_compress 4l @@ -205,39 +139,38 @@ let compress_then_serialize_4_ <: v_Vector) in - let bytes:t_Array u8 (sz 4) = Libcrux_traits.f_serialize_4_ coefficient in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 4 *! i <: usize) - (bytes.[ sz 0 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 4 *! i <: usize) +! sz 1 <: usize) - (bytes.[ sz 1 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 4 *! i <: usize) +! sz 2 <: usize) - (bytes.[ sz 2 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 4 *! i <: usize) +! sz 3 <: usize) - (bytes.[ sz 3 ] <: u8) + let bytes:t_Array u8 (sz 8) = Libcrux_traits.f_serialize_4_ coefficient in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 8 *! i <: usize; + Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice (serialized.[ { + Core.Ops.Range.f_start = sz 8 *! i <: usize; + Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Rust_primitives.unsize bytes <: t_Slice u8) + <: + t_Slice u8) in serialized) in serialized let compress_then_serialize_5_ - (v_OUT_LEN: usize) (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) = - let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let serialized:t_Array u8 v_OUT_LEN = + let serialized, hax_temp_output:t_Slice u8 = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT @@ -248,7 +181,7 @@ let compress_then_serialize_5_ Core.Ops.Range.t_Range usize) serialized (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in + let serialized:t_Slice u8 = serialized in let i:usize = i in let coefficients:v_Vector = Libcrux_traits.f_compress 5l @@ -259,31 +192,26 @@ let compress_then_serialize_5_ <: v_Vector) in - let bytes5:t_Array u8 (sz 5) = Libcrux_traits.f_serialize_5_ coefficients in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 5 *! i <: usize) - (bytes5.[ sz 0 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 1 <: usize) - (bytes5.[ sz 1 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 2 <: usize) - (bytes5.[ sz 2 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 3 <: usize) - (bytes5.[ sz 3 ] <: u8) - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 4 <: usize) - (bytes5.[ sz 4 ] <: u8) + let bytes:t_Array u8 (sz 10) = Libcrux_traits.f_serialize_5_ coefficients in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 10 *! i <: usize; + Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice (serialized.[ { + Core.Ops.Range.f_start = sz 10 *! i <: usize; + Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Rust_primitives.unsize bytes <: t_Slice u8) + <: + t_Slice u8) in serialized) in @@ -298,7 +226,7 @@ let compress_then_serialize_message let serialized:t_Array u8 (sz 32) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 32 + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize) @@ -315,10 +243,26 @@ let compress_then_serialize_message v_Vector) in let coefficient_compressed:v_Vector = Libcrux_traits.f_compress_1_ coefficient in + let bytes:t_Array u8 (sz 2) = Libcrux_traits.f_serialize_1_ coefficient_compressed in let serialized:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - i - (Libcrux_traits.f_serialize_1_ coefficient_compressed <: u8) + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Rust_primitives.unsize bytes <: t_Slice u8) + <: + t_Slice u8) in serialized) in @@ -344,15 +288,22 @@ let compress_then_serialize_ring_element_v (#v_Vector: Type) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (out: t_Slice u8) = - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 4ul -> compress_then_serialize_4_ v_OUT_LEN re - | 5ul -> compress_then_serialize_5_ v_OUT_LEN re - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + let out, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 4ul -> compress_then_serialize_4_ re out, () <: (t_Slice u8 & Prims.unit) + | 5ul -> compress_then_serialize_5_ re out, () <: (t_Slice u8 & Prims.unit) + | _ -> + out, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + out let deserialize_then_decompress_10_ (#v_Vector: Type) @@ -364,7 +315,7 @@ let deserialize_then_decompress_10_ in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact serialized (sz 10) <: Core.Slice.Iter.t_ChunksExact u8) + (Core.Slice.impl__chunks_exact serialized (sz 20) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: @@ -382,7 +333,7 @@ let deserialize_then_decompress_10_ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_traits.f_decompress 10l coefficient <: v_Vector) + (Libcrux_traits.f_decompress_ciphertext_coefficient 10l coefficient <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector @@ -401,7 +352,7 @@ let deserialize_then_decompress_11_ in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact serialized (sz 11) <: Core.Slice.Iter.t_ChunksExact u8) + (Core.Slice.impl__chunks_exact serialized (sz 22) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: @@ -419,7 +370,7 @@ let deserialize_then_decompress_11_ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_traits.f_decompress 11l coefficient <: v_Vector) + (Libcrux_traits.f_decompress_ciphertext_coefficient 11l coefficient <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector @@ -438,7 +389,7 @@ let deserialize_then_decompress_4_ in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact serialized (sz 4) <: Core.Slice.Iter.t_ChunksExact u8) + (Core.Slice.impl__chunks_exact serialized (sz 8) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: @@ -456,7 +407,7 @@ let deserialize_then_decompress_4_ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_traits.f_decompress 4l coefficient <: v_Vector) + (Libcrux_traits.f_decompress_ciphertext_coefficient 4l coefficient <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector @@ -475,7 +426,7 @@ let deserialize_then_decompress_5_ in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact serialized (sz 5) <: Core.Slice.Iter.t_ChunksExact u8) + (Core.Slice.impl__chunks_exact serialized (sz 10) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: @@ -505,7 +456,7 @@ let deserialize_then_decompress_5_ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_traits.f_decompress 5l + (Libcrux_traits.f_decompress_ciphertext_coefficient 5l (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -528,7 +479,7 @@ let deserialize_then_decompress_message let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 32 + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize) @@ -539,7 +490,14 @@ let deserialize_then_decompress_message let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i:usize = i in let coefficient_compressed:v_Vector = - Libcrux_traits.f_deserialize_1_ (serialized.[ i ] <: u8) + Libcrux_traits.f_deserialize_1_ (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { @@ -598,7 +556,7 @@ let deserialize_to_reduced_ring_element in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact serialized (sz 12) <: Core.Slice.Iter.t_ChunksExact u8) + (Core.Slice.impl__chunks_exact serialized (sz 24) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: @@ -632,10 +590,12 @@ let deserialize_ring_elements_reduced (public_key: t_Slice u8) = let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K + Core.Array.from_fn v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl__ZERO () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate @@ -674,7 +634,7 @@ let deserialize_to_uncompressed_ring_element in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate - (Core.Slice.impl__chunks_exact serialized (sz 12) <: Core.Slice.Iter.t_ChunksExact u8) + (Core.Slice.impl__chunks_exact serialized (sz 24) <: Core.Slice.Iter.t_ChunksExact u8) <: Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) <: @@ -692,7 +652,7 @@ let deserialize_to_uncompressed_ring_element i (Libcrux_traits.f_deserialize_12_ bytes <: v_Vector) <: - t_Array v_Vector (sz 32) + t_Array v_Vector (sz 16) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) @@ -724,66 +684,26 @@ let serialize_uncompressed_ring_element <: v_Vector) in - let bytes:t_Array u8 (sz 12) = Libcrux_traits.f_serialize_12_ coefficient in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 12 *! i <: usize) - (bytes.[ sz 0 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 1 <: usize) - (bytes.[ sz 1 ] <: u8) - in + let bytes:t_Array u8 (sz 24) = Libcrux_traits.f_serialize_12_ coefficient in let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 2 <: usize) - (bytes.[ sz 2 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 3 <: usize) - (bytes.[ sz 3 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 4 <: usize) - (bytes.[ sz 4 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 5 <: usize) - (bytes.[ sz 5 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 6 <: usize) - (bytes.[ sz 6 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 7 <: usize) - (bytes.[ sz 7 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 8 <: usize) - (bytes.[ sz 8 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 9 <: usize) - (bytes.[ sz 9 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 10 <: usize) - (bytes.[ sz 10 ] <: u8) - in - let serialized:t_Array u8 (sz 384) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 12 *! i <: usize) +! sz 11 <: usize) - (bytes.[ sz 11 ] <: u8) + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 24 *! i <: usize; + Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice (serialized.[ { + Core.Ops.Range.f_start = sz 24 *! i <: usize; + Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Rust_primitives.unsize bytes <: t_Slice u8) + <: + t_Slice u8) in serialized) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index 5786b8a5f..aa98844c8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti @@ -18,18 +18,18 @@ val compress_then_serialize_11_ : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_4_ - (v_OUT_LEN: usize) (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_5_ - (v_OUT_LEN: usize) (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_message (#v_Vector: Type) @@ -49,7 +49,8 @@ val compress_then_serialize_ring_element_v (#v_Vector: Type) {| i1: Libcrux_traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_10_ (#v_Vector: Type) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 73dbc3411..2520d935c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst @@ -5,22 +5,16 @@ open FStar.Mul let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value -let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = v_SIZE - let impl_6__split_at (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) (mid: usize) = Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid let impl_12__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value -let impl_12__len (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = v_SIZE - let impl_12__split_at (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) (mid: usize) = Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid let impl_18__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value -let impl_18__len (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = v_SIZE - let impl_18__split_at (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) (mid: usize) = Core.Slice.impl__split_at (Rust_primitives.unsize self.f_value <: t_Slice u8) mid diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti index 2de0ab7bb..e53c97941 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti @@ -3,6 +3,7 @@ module Libcrux_ml_kem.Types open Core open FStar.Mul +///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] @@ -40,15 +41,15 @@ let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip f_from = fun (value: t_MlKemCiphertext v_SIZE) -> value.f_value } +/// A reference to the raw byte slice. val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - +/// Split this value and return the raw byte slices. val impl_6__split_at (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) (mid: usize) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +///An ML-KEM Private key type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] @@ -86,15 +87,15 @@ let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPr f_from = fun (value: t_MlKemPrivateKey v_SIZE) -> value.f_value } +/// A reference to the raw byte slice. val impl_12__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val impl_12__len (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - +/// Split this value and return the raw byte slices. val impl_12__split_at (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) (mid: usize) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +///An ML-KEM Public key type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] @@ -132,12 +133,11 @@ let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu f_from = fun (value: t_MlKemPublicKey v_SIZE) -> value.f_value } +/// A reference to the raw byte slice. val impl_18__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val impl_18__len (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - +/// Split this value and return the raw byte slices. val impl_18__split_at (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) (mid: usize) : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) @@ -225,6 +225,7 @@ type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE } +/// Create a new [`MlKemKeyPair`] from the secret and public key. val impl__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) @@ -242,21 +243,25 @@ val impl__new Prims.l_True (fun _ -> Prims.l_True) +/// Get a reference to the raw public key bytes. val impl__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) +/// Get a reference to the [`MlKemPrivateKey`]. val impl__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) +/// Get a reference to the [`MlKemPublicKey`]. val impl__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) +/// Get a reference to the raw private key bytes. val impl__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) diff --git a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.fst b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.fst index da299df1a..c808ca3e2 100644 --- a/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.fst +++ b/polynomials-avx2/proofs/fstar/extraction/Libcrux_polynomials_avx2.fst @@ -34,8 +34,8 @@ let zero (_: Prims.unit) : t_SIMD256Vector = [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_traits.t_Operations t_SIMD256Vector = { - _super_14285531652857523276 = FStar.Tactics.Typeclasses.solve; - _super_10391689928755043351 = FStar.Tactics.Typeclasses.solve; + _super_957087622381469234 = FStar.Tactics.Typeclasses.solve; + _super_2101570567305961368 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = (fun (_: Prims.unit) (out: t_SIMD256Vector) -> true); f_ZERO = (fun (_: Prims.unit) -> zero ()); From 76ab582c79998d5ef77e6e6b6d287c6b1ff0106d Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Thu, 23 May 2024 09:21:28 +0200 Subject: [PATCH 7/7] portable rejection sampling for neon for now --- .github/workflows/mlkem.yml | 14 ++++++++++++- polynomials-aarch64/src/lib.rs | 30 +++++++++++++++++++++++++-- polynomials-aarch64/src/neon.rs | 10 ++++----- polynomials-aarch64/src/rejsample.rs | 13 +++++++----- polynomials-aarch64/src/simd128ops.rs | 5 +---- 5 files changed, 55 insertions(+), 17 deletions(-) diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml index 13c639a43..fe43c3025 100644 --- a/.github/workflows/mlkem.yml +++ b/.github/workflows/mlkem.yml @@ -84,6 +84,11 @@ jobs: if: ${{ matrix.os == 'macos-latest' }} run: RUSTDOCFLAGS=-Zsanitizer=address RUSTFLAGS=-Zsanitizer=address cargo +nightly test --release --target aarch64-apple-darwin + # - name: ⬆ Upload build + # uses: ./.github/actions/upload_artifacts + # with: + # name: build_${{ matrix.os }}_${{ matrix.bits }} + # We get false positives here. # TODO: Figure out what is going on here # - name: 🏃🏻 Asan Linux @@ -123,7 +128,6 @@ jobs: cargo test --verbose $RUST_TARGET_FLAG - name: 🏃🏻‍♀️ Test Release - if: ${{ matrix.os != 'macos-latest' }} run: | cargo clean cargo test --verbose --release $RUST_TARGET_FLAG @@ -195,6 +199,14 @@ jobs: echo "RUST_TARGET_FLAG=--target=i686-unknown-linux-gnu" > $GITHUB_ENV if: ${{ matrix.bits == 32 && matrix.os == 'ubuntu-latest' }} + # - name: 🔨 Build + # run: cargo build --benches + + # - name: ⬆ Upload build + # uses: ./.github/actions/upload_artifacts + # with: + # name: benchmarks_${{ matrix.os }}_${{ matrix.bits }} + # Benchmarks ... - name: 🏃🏻‍♀️ Benchmarks diff --git a/polynomials-aarch64/src/lib.rs b/polynomials-aarch64/src/lib.rs index a37953217..c8ddb2440 100644 --- a/polynomials-aarch64/src/lib.rs +++ b/polynomials-aarch64/src/lib.rs @@ -3,7 +3,7 @@ use libcrux_traits::Operations; mod neon; -mod rejsample; +// mod rejsample; mod simd128ops; pub use simd128ops::SIMD128Vector; @@ -158,6 +158,32 @@ impl Operations for SIMD128Vector { } fn rej_sample(a: &[u8], out: &mut [i16]) -> usize { - rejsample::rej_sample(a, out) + // FIXME: The code in rejsample fails on the CI machines. + // We need to understand why and fix it before using it. + // We use the portable version in the meantime. + rej_sample(a, out) } } + +#[inline(always)] +pub(crate) fn rej_sample(a: &[u8], result: &mut [i16]) -> usize { + let mut sampled = 0; + for bytes in a.chunks(3) { + let b1 = bytes[0] as i16; + let b2 = bytes[1] as i16; + let b3 = bytes[2] as i16; + + let d1 = ((b2 & 0xF) << 8) | b1; + let d2 = (b3 << 4) | (b2 >> 4); + + if d1 < libcrux_traits::FIELD_MODULUS && sampled < 16 { + result[sampled] = d1; + sampled += 1 + } + if d2 < libcrux_traits::FIELD_MODULUS && sampled < 16 { + result[sampled] = d2; + sampled += 1 + } + } + sampled +} diff --git a/polynomials-aarch64/src/neon.rs b/polynomials-aarch64/src/neon.rs index d0454cfef..88157fdf3 100644 --- a/polynomials-aarch64/src/neon.rs +++ b/polynomials-aarch64/src/neon.rs @@ -8,12 +8,12 @@ pub(crate) fn _vdupq_n_s16(i: i16) -> int16x8_t { #[inline(always)] pub(crate) fn _vst1q_s16(out: &mut [i16], v: int16x8_t) { - unsafe { vst1q_s16(out.as_mut_ptr() as *mut i16, v) } + unsafe { vst1q_s16(out.as_mut_ptr(), v) } } #[inline(always)] pub(crate) fn _vld1q_s16(array: &[i16]) -> int16x8_t { - unsafe { vld1q_s16(array.as_ptr() as *const i16) } + unsafe { vld1q_s16(array.as_ptr()) } } #[inline(always)] @@ -193,7 +193,7 @@ pub(crate) fn _vmlal_high_s16(a: int32x4_t, b: int16x8_t, c: int16x8_t) -> int32 } #[inline(always)] pub(crate) fn _vld1q_u8(ptr: &[u8]) -> uint8x16_t { - unsafe { vld1q_u8(ptr.as_ptr() as *const u8) } + unsafe { vld1q_u8(ptr.as_ptr()) } } #[inline(always)] pub(crate) fn _vreinterpretq_u8_s16(a: int16x8_t) -> uint8x16_t { @@ -254,7 +254,7 @@ pub(super) fn _vreinterpretq_u8_s64(a: int64x2_t) -> uint8x16_t { #[inline(always)] pub(super) fn _vst1q_u8(out: &mut [u8], v: uint8x16_t) { - unsafe { vst1q_u8(out.as_mut_ptr() as *mut u8, v) } + unsafe { vst1q_u8(out.as_mut_ptr(), v) } } #[inline(always)] pub(crate) fn _vdupq_n_u16(value: u16) -> uint16x8_t { @@ -270,7 +270,7 @@ pub(crate) fn _vreinterpretq_u16_u8(a: uint8x16_t) -> uint16x8_t { } #[inline(always)] pub(crate) fn _vld1q_u16(ptr: &[u16]) -> uint16x8_t { - unsafe { vld1q_u16(ptr.as_ptr() as *const u16) } + unsafe { vld1q_u16(ptr.as_ptr()) } } #[inline(always)] pub(crate) fn _vcleq_s16(a: int16x8_t, b: int16x8_t) -> uint16x8_t { diff --git a/polynomials-aarch64/src/rejsample.rs b/polynomials-aarch64/src/rejsample.rs index b25fc0f42..64e64a0dc 100644 --- a/polynomials-aarch64/src/rejsample.rs +++ b/polynomials-aarch64/src/rejsample.rs @@ -776,18 +776,21 @@ pub(crate) fn rej_sample(a: &[u8], out: &mut [i16]) -> usize { let input = super::simd128ops::deserialize_12(a); let mask0 = _vcleq_s16(input.low, fm); let mask1 = _vcleq_s16(input.high, fm); - let used0 = _vaddvq_u16(_vandq_u16(mask0, bits)); - let used1 = _vaddvq_u16(_vandq_u16(mask1, bits)); + let masked = _vandq_u16(mask0, bits); + let used0 = _vaddvq_u16(masked); + let masked = _vandq_u16(mask1, bits); + let used1 = _vaddvq_u16(masked); let pick0 = used0.count_ones(); let pick1 = used1.count_ones(); - let index_vec0 = _vld1q_u8(&IDX_TABLE[used0 as usize]); + // XXX: the indices used0 and used1 must be < 256. + let index_vec0 = _vld1q_u8(&IDX_TABLE[(used0 as u8) as usize]); let shifted0 = _vreinterpretq_s16_u8(_vqtbl1q_u8(_vreinterpretq_u8_s16(input.low), index_vec0)); - let index_vec1 = _vld1q_u8(&IDX_TABLE[used1 as usize]); + let index_vec1 = _vld1q_u8(&IDX_TABLE[(used1 as u8) as usize]); let shifted1 = _vreinterpretq_s16_u8(_vqtbl1q_u8(_vreinterpretq_u8_s16(input.high), index_vec1)); - let idx0 = pick0 as usize; + let idx0 = usize::try_from(pick0).unwrap(); _vst1q_s16(&mut out[0..8], shifted0); _vst1q_s16(&mut out[idx0..idx0 + 8], shifted1); (pick0 + pick1) as usize diff --git a/polynomials-aarch64/src/simd128ops.rs b/polynomials-aarch64/src/simd128ops.rs index 79be6f4af..7244d58b9 100644 --- a/polynomials-aarch64/src/simd128ops.rs +++ b/polynomials-aarch64/src/simd128ops.rs @@ -848,8 +848,5 @@ pub(crate) fn deserialize_12(v: &[u8]) -> SIMD128Vector { let shifted1 = _vshlq_u16(moved1, shift_vec); let high = _vreinterpretq_s16_u16(_vandq_u16(shifted1, mask12)); - SIMD128Vector { - low: low, - high: high, - } + SIMD128Vector { low, high } }