diff --git a/CMakeLists.txt b/CMakeLists.txt
index 25999e58..958c4cd1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -477,10 +477,11 @@ if(ENABLE_TESTS)
 target_compile_options(${TEST_NAME} PRIVATE /std:c++20)
 endif(MSVC)
- add_dependencies(${TEST_NAME} hacl hacl_cpu_features)
+ add_dependencies(${TEST_NAME} hacl libcrux_static hacl_cpu_features)
 target_link_libraries(${TEST_NAME} PRIVATE
 gtest_main
 hacl_static
+ libcrux_static
 hacl_cpu_features
 nlohmann_json::nlohmann_json
 )
@@ -513,7 +514,7 @@ if(ENABLE_TESTS)
 target_compile_options(${TEST_NAME} PRIVATE /std:c++20)
 endif(MSVC)
- add_dependencies(${TEST_NAME} hacl hacl_cpu_features)
+ add_dependencies(${TEST_NAME} hacl libcrux_static hacl_cpu_features)
 target_link_libraries(${TEST_NAME} PRIVATE
 gtest_main
 hacl_cpu_features
@@ -553,7 +554,8 @@ if(ENABLE_BENCHMARKS)
 FetchContent_Populate(benchmark GIT_REPOSITORY https://github.com/google/benchmark.git
 # The latest release 1.7.1 is broken due to https://github.com/google/benchmark/pull/1517
- GIT_TAG b177433f3ee2513b1075140c723d73ab8901790f
+ # But also: need the fix for https://github.com/google/benchmark/pull/1669
+ GIT_TAG bc946b919cac6f25a199a526da571638cfde109f
 )
 add_subdirectory(${benchmark_SOURCE_DIR} ${benchmark_BINARY_DIR})
@@ -591,9 +593,10 @@ if(ENABLE_BENCHMARKS)
 target_compile_options(${BENCH_NAME} PRIVATE /std:c++20)
 endif(NOT MSVC)
- add_dependencies(${BENCH_NAME} hacl hacl_cpu_features)
+ add_dependencies(${BENCH_NAME} hacl libcrux_static hacl_cpu_features)
 target_link_libraries(${BENCH_NAME} PRIVATE
 hacl_static
+ libcrux_static
 ecckiila
 blake2
 digestif
@@ -620,7 +623,7 @@ if(ENABLE_BENCHMARKS)
 target_compile_definitions(${BENCH_NAME} PUBLIC NO_OPENSSL)
- add_dependencies(${BENCH_NAME} hacl hacl_cpu_features)
+ add_dependencies(${BENCH_NAME} hacl libcrux_static hacl_cpu_features)
 target_link_libraries(${BENCH_NAME} PRIVATE
 hacl_cpu_features
 benchmark::benchmark
diff --git a/README.md b/README.md
index def4d399..521b08b1 100644
--- a/README.md
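Review bot: `add_dependencies(${TEST_NAME} hacl libcrux_static hacl_cpu_features)` now names `libcrux_static`, which is only safe if that target exists in every configuration that enables tests; the README added in this change builds with `-DBUILD_LIBCRUX=1`, and if `libcrux_static` is created only under that option, CMake rejects a dependency on an undefined target at generate time, so a plain `-DENABLE_TESTS=ON` configure would break. Since the `target_link_libraries` call in the same hunk already links `libcrux_static` (which by itself orders the build after it), the `add_dependencies` entry is redundant and can be dropped, or at least guarded with `if(TARGET libcrux_static)`. The enclosing `if(ENABLE_TESTS)` block starts and ends outside the hunk.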
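Review bot: The second test target's `add_dependencies` gains `libcrux_static`, but the `target_link_libraries` list that follows (`gtest_main`, `hacl_cpu_features`, continuing outside the hunk) is not extended in this hunk, so it is unclear whether this binary actually links libcrux or is merely ordered after it. If it does not need libcrux symbols, the `libcrux_static` entry in `add_dependencies` is noise and should be removed; if it does, add `libcrux_static` to the link list as the first test target does, and either way the undefined-target failure when `BUILD_LIBCRUX` is off applies here too. The enclosing `if(ENABLE_TESTS)` block starts and ends outside the hunk.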
+++ b/README.md @@ -83,6 +83,28 @@ $ ./mach build --test ... to build HACL Packages and run the tests. All actions are driven by [mach]. See `./mach --help` for details. +### MSVC Build + +The hacl-packages build is designed for non-MSVC compilers. +Building with MSVC can be achieved as follows. + + +
+ MSVC Build + +```powershell +# Setup build directory +mkdir build +cp config\default_config_msvc.cmake build\config.cmake +cp config\default_config_msvc.h build\config.h + +# Build +cmake -B build -DBUILD_LIBCRUX=1 -G "Visual Studio 17 2022" -A x64 -DUSE_MSVC=1 -DENABLE_TESTS=ON -DENABLE_BENCHMARKS=ON +# Use --config Release to build in release mode +cmake --build build +``` +
+ ## Platform support The HACL Packages are supported based on the following tiers.
diff --git a/config/config.json b/config/config.json
index 63623672..32017d86 100644
--- a/config/config.json
+++ b/config/config.json
@@ -347,7 +347,13 @@
 "file": "Libcrux_Kem_Kyber_Kyber768.c"
 },
 {
- "file": "libcrux_kyber.c"
+ "file": "libcrux_kyber512.c"
+ },
+ {
+ "file": "libcrux_kyber768.c"
+ },
+ {
+ "file": "libcrux_kyber1024.c"
 },
 {
 "file": "libcrux_hacl_glue.c"
diff --git a/config/default_config.cmake b/config/default_config.cmake
index d8ccfb6f..5efc99c7 100644
--- a/config/default_config.cmake
+++ b/config/default_config.cmake
@@ -445,6 +445,7 @@ set(BENCHMARK_SOURCES
 ${PROJECT_SOURCE_DIR}/benchmarks/drbg.cc
 ${PROJECT_SOURCE_DIR}/benchmarks/hmac.cc
 ${PROJECT_SOURCE_DIR}/benchmarks/rsapss.cc
+ ${PROJECT_SOURCE_DIR}/benchmarks/kyber.cc
 )
 set(VALE_SOURCES_osx
 ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-darwin.S
@@ -476,6 +477,11 @@ set(VALE_SOURCES_msvc
 )
 set(LIBCRUX_SOURCES
 ${PROJECT_SOURCE_DIR}/libcrux/src/Libcrux_Kem_Kyber_Kyber768.c
+ ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_kyber512.c
+ ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_kyber768.c
+ ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_kyber1024.c
+ ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_hacl_glue.c
+ ${PROJECT_SOURCE_DIR}/libcrux/src/core.c
 )
 set(ALGORITHM_TEST_FILES
 TEST_FILES_detection
diff --git a/config/default_config_msvc.cmake b/config/default_config_msvc.cmake
new file mode 100644
index 00000000..5950b095
--- /dev/null
+++ b/config/default_config_msvc.cmake
@@ -0,0 +1,578 @@ +set(SOURCES_std + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_NaCl.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Salsa20.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_MAC_Poly1305.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Curve25519_51.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HMAC_DRBG.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HMAC.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_SHA2.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_Blake2s.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_Blake2b.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Ed25519.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_EC_Ed25519.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_Base.c + ${PROJECT_SOURCE_DIR}/src/msvc/Lib_Memzero0.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Bignum256_32.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Bignum.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Bignum256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Bignum32.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Bignum4096_32.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_GenericField32.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_AEAD_Chacha20Poly1305.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Chacha20.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Chacha20_Vec32.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_P256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_K256_ECDSA.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_EC_K256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_FFDHE.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_SHA3.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_SHA1.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_MD5.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HKDF.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_RSAPSS.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve51_CP32_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve51_CP32_SHA512.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_P256_CP32_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Frodo1344.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Frodo_KEM.c + ${PROJECT_SOURCE_DIR}/src/msvc/Lib_RandomBuffer_System.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Frodo640.c + 
${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Frodo976.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Frodo64.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_DRBG.c + ${PROJECT_SOURCE_DIR}/src/msvc/Lib_RandomBuffer_System.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_HMAC.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_Hash.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_AutoConfig2.c + ${PROJECT_SOURCE_DIR}/src/msvc/Lib_Memzero0.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_Ed25519.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_Curve25519.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_HKDF.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_Cipher.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_Chacha20Poly1305.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_Poly1305.c + ${PROJECT_SOURCE_DIR}/src/msvc/EverCrypt_AEAD.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_SHA3_Scalar.c +) +set(SOURCES_vec256 + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_Blake2b_Simd256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Chacha20_Vec256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_MAC_Poly1305_Simd256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_SHA2_Vec256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HKDF_Blake2b_256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HMAC_Blake2b_256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve51_CP256_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve51_CP256_SHA512.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_P256_CP256_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_SHA3_Simd256.c +) +set(SOURCES_vec128 + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Hash_Blake2s_Simd128.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Bignum4096.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Bignum64.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_GenericField64.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Chacha20_Vec128.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_MAC_Poly1305_Simd128.c + 
${PROJECT_SOURCE_DIR}/src/msvc/Hacl_SHA2_Vec128.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HKDF_Blake2s_128.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HMAC_Blake2s_128.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve51_CP128_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve51_CP128_SHA512.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_P256_CP128_SHA256.c +) +set(SOURCES_m32 + +) +set(SOURCES_vale + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_Curve25519_64.c +) +set(SOURCES_vec128_vale + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve64_CP128_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve64_CP128_SHA512.c +) +set(SOURCES_vec256_vale + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve64_CP256_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve64_CP256_SHA512.c +) +set(SOURCES_std_vale + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve64_CP32_SHA256.c + ${PROJECT_SOURCE_DIR}/src/msvc/Hacl_HPKE_Curve64_CP32_SHA512.c +) +set(INCLUDES + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_NaCl.h + ${PROJECT_SOURCE_DIR}/karamel/include/krml/internal/types.h + ${PROJECT_SOURCE_DIR}/karamel/include/krml/lowstar_endianness.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/FStar_UInt128.h + ${PROJECT_SOURCE_DIR}/karamel/include/krml/internal/compat.h + ${PROJECT_SOURCE_DIR}/karamel/include/krml/internal/target.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/LowStar_Endianness.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Salsa20.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_MAC_Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Streaming_Types.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Krmllib.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Curve25519_51.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Krmllib.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Krmllib.h + 
${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC_DRBG.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA2.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2s.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2b.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_SHA2.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_SHA2.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Ed25519_PrecompTable.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Curve25519_51.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Bignum25519_51.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Curve25519_51.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Bignum_Base.h + ${PROJECT_SOURCE_DIR}/include/msvc/lib_intrinsics.h + ${PROJECT_SOURCE_DIR}/build/config.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_IntTypes_Intrinsics.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_IntTypes_Intrinsics_128.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_EC_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Base.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_Blake2b.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Impl_Blake2_Constants.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2b.h + ${PROJECT_SOURCE_DIR}/include/msvc/lib_memzero0.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_Blake2s.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2s.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2b_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/libintvector.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2s_Simd128.h + 
${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum256_32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Bignum.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Bignum.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum4096_32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum4096.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum64.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_GenericField32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_GenericField64.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_AEAD_Chacha20Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_MAC_Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_MAC_Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20_Vec32.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Chacha20.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Chacha20.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20_Vec128.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_MAC_Poly1305_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_MAC_Poly1305_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20_Vec256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_MAC_Poly1305_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_MAC_Poly1305_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Curve25519_64.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Vale.h + ${PROJECT_SOURCE_DIR}/include/msvc/curve25519-inline.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_P256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_P256_PrecompTable.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_P256.h + 
${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_K256_ECDSA.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_K256_PrecompTable.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Bignum_K256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_K256_ECDSA.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_EC_K256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_FFDHE.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Spec.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Impl_FFDHE_Constants.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_SHA3.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_SHA3.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_SHA2_Vec128.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_SHA2_Types.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_SHA2_Vec256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_SHA1.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_SHA1.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_MD5.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_MD5.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HKDF.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HKDF_Blake2s_128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC_Blake2s_128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2s_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HKDF_Blake2b_256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC_Blake2b_256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2b_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_RSAPSS.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h + 
${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo1344.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA3.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Spec.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Spec.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Frodo_KEM.h + ${PROJECT_SOURCE_DIR}/include/msvc/Lib_RandomBuffer_System.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo640.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo976.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo64.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_DRBG.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/EverCrypt_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/EverCrypt_Hash.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../EverCrypt_Hash.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Error.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_AutoConfig2.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../EverCrypt_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Curve25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_HKDF.h + 
${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Cipher.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Chacha20Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_MAC_Poly1305_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_MAC_Poly1305_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_AEAD.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/Hacl_Hash_SHA3_Scalar.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA3_Scalar.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA3_Simd256.h +) +set(PUBLIC_INCLUDES + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_NaCl.h + ${PROJECT_SOURCE_DIR}/karamel/include/krml/lowstar_endianness.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/FStar_UInt128.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal/LowStar_Endianness.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Salsa20.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_MAC_Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Streaming_Types.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Krmllib.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Curve25519_51.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Krmllib.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC_DRBG.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA2.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2s.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2b.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_SHA2.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Curve25519_51.h + ${PROJECT_SOURCE_DIR}/include/msvc/lib_intrinsics.h + ${PROJECT_SOURCE_DIR}/build/config.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_IntTypes_Intrinsics.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_IntTypes_Intrinsics_128.h + 
${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_EC_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Base.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2b.h + ${PROJECT_SOURCE_DIR}/include/msvc/lib_memzero0.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2s.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2b_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/libintvector.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_Blake2s_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum256_32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Bignum.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum4096_32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum4096.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Bignum64.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_GenericField32.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_GenericField64.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_AEAD_Chacha20Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_MAC_Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20_Vec32.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Chacha20.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20_Vec128.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_MAC_Poly1305_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_AEAD_Chacha20Poly1305_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Chacha20_Vec256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_MAC_Poly1305_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Curve25519_64.h + ${PROJECT_SOURCE_DIR}/include/msvc/curve25519-inline.h + 
${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_P256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_K256_ECDSA.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_EC_K256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_FFDHE.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Spec.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_SHA3.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_SHA2_Vec128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_SHA2_Vec256.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_SHA1.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Hash_MD5.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HKDF.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HKDF_Blake2s_128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC_Blake2s_128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2s_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HKDF_Blake2b_256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HMAC_Blake2b_256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_Blake2b_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_RSAPSS.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP128_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP128_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP256_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP256_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP32_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve64_CP32_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP256_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP256_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_P256_CP256_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP128_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP128_SHA512.h + 
${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP32_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_Curve51_CP32_SHA512.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_P256_CP128_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_HPKE_P256_CP32_SHA256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo1344.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA3.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../Hacl_Spec.h + ${PROJECT_SOURCE_DIR}/include/msvc/Lib_RandomBuffer_System.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo640.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo976.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Frodo64.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_DRBG.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../EverCrypt_Hash.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Error.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_AutoConfig2.h + ${PROJECT_SOURCE_DIR}/include/msvc/internal/../EverCrypt_HMAC.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Ed25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Curve25519.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_HKDF.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Cipher.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Chacha20Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_Poly1305.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_MAC_Poly1305_Simd256.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_MAC_Poly1305_Simd128.h + ${PROJECT_SOURCE_DIR}/include/msvc/EverCrypt_AEAD.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA3_Scalar.h + ${PROJECT_SOURCE_DIR}/include/msvc/Hacl_Hash_SHA3_Simd256.h +) +set(ALGORITHMS + nacl + salsa20 + aesgcm + drbg + ed25519 + blake2 + bignum + generic-field + chacha20poly1305 + curve25519 + p256 + k256 + ffdh + sha3 + sha2 + sha1 + md5 + hmac + hkdf + rsapss + hpke + frodo + sha3-mb +) +set(INCLUDE_PATHS + ${PROJECT_SOURCE_DIR}/include/msvc + ${PROJECT_SOURCE_DIR}/build + 
${PROJECT_SOURCE_DIR}/karamel/include + ${PROJECT_SOURCE_DIR}/karamel/krmllib/dist/minimal + ${PROJECT_SOURCE_DIR}/vale/include + ${PROJECT_SOURCE_DIR}/libcrux/include +) +set(TEST_SOURCES + ${PROJECT_SOURCE_DIR}/tests/detection.cc + ${PROJECT_SOURCE_DIR}/tests/bignum.cc + ${PROJECT_SOURCE_DIR}/tests/generic_field.cc + ${PROJECT_SOURCE_DIR}/tests/blake2b.cc + ${PROJECT_SOURCE_DIR}/tests/blake2s.cc + ${PROJECT_SOURCE_DIR}/tests/p256_ecdh.cc + ${PROJECT_SOURCE_DIR}/tests/p256_ecdsa.cc + ${PROJECT_SOURCE_DIR}/tests/k256_ecdh.cc + ${PROJECT_SOURCE_DIR}/tests/k256_ecdsa.cc + ${PROJECT_SOURCE_DIR}/tests/chacha20poly1305.cc + ${PROJECT_SOURCE_DIR}/tests/ed25519.cc + ${PROJECT_SOURCE_DIR}/tests/x25519.cc + ${PROJECT_SOURCE_DIR}/tests/rsapss.cc + ${PROJECT_SOURCE_DIR}/tests/hkdf.cc + ${PROJECT_SOURCE_DIR}/tests/poly1305.cc + ${PROJECT_SOURCE_DIR}/tests/hmac.cc + ${PROJECT_SOURCE_DIR}/tests/drbg.cc + ${PROJECT_SOURCE_DIR}/tests/md5.cc + ${PROJECT_SOURCE_DIR}/tests/sha1.cc + ${PROJECT_SOURCE_DIR}/tests/sha2.cc + ${PROJECT_SOURCE_DIR}/tests/sha3.cc + ${PROJECT_SOURCE_DIR}/tests/nacl.cc + ${PROJECT_SOURCE_DIR}/tests/evercrypt.cc + ${PROJECT_SOURCE_DIR}/tests/aead.cc + ${PROJECT_SOURCE_DIR}/tests/kyber.cc +) +set(BENCHMARK_SOURCES + ${PROJECT_SOURCE_DIR}/benchmarks/blake.cc + ${PROJECT_SOURCE_DIR}/benchmarks/chacha20.cc + ${PROJECT_SOURCE_DIR}/benchmarks/chacha20poly1305.cc + ${PROJECT_SOURCE_DIR}/benchmarks/x25519.cc + ${PROJECT_SOURCE_DIR}/benchmarks/ed25519.cc + ${PROJECT_SOURCE_DIR}/benchmarks/nacl.cc + ${PROJECT_SOURCE_DIR}/benchmarks/p256.cc + ${PROJECT_SOURCE_DIR}/benchmarks/sha1.cc + ${PROJECT_SOURCE_DIR}/benchmarks/sha2.cc + ${PROJECT_SOURCE_DIR}/benchmarks/sha3.cc + ${PROJECT_SOURCE_DIR}/benchmarks/k256.cc + ${PROJECT_SOURCE_DIR}/benchmarks/kdf.cc + ${PROJECT_SOURCE_DIR}/benchmarks/drbg.cc + ${PROJECT_SOURCE_DIR}/benchmarks/hmac.cc + ${PROJECT_SOURCE_DIR}/benchmarks/rsapss.cc + ${PROJECT_SOURCE_DIR}/benchmarks/kyber.cc +) +set(VALE_SOURCES_osx + 
${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-darwin.S + ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-darwin.S + ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-darwin.S + ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-darwin.S + ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-darwin.S +) +set(VALE_SOURCES_linux + ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-linux.S + ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-linux.S + ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-linux.S + ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-linux.S + ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-linux.S +) +set(VALE_SOURCES_mingw + ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-mingw.S + ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-mingw.S + ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-mingw.S + ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-mingw.S + ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-mingw.S +) +set(VALE_SOURCES_msvc + ${PROJECT_SOURCE_DIR}/vale/src/cpuid-x86_64-msvc.asm + ${PROJECT_SOURCE_DIR}/vale/src/sha256-x86_64-msvc.asm + ${PROJECT_SOURCE_DIR}/vale/src/aesgcm-x86_64-msvc.asm + ${PROJECT_SOURCE_DIR}/vale/src/curve25519-x86_64-msvc.asm + ${PROJECT_SOURCE_DIR}/vale/src/poly1305-x86_64-msvc.asm +) +set(LIBCRUX_SOURCES + ${PROJECT_SOURCE_DIR}/libcrux/src/Libcrux_Kem_Kyber_Kyber768.c + ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_kyber512.c + ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_kyber768.c + ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_kyber1024.c + ${PROJECT_SOURCE_DIR}/libcrux/src/libcrux_hacl_glue.c + ${PROJECT_SOURCE_DIR}/libcrux/src/core.c +) +set(ALGORITHM_TEST_FILES + TEST_FILES_detection + TEST_FILES_bignum + TEST_FILES_generic_field + TEST_FILES_blake2 + TEST_FILES_p256 + TEST_FILES_k256 + TEST_FILES_chacha20poly1305 + TEST_FILES_ed25519 + TEST_FILES_curve25519 + TEST_FILES_rsapss + TEST_FILES_hkdf + TEST_FILES_poly1305 + TEST_FILES_hmac + TEST_FILES_drbg + TEST_FILES_md5 + TEST_FILES_sha1 + TEST_FILES_sha2 + TEST_FILES_sha3 + TEST_FILES_nacl + TEST_FILES_evercrypt 
+ TEST_FILES_aead + TEST_FILES_kyber +) +set(TEST_FILES_detection + detection.cc +) +set(TEST_FILES_bignum + bignum.cc +) +set(TEST_FILES_generic_field + generic_field.cc +) +set(TEST_FILES_blake2 + blake2b.cc + blake2s.cc +) +set(TEST_FILES_p256 + p256_ecdh.cc + p256_ecdsa.cc +) +set(TEST_FILES_k256 + k256_ecdh.cc + k256_ecdsa.cc +) +set(TEST_FILES_chacha20poly1305 + chacha20poly1305.cc +) +set(TEST_FILES_ed25519 + ed25519.cc +) +set(TEST_FILES_curve25519 + x25519.cc +) +set(TEST_FILES_rsapss + rsapss.cc +) +set(TEST_FILES_hkdf + hkdf.cc +) +set(TEST_FILES_poly1305 + poly1305.cc +) +set(TEST_FILES_hmac + hmac.cc +) +set(TEST_FILES_drbg + drbg.cc +) +set(TEST_FILES_md5 + md5.cc +) +set(TEST_FILES_sha1 + sha1.cc +) +set(TEST_FILES_sha2 + sha2.cc +) +set(TEST_FILES_sha3 + sha3.cc +) +set(TEST_FILES_nacl + nacl.cc +) +set(TEST_FILES_evercrypt + evercrypt.cc +) +set(TEST_FILES_aead + aead.cc +) +set(TEST_FILES_kyber + kyber.cc +) diff --git a/config/default_config_msvc.h b/config/default_config_msvc.h new file mode 100644 index 00000000..6b537545 --- /dev/null +++ b/config/default_config_msvc.h 
@@ -0,0 +1,33 @@
+// DO NOT EDIT THIS HEADER FILE. IT IS AUTO GENERATED BY CMAKE.
+// Global HACL configuration file.
+// The variables in here get populated by CMake
+
+// HACL version information
+#define HACL_VERSION_MAJOR 0
+#define HACL_VERSION_MINOR 1
+#define HACL_VERSION_PATCH 0
+#define HACL_VERSION_TWEAK alpha.1
+
+// Configure platform and features
+#define TARGET_ARCHITECTURE_ID_UNKNOWN 0
+#define TARGET_ARCHITECTURE_ID_X86 1
+#define TARGET_ARCHITECTURE_ID_X64 2
+#define TARGET_ARCHITECTURE_ID_ARM32 3
+#define TARGET_ARCHITECTURE_ID_ARM64 4
+#define TARGET_ARCHITECTURE_ID_SYSTEMZ 5
+#define TARGET_ARCHITECTURE_ID_POWERPC64 6
+
+#define TARGET_ARCHITECTURE 2
+
+#define HACL_CAN_COMPILE_VEC128 1
+#define HACL_CAN_COMPILE_VEC256 1
+#define HACL_CAN_COMPILE_UINT128 1
+#define HACL_CAN_COMPILE_VALE 1
+#define LINUX_NO_EXPLICIT_BZERO 1
+
+#ifndef HACL_CAN_COMPILE_VEC128
+ #define Lib_IntVector_Intrinsics_vec128 void *
+#endif
+#ifndef HACL_CAN_COMPILE_VEC256
+ #define Lib_IntVector_Intrinsics_vec256 void *
+#endif
diff --git a/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h b/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h
index cd1448dd..6ff658f5 100644
--- a/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h
+++ b/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h
@@ -217,7 +217,7 @@ static const uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
 inline static uint64_t
 FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) {
- return (hi << s) + (lo >> FStar_UInt128_u32_64 - s);
+ return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
 }
 inline static uint64_t
@@ -241,7 +241,7 @@ inline static FStar_UInt128_uint128
 FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) {
 FStar_UInt128_uint128 lit;
 lit.low = (uint64_t)0U;
- lit.high = a.low << s - FStar_UInt128_u32_64;
+ lit.high = a.low << (s - FStar_UInt128_u32_64);
 return lit;
 }
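Review bot: The opening comment `// DO NOT EDIT THIS HEADER FILE. IT IS AUTO GENERATED BY CMAKE.` no longer fits this file: it is committed under `config/` and the README in this change tells the user to copy it by hand to `build/config.h`, so it is a hand-maintained template rather than CMake output, and the `HACL_VERSION_*` values and the `HACL_CAN_COMPILE_*` feature macros it hardcodes will drift silently from whatever the generated `config.h` would contain. Suggest replacing the first line with `// Hand-maintained MSVC template for build/config.h (see README, "MSVC Build").` and adding `// Keep HACL_VERSION_* and HACL_CAN_COMPILE_* in sync with the CMake-generated config.h.` A short note that `LINUX_NO_EXPLICIT_BZERO` is carried over from the generic template and is presumably not consulted by the MSVC memzero path would also help; confirm that against `Lib_Memzero0.c` before writing it.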
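Review bot: The parenthesisation in `return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));` does not change evaluation, because binary `-` already binds tighter than `>>` in C; it only silences MSVC's precedence warning, and the commit should say so rather than leave a reader wondering whether a carry bug in the 128-bit emulation was fixed. What the line still relies on is `0 < s < 64`: at `s == 0` the right shift is by 64, which is undefined behaviour on `uint64_t`, and the callers that would guarantee the range are outside this hunk. If they do, a comment such as `/* Requires 0 < s < 64; the s == 0 and s >= 64 cases are handled by the callers. */` on the function would make that contract explicit, and the `_large` variants below (which assume `s >= 64` for `s - FStar_UInt128_u32_64`) deserve the mirror-image note.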
@@ -267,7 +267,7 @@ FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) { inline static uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) { - return (lo >> s) + (hi << FStar_UInt128_u32_64 - s); + return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s)); } inline static uint64_t @@ -290,7 +290,7 @@ FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) { inline static FStar_UInt128_uint128 FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) { FStar_UInt128_uint128 lit; - lit.low = a.high >> s - FStar_UInt128_u32_64; + lit.low = a.high >> (s - FStar_UInt128_u32_64); lit.high = (uint64_t)0U; return lit; } @@ -488,7 +488,7 @@ FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y) { u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_), w3); lit.high = x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) + - (u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_) >> + ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32); return lit; } diff --git a/libcrux/include/core.h b/libcrux/include/core.h index 73918cdd..462ce5d7 100644 --- a/libcrux/include/core.h +++ b/libcrux/include/core.h @@ -1,19 +1,18 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /Users/franziskus/repos/eurydice//eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc - F* version: a32b316e - KaRaMeL version: abb38e1d + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f */ #ifndef __core_H #define __core_H -#include "eurydice_glue.h" - -#define core_option_None 0 -#define core_option_Some 1 +#if defined(__cplusplus) +extern "C" { +#endif -typedef uint8_t core_option_Option__size_t_tags; +#include "eurydice_glue.h" typedef struct core_ops_range_Range__size_t_s { 
@@ -22,6 +21,18 @@ typedef struct core_ops_range_Range__size_t_s } core_ops_range_Range__size_t; +extern uint8_t Eurydice_bitand_pv_u8(uint8_t *x, uint8_t y); + +extern uint8_t Eurydice_shr_pv_u8(uint8_t *x, int32_t y); + +#define core_option_None 0 +#define core_option_Some 1 + +typedef uint8_t core_option_Option__size_t_tags; + +#if defined(__cplusplus) +} +#endif #define __core_H_DEFINED #endif diff --git a/libcrux/include/eurydice_glue.h b/libcrux/include/eurydice_glue.h index edeeec63..c8b0825d 100644 --- a/libcrux/include/eurydice_glue.h +++ b/libcrux/include/eurydice_glue.h @@ -1,5 +1,9 @@ #pragma once +#if defined(__cplusplus) +extern "C" { +#endif + #include #include #include @@ -61,6 +65,7 @@ typedef struct } result_tryfromslice_flexible; +// See note in karamel/lib/Inlining.ml if you change this #define Eurydice_slice_to_array2(dst, src, _, t_arr, _ret_t) Eurydice_slice_to_array3((result_tryfromslice_flexible *)dst, src, sizeof(t_arr)) static inline void Eurydice_slice_to_array3(result_tryfromslice_flexible *dst, Eurydice_slice src, size_t sz) { @@ -103,6 +108,7 @@ static inline uint8_t Eurydice_shr_pv_u8(uint8_t *p, int32_t v) { return (*p) >> #define core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next Eurydice_range_iter_next +// See note in karamel/lib/Inlining.ml if you change this #define Eurydice_into_iter(x, t, _ret_t) (x) #define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter Eurydice_into_iter @@ -209,3 +215,6 @@ typedef struct { #define EURYDICE_REPLACE(ptr, new_v, t) ({ t old_v = *ptr; *ptr = new_v; old_v; }) +#if defined(__cplusplus) +} +#endif diff --git a/libcrux/include/internal/core.h b/libcrux/include/internal/core.h index 22761ec2..1e1c0fc1 100644 --- a/libcrux/include/internal/core.h +++ b/libcrux/include/internal/core.h 
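Review bot: In the first eurydice_glue.h hunk the new `extern "C" {` is opened before the three `#include` directives, so in C++ translation units those headers are parsed with C linkage; that is harmless for plain C headers such as `<stdint.h>` but breaks the moment one of them is, or later becomes, a C++ header, and the generated core.h (previous line) and internal/core.h (next line) hunks introduce the same pattern by moving `#include "eurydice_glue.h"` and `#include "../core.h"` inside their blocks. Move the includes above `extern "C" {` in eurydice_glue.h, and address the generated headers in the KaRaMeL/Eurydice emitter rather than by hand. Separately, the context line `#define EURYDICE_REPLACE(ptr, new_v, t) ({ t old_v = *ptr; *ptr = new_v; old_v; })` relies on a GNU statement expression that MSVC does not accept, so this header is still not MSVC-clean wherever that macro is expanded; a comment such as `// GNU statement expression: not available under MSVC` would make the remaining limitation visible.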
@@ -1,46 +1,32 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /Users/franziskus/repos/eurydice//eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc - F* version: a32b316e - KaRaMeL version: abb38e1d + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f */ #ifndef __internal_core_H #define __internal_core_H +#if defined(__cplusplus) +extern "C" { +#endif + #include "../core.h" #include "eurydice_glue.h" static inline int64_t core_convert_num___core__convert__From_i32__for_i64__59__from(int32_t x0); -typedef struct core_option_Option__size_t_s -{ - core_option_Option__size_t_tags tag; - size_t f0; -} -core_option_Option__size_t; - static inline uint16_t core_num__u16_7__wrapping_add(uint16_t x0, uint16_t x1); static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x0, uint8_t x1); #define CORE_NUM__U32_8__BITS (32U) -typedef struct core_option_Option__uint32_t_s -{ - core_option_Option__size_t_tags tag; - uint32_t f0; +#if defined(__cplusplus) } -core_option_Option__uint32_t; - -typedef struct core_option_Option__int32_t_s -{ - core_option_Option__size_t_tags tag; - int32_t f0; -} -core_option_Option__int32_t; - +#endif #define __internal_core_H_DEFINED #endif diff --git a/libcrux/include/internal/libcrux_kyber768.h b/libcrux/include/internal/libcrux_kyber768.h new file mode 100644 index 00000000..72480351 --- /dev/null +++ b/libcrux/include/internal/libcrux_kyber768.h 
@@ -0,0 +1,105 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#ifndef __internal_libcrux_kyber768_H +#define __internal_libcrux_kyber768_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "internal/libcrux_kyber_common.h" +#include "../libcrux_kyber768.h" +#include "eurydice_glue.h" + +typedef struct core_option_Option__Eurydice_slice_uint8_t_s +{ + core_option_Option__size_t_tags tag; + Eurydice_slice f0; +} +core_option_Option__Eurydice_slice_uint8_t; + +void +libcrux_kyber_ind_cpa_into_padded_array___34size_t(Eurydice_slice slice, uint8_t ret[34U]); + +void +libcrux_kyber_ind_cpa_into_padded_array___33size_t(Eurydice_slice slice, uint8_t ret[33U]); + +void libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_slice input, uint8_t ret[128U]); + +void +libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t( + Eurydice_slice randomness, + int32_t ret[256U] +); + +typedef struct K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t_s +{ + Eurydice_slice fst; + Eurydice_slice snd; +} +K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t; + +#define core_result_Ok 0 +#define core_result_Err 1 + +typedef uint8_t core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags; + +typedef struct core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_s +{ + core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags tag; + union { + uint8_t case_Ok[32U]; + core_array_TryFromSliceError case_Err; + } + val; +} +core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError; + +void +core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( + core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError self, + uint8_t ret[32U] +); + +void +libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_slice slice, uint8_t 
ret[64U]); + +void +libcrux_kyber_serialize_compress_then_serialize_ring_element_u___10size_t_320size_t( + int32_t re[256U], + uint8_t ret[320U] +); + +void +libcrux_kyber_serialize_compress_then_serialize_ring_element_v___4size_t_128size_t( + int32_t re[256U], + uint8_t ret[128U] +); + +void +libcrux_kyber_serialize_deserialize_then_decompress_ring_element_u___10size_t( + Eurydice_slice serialized, + int32_t ret[256U] +); + +void libcrux_kyber_ntt_ntt_vector_u___10size_t(int32_t re[256U], int32_t ret[256U]); + +void +libcrux_kyber_serialize_deserialize_then_decompress_ring_element_v___4size_t( + Eurydice_slice serialized, + int32_t ret[256U] +); + +void libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_slice input, uint8_t ret[32U]); + +#if defined(__cplusplus) +} +#endif + +#define __internal_libcrux_kyber768_H_DEFINED +#endif diff --git a/libcrux/include/internal/libcrux_kyber_common.h b/libcrux/include/internal/libcrux_kyber_common.h new file mode 100644 index 00000000..b69cd5fb --- /dev/null +++ b/libcrux/include/internal/libcrux_kyber_common.h 
@@ -0,0 +1,1285 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#ifndef __internal_libcrux_kyber_common_H +#define __internal_libcrux_kyber_common_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "internal/core.h" +#include "libcrux_digest.h" +#include "core.h" +#include "eurydice_glue.h" +#include "libcrux_hacl_glue.h" + +#define LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS ((int32_t)3329) + +#define LIBCRUX_KYBER_CONSTANTS_BITS_PER_COEFFICIENT ((size_t)12U) + +#define LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) + +#define LIBCRUX_KYBER_CONSTANTS_BITS_PER_RING_ELEMENT (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)12U) + +#define LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT (LIBCRUX_KYBER_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U) + +#define LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE ((size_t)32U) + +#define LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE ((size_t)32U) + +#define LIBCRUX_KYBER_ARITHMETIC_MONTGOMERY_SHIFT (16U) + +static inline uint32_t +libcrux_kyber_arithmetic_get_n_least_significant_bits(uint8_t n, uint32_t value) +{ + return value & ((1U << (uint32_t)n) - 1U); +} + +#define LIBCRUX_KYBER_ARITHMETIC_BARRETT_SHIFT ((int64_t)26) + +#define LIBCRUX_KYBER_ARITHMETIC_BARRETT_R ((int64_t)1 << (uint32_t)LIBCRUX_KYBER_ARITHMETIC_BARRETT_SHIFT) + +#define LIBCRUX_KYBER_ARITHMETIC_BARRETT_MULTIPLIER ((int64_t)20159) + +static inline int32_t libcrux_kyber_arithmetic_barrett_reduce(int32_t value) +{ + int64_t + t = + core_convert_num___core__convert__From_i32__for_i64__59__from(value) + * LIBCRUX_KYBER_ARITHMETIC_BARRETT_MULTIPLIER + + (LIBCRUX_KYBER_ARITHMETIC_BARRETT_R >> 1U); + int32_t quotient = (int32_t)(t >> (uint32_t)LIBCRUX_KYBER_ARITHMETIC_BARRETT_SHIFT); + return value - 
quotient * LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS; +} + +#define LIBCRUX_KYBER_ARITHMETIC_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R (62209U) + +static inline int32_t libcrux_kyber_arithmetic_montgomery_reduce(int32_t value) +{ + uint32_t + t = + libcrux_kyber_arithmetic_get_n_least_significant_bits(LIBCRUX_KYBER_ARITHMETIC_MONTGOMERY_SHIFT, + (uint32_t)value) + * LIBCRUX_KYBER_ARITHMETIC_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; + int16_t + k = + (int16_t)libcrux_kyber_arithmetic_get_n_least_significant_bits(LIBCRUX_KYBER_ARITHMETIC_MONTGOMERY_SHIFT, + t); + int32_t k_times_modulus = (int32_t)k * LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS; + int32_t c = k_times_modulus >> (uint32_t)LIBCRUX_KYBER_ARITHMETIC_MONTGOMERY_SHIFT; + int32_t value_high = value >> (uint32_t)LIBCRUX_KYBER_ARITHMETIC_MONTGOMERY_SHIFT; + return value_high - c; +} + +static inline int32_t +libcrux_kyber_arithmetic_montgomery_multiply_fe_by_fer(int32_t fe, int32_t fer) +{ + return libcrux_kyber_arithmetic_montgomery_reduce(fe * fer); +} + +#define LIBCRUX_KYBER_ARITHMETIC_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS ((int32_t)1353) + +static inline int32_t libcrux_kyber_arithmetic_to_standard_domain(int32_t mfe) +{ + return + libcrux_kyber_arithmetic_montgomery_reduce(mfe + * LIBCRUX_KYBER_ARITHMETIC_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); +} + +static inline uint16_t libcrux_kyber_arithmetic_to_unsigned_representative(int32_t fe) +{ + return (uint16_t)(fe + (LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS & fe >> 31U)); +} + +static const +int32_t +libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO[256U] = { 0U }; + +static inline uint8_t libcrux_kyber_compress_compress_message_coefficient(uint16_t fe) +{ + int16_t shifted = (int16_t)1664 - (int16_t)fe; + int16_t mask = shifted >> 15U; + int16_t shifted_to_positive = mask ^ shifted; + int16_t shifted_positive_in_range = shifted_to_positive - (int16_t)832; + return (uint8_t)(shifted_positive_in_range >> 15U & (int16_t)1); +} + +static inline 
int32_t +libcrux_kyber_compress_compress_ciphertext_coefficient(uint8_t coefficient_bits, uint16_t fe) +{ + uint64_t compressed = (uint64_t)fe << (uint32_t)coefficient_bits; + compressed = compressed + 1664ULL; + compressed = compressed * 10321340ULL; + compressed = compressed >> 35U; + return + (int32_t)libcrux_kyber_arithmetic_get_n_least_significant_bits(coefficient_bits, + (uint32_t)compressed); +} + +static inline int32_t libcrux_kyber_compress_decompress_message_coefficient(int32_t fe) +{ + return -fe & (LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS + (int32_t)1) / (int32_t)2; +} + +static inline int32_t +libcrux_kyber_compress_decompress_ciphertext_coefficient(uint8_t coefficient_bits, int32_t fe) +{ + uint32_t decompressed = (uint32_t)fe * (uint32_t)LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS; + decompressed = (decompressed << 1U) + (1U << (uint32_t)coefficient_bits); + decompressed = decompressed >> (uint32_t)((uint32_t)coefficient_bits + 1U); + return (int32_t)decompressed; +} + +static inline uint8_t libcrux_kyber_constant_time_ops_is_non_zero(uint8_t value) +{ + uint16_t value0 = (uint16_t)value; + uint16_t uu____0 = value0; + uint16_t + result = + (((uint32_t)uu____0 | (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) & 0xFFFFU) + >> 8U + & 1U; + return (uint8_t)result; +} + +static inline void +libcrux_kyber_constant_time_ops_select_shared_secret_in_constant_time( + Eurydice_slice lhs, + Eurydice_slice rhs, + uint8_t selector, + uint8_t ret[32U] +) +{ + uint8_t + mask = core_num__u8_6__wrapping_sub(libcrux_kyber_constant_time_ops_is_non_zero(selector), 1U); + uint8_t out[32U] = { 0U }; + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE; i++) + { + size_t i0 = i; + uint8_t uu____0 = (uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t) & (uint32_t)mask; + uint8_t *uu____1 = &Eurydice_slice_index(rhs, i0, uint8_t, uint8_t); + out[i0] = (uint32_t)uu____0 | ((uint32_t)uu____1[0U] & (uint32_t)~mask); + } + memcpy(ret, out, (size_t)32U * 
sizeof (uint8_t)); +} + +static inline void libcrux_kyber_hash_functions_G(Eurydice_slice input, uint8_t ret[64U]) +{ + uint8_t ret0[64U]; + libcrux_digest_sha3_512(input, ret0); + memcpy(ret, ret0, (size_t)64U * sizeof (uint8_t)); +} + +static inline void libcrux_kyber_hash_functions_H(Eurydice_slice input, uint8_t ret[32U]) +{ + uint8_t ret0[32U]; + libcrux_digest_sha3_256(input, ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static inline void +libcrux_kyber_hash_functions_free_state( + libcrux_digest_incremental_x4_Shake128StateX4 xof_state +) +{ + libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__free_memory(xof_state); +} + +typedef struct K___uint8_t_uint8_t_uint8_t_s +{ + uint8_t fst; + uint8_t snd; + uint8_t thd; +} +K___uint8_t_uint8_t_uint8_t; + +static inline K___uint8_t_uint8_t_uint8_t +libcrux_kyber_serialize_compress_coefficients_3(uint16_t coefficient1, uint16_t coefficient2) +{ + uint8_t coef1 = (uint8_t)((uint32_t)coefficient1 & 255U); + uint8_t coef2 = (uint8_t)((uint32_t)coefficient1 >> 8U | ((uint32_t)coefficient2 & 15U) << 4U); + uint8_t coef3 = (uint8_t)((uint32_t)coefficient2 >> 4U & 255U); + return ((K___uint8_t_uint8_t_uint8_t){ .fst = coef1, .snd = coef2, .thd = coef3 }); +} + +static inline void +libcrux_kyber_serialize_serialize_uncompressed_ring_element( + int32_t re[256U], + uint8_t ret[384U] +) +{ + uint8_t serialized[384U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)2U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)2U, + .end = i0 * (size_t)2U + (size_t)2U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint16_t + coefficient1 = + 
libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t)); + uint16_t + coefficient2 = + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t)); + K___uint8_t_uint8_t_uint8_t + uu____0 = libcrux_kyber_serialize_compress_coefficients_3(coefficient1, coefficient2); + uint8_t coef1 = uu____0.fst; + uint8_t coef2 = uu____0.snd; + uint8_t coef3 = uu____0.thd; + serialized[(size_t)3U * i0] = coef1; + serialized[(size_t)3U * i0 + (size_t)1U] = coef2; + serialized[(size_t)3U * i0 + (size_t)2U] = coef3; + } + memcpy(ret, serialized, (size_t)384U * sizeof (uint8_t)); +} + +static inline void +libcrux_kyber_sampling_sample_from_binomial_distribution_2( + Eurydice_slice randomness, + int32_t ret[256U] +) +{ + int32_t sampled[256U]; + memcpy(sampled, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i0 = (size_t)0U; + i0 + < core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)4U; + i0++) + { + size_t chunk_number = i0; + Eurydice_slice + byte_chunk = + Eurydice_slice_subslice(randomness, + ( + (core_ops_range_Range__size_t){ + .start = chunk_number * (size_t)4U, + .end = chunk_number * (size_t)4U + (size_t)4U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint32_t uu____0 = (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, uint8_t); + uint32_t + uu____1 = + uu____0 + | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, uint8_t) << 8U; + uint32_t + uu____2 = + uu____1 + | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, uint8_t) << 16U; + uint32_t + random_bits_as_u32 = + uu____2 + | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t, uint8_t) << 24U; + uint32_t even_bits = random_bits_as_u32 & 1431655765U; + uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U; 
+ uint32_t coin_toss_outcomes = even_bits + odd_bits; + for (uint32_t i = 0U; i < CORE_NUM__U32_8__BITS / 4U; i++) + { + uint32_t outcome_set = i; + uint32_t outcome_set0 = outcome_set * 4U; + int32_t outcome_1 = (int32_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 3U); + int32_t outcome_2 = (int32_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U); + size_t offset = (size_t)(outcome_set0 >> 2U); + sampled[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; + } + } + memcpy(ret, sampled, (size_t)256U * sizeof (int32_t)); +} + +static inline void +libcrux_kyber_sampling_sample_from_binomial_distribution_3( + Eurydice_slice randomness, + int32_t ret[256U] +) +{ + int32_t sampled[256U]; + memcpy(sampled, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i0 = (size_t)0U; + i0 + < core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)3U; + i0++) + { + size_t chunk_number = i0; + Eurydice_slice + byte_chunk = + Eurydice_slice_subslice(randomness, + ( + (core_ops_range_Range__size_t){ + .start = chunk_number * (size_t)3U, + .end = chunk_number * (size_t)3U + (size_t)3U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint32_t uu____0 = (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, uint8_t); + uint32_t + uu____1 = + uu____0 + | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, uint8_t) << 8U; + uint32_t + random_bits_as_u24 = + uu____1 + | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, uint8_t) << 16U; + uint32_t first_bits = random_bits_as_u24 & 2396745U; + uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U; + uint32_t third_bits = random_bits_as_u24 >> 2U & 2396745U; + uint32_t coin_toss_outcomes = first_bits + second_bits + third_bits; + for (int32_t i = (int32_t)0; i < (int32_t)24 / (int32_t)6; i++) + { + int32_t outcome_set = i; + int32_t outcome_set0 = outcome_set * 
(int32_t)6; + int32_t outcome_1 = (int32_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 7U); + int32_t + outcome_2 = (int32_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + (int32_t)3) & 7U); + size_t offset = (size_t)(outcome_set0 / (int32_t)6); + sampled[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; + } + } + memcpy(ret, sampled, (size_t)256U * sizeof (int32_t)); +} + +static const +int32_t +libcrux_kyber_ntt_ZETAS_TIMES_MONTGOMERY_R[128U] = + { + (int32_t)-1044, (int32_t)-758, (int32_t)-359, (int32_t)-1517, (int32_t)1493, (int32_t)1422, + (int32_t)287, (int32_t)202, (int32_t)-171, (int32_t)622, (int32_t)1577, (int32_t)182, + (int32_t)962, (int32_t)-1202, (int32_t)-1474, (int32_t)1468, (int32_t)573, (int32_t)-1325, + (int32_t)264, (int32_t)383, (int32_t)-829, (int32_t)1458, (int32_t)-1602, (int32_t)-130, + (int32_t)-681, (int32_t)1017, (int32_t)732, (int32_t)608, (int32_t)-1542, (int32_t)411, + (int32_t)-205, (int32_t)-1571, (int32_t)1223, (int32_t)652, (int32_t)-552, (int32_t)1015, + (int32_t)-1293, (int32_t)1491, (int32_t)-282, (int32_t)-1544, (int32_t)516, (int32_t)-8, + (int32_t)-320, (int32_t)-666, (int32_t)-1618, (int32_t)-1162, (int32_t)126, (int32_t)1469, + (int32_t)-853, (int32_t)-90, (int32_t)-271, (int32_t)830, (int32_t)107, (int32_t)-1421, + (int32_t)-247, (int32_t)-951, (int32_t)-398, (int32_t)961, (int32_t)-1508, (int32_t)-725, + (int32_t)448, (int32_t)-1065, (int32_t)677, (int32_t)-1275, (int32_t)-1103, (int32_t)430, + (int32_t)555, (int32_t)843, (int32_t)-1251, (int32_t)871, (int32_t)1550, (int32_t)105, + (int32_t)422, (int32_t)587, (int32_t)177, (int32_t)-235, (int32_t)-291, (int32_t)-460, + (int32_t)1574, (int32_t)1653, (int32_t)-246, (int32_t)778, (int32_t)1159, (int32_t)-147, + (int32_t)-777, (int32_t)1483, (int32_t)-602, (int32_t)1119, (int32_t)-1590, (int32_t)644, + (int32_t)-872, (int32_t)349, (int32_t)418, (int32_t)329, (int32_t)-156, (int32_t)-75, + (int32_t)817, (int32_t)1097, (int32_t)603, (int32_t)610, 
(int32_t)1322, (int32_t)-1285, + (int32_t)-1465, (int32_t)384, (int32_t)-1215, (int32_t)-136, (int32_t)1218, (int32_t)-1335, + (int32_t)-874, (int32_t)220, (int32_t)-1187, (int32_t)-1659, (int32_t)-1185, (int32_t)-1530, + (int32_t)-1278, (int32_t)794, (int32_t)-1510, (int32_t)-854, (int32_t)-870, (int32_t)478, + (int32_t)-108, (int32_t)-308, (int32_t)996, (int32_t)991, (int32_t)958, (int32_t)-1460, + (int32_t)1522, (int32_t)1628 + }; + +static inline void +libcrux_kyber_ntt_ntt_at_layer( + size_t *zeta_i, + int32_t re[256U], + size_t layer, + size_t _initial_coefficient_bound, + int32_t ret[256U] +) +{ + size_t step = (size_t)1U << (uint32_t)layer; + for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) + { + size_t round = i0; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + size_t offset = round * step * (size_t)2U; + for (size_t i = offset; i < offset + step; i++) + { + size_t j = i; + int32_t + t = + libcrux_kyber_arithmetic_montgomery_multiply_fe_by_fer(re[j + step], + libcrux_kyber_ntt_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); + re[j + step] = re[j] - t; + re[j] = re[j] + t; + } + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +libcrux_kyber_ntt_ntt_at_layer_3( + size_t *zeta_i, + int32_t re[256U], + size_t layer, + int32_t ret[256U] +) +{ + int32_t ret0[256U]; + libcrux_kyber_ntt_ntt_at_layer(zeta_i, re, layer, (size_t)3U, ret0); + memcpy(ret, ret0, (size_t)256U * sizeof (int32_t)); +} + +static inline void +libcrux_kyber_ntt_ntt_binomially_sampled_ring_element(int32_t re[256U], int32_t ret[256U]) +{ + size_t zeta_i = (size_t)1U; + for (size_t i = (size_t)0U; i < (size_t)128U; i++) + { + size_t j = i; + int32_t t = re[j + (size_t)128U] * (int32_t)-1600; + re[j + (size_t)128U] = re[j] - t; + re[j] = re[j] + t; + } + libcrux_kyber_ntt_ntt_at_layer_3(&zeta_i, re, (size_t)6U, re); + libcrux_kyber_ntt_ntt_at_layer_3(&zeta_i, re, (size_t)5U, re); + libcrux_kyber_ntt_ntt_at_layer_3(&zeta_i, re, (size_t)4U, re); + 
libcrux_kyber_ntt_ntt_at_layer_3(&zeta_i, re, (size_t)3U, re); + libcrux_kyber_ntt_ntt_at_layer_3(&zeta_i, re, (size_t)2U, re); + libcrux_kyber_ntt_ntt_at_layer_3(&zeta_i, re, (size_t)1U, re); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(re[i0]); + re[i0] = uu____0; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +typedef struct K___int32_t_int32_t_s +{ + int32_t fst; + int32_t snd; +} +K___int32_t_int32_t; + +static inline K___int32_t_int32_t +libcrux_kyber_ntt_ntt_multiply_binomials( + K___int32_t_int32_t _, + K___int32_t_int32_t _0, + int32_t zeta +) +{ + int32_t a0 = _.fst; + int32_t a1 = _.snd; + int32_t b0 = _0.fst; + int32_t b1 = _0.snd; + int32_t uu____0 = a0 * b0; + int32_t + uu____1 = + libcrux_kyber_arithmetic_montgomery_reduce(uu____0 + + libcrux_kyber_arithmetic_montgomery_reduce(a1 * b1) * zeta); + return + ( + (K___int32_t_int32_t){ + .fst = uu____1, + .snd = libcrux_kyber_arithmetic_montgomery_reduce(a0 * b1 + a1 * b0) + } + ); +} + +static inline void +libcrux_kyber_ntt_ntt_multiply(int32_t (*lhs)[256U], int32_t (*rhs)[256U], int32_t ret[256U]) +{ + int32_t out[256U]; + memcpy(out, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i = (size_t)0U; + i + < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)4U; + i++) + { + size_t i0 = i; + K___int32_t_int32_t lit0; + lit0.fst = lhs[0U][(size_t)4U * i0]; + lit0.snd = lhs[0U][(size_t)4U * i0 + (size_t)1U]; + K___int32_t_int32_t lit1; + lit1.fst = rhs[0U][(size_t)4U * i0]; + lit1.snd = rhs[0U][(size_t)4U * i0 + (size_t)1U]; + K___int32_t_int32_t + product = + libcrux_kyber_ntt_ntt_multiply_binomials(lit0, + lit1, + libcrux_kyber_ntt_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + i0]); + out[(size_t)4U * i0] = product.fst; + out[(size_t)4U * i0 + (size_t)1U] = product.snd; + 
K___int32_t_int32_t lit2; + lit2.fst = lhs[0U][(size_t)4U * i0 + (size_t)2U]; + lit2.snd = lhs[0U][(size_t)4U * i0 + (size_t)3U]; + K___int32_t_int32_t lit; + lit.fst = rhs[0U][(size_t)4U * i0 + (size_t)2U]; + lit.snd = rhs[0U][(size_t)4U * i0 + (size_t)3U]; + K___int32_t_int32_t + product0 = + libcrux_kyber_ntt_ntt_multiply_binomials(lit2, + lit, + -libcrux_kyber_ntt_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + i0]); + out[(size_t)4U * i0 + (size_t)2U] = product0.fst; + out[(size_t)4U * i0 + (size_t)3U] = product0.snd; + } + memcpy(ret, out, (size_t)256U * sizeof (int32_t)); +} + +typedef struct K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_s +{ + uint8_t fst; + uint8_t snd; + uint8_t thd; + uint8_t f3; + uint8_t f4; +} +K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t; + +static inline K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t +libcrux_kyber_serialize_compress_coefficients_10( + int32_t coefficient1, + int32_t coefficient2, + int32_t coefficient3, + int32_t coefficient4 +) +{ + uint8_t coef1 = (uint8_t)(coefficient1 & (int32_t)255); + uint8_t + coef2 = + (uint32_t)(uint8_t)(coefficient2 & (int32_t)63) + << 2U + | (uint32_t)(uint8_t)(coefficient1 >> 8U & (int32_t)3); + uint8_t + coef3 = + (uint32_t)(uint8_t)(coefficient3 & (int32_t)15) + << 4U + | (uint32_t)(uint8_t)(coefficient2 >> 6U & (int32_t)15); + uint8_t + coef4 = + (uint32_t)(uint8_t)(coefficient4 & (int32_t)3) + << 6U + | (uint32_t)(uint8_t)(coefficient3 >> 4U & (int32_t)63); + uint8_t coef5 = (uint8_t)(coefficient4 >> 2U & (int32_t)255); + return + ( + (K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t){ + .fst = coef1, + .snd = coef2, + .thd = coef3, + .f3 = coef4, + .f4 = coef5 + } + ); +} + +typedef struct +K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_s +{ + uint8_t fst; + uint8_t snd; + uint8_t thd; + uint8_t f3; + uint8_t f4; + uint8_t f5; + uint8_t f6; + uint8_t f7; + uint8_t f8; + uint8_t f9; + uint8_t f10; +} 
+K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t; + +static inline K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t +libcrux_kyber_serialize_compress_coefficients_11( + int32_t coefficient1, + int32_t coefficient2, + int32_t coefficient3, + int32_t coefficient4, + int32_t coefficient5, + int32_t coefficient6, + int32_t coefficient7, + int32_t coefficient8 +) +{ + uint8_t coef1 = (uint8_t)coefficient1; + uint8_t + coef2 = + (uint32_t)(uint8_t)(coefficient2 & (int32_t)31) + << 3U + | (uint32_t)(uint8_t)(coefficient1 >> 8U); + uint8_t + coef3 = + (uint32_t)(uint8_t)(coefficient3 & (int32_t)3) + << 6U + | (uint32_t)(uint8_t)(coefficient2 >> 5U); + uint8_t coef4 = (uint8_t)(coefficient3 >> 2U & (int32_t)255); + uint8_t + coef5 = + (uint32_t)(uint8_t)(coefficient4 & (int32_t)127) + << 1U + | (uint32_t)(uint8_t)(coefficient3 >> 10U); + uint8_t + coef6 = + (uint32_t)(uint8_t)(coefficient5 & (int32_t)15) + << 4U + | (uint32_t)(uint8_t)(coefficient4 >> 7U); + uint8_t + coef7 = + (uint32_t)(uint8_t)(coefficient6 & (int32_t)1) + << 7U + | (uint32_t)(uint8_t)(coefficient5 >> 4U); + uint8_t coef8 = (uint8_t)(coefficient6 >> 1U & (int32_t)255); + uint8_t + coef9 = + (uint32_t)(uint8_t)(coefficient7 & (int32_t)63) + << 2U + | (uint32_t)(uint8_t)(coefficient6 >> 9U); + uint8_t + coef10 = + (uint32_t)(uint8_t)(coefficient8 & (int32_t)7) + << 5U + | (uint32_t)(uint8_t)(coefficient7 >> 6U); + uint8_t coef11 = (uint8_t)(coefficient8 >> 3U); + return + ( + (K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t){ + .fst = coef1, + .snd = coef2, + .thd = coef3, + .f3 = coef4, + .f4 = coef5, + .f5 = coef6, + .f6 = coef7, + .f7 = coef8, + .f8 = coef9, + .f9 = coef10, + .f10 = coef11 + } + ); +} + +static inline void +libcrux_kyber_ntt_invert_ntt_at_layer( + size_t *zeta_i, + int32_t re[256U], + size_t layer, + int32_t ret[256U] +) +{ + size_t step = (size_t)1U << 
(uint32_t)layer; + for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) + { + size_t round = i0; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + size_t offset = round * step * (size_t)2U; + for (size_t i = offset; i < offset + step; i++) + { + size_t j = i; + int32_t a_minus_b = re[j + step] - re[j]; + re[j] = re[j] + re[j + step]; + int32_t + uu____0 = + libcrux_kyber_arithmetic_montgomery_reduce(a_minus_b + * libcrux_kyber_ntt_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); + re[j + step] = uu____0; + } + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +libcrux_kyber_serialize_deserialize_then_decompress_message( + uint8_t serialized[32U], + int32_t ret[256U] +) +{ + int32_t re[256U]; + memcpy(re, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)32U, + serialized, + uint8_t, + Eurydice_slice), + uint8_t, + size_t); + i0++) + { + size_t i1 = i0; + uint8_t byte = serialized[i1]; + for (size_t i = (size_t)0U; i < (size_t)8U; i++) + { + size_t j = i; + int32_t coefficient_compressed = (int32_t)((uint32_t)byte >> (uint32_t)j & 1U); + int32_t + uu____0 = libcrux_kyber_compress_decompress_message_coefficient(coefficient_compressed); + re[(size_t)8U * i1 + j] = uu____0; + } + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t +libcrux_kyber_serialize_compress_coefficients_5( + uint8_t coefficient2, + uint8_t coefficient1, + uint8_t coefficient4, + uint8_t coefficient3, + uint8_t coefficient5, + uint8_t coefficient7, + uint8_t coefficient6, + uint8_t coefficient8 +) +{ + uint8_t coef1 = ((uint32_t)coefficient2 & 7U) << 5U | (uint32_t)coefficient1; + uint8_t + coef2 = + (((uint32_t)coefficient4 & 1U) << 7U | (uint32_t)coefficient3 << 2U) + | (uint32_t)coefficient2 >> 3U; + uint8_t coef3 = 
((uint32_t)coefficient5 & 15U) << 4U | (uint32_t)coefficient4 >> 1U; + uint8_t + coef4 = + (((uint32_t)coefficient7 & 3U) << 6U | (uint32_t)coefficient6 << 1U) + | (uint32_t)coefficient5 >> 4U; + uint8_t coef5 = (uint32_t)coefficient8 << 3U | (uint32_t)coefficient7 >> 2U; + return + ( + (K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t){ + .fst = coef1, + .snd = coef2, + .thd = coef3, + .f3 = coef4, + .f4 = coef5 + } + ); +} + +static inline void +libcrux_kyber_serialize_deserialize_to_reduced_ring_element( + Eurydice_slice ring_element, + int32_t ret[256U] +) +{ + int32_t re[256U]; + memcpy(re, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i = (size_t)0U; + i + < core_slice___Slice_T___len(ring_element, uint8_t, size_t) / (size_t)3U; + i++) + { + size_t i0 = i; + Eurydice_slice + bytes = + Eurydice_slice_subslice(ring_element, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)3U, + .end = i0 * (size_t)3U + (size_t)3U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t byte1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t byte2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t byte3 = (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + re[(size_t)2U * i0] = (byte2 & (int32_t)15) << 8U | (byte1 & (int32_t)255); + int32_t tmp = re[(size_t)2U * i0] % (int32_t)3329; + re[(size_t)2U * i0] = tmp; + re[(size_t)2U * i0 + (size_t)1U] = byte3 << 4U | (byte2 >> 4U & (int32_t)15); + int32_t tmp0 = re[(size_t)2U * i0 + (size_t)1U] % (int32_t)3329; + re[(size_t)2U * i0 + (size_t)1U] = tmp0; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +typedef struct K___int32_t_int32_t_int32_t_int32_t_s +{ + int32_t fst; + int32_t snd; + int32_t thd; + int32_t f3; +} +K___int32_t_int32_t_int32_t_int32_t; + +static inline K___int32_t_int32_t_int32_t_int32_t 
+libcrux_kyber_serialize_decompress_coefficients_10( + int32_t byte2, + int32_t byte1, + int32_t byte3, + int32_t byte4, + int32_t byte5 +) +{ + int32_t coefficient1 = (byte2 & (int32_t)3) << 8U | (byte1 & (int32_t)255); + int32_t coefficient2 = (byte3 & (int32_t)15) << 6U | byte2 >> 2U; + int32_t coefficient3 = (byte4 & (int32_t)63) << 4U | byte3 >> 4U; + int32_t coefficient4 = byte5 << 2U | byte4 >> 6U; + return + ( + (K___int32_t_int32_t_int32_t_int32_t){ + .fst = coefficient1, + .snd = coefficient2, + .thd = coefficient3, + .f3 = coefficient4 + } + ); +} + +static inline void +libcrux_kyber_serialize_deserialize_then_decompress_10( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t re[256U]; + memcpy(re, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i = (size_t)0U; + i + < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)5U; + i++) + { + size_t i0 = i; + Eurydice_slice + bytes = + Eurydice_slice_subslice(serialized, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)5U, + .end = i0 * (size_t)5U + (size_t)5U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t byte1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t byte2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t byte3 = (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + int32_t byte4 = (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t); + int32_t byte5 = (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t); + K___int32_t_int32_t_int32_t_int32_t + uu____0 = libcrux_kyber_serialize_decompress_coefficients_10(byte2, byte1, byte3, byte4, byte5); + int32_t coefficient1 = uu____0.fst; + int32_t coefficient2 = uu____0.snd; + int32_t coefficient3 = uu____0.thd; + int32_t coefficient4 = uu____0.f3; + int32_t uu____1 = 
libcrux_kyber_compress_decompress_ciphertext_coefficient(10U, coefficient1); + re[(size_t)4U * i0] = uu____1; + int32_t uu____2 = libcrux_kyber_compress_decompress_ciphertext_coefficient(10U, coefficient2); + re[(size_t)4U * i0 + (size_t)1U] = uu____2; + int32_t uu____3 = libcrux_kyber_compress_decompress_ciphertext_coefficient(10U, coefficient3); + re[(size_t)4U * i0 + (size_t)2U] = uu____3; + int32_t uu____4 = libcrux_kyber_compress_decompress_ciphertext_coefficient(10U, coefficient4); + re[(size_t)4U * i0 + (size_t)3U] = uu____4; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +typedef struct K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_s +{ + int32_t fst; + int32_t snd; + int32_t thd; + int32_t f3; + int32_t f4; + int32_t f5; + int32_t f6; + int32_t f7; +} +K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t; + +static inline K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t +libcrux_kyber_serialize_decompress_coefficients_11( + int32_t byte2, + int32_t byte1, + int32_t byte3, + int32_t byte5, + int32_t byte4, + int32_t byte6, + int32_t byte7, + int32_t byte9, + int32_t byte8, + int32_t byte10, + int32_t byte11 +) +{ + int32_t coefficient1 = (byte2 & (int32_t)7) << 8U | byte1; + int32_t coefficient2 = (byte3 & (int32_t)63) << 5U | byte2 >> 3U; + int32_t coefficient3 = ((byte5 & (int32_t)1) << 10U | byte4 << 2U) | byte3 >> 6U; + int32_t coefficient4 = (byte6 & (int32_t)15) << 7U | byte5 >> 1U; + int32_t coefficient5 = (byte7 & (int32_t)127) << 4U | byte6 >> 4U; + int32_t coefficient6 = ((byte9 & (int32_t)3) << 9U | byte8 << 1U) | byte7 >> 7U; + int32_t coefficient7 = (byte10 & (int32_t)31) << 6U | byte9 >> 2U; + int32_t coefficient8 = byte11 << 3U | byte10 >> 5U; + return + ( + (K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t){ + .fst = coefficient1, + .snd = coefficient2, + .thd = coefficient3, + .f3 = coefficient4, + .f4 = coefficient5, + .f5 = coefficient6, + .f6 = 
coefficient7, + .f7 = coefficient8 + } + ); +} + +static inline void +libcrux_kyber_serialize_deserialize_then_decompress_11( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t re[256U]; + memcpy(re, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i = (size_t)0U; + i + < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)11U; + i++) + { + size_t i0 = i; + Eurydice_slice + bytes = + Eurydice_slice_subslice(serialized, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)11U, + .end = i0 * (size_t)11U + (size_t)11U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t byte1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t byte2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t byte3 = (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + int32_t byte4 = (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t); + int32_t byte5 = (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t); + int32_t byte6 = (int32_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t); + int32_t byte7 = (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t); + int32_t byte8 = (int32_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t); + int32_t byte9 = (int32_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t); + int32_t byte10 = (int32_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t); + int32_t byte11 = (int32_t)Eurydice_slice_index(bytes, (size_t)10U, uint8_t, uint8_t); + K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t + uu____0 = + libcrux_kyber_serialize_decompress_coefficients_11(byte2, + byte1, + byte3, + byte5, + byte4, + byte6, + byte7, + byte9, + byte8, + byte10, + byte11); + int32_t coefficient1 = uu____0.fst; + int32_t coefficient2 = uu____0.snd; + int32_t 
coefficient3 = uu____0.thd; + int32_t coefficient4 = uu____0.f3; + int32_t coefficient5 = uu____0.f4; + int32_t coefficient6 = uu____0.f5; + int32_t coefficient7 = uu____0.f6; + int32_t coefficient8 = uu____0.f7; + int32_t uu____1 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient1); + re[(size_t)8U * i0] = uu____1; + int32_t uu____2 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient2); + re[(size_t)8U * i0 + (size_t)1U] = uu____2; + int32_t uu____3 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient3); + re[(size_t)8U * i0 + (size_t)2U] = uu____3; + int32_t uu____4 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient4); + re[(size_t)8U * i0 + (size_t)3U] = uu____4; + int32_t uu____5 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient5); + re[(size_t)8U * i0 + (size_t)4U] = uu____5; + int32_t uu____6 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient6); + re[(size_t)8U * i0 + (size_t)5U] = uu____6; + int32_t uu____7 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient7); + re[(size_t)8U * i0 + (size_t)6U] = uu____7; + int32_t uu____8 = libcrux_kyber_compress_decompress_ciphertext_coefficient(11U, coefficient8); + re[(size_t)8U * i0 + (size_t)7U] = uu____8; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +libcrux_kyber_ntt_ntt_at_layer_3328( + size_t *zeta_i, + int32_t re[256U], + size_t layer, + int32_t ret[256U] +) +{ + int32_t ret0[256U]; + libcrux_kyber_ntt_ntt_at_layer(zeta_i, re, layer, (size_t)3328U, ret0); + memcpy(ret, ret0, (size_t)256U * sizeof (int32_t)); +} + +static inline void +libcrux_kyber_serialize_deserialize_to_uncompressed_ring_element( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t re[256U]; + memcpy(re, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for 
+ (size_t + i = (size_t)0U; + i + < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)3U; + i++) + { + size_t i0 = i; + Eurydice_slice + bytes = + Eurydice_slice_subslice(serialized, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)3U, + .end = i0 * (size_t)3U + (size_t)3U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t byte1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t byte2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t byte3 = (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + re[(size_t)2U * i0] = (byte2 & (int32_t)15) << 8U | (byte1 & (int32_t)255); + re[(size_t)2U * i0 + (size_t)1U] = byte3 << 4U | (byte2 >> 4U & (int32_t)15); + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline K___int32_t_int32_t +libcrux_kyber_serialize_decompress_coefficients_4(uint8_t *byte) +{ + int32_t coefficient1 = (int32_t)Eurydice_bitand_pv_u8(byte, 15U); + int32_t coefficient2 = (int32_t)((uint32_t)Eurydice_shr_pv_u8(byte, (int32_t)4) & 15U); + return ((K___int32_t_int32_t){ .fst = coefficient1, .snd = coefficient2 }); +} + +static inline void +libcrux_kyber_serialize_deserialize_then_decompress_4( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t re[256U]; + memcpy(re, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(serialized, uint8_t, size_t); i++) + { + size_t i0 = i; + uint8_t *byte = &Eurydice_slice_index(serialized, i0, uint8_t, uint8_t); + K___int32_t_int32_t uu____0 = libcrux_kyber_serialize_decompress_coefficients_4(byte); + int32_t coefficient1 = uu____0.fst; + int32_t coefficient2 = uu____0.snd; + int32_t uu____1 = libcrux_kyber_compress_decompress_ciphertext_coefficient(4U, coefficient1); + re[(size_t)2U * i0] = uu____1; + int32_t uu____2 = 
libcrux_kyber_compress_decompress_ciphertext_coefficient(4U, coefficient2); + re[(size_t)2U * i0 + (size_t)1U] = uu____2; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t +libcrux_kyber_serialize_decompress_coefficients_5( + int32_t byte1, + int32_t byte2, + int32_t byte3, + int32_t byte4, + int32_t byte5 +) +{ + int32_t coefficient1 = byte1 & (int32_t)31; + int32_t coefficient2 = (byte2 & (int32_t)3) << 3U | byte1 >> 5U; + int32_t coefficient3 = byte2 >> 2U & (int32_t)31; + int32_t coefficient4 = (byte3 & (int32_t)15) << 1U | byte2 >> 7U; + int32_t coefficient5 = (byte4 & (int32_t)1) << 4U | byte3 >> 4U; + int32_t coefficient6 = byte4 >> 1U & (int32_t)31; + int32_t coefficient7 = (byte5 & (int32_t)7) << 2U | byte4 >> 6U; + int32_t coefficient8 = byte5 >> 3U; + return + ( + (K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t){ + .fst = coefficient1, + .snd = coefficient2, + .thd = coefficient3, + .f3 = coefficient4, + .f4 = coefficient5, + .f5 = coefficient6, + .f6 = coefficient7, + .f7 = coefficient8 + } + ); +} + +static inline void +libcrux_kyber_serialize_deserialize_then_decompress_5( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t re[256U]; + memcpy(re, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for + (size_t + i = (size_t)0U; + i + < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)5U; + i++) + { + size_t i0 = i; + Eurydice_slice + bytes = + Eurydice_slice_subslice(serialized, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)5U, + .end = i0 * (size_t)5U + (size_t)5U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t byte1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t byte2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t byte3 = 
(int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + int32_t byte4 = (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t); + int32_t byte5 = (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t); + K___int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t + uu____0 = libcrux_kyber_serialize_decompress_coefficients_5(byte1, byte2, byte3, byte4, byte5); + int32_t coefficient1 = uu____0.fst; + int32_t coefficient2 = uu____0.snd; + int32_t coefficient3 = uu____0.thd; + int32_t coefficient4 = uu____0.f3; + int32_t coefficient5 = uu____0.f4; + int32_t coefficient6 = uu____0.f5; + int32_t coefficient7 = uu____0.f6; + int32_t coefficient8 = uu____0.f7; + int32_t uu____1 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient1); + re[(size_t)8U * i0] = uu____1; + int32_t uu____2 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient2); + re[(size_t)8U * i0 + (size_t)1U] = uu____2; + int32_t uu____3 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient3); + re[(size_t)8U * i0 + (size_t)2U] = uu____3; + int32_t uu____4 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient4); + re[(size_t)8U * i0 + (size_t)3U] = uu____4; + int32_t uu____5 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient5); + re[(size_t)8U * i0 + (size_t)4U] = uu____5; + int32_t uu____6 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient6); + re[(size_t)8U * i0 + (size_t)5U] = uu____6; + int32_t uu____7 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient7); + re[(size_t)8U * i0 + (size_t)6U] = uu____7; + int32_t uu____8 = libcrux_kyber_compress_decompress_ciphertext_coefficient(5U, coefficient8); + re[(size_t)8U * i0 + (size_t)7U] = uu____8; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +libcrux_kyber_serialize_compress_then_serialize_message(int32_t re[256U], uint8_t 
ret[32U]) +{ + uint8_t serialized[32U] = { 0U }; + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)8U; + i0++) + { + size_t i1 = i0; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i1 * (size_t)8U, + .end = i1 * (size_t)8U + (size_t)8U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(coefficients, int32_t, size_t); i++) + { + size_t j = i; + int32_t *coefficient = &Eurydice_slice_index(coefficients, j, int32_t, int32_t); + uint16_t coefficient0 = libcrux_kyber_arithmetic_to_unsigned_representative(coefficient[0U]); + uint8_t + coefficient_compressed = libcrux_kyber_compress_compress_message_coefficient(coefficient0); + size_t uu____0 = i1; + serialized[uu____0] = + (uint32_t)serialized[uu____0] + | (uint32_t)coefficient_compressed << (uint32_t)j; + } + } + memcpy(ret, serialized, (size_t)32U * sizeof (uint8_t)); +} + +#if defined(__cplusplus) +} +#endif + +#define __internal_libcrux_kyber_common_H_DEFINED +#endif diff --git a/libcrux/include/libcrux_digest.h b/libcrux/include/libcrux_digest.h index 1764499a..3d10d12e 100644 --- a/libcrux/include/libcrux_digest.h +++ b/libcrux/include/libcrux_digest.h @@ -1,13 +1,17 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /Users/franziskus/repos/eurydice//eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc - F* version: a32b316e - KaRaMeL version: abb38e1d + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f */ #ifndef __libcrux_digest_H #define __libcrux_digest_H +#if defined(__cplusplus) +extern "C" { +#endif + #include "eurydice_glue.h" #include "libcrux_hacl_glue.h" 
@@ -19,6 +23,26 @@ extern void libcrux_digest_sha3_256(Eurydice_slice x0, uint8_t x1[32U]); extern void libcrux_digest_shake256_(size_t x0, Eurydice_slice x1, uint8_t *x2); +extern libcrux_digest_incremental_x4_Shake128StateX4 +libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__new(void); + +#define libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final(x_0, x_1, x_2, _ret_t) libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final_(x_0, x_1, x_2) + +extern void +libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final_( + size_t x0, + libcrux_digest_incremental_x4_Shake128StateX4 *x1, + Eurydice_slice *x2 +); + +extern void +libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__free_memory( + libcrux_digest_incremental_x4_Shake128StateX4 x0 +); + +#if defined(__cplusplus) +} +#endif #define __libcrux_digest_H_DEFINED #endif diff --git a/libcrux/include/libcrux_hacl_glue.h b/libcrux/include/libcrux_hacl_glue.h index 7f7ba34b..26e90478 100644 --- a/libcrux/include/libcrux_hacl_glue.h +++ b/libcrux/include/libcrux_hacl_glue.h @@ -2,6 +2,11 @@ #pragma once +#if defined(__cplusplus) +extern "C" +{ +#endif + #include "Eurydice.h" #include 
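Review bot: The new `extern "C" {` in libcrux_hacl_glue.h is opened before the file's `#include` lines, so `Eurydice.h` and the include that follows it are compiled inside the C-linkage block whenever a C++ translation unit consumes this header. That is fragile: any C++-only content in those headers (templates, overloads, namespaces) or a system header that is not safe to wrap in `extern "C"` will break, and the wrapping is unnecessary because the linkage block only needs to cover this file's own prototypes. Move the includes above the `#if defined(__cplusplus)` guard and open `extern "C"` just before the first declaration. The generated headers in this commit (libcrux_digest.h, libcrux_kyber512.h, libcrux_kyber1024.h) use the same layout, so the corresponding change for them belongs in the generator's header template rather than in the emitted files.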
@@ -31,15 +36,21 @@ extern void libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks_f( libcrux_digest_incremental_x4_Shake128StateX4* xof_state, size_t block_len,
- uint8_t* output);
+ size_t num,
+ uint8_t *output);
 #define libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks( \
- num_blocks, num, xof_state, output, c) \
+ block_len, num, xof_state, output, c) \
 libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks_f( \
- xof_state, num_blocks, (uint8_t*)output[0])
+ xof_state, block_len, num, (uint8_t *) output)
+// The last parameter should be x1[k] but Eurydice issues a prototype that has lost the length information.
 void libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final_( size_t k, libcrux_digest_incremental_x4_Shake128StateX4* x0,
- Eurydice_slice x1[3U]);
+ Eurydice_slice *x1);
+
+#if defined(__cplusplus)
+}
+#endif
diff --git a/libcrux/include/libcrux_kyber.h b/libcrux/include/libcrux_kyber.h
deleted file mode 100644
index 56483138..00000000
--- a/libcrux/include/libcrux_kyber.h
+++ /dev/null
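Review bot: The rewritten `squeeze_blocks` macro forwards the new `num` argument and flattens `output` with `(uint8_t *) output`, but neither the macro nor the `..._squeeze_blocks_f` prototype states how large `output` must be, and the macro's `c` argument is silently dropped; the old `output[0]` form at least tied the argument to an array of arrays. Add a contract comment above the prototype, e.g. `// output must be a contiguous buffer large enough for every squeezed block (presumably num * block_len bytes; confirm against the implementation); the c argument of the macro is unused.` The comment added above `absorb_final_` explains why the array bound was lost but not what the caller must guarantee; extending it with `callers must pass at least k Eurydice_slice values in x1` makes the invariant checkable at each call site.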
@@ -1,124 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/franziskus/repos/eurydice//eurydice --config - ../../kyber-c.yaml ../libcrux_kyber.llbc F* version: a32b316e KaRaMeL version: - abb38e1d - */ - -#ifndef __libcrux_kyber_H -#define __libcrux_kyber_H - -#include "Eurydice.h" -#include "core.h" -#include "eurydice_glue.h" -#include "libcrux_digest.h" - -#define LIBCRUX_KYBER_KYBER768_RANK_768 ((size_t)3U) - -#define LIBCRUX_KYBER_KYBER768_RANKED_BYTES_PER_RING_ELEMENT_768 \ - (LIBCRUX_KYBER_KYBER768_RANK_768 * BITS_PER_RING_ELEMENT / (size_t)8U) - -#define LIBCRUX_KYBER_KYBER768_T_AS_NTT_ENCODED_SIZE_768 \ - (LIBCRUX_KYBER_KYBER768_RANK_768 * COEFFICIENTS_IN_RING_ELEMENT * \ - BITS_PER_COEFFICIENT / (size_t)8U) - -#define LIBCRUX_KYBER_KYBER768_VECTOR_U_COMPRESSION_FACTOR_768 ((size_t)10U) - -#define LIBCRUX_KYBER_KYBER768_C1_BLOCK_SIZE_768 \ - (COEFFICIENTS_IN_RING_ELEMENT * \ - LIBCRUX_KYBER_KYBER768_VECTOR_U_COMPRESSION_FACTOR_768 / (size_t)8U) - -#define LIBCRUX_KYBER_KYBER768_C1_SIZE_768 \ - (LIBCRUX_KYBER_KYBER768_C1_BLOCK_SIZE_768 * LIBCRUX_KYBER_KYBER768_RANK_768) - -#define LIBCRUX_KYBER_KYBER768_VECTOR_V_COMPRESSION_FACTOR_768 ((size_t)4U) - -#define LIBCRUX_KYBER_KYBER768_C2_SIZE_768 \ - (COEFFICIENTS_IN_RING_ELEMENT * \ - LIBCRUX_KYBER_KYBER768_VECTOR_V_COMPRESSION_FACTOR_768 / (size_t)8U) - -#define LIBCRUX_KYBER_KYBER768_CPA_PKE_SECRET_KEY_SIZE_768 \ - (LIBCRUX_KYBER_KYBER768_RANK_768 * COEFFICIENTS_IN_RING_ELEMENT * \ - BITS_PER_COEFFICIENT / (size_t)8U) - -#define LIBCRUX_KYBER_KYBER768_CPA_PKE_PUBLIC_KEY_SIZE_768 \ - (LIBCRUX_KYBER_KYBER768_T_AS_NTT_ENCODED_SIZE_768 + (size_t)32U) - -#define LIBCRUX_KYBER_KYBER768_CPA_PKE_CIPHERTEXT_SIZE_768 \ - (LIBCRUX_KYBER_KYBER768_C1_SIZE_768 + LIBCRUX_KYBER_KYBER768_C2_SIZE_768) - -#define LIBCRUX_KYBER_KYBER768_SECRET_KEY_SIZE_768 \ - (LIBCRUX_KYBER_KYBER768_CPA_PKE_SECRET_KEY_SIZE_768 + \ - LIBCRUX_KYBER_KYBER768_CPA_PKE_PUBLIC_KEY_SIZE_768 + H_DIGEST_SIZE + \ - 
SHARED_SECRET_SIZE) - -#define LIBCRUX_KYBER_KYBER768_ETA1 ((size_t)2U) - -#define LIBCRUX_KYBER_KYBER768_ETA1_RANDOMNESS_SIZE \ - (LIBCRUX_KYBER_KYBER768_ETA1 * (size_t)64U) - -#define LIBCRUX_KYBER_KYBER768_ETA2 ((size_t)2U) - -#define LIBCRUX_KYBER_KYBER768_ETA2_RANDOMNESS_SIZE \ - (LIBCRUX_KYBER_KYBER768_ETA2 * (size_t)64U) - -#define LIBCRUX_KYBER_KYBER768_IMPLICIT_REJECTION_HASH_INPUT_SIZE \ - (SHARED_SECRET_SIZE + LIBCRUX_KYBER_KYBER768_CPA_PKE_CIPHERTEXT_SIZE_768) - -typedef uint8_t libcrux_kyber_types_MlKemPublicKey___1184size_t[1184U]; - -typedef struct - core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t___s -{ - core_option_Option__size_t_tags tag; - libcrux_kyber_types_MlKemPublicKey___1184size_t f0; -} core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__; - -core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ -libcrux_kyber_kyber768_validate_public_key(uint8_t public_key[1184U]); - -typedef struct libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t_s -{ - uint8_t sk[2400U]; - uint8_t pk[1184U]; -} libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t; - -libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t -libcrux_kyber_kyber768_generate_key_pair(uint8_t randomness[64U]); - -typedef struct - K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t__s -{ - uint8_t fst[1088U]; - uint8_t snd[32U]; -} K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_; - -K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ - libcrux_kyber_kyber768_encapsulate(uint8_t (*public_key)[1184U], - uint8_t randomness[32U]); - -void libcrux_kyber_kyber768_decapsulate(uint8_t (*secret_key)[2400U], - uint8_t (*ciphertext)[1088U], - uint8_t ret[32U]); - -extern libcrux_digest_incremental_x4_Shake128StateX4 -libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__new( - void); - -#define 
libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final( \ - x_0, x_1, x_2, _ret_t) \ - libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final_( \ - x_0, x_1, x_2) - -extern void -libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final_( - size_t x0, - libcrux_digest_incremental_x4_Shake128StateX4* x1, - Eurydice_slice x2[3U]); - -extern void -libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__free_memory( - libcrux_digest_incremental_x4_Shake128StateX4 x0); - -#define __libcrux_kyber_H_DEFINED -#endif diff --git a/libcrux/include/libcrux_kyber1024.h b/libcrux/include/libcrux_kyber1024.h new file mode 100644 index 00000000..bc66dbd9 --- /dev/null +++ b/libcrux/include/libcrux_kyber1024.h 
@@ -0,0 +1,125 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#ifndef __libcrux_kyber1024_H +#define __libcrux_kyber1024_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "libcrux_digest.h" +#include "core.h" +#include "eurydice_glue.h" + +#define LIBCRUX_KYBER_KYBER1024_RANK_1024 ((size_t)4U) + +#define LIBCRUX_KYBER_KYBER1024_RANKED_BYTES_PER_RING_ELEMENT_1024 (LIBCRUX_KYBER_KYBER1024_RANK_1024 * LIBCRUX_KYBER_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER1024_T_AS_NTT_ENCODED_SIZE_1024 (LIBCRUX_KYBER_KYBER1024_RANK_1024 * LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER1024_VECTOR_U_COMPRESSION_FACTOR_1024 ((size_t)11U) + +#define LIBCRUX_KYBER_KYBER1024_C1_BLOCK_SIZE_1024 (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_KYBER1024_VECTOR_U_COMPRESSION_FACTOR_1024 / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER1024_C1_SIZE_1024 (LIBCRUX_KYBER_KYBER1024_C1_BLOCK_SIZE_1024 * LIBCRUX_KYBER_KYBER1024_RANK_1024) + +#define LIBCRUX_KYBER_KYBER1024_VECTOR_V_COMPRESSION_FACTOR_1024 ((size_t)5U) + +#define LIBCRUX_KYBER_KYBER1024_C2_SIZE_1024 (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_KYBER1024_VECTOR_V_COMPRESSION_FACTOR_1024 / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER1024_CPA_PKE_SECRET_KEY_SIZE_1024 (LIBCRUX_KYBER_KYBER1024_RANK_1024 * LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER1024_CPA_PKE_PUBLIC_KEY_SIZE_1024 (LIBCRUX_KYBER_KYBER1024_T_AS_NTT_ENCODED_SIZE_1024 + (size_t)32U) + +#define LIBCRUX_KYBER_KYBER1024_CPA_PKE_CIPHERTEXT_SIZE_1024 (LIBCRUX_KYBER_KYBER1024_C1_SIZE_1024 + LIBCRUX_KYBER_KYBER1024_C2_SIZE_1024) + +#define 
LIBCRUX_KYBER_KYBER1024_SECRET_KEY_SIZE_1024 (LIBCRUX_KYBER_KYBER1024_CPA_PKE_SECRET_KEY_SIZE_1024 + LIBCRUX_KYBER_KYBER1024_CPA_PKE_PUBLIC_KEY_SIZE_1024 + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE) + +#define LIBCRUX_KYBER_KYBER1024_ETA1 ((size_t)2U) + +#define LIBCRUX_KYBER_KYBER1024_ETA1_RANDOMNESS_SIZE (LIBCRUX_KYBER_KYBER1024_ETA1 * (size_t)64U) + +#define LIBCRUX_KYBER_KYBER1024_ETA2 ((size_t)2U) + +#define LIBCRUX_KYBER_KYBER1024_ETA2_RANDOMNESS_SIZE (LIBCRUX_KYBER_KYBER1024_ETA2 * (size_t)64U) + +#define LIBCRUX_KYBER_KYBER1024_IMPLICIT_REJECTION_HASH_INPUT_SIZE (LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE + LIBCRUX_KYBER_KYBER1024_CPA_PKE_CIPHERTEXT_SIZE_1024) + +typedef uint8_t libcrux_kyber_types_MlKemPublicKey___1568size_t[1568U]; + +typedef struct core_option_Option__libcrux_kyber_types_MlKemPublicKey__1568size_t___s +{ + core_option_Option__size_t_tags tag; + libcrux_kyber_types_MlKemPublicKey___1568size_t f0; +} +core_option_Option__libcrux_kyber_types_MlKemPublicKey__1568size_t__; + +core_option_Option__libcrux_kyber_types_MlKemPublicKey__1568size_t__ +libcrux_kyber_kyber1024_validate_public_key(uint8_t public_key[1568U]); + +typedef struct libcrux_kyber_types_MlKemKeyPair___3168size_t_1568size_t_s +{ + uint8_t sk[3168U]; + uint8_t pk[1568U]; +} +libcrux_kyber_types_MlKemKeyPair___3168size_t_1568size_t; + +libcrux_kyber_types_MlKemKeyPair___3168size_t_1568size_t +libcrux_kyber_kyber1024_generate_key_pair(uint8_t randomness[64U]); + +typedef struct libcrux_kyber_MlKemState___4size_t_s +{ + int32_t secret_as_ntt[4U][256U]; + int32_t t_as_ntt[4U][256U]; + int32_t a_transpose[4U][4U][256U]; + uint8_t rej[32U]; + uint8_t ind_cpa_public_key_hash[32U]; +} +libcrux_kyber_MlKemState___4size_t; + +typedef struct +K___libcrux_kyber_MlKemState__4size_t___libcrux_kyber_types_MlKemPublicKey__1568size_t___s +{ + libcrux_kyber_MlKemState___4size_t fst; + uint8_t snd[1568U]; +} 
+K___libcrux_kyber_MlKemState__4size_t___libcrux_kyber_types_MlKemPublicKey__1568size_t__; + +K___libcrux_kyber_MlKemState__4size_t___libcrux_kyber_types_MlKemPublicKey__1568size_t__ +libcrux_kyber_kyber1024_generate_key_pair_unpacked(uint8_t randomness[64U]); + +typedef struct K___libcrux_kyber_types_MlKemCiphertext__1568size_t___uint8_t_32size_t__s +{ + uint8_t fst[1568U]; + uint8_t snd[32U]; +} +K___libcrux_kyber_types_MlKemCiphertext__1568size_t___uint8_t_32size_t_; + +K___libcrux_kyber_types_MlKemCiphertext__1568size_t___uint8_t_32size_t_ +libcrux_kyber_kyber1024_encapsulate(uint8_t (*public_key)[1568U], uint8_t randomness[32U]); + +void +libcrux_kyber_kyber1024_decapsulate( + uint8_t (*secret_key)[3168U], + uint8_t (*ciphertext)[1568U], + uint8_t ret[32U] +); + +void +libcrux_kyber_kyber1024_decapsulate_unpacked( + libcrux_kyber_MlKemState___4size_t *state, + uint8_t (*ciphertext)[1568U], + uint8_t ret[32U] +); + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_kyber1024_H_DEFINED +#endif diff --git a/libcrux/include/libcrux_kyber512.h b/libcrux/include/libcrux_kyber512.h new file mode 100644 index 00000000..0f154241 --- /dev/null +++ b/libcrux/include/libcrux_kyber512.h 
@@ -0,0 +1,125 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#ifndef __libcrux_kyber512_H +#define __libcrux_kyber512_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "libcrux_digest.h" +#include "core.h" +#include "eurydice_glue.h" + +#define LIBCRUX_KYBER_KYBER512_RANK_512 ((size_t)2U) + +#define LIBCRUX_KYBER_KYBER512_RANKED_BYTES_PER_RING_ELEMENT_512 (LIBCRUX_KYBER_KYBER512_RANK_512 * LIBCRUX_KYBER_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER512_T_AS_NTT_ENCODED_SIZE_512 (LIBCRUX_KYBER_KYBER512_RANK_512 * LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER512_VECTOR_U_COMPRESSION_FACTOR_512 ((size_t)10U) + +#define LIBCRUX_KYBER_KYBER512_C1_BLOCK_SIZE_512 (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_KYBER512_VECTOR_U_COMPRESSION_FACTOR_512 / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER512_C1_SIZE_512 (LIBCRUX_KYBER_KYBER512_C1_BLOCK_SIZE_512 * LIBCRUX_KYBER_KYBER512_RANK_512) + +#define LIBCRUX_KYBER_KYBER512_VECTOR_V_COMPRESSION_FACTOR_512 ((size_t)4U) + +#define LIBCRUX_KYBER_KYBER512_C2_SIZE_512 (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_KYBER512_VECTOR_V_COMPRESSION_FACTOR_512 / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER512_CPA_PKE_SECRET_KEY_SIZE_512 (LIBCRUX_KYBER_KYBER512_RANK_512 * LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER512_CPA_PKE_PUBLIC_KEY_SIZE_512 (LIBCRUX_KYBER_KYBER512_T_AS_NTT_ENCODED_SIZE_512 + (size_t)32U) + +#define LIBCRUX_KYBER_KYBER512_CPA_PKE_CIPHERTEXT_SIZE_512 (LIBCRUX_KYBER_KYBER512_C1_SIZE_512 + LIBCRUX_KYBER_KYBER512_C2_SIZE_512) + +#define LIBCRUX_KYBER_KYBER512_SECRET_KEY_SIZE_512 
(LIBCRUX_KYBER_KYBER512_CPA_PKE_SECRET_KEY_SIZE_512 + LIBCRUX_KYBER_KYBER512_CPA_PKE_PUBLIC_KEY_SIZE_512 + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE) + +#define LIBCRUX_KYBER_KYBER512_ETA1 ((size_t)3U) + +#define LIBCRUX_KYBER_KYBER512_ETA1_RANDOMNESS_SIZE (LIBCRUX_KYBER_KYBER512_ETA1 * (size_t)64U) + +#define LIBCRUX_KYBER_KYBER512_ETA2 ((size_t)2U) + +#define LIBCRUX_KYBER_KYBER512_ETA2_RANDOMNESS_SIZE (LIBCRUX_KYBER_KYBER512_ETA2 * (size_t)64U) + +#define LIBCRUX_KYBER_KYBER512_IMPLICIT_REJECTION_HASH_INPUT_SIZE (LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE + LIBCRUX_KYBER_KYBER512_CPA_PKE_CIPHERTEXT_SIZE_512) + +typedef uint8_t libcrux_kyber_types_MlKemPublicKey___800size_t[800U]; + +typedef struct core_option_Option__libcrux_kyber_types_MlKemPublicKey__800size_t___s +{ + core_option_Option__size_t_tags tag; + libcrux_kyber_types_MlKemPublicKey___800size_t f0; +} +core_option_Option__libcrux_kyber_types_MlKemPublicKey__800size_t__; + +core_option_Option__libcrux_kyber_types_MlKemPublicKey__800size_t__ +libcrux_kyber_kyber512_validate_public_key(uint8_t public_key[800U]); + +typedef struct libcrux_kyber_types_MlKemKeyPair___1632size_t_800size_t_s +{ + uint8_t sk[1632U]; + uint8_t pk[800U]; +} +libcrux_kyber_types_MlKemKeyPair___1632size_t_800size_t; + +libcrux_kyber_types_MlKemKeyPair___1632size_t_800size_t +libcrux_kyber_kyber512_generate_key_pair(uint8_t randomness[64U]); + +typedef struct libcrux_kyber_MlKemState___2size_t_s +{ + int32_t secret_as_ntt[2U][256U]; + int32_t t_as_ntt[2U][256U]; + int32_t a_transpose[2U][2U][256U]; + uint8_t rej[32U]; + uint8_t ind_cpa_public_key_hash[32U]; +} +libcrux_kyber_MlKemState___2size_t; + +typedef struct +K___libcrux_kyber_MlKemState__2size_t___libcrux_kyber_types_MlKemPublicKey__800size_t___s +{ + libcrux_kyber_MlKemState___2size_t fst; + uint8_t snd[800U]; +} +K___libcrux_kyber_MlKemState__2size_t___libcrux_kyber_types_MlKemPublicKey__800size_t__; + 
+K___libcrux_kyber_MlKemState__2size_t___libcrux_kyber_types_MlKemPublicKey__800size_t__ +libcrux_kyber_kyber512_generate_key_pair_unpacked(uint8_t randomness[64U]); + +typedef struct K___libcrux_kyber_types_MlKemCiphertext__768size_t___uint8_t_32size_t__s +{ + uint8_t fst[768U]; + uint8_t snd[32U]; +} +K___libcrux_kyber_types_MlKemCiphertext__768size_t___uint8_t_32size_t_; + +K___libcrux_kyber_types_MlKemCiphertext__768size_t___uint8_t_32size_t_ +libcrux_kyber_kyber512_encapsulate(uint8_t (*public_key)[800U], uint8_t randomness[32U]); + +void +libcrux_kyber_kyber512_decapsulate( + uint8_t (*secret_key)[1632U], + uint8_t (*ciphertext)[768U], + uint8_t ret[32U] +); + +void +libcrux_kyber_kyber512_decapsulate_unpacked( + libcrux_kyber_MlKemState___2size_t *state, + uint8_t (*ciphertext)[768U], + uint8_t ret[32U] +); + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_kyber512_H_DEFINED +#endif diff --git a/libcrux/include/libcrux_kyber768.h b/libcrux/include/libcrux_kyber768.h new file mode 100644 index 00000000..42a9afcc --- /dev/null +++ b/libcrux/include/libcrux_kyber768.h 
@@ -0,0 +1,125 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#ifndef __libcrux_kyber768_H +#define __libcrux_kyber768_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include "libcrux_digest.h" +#include "core.h" +#include "eurydice_glue.h" + +#define LIBCRUX_KYBER_KYBER768_RANK_768 ((size_t)3U) + +#define LIBCRUX_KYBER_KYBER768_RANKED_BYTES_PER_RING_ELEMENT_768 (LIBCRUX_KYBER_KYBER768_RANK_768 * LIBCRUX_KYBER_CONSTANTS_BITS_PER_RING_ELEMENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER768_T_AS_NTT_ENCODED_SIZE_768 (LIBCRUX_KYBER_KYBER768_RANK_768 * LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER768_VECTOR_U_COMPRESSION_FACTOR_768 ((size_t)10U) + +#define LIBCRUX_KYBER_KYBER768_C1_BLOCK_SIZE_768 (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_KYBER768_VECTOR_U_COMPRESSION_FACTOR_768 / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER768_C1_SIZE_768 (LIBCRUX_KYBER_KYBER768_C1_BLOCK_SIZE_768 * LIBCRUX_KYBER_KYBER768_RANK_768) + +#define LIBCRUX_KYBER_KYBER768_VECTOR_V_COMPRESSION_FACTOR_768 ((size_t)4U) + +#define LIBCRUX_KYBER_KYBER768_C2_SIZE_768 (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_KYBER768_VECTOR_V_COMPRESSION_FACTOR_768 / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER768_CPA_PKE_SECRET_KEY_SIZE_768 (LIBCRUX_KYBER_KYBER768_RANK_768 * LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * LIBCRUX_KYBER_CONSTANTS_BITS_PER_COEFFICIENT / (size_t)8U) + +#define LIBCRUX_KYBER_KYBER768_CPA_PKE_PUBLIC_KEY_SIZE_768 (LIBCRUX_KYBER_KYBER768_T_AS_NTT_ENCODED_SIZE_768 + (size_t)32U) + +#define LIBCRUX_KYBER_KYBER768_CPA_PKE_CIPHERTEXT_SIZE_768 (LIBCRUX_KYBER_KYBER768_C1_SIZE_768 + LIBCRUX_KYBER_KYBER768_C2_SIZE_768) + +#define LIBCRUX_KYBER_KYBER768_SECRET_KEY_SIZE_768 
(LIBCRUX_KYBER_KYBER768_CPA_PKE_SECRET_KEY_SIZE_768 + LIBCRUX_KYBER_KYBER768_CPA_PKE_PUBLIC_KEY_SIZE_768 + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE) + +#define LIBCRUX_KYBER_KYBER768_ETA1 ((size_t)2U) + +#define LIBCRUX_KYBER_KYBER768_ETA1_RANDOMNESS_SIZE (LIBCRUX_KYBER_KYBER768_ETA1 * (size_t)64U) + +#define LIBCRUX_KYBER_KYBER768_ETA2 ((size_t)2U) + +#define LIBCRUX_KYBER_KYBER768_ETA2_RANDOMNESS_SIZE (LIBCRUX_KYBER_KYBER768_ETA2 * (size_t)64U) + +#define LIBCRUX_KYBER_KYBER768_IMPLICIT_REJECTION_HASH_INPUT_SIZE (LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE + LIBCRUX_KYBER_KYBER768_CPA_PKE_CIPHERTEXT_SIZE_768) + +typedef uint8_t libcrux_kyber_types_MlKemPublicKey___1184size_t[1184U]; + +typedef struct core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t___s +{ + core_option_Option__size_t_tags tag; + libcrux_kyber_types_MlKemPublicKey___1184size_t f0; +} +core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__; + +core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ +libcrux_kyber_kyber768_validate_public_key(uint8_t public_key[1184U]); + +typedef struct libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t_s +{ + uint8_t sk[2400U]; + uint8_t pk[1184U]; +} +libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t; + +libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t +libcrux_kyber_kyber768_generate_key_pair(uint8_t randomness[64U]); + +typedef struct libcrux_kyber_MlKemState___3size_t_s +{ + int32_t secret_as_ntt[3U][256U]; + int32_t t_as_ntt[3U][256U]; + int32_t a_transpose[3U][3U][256U]; + uint8_t rej[32U]; + uint8_t ind_cpa_public_key_hash[32U]; +} +libcrux_kyber_MlKemState___3size_t; + +typedef struct +K___libcrux_kyber_MlKemState__3size_t___libcrux_kyber_types_MlKemPublicKey__1184size_t___s +{ + libcrux_kyber_MlKemState___3size_t fst; + uint8_t snd[1184U]; +} +K___libcrux_kyber_MlKemState__3size_t___libcrux_kyber_types_MlKemPublicKey__1184size_t__; + 
+K___libcrux_kyber_MlKemState__3size_t___libcrux_kyber_types_MlKemPublicKey__1184size_t__ +libcrux_kyber_kyber768_generate_key_pair_unpacked(uint8_t randomness[64U]); + +typedef struct K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t__s +{ + uint8_t fst[1088U]; + uint8_t snd[32U]; +} +K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_; + +K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ +libcrux_kyber_kyber768_encapsulate(uint8_t (*public_key)[1184U], uint8_t randomness[32U]); + +void +libcrux_kyber_kyber768_decapsulate( + uint8_t (*secret_key)[2400U], + uint8_t (*ciphertext)[1088U], + uint8_t ret[32U] +); + +void +libcrux_kyber_kyber768_decapsulate_unpacked( + libcrux_kyber_MlKemState___3size_t *state, + uint8_t (*ciphertext)[1088U], + uint8_t ret[32U] +); + +#if defined(__cplusplus) +} +#endif + +#define __libcrux_kyber768_H_DEFINED +#endif diff --git a/libcrux/src/Libcrux_Kem_Kyber_Kyber768.c b/libcrux/src/Libcrux_Kem_Kyber_Kyber768.c index 1a72d344..e5094c1d 100644 --- a/libcrux/src/Libcrux_Kem_Kyber_Kyber768.c +++ b/libcrux/src/Libcrux_Kem_Kyber_Kyber768.c @@ -1,7 +1,7 @@ #include #include "Libcrux_Kem_Kyber_Kyber768.h" -#include "libcrux_kyber.h" +#include "libcrux_kyber768.h" void Libcrux_Kyber768_GenerateKeyPair(uint8_t* pk, diff --git a/libcrux/src/core.c b/libcrux/src/core.c index 6f2656d1..97af1c05 100644 --- a/libcrux/src/core.c +++ b/libcrux/src/core.c 
@@ -1,12 +1,34 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /Users/franziskus/repos/eurydice//eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc - F* version: a32b316e - KaRaMeL version: abb38e1d + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f */ #include "internal/core.h" +typedef size_t RangeTo__size_t; + typedef size_t RangeFrom__size_t; -typedef size_t RangeTo__size_t; +typedef struct Option__size_t_s +{ + core_option_Option__size_t_tags tag; + size_t f0; +} +Option__size_t; + +typedef struct Option__uint32_t_s +{ + core_option_Option__size_t_tags tag; + uint32_t f0; +} +Option__uint32_t; + +typedef struct Option__int32_t_s +{ + core_option_Option__size_t_tags tag; + int32_t f0; +} +Option__int32_t; + diff --git a/libcrux/src/libcrux_hacl_glue.c b/libcrux/src/libcrux_hacl_glue.c index 6b2716c7..42f53b4a 100644 --- a/libcrux/src/libcrux_hacl_glue.c +++ b/libcrux/src/libcrux_hacl_glue.c @@ -1,7 +1,7 @@ #include "libcrux_hacl_glue.h" #include "Hacl_Hash_SHA3.h" #include "libcrux_digest.h" -#include "libcrux_kyber.h" +#include "libcrux_kyber768.h" #include "libcrux_platform.h" #ifdef HACL_CAN_COMPILE_VEC256 @@ -10,12 +10,17 @@ #endif #include "Hacl_Hash_SHA3_Scalar.h" +static int evercrypt_initialized = false; + bool libcrux_platform_simd256_support(void) { - // TODO: Replace this with HACL platform support. #ifdef HACL_CAN_COMPILE_VEC256 - EverCrypt_AutoConfig2_init(); + // TODO: call runtime CPU detection to detect whether the target machine does have AVX2 + if (!evercrypt_initialized) { + EverCrypt_AutoConfig2_init(); + evercrypt_initialized = true; + } return EverCrypt_AutoConfig2_has_avx2(); #endif return false; 
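Review bot: `static int evercrypt_initialized = false;` is a plain int that is read and written with no synchronization, so two threads making their first `libcrux_platform_simd256_support()` call concurrently race on it, which is undefined behaviour under C11 even if `EverCrypt_AutoConfig2_init()` tolerates running twice (the hunk does not establish that it does). Declaring it `static bool` matches its `false` initializer, and since it is only referenced inside `#ifdef HACL_CAN_COMPILE_VEC256` it should be declared there as well, otherwise non-VEC256 builds get an unused-variable warning. If this function can be reached from several threads, guard the one-time init with an atomic flag or a C11 `call_once` rather than a bare int, since the flag decides which SHA3 implementation every later call uses. The `return false;` after `#endif` remains unreachable on VEC256 builds, which is pre-existing.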
@@ -52,8 +57,7 @@ libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4_
 #ifdef HACL_CAN_COMPILE_VEC256
 if (libcrux_platform_simd256_support()) {
 return (libcrux_digest_incremental_x4_Shake128StateX4){
- .x4 =
- (Lib_IntVector_Intrinsics_vec256*)Hacl_Hash_SHA3_Simd256_state_malloc(),
+ .x4 = Hacl_Hash_SHA3_Simd256_state_malloc(),
 .st0 = NULL,
 .st1 = NULL,
 .st2 = NULL,
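Review bot: `.x4 = Hacl_Hash_SHA3_Simd256_state_malloc()` stores the allocation result without checking it, so an allocation failure yields a state whose `x4` is NULL while `st0`..`st2` are NULL as well, and the next absorb call dereferences it. Dropping the cast is fine if the allocator now returns the vec256 pointer type, but the constructor (its start lies outside the hunk) should check the result and fail explicitly; the file already relies on the `KRML_HOST_*` hooks, so `KRML_HOST_EXIT` is the matching failure path, e.g. `if (x4 == NULL) KRML_HOST_EXIT(255U);` on a local before building the struct.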
@@ -82,23 +86,31 @@ libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4_
 inline void
 libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final_(
 size_t k,
- libcrux_digest_incremental_x4_Shake128StateX4* x0,
- Eurydice_slice x1[3U])
+ libcrux_digest_incremental_x4_Shake128StateX4* state,
+ //Eurydice_slice x1[k])
+ Eurydice_slice *x1)
 {
- (void)k;
 #ifdef HACL_CAN_COMPILE_VEC256
 if (libcrux_platform_simd256_support()) {
 Hacl_Hash_SHA3_Simd256_shake128_absorb_final(
- x0->x4, x1[0].ptr, x1[1].ptr, x1[2].ptr, x1[0].ptr, x1[0].len);
+ state->x4, x1[0].ptr, x1[1].ptr, x1[2 % k].ptr, x1[3 % k].ptr, x1[0].len);
 } else {
- Hacl_Hash_SHA3_Scalar_shake128_absorb_final(x0->st0, x1[0].ptr, x1[0].len);
- Hacl_Hash_SHA3_Scalar_shake128_absorb_final(x0->st1, x1[1].ptr, x1[1].len);
- Hacl_Hash_SHA3_Scalar_shake128_absorb_final(x0->st2, x1[2].ptr, x1[2].len);
+ // This function requires that the data be no longer than a partial block,
+ // meaning we can safely downcast into a uint32_t.
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st0, x1[0].ptr, (uint32_t) x1[0].len);
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st1, x1[1].ptr, (uint32_t) x1[1].len);
+ if (k >= 3)
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st2, x1[2].ptr, (uint32_t) x1[2].len);
+ if (k >= 4)
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st3, x1[3].ptr, (uint32_t) x1[3].len);
 }
 #else
- Hacl_Hash_SHA3_Scalar_shake128_absorb_final(x0->st0, x1[0].ptr, x1[0].len);
- Hacl_Hash_SHA3_Scalar_shake128_absorb_final(x0->st1, x1[1].ptr, x1[1].len);
- Hacl_Hash_SHA3_Scalar_shake128_absorb_final(x0->st2, x1[2].ptr, x1[2].len);
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st0, x1[0].ptr, (uint32_t) x1[0].len);
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st1, x1[1].ptr, (uint32_t) x1[1].len);
+ if (k >= 3)
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st2, x1[2].ptr, (uint32_t) x1[2].len);
+ if (k >= 4)
+ Hacl_Hash_SHA3_Scalar_shake128_absorb_final(state->st3, x1[3].ptr, (uint32_t) x1[3].len);
 #endif
 }
 
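Review bot: `k` is now a runtime lane count but the body only handles 2 ≤ k ≤ 4: with k < 2 `x1[1]` is read past the end of the caller's array (and `x1[2 % k]` divides by zero for k == 0), and with k > 4 the extra lanes are silently dropped. A precondition check at the top, e.g. `if (k < 2 || k > 4) KRML_HOST_EXIT(255U);`, would make the contract explicit, and the commented-out `//Eurydice_slice x1[k])` should be replaced by a real comment stating it (`// x1 points to k slices, 2 <= k <= 4; all lanes are assumed to have x1[0].len bytes`). The `(uint32_t)` downcast is justified by a comment but never checked, so an over-long slice is truncated rather than rejected, and the SIMD branch passes `x1[0].len` uncast for all four lanes while the scalar branch uses each lane's own length, so the two branches disagree on whether lanes may differ in length.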
@@ -106,31 +118,37 @@
 inline void
 libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks_f(
 libcrux_digest_incremental_x4_Shake128StateX4* x1,
 size_t block_len,
- uint8_t* output)
+ size_t num,
+ uint8_t *output)
 {
 #ifdef HACL_CAN_COMPILE_VEC256
 if (libcrux_platform_simd256_support()) {
- uint8_t* tmp = KRML_HOST_MALLOC(block_len);
+ // FIXME: the API does not allow aliased inputs -- discuss with Mamone
+ uint8_t* tmp1 = KRML_HOST_MALLOC(block_len);
+ uint8_t* tmp2 = KRML_HOST_MALLOC(block_len);
 Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks(x1->x4,
- output,
- output + block_len,
- output + 2 * block_len,
- tmp,
+ output + 0 * block_len,
+ output + 1 * block_len,
+ num >= 3 ? output + 2 * block_len : tmp1,
+ num >= 4 ? output + 3 * block_len : tmp2,
 block_len);
- free(tmp);
+ free(tmp1);
+ free(tmp2);
 } else {
- Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st0, output, block_len);
- Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(
- x1->st1, output + block_len, block_len);
- Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(
- x1->st2, output + 2 * block_len, block_len);
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st0, output + 0 * block_len, block_len);
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st1, output + 1 * block_len, block_len);
+ if (num >= 3)
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st2, output + 2 * block_len, block_len);
+ if (num >= 4)
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st3, output + 3 * block_len, block_len);
 }
 #else
- Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st0, output, block_len);
- Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(
- x1->st1, output + block_len, block_len);
- Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(
- x1->st2, output + 2 * block_len, block_len);
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st0, output + 0 * block_len, block_len);
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st1, output + 1 * block_len, block_len);
+ if (num >= 3)
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st2, output + 2 * block_len, block_len);
+ if (num >= 4)
+ Hacl_Hash_SHA3_Scalar_shake128_squeeze_nblocks(x1->st3, output + 3 * block_len, block_len);
 #endif
 }
diff --git a/libcrux/src/libcrux_kyber.c b/libcrux/src/libcrux_kyber.c
deleted file mode 100644
index 5048f56b..00000000
--- a/libcrux/src/libcrux_kyber.c
+++ /dev/null
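Review bot: The two scratch buffers `tmp1`/`tmp2` are obtained with `KRML_HOST_MALLOC` but released with plain `free()`, and neither result is checked before being passed to `Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks` as an output pointer, so an allocation failure turns into a write through NULL inside the SIMD squeeze. Releasing through `KRML_HOST_FREE` keeps the pair consistent when a host overrides the allocator, and since the SIMD state carries no scalar states to fall back to (`st0`..`st2` are NULL in that configuration, per the constructor hunk above), an explicit failure is the only safe reaction to NULL. Two heap allocations per squeeze call are also worth revisiting, e.g. a single `2 * block_len` allocation or a stack buffer if `block_len` is bounded; I can't tell from the hunk whether it is. `num` has the same unchecked-range problem as `k` in absorb_final (lanes below 2 are always written, lanes above 4 are dropped), and the two functions would read better with one name for the lane count.
```c
  if (libcrux_platform_simd256_support()) {
    // FIXME: the API does not allow aliased inputs -- discuss with Mamone
    uint8_t* tmp1 = KRML_HOST_MALLOC(block_len);
    uint8_t* tmp2 = KRML_HOST_MALLOC(block_len);
    if (tmp1 == NULL || tmp2 == NULL) {
      // No scalar states exist in the SIMD configuration, so there is nothing to fall back to.
      KRML_HOST_FREE(tmp1);
      KRML_HOST_FREE(tmp2);
      KRML_HOST_EXIT(255U);
    }
    // … unchanged: Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks call …
    KRML_HOST_FREE(tmp1);
    KRML_HOST_FREE(tmp2);
  }
```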
@@ -1,3561 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/franziskus/repos/eurydice//eurydice --config - ../../kyber-c.yaml ../libcrux_kyber.llbc F* version: a32b316e KaRaMeL version: - abb38e1d - */ - -#include "internal/libcrux_kyber.h" - -#include "internal/core.h" -#include "libcrux_hacl_glue.h" - -#define FIELD_MODULUS ((int32_t)3329) - -#define BITS_PER_COEFFICIENT ((size_t)12U) - -#define COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U) - -#define BITS_PER_RING_ELEMENT (COEFFICIENTS_IN_RING_ELEMENT * (size_t)12U) - -#define BYTES_PER_RING_ELEMENT (BITS_PER_RING_ELEMENT / (size_t)8U) - -#define SHARED_SECRET_SIZE ((size_t)32U) - -#define CPA_PKE_KEY_GENERATION_SEED_SIZE ((size_t)32U) - -#define H_DIGEST_SIZE ((size_t)32U) - -#define MONTGOMERY_SHIFT (16U) - -static uint32_t -get_n_least_significant_bits(uint8_t n, uint32_t value) -{ - return value & ((1U << (uint32_t)n) - 1U); -} - -#define BARRETT_SHIFT ((int64_t)26) - -#define BARRETT_R ((int64_t)1 << (uint32_t)BARRETT_SHIFT) - -#define BARRETT_MULTIPLIER ((int64_t)20159) - -static int32_t -barrett_reduce(int32_t value) -{ - int64_t t = - core_convert_num___core__convert__From_i32__for_i64__59__from(value) * - BARRETT_MULTIPLIER + - (BARRETT_R >> 1U); - int32_t quotient = (int32_t)(t >> (uint32_t)BARRETT_SHIFT); - return value - quotient * FIELD_MODULUS; -} - -#define INVERSE_OF_MODULUS_MOD_MONTGOMERY_R (62209U) - -static int32_t -montgomery_reduce(int32_t value) -{ - uint32_t t = get_n_least_significant_bits(MONTGOMERY_SHIFT, (uint32_t)value) * - INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; - int16_t k = (int16_t)get_n_least_significant_bits(MONTGOMERY_SHIFT, t); - int32_t k_times_modulus = (int32_t)k * FIELD_MODULUS; - int32_t c = k_times_modulus >> (uint32_t)MONTGOMERY_SHIFT; - int32_t value_high = value >> (uint32_t)MONTGOMERY_SHIFT; - return value_high - c; -} - -static int32_t -montgomery_multiply_fe_by_fer(int32_t fe, int32_t fer) -{ - return montgomery_reduce(fe * fer); -} - 
-#define MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS ((int32_t)1353) - -static int32_t -to_standard_domain(int32_t mfe) -{ - return montgomery_reduce(mfe * MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); -} - -static uint16_t -to_unsigned_representative(int32_t fe) -{ - return (uint16_t)(fe + (FIELD_MODULUS & fe >> 31U)); -} - -typedef int32_t PolynomialRingElement[256U]; - -static const int32_t ZERO[256U] = { 0U }; - -static uint8_t -compress_message_coefficient(uint16_t fe) -{ - int16_t shifted = (int16_t)1664 - (int16_t)fe; - int16_t mask = shifted >> 15U; - int16_t shifted_to_positive = mask ^ shifted; - int16_t shifted_positive_in_range = shifted_to_positive - (int16_t)832; - return (uint8_t)(shifted_positive_in_range >> 15U & (int16_t)1); -} - -static int32_t -compress_ciphertext_coefficient(uint8_t coefficient_bits, uint16_t fe) -{ - uint64_t compressed = (uint64_t)fe << (uint32_t)coefficient_bits; - compressed = compressed + 1664ULL; - compressed = compressed * 10321340ULL; - compressed = compressed >> 35U; - return (int32_t)get_n_least_significant_bits(coefficient_bits, - (uint32_t)compressed); -} - -static int32_t -decompress_message_coefficient(int32_t fe) -{ - return -fe & (FIELD_MODULUS + (int32_t)1) / (int32_t)2; -} - -static int32_t -decompress_ciphertext_coefficient(uint8_t coefficient_bits, int32_t fe) -{ - uint32_t decompressed = (uint32_t)fe * (uint32_t)FIELD_MODULUS; - decompressed = (decompressed << 1U) + (1U << (uint32_t)coefficient_bits); - decompressed = decompressed >> (uint32_t)((uint32_t)coefficient_bits + 1U); - return (int32_t)decompressed; -} - -static uint8_t -is_non_zero(uint8_t value) -{ - uint16_t value0 = (uint16_t)value; - uint16_t uu____0 = value0; - uint16_t result = (((uint32_t)uu____0 | - (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) & - 0xFFFFU) >> - 8U & - 1U; - return (uint8_t)result; -} - -static void -select_shared_secret_in_constant_time(Eurydice_slice lhs, - Eurydice_slice rhs, - uint8_t selector, - uint8_t ret[32U]) -{ - 
uint8_t mask = core_num__u8_6__wrapping_sub(is_non_zero(selector), 1U); - uint8_t out[32U] = { 0U }; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = SHARED_SECRET_SIZE }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - uint8_t uu____1 = - (uint32_t)Eurydice_slice_index(lhs, i, uint8_t, uint8_t) & - (uint32_t)mask; - uint8_t* uu____2 = &Eurydice_slice_index(rhs, i, uint8_t, uint8_t); - out[i] = (uint32_t)uu____1 | ((uint32_t)uu____2[0U] & (uint32_t)~mask); - } - } - uint8_t uu____3[32U]; - memcpy(uu____3, out, (size_t)32U * sizeof(uint8_t)); - memcpy(ret, uu____3, (size_t)32U * sizeof(uint8_t)); -} - -static void -G(Eurydice_slice input, uint8_t ret[64U]) -{ - uint8_t ret0[64U]; - libcrux_digest_sha3_512(input, ret0); - memcpy(ret, ret0, (size_t)64U * sizeof(uint8_t)); -} - -static void -H(Eurydice_slice input, uint8_t ret[32U]) -{ - uint8_t ret0[32U]; - libcrux_digest_sha3_256(input, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static void -free_state(libcrux_digest_incremental_x4_Shake128StateX4 xof_state) -{ - libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__free_memory( - xof_state); -} - -typedef struct __uint8_t_uint8_t_uint8_t_s -{ - uint8_t fst; - uint8_t snd; - uint8_t thd; -} __uint8_t_uint8_t_uint8_t; - -static __uint8_t_uint8_t_uint8_t -compress_coefficients_3(uint16_t coefficient1, uint16_t coefficient2) -{ - uint8_t coef1 = (uint8_t)((uint32_t)coefficient1 & 255U); - uint8_t coef2 = (uint8_t)((uint32_t)coefficient1 >> 8U | - ((uint32_t)coefficient2 & 15U) 
<< 4U); - uint8_t coef3 = (uint8_t)((uint32_t)coefficient2 >> 4U & 255U); - return ( - (__uint8_t_uint8_t_uint8_t){ .fst = coef1, .snd = coef2, .thd = coef3 }); -} - -static void -serialize_uncompressed_ring_element(int32_t re[256U], uint8_t ret[384U]) -{ - uint8_t serialized[384U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = - core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), - int32_t, - size_t) / - (size_t)2U; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice coefficients = Eurydice_array_to_subslice( - (size_t)256U, - re, - ((core_ops_range_Range__size_t){ .start = i * (size_t)2U, - .end = i * (size_t)2U + (size_t)2U }), - int32_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint16_t coefficient1 = to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t)); - uint16_t coefficient2 = to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t)); - __uint8_t_uint8_t_uint8_t uu____1 = - compress_coefficients_3(coefficient1, coefficient2); - uint8_t coef1 = uu____1.fst; - uint8_t coef2 = uu____1.snd; - uint8_t coef3 = uu____1.thd; - serialized[(size_t)3U * i] = coef1; - serialized[(size_t)3U * i + (size_t)1U] = coef2; - serialized[(size_t)3U * i + (size_t)2U] = coef3; - } - } - uint8_t uu____2[384U]; - memcpy(uu____2, serialized, (size_t)384U * sizeof(uint8_t)); - memcpy(ret, uu____2, (size_t)384U * sizeof(uint8_t)); -} - -static void 
-deserialize_to_uncompressed_ring_element(Eurydice_slice serialized, - int32_t ret[256U]) -{ - int32_t re[256U]; - memcpy(re, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(serialized, uint8_t, size_t) / - (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - ((core_ops_range_Range__size_t){ .start = i * (size_t)3U, - .end = i * (size_t)3U + (size_t)3U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t byte1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); - int32_t byte2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); - int32_t byte3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); - re[(size_t)2U * i] = (byte2 & (int32_t)15) << 8U | (byte1 & (int32_t)255); - re[(size_t)2U * i + (size_t)1U] = - byte3 << 4U | (byte2 >> 4U & (int32_t)15); - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -sample_from_binomial_distribution_2(Eurydice_slice randomness, - int32_t ret[256U]) -{ - int32_t sampled[256U]; - memcpy(sampled, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(randomness, uint8_t, size_t) / - (size_t)4U }), - core_ops_range_Range__size_t, - 
core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t chunk_number = uu____0.f0; - Eurydice_slice byte_chunk = Eurydice_slice_subslice( - randomness, - ((core_ops_range_Range__size_t){ .start = chunk_number * (size_t)4U, - .end = chunk_number * (size_t)4U + - (size_t)4U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint32_t uu____1 = (uint32_t)Eurydice_slice_index( - byte_chunk, (size_t)0U, uint8_t, uint8_t); - uint32_t uu____2 = - uu____1 | - (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, uint8_t) - << 8U; - uint32_t uu____3 = - uu____2 | - (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, uint8_t) - << 16U; - uint32_t random_bits_as_u32 = - uu____3 | - (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t, uint8_t) - << 24U; - uint32_t even_bits = random_bits_as_u32 & 1431655765U; - uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U; - uint32_t coin_toss_outcomes = even_bits + odd_bits; - core_ops_range_Range__uint32_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__uint32_t){ - .start = 0U, .end = CORE_NUM__U32_8__BITS / 4U }), - core_ops_range_Range__uint32_t, - core_ops_range_Range__uint32_t); - while (true) { - core_option_Option__uint32_t uu____4 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, uint32_t, core_option_Option__uint32_t); - if (uu____4.tag == core_option_None) { - break; - } else { - uint32_t outcome_set = uu____4.f0; - uint32_t outcome_set0 = outcome_set * 4U; - int32_t outcome_1 = - (int32_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 3U); - int32_t outcome_2 = - (int32_t)(coin_toss_outcomes 
>> (uint32_t)(outcome_set0 + 2U) & 3U); - size_t offset = (size_t)(outcome_set0 >> 2U); - sampled[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; - } - } - } - } - memcpy(ret, sampled, (size_t)256U * sizeof(int32_t)); -} - -static void -sample_from_binomial_distribution_3(Eurydice_slice randomness, - int32_t ret[256U]) -{ - int32_t sampled[256U]; - memcpy(sampled, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(randomness, uint8_t, size_t) / - (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t chunk_number = uu____0.f0; - Eurydice_slice byte_chunk = Eurydice_slice_subslice( - randomness, - ((core_ops_range_Range__size_t){ .start = chunk_number * (size_t)3U, - .end = chunk_number * (size_t)3U + - (size_t)3U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint32_t uu____1 = (uint32_t)Eurydice_slice_index( - byte_chunk, (size_t)0U, uint8_t, uint8_t); - uint32_t uu____2 = - uu____1 | - (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, uint8_t) - << 8U; - uint32_t random_bits_as_u24 = - uu____2 | - (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, uint8_t) - << 16U; - uint32_t first_bits = random_bits_as_u24 & 2396745U; - uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U; - uint32_t third_bits = random_bits_as_u24 >> 2U & 2396745U; - uint32_t coin_toss_outcomes = first_bits + second_bits + third_bits; - core_ops_range_Range__int32_t iter = - 
core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__int32_t){ .start = (int32_t)0, - .end = (int32_t)24 / (int32_t)6 }), - core_ops_range_Range__int32_t, - core_ops_range_Range__int32_t); - while (true) { - core_option_Option__int32_t uu____3 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, int32_t, core_option_Option__int32_t); - if (uu____3.tag == core_option_None) { - break; - } else { - int32_t outcome_set = uu____3.f0; - int32_t outcome_set0 = outcome_set * (int32_t)6; - int32_t outcome_1 = - (int32_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 7U); - int32_t outcome_2 = - (int32_t)(coin_toss_outcomes >> - (uint32_t)(outcome_set0 + (int32_t)3) & - 7U); - size_t offset = (size_t)(outcome_set0 / (int32_t)6); - sampled[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; - } - } - } - } - memcpy(ret, sampled, (size_t)256U * sizeof(int32_t)); -} - -static const int32_t ZETAS_TIMES_MONTGOMERY_R[128U] = { - (int32_t)-1044, (int32_t)-758, (int32_t)-359, (int32_t)-1517, - (int32_t)1493, (int32_t)1422, (int32_t)287, (int32_t)202, - (int32_t)-171, (int32_t)622, (int32_t)1577, (int32_t)182, - (int32_t)962, (int32_t)-1202, (int32_t)-1474, (int32_t)1468, - (int32_t)573, (int32_t)-1325, (int32_t)264, (int32_t)383, - (int32_t)-829, (int32_t)1458, (int32_t)-1602, (int32_t)-130, - (int32_t)-681, (int32_t)1017, (int32_t)732, (int32_t)608, - (int32_t)-1542, (int32_t)411, (int32_t)-205, (int32_t)-1571, - (int32_t)1223, (int32_t)652, (int32_t)-552, (int32_t)1015, - (int32_t)-1293, (int32_t)1491, (int32_t)-282, (int32_t)-1544, - (int32_t)516, (int32_t)-8, (int32_t)-320, (int32_t)-666, - (int32_t)-1618, (int32_t)-1162, (int32_t)126, (int32_t)1469, - (int32_t)-853, (int32_t)-90, (int32_t)-271, (int32_t)830, - (int32_t)107, (int32_t)-1421, (int32_t)-247, (int32_t)-951, - (int32_t)-398, (int32_t)961, (int32_t)-1508, (int32_t)-725, - (int32_t)448, 
(int32_t)-1065, (int32_t)677, (int32_t)-1275, - (int32_t)-1103, (int32_t)430, (int32_t)555, (int32_t)843, - (int32_t)-1251, (int32_t)871, (int32_t)1550, (int32_t)105, - (int32_t)422, (int32_t)587, (int32_t)177, (int32_t)-235, - (int32_t)-291, (int32_t)-460, (int32_t)1574, (int32_t)1653, - (int32_t)-246, (int32_t)778, (int32_t)1159, (int32_t)-147, - (int32_t)-777, (int32_t)1483, (int32_t)-602, (int32_t)1119, - (int32_t)-1590, (int32_t)644, (int32_t)-872, (int32_t)349, - (int32_t)418, (int32_t)329, (int32_t)-156, (int32_t)-75, - (int32_t)817, (int32_t)1097, (int32_t)603, (int32_t)610, - (int32_t)1322, (int32_t)-1285, (int32_t)-1465, (int32_t)384, - (int32_t)-1215, (int32_t)-136, (int32_t)1218, (int32_t)-1335, - (int32_t)-874, (int32_t)220, (int32_t)-1187, (int32_t)-1659, - (int32_t)-1185, (int32_t)-1530, (int32_t)-1278, (int32_t)794, - (int32_t)-1510, (int32_t)-854, (int32_t)-870, (int32_t)478, - (int32_t)-108, (int32_t)-308, (int32_t)996, (int32_t)991, - (int32_t)958, (int32_t)-1460, (int32_t)1522, (int32_t)1628 -}; - -static void -ntt_at_layer(size_t* zeta_i, int32_t re[256U], size_t layer, int32_t ret[256U]) -{ - size_t step = (size_t)1U << (uint32_t)layer; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)128U >> (uint32_t)layer }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t round = uu____0.f0; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - size_t offset = round * step * (size_t)2U; - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - 
((core_ops_range_Range__size_t){ .start = offset, - .end = offset + step }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t j = uu____1.f0; - int32_t t = montgomery_multiply_fe_by_fer( - re[j + step], ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re[j + step] = re[j] - t; - re[j] = re[j] + t; - } - } - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -ntt_at_layer_3(size_t* zeta_i, - int32_t re[256U], - size_t layer, - int32_t ret[256U]) -{ - int32_t ret0[256U]; - ntt_at_layer(zeta_i, re, layer, ret0); - memcpy(ret, ret0, (size_t)256U * sizeof(int32_t)); -} - -static void -ntt_binomially_sampled_ring_element(int32_t re[256U], int32_t ret[256U]) -{ - size_t zeta_i = (size_t)1U; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)128U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t j = uu____0.f0; - int32_t t = re[j + (size_t)128U] * (int32_t)-1600; - re[j + (size_t)128U] = re[j] - t; - re[j] = re[j] + t; - } - } - ntt_at_layer_3(&zeta_i, re, (size_t)6U, re); - ntt_at_layer_3(&zeta_i, re, (size_t)5U, re); - ntt_at_layer_3(&zeta_i, re, (size_t)4U, re); - ntt_at_layer_3(&zeta_i, re, (size_t)3U, re); - ntt_at_layer_3(&zeta_i, re, (size_t)2U, re); - ntt_at_layer_3(&zeta_i, re, (size_t)1U, re); - core_ops_range_Range__size_t iter0 = 
- core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = COEFFICIENTS_IN_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t i = uu____1.f0; - int32_t uu____2 = barrett_reduce(re[i]); - re[i] = uu____2; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -typedef struct __int32_t_int32_t_s -{ - int32_t fst; - int32_t snd; -} __int32_t_int32_t; - -static __int32_t_int32_t -ntt_multiply_binomials(__int32_t_int32_t _, __int32_t_int32_t _0, int32_t zeta) -{ - int32_t a0 = _.fst; - int32_t a1 = _.snd; - int32_t b0 = _0.fst; - int32_t b1 = _0.snd; - int32_t uu____0 = a0 * b0; - int32_t uu____1 = - montgomery_reduce(uu____0 + montgomery_reduce(a1 * b1) * zeta); - return ((__int32_t_int32_t){ .fst = uu____1, - .snd = montgomery_reduce(a0 * b1 + a1 * b0) }); -} - -static void -ntt_multiply(int32_t (*lhs)[256U], int32_t (*rhs)[256U], int32_t ret[256U]) -{ - int32_t out[256U]; - memcpy(out, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = COEFFICIENTS_IN_RING_ELEMENT / - (size_t)4U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - __int32_t_int32_t lit0; - lit0.fst = lhs[0U][(size_t)4U * 
i]; - lit0.snd = lhs[0U][(size_t)4U * i + (size_t)1U]; - __int32_t_int32_t lit1; - lit1.fst = rhs[0U][(size_t)4U * i]; - lit1.snd = rhs[0U][(size_t)4U * i + (size_t)1U]; - __int32_t_int32_t product = ntt_multiply_binomials( - lit0, lit1, ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + i]); - out[(size_t)4U * i] = product.fst; - out[(size_t)4U * i + (size_t)1U] = product.snd; - __int32_t_int32_t lit2; - lit2.fst = lhs[0U][(size_t)4U * i + (size_t)2U]; - lit2.snd = lhs[0U][(size_t)4U * i + (size_t)3U]; - __int32_t_int32_t lit; - lit.fst = rhs[0U][(size_t)4U * i + (size_t)2U]; - lit.snd = rhs[0U][(size_t)4U * i + (size_t)3U]; - __int32_t_int32_t product0 = ntt_multiply_binomials( - lit2, lit, -ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + i]); - out[(size_t)4U * i + (size_t)2U] = product0.fst; - out[(size_t)4U * i + (size_t)3U] = product0.snd; - } - } - memcpy(ret, out, (size_t)256U * sizeof(int32_t)); -} - -typedef struct __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_s -{ - uint8_t fst; - uint8_t snd; - uint8_t thd; - uint8_t f3; - uint8_t f4; -} __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t; - -static __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t -compress_coefficients_10(int32_t coefficient1, - int32_t coefficient2, - int32_t coefficient3, - int32_t coefficient4) -{ - uint8_t coef1 = (uint8_t)(coefficient1 & (int32_t)255); - uint8_t coef2 = (uint32_t)(uint8_t)(coefficient2 & (int32_t)63) << 2U | - (uint32_t)(uint8_t)(coefficient1 >> 8U & (int32_t)3); - uint8_t coef3 = (uint32_t)(uint8_t)(coefficient3 & (int32_t)15) << 4U | - (uint32_t)(uint8_t)(coefficient2 >> 6U & (int32_t)15); - uint8_t coef4 = (uint32_t)(uint8_t)(coefficient4 & (int32_t)3) << 6U | - (uint32_t)(uint8_t)(coefficient3 >> 4U & (int32_t)63); - uint8_t coef5 = (uint8_t)(coefficient4 >> 2U & (int32_t)255); - return ((__uint8_t_uint8_t_uint8_t_uint8_t_uint8_t){ - .fst = coef1, .snd = coef2, .thd = coef3, .f3 = coef4, .f4 = coef5 }); -} - -typedef struct - 
__uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_s -{ - uint8_t fst; - uint8_t snd; - uint8_t thd; - uint8_t f3; - uint8_t f4; - uint8_t f5; - uint8_t f6; - uint8_t f7; - uint8_t f8; - uint8_t f9; - uint8_t f10; -} __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t; - -static __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t -compress_coefficients_11(int32_t coefficient1, - int32_t coefficient2, - int32_t coefficient3, - int32_t coefficient4, - int32_t coefficient5, - int32_t coefficient6, - int32_t coefficient7, - int32_t coefficient8) -{ - uint8_t coef1 = (uint8_t)coefficient1; - uint8_t coef2 = (uint32_t)(uint8_t)(coefficient2 & (int32_t)31) << 3U | - (uint32_t)(uint8_t)(coefficient1 >> 8U); - uint8_t coef3 = (uint32_t)(uint8_t)(coefficient3 & (int32_t)3) << 6U | - (uint32_t)(uint8_t)(coefficient2 >> 5U); - uint8_t coef4 = (uint8_t)(coefficient3 >> 2U & (int32_t)255); - uint8_t coef5 = (uint32_t)(uint8_t)(coefficient4 & (int32_t)127) << 1U | - (uint32_t)(uint8_t)(coefficient3 >> 10U); - uint8_t coef6 = (uint32_t)(uint8_t)(coefficient5 & (int32_t)15) << 4U | - (uint32_t)(uint8_t)(coefficient4 >> 7U); - uint8_t coef7 = (uint32_t)(uint8_t)(coefficient6 & (int32_t)1) << 7U | - (uint32_t)(uint8_t)(coefficient5 >> 4U); - uint8_t coef8 = (uint8_t)(coefficient6 >> 1U & (int32_t)255); - uint8_t coef9 = (uint32_t)(uint8_t)(coefficient7 & (int32_t)63) << 2U | - (uint32_t)(uint8_t)(coefficient6 >> 9U); - uint8_t coef10 = (uint32_t)(uint8_t)(coefficient8 & (int32_t)7) << 5U | - (uint32_t)(uint8_t)(coefficient7 >> 6U); - uint8_t coef11 = (uint8_t)(coefficient8 >> 3U); - return (( - __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t){ - .fst = coef1, - .snd = coef2, - .thd = coef3, - .f3 = coef4, - .f4 = coef5, - .f5 = coef6, - .f6 = coef7, - .f7 = coef8, - .f8 = coef9, - .f9 = coef10, - .f10 = coef11 }); -} - -static 
void -invert_ntt_at_layer(size_t* zeta_i, - int32_t re[256U], - size_t layer, - int32_t ret[256U]) -{ - size_t step = (size_t)1U << (uint32_t)layer; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)128U >> (uint32_t)layer }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t round = uu____0.f0; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - size_t offset = round * step * (size_t)2U; - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = offset, - .end = offset + step }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t j = uu____1.f0; - int32_t a_minus_b = re[j + step] - re[j]; - re[j] = re[j] + re[j + step]; - int32_t uu____2 = - montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re[j + step] = uu____2; - } - } - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -deserialize_then_decompress_message(uint8_t serialized[32U], int32_t ret[256U]) -{ - int32_t re[256U]; - memcpy(re, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)32U, serialized, uint8_t, Eurydice_slice), - 
uint8_t, - size_t); - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - uint8_t byte = serialized[i]; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)8U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t j = uu____1.f0; - int32_t coefficient_compressed = - (int32_t)((uint32_t)byte >> (uint32_t)j & 1U); - int32_t uu____2 = - decompress_message_coefficient(coefficient_compressed); - re[(size_t)8U * i + j] = uu____2; - } - } - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t -compress_coefficients_5(uint8_t coefficient2, - uint8_t coefficient1, - uint8_t coefficient4, - uint8_t coefficient3, - uint8_t coefficient5, - uint8_t coefficient7, - uint8_t coefficient6, - uint8_t coefficient8) -{ - uint8_t coef1 = ((uint32_t)coefficient2 & 7U) << 5U | (uint32_t)coefficient1; - uint8_t coef2 = - (((uint32_t)coefficient4 & 1U) << 7U | (uint32_t)coefficient3 << 2U) | - (uint32_t)coefficient2 >> 3U; - uint8_t coef3 = - ((uint32_t)coefficient5 & 15U) << 4U | (uint32_t)coefficient4 >> 1U; - uint8_t coef4 = - (((uint32_t)coefficient7 & 3U) << 6U | 
(uint32_t)coefficient6 << 1U) | - (uint32_t)coefficient5 >> 4U; - uint8_t coef5 = (uint32_t)coefficient8 << 3U | (uint32_t)coefficient7 >> 2U; - return ((__uint8_t_uint8_t_uint8_t_uint8_t_uint8_t){ - .fst = coef1, .snd = coef2, .thd = coef3, .f3 = coef4, .f4 = coef5 }); -} - -typedef struct __int32_t_int32_t_int32_t_int32_t_s -{ - int32_t fst; - int32_t snd; - int32_t thd; - int32_t f3; -} __int32_t_int32_t_int32_t_int32_t; - -static __int32_t_int32_t_int32_t_int32_t -decompress_coefficients_10(int32_t byte2, - int32_t byte1, - int32_t byte3, - int32_t byte4, - int32_t byte5) -{ - int32_t coefficient1 = (byte2 & (int32_t)3) << 8U | (byte1 & (int32_t)255); - int32_t coefficient2 = (byte3 & (int32_t)15) << 6U | byte2 >> 2U; - int32_t coefficient3 = (byte4 & (int32_t)63) << 4U | byte3 >> 4U; - int32_t coefficient4 = byte5 << 2U | byte4 >> 6U; - return ((__int32_t_int32_t_int32_t_int32_t){ .fst = coefficient1, - .snd = coefficient2, - .thd = coefficient3, - .f3 = coefficient4 }); -} - -static void -deserialize_then_decompress_10(Eurydice_slice serialized, int32_t ret[256U]) -{ - int32_t re[256U]; - memcpy(re, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(serialized, uint8_t, size_t) / - (size_t)5U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - ((core_ops_range_Range__size_t){ .start = i * (size_t)5U, - .end = i * (size_t)5U + (size_t)5U }), - uint8_t, - core_ops_range_Range__size_t, - 
Eurydice_slice); - int32_t byte1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); - int32_t byte2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); - int32_t byte3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); - int32_t byte4 = - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t); - int32_t byte5 = - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t); - __int32_t_int32_t_int32_t_int32_t uu____1 = - decompress_coefficients_10(byte2, byte1, byte3, byte4, byte5); - int32_t coefficient1 = uu____1.fst; - int32_t coefficient2 = uu____1.snd; - int32_t coefficient3 = uu____1.thd; - int32_t coefficient4 = uu____1.f3; - int32_t uu____2 = decompress_ciphertext_coefficient(10U, coefficient1); - re[(size_t)4U * i] = uu____2; - int32_t uu____3 = decompress_ciphertext_coefficient(10U, coefficient2); - re[(size_t)4U * i + (size_t)1U] = uu____3; - int32_t uu____4 = decompress_ciphertext_coefficient(10U, coefficient3); - re[(size_t)4U * i + (size_t)2U] = uu____4; - int32_t uu____5 = decompress_ciphertext_coefficient(10U, coefficient4); - re[(size_t)4U * i + (size_t)3U] = uu____5; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -typedef struct - __int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_s -{ - int32_t fst; - int32_t snd; - int32_t thd; - int32_t f3; - int32_t f4; - int32_t f5; - int32_t f6; - int32_t f7; -} __int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t; - -static __int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t -decompress_coefficients_11(int32_t byte2, - int32_t byte1, - int32_t byte3, - int32_t byte5, - int32_t byte4, - int32_t byte6, - int32_t byte7, - int32_t byte9, - int32_t byte8, - int32_t byte10, - int32_t byte11) -{ - int32_t coefficient1 = (byte2 & (int32_t)7) << 8U | byte1; - int32_t coefficient2 = (byte3 & (int32_t)63) << 5U | byte2 >> 3U; - int32_t coefficient3 = - ((byte5 & (int32_t)1) << 10U 
| byte4 << 2U) | byte3 >> 6U; - int32_t coefficient4 = (byte6 & (int32_t)15) << 7U | byte5 >> 1U; - int32_t coefficient5 = (byte7 & (int32_t)127) << 4U | byte6 >> 4U; - int32_t coefficient6 = - ((byte9 & (int32_t)3) << 9U | byte8 << 1U) | byte7 >> 7U; - int32_t coefficient7 = (byte10 & (int32_t)31) << 6U | byte9 >> 2U; - int32_t coefficient8 = byte11 << 3U | byte10 >> 5U; - return ((__int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t){ - .fst = coefficient1, - .snd = coefficient2, - .thd = coefficient3, - .f3 = coefficient4, - .f4 = coefficient5, - .f5 = coefficient6, - .f6 = coefficient7, - .f7 = coefficient8 }); -} - -static void -deserialize_then_decompress_11(Eurydice_slice serialized, int32_t ret[256U]) -{ - int32_t re[256U]; - memcpy(re, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(serialized, uint8_t, size_t) / - (size_t)11U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - ((core_ops_range_Range__size_t){ - .start = i * (size_t)11U, .end = i * (size_t)11U + (size_t)11U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t byte1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); - int32_t byte2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); - int32_t byte3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); - int32_t byte4 = - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, 
uint8_t, uint8_t); - int32_t byte5 = - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t); - int32_t byte6 = - (int32_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t); - int32_t byte7 = - (int32_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t); - int32_t byte8 = - (int32_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t); - int32_t byte9 = - (int32_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t); - int32_t byte10 = - (int32_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t); - int32_t byte11 = - (int32_t)Eurydice_slice_index(bytes, (size_t)10U, uint8_t, uint8_t); - __int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t - uu____1 = decompress_coefficients_11(byte2, - byte1, - byte3, - byte5, - byte4, - byte6, - byte7, - byte9, - byte8, - byte10, - byte11); - int32_t coefficient1 = uu____1.fst; - int32_t coefficient2 = uu____1.snd; - int32_t coefficient3 = uu____1.thd; - int32_t coefficient4 = uu____1.f3; - int32_t coefficient5 = uu____1.f4; - int32_t coefficient6 = uu____1.f5; - int32_t coefficient7 = uu____1.f6; - int32_t coefficient8 = uu____1.f7; - int32_t uu____2 = decompress_ciphertext_coefficient(11U, coefficient1); - re[(size_t)8U * i] = uu____2; - int32_t uu____3 = decompress_ciphertext_coefficient(11U, coefficient2); - re[(size_t)8U * i + (size_t)1U] = uu____3; - int32_t uu____4 = decompress_ciphertext_coefficient(11U, coefficient3); - re[(size_t)8U * i + (size_t)2U] = uu____4; - int32_t uu____5 = decompress_ciphertext_coefficient(11U, coefficient4); - re[(size_t)8U * i + (size_t)3U] = uu____5; - int32_t uu____6 = decompress_ciphertext_coefficient(11U, coefficient5); - re[(size_t)8U * i + (size_t)4U] = uu____6; - int32_t uu____7 = decompress_ciphertext_coefficient(11U, coefficient6); - re[(size_t)8U * i + (size_t)5U] = uu____7; - int32_t uu____8 = decompress_ciphertext_coefficient(11U, coefficient7); - re[(size_t)8U * i + (size_t)6U] = uu____8; - int32_t uu____9 = 
decompress_ciphertext_coefficient(11U, coefficient8); - re[(size_t)8U * i + (size_t)7U] = uu____9; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -ntt_at_layer_3328(size_t* zeta_i, - int32_t re[256U], - size_t layer, - int32_t ret[256U]) -{ - int32_t ret0[256U]; - ntt_at_layer(zeta_i, re, layer, ret0); - memcpy(ret, ret0, (size_t)256U * sizeof(int32_t)); -} - -static __int32_t_int32_t -decompress_coefficients_4(uint8_t* byte) -{ - int32_t coefficient1 = (int32_t)Eurydice_bitand_pv_u8(byte, 15U); - int32_t coefficient2 = - (int32_t)((uint32_t)Eurydice_shr_pv_u8(byte, (int32_t)4) & 15U); - return ((__int32_t_int32_t){ .fst = coefficient1, .snd = coefficient2 }); -} - -static void -deserialize_then_decompress_4(Eurydice_slice serialized, int32_t ret[256U]) -{ - int32_t re[256U]; - memcpy(re, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(serialized, uint8_t, size_t) }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - uint8_t* byte = &Eurydice_slice_index(serialized, i, uint8_t, uint8_t); - __int32_t_int32_t uu____1 = decompress_coefficients_4(byte); - int32_t coefficient1 = uu____1.fst; - int32_t coefficient2 = uu____1.snd; - int32_t uu____2 = decompress_ciphertext_coefficient(4U, coefficient1); - re[(size_t)2U * i] = uu____2; - int32_t uu____3 = decompress_ciphertext_coefficient(4U, coefficient2); - re[(size_t)2U * i + (size_t)1U] = uu____3; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static 
__int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t -decompress_coefficients_5(int32_t byte1, - int32_t byte2, - int32_t byte3, - int32_t byte4, - int32_t byte5) -{ - int32_t coefficient1 = byte1 & (int32_t)31; - int32_t coefficient2 = (byte2 & (int32_t)3) << 3U | byte1 >> 5U; - int32_t coefficient3 = byte2 >> 2U & (int32_t)31; - int32_t coefficient4 = (byte3 & (int32_t)15) << 1U | byte2 >> 7U; - int32_t coefficient5 = (byte4 & (int32_t)1) << 4U | byte3 >> 4U; - int32_t coefficient6 = byte4 >> 1U & (int32_t)31; - int32_t coefficient7 = (byte5 & (int32_t)7) << 2U | byte4 >> 6U; - int32_t coefficient8 = byte5 >> 3U; - return ((__int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t){ - .fst = coefficient1, - .snd = coefficient2, - .thd = coefficient3, - .f3 = coefficient4, - .f4 = coefficient5, - .f5 = coefficient6, - .f6 = coefficient7, - .f7 = coefficient8 }); -} - -static void -deserialize_then_decompress_5(Eurydice_slice serialized, int32_t ret[256U]) -{ - int32_t re[256U]; - memcpy(re, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(serialized, uint8_t, size_t) / - (size_t)5U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - ((core_ops_range_Range__size_t){ .start = i * (size_t)5U, - .end = i * (size_t)5U + (size_t)5U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t byte1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, 
uint8_t); - int32_t byte2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); - int32_t byte3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); - int32_t byte4 = - (int32_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t); - int32_t byte5 = - (int32_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t); - __int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t_int32_t - uu____1 = decompress_coefficients_5(byte1, byte2, byte3, byte4, byte5); - int32_t coefficient1 = uu____1.fst; - int32_t coefficient2 = uu____1.snd; - int32_t coefficient3 = uu____1.thd; - int32_t coefficient4 = uu____1.f3; - int32_t coefficient5 = uu____1.f4; - int32_t coefficient6 = uu____1.f5; - int32_t coefficient7 = uu____1.f6; - int32_t coefficient8 = uu____1.f7; - int32_t uu____2 = decompress_ciphertext_coefficient(5U, coefficient1); - re[(size_t)8U * i] = uu____2; - int32_t uu____3 = decompress_ciphertext_coefficient(5U, coefficient2); - re[(size_t)8U * i + (size_t)1U] = uu____3; - int32_t uu____4 = decompress_ciphertext_coefficient(5U, coefficient3); - re[(size_t)8U * i + (size_t)2U] = uu____4; - int32_t uu____5 = decompress_ciphertext_coefficient(5U, coefficient4); - re[(size_t)8U * i + (size_t)3U] = uu____5; - int32_t uu____6 = decompress_ciphertext_coefficient(5U, coefficient5); - re[(size_t)8U * i + (size_t)4U] = uu____6; - int32_t uu____7 = decompress_ciphertext_coefficient(5U, coefficient6); - re[(size_t)8U * i + (size_t)5U] = uu____7; - int32_t uu____8 = decompress_ciphertext_coefficient(5U, coefficient7); - re[(size_t)8U * i + (size_t)6U] = uu____8; - int32_t uu____9 = decompress_ciphertext_coefficient(5U, coefficient8); - re[(size_t)8U * i + (size_t)7U] = uu____9; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -compress_then_serialize_message(int32_t re[256U], uint8_t ret[32U]) -{ - uint8_t serialized[32U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = - 
core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), - int32_t, - size_t) / - (size_t)8U; - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice coefficients = Eurydice_array_to_subslice( - (size_t)256U, - re, - ((core_ops_range_Range__size_t){ .start = i * (size_t)8U, - .end = i * (size_t)8U + (size_t)8U }), - int32_t, - core_ops_range_Range__size_t, - Eurydice_slice); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(coefficients, int32_t, size_t) }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t j = uu____1.f0; - int32_t* coefficient = - &Eurydice_slice_index(coefficients, j, int32_t, int32_t); - uint16_t coefficient0 = to_unsigned_representative(coefficient[0U]); - uint8_t coefficient_compressed = - compress_message_coefficient(coefficient0); - size_t uu____2 = i; - serialized[uu____2] = (uint32_t)serialized[uu____2] | - (uint32_t)coefficient_compressed << (uint32_t)j; - } - } - } - } - uint8_t uu____3[32U]; - memcpy(uu____3, serialized, (size_t)32U * sizeof(uint8_t)); - memcpy(ret, uu____3, (size_t)32U * sizeof(uint8_t)); 
-} - -static void -deserialize_to_reduced_ring_element(Eurydice_slice ring_element, - int32_t ret[256U]) -{ - int32_t re[256U]; - memcpy(re, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(ring_element, uint8_t, size_t) / - (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice bytes = Eurydice_slice_subslice( - ring_element, - ((core_ops_range_Range__size_t){ .start = i * (size_t)3U, - .end = i * (size_t)3U + (size_t)3U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t byte1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); - int32_t byte2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); - int32_t byte3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); - re[(size_t)2U * i] = (byte2 & (int32_t)15) << 8U | (byte1 & (int32_t)255); - int32_t tmp = re[(size_t)2U * i] % (int32_t)3329; - re[(size_t)2U * i] = tmp; - re[(size_t)2U * i + (size_t)1U] = - byte3 << 4U | (byte2 >> 4U & (int32_t)15); - int32_t tmp0 = re[(size_t)2U * i + (size_t)1U] % (int32_t)3329; - re[(size_t)2U * i + (size_t)1U] = tmp0; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -deserialize_ring_elements_reduced___1184size_t_3size_t( - Eurydice_slice public_key, - int32_t ret[3U][256U]) -{ - int32_t deserialized_pk[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(deserialized_pk[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - 
core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(public_key, uint8_t, size_t) / - BYTES_PER_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice ring_element = Eurydice_slice_subslice( - public_key, - ((core_ops_range_Range__size_t){ .start = i * BYTES_PER_RING_ELEMENT, - .end = i * BYTES_PER_RING_ELEMENT + - BYTES_PER_RING_ELEMENT }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t uu____1[256U]; - deserialize_to_reduced_ring_element(ring_element, uu____1); - memcpy(deserialized_pk[i], uu____1, (size_t)256U * sizeof(int32_t)); - } - } - int32_t uu____2[3U][256U]; - memcpy(uu____2, deserialized_pk, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____2, (size_t)3U * sizeof(int32_t[256U])); -} - -static void -serialize_secret_key___3size_t_1152size_t(int32_t key[3U][256U], - uint8_t ret[1152U]) -{ - uint8_t out[1152U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)3U, key, int32_t[256U], Eurydice_slice), - int32_t[256U], - size_t); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == 
core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t re[256U]; - memcpy(re, key[i], (size_t)256U * sizeof(int32_t)); - Eurydice_slice uu____1 = Eurydice_array_to_subslice( - (size_t)1152U, - out, - ((core_ops_range_Range__size_t){ .start = i * BYTES_PER_RING_ELEMENT, - .end = (i + (size_t)1U) * - BYTES_PER_RING_ELEMENT }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint8_t ret0[384U]; - serialize_uncompressed_ring_element(re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____1, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, - void*); - } - } - uint8_t uu____2[1152U]; - memcpy(uu____2, out, (size_t)1152U * sizeof(uint8_t)); - memcpy(ret, uu____2, (size_t)1152U * sizeof(uint8_t)); -} - -static void -serialize_public_key___3size_t_1152size_t_1184size_t(int32_t t_as_ntt[3U][256U], - Eurydice_slice seed_for_a, - uint8_t ret[1184U]) -{ - uint8_t public_key_serialized[1184U] = { 0U }; - Eurydice_slice uu____0 = - Eurydice_array_to_subslice((size_t)1184U, - public_key_serialized, - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)1152U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t uu____1[3U][256U]; - memcpy(uu____1, t_as_ntt, (size_t)3U * sizeof(int32_t[256U])); - uint8_t ret0[1152U]; - serialize_secret_key___3size_t_1152size_t(uu____1, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t, Eurydice_slice), - uint8_t, - void*); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from((size_t)1184U, - public_key_serialized, - (size_t)1152U, - uint8_t, - size_t, - Eurydice_slice), - seed_for_a, - uint8_t, - void*); - uint8_t uu____2[1184U]; - memcpy(uu____2, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); - memcpy(ret, uu____2, (size_t)1184U * sizeof(uint8_t)); -} - -static bool -validate_public_key___3size_t_1152size_t_1184size_t(uint8_t* public_key) 
-{ - int32_t deserialized_pk[3U][256U]; - deserialize_ring_elements_reduced___1184size_t_3size_t( - Eurydice_array_to_subslice_to((size_t)1184U, - public_key, - (size_t)1152U, - uint8_t, - size_t, - Eurydice_slice), - deserialized_pk); - int32_t uu____0[3U][256U]; - memcpy(uu____0, deserialized_pk, (size_t)3U * sizeof(int32_t[256U])); - uint8_t public_key_serialized[1184U]; - serialize_public_key___3size_t_1152size_t_1184size_t( - uu____0, - Eurydice_array_to_subslice_from((size_t)1184U, - public_key, - (size_t)1152U, - uint8_t, - size_t, - Eurydice_slice), - public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( - (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); -} - -core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ -libcrux_kyber_kyber768_validate_public_key(uint8_t public_key[1184U]) -{ - core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ uu____0; - if (validate_public_key___3size_t_1152size_t_1184size_t(public_key)) { - core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ lit; - lit.tag = core_option_Some; - memcpy(lit.f0, public_key, (size_t)1184U * sizeof(uint8_t)); - uu____0 = lit; - } else { - uu____0 = - ((core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__){ - .tag = core_option_None }); - } - return uu____0; -} - -static libcrux_digest_incremental_x4_Shake128StateX4 -absorb___3size_t(uint8_t input[3U][34U]) -{ - libcrux_digest_incremental_x4_Shake128StateX4 state = - libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__new(); - Eurydice_slice data[3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uint8_t buf[1U] = { 0U }; - data[i] = Eurydice_array_to_slice((size_t)1U, buf, uint8_t, Eurydice_slice); - } - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ 
.start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)34U, input[i], uint8_t, Eurydice_slice); - data[i] = uu____1; - } - } - libcrux_digest_incremental_x4_Shake128StateX4* uu____2 = &state; - Eurydice_slice uu____3[3U]; - memcpy(uu____3, data, (size_t)3U * sizeof(Eurydice_slice)); - libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final( - (size_t)3U, uu____2, uu____3, void*); - return state; -} - -static void -squeeze_three_blocks___3size_t( - libcrux_digest_incremental_x4_Shake128StateX4* xof_state, - uint8_t ret[3U][504U]) -{ - uint8_t output[3U][504U]; - libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks( - (size_t)504U, (size_t)3U, xof_state, output, void*); - uint8_t out[3U][504U] = { { 0U } }; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - uint8_t uu____1[504U]; - memcpy(uu____1, output[i], (size_t)504U * sizeof(uint8_t)); - memcpy(out[i], uu____1, (size_t)504U * sizeof(uint8_t)); - } - } - uint8_t uu____2[3U][504U]; - memcpy(uu____2, out, (size_t)3U * 
sizeof(uint8_t[504U])); - memcpy(ret, uu____2, (size_t)3U * sizeof(uint8_t[504U])); -} - -static bool -sample_from_uniform_distribution_next___3size_t_504size_t( - uint8_t randomness[3U][504U], - size_t* sampled_coefficients, - int32_t (*out)[256U]) -{ - bool done = true; - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - core_slice___Slice_T___chunks( - Eurydice_array_to_slice( - (size_t)504U, randomness[i], uint8_t, Eurydice_slice), - (size_t)3U, - uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, - core_slice_iter_Chunks); - while (true) { - core_option_Option__Eurydice_slice_uint8_t uu____1 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next( - &iter, uint8_t, core_option_Option__Eurydice_slice_uint8_t); - if (uu____1.tag == core_option_None) { - break; - } else { - Eurydice_slice bytes = uu____1.f0; - int32_t b1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); - int32_t b2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); - int32_t b3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); - int32_t d1 = (b2 & (int32_t)15) << 8U | b1; - int32_t d2 = b3 << 4U | b2 >> 4U; - bool uu____2; - if (d1 < FIELD_MODULUS) { - uu____2 = sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT; - } else { - uu____2 = false; 
- } - if (uu____2) { - out[i][sampled_coefficients[i]] = d1; - size_t uu____3 = i; - sampled_coefficients[uu____3] = - sampled_coefficients[uu____3] + (size_t)1U; - } - bool uu____4; - if (d2 < FIELD_MODULUS) { - uu____4 = sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT; - } else { - uu____4 = false; - } - if (uu____4) { - out[i][sampled_coefficients[i]] = d2; - size_t uu____5 = i; - sampled_coefficients[uu____5] = - sampled_coefficients[uu____5] + (size_t)1U; - } - } - } - if (sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT) { - done = false; - } - } - } - return done; -} - -static void -squeeze_block___3size_t( - libcrux_digest_incremental_x4_Shake128StateX4* xof_state, - uint8_t ret[3U][168U]) -{ - uint8_t output[3U][168U]; - libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks( - (size_t)168U, (size_t)3U, xof_state, output, void*); - uint8_t out[3U][168U] = { { 0U } }; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - uint8_t uu____1[168U]; - memcpy(uu____1, output[i], (size_t)168U * sizeof(uint8_t)); - memcpy(out[i], uu____1, (size_t)168U * sizeof(uint8_t)); - } - } - uint8_t uu____2[3U][168U]; - memcpy(uu____2, out, (size_t)3U * sizeof(uint8_t[168U])); - memcpy(ret, uu____2, (size_t)3U * sizeof(uint8_t[168U])); -} - -static bool -sample_from_uniform_distribution_next___3size_t_168size_t( - uint8_t randomness[3U][168U], - size_t* sampled_coefficients, - int32_t (*out)[256U]) -{ - bool done = true; - 
core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - core_slice___Slice_T___chunks( - Eurydice_array_to_slice( - (size_t)168U, randomness[i], uint8_t, Eurydice_slice), - (size_t)3U, - uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, - core_slice_iter_Chunks); - while (true) { - core_option_Option__Eurydice_slice_uint8_t uu____1 = - core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next( - &iter, uint8_t, core_option_Option__Eurydice_slice_uint8_t); - if (uu____1.tag == core_option_None) { - break; - } else { - Eurydice_slice bytes = uu____1.f0; - int32_t b1 = - (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); - int32_t b2 = - (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); - int32_t b3 = - (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); - int32_t d1 = (b2 & (int32_t)15) << 8U | b1; - int32_t d2 = b3 << 4U | b2 >> 4U; - bool uu____2; - if (d1 < FIELD_MODULUS) { - uu____2 = sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT; - } else { - uu____2 = false; - } - if (uu____2) { - out[i][sampled_coefficients[i]] = d1; - size_t uu____3 = i; - sampled_coefficients[uu____3] = - sampled_coefficients[uu____3] + (size_t)1U; - } - bool uu____4; - if (d2 < FIELD_MODULUS) { - uu____4 = sampled_coefficients[i] < 
COEFFICIENTS_IN_RING_ELEMENT; - } else { - uu____4 = false; - } - if (uu____4) { - out[i][sampled_coefficients[i]] = d2; - size_t uu____5 = i; - sampled_coefficients[uu____5] = - sampled_coefficients[uu____5] + (size_t)1U; - } - } - } - if (sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT) { - done = false; - } - } - } - return done; -} - -static void -sample_from_xof___3size_t(uint8_t seeds[3U][34U], int32_t ret[3U][256U]) -{ - size_t sampled_coefficients[3U] = { 0U }; - int32_t out[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(out[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - uint8_t uu____0[3U][34U]; - memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); - libcrux_digest_incremental_x4_Shake128StateX4 xof_state = - absorb___3size_t(uu____0); - uint8_t randomness0[3U][504U]; - squeeze_three_blocks___3size_t(&xof_state, randomness0); - uint8_t uu____1[3U][504U]; - memcpy(uu____1, randomness0, (size_t)3U * sizeof(uint8_t[504U])); - bool done = sample_from_uniform_distribution_next___3size_t_504size_t( - uu____1, sampled_coefficients, out); - while (true) { - if (!!done) { - break; - } - uint8_t randomness[3U][168U]; - squeeze_block___3size_t(&xof_state, randomness); - uint8_t uu____2[3U][168U]; - memcpy(uu____2, randomness, (size_t)3U * sizeof(uint8_t[168U])); - done = sample_from_uniform_distribution_next___3size_t_168size_t( - uu____2, sampled_coefficients, out); - } - free_state(xof_state); - int32_t uu____3[3U][256U]; - memcpy(uu____3, out, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____3, (size_t)3U * sizeof(int32_t[256U])); -} - -static void -sample_matrix_A___3size_t(uint8_t seed[34U], - bool transpose, - int32_t ret[3U][3U][256U]) -{ - int32_t A_transpose[3U][3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(A_transpose[i][0U], ZERO, (size_t)256U * sizeof(int32_t)); - memcpy(A_transpose[i][1U], ZERO, (size_t)256U * sizeof(int32_t)); - memcpy(A_transpose[i][2U], ZERO, (size_t)256U * 
sizeof(int32_t)); - } - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i0 = uu____0.f0; - uint8_t uu____1[34U]; - memcpy(uu____1, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t seeds[3U][34U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(seeds[i], uu____1, (size_t)34U * sizeof(uint8_t)); - } - core_ops_range_Range__size_t iter1 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____2 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter1, size_t, core_option_Option__size_t); - if (uu____2.tag == core_option_None) { - break; - } else { - size_t j = uu____2.f0; - seeds[j][32U] = (uint8_t)i0; - seeds[j][33U] = (uint8_t)j; - } - } - uint8_t uu____3[3U][34U]; - memcpy(uu____3, seeds, (size_t)3U * sizeof(uint8_t[34U])); - int32_t sampled[3U][256U]; - sample_from_xof___3size_t(uu____3, sampled); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____4 = - 
core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____4.tag == core_option_None) { - break; - } else { - size_t j = uu____4.f0; - if (transpose) { - memcpy( - A_transpose[j][i0], sampled[j], (size_t)256U * sizeof(int32_t)); - } else { - memcpy( - A_transpose[i0][j], sampled[j], (size_t)256U * sizeof(int32_t)); - } - } - } - } - } - int32_t uu____5[3U][3U][256U]; - memcpy(uu____5, A_transpose, (size_t)3U * sizeof(int32_t[3U][256U])); - memcpy(ret, uu____5, (size_t)3U * sizeof(int32_t[3U][256U])); -} - -static void -into_padded_array___34size_t(Eurydice_slice slice, uint8_t ret[34U]) -{ - uint8_t out[34U] = { 0U }; - uint8_t* uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)34U, - uu____0, - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(slice, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - slice, - uint8_t, - void*); - uint8_t uu____1[34U]; - memcpy(uu____1, out, (size_t)34U * sizeof(uint8_t)); - memcpy(ret, uu____1, (size_t)34U * sizeof(uint8_t)); -} - -static void -into_padded_array___33size_t(Eurydice_slice slice, uint8_t ret[33U]) -{ - uint8_t out[33U] = { 0U }; - uint8_t* uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)33U, - uu____0, - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(slice, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - slice, - uint8_t, - void*); - uint8_t uu____1[33U]; - memcpy(uu____1, out, (size_t)33U * sizeof(uint8_t)); - memcpy(ret, uu____1, (size_t)33U * sizeof(uint8_t)); -} - -static void -PRF___128size_t(Eurydice_slice input, uint8_t ret[128U]) -{ - uint8_t ret0[128U]; - libcrux_digest_shake256((size_t)128U, input, ret0, void*); - memcpy(ret, ret0, (size_t)128U * 
sizeof(uint8_t)); -} - -static void -sample_from_binomial_distribution___2size_t(Eurydice_slice randomness, - int32_t ret[256U]) -{ - int32_t uu____0[256U]; - sample_from_binomial_distribution_2(randomness, uu____0); - memcpy(ret, uu____0, (size_t)256U * sizeof(int32_t)); -} - -typedef struct - __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t_s -{ - int32_t fst[3U][256U]; - uint8_t snd; -} __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t; - -static __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t -sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t(uint8_t prf_input[33U], - uint8_t domain_separator) -{ - int32_t re_as_ntt[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(re_as_ntt[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - prf_input[32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U; - uint8_t prf_output[128U]; - PRF___128size_t(Eurydice_array_to_slice( - (size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); - int32_t r[256U]; - sample_from_binomial_distribution___2size_t( - Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice), - r); - int32_t uu____1[256U]; - ntt_binomially_sampled_ring_element(r, uu____1); - memcpy(re_as_ntt[i], uu____1, (size_t)256U * sizeof(int32_t)); - } - } - int32_t uu____2[3U][256U]; - memcpy(uu____2, re_as_ntt, (size_t)3U * 
sizeof(int32_t[256U])); - __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t lit; - memcpy(lit.fst, uu____2, (size_t)3U * sizeof(int32_t[256U])); - lit.snd = domain_separator; - return lit; -} - -static void -add_to_ring_element___3size_t(int32_t lhs[256U], - int32_t (*rhs)[256U], - int32_t ret[256U]) -{ - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)256U, lhs, int32_t, Eurydice_slice), - int32_t, - size_t); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - size_t uu____1 = i; - lhs[uu____1] = lhs[uu____1] + rhs[0U][i]; - } - } - memcpy(ret, lhs, (size_t)256U * sizeof(int32_t)); -} - -static void -compute_As_plus_e___3size_t(int32_t (*matrix_A)[3U][256U], - int32_t (*s_as_ntt)[256U], - int32_t (*error_as_ntt)[256U], - int32_t ret[3U][256U]) -{ - int32_t result[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(result[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - core_ops_range_Range__size_t lit0; - lit0.start = (size_t)0U; - lit0.end = core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, matrix_A, Eurydice_error_t_cg_array, Eurydice_slice), - int32_t[3U][256U], - size_t); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit0, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - 
core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t(*row)[256U] = matrix_A[i]; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)3U, row, int32_t[256U], Eurydice_slice), - int32_t[256U], - size_t); - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t j = uu____1.f0; - int32_t(*matrix_element)[256U] = &row[j]; - int32_t product[256U]; - ntt_multiply(matrix_element, &s_as_ntt[j], product); - int32_t uu____2[256U]; - add_to_ring_element___3size_t(result[i], &product, uu____2); - memcpy(result[i], uu____2, (size_t)256U * sizeof(int32_t)); - } - } - core_ops_range_Range__size_t iter1 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = COEFFICIENTS_IN_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____3 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter1, size_t, core_option_Option__size_t); - if (uu____3.tag == core_option_None) { - break; - } else { - size_t j = uu____3.f0; - int32_t coefficient_normal_form = to_standard_domain(result[i][j]); - int32_t uu____4 = - barrett_reduce(coefficient_normal_form + error_as_ntt[i][j]); - result[i][j] = 
uu____4; - } - } - } - } - int32_t uu____5[3U][256U]; - memcpy(uu____5, result, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____5, (size_t)3U * sizeof(int32_t[256U])); -} - -typedef struct __uint8_t_1152size_t__uint8_t_1184size_t__s -{ - uint8_t fst[1152U]; - uint8_t snd[1184U]; -} __uint8_t_1152size_t__uint8_t_1184size_t_; - -static __uint8_t_1152size_t__uint8_t_1184size_t_ -generate_keypair___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( - Eurydice_slice key_generation_seed) -{ - uint8_t hashed[64U]; - G(key_generation_seed, hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, - uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice seed_for_secret_and_error = uu____0.snd; - int32_t A_transpose[3U][3U][256U]; - uint8_t ret[34U]; - into_padded_array___34size_t(seed_for_A, ret); - sample_matrix_A___3size_t(ret, true, A_transpose); - uint8_t prf_input[33U]; - into_padded_array___33size_t(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t uu____2 = - sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t(uu____1, 0U); - int32_t secret_as_ntt[3U][256U]; - memcpy(secret_as_ntt, uu____2.fst, (size_t)3U * sizeof(int32_t[256U])); - uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); - int32_t error_as_ntt[3U][256U]; - memcpy(error_as_ntt, - sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t( - uu____3, domain_separator) - .fst, - (size_t)3U * sizeof(int32_t[256U])); - int32_t t_as_ntt[3U][256U]; - compute_As_plus_e___3size_t( - A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); - int32_t uu____4[3U][256U]; - memcpy(uu____4, 
t_as_ntt, (size_t)3U * sizeof(int32_t[256U])); - uint8_t public_key_serialized[1184U]; - serialize_public_key___3size_t_1152size_t_1184size_t( - uu____4, seed_for_A, public_key_serialized); - int32_t uu____5[3U][256U]; - memcpy(uu____5, secret_as_ntt, (size_t)3U * sizeof(int32_t[256U])); - uint8_t secret_key_serialized[1152U]; - serialize_secret_key___3size_t_1152size_t(uu____5, secret_key_serialized); - uint8_t uu____6[1152U]; - memcpy(uu____6, secret_key_serialized, (size_t)1152U * sizeof(uint8_t)); - uint8_t uu____7[1184U]; - memcpy(uu____7, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); - __uint8_t_1152size_t__uint8_t_1184size_t_ lit; - memcpy(lit.fst, uu____6, (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, uu____7, (size_t)1184U * sizeof(uint8_t)); - return lit; -} - -static void -serialize_kem_secret_key___2400size_t(Eurydice_slice private_key, - Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, - uint8_t ret[2400U]) -{ - uint8_t out[2400U] = { 0U }; - size_t pointer = (size_t)0U; - uint8_t* uu____0 = out; - size_t uu____1 = pointer; - size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)2400U, - uu____0, - ((core_ops_range_Range__size_t){ - .start = uu____1, - .end = - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - private_key, - uint8_t, - void*); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); - uint8_t* uu____3 = out; - size_t uu____4 = pointer; - size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)2400U, - uu____3, - ((core_ops_range_Range__size_t){ - .start = uu____4, - .end = - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - public_key, - uint8_t, - void*); - pointer = pointer + 
core_slice___Slice_T___len(public_key, uint8_t, size_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice( - (size_t)2400U, - out, - ((core_ops_range_Range__size_t){ .start = pointer, - .end = pointer + H_DIGEST_SIZE }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint8_t ret0[32U]; - H(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, - void*); - pointer = pointer + H_DIGEST_SIZE; - uint8_t* uu____7 = out; - size_t uu____8 = pointer; - size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)2400U, - uu____7, - ((core_ops_range_Range__size_t){ - .start = uu____8, - .end = uu____9 + core_slice___Slice_T___len( - implicit_rejection_value, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - implicit_rejection_value, - uint8_t, - void*); - uint8_t uu____10[2400U]; - memcpy(uu____10, out, (size_t)2400U * sizeof(uint8_t)); - memcpy(ret, uu____10, (size_t)2400U * sizeof(uint8_t)); -} - -typedef uint8_t MlKemPrivateKey___2400size_t[2400U]; - -static void -from___2400size_t(uint8_t value[2400U], uint8_t ret[2400U]) -{ - uint8_t uu____0[2400U]; - memcpy(uu____0, value, (size_t)2400U * sizeof(uint8_t)); - memcpy(ret, uu____0, (size_t)2400U * sizeof(uint8_t)); -} - -static libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t -from___2400size_t_1184size_t(uint8_t sk[2400U], uint8_t pk[1184U]) -{ - libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t lit; - memcpy(lit.sk, sk, (size_t)2400U * sizeof(uint8_t)); - memcpy(lit.pk, pk, (size_t)1184U * sizeof(uint8_t)); - return lit; -} - -static libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t -generate_keypair___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uint8_t randomness[64U]) -{ - Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice( - (size_t)64U, - 
randomness, - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = CPA_PKE_KEY_GENERATION_SEED_SIZE }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - Eurydice_slice implicit_rejection_value = - Eurydice_array_to_subslice_from((size_t)64U, - randomness, - CPA_PKE_KEY_GENERATION_SEED_SIZE, - uint8_t, - size_t, - Eurydice_slice); - __uint8_t_1152size_t__uint8_t_1184size_t_ uu____0 = - generate_keypair___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( - ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t public_key[1184U]; - memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1152U, ind_cpa_private_key, uint8_t, Eurydice_slice); - uint8_t secret_key_serialized[2400U]; - serialize_kem_secret_key___2400size_t( - uu____1, - Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, Eurydice_slice), - implicit_rejection_value, - secret_key_serialized); - uint8_t uu____2[2400U]; - memcpy(uu____2, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); - uint8_t private_key[2400U]; - from___2400size_t(uu____2, private_key); - uint8_t uu____3[2400U]; - memcpy(uu____3, private_key, (size_t)2400U * sizeof(uint8_t)); - uint8_t uu____4[1184U]; - memcpy(uu____4, public_key, (size_t)1184U * sizeof(uint8_t)); - return from___2400size_t_1184size_t(uu____3, uu____4); -} - -libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t -libcrux_kyber_kyber768_generate_key_pair(uint8_t randomness[64U]) -{ - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uu____0); -} - -static void -into_padded_array___64size_t(Eurydice_slice slice, uint8_t ret[64U]) -{ - uint8_t out[64U] = { 0U }; - uint8_t* uu____0 = out; - 
core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)64U, - uu____0, - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(slice, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - slice, - uint8_t, - void*); - uint8_t uu____1[64U]; - memcpy(uu____1, out, (size_t)64U * sizeof(uint8_t)); - memcpy(ret, uu____1, (size_t)64U * sizeof(uint8_t)); -} - -static uint8_t* -as_slice___1184size_t(uint8_t (*self)[1184U]) -{ - return self[0U]; -} - -static void -deserialize_public_key___3size_t(Eurydice_slice public_key, - int32_t ret[3U][256U]) -{ - int32_t t_as_ntt[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(t_as_ntt[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(public_key, uint8_t, size_t) / - BYTES_PER_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice t_as_ntt_bytes = Eurydice_slice_subslice( - public_key, - ((core_ops_range_Range__size_t){ .start = i * BYTES_PER_RING_ELEMENT, - .end = i * BYTES_PER_RING_ELEMENT + - BYTES_PER_RING_ELEMENT }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t uu____1[256U]; - deserialize_to_uncompressed_ring_element(t_as_ntt_bytes, uu____1); - memcpy(t_as_ntt[i], uu____1, (size_t)256U * sizeof(int32_t)); - } - } - int32_t uu____2[3U][256U]; - memcpy(uu____2, t_as_ntt, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____2, (size_t)3U * 
sizeof(int32_t[256U])); -} - -static void -sample_ring_element_cbd___3size_t_128size_t_2size_t(uint8_t* prf_input, - uint8_t* domain_separator, - int32_t ret[3U][256U]) -{ - int32_t error_1[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(error_1[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - prf_input[32U] = domain_separator[0U]; - domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; - uint8_t prf_output[128U]; - PRF___128size_t(Eurydice_array_to_slice( - (size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); - int32_t uu____1[256U]; - sample_from_binomial_distribution___2size_t( - Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice), - uu____1); - memcpy(error_1[i], uu____1, (size_t)256U * sizeof(int32_t)); - } - } - int32_t uu____2[3U][256U]; - memcpy(uu____2, error_1, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____2, (size_t)3U * sizeof(int32_t[256U])); -} - -static void -invert_ntt_montgomery___3size_t(int32_t re[256U], int32_t ret[256U]) -{ - size_t zeta_i = COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer(&zeta_i, re, (size_t)1U, re); - invert_ntt_at_layer(&zeta_i, re, (size_t)2U, re); - invert_ntt_at_layer(&zeta_i, re, (size_t)3U, re); - invert_ntt_at_layer(&zeta_i, re, (size_t)4U, re); - invert_ntt_at_layer(&zeta_i, re, (size_t)5U, re); - invert_ntt_at_layer(&zeta_i, re, (size_t)6U, re); - 
invert_ntt_at_layer(&zeta_i, re, (size_t)7U, re); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)2U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t uu____1 = barrett_reduce(re[i]); - re[i] = uu____1; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -compute_vector_u___3size_t(int32_t (*a_as_ntt)[3U][256U], - int32_t (*r_as_ntt)[256U], - int32_t (*error_1)[256U], - int32_t ret[3U][256U]) -{ - int32_t result[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(result[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - core_ops_range_Range__size_t lit0; - lit0.start = (size_t)0U; - lit0.end = core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, a_as_ntt, Eurydice_error_t_cg_array, Eurydice_slice), - int32_t[3U][256U], - size_t); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit0, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t(*row)[256U] = a_as_ntt[i]; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)3U, row, int32_t[256U], Eurydice_slice), - int32_t[256U], - size_t); - 
core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t j = uu____1.f0; - int32_t(*a_element)[256U] = &row[j]; - int32_t product[256U]; - ntt_multiply(a_element, &r_as_ntt[j], product); - int32_t uu____2[256U]; - add_to_ring_element___3size_t(result[i], &product, uu____2); - memcpy(result[i], uu____2, (size_t)256U * sizeof(int32_t)); - } - } - int32_t uu____3[256U]; - invert_ntt_montgomery___3size_t(result[i], uu____3); - memcpy(result[i], uu____3, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter1 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = COEFFICIENTS_IN_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____4 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter1, size_t, core_option_Option__size_t); - if (uu____4.tag == core_option_None) { - break; - } else { - size_t j = uu____4.f0; - int32_t coefficient_normal_form = - montgomery_reduce(result[i][j] * (int32_t)1441); - int32_t uu____5 = - barrett_reduce(coefficient_normal_form + error_1[i][j]); - result[i][j] = uu____5; - } - } - } - } - int32_t uu____6[3U][256U]; - memcpy(uu____6, result, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____6, (size_t)3U * sizeof(int32_t[256U])); -} - -static void -compute_ring_element_v___3size_t(int32_t (*t_as_ntt)[256U], - int32_t (*r_as_ntt)[256U], - int32_t (*error_2)[256U], - int32_t 
(*message)[256U], - int32_t ret[256U]) -{ - int32_t result[256U]; - memcpy(result, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t product[256U]; - ntt_multiply(&t_as_ntt[i], &r_as_ntt[i], product); - add_to_ring_element___3size_t(result, &product, result); - } - } - invert_ntt_montgomery___3size_t(result, result); - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = COEFFICIENTS_IN_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t i = uu____1.f0; - int32_t coefficient_normal_form = - montgomery_reduce(result[i] * (int32_t)1441); - int32_t uu____2 = barrett_reduce(coefficient_normal_form + - error_2[0U][i] + message[0U][i]); - result[i] = uu____2; - } - } - memcpy(ret, result, (size_t)256U * sizeof(int32_t)); -} - -static void -compress_then_serialize_10___320size_t(int32_t re[256U], uint8_t ret[320U]) -{ - uint8_t serialized[320U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = - core_slice___Slice_T___len( - 
Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), - int32_t, - size_t) / - (size_t)4U; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice coefficients = Eurydice_array_to_subslice( - (size_t)256U, - re, - ((core_ops_range_Range__size_t){ .start = i * (size_t)4U, - .end = i * (size_t)4U + (size_t)4U }), - int32_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t coefficient1 = compress_ciphertext_coefficient( - 10U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t))); - int32_t coefficient2 = compress_ciphertext_coefficient( - 10U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t))); - int32_t coefficient3 = compress_ciphertext_coefficient( - 10U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t))); - int32_t coefficient4 = compress_ciphertext_coefficient( - 10U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t))); - __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t uu____1 = - compress_coefficients_10( - coefficient1, coefficient2, coefficient3, coefficient4); - uint8_t coef1 = uu____1.fst; - uint8_t coef2 = uu____1.snd; - uint8_t coef3 = uu____1.thd; - uint8_t coef4 = uu____1.f3; - uint8_t coef5 = uu____1.f4; - serialized[(size_t)5U * i] = coef1; - serialized[(size_t)5U * i + (size_t)1U] = coef2; - serialized[(size_t)5U * i + (size_t)2U] = coef3; - serialized[(size_t)5U * i + (size_t)3U] = coef4; - 
serialized[(size_t)5U * i + (size_t)4U] = coef5; - } - } - uint8_t uu____2[320U]; - memcpy(uu____2, serialized, (size_t)320U * sizeof(uint8_t)); - memcpy(ret, uu____2, (size_t)320U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_11___320size_t(int32_t re[256U], uint8_t ret[320U]) -{ - uint8_t serialized[320U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = - core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), - int32_t, - size_t) / - (size_t)8U; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice coefficients = Eurydice_array_to_subslice( - (size_t)256U, - re, - ((core_ops_range_Range__size_t){ .start = i * (size_t)8U, - .end = i * (size_t)8U + (size_t)8U }), - int32_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t coefficient1 = compress_ciphertext_coefficient( - 11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t))); - int32_t coefficient2 = compress_ciphertext_coefficient( - 11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t))); - int32_t coefficient3 = compress_ciphertext_coefficient( - 11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t))); - int32_t coefficient4 = compress_ciphertext_coefficient( - 11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t))); - int32_t coefficient5 = compress_ciphertext_coefficient( - 
11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)4U, int32_t, int32_t))); - int32_t coefficient6 = compress_ciphertext_coefficient( - 11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)5U, int32_t, int32_t))); - int32_t coefficient7 = compress_ciphertext_coefficient( - 11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)6U, int32_t, int32_t))); - int32_t coefficient8 = compress_ciphertext_coefficient( - 11U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)7U, int32_t, int32_t))); - __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t - uu____1 = compress_coefficients_11(coefficient1, - coefficient2, - coefficient3, - coefficient4, - coefficient5, - coefficient6, - coefficient7, - coefficient8); - uint8_t coef1 = uu____1.fst; - uint8_t coef2 = uu____1.snd; - uint8_t coef3 = uu____1.thd; - uint8_t coef4 = uu____1.f3; - uint8_t coef5 = uu____1.f4; - uint8_t coef6 = uu____1.f5; - uint8_t coef7 = uu____1.f6; - uint8_t coef8 = uu____1.f7; - uint8_t coef9 = uu____1.f8; - uint8_t coef10 = uu____1.f9; - uint8_t coef11 = uu____1.f10; - serialized[(size_t)11U * i] = coef1; - serialized[(size_t)11U * i + (size_t)1U] = coef2; - serialized[(size_t)11U * i + (size_t)2U] = coef3; - serialized[(size_t)11U * i + (size_t)3U] = coef4; - serialized[(size_t)11U * i + (size_t)4U] = coef5; - serialized[(size_t)11U * i + (size_t)5U] = coef6; - serialized[(size_t)11U * i + (size_t)6U] = coef7; - serialized[(size_t)11U * i + (size_t)7U] = coef8; - serialized[(size_t)11U * i + (size_t)8U] = coef9; - serialized[(size_t)11U * i + (size_t)9U] = coef10; - serialized[(size_t)11U * i + (size_t)10U] = coef11; - } - } - uint8_t uu____2[320U]; - memcpy(uu____2, serialized, (size_t)320U * sizeof(uint8_t)); - memcpy(ret, uu____2, (size_t)320U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_ring_element_u___10size_t_320size_t(int32_t 
re[256U], - uint8_t ret[320U]) -{ - uint8_t uu____0[320U]; - compress_then_serialize_10___320size_t(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_u___3size_t_960size_t_10size_t_320size_t( - int32_t input[3U][256U], - uint8_t ret[960U]) -{ - uint8_t out[960U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)3U, input, int32_t[256U], Eurydice_slice), - int32_t[256U], - size_t); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t re[256U]; - memcpy(re, input[i], (size_t)256U * sizeof(int32_t)); - Eurydice_slice uu____1 = Eurydice_array_to_subslice( - (size_t)960U, - out, - ((core_ops_range_Range__size_t){ - .start = i * ((size_t)960U / (size_t)3U), - .end = (i + (size_t)1U) * ((size_t)960U / (size_t)3U) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint8_t ret0[320U]; - compress_then_serialize_ring_element_u___10size_t_320size_t(re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____1, - Eurydice_array_to_slice((size_t)320U, ret0, uint8_t, Eurydice_slice), - uint8_t, - void*); - } - } - uint8_t uu____2[960U]; - memcpy(uu____2, out, (size_t)960U * sizeof(uint8_t)); - memcpy(ret, uu____2, (size_t)960U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_4___128size_t(int32_t re[256U], uint8_t ret[128U]) -{ - uint8_t serialized[128U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = - 
core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), - int32_t, - size_t) / - (size_t)2U; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice coefficients = Eurydice_array_to_subslice( - (size_t)256U, - re, - ((core_ops_range_Range__size_t){ .start = i * (size_t)2U, - .end = i * (size_t)2U + (size_t)2U }), - int32_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint8_t coefficient1 = (uint8_t)compress_ciphertext_coefficient( - 4U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t))); - uint8_t coefficient2 = (uint8_t)compress_ciphertext_coefficient( - 4U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t))); - serialized[i] = (uint32_t)coefficient2 << 4U | (uint32_t)coefficient1; - } - } - uint8_t uu____1[128U]; - memcpy(uu____1, serialized, (size_t)128U * sizeof(uint8_t)); - memcpy(ret, uu____1, (size_t)128U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_5___128size_t(int32_t re[256U], uint8_t ret[128U]) -{ - uint8_t serialized[128U] = { 0U }; - core_ops_range_Range__size_t lit; - lit.start = (size_t)0U; - lit.end = - core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), - int32_t, - size_t) / - (size_t)8U; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - lit, core_ops_range_Range__size_t, core_ops_range_Range__size_t); - while (true) { - 
core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice coefficients = Eurydice_array_to_subslice( - (size_t)256U, - re, - ((core_ops_range_Range__size_t){ .start = i * (size_t)8U, - .end = i * (size_t)8U + (size_t)8U }), - int32_t, - core_ops_range_Range__size_t, - Eurydice_slice); - uint8_t coefficient1 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)0U, int32_t, int32_t))); - uint8_t coefficient2 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)1U, int32_t, int32_t))); - uint8_t coefficient3 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)2U, int32_t, int32_t))); - uint8_t coefficient4 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)3U, int32_t, int32_t))); - uint8_t coefficient5 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)4U, int32_t, int32_t))); - uint8_t coefficient6 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)5U, int32_t, int32_t))); - uint8_t coefficient7 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)6U, int32_t, int32_t))); - uint8_t coefficient8 = (uint8_t)compress_ciphertext_coefficient( - 5U, - to_unsigned_representative( - Eurydice_slice_index(coefficients, (size_t)7U, int32_t, int32_t))); - __uint8_t_uint8_t_uint8_t_uint8_t_uint8_t uu____1 = - compress_coefficients_5(coefficient2, - 
coefficient1, - coefficient4, - coefficient3, - coefficient5, - coefficient7, - coefficient6, - coefficient8); - uint8_t coef1 = uu____1.fst; - uint8_t coef2 = uu____1.snd; - uint8_t coef3 = uu____1.thd; - uint8_t coef4 = uu____1.f3; - uint8_t coef5 = uu____1.f4; - serialized[(size_t)5U * i] = coef1; - serialized[(size_t)5U * i + (size_t)1U] = coef2; - serialized[(size_t)5U * i + (size_t)2U] = coef3; - serialized[(size_t)5U * i + (size_t)3U] = coef4; - serialized[(size_t)5U * i + (size_t)4U] = coef5; - } - } - uint8_t uu____2[128U]; - memcpy(uu____2, serialized, (size_t)128U * sizeof(uint8_t)); - memcpy(ret, uu____2, (size_t)128U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_ring_element_v___4size_t_128size_t(int32_t re[256U], - uint8_t ret[128U]) -{ - uint8_t uu____0[128U]; - compress_then_serialize_4___128size_t(re, uu____0); - memcpy(ret, uu____0, (size_t)128U * sizeof(uint8_t)); -} - -static void -into_padded_array___1088size_t(Eurydice_slice slice, uint8_t ret[1088U]) -{ - uint8_t out[1088U] = { 0U }; - uint8_t* uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)1088U, - uu____0, - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(slice, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - slice, - uint8_t, - void*); - uint8_t uu____1[1088U]; - memcpy(uu____1, out, (size_t)1088U * sizeof(uint8_t)); - memcpy(ret, uu____1, (size_t)1088U * sizeof(uint8_t)); -} - -static void -encrypt___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - Eurydice_slice public_key, - uint8_t message[32U], - Eurydice_slice randomness, - uint8_t ret[1088U]) -{ - int32_t t_as_ntt[3U][256U]; - deserialize_public_key___3size_t( - Eurydice_slice_subslice_to( - public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice), - t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - 
public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice); - int32_t A_transpose[3U][3U][256U]; - uint8_t ret0[34U]; - into_padded_array___34size_t(seed, ret0); - sample_matrix_A___3size_t(ret0, false, A_transpose); - uint8_t prf_input[33U]; - into_padded_array___33size_t(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t uu____1 = - sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t(uu____0, 0U); - int32_t r_as_ntt[3U][256U]; - memcpy(r_as_ntt, uu____1.fst, (size_t)3U * sizeof(int32_t[256U])); - uint8_t domain_separator = uu____1.snd; - int32_t error_1[3U][256U]; - sample_ring_element_cbd___3size_t_128size_t_2size_t( - prf_input, &domain_separator, error_1); - prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - PRF___128size_t( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); - int32_t error_2[256U]; - sample_from_binomial_distribution___2size_t( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t, Eurydice_slice), - error_2); - int32_t u[3U][256U]; - compute_vector_u___3size_t(A_transpose, r_as_ntt, error_1, u); - uint8_t uu____2[32U]; - memcpy(uu____2, message, (size_t)32U * sizeof(uint8_t)); - int32_t message_as_ring_element[256U]; - deserialize_then_decompress_message(uu____2, message_as_ring_element); - int32_t v[256U]; - compute_ring_element_v___3size_t( - t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element, v); - int32_t uu____3[3U][256U]; - memcpy(uu____3, u, (size_t)3U * sizeof(int32_t[256U])); - uint8_t c1[960U]; - compress_then_serialize_u___3size_t_960size_t_10size_t_320size_t(uu____3, c1); - uint8_t c2[128U]; - compress_then_serialize_ring_element_v___4size_t_128size_t(v, c2); - uint8_t ciphertext[1088U]; - into_padded_array___1088size_t( - Eurydice_array_to_slice((size_t)960U, c1, uint8_t, Eurydice_slice), - ciphertext); - Eurydice_slice uu____4 = 
Eurydice_array_to_subslice_from( - (size_t)1088U, ciphertext, (size_t)960U, uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - core_array___Array_T__N__23__as_slice( - (size_t)128U, c2, uint8_t, Eurydice_slice), - uint8_t, - void*); - uint8_t uu____5[1088U]; - memcpy(uu____5, ciphertext, (size_t)1088U * sizeof(uint8_t)); - memcpy(ret, uu____5, (size_t)1088U * sizeof(uint8_t)); -} - -typedef uint8_t MlKemCiphertext___1088size_t[1088U]; - -static K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ -encapsulate___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uint8_t (*public_key)[1184U], - uint8_t randomness[32U]) -{ - uint8_t to_hash[64U]; - into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, H_DIGEST_SIZE, uint8_t, size_t, Eurydice_slice); - uint8_t ret[32U]; - H(Eurydice_array_to_slice((size_t)1184U, - as_slice___1184size_t(public_key), - uint8_t, - Eurydice_slice), - ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, - void*); - uint8_t hashed[64U]; - G(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - SHARED_SECRET_SIZE, - uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret = uu____1.fst; - Eurydice_slice pseudorandomness = uu____1.snd; - Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, as_slice___1184size_t(public_key), uint8_t, Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); 
- uint8_t ciphertext[1088U]; - encrypt___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t shared_secret_array[32U] = { 0U }; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice( - (size_t)32U, shared_secret_array, uint8_t, Eurydice_slice), - shared_secret, - uint8_t, - void*); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); - uint8_t uu____5[1088U]; - memcpy(uu____5, uu____4, (size_t)1088U * sizeof(uint8_t)); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ lit; - memcpy(lit.fst, uu____5, (size_t)1088U * sizeof(uint8_t)); - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; -} - -K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ -libcrux_kyber_kyber768_encapsulate(uint8_t (*public_key)[1184U], - uint8_t randomness[32U]) -{ - uint8_t(*uu____0)[1184U] = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uu____0, uu____1); -} - -static K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t -split_at___2400size_t(uint8_t (*self)[2400U], size_t mid) -{ - return core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, self[0U], uint8_t, Eurydice_slice), - mid, - uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); -} - -static void -deserialize_then_decompress_ring_element_u___10size_t(Eurydice_slice serialized, - int32_t ret[256U]) -{ - int32_t uu____0[256U]; - deserialize_then_decompress_10(serialized, uu____0); - memcpy(ret, uu____0, (size_t)256U * sizeof(int32_t)); -} - -static void 
-ntt_vector_u___10size_t(int32_t re[256U], int32_t ret[256U]) -{ - size_t zeta_i = (size_t)0U; - ntt_at_layer_3328(&zeta_i, re, (size_t)7U, re); - ntt_at_layer_3328(&zeta_i, re, (size_t)6U, re); - ntt_at_layer_3328(&zeta_i, re, (size_t)5U, re); - ntt_at_layer_3328(&zeta_i, re, (size_t)4U, re); - ntt_at_layer_3328(&zeta_i, re, (size_t)3U, re); - ntt_at_layer_3328(&zeta_i, re, (size_t)2U, re); - ntt_at_layer_3328(&zeta_i, re, (size_t)1U, re); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = COEFFICIENTS_IN_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t uu____1 = barrett_reduce(re[i]); - re[i] = uu____1; - } - } - memcpy(ret, re, (size_t)256U * sizeof(int32_t)); -} - -static void -deserialize_then_decompress_u___3size_t_1088size_t_10size_t( - uint8_t* ciphertext, - int32_t ret[3U][256U]) -{ - int32_t u_as_ntt[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(u_as_ntt[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)1088U, ciphertext, uint8_t, Eurydice_slice), - uint8_t, - size_t) / - (COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U) }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - 
core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice u_bytes = Eurydice_array_to_subslice( - (size_t)1088U, - ciphertext, - ((core_ops_range_Range__size_t){ - .start = - i * (COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U), - .end = i * (COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U) + - COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t u[256U]; - deserialize_then_decompress_ring_element_u___10size_t(u_bytes, u); - int32_t uu____1[256U]; - ntt_vector_u___10size_t(u, uu____1); - memcpy(u_as_ntt[i], uu____1, (size_t)256U * sizeof(int32_t)); - } - } - int32_t uu____2[3U][256U]; - memcpy(uu____2, u_as_ntt, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____2, (size_t)3U * sizeof(int32_t[256U])); -} - -static void -deserialize_then_decompress_ring_element_v___4size_t(Eurydice_slice serialized, - int32_t ret[256U]) -{ - int32_t uu____0[256U]; - deserialize_then_decompress_4(serialized, uu____0); - memcpy(ret, uu____0, (size_t)256U * sizeof(int32_t)); -} - -static void -deserialize_secret_key___3size_t(Eurydice_slice secret_key, - int32_t ret[3U][256U]) -{ - int32_t secret_as_ntt[3U][256U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(secret_as_ntt[i], ZERO, (size_t)256U * sizeof(int32_t)); - } - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(secret_key, uint8_t, size_t) / - BYTES_PER_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - 
core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - Eurydice_slice secret_bytes = Eurydice_slice_subslice( - secret_key, - ((core_ops_range_Range__size_t){ .start = i * BYTES_PER_RING_ELEMENT, - .end = i * BYTES_PER_RING_ELEMENT + - BYTES_PER_RING_ELEMENT }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice); - int32_t uu____1[256U]; - deserialize_to_uncompressed_ring_element(secret_bytes, uu____1); - memcpy(secret_as_ntt[i], uu____1, (size_t)256U * sizeof(int32_t)); - } - } - int32_t uu____2[3U][256U]; - memcpy(uu____2, secret_as_ntt, (size_t)3U * sizeof(int32_t[256U])); - memcpy(ret, uu____2, (size_t)3U * sizeof(int32_t[256U])); -} - -static void -compute_message___3size_t(int32_t (*v)[256U], - int32_t (*secret_as_ntt)[256U], - int32_t (*u_as_ntt)[256U], - int32_t ret[256U]) -{ - int32_t result[256U]; - memcpy(result, ZERO, (size_t)256U * sizeof(int32_t)); - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)3U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - int32_t product[256U]; - ntt_multiply(&secret_as_ntt[i], &u_as_ntt[i], product); - add_to_ring_element___3size_t(result, &product, result); - } - } - invert_ntt_montgomery___3size_t(result, result); - core_ops_range_Range__size_t iter0 = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = 
(size_t)0U, - .end = COEFFICIENTS_IN_RING_ELEMENT }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____1 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter0, size_t, core_option_Option__size_t); - if (uu____1.tag == core_option_None) { - break; - } else { - size_t i = uu____1.f0; - int32_t coefficient_normal_form = - montgomery_reduce(result[i] * (int32_t)1441); - int32_t uu____2 = barrett_reduce(v[0U][i] - coefficient_normal_form); - result[i] = uu____2; - } - } - memcpy(ret, result, (size_t)256U * sizeof(int32_t)); -} - -static void -decrypt___3size_t_1088size_t_960size_t_10size_t_4size_t( - Eurydice_slice secret_key, - uint8_t* ciphertext, - uint8_t ret[32U]) -{ - int32_t u_as_ntt[3U][256U]; - deserialize_then_decompress_u___3size_t_1088size_t_10size_t(ciphertext, - u_as_ntt); - int32_t v[256U]; - deserialize_then_decompress_ring_element_v___4size_t( - Eurydice_array_to_subslice_from( - (size_t)1088U, ciphertext, (size_t)960U, uint8_t, size_t, Eurydice_slice), - v); - int32_t secret_as_ntt[3U][256U]; - deserialize_secret_key___3size_t(secret_key, secret_as_ntt); - int32_t message[256U]; - compute_message___3size_t(&v, secret_as_ntt, u_as_ntt, message); - uint8_t ret0[32U]; - compress_then_serialize_message(message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static void -into_padded_array___1120size_t(Eurydice_slice slice, uint8_t ret[1120U]) -{ - uint8_t out[1120U] = { 0U }; - uint8_t* uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)1120U, - uu____0, - ((core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = core_slice___Slice_T___len(slice, uint8_t, size_t) }), - uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - slice, - uint8_t, - void*); - uint8_t uu____1[1120U]; - memcpy(uu____1, out, (size_t)1120U * sizeof(uint8_t)); - memcpy(ret, uu____1, 
(size_t)1120U * sizeof(uint8_t)); -} - -static Eurydice_slice -as_ref___1088size_t(uint8_t (*self)[1088U]) -{ - return Eurydice_array_to_slice( - (size_t)1088U, self[0U], uint8_t, Eurydice_slice); -} - -static void -PRF___32size_t(Eurydice_slice input, uint8_t ret[32U]) -{ - uint8_t ret0[32U]; - libcrux_digest_shake256((size_t)32U, input, ret0, void*); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static uint8_t -compare_ciphertexts_in_constant_time___1088size_t(Eurydice_slice lhs, - Eurydice_slice rhs) -{ - uint8_t r = 0U; - core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - ((core_ops_range_Range__size_t){ .start = (size_t)0U, - .end = (size_t)1088U }), - core_ops_range_Range__size_t, - core_ops_range_Range__size_t); - while (true) { - core_option_Option__size_t uu____0 = - core_iter_range___core__iter__traits__iterator__Iterator_for_core__ops__range__Range_A___3__next( - &iter, size_t, core_option_Option__size_t); - if (uu____0.tag == core_option_None) { - break; - } else { - size_t i = uu____0.f0; - uint8_t uu____1 = Eurydice_slice_index(lhs, i, uint8_t, uint8_t); - r = (uint32_t)r | ((uint32_t)uu____1 ^ (uint32_t)Eurydice_slice_index( - rhs, i, uint8_t, uint8_t)); - } - } - return is_non_zero(r); -} - -static void -decapsulate___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - uint8_t (*secret_key)[2400U], - uint8_t (*ciphertext)[1088U], - uint8_t ret[32U]) -{ - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - split_at___2400size_t(secret_key, (size_t)1152U); - Eurydice_slice ind_cpa_secret_key = uu____0.fst; - Eurydice_slice secret_key0 = uu____0.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - secret_key0, - (size_t)1184U, - uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - 
Eurydice_slice ind_cpa_public_key = uu____1.fst; - Eurydice_slice secret_key1 = uu____1.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____2 = - core_slice___Slice_T___split_at( - secret_key1, - H_DIGEST_SIZE, - uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; - Eurydice_slice implicit_rejection_value = uu____2.snd; - uint8_t decrypted[32U]; - decrypt___3size_t_1088size_t_960size_t_10size_t_4size_t( - ind_cpa_secret_key, ciphertext[0U], decrypted); - uint8_t to_hash0[64U]; - into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from((size_t)64U, - to_hash0, - SHARED_SECRET_SIZE, - uint8_t, - size_t, - Eurydice_slice), - ind_cpa_public_key_hash, - uint8_t, - void*); - uint8_t hashed[64U]; - G(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____3 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - SHARED_SECRET_SIZE, - uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret = uu____3.fst; - Eurydice_slice pseudorandomness = uu____3.snd; - uint8_t to_hash[1120U]; - into_padded_array___1120size_t(implicit_rejection_value, to_hash); - Eurydice_slice uu____4 = Eurydice_array_to_subslice_from((size_t)1120U, - to_hash, - SHARED_SECRET_SIZE, - uint8_t, - size_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, as_ref___1088size_t(ciphertext), uint8_t, void*); - uint8_t implicit_rejection_shared_secret[32U]; - PRF___32size_t( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); - Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * 
sizeof(uint8_t)); - uint8_t expected_ciphertext[1088U]; - encrypt___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uu____5, uu____6, pseudorandomness, expected_ciphertext); - Eurydice_slice uu____7 = as_ref___1088size_t(ciphertext); - uint8_t selector = compare_ciphertexts_in_constant_time___1088size_t( - uu____7, - Eurydice_array_to_slice( - (size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); - Eurydice_slice uu____8 = shared_secret; - uint8_t ret0[32U]; - select_shared_secret_in_constant_time( - uu____8, - Eurydice_array_to_slice( - (size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), - selector, - ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -void -libcrux_kyber_kyber768_decapsulate(uint8_t (*secret_key)[2400U], - uint8_t (*ciphertext)[1088U], - uint8_t ret[32U]) -{ - uint8_t ret0[32U]; - decapsulate___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - secret_key, ciphertext, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} diff --git a/libcrux/src/libcrux_kyber1024.c b/libcrux/src/libcrux_kyber1024.c new file mode 100644 index 00000000..851c9256 --- /dev/null +++ b/libcrux/src/libcrux_kyber1024.c 
@@ -0,0 +1,2396 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#include "libcrux_kyber1024.h" + +#include "internal/libcrux_kyber_common.h" +#include "internal/libcrux_kyber768.h" +#include "libcrux_hacl_glue.h" + +static inline void +deserialize_ring_elements_reduced___1568size_t_4size_t( + Eurydice_slice public_key, + int32_t ret[4U][256U] +) +{ + int32_t deserialized_pk[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(deserialized_pk[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(public_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + ring_element = + Eurydice_slice_subslice(public_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_reduced_ring_element(ring_element, uu____0); + memcpy(deserialized_pk[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, deserialized_pk, (size_t)4U * sizeof (int32_t [256U])); +} + +static inline void +serialize_secret_key___4size_t_1536size_t(int32_t key[4U][256U], uint8_t ret[1536U]) +{ + uint8_t out[1536U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)4U, + key, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t i0 = i; + int32_t re[256U]; + memcpy(re, key[i0], (size_t)256U * sizeof (int32_t)); + Eurydice_slice + 
uu____0 = + Eurydice_array_to_subslice((size_t)1536U, + out, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = (i0 + (size_t)1U) * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[384U]; + libcrux_kyber_serialize_serialize_uncompressed_ring_element(re, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + } + memcpy(ret, out, (size_t)1536U * sizeof (uint8_t)); +} + +static inline void +serialize_public_key___4size_t_1536size_t_1568size_t( + int32_t t_as_ntt[4U][256U], + Eurydice_slice seed_for_a, + uint8_t ret[1568U] +) +{ + uint8_t public_key_serialized[1568U] = { 0U }; + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice((size_t)1568U, + public_key_serialized, + ((core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)1536U }), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____1[4U][256U]; + memcpy(uu____1, t_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + uint8_t ret0[1536U]; + serialize_secret_key___4size_t_1536size_t(uu____1, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)1536U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)1568U, + public_key_serialized, + (size_t)1536U, + uint8_t, + size_t, + Eurydice_slice), + seed_for_a, + uint8_t, + void *); + memcpy(ret, public_key_serialized, (size_t)1568U * sizeof (uint8_t)); +} + +static bool validate_public_key___4size_t_1536size_t_1568size_t(uint8_t *public_key) +{ + int32_t deserialized_pk[4U][256U]; + deserialize_ring_elements_reduced___1568size_t_4size_t(Eurydice_array_to_subslice_to((size_t)1568U, + public_key, + (size_t)1536U, + uint8_t, + size_t, + Eurydice_slice), + deserialized_pk); + int32_t 
uu____0[4U][256U]; + memcpy(uu____0, deserialized_pk, (size_t)4U * sizeof (int32_t [256U])); + uint8_t public_key_serialized[1568U]; + serialize_public_key___4size_t_1536size_t_1568size_t(uu____0, + Eurydice_array_to_subslice_from((size_t)1568U, + public_key, + (size_t)1536U, + uint8_t, + size_t, + Eurydice_slice), + public_key_serialized); + return + core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq((size_t)1568U, + public_key, + public_key_serialized, + uint8_t, + uint8_t, + bool); +} + +core_option_Option__libcrux_kyber_types_MlKemPublicKey__1568size_t__ +libcrux_kyber_kyber1024_validate_public_key(uint8_t public_key[1568U]) +{ + core_option_Option__libcrux_kyber_types_MlKemPublicKey__1568size_t__ uu____0; + if (validate_public_key___4size_t_1536size_t_1568size_t(public_key)) + { + core_option_Option__libcrux_kyber_types_MlKemPublicKey__1568size_t__ lit; + lit.tag = core_option_Some; + memcpy(lit.f0, public_key, (size_t)1568U * sizeof (uint8_t)); + uu____0 = lit; + } + else + { + uu____0 = + ( + (core_option_Option__libcrux_kyber_types_MlKemPublicKey__1568size_t__){ + .tag = core_option_None + } + ); + } + return uu____0; +} + +static inline libcrux_digest_incremental_x4_Shake128StateX4 +absorb___4size_t(uint8_t input[4U][34U]) +{ + libcrux_digest_incremental_x4_Shake128StateX4 + state = libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__new(); + Eurydice_slice data[4U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + uint8_t buf[1U] = { 0U }; + data[i] = Eurydice_array_to_slice((size_t)1U, buf, uint8_t, Eurydice_slice); + } + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + Eurydice_slice + uu____0 = Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, Eurydice_slice); + data[i0] = uu____0; + } + libcrux_digest_incremental_x4_Shake128StateX4 *uu____1 = &state; + Eurydice_slice uu____2[4U]; + memcpy(uu____2, data, (size_t)4U * sizeof (Eurydice_slice)); + 
libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final((size_t)4U, + uu____1, + uu____2, + void *); + return state; +} + +static inline void +squeeze_three_blocks___4size_t( + libcrux_digest_incremental_x4_Shake128StateX4 *xof_state, + uint8_t ret[4U][504U] +) +{ + uint8_t output[4U][504U]; + libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks((size_t)504U, + (size_t)4U, + xof_state, + output, + void *); + uint8_t out[4U][504U] = { { 0U } }; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + uint8_t uu____0[504U]; + memcpy(uu____0, output[i0], (size_t)504U * sizeof (uint8_t)); + memcpy(out[i0], uu____0, (size_t)504U * sizeof (uint8_t)); + } + memcpy(ret, out, (size_t)4U * sizeof (uint8_t [504U])); +} + +static bool +sample_from_uniform_distribution_next___4size_t_504size_t( + uint8_t randomness[4U][504U], + size_t *sampled_coefficients, + int32_t (*out)[256U] +) +{ + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + core_slice_iter_Chunks + iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter(core_slice___Slice_T___chunks(Eurydice_array_to_slice((size_t)504U, + randomness[i0], + uint8_t, + Eurydice_slice), + (size_t)3U, + uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, + core_slice_iter_Chunks); + while (true) + { + core_option_Option__Eurydice_slice_uint8_t + uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next(&iter, + uint8_t, + core_option_Option__Eurydice_slice_uint8_t); + if (uu____0.tag == core_option_None) + { + break; + } + else + { + Eurydice_slice bytes = uu____0.f0; + int32_t b1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t b2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t b3 = (int32_t)Eurydice_slice_index(bytes, 
(size_t)2U, uint8_t, uint8_t); + int32_t d1 = (b2 & (int32_t)15) << 8U | b1; + int32_t d2 = b3 << 4U | b2 >> 4U; + bool uu____1; + if (d1 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____1 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____1 = false; + } + if (uu____1) + { + out[i0][sampled_coefficients[i0]] = d1; + size_t uu____2 = i0; + sampled_coefficients[uu____2] = sampled_coefficients[uu____2] + (size_t)1U; + } + bool uu____3; + if (d2 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____3 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____3 = false; + } + if (uu____3) + { + out[i0][sampled_coefficients[i0]] = d2; + size_t uu____4 = i0; + sampled_coefficients[uu____4] = sampled_coefficients[uu____4] + (size_t)1U; + } + } + } + if (sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) + { + done = false; + } + } + return done; +} + +static inline void +squeeze_block___4size_t( + libcrux_digest_incremental_x4_Shake128StateX4 *xof_state, + uint8_t ret[4U][168U] +) +{ + uint8_t output[4U][168U]; + libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks((size_t)168U, + (size_t)4U, + xof_state, + output, + void *); + uint8_t out[4U][168U] = { { 0U } }; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + uint8_t uu____0[168U]; + memcpy(uu____0, output[i0], (size_t)168U * sizeof (uint8_t)); + memcpy(out[i0], uu____0, (size_t)168U * sizeof (uint8_t)); + } + memcpy(ret, out, (size_t)4U * sizeof (uint8_t [168U])); +} + +static bool +sample_from_uniform_distribution_next___4size_t_168size_t( + uint8_t randomness[4U][168U], + size_t *sampled_coefficients, + int32_t (*out)[256U] +) +{ + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + core_slice_iter_Chunks + iter = + 
core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter(core_slice___Slice_T___chunks(Eurydice_array_to_slice((size_t)168U, + randomness[i0], + uint8_t, + Eurydice_slice), + (size_t)3U, + uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, + core_slice_iter_Chunks); + while (true) + { + core_option_Option__Eurydice_slice_uint8_t + uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next(&iter, + uint8_t, + core_option_Option__Eurydice_slice_uint8_t); + if (uu____0.tag == core_option_None) + { + break; + } + else + { + Eurydice_slice bytes = uu____0.f0; + int32_t b1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t b2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t b3 = (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + int32_t d1 = (b2 & (int32_t)15) << 8U | b1; + int32_t d2 = b3 << 4U | b2 >> 4U; + bool uu____1; + if (d1 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____1 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____1 = false; + } + if (uu____1) + { + out[i0][sampled_coefficients[i0]] = d1; + size_t uu____2 = i0; + sampled_coefficients[uu____2] = sampled_coefficients[uu____2] + (size_t)1U; + } + bool uu____3; + if (d2 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____3 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____3 = false; + } + if (uu____3) + { + out[i0][sampled_coefficients[i0]] = d2; + size_t uu____4 = i0; + sampled_coefficients[uu____4] = sampled_coefficients[uu____4] + (size_t)1U; + } + } + } + if (sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) + { + done = false; + } + } + return done; +} + +static void sample_from_xof___4size_t(uint8_t seeds[4U][34U], int32_t ret[4U][256U]) +{ + size_t sampled_coefficients[4U] = { 0U }; 
+ int32_t out[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(out[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + uint8_t uu____0[4U][34U]; + memcpy(uu____0, seeds, (size_t)4U * sizeof (uint8_t [34U])); + libcrux_digest_incremental_x4_Shake128StateX4 xof_state = absorb___4size_t(uu____0); + uint8_t randomness0[4U][504U]; + squeeze_three_blocks___4size_t(&xof_state, randomness0); + uint8_t uu____1[4U][504U]; + memcpy(uu____1, randomness0, (size_t)4U * sizeof (uint8_t [504U])); + bool + done = + sample_from_uniform_distribution_next___4size_t_504size_t(uu____1, + sampled_coefficients, + out); + while (true) + { + if (!!done) + { + break; + } + uint8_t randomness[4U][168U]; + squeeze_block___4size_t(&xof_state, randomness); + uint8_t uu____2[4U][168U]; + memcpy(uu____2, randomness, (size_t)4U * sizeof (uint8_t [168U])); + done = + sample_from_uniform_distribution_next___4size_t_168size_t(uu____2, + sampled_coefficients, + out); + } + libcrux_kyber_hash_functions_free_state(xof_state); + memcpy(ret, out, (size_t)4U * sizeof (int32_t [256U])); +} + +static inline void +sample_matrix_A___4size_t(uint8_t seed[34U], bool transpose, int32_t ret[4U][4U][256U]) +{ + int32_t A_transpose[4U][4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(A_transpose[i][0U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + memcpy(A_transpose[i][1U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + memcpy(A_transpose[i][2U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + memcpy(A_transpose[i][3U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i0 = 
(size_t)0U; i0 < (size_t)4U; i0++) + { + size_t i1 = i0; + uint8_t uu____0[34U]; + memcpy(uu____0, seed, (size_t)34U * sizeof (uint8_t)); + uint8_t seeds[4U][34U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(seeds[i], uu____0, (size_t)34U * sizeof (uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t j = i; + seeds[j][32U] = (uint8_t)i1; + seeds[j][33U] = (uint8_t)j; + } + uint8_t uu____1[4U][34U]; + memcpy(uu____1, seeds, (size_t)4U * sizeof (uint8_t [34U])); + int32_t sampled[4U][256U]; + sample_from_xof___4size_t(uu____1, sampled); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t j = i; + if (transpose) + { + memcpy(A_transpose[j][i1], sampled[j], (size_t)256U * sizeof (int32_t)); + } + else + { + memcpy(A_transpose[i1][j], sampled[j], (size_t)256U * sizeof (int32_t)); + } + } + } + memcpy(ret, A_transpose, (size_t)4U * sizeof (int32_t [4U][256U])); +} + +typedef struct __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__uint8_t_s +{ + int32_t fst[4U][256U]; + uint8_t snd; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__uint8_t; + +static inline __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__uint8_t +sample_vector_cbd_then_ntt___4size_t_2size_t_128size_t( + uint8_t prf_input[33U], + uint8_t domain_separator +) +{ + int32_t re_as_ntt[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(re_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + prf_input[32U] = domain_separator; + domain_separator = (uint32_t)domain_separator + 1U; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t r[256U]; + 
libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + r); + int32_t uu____0[256U]; + libcrux_kyber_ntt_ntt_binomially_sampled_ring_element(r, uu____0); + memcpy(re_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + int32_t uu____1[4U][256U]; + memcpy(uu____1, re_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__uint8_t lit; + memcpy(lit.fst, uu____1, (size_t)4U * sizeof (int32_t [256U])); + lit.snd = domain_separator; + return lit; +} + +static void +add_to_ring_element___4size_t(int32_t lhs[256U], int32_t (*rhs)[256U], int32_t ret[256U]) +{ + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, lhs, int32_t, Eurydice_slice), + int32_t, + size_t); + i++) + { + size_t i0 = i; + size_t uu____0 = i0; + lhs[uu____0] = lhs[uu____0] + rhs[0U][i0]; + } + memcpy(ret, lhs, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_As_plus_e___4size_t( + int32_t (*matrix_A)[4U][256U], + int32_t (*s_as_ntt)[256U], + int32_t (*error_as_ntt)[256U], + int32_t ret[4U][256U] +) +{ + int32_t result[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(result[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)4U, + matrix_A, + Eurydice_error_t_cg_array, + Eurydice_slice), + int32_t [4U][256U], + size_t); + i0++) + { + size_t i1 = i0; + int32_t (*row)[256U] = matrix_A[i1]; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)4U, + row, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t j = i; + int32_t (*matrix_element)[256U] = &row[j]; + int32_t product[256U]; + 
libcrux_kyber_ntt_ntt_multiply(matrix_element, &s_as_ntt[j], product); + int32_t uu____0[256U]; + add_to_ring_element___4size_t(result[i1], &product, uu____0); + memcpy(result[i1], uu____0, (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t j = i; + int32_t coefficient_normal_form = libcrux_kyber_arithmetic_to_standard_domain(result[i1][j]); + int32_t + uu____1 = + libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + error_as_ntt[i1][j]); + result[i1][j] = uu____1; + } + } + memcpy(ret, result, (size_t)4U * sizeof (int32_t [256U])); +} + +typedef struct +__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t__s +{ + int32_t fst[4U][256U]; + int32_t snd[4U][256U]; + int32_t thd[4U][4U][256U]; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t_; + +typedef struct +__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t__uint8_t_1568size_t__s +{ + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t_ + fst; + uint8_t snd[1568U]; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t__uint8_t_1568size_t_; + +static __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t__uint8_t_1568size_t_ 
+generate_keypair_unpacked___4size_t_1568size_t_1536size_t_2size_t_128size_t( + Eurydice_slice key_generation_seed +) +{ + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(key_generation_seed, hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + (size_t)32U, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice seed_for_A = uu____0.fst; + Eurydice_slice seed_for_secret_and_error = uu____0.snd; + int32_t a_transpose[4U][4U][256U]; + uint8_t ret[34U]; + libcrux_kyber_ind_cpa_into_padded_array___34size_t(seed_for_A, ret); + sample_matrix_A___4size_t(ret, true, a_transpose); + uint8_t prf_input[33U]; + libcrux_kyber_ind_cpa_into_padded_array___33size_t(seed_for_secret_and_error, prf_input); + uint8_t uu____1[33U]; + memcpy(uu____1, prf_input, (size_t)33U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__uint8_t + uu____2 = sample_vector_cbd_then_ntt___4size_t_2size_t_128size_t(uu____1, 0U); + int32_t secret_as_ntt[4U][256U]; + memcpy(secret_as_ntt, uu____2.fst, (size_t)4U * sizeof (int32_t [256U])); + uint8_t domain_separator = uu____2.snd; + uint8_t uu____3[33U]; + memcpy(uu____3, prf_input, (size_t)33U * sizeof (uint8_t)); + int32_t error_as_ntt[4U][256U]; + memcpy(error_as_ntt, + sample_vector_cbd_then_ntt___4size_t_2size_t_128size_t(uu____3, domain_separator).fst, + (size_t)4U * sizeof (int32_t [256U])); + int32_t t_as_ntt[4U][256U]; + compute_As_plus_e___4size_t(a_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); + int32_t uu____4[4U][256U]; + memcpy(uu____4, t_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + uint8_t public_key_serialized[1568U]; + serialize_public_key___4size_t_1536size_t_1568size_t(uu____4, + seed_for_A, + public_key_serialized); + for (size_t i0 = (size_t)0U; i0 < (size_t)4U; i0++) + { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)256U; 
i++) + { + size_t j = i; + uint16_t uu____5 = libcrux_kyber_arithmetic_to_unsigned_representative(secret_as_ntt[i1][j]); + secret_as_ntt[i1][j] = (int32_t)uu____5; + uint16_t uu____6 = libcrux_kyber_arithmetic_to_unsigned_representative(t_as_ntt[i1][j]); + t_as_ntt[i1][j] = (int32_t)uu____6; + } + } + int32_t a_matrix[4U][4U][256U]; + memcpy(a_matrix, a_transpose, (size_t)4U * sizeof (int32_t [4U][256U])); + for (size_t i0 = (size_t)0U; i0 < (size_t)4U; i0++) + { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t j = i; + memcpy(a_matrix[i1][j], a_transpose[j][i1], (size_t)256U * sizeof (int32_t)); + } + } + int32_t uu____7[4U][256U]; + memcpy(uu____7, secret_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + int32_t uu____8[4U][256U]; + memcpy(uu____8, t_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + int32_t uu____9[4U][4U][256U]; + memcpy(uu____9, a_matrix, (size_t)4U * sizeof (int32_t [4U][256U])); + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t_ + uu____10; + memcpy(uu____10.fst, uu____7, (size_t)4U * sizeof (int32_t [256U])); + memcpy(uu____10.snd, uu____8, (size_t)4U * sizeof (int32_t [256U])); + memcpy(uu____10.thd, uu____9, (size_t)4U * sizeof (int32_t [4U][256U])); + uint8_t uu____11[1568U]; + memcpy(uu____11, public_key_serialized, (size_t)1568U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t__uint8_t_1568size_t_ + lit; + lit.fst = uu____10; + memcpy(lit.snd, uu____11, (size_t)1568U * sizeof (uint8_t)); + return lit; +} + +typedef struct __uint8_t_1536size_t__uint8_t_1568size_t__s +{ + uint8_t fst[1536U]; + uint8_t snd[1568U]; +} +__uint8_t_1536size_t__uint8_t_1568size_t_; + +static __uint8_t_1536size_t__uint8_t_1568size_t_ 
+generate_keypair___4size_t_1536size_t_1568size_t_1536size_t_2size_t_128size_t( + Eurydice_slice key_generation_seed +) +{ + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t__uint8_t_1568size_t_ + uu____0 = + generate_keypair_unpacked___4size_t_1568size_t_1536size_t_2size_t_128size_t(key_generation_seed); + int32_t secret_as_ntt[4U][256U]; + memcpy(secret_as_ntt, uu____0.fst.fst, (size_t)4U * sizeof (int32_t [256U])); + int32_t _t_as_ntt[4U][256U]; + memcpy(_t_as_ntt, uu____0.fst.snd, (size_t)4U * sizeof (int32_t [256U])); + int32_t _a_transpose[4U][4U][256U]; + memcpy(_a_transpose, uu____0.fst.thd, (size_t)4U * sizeof (int32_t [4U][256U])); + uint8_t public_key_serialized[1568U]; + memcpy(public_key_serialized, uu____0.snd, (size_t)1568U * sizeof (uint8_t)); + int32_t uu____1[4U][256U]; + memcpy(uu____1, secret_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + uint8_t secret_key_serialized[1536U]; + serialize_secret_key___4size_t_1536size_t(uu____1, secret_key_serialized); + uint8_t uu____2[1536U]; + memcpy(uu____2, secret_key_serialized, (size_t)1536U * sizeof (uint8_t)); + uint8_t uu____3[1568U]; + memcpy(uu____3, public_key_serialized, (size_t)1568U * sizeof (uint8_t)); + __uint8_t_1536size_t__uint8_t_1568size_t_ lit; + memcpy(lit.fst, uu____2, (size_t)1536U * sizeof (uint8_t)); + memcpy(lit.snd, uu____3, (size_t)1568U * sizeof (uint8_t)); + return lit; +} + +static inline void +serialize_kem_secret_key___3168size_t( + Eurydice_slice private_key, + Eurydice_slice public_key, + Eurydice_slice implicit_rejection_value, + uint8_t ret[3168U] +) +{ + uint8_t out[3168U] = { 0U }; + size_t pointer = (size_t)0U; + uint8_t *uu____0 = out; + size_t uu____1 = pointer; + size_t uu____2 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)3168U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = 
uu____1, + .end = uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + private_key, + uint8_t, + void *); + pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uint8_t *uu____3 = out; + size_t uu____4 = pointer; + size_t uu____5 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)3168U, + uu____3, + ( + (core_ops_range_Range__size_t){ + .start = uu____4, + .end = uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + public_key, + uint8_t, + void *); + pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + Eurydice_slice + uu____6 = + Eurydice_array_to_subslice((size_t)3168U, + out, + ( + (core_ops_range_Range__size_t){ + .start = pointer, + .end = pointer + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[32U]; + libcrux_kyber_hash_functions_H(public_key, ret0); + core_slice___Slice_T___copy_from_slice(uu____6, + Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + pointer = pointer + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE; + uint8_t *uu____7 = out; + size_t uu____8 = pointer; + size_t uu____9 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)3168U, + uu____7, + ( + (core_ops_range_Range__size_t){ + .start = uu____8, + .end = uu____9 + core_slice___Slice_T___len(implicit_rejection_value, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + implicit_rejection_value, + uint8_t, + void *); + memcpy(ret, out, (size_t)3168U * sizeof (uint8_t)); +} + +typedef uint8_t MlKemPrivateKey___3168size_t[3168U]; + +static void from___3168size_t(uint8_t value[3168U], uint8_t ret[3168U]) +{ + uint8_t uu____0[3168U]; + memcpy(uu____0, value, 
(size_t)3168U * sizeof (uint8_t)); + memcpy(ret, uu____0, (size_t)3168U * sizeof (uint8_t)); +} + +static libcrux_kyber_types_MlKemKeyPair___3168size_t_1568size_t +from___3168size_t_1568size_t(uint8_t sk[3168U], uint8_t pk[1568U]) +{ + libcrux_kyber_types_MlKemKeyPair___3168size_t_1568size_t lit; + memcpy(lit.sk, sk, (size_t)3168U * sizeof (uint8_t)); + memcpy(lit.pk, pk, (size_t)1568U * sizeof (uint8_t)); + return lit; +} + +static libcrux_kyber_types_MlKemKeyPair___3168size_t_1568size_t +generate_keypair___4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( + uint8_t randomness[64U] +) +{ + Eurydice_slice + ind_cpa_keypair_randomness = + Eurydice_array_to_subslice((size_t)64U, + randomness, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_subslice_from((size_t)64U, + randomness, + LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, + uint8_t, + size_t, + Eurydice_slice); + __uint8_t_1536size_t__uint8_t_1568size_t_ + uu____0 = + generate_keypair___4size_t_1536size_t_1568size_t_1536size_t_2size_t_128size_t(ind_cpa_keypair_randomness); + uint8_t ind_cpa_private_key[1536U]; + memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1536U * sizeof (uint8_t)); + uint8_t public_key[1568U]; + memcpy(public_key, uu____0.snd, (size_t)1568U * sizeof (uint8_t)); + Eurydice_slice + uu____1 = Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t, Eurydice_slice); + uint8_t secret_key_serialized[3168U]; + serialize_kem_secret_key___3168size_t(uu____1, + Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t, Eurydice_slice), + implicit_rejection_value, + secret_key_serialized); + uint8_t uu____2[3168U]; + memcpy(uu____2, secret_key_serialized, (size_t)3168U * sizeof (uint8_t)); + uint8_t private_key[3168U]; + 
from___3168size_t(uu____2, private_key); + uint8_t uu____3[3168U]; + memcpy(uu____3, private_key, (size_t)3168U * sizeof (uint8_t)); + uint8_t uu____4[1568U]; + memcpy(uu____4, public_key, (size_t)1568U * sizeof (uint8_t)); + return from___3168size_t_1568size_t(uu____3, uu____4); +} + +libcrux_kyber_types_MlKemKeyPair___3168size_t_1568size_t +libcrux_kyber_kyber1024_generate_key_pair(uint8_t randomness[64U]) +{ + uint8_t uu____0[64U]; + memcpy(uu____0, randomness, (size_t)64U * sizeof (uint8_t)); + return + generate_keypair___4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t(uu____0); +} + +static void from___1568size_t(uint8_t value[1568U], uint8_t ret[1568U]) +{ + uint8_t uu____0[1568U]; + memcpy(uu____0, value, (size_t)1568U * sizeof (uint8_t)); + memcpy(ret, uu____0, (size_t)1568U * sizeof (uint8_t)); +} + +static K___libcrux_kyber_MlKemState__4size_t___libcrux_kyber_types_MlKemPublicKey__1568size_t__ +generate_keypair_unpacked___4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( + uint8_t randomness[64U] +) +{ + Eurydice_slice + ind_cpa_keypair_randomness = + Eurydice_array_to_subslice((size_t)64U, + randomness, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_subslice_from((size_t)64U, + randomness, + LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, + uint8_t, + size_t, + Eurydice_slice); + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t____libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__4size_t__uint8_t_1568size_t_ + uu____0 = + generate_keypair_unpacked___4size_t_1568size_t_1536size_t_2size_t_128size_t(ind_cpa_keypair_randomness); + int32_t secret_as_ntt[4U][256U]; + memcpy(secret_as_ntt, uu____0.fst.fst, (size_t)4U * sizeof 
(int32_t [256U])); + int32_t t_as_ntt[4U][256U]; + memcpy(t_as_ntt, uu____0.fst.snd, (size_t)4U * sizeof (int32_t [256U])); + int32_t a_transpose[4U][4U][256U]; + memcpy(a_transpose, uu____0.fst.thd, (size_t)4U * sizeof (int32_t [4U][256U])); + uint8_t ind_cpa_public_key[1568U]; + memcpy(ind_cpa_public_key, uu____0.snd, (size_t)1568U * sizeof (uint8_t)); + uint8_t ind_cpa_public_key_hash[32U]; + libcrux_kyber_hash_functions_H(Eurydice_array_to_slice((size_t)1568U, + ind_cpa_public_key, + uint8_t, + Eurydice_slice), + ind_cpa_public_key_hash); + uint8_t rej[32U]; + core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; + Eurydice_slice_to_array2(&dst, + implicit_rejection_value, + Eurydice_slice, + uint8_t [32U], + void *); + core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError(dst, + rej); + uint8_t uu____1[1568U]; + memcpy(uu____1, ind_cpa_public_key, (size_t)1568U * sizeof (uint8_t)); + uint8_t pubkey[1568U]; + from___1568size_t(uu____1, pubkey); + int32_t uu____2[4U][256U]; + memcpy(uu____2, secret_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + int32_t uu____3[4U][256U]; + memcpy(uu____3, t_as_ntt, (size_t)4U * sizeof (int32_t [256U])); + int32_t uu____4[4U][4U][256U]; + memcpy(uu____4, a_transpose, (size_t)4U * sizeof (int32_t [4U][256U])); + uint8_t uu____5[32U]; + memcpy(uu____5, rej, (size_t)32U * sizeof (uint8_t)); + uint8_t uu____6[32U]; + memcpy(uu____6, ind_cpa_public_key_hash, (size_t)32U * sizeof (uint8_t)); + K___libcrux_kyber_MlKemState__4size_t___libcrux_kyber_types_MlKemPublicKey__1568size_t__ lit; + memcpy(lit.fst.secret_as_ntt, uu____2, (size_t)4U * sizeof (int32_t [256U])); + memcpy(lit.fst.t_as_ntt, uu____3, (size_t)4U * sizeof (int32_t [256U])); + memcpy(lit.fst.a_transpose, uu____4, (size_t)4U * sizeof (int32_t [4U][256U])); + memcpy(lit.fst.rej, uu____5, (size_t)32U * sizeof (uint8_t)); + memcpy(lit.fst.ind_cpa_public_key_hash, uu____6, (size_t)32U * sizeof (uint8_t)); + 
memcpy(lit.snd, pubkey, (size_t)1568U * sizeof (uint8_t)); + return lit; +} + +K___libcrux_kyber_MlKemState__4size_t___libcrux_kyber_types_MlKemPublicKey__1568size_t__ +libcrux_kyber_kyber1024_generate_key_pair_unpacked(uint8_t randomness[64U]) +{ + uint8_t uu____0[64U]; + memcpy(uu____0, randomness, (size_t)64U * sizeof (uint8_t)); + return + generate_keypair_unpacked___4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t(uu____0); +} + +static uint8_t *as_slice___1568size_t(uint8_t (*self)[1568U]) +{ + return self[0U]; +} + +static inline void +deserialize_ring_elements_reduced___1536size_t_4size_t( + Eurydice_slice public_key, + int32_t ret[4U][256U] +) +{ + int32_t deserialized_pk[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(deserialized_pk[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(public_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + ring_element = + Eurydice_slice_subslice(public_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_reduced_ring_element(ring_element, uu____0); + memcpy(deserialized_pk[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, deserialized_pk, (size_t)4U * sizeof (int32_t [256U])); +} + +static inline void +sample_ring_element_cbd___4size_t_128size_t_2size_t( + uint8_t *prf_input, + uint8_t *domain_separator, + int32_t ret[4U][256U] +) +{ + int32_t error_1[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(error_1[i], + 
libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + prf_input[32U] = domain_separator[0U]; + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t uu____0[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + uu____0); + memcpy(error_1[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, error_1, (size_t)4U * sizeof (int32_t [256U])); +} + +static inline void invert_ntt_montgomery___4size_t(int32_t re[256U], int32_t ret[256U]) +{ + size_t zeta_i = LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)1U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)2U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)3U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)4U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)5U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)6U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)7U, re); + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(re[i0]); + re[i0] = uu____0; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_vector_u___4size_t( + int32_t (*a_as_ntt)[4U][256U], + int32_t (*r_as_ntt)[256U], + int32_t (*error_1)[256U], + int32_t ret[4U][256U] +) +{ + int32_t result[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(result[i], + 
libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)4U, + a_as_ntt, + Eurydice_error_t_cg_array, + Eurydice_slice), + int32_t [4U][256U], + size_t); + i0++) + { + size_t i1 = i0; + int32_t (*row)[256U] = a_as_ntt[i1]; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)4U, + row, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t j = i; + int32_t (*a_element)[256U] = &row[j]; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(a_element, &r_as_ntt[j], product); + int32_t uu____0[256U]; + add_to_ring_element___4size_t(result[i1], &product, uu____0); + memcpy(result[i1], uu____0, (size_t)256U * sizeof (int32_t)); + } + int32_t uu____1[256U]; + invert_ntt_montgomery___4size_t(result[i1], uu____1); + memcpy(result[i1], uu____1, (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t j = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i1][j] * (int32_t)1441); + int32_t + uu____2 = libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + error_1[i1][j]); + result[i1][j] = uu____2; + } + } + memcpy(ret, result, (size_t)4U * sizeof (int32_t [256U])); +} + +static inline void +compute_ring_element_v___4size_t( + int32_t (*t_as_ntt)[256U], + int32_t (*r_as_ntt)[256U], + int32_t (*error_2)[256U], + int32_t (*message)[256U], + int32_t ret[256U] +) +{ + int32_t result[256U]; + memcpy(result, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(&t_as_ntt[i0], &r_as_ntt[i0], product); + 
add_to_ring_element___4size_t(result, &product, result); + } + invert_ntt_montgomery___4size_t(result, result); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i0] * (int32_t)1441); + int32_t + uu____0 = + libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + + error_2[0U][i0] + + message[0U][i0]); + result[i0] = uu____0; + } + memcpy(ret, result, (size_t)256U * sizeof (int32_t)); +} + +static inline void compress_then_serialize_10___352size_t(int32_t re[256U], uint8_t ret[352U]) +{ + uint8_t serialized[352U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)4U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)4U, + .end = i0 * (size_t)4U + (size_t)4U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t + coefficient1 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t))); + int32_t + coefficient2 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + int32_t + coefficient3 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)2U, + int32_t, + int32_t))); + int32_t + coefficient4 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)3U, + 
int32_t, + int32_t))); + K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t + uu____0 = + libcrux_kyber_serialize_compress_coefficients_10(coefficient1, + coefficient2, + coefficient3, + coefficient4); + uint8_t coef1 = uu____0.fst; + uint8_t coef2 = uu____0.snd; + uint8_t coef3 = uu____0.thd; + uint8_t coef4 = uu____0.f3; + uint8_t coef5 = uu____0.f4; + serialized[(size_t)5U * i0] = coef1; + serialized[(size_t)5U * i0 + (size_t)1U] = coef2; + serialized[(size_t)5U * i0 + (size_t)2U] = coef3; + serialized[(size_t)5U * i0 + (size_t)3U] = coef4; + serialized[(size_t)5U * i0 + (size_t)4U] = coef5; + } + memcpy(ret, serialized, (size_t)352U * sizeof (uint8_t)); +} + +static inline void compress_then_serialize_11___352size_t(int32_t re[256U], uint8_t ret[352U]) +{ + uint8_t serialized[352U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)8U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)8U, + .end = i0 * (size_t)8U + (size_t)8U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t + coefficient1 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t))); + int32_t + coefficient2 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + int32_t + coefficient3 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)2U, + int32_t, + int32_t))); + int32_t + coefficient4 = + 
libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)3U, + int32_t, + int32_t))); + int32_t + coefficient5 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)4U, + int32_t, + int32_t))); + int32_t + coefficient6 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)5U, + int32_t, + int32_t))); + int32_t + coefficient7 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)6U, + int32_t, + int32_t))); + int32_t + coefficient8 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)7U, + int32_t, + int32_t))); + K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t + uu____0 = + libcrux_kyber_serialize_compress_coefficients_11(coefficient1, + coefficient2, + coefficient3, + coefficient4, + coefficient5, + coefficient6, + coefficient7, + coefficient8); + uint8_t coef1 = uu____0.fst; + uint8_t coef2 = uu____0.snd; + uint8_t coef3 = uu____0.thd; + uint8_t coef4 = uu____0.f3; + uint8_t coef5 = uu____0.f4; + uint8_t coef6 = uu____0.f5; + uint8_t coef7 = uu____0.f6; + uint8_t coef8 = uu____0.f7; + uint8_t coef9 = uu____0.f8; + uint8_t coef10 = uu____0.f9; + uint8_t coef11 = uu____0.f10; + serialized[(size_t)11U * i0] = coef1; + serialized[(size_t)11U * i0 + (size_t)1U] = coef2; + serialized[(size_t)11U * i0 + (size_t)2U] = coef3; + serialized[(size_t)11U * i0 + (size_t)3U] = coef4; + serialized[(size_t)11U * i0 + (size_t)4U] = coef5; + serialized[(size_t)11U * i0 + (size_t)5U] = coef6; + 
serialized[(size_t)11U * i0 + (size_t)6U] = coef7; + serialized[(size_t)11U * i0 + (size_t)7U] = coef8; + serialized[(size_t)11U * i0 + (size_t)8U] = coef9; + serialized[(size_t)11U * i0 + (size_t)9U] = coef10; + serialized[(size_t)11U * i0 + (size_t)10U] = coef11; + } + memcpy(ret, serialized, (size_t)352U * sizeof (uint8_t)); +} + +static inline void +compress_then_serialize_ring_element_u___11size_t_352size_t( + int32_t re[256U], + uint8_t ret[352U] +) +{ + uint8_t uu____0[352U]; + compress_then_serialize_11___352size_t(re, uu____0); + memcpy(ret, uu____0, (size_t)352U * sizeof (uint8_t)); +} + +static void +compress_then_serialize_u___4size_t_1408size_t_11size_t_352size_t( + int32_t input[4U][256U], + uint8_t ret[1408U] +) +{ + uint8_t out[1408U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)4U, + input, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t i0 = i; + int32_t re[256U]; + memcpy(re, input[i0], (size_t)256U * sizeof (int32_t)); + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice((size_t)1408U, + out, + ( + (core_ops_range_Range__size_t){ + .start = i0 * ((size_t)1408U / (size_t)4U), + .end = (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[352U]; + compress_then_serialize_ring_element_u___11size_t_352size_t(re, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)352U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + } + memcpy(ret, out, (size_t)1408U * sizeof (uint8_t)); +} + +static inline void compress_then_serialize_4___160size_t(int32_t re[256U], uint8_t ret[160U]) +{ + uint8_t serialized[160U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)2U; + i++) + { + size_t i0 = i; + 
Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)2U, + .end = i0 * (size_t)2U + (size_t)2U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t + coefficient1 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(4U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t))); + uint8_t + coefficient2 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(4U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + serialized[i0] = (uint32_t)coefficient2 << 4U | (uint32_t)coefficient1; + } + memcpy(ret, serialized, (size_t)160U * sizeof (uint8_t)); +} + +static inline void compress_then_serialize_5___160size_t(int32_t re[256U], uint8_t ret[160U]) +{ + uint8_t serialized[160U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)8U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)8U, + .end = i0 * (size_t)8U + (size_t)8U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t + coefficient1 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t))); + uint8_t + coefficient2 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + uint8_t + coefficient3 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + 
libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)2U, + int32_t, + int32_t))); + uint8_t + coefficient4 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)3U, + int32_t, + int32_t))); + uint8_t + coefficient5 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)4U, + int32_t, + int32_t))); + uint8_t + coefficient6 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)5U, + int32_t, + int32_t))); + uint8_t + coefficient7 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)6U, + int32_t, + int32_t))); + uint8_t + coefficient8 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)7U, + int32_t, + int32_t))); + K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t + uu____0 = + libcrux_kyber_serialize_compress_coefficients_5(coefficient2, + coefficient1, + coefficient4, + coefficient3, + coefficient5, + coefficient7, + coefficient6, + coefficient8); + uint8_t coef1 = uu____0.fst; + uint8_t coef2 = uu____0.snd; + uint8_t coef3 = uu____0.thd; + uint8_t coef4 = uu____0.f3; + uint8_t coef5 = uu____0.f4; + serialized[(size_t)5U * i0] = coef1; + serialized[(size_t)5U * i0 + (size_t)1U] = coef2; + serialized[(size_t)5U * i0 + (size_t)2U] = coef3; + serialized[(size_t)5U * i0 + (size_t)3U] = coef4; + serialized[(size_t)5U * i0 + (size_t)4U] = coef5; + } + memcpy(ret, serialized, (size_t)160U * sizeof (uint8_t)); +} + +static inline void 
+compress_then_serialize_ring_element_v___5size_t_160size_t(int32_t re[256U], uint8_t ret[160U]) +{ + uint8_t uu____0[160U]; + compress_then_serialize_5___160size_t(re, uu____0); + memcpy(ret, uu____0, (size_t)160U * sizeof (uint8_t)); +} + +static inline void into_padded_array___1568size_t(Eurydice_slice slice, uint8_t ret[1568U]) +{ + uint8_t out[1568U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)1568U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)1568U * sizeof (uint8_t)); +} + +static void +encrypt_unpacked___4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( + int32_t (*t_as_ntt)[256U], + int32_t (*a_transpose)[4U][256U], + uint8_t message[32U], + Eurydice_slice randomness, + uint8_t ret[1568U] +) +{ + uint8_t prf_input[33U]; + libcrux_kyber_ind_cpa_into_padded_array___33size_t(randomness, prf_input); + uint8_t uu____0[33U]; + memcpy(uu____0, prf_input, (size_t)33U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_4size_t__uint8_t + uu____1 = sample_vector_cbd_then_ntt___4size_t_2size_t_128size_t(uu____0, 0U); + int32_t r_as_ntt[4U][256U]; + memcpy(r_as_ntt, uu____1.fst, (size_t)4U * sizeof (int32_t [256U])); + uint8_t domain_separator = uu____1.snd; + int32_t error_1[4U][256U]; + sample_ring_element_cbd___4size_t_128size_t_2size_t(prf_input, &domain_separator, error_1); + prf_input[32U] = domain_separator; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t error_2[256U]; + 
libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + error_2); + int32_t u[4U][256U]; + compute_vector_u___4size_t(a_transpose, r_as_ntt, error_1, u); + uint8_t uu____2[32U]; + memcpy(uu____2, message, (size_t)32U * sizeof (uint8_t)); + int32_t message_as_ring_element[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_message(uu____2, message_as_ring_element); + int32_t v[256U]; + compute_ring_element_v___4size_t(t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element, v); + int32_t uu____3[4U][256U]; + memcpy(uu____3, u, (size_t)4U * sizeof (int32_t [256U])); + uint8_t c1[1408U]; + compress_then_serialize_u___4size_t_1408size_t_11size_t_352size_t(uu____3, c1); + uint8_t c2[160U]; + compress_then_serialize_ring_element_v___5size_t_160size_t(v, c2); + uint8_t ciphertext[1568U]; + into_padded_array___1568size_t(Eurydice_array_to_slice((size_t)1408U, + c1, + uint8_t, + Eurydice_slice), + ciphertext); + Eurydice_slice + uu____4 = + Eurydice_array_to_subslice_from((size_t)1568U, + ciphertext, + (size_t)1408U, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____4, + core_array___Array_T__N__23__as_slice((size_t)160U, c2, uint8_t, Eurydice_slice), + uint8_t, + void *); + memcpy(ret, ciphertext, (size_t)1568U * sizeof (uint8_t)); +} + +static void +encrypt___4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( + Eurydice_slice public_key, + uint8_t message[32U], + Eurydice_slice randomness, + uint8_t ret[1568U] +) +{ + int32_t t_as_ntt[4U][256U]; + deserialize_ring_elements_reduced___1536size_t_4size_t(Eurydice_slice_subslice_to(public_key, + (size_t)1536U, + uint8_t, + size_t, + Eurydice_slice), + t_as_ntt); + Eurydice_slice + seed = Eurydice_slice_subslice_from(public_key, (size_t)1536U, uint8_t, size_t, Eurydice_slice); + int32_t a_transpose[4U][4U][256U]; + uint8_t 
ret0[34U]; + libcrux_kyber_ind_cpa_into_padded_array___34size_t(seed, ret0); + sample_matrix_A___4size_t(ret0, false, a_transpose); + int32_t (*uu____0)[256U] = t_as_ntt; + int32_t (*uu____1)[4U][256U] = a_transpose; + uint8_t uu____2[32U]; + memcpy(uu____2, message, (size_t)32U * sizeof (uint8_t)); + uint8_t ret1[1568U]; + encrypt_unpacked___4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t(uu____0, + uu____1, + uu____2, + randomness, + ret1); + memcpy(ret, ret1, (size_t)1568U * sizeof (uint8_t)); +} + +typedef uint8_t MlKemCiphertext___1568size_t[1568U]; + +static K___libcrux_kyber_types_MlKemCiphertext__1568size_t___uint8_t_32size_t_ +encapsulate___4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( + uint8_t (*public_key)[1568U], + uint8_t randomness[32U] +) +{ + uint8_t to_hash[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + randomness, + uint8_t, + Eurydice_slice), + to_hash); + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice_from((size_t)64U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE, + uint8_t, + size_t, + Eurydice_slice); + uint8_t ret[32U]; + libcrux_kyber_hash_functions_H(Eurydice_array_to_slice((size_t)1568U, + as_slice___1568size_t(public_key), + uint8_t, + Eurydice_slice), + ret); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____1 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + 
Eurydice_slice shared_secret = uu____1.fst; + Eurydice_slice pseudorandomness = uu____1.snd; + Eurydice_slice + uu____2 = + Eurydice_array_to_slice((size_t)1568U, + as_slice___1568size_t(public_key), + uint8_t, + Eurydice_slice); + uint8_t uu____3[32U]; + memcpy(uu____3, randomness, (size_t)32U * sizeof (uint8_t)); + uint8_t ciphertext[1568U]; + encrypt___4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t(uu____2, + uu____3, + pseudorandomness, + ciphertext); + uint8_t shared_secret_array[32U] = { 0U }; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_slice((size_t)32U, + shared_secret_array, + uint8_t, + Eurydice_slice), + shared_secret, + uint8_t, + void *); + uint8_t uu____4[1568U]; + memcpy(uu____4, ciphertext, (size_t)1568U * sizeof (uint8_t)); + uint8_t uu____5[1568U]; + memcpy(uu____5, uu____4, (size_t)1568U * sizeof (uint8_t)); + uint8_t uu____6[32U]; + memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof (uint8_t)); + K___libcrux_kyber_types_MlKemCiphertext__1568size_t___uint8_t_32size_t_ lit; + memcpy(lit.fst, uu____5, (size_t)1568U * sizeof (uint8_t)); + memcpy(lit.snd, uu____6, (size_t)32U * sizeof (uint8_t)); + return lit; +} + +K___libcrux_kyber_types_MlKemCiphertext__1568size_t___uint8_t_32size_t_ +libcrux_kyber_kyber1024_encapsulate(uint8_t (*public_key)[1568U], uint8_t randomness[32U]) +{ + uint8_t (*uu____0)[1568U] = public_key; + uint8_t uu____1[32U]; + memcpy(uu____1, randomness, (size_t)32U * sizeof (uint8_t)); + return + encapsulate___4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t(uu____0, + uu____1); +} + +static K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t +split_at___3168size_t(uint8_t (*self)[3168U], size_t mid) +{ + return + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)3168U, + self[0U], + uint8_t, + Eurydice_slice), + mid, + uint8_t, + 
K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); +} + +static inline void +deserialize_secret_key___4size_t(Eurydice_slice secret_key, int32_t ret[4U][256U]) +{ + int32_t secret_as_ntt[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(secret_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(secret_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + secret_bytes = + Eurydice_slice_subslice(secret_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_uncompressed_ring_element(secret_bytes, uu____0); + memcpy(secret_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, secret_as_ntt, (size_t)4U * sizeof (int32_t [256U])); +} + +static inline void +deserialize_then_decompress_ring_element_u___11size_t( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_11(serialized, uu____0); + memcpy(ret, uu____0, (size_t)256U * sizeof (int32_t)); +} + +static inline void ntt_vector_u___11size_t(int32_t re[256U], int32_t ret[256U]) +{ + size_t zeta_i = (size_t)0U; + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)7U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)6U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)5U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)4U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)3U, re); + 
libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)2U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)1U, re); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(re[i0]); + re[i0] = uu____0; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +deserialize_then_decompress_u___4size_t_1568size_t_11size_t( + uint8_t *ciphertext, + int32_t ret[4U][256U] +) +{ + int32_t u_as_ntt[4U][256U]; + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + memcpy(u_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)1568U, + ciphertext, + uint8_t, + Eurydice_slice), + uint8_t, + size_t) + / (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U); + i++) + { + size_t i0 = i; + Eurydice_slice + u_bytes = + Eurydice_array_to_subslice((size_t)1568U, + ciphertext, + ( + (core_ops_range_Range__size_t){ + .start = i0 + * (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U), + .end = i0 + * (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U) + + LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t u[256U]; + deserialize_then_decompress_ring_element_u___11size_t(u_bytes, u); + int32_t uu____0[256U]; + ntt_vector_u___11size_t(u, uu____0); + memcpy(u_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, u_as_ntt, (size_t)4U * sizeof (int32_t [256U])); +} + +static inline void +deserialize_then_decompress_ring_element_v___5size_t( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t uu____0[256U]; + 
libcrux_kyber_serialize_deserialize_then_decompress_5(serialized, uu____0); + memcpy(ret, uu____0, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_message___4size_t( + int32_t (*v)[256U], + int32_t (*secret_as_ntt)[256U], + int32_t (*u_as_ntt)[256U], + int32_t ret[256U] +) +{ + int32_t result[256U]; + memcpy(result, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) + { + size_t i0 = i; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(&secret_as_ntt[i0], &u_as_ntt[i0], product); + add_to_ring_element___4size_t(result, &product, result); + } + invert_ntt_montgomery___4size_t(result, result); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i0] * (int32_t)1441); + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(v[0U][i0] - coefficient_normal_form); + result[i0] = uu____0; + } + memcpy(ret, result, (size_t)256U * sizeof (int32_t)); +} + +static void +decrypt_unpacked___4size_t_1568size_t_1408size_t_11size_t_5size_t( + int32_t (*secret_as_ntt)[256U], + uint8_t *ciphertext, + uint8_t ret[32U] +) +{ + int32_t u_as_ntt[4U][256U]; + deserialize_then_decompress_u___4size_t_1568size_t_11size_t(ciphertext, u_as_ntt); + int32_t v[256U]; + deserialize_then_decompress_ring_element_v___5size_t(Eurydice_array_to_subslice_from((size_t)1568U, + ciphertext, + (size_t)1408U, + uint8_t, + size_t, + Eurydice_slice), + v); + int32_t message[256U]; + compute_message___4size_t(&v, secret_as_ntt, u_as_ntt, message); + uint8_t ret0[32U]; + libcrux_kyber_serialize_compress_then_serialize_message(message, ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static void +decrypt___4size_t_1568size_t_1408size_t_11size_t_5size_t( + Eurydice_slice secret_key, + uint8_t 
*ciphertext, + uint8_t ret[32U] +) +{ + int32_t secret_as_ntt[4U][256U]; + deserialize_secret_key___4size_t(secret_key, secret_as_ntt); + uint8_t ret0[32U]; + decrypt_unpacked___4size_t_1568size_t_1408size_t_11size_t_5size_t(secret_as_ntt, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static inline void into_padded_array___1600size_t(Eurydice_slice slice, uint8_t ret[1600U]) +{ + uint8_t out[1600U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)1600U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)1600U * sizeof (uint8_t)); +} + +static Eurydice_slice as_ref___1568size_t(uint8_t (*self)[1568U]) +{ + return Eurydice_array_to_slice((size_t)1568U, self[0U], uint8_t, Eurydice_slice); +} + +static uint8_t +compare_ciphertexts_in_constant_time___1568size_t(Eurydice_slice lhs, Eurydice_slice rhs) +{ + uint8_t r = 0U; + for (size_t i = (size_t)0U; i < (size_t)1568U; i++) + { + size_t i0 = i; + uint8_t uu____0 = Eurydice_slice_index(lhs, i0, uint8_t, uint8_t); + r = + (uint32_t)r + | ((uint32_t)uu____0 ^ (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t)); + } + return libcrux_kyber_constant_time_ops_is_non_zero(r); +} + +static void +decapsulate___4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( + uint8_t (*secret_key)[3168U], + uint8_t (*ciphertext)[1568U], + uint8_t ret[32U] +) +{ + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = split_at___3168size_t(secret_key, (size_t)1536U); + Eurydice_slice ind_cpa_secret_key = uu____0.fst; + Eurydice_slice secret_key0 = uu____0.snd; + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____1 
= + core_slice___Slice_T___split_at(secret_key0, + (size_t)1568U, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice ind_cpa_public_key = uu____1.fst; + Eurydice_slice secret_key1 = uu____1.snd; + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____2 = + core_slice___Slice_T___split_at(secret_key1, + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; + Eurydice_slice implicit_rejection_value = uu____2.snd; + uint8_t decrypted[32U]; + decrypt___4size_t_1568size_t_1408size_t_11size_t_5size_t(ind_cpa_secret_key, + ciphertext[0U], + decrypted); + uint8_t to_hash0[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + decrypted, + uint8_t, + Eurydice_slice), + to_hash0); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)64U, + to_hash0, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice), + ind_cpa_public_key_hash, + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash0, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____3 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____3.fst; + Eurydice_slice pseudorandomness = uu____3.snd; + uint8_t to_hash[1600U]; + into_padded_array___1600size_t(implicit_rejection_value, to_hash); + Eurydice_slice + uu____4 = + Eurydice_array_to_subslice_from((size_t)1600U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____4, + as_ref___1568size_t(ciphertext), + uint8_t, + void 
*); + uint8_t implicit_rejection_shared_secret[32U]; + libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_array_to_slice((size_t)1600U, + to_hash, + uint8_t, + Eurydice_slice), + implicit_rejection_shared_secret); + Eurydice_slice uu____5 = ind_cpa_public_key; + uint8_t uu____6[32U]; + memcpy(uu____6, decrypted, (size_t)32U * sizeof (uint8_t)); + uint8_t expected_ciphertext[1568U]; + encrypt___4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t(uu____5, + uu____6, + pseudorandomness, + expected_ciphertext); + Eurydice_slice uu____7 = as_ref___1568size_t(ciphertext); + uint8_t + selector = + compare_ciphertexts_in_constant_time___1568size_t(uu____7, + Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t, Eurydice_slice)); + Eurydice_slice uu____8 = shared_secret; + uint8_t ret0[32U]; + libcrux_kyber_constant_time_ops_select_shared_secret_in_constant_time(uu____8, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), + selector, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +void +libcrux_kyber_kyber1024_decapsulate( + uint8_t (*secret_key)[3168U], + uint8_t (*ciphertext)[1568U], + uint8_t ret[32U] +) +{ + uint8_t ret0[32U]; + decapsulate___4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t(secret_key, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static void +decapsulate_unpacked___4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( + libcrux_kyber_MlKemState___4size_t *state, + uint8_t (*ciphertext)[1568U], + uint8_t ret[32U] +) +{ + int32_t (*secret_as_ntt)[256U] = state->secret_as_ntt; + int32_t (*t_as_ntt)[256U] = state->t_as_ntt; + int32_t (*a_transpose)[4U][256U] = 
state->a_transpose; + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_slice((size_t)32U, + state->rej, + uint8_t, + Eurydice_slice); + Eurydice_slice + ind_cpa_public_key_hash = + Eurydice_array_to_slice((size_t)32U, + state->ind_cpa_public_key_hash, + uint8_t, + Eurydice_slice); + uint8_t decrypted[32U]; + decrypt_unpacked___4size_t_1568size_t_1408size_t_11size_t_5size_t(secret_as_ntt, + ciphertext[0U], + decrypted); + uint8_t to_hash0[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + decrypted, + uint8_t, + Eurydice_slice), + to_hash0); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)64U, + to_hash0, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice), + ind_cpa_public_key_hash, + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash0, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____0.fst; + Eurydice_slice pseudorandomness = uu____0.snd; + uint8_t to_hash[1600U]; + into_padded_array___1600size_t(implicit_rejection_value, to_hash); + Eurydice_slice + uu____1 = + Eurydice_array_to_subslice_from((size_t)1600U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____1, + as_ref___1568size_t(ciphertext), + uint8_t, + void *); + uint8_t implicit_rejection_shared_secret[32U]; + libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_array_to_slice((size_t)1600U, + to_hash, + uint8_t, + Eurydice_slice), + implicit_rejection_shared_secret); + int32_t (*uu____2)[256U] = t_as_ntt; + 
int32_t (*uu____3)[4U][256U] = a_transpose; + uint8_t uu____4[32U]; + memcpy(uu____4, decrypted, (size_t)32U * sizeof (uint8_t)); + uint8_t expected_ciphertext[1568U]; + encrypt_unpacked___4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t(uu____2, + uu____3, + uu____4, + pseudorandomness, + expected_ciphertext); + Eurydice_slice uu____5 = as_ref___1568size_t(ciphertext); + uint8_t + selector = + compare_ciphertexts_in_constant_time___1568size_t(uu____5, + Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t, Eurydice_slice)); + Eurydice_slice uu____6 = shared_secret; + uint8_t ret0[32U]; + libcrux_kyber_constant_time_ops_select_shared_secret_in_constant_time(uu____6, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), + selector, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +void +libcrux_kyber_kyber1024_decapsulate_unpacked( + libcrux_kyber_MlKemState___4size_t *state, + uint8_t (*ciphertext)[1568U], + uint8_t ret[32U] +) +{ + uint8_t ret0[32U]; + decapsulate_unpacked___4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t(state, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + diff --git a/libcrux/src/libcrux_kyber512.c b/libcrux/src/libcrux_kyber512.c new file mode 100644 index 00000000..610611ea --- /dev/null +++ b/libcrux/src/libcrux_kyber512.c 
@@ -0,0 +1,1989 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#include "libcrux_kyber512.h" + +#include "internal/libcrux_kyber_common.h" +#include "internal/libcrux_kyber768.h" +#include "libcrux_hacl_glue.h" + +static inline void +deserialize_ring_elements_reduced___800size_t_2size_t( + Eurydice_slice public_key, + int32_t ret[2U][256U] +) +{ + int32_t deserialized_pk[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(deserialized_pk[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(public_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + ring_element = + Eurydice_slice_subslice(public_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_reduced_ring_element(ring_element, uu____0); + memcpy(deserialized_pk[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, deserialized_pk, (size_t)2U * sizeof (int32_t [256U])); +} + +static inline void +serialize_secret_key___2size_t_768size_t(int32_t key[2U][256U], uint8_t ret[768U]) +{ + uint8_t out[768U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)2U, + key, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t i0 = i; + int32_t re[256U]; + memcpy(re, key[i0], (size_t)256U * sizeof (int32_t)); + Eurydice_slice + 
uu____0 = + Eurydice_array_to_subslice((size_t)768U, + out, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = (i0 + (size_t)1U) * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[384U]; + libcrux_kyber_serialize_serialize_uncompressed_ring_element(re, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + } + memcpy(ret, out, (size_t)768U * sizeof (uint8_t)); +} + +static inline void +serialize_public_key___2size_t_768size_t_800size_t( + int32_t t_as_ntt[2U][256U], + Eurydice_slice seed_for_a, + uint8_t ret[800U] +) +{ + uint8_t public_key_serialized[800U] = { 0U }; + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice((size_t)800U, + public_key_serialized, + ((core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)768U }), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____1[2U][256U]; + memcpy(uu____1, t_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + uint8_t ret0[768U]; + serialize_secret_key___2size_t_768size_t(uu____1, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)768U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)800U, + public_key_serialized, + (size_t)768U, + uint8_t, + size_t, + Eurydice_slice), + seed_for_a, + uint8_t, + void *); + memcpy(ret, public_key_serialized, (size_t)800U * sizeof (uint8_t)); +} + +static bool validate_public_key___2size_t_768size_t_800size_t(uint8_t *public_key) +{ + int32_t deserialized_pk[2U][256U]; + deserialize_ring_elements_reduced___800size_t_2size_t(Eurydice_array_to_subslice_to((size_t)800U, + public_key, + (size_t)768U, + uint8_t, + size_t, + Eurydice_slice), + deserialized_pk); + int32_t uu____0[2U][256U]; 
+ memcpy(uu____0, deserialized_pk, (size_t)2U * sizeof (int32_t [256U])); + uint8_t public_key_serialized[800U]; + serialize_public_key___2size_t_768size_t_800size_t(uu____0, + Eurydice_array_to_subslice_from((size_t)800U, + public_key, + (size_t)768U, + uint8_t, + size_t, + Eurydice_slice), + public_key_serialized); + return + core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq((size_t)800U, + public_key, + public_key_serialized, + uint8_t, + uint8_t, + bool); +} + +core_option_Option__libcrux_kyber_types_MlKemPublicKey__800size_t__ +libcrux_kyber_kyber512_validate_public_key(uint8_t public_key[800U]) +{ + core_option_Option__libcrux_kyber_types_MlKemPublicKey__800size_t__ uu____0; + if (validate_public_key___2size_t_768size_t_800size_t(public_key)) + { + core_option_Option__libcrux_kyber_types_MlKemPublicKey__800size_t__ lit; + lit.tag = core_option_Some; + memcpy(lit.f0, public_key, (size_t)800U * sizeof (uint8_t)); + uu____0 = lit; + } + else + { + uu____0 = + ( + (core_option_Option__libcrux_kyber_types_MlKemPublicKey__800size_t__){ + .tag = core_option_None + } + ); + } + return uu____0; +} + +static inline libcrux_digest_incremental_x4_Shake128StateX4 +absorb___2size_t(uint8_t input[2U][34U]) +{ + libcrux_digest_incremental_x4_Shake128StateX4 + state = libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__new(); + Eurydice_slice data[2U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + uint8_t buf[1U] = { 0U }; + data[i] = Eurydice_array_to_slice((size_t)1U, buf, uint8_t, Eurydice_slice); + } + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + Eurydice_slice + uu____0 = Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, Eurydice_slice); + data[i0] = uu____0; + } + libcrux_digest_incremental_x4_Shake128StateX4 *uu____1 = &state; + Eurydice_slice uu____2[2U]; + memcpy(uu____2, data, (size_t)2U * sizeof (Eurydice_slice)); + 
libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final((size_t)2U, + uu____1, + uu____2, + void *); + return state; +} + +static inline void +squeeze_three_blocks___2size_t( + libcrux_digest_incremental_x4_Shake128StateX4 *xof_state, + uint8_t ret[2U][504U] +) +{ + uint8_t output[2U][504U]; + libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks((size_t)504U, + (size_t)2U, + xof_state, + output, + void *); + uint8_t out[2U][504U] = { { 0U } }; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + uint8_t uu____0[504U]; + memcpy(uu____0, output[i0], (size_t)504U * sizeof (uint8_t)); + memcpy(out[i0], uu____0, (size_t)504U * sizeof (uint8_t)); + } + memcpy(ret, out, (size_t)2U * sizeof (uint8_t [504U])); +} + +static bool +sample_from_uniform_distribution_next___2size_t_504size_t( + uint8_t randomness[2U][504U], + size_t *sampled_coefficients, + int32_t (*out)[256U] +) +{ + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + core_slice_iter_Chunks + iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter(core_slice___Slice_T___chunks(Eurydice_array_to_slice((size_t)504U, + randomness[i0], + uint8_t, + Eurydice_slice), + (size_t)3U, + uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, + core_slice_iter_Chunks); + while (true) + { + core_option_Option__Eurydice_slice_uint8_t + uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next(&iter, + uint8_t, + core_option_Option__Eurydice_slice_uint8_t); + if (uu____0.tag == core_option_None) + { + break; + } + else + { + Eurydice_slice bytes = uu____0.f0; + int32_t b1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t b2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t b3 = (int32_t)Eurydice_slice_index(bytes, 
(size_t)2U, uint8_t, uint8_t); + int32_t d1 = (b2 & (int32_t)15) << 8U | b1; + int32_t d2 = b3 << 4U | b2 >> 4U; + bool uu____1; + if (d1 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____1 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____1 = false; + } + if (uu____1) + { + out[i0][sampled_coefficients[i0]] = d1; + size_t uu____2 = i0; + sampled_coefficients[uu____2] = sampled_coefficients[uu____2] + (size_t)1U; + } + bool uu____3; + if (d2 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____3 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____3 = false; + } + if (uu____3) + { + out[i0][sampled_coefficients[i0]] = d2; + size_t uu____4 = i0; + sampled_coefficients[uu____4] = sampled_coefficients[uu____4] + (size_t)1U; + } + } + } + if (sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) + { + done = false; + } + } + return done; +} + +static inline void +squeeze_block___2size_t( + libcrux_digest_incremental_x4_Shake128StateX4 *xof_state, + uint8_t ret[2U][168U] +) +{ + uint8_t output[2U][168U]; + libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks((size_t)168U, + (size_t)2U, + xof_state, + output, + void *); + uint8_t out[2U][168U] = { { 0U } }; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + uint8_t uu____0[168U]; + memcpy(uu____0, output[i0], (size_t)168U * sizeof (uint8_t)); + memcpy(out[i0], uu____0, (size_t)168U * sizeof (uint8_t)); + } + memcpy(ret, out, (size_t)2U * sizeof (uint8_t [168U])); +} + +static bool +sample_from_uniform_distribution_next___2size_t_168size_t( + uint8_t randomness[2U][168U], + size_t *sampled_coefficients, + int32_t (*out)[256U] +) +{ + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + core_slice_iter_Chunks + iter = + 
core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter(core_slice___Slice_T___chunks(Eurydice_array_to_slice((size_t)168U, + randomness[i0], + uint8_t, + Eurydice_slice), + (size_t)3U, + uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, + core_slice_iter_Chunks); + while (true) + { + core_option_Option__Eurydice_slice_uint8_t + uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next(&iter, + uint8_t, + core_option_Option__Eurydice_slice_uint8_t); + if (uu____0.tag == core_option_None) + { + break; + } + else + { + Eurydice_slice bytes = uu____0.f0; + int32_t b1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t b2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t b3 = (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + int32_t d1 = (b2 & (int32_t)15) << 8U | b1; + int32_t d2 = b3 << 4U | b2 >> 4U; + bool uu____1; + if (d1 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____1 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____1 = false; + } + if (uu____1) + { + out[i0][sampled_coefficients[i0]] = d1; + size_t uu____2 = i0; + sampled_coefficients[uu____2] = sampled_coefficients[uu____2] + (size_t)1U; + } + bool uu____3; + if (d2 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____3 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____3 = false; + } + if (uu____3) + { + out[i0][sampled_coefficients[i0]] = d2; + size_t uu____4 = i0; + sampled_coefficients[uu____4] = sampled_coefficients[uu____4] + (size_t)1U; + } + } + } + if (sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) + { + done = false; + } + } + return done; +} + +static void sample_from_xof___2size_t(uint8_t seeds[2U][34U], int32_t ret[2U][256U]) +{ + size_t sampled_coefficients[2U] = { 0U }; 
+ int32_t out[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(out[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + uint8_t uu____0[2U][34U]; + memcpy(uu____0, seeds, (size_t)2U * sizeof (uint8_t [34U])); + libcrux_digest_incremental_x4_Shake128StateX4 xof_state = absorb___2size_t(uu____0); + uint8_t randomness0[2U][504U]; + squeeze_three_blocks___2size_t(&xof_state, randomness0); + uint8_t uu____1[2U][504U]; + memcpy(uu____1, randomness0, (size_t)2U * sizeof (uint8_t [504U])); + bool + done = + sample_from_uniform_distribution_next___2size_t_504size_t(uu____1, + sampled_coefficients, + out); + while (true) + { + if (!!done) + { + break; + } + uint8_t randomness[2U][168U]; + squeeze_block___2size_t(&xof_state, randomness); + uint8_t uu____2[2U][168U]; + memcpy(uu____2, randomness, (size_t)2U * sizeof (uint8_t [168U])); + done = + sample_from_uniform_distribution_next___2size_t_168size_t(uu____2, + sampled_coefficients, + out); + } + libcrux_kyber_hash_functions_free_state(xof_state); + memcpy(ret, out, (size_t)2U * sizeof (int32_t [256U])); +} + +static inline void +sample_matrix_A___2size_t(uint8_t seed[34U], bool transpose, int32_t ret[2U][2U][256U]) +{ + int32_t A_transpose[2U][2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(A_transpose[i][0U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + memcpy(A_transpose[i][1U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)2U; i0++) + { + size_t i1 = i0; + uint8_t uu____0[34U]; + memcpy(uu____0, seed, (size_t)34U * sizeof (uint8_t)); + uint8_t seeds[2U][34U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(seeds[i], uu____0, (size_t)34U * sizeof (uint8_t)); + } + for (size_t i = 
(size_t)0U; i < (size_t)2U; i++) + { + size_t j = i; + seeds[j][32U] = (uint8_t)i1; + seeds[j][33U] = (uint8_t)j; + } + uint8_t uu____1[2U][34U]; + memcpy(uu____1, seeds, (size_t)2U * sizeof (uint8_t [34U])); + int32_t sampled[2U][256U]; + sample_from_xof___2size_t(uu____1, sampled); + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t j = i; + if (transpose) + { + memcpy(A_transpose[j][i1], sampled[j], (size_t)256U * sizeof (int32_t)); + } + else + { + memcpy(A_transpose[i1][j], sampled[j], (size_t)256U * sizeof (int32_t)); + } + } + } + memcpy(ret, A_transpose, (size_t)2U * sizeof (int32_t [2U][256U])); +} + +static void PRF___192size_t(Eurydice_slice input, uint8_t ret[192U]) +{ + uint8_t ret0[192U]; + libcrux_digest_shake256((size_t)192U, input, ret0, void *); + memcpy(ret, ret0, (size_t)192U * sizeof (uint8_t)); +} + +static inline void +sample_from_binomial_distribution___3size_t(Eurydice_slice randomness, int32_t ret[256U]) +{ + int32_t uu____0[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution_3(randomness, uu____0); + memcpy(ret, uu____0, (size_t)256U * sizeof (int32_t)); +} + +typedef struct __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__uint8_t_s +{ + int32_t fst[2U][256U]; + uint8_t snd; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__uint8_t; + +static inline __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__uint8_t +sample_vector_cbd_then_ntt___2size_t_3size_t_192size_t( + uint8_t prf_input[33U], + uint8_t domain_separator +) +{ + int32_t re_as_ntt[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(re_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + prf_input[32U] = domain_separator; + domain_separator = (uint32_t)domain_separator + 1U; + uint8_t prf_output[192U]; + 
PRF___192size_t(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), + prf_output); + int32_t r[256U]; + sample_from_binomial_distribution___3size_t(Eurydice_array_to_slice((size_t)192U, + prf_output, + uint8_t, + Eurydice_slice), + r); + int32_t uu____0[256U]; + libcrux_kyber_ntt_ntt_binomially_sampled_ring_element(r, uu____0); + memcpy(re_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + int32_t uu____1[2U][256U]; + memcpy(uu____1, re_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__uint8_t lit; + memcpy(lit.fst, uu____1, (size_t)2U * sizeof (int32_t [256U])); + lit.snd = domain_separator; + return lit; +} + +static void +add_to_ring_element___2size_t(int32_t lhs[256U], int32_t (*rhs)[256U], int32_t ret[256U]) +{ + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, lhs, int32_t, Eurydice_slice), + int32_t, + size_t); + i++) + { + size_t i0 = i; + size_t uu____0 = i0; + lhs[uu____0] = lhs[uu____0] + rhs[0U][i0]; + } + memcpy(ret, lhs, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_As_plus_e___2size_t( + int32_t (*matrix_A)[2U][256U], + int32_t (*s_as_ntt)[256U], + int32_t (*error_as_ntt)[256U], + int32_t ret[2U][256U] +) +{ + int32_t result[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(result[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)2U, + matrix_A, + Eurydice_error_t_cg_array, + Eurydice_slice), + int32_t [2U][256U], + size_t); + i0++) + { + size_t i1 = i0; + int32_t (*row)[256U] = matrix_A[i1]; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)2U, + row, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { 
+ size_t j = i; + int32_t (*matrix_element)[256U] = &row[j]; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(matrix_element, &s_as_ntt[j], product); + int32_t uu____0[256U]; + add_to_ring_element___2size_t(result[i1], &product, uu____0); + memcpy(result[i1], uu____0, (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t j = i; + int32_t coefficient_normal_form = libcrux_kyber_arithmetic_to_standard_domain(result[i1][j]); + int32_t + uu____1 = + libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + error_as_ntt[i1][j]); + result[i1][j] = uu____1; + } + } + memcpy(ret, result, (size_t)2U * sizeof (int32_t [256U])); +} + +typedef struct +__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t__s +{ + int32_t fst[2U][256U]; + int32_t snd[2U][256U]; + int32_t thd[2U][2U][256U]; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t_; + +typedef struct +__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t__uint8_t_800size_t__s +{ + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t_ + fst; + uint8_t snd[800U]; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t__uint8_t_800size_t_; + +static 
__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t__uint8_t_800size_t_ +generate_keypair_unpacked___2size_t_800size_t_768size_t_3size_t_192size_t( + Eurydice_slice key_generation_seed +) +{ + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(key_generation_seed, hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + (size_t)32U, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice seed_for_A = uu____0.fst; + Eurydice_slice seed_for_secret_and_error = uu____0.snd; + int32_t a_transpose[2U][2U][256U]; + uint8_t ret[34U]; + libcrux_kyber_ind_cpa_into_padded_array___34size_t(seed_for_A, ret); + sample_matrix_A___2size_t(ret, true, a_transpose); + uint8_t prf_input[33U]; + libcrux_kyber_ind_cpa_into_padded_array___33size_t(seed_for_secret_and_error, prf_input); + uint8_t uu____1[33U]; + memcpy(uu____1, prf_input, (size_t)33U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__uint8_t + uu____2 = sample_vector_cbd_then_ntt___2size_t_3size_t_192size_t(uu____1, 0U); + int32_t secret_as_ntt[2U][256U]; + memcpy(secret_as_ntt, uu____2.fst, (size_t)2U * sizeof (int32_t [256U])); + uint8_t domain_separator = uu____2.snd; + uint8_t uu____3[33U]; + memcpy(uu____3, prf_input, (size_t)33U * sizeof (uint8_t)); + int32_t error_as_ntt[2U][256U]; + memcpy(error_as_ntt, + sample_vector_cbd_then_ntt___2size_t_3size_t_192size_t(uu____3, domain_separator).fst, + (size_t)2U * sizeof (int32_t [256U])); + int32_t t_as_ntt[2U][256U]; + compute_As_plus_e___2size_t(a_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); + int32_t uu____4[2U][256U]; + memcpy(uu____4, t_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + uint8_t public_key_serialized[800U]; + 
serialize_public_key___2size_t_768size_t_800size_t(uu____4, seed_for_A, public_key_serialized); + for (size_t i0 = (size_t)0U; i0 < (size_t)2U; i0++) + { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)256U; i++) + { + size_t j = i; + uint16_t uu____5 = libcrux_kyber_arithmetic_to_unsigned_representative(secret_as_ntt[i1][j]); + secret_as_ntt[i1][j] = (int32_t)uu____5; + uint16_t uu____6 = libcrux_kyber_arithmetic_to_unsigned_representative(t_as_ntt[i1][j]); + t_as_ntt[i1][j] = (int32_t)uu____6; + } + } + int32_t a_matrix[2U][2U][256U]; + memcpy(a_matrix, a_transpose, (size_t)2U * sizeof (int32_t [2U][256U])); + for (size_t i0 = (size_t)0U; i0 < (size_t)2U; i0++) + { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t j = i; + memcpy(a_matrix[i1][j], a_transpose[j][i1], (size_t)256U * sizeof (int32_t)); + } + } + int32_t uu____7[2U][256U]; + memcpy(uu____7, secret_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + int32_t uu____8[2U][256U]; + memcpy(uu____8, t_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + int32_t uu____9[2U][2U][256U]; + memcpy(uu____9, a_matrix, (size_t)2U * sizeof (int32_t [2U][256U])); + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t_ + uu____10; + memcpy(uu____10.fst, uu____7, (size_t)2U * sizeof (int32_t [256U])); + memcpy(uu____10.snd, uu____8, (size_t)2U * sizeof (int32_t [256U])); + memcpy(uu____10.thd, uu____9, (size_t)2U * sizeof (int32_t [2U][256U])); + uint8_t uu____11[800U]; + memcpy(uu____11, public_key_serialized, (size_t)800U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t__uint8_t_800size_t_ + lit; + lit.fst = uu____10; + memcpy(lit.snd, uu____11, (size_t)800U * sizeof (uint8_t)); + return lit; +} + 
+typedef struct __uint8_t_768size_t__uint8_t_800size_t__s +{ + uint8_t fst[768U]; + uint8_t snd[800U]; +} +__uint8_t_768size_t__uint8_t_800size_t_; + +static __uint8_t_768size_t__uint8_t_800size_t_ +generate_keypair___2size_t_768size_t_800size_t_768size_t_3size_t_192size_t( + Eurydice_slice key_generation_seed +) +{ + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t__uint8_t_800size_t_ + uu____0 = + generate_keypair_unpacked___2size_t_800size_t_768size_t_3size_t_192size_t(key_generation_seed); + int32_t secret_as_ntt[2U][256U]; + memcpy(secret_as_ntt, uu____0.fst.fst, (size_t)2U * sizeof (int32_t [256U])); + int32_t _t_as_ntt[2U][256U]; + memcpy(_t_as_ntt, uu____0.fst.snd, (size_t)2U * sizeof (int32_t [256U])); + int32_t _a_transpose[2U][2U][256U]; + memcpy(_a_transpose, uu____0.fst.thd, (size_t)2U * sizeof (int32_t [2U][256U])); + uint8_t public_key_serialized[800U]; + memcpy(public_key_serialized, uu____0.snd, (size_t)800U * sizeof (uint8_t)); + int32_t uu____1[2U][256U]; + memcpy(uu____1, secret_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + uint8_t secret_key_serialized[768U]; + serialize_secret_key___2size_t_768size_t(uu____1, secret_key_serialized); + uint8_t uu____2[768U]; + memcpy(uu____2, secret_key_serialized, (size_t)768U * sizeof (uint8_t)); + uint8_t uu____3[800U]; + memcpy(uu____3, public_key_serialized, (size_t)800U * sizeof (uint8_t)); + __uint8_t_768size_t__uint8_t_800size_t_ lit; + memcpy(lit.fst, uu____2, (size_t)768U * sizeof (uint8_t)); + memcpy(lit.snd, uu____3, (size_t)800U * sizeof (uint8_t)); + return lit; +} + +static inline void +serialize_kem_secret_key___1632size_t( + Eurydice_slice private_key, + Eurydice_slice public_key, + Eurydice_slice implicit_rejection_value, + uint8_t ret[1632U] +) +{ + uint8_t out[1632U] = { 0U }; + size_t pointer = (size_t)0U; + uint8_t *uu____0 = out; + size_t uu____1 = 
pointer; + size_t uu____2 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)1632U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = uu____1, + .end = uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + private_key, + uint8_t, + void *); + pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uint8_t *uu____3 = out; + size_t uu____4 = pointer; + size_t uu____5 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)1632U, + uu____3, + ( + (core_ops_range_Range__size_t){ + .start = uu____4, + .end = uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + public_key, + uint8_t, + void *); + pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + Eurydice_slice + uu____6 = + Eurydice_array_to_subslice((size_t)1632U, + out, + ( + (core_ops_range_Range__size_t){ + .start = pointer, + .end = pointer + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[32U]; + libcrux_kyber_hash_functions_H(public_key, ret0); + core_slice___Slice_T___copy_from_slice(uu____6, + Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + pointer = pointer + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE; + uint8_t *uu____7 = out; + size_t uu____8 = pointer; + size_t uu____9 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)1632U, + uu____7, + ( + (core_ops_range_Range__size_t){ + .start = uu____8, + .end = uu____9 + core_slice___Slice_T___len(implicit_rejection_value, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + implicit_rejection_value, + uint8_t, + void *); + memcpy(ret, out, (size_t)1632U * sizeof (uint8_t)); +} + 
+typedef uint8_t MlKemPrivateKey___1632size_t[1632U]; + +static void from___1632size_t(uint8_t value[1632U], uint8_t ret[1632U]) +{ + uint8_t uu____0[1632U]; + memcpy(uu____0, value, (size_t)1632U * sizeof (uint8_t)); + memcpy(ret, uu____0, (size_t)1632U * sizeof (uint8_t)); +} + +static libcrux_kyber_types_MlKemKeyPair___1632size_t_800size_t +from___1632size_t_800size_t(uint8_t sk[1632U], uint8_t pk[800U]) +{ + libcrux_kyber_types_MlKemKeyPair___1632size_t_800size_t lit; + memcpy(lit.sk, sk, (size_t)1632U * sizeof (uint8_t)); + memcpy(lit.pk, pk, (size_t)800U * sizeof (uint8_t)); + return lit; +} + +static libcrux_kyber_types_MlKemKeyPair___1632size_t_800size_t +generate_keypair___2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( + uint8_t randomness[64U] +) +{ + Eurydice_slice + ind_cpa_keypair_randomness = + Eurydice_array_to_subslice((size_t)64U, + randomness, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_subslice_from((size_t)64U, + randomness, + LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, + uint8_t, + size_t, + Eurydice_slice); + __uint8_t_768size_t__uint8_t_800size_t_ + uu____0 = + generate_keypair___2size_t_768size_t_800size_t_768size_t_3size_t_192size_t(ind_cpa_keypair_randomness); + uint8_t ind_cpa_private_key[768U]; + memcpy(ind_cpa_private_key, uu____0.fst, (size_t)768U * sizeof (uint8_t)); + uint8_t public_key[800U]; + memcpy(public_key, uu____0.snd, (size_t)800U * sizeof (uint8_t)); + Eurydice_slice + uu____1 = Eurydice_array_to_slice((size_t)768U, ind_cpa_private_key, uint8_t, Eurydice_slice); + uint8_t secret_key_serialized[1632U]; + serialize_kem_secret_key___1632size_t(uu____1, + Eurydice_array_to_slice((size_t)800U, public_key, uint8_t, Eurydice_slice), + implicit_rejection_value, + 
secret_key_serialized); + uint8_t uu____2[1632U]; + memcpy(uu____2, secret_key_serialized, (size_t)1632U * sizeof (uint8_t)); + uint8_t private_key[1632U]; + from___1632size_t(uu____2, private_key); + uint8_t uu____3[1632U]; + memcpy(uu____3, private_key, (size_t)1632U * sizeof (uint8_t)); + uint8_t uu____4[800U]; + memcpy(uu____4, public_key, (size_t)800U * sizeof (uint8_t)); + return from___1632size_t_800size_t(uu____3, uu____4); +} + +libcrux_kyber_types_MlKemKeyPair___1632size_t_800size_t +libcrux_kyber_kyber512_generate_key_pair(uint8_t randomness[64U]) +{ + uint8_t uu____0[64U]; + memcpy(uu____0, randomness, (size_t)64U * sizeof (uint8_t)); + return + generate_keypair___2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t(uu____0); +} + +static void from___800size_t(uint8_t value[800U], uint8_t ret[800U]) +{ + uint8_t uu____0[800U]; + memcpy(uu____0, value, (size_t)800U * sizeof (uint8_t)); + memcpy(ret, uu____0, (size_t)800U * sizeof (uint8_t)); +} + +static K___libcrux_kyber_MlKemState__2size_t___libcrux_kyber_types_MlKemPublicKey__800size_t__ +generate_keypair_unpacked___2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( + uint8_t randomness[64U] +) +{ + Eurydice_slice + ind_cpa_keypair_randomness = + Eurydice_array_to_subslice((size_t)64U, + randomness, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_subslice_from((size_t)64U, + randomness, + LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, + uint8_t, + size_t, + Eurydice_slice); + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t____libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__2size_t__uint8_t_800size_t_ + uu____0 = + 
generate_keypair_unpacked___2size_t_800size_t_768size_t_3size_t_192size_t(ind_cpa_keypair_randomness); + int32_t secret_as_ntt[2U][256U]; + memcpy(secret_as_ntt, uu____0.fst.fst, (size_t)2U * sizeof (int32_t [256U])); + int32_t t_as_ntt[2U][256U]; + memcpy(t_as_ntt, uu____0.fst.snd, (size_t)2U * sizeof (int32_t [256U])); + int32_t a_transpose[2U][2U][256U]; + memcpy(a_transpose, uu____0.fst.thd, (size_t)2U * sizeof (int32_t [2U][256U])); + uint8_t ind_cpa_public_key[800U]; + memcpy(ind_cpa_public_key, uu____0.snd, (size_t)800U * sizeof (uint8_t)); + uint8_t ind_cpa_public_key_hash[32U]; + libcrux_kyber_hash_functions_H(Eurydice_array_to_slice((size_t)800U, + ind_cpa_public_key, + uint8_t, + Eurydice_slice), + ind_cpa_public_key_hash); + uint8_t rej[32U]; + core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; + Eurydice_slice_to_array2(&dst, + implicit_rejection_value, + Eurydice_slice, + uint8_t [32U], + void *); + core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError(dst, + rej); + uint8_t uu____1[800U]; + memcpy(uu____1, ind_cpa_public_key, (size_t)800U * sizeof (uint8_t)); + uint8_t pubkey[800U]; + from___800size_t(uu____1, pubkey); + int32_t uu____2[2U][256U]; + memcpy(uu____2, secret_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + int32_t uu____3[2U][256U]; + memcpy(uu____3, t_as_ntt, (size_t)2U * sizeof (int32_t [256U])); + int32_t uu____4[2U][2U][256U]; + memcpy(uu____4, a_transpose, (size_t)2U * sizeof (int32_t [2U][256U])); + uint8_t uu____5[32U]; + memcpy(uu____5, rej, (size_t)32U * sizeof (uint8_t)); + uint8_t uu____6[32U]; + memcpy(uu____6, ind_cpa_public_key_hash, (size_t)32U * sizeof (uint8_t)); + K___libcrux_kyber_MlKemState__2size_t___libcrux_kyber_types_MlKemPublicKey__800size_t__ lit; + memcpy(lit.fst.secret_as_ntt, uu____2, (size_t)2U * sizeof (int32_t [256U])); + memcpy(lit.fst.t_as_ntt, uu____3, (size_t)2U * sizeof (int32_t [256U])); + memcpy(lit.fst.a_transpose, uu____4, (size_t)2U 
* sizeof (int32_t [2U][256U])); + memcpy(lit.fst.rej, uu____5, (size_t)32U * sizeof (uint8_t)); + memcpy(lit.fst.ind_cpa_public_key_hash, uu____6, (size_t)32U * sizeof (uint8_t)); + memcpy(lit.snd, pubkey, (size_t)800U * sizeof (uint8_t)); + return lit; +} + +K___libcrux_kyber_MlKemState__2size_t___libcrux_kyber_types_MlKemPublicKey__800size_t__ +libcrux_kyber_kyber512_generate_key_pair_unpacked(uint8_t randomness[64U]) +{ + uint8_t uu____0[64U]; + memcpy(uu____0, randomness, (size_t)64U * sizeof (uint8_t)); + return + generate_keypair_unpacked___2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t(uu____0); +} + +static uint8_t *as_slice___800size_t(uint8_t (*self)[800U]) +{ + return self[0U]; +} + +static inline void +deserialize_ring_elements_reduced___768size_t_2size_t( + Eurydice_slice public_key, + int32_t ret[2U][256U] +) +{ + int32_t deserialized_pk[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(deserialized_pk[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(public_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + ring_element = + Eurydice_slice_subslice(public_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_reduced_ring_element(ring_element, uu____0); + memcpy(deserialized_pk[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, deserialized_pk, (size_t)2U * sizeof (int32_t [256U])); +} + +static inline void +sample_ring_element_cbd___2size_t_128size_t_2size_t( + uint8_t 
*prf_input, + uint8_t *domain_separator, + int32_t ret[2U][256U] +) +{ + int32_t error_1[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(error_1[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + prf_input[32U] = domain_separator[0U]; + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t uu____0[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + uu____0); + memcpy(error_1[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, error_1, (size_t)2U * sizeof (int32_t [256U])); +} + +static inline void invert_ntt_montgomery___2size_t(int32_t re[256U], int32_t ret[256U]) +{ + size_t zeta_i = LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)1U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)2U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)3U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)4U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)5U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)6U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)7U, re); + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(re[i0]); + re[i0] = uu____0; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_vector_u___2size_t( + int32_t (*a_as_ntt)[2U][256U], + int32_t (*r_as_ntt)[256U], + int32_t (*error_1)[256U], + 
int32_t ret[2U][256U] +) +{ + int32_t result[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(result[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)2U, + a_as_ntt, + Eurydice_error_t_cg_array, + Eurydice_slice), + int32_t [2U][256U], + size_t); + i0++) + { + size_t i1 = i0; + int32_t (*row)[256U] = a_as_ntt[i1]; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)2U, + row, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t j = i; + int32_t (*a_element)[256U] = &row[j]; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(a_element, &r_as_ntt[j], product); + int32_t uu____0[256U]; + add_to_ring_element___2size_t(result[i1], &product, uu____0); + memcpy(result[i1], uu____0, (size_t)256U * sizeof (int32_t)); + } + int32_t uu____1[256U]; + invert_ntt_montgomery___2size_t(result[i1], uu____1); + memcpy(result[i1], uu____1, (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t j = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i1][j] * (int32_t)1441); + int32_t + uu____2 = libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + error_1[i1][j]); + result[i1][j] = uu____2; + } + } + memcpy(ret, result, (size_t)2U * sizeof (int32_t [256U])); +} + +static inline void +compute_ring_element_v___2size_t( + int32_t (*t_as_ntt)[256U], + int32_t (*r_as_ntt)[256U], + int32_t (*error_2)[256U], + int32_t (*message)[256U], + int32_t ret[256U] +) +{ + int32_t result[256U]; + memcpy(result, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < 
(size_t)2U; i++) + { + size_t i0 = i; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(&t_as_ntt[i0], &r_as_ntt[i0], product); + add_to_ring_element___2size_t(result, &product, result); + } + invert_ntt_montgomery___2size_t(result, result); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i0] * (int32_t)1441); + int32_t + uu____0 = + libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + + error_2[0U][i0] + + message[0U][i0]); + result[i0] = uu____0; + } + memcpy(ret, result, (size_t)256U * sizeof (int32_t)); +} + +static void +compress_then_serialize_u___2size_t_640size_t_10size_t_320size_t( + int32_t input[2U][256U], + uint8_t ret[640U] +) +{ + uint8_t out[640U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)2U, + input, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t i0 = i; + int32_t re[256U]; + memcpy(re, input[i0], (size_t)256U * sizeof (int32_t)); + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice((size_t)640U, + out, + ( + (core_ops_range_Range__size_t){ + .start = i0 * ((size_t)640U / (size_t)2U), + .end = (i0 + (size_t)1U) * ((size_t)640U / (size_t)2U) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[320U]; + libcrux_kyber_serialize_compress_then_serialize_ring_element_u___10size_t_320size_t(re, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)320U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + } + memcpy(ret, out, (size_t)640U * sizeof (uint8_t)); +} + +static inline void into_padded_array___768size_t(Eurydice_slice slice, uint8_t ret[768U]) +{ + uint8_t out[768U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)768U, + 
uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)768U * sizeof (uint8_t)); +} + +static void +encrypt_unpacked___2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( + int32_t (*t_as_ntt)[256U], + int32_t (*a_transpose)[2U][256U], + uint8_t message[32U], + Eurydice_slice randomness, + uint8_t ret[768U] +) +{ + uint8_t prf_input[33U]; + libcrux_kyber_ind_cpa_into_padded_array___33size_t(randomness, prf_input); + uint8_t uu____0[33U]; + memcpy(uu____0, prf_input, (size_t)33U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_2size_t__uint8_t + uu____1 = sample_vector_cbd_then_ntt___2size_t_3size_t_192size_t(uu____0, 0U); + int32_t r_as_ntt[2U][256U]; + memcpy(r_as_ntt, uu____1.fst, (size_t)2U * sizeof (int32_t [256U])); + uint8_t domain_separator = uu____1.snd; + int32_t error_1[2U][256U]; + sample_ring_element_cbd___2size_t_128size_t_2size_t(prf_input, &domain_separator, error_1); + prf_input[32U] = domain_separator; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t error_2[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + error_2); + int32_t u[2U][256U]; + compute_vector_u___2size_t(a_transpose, r_as_ntt, error_1, u); + uint8_t uu____2[32U]; + memcpy(uu____2, message, (size_t)32U * sizeof (uint8_t)); + int32_t message_as_ring_element[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_message(uu____2, message_as_ring_element); + int32_t v[256U]; + compute_ring_element_v___2size_t(t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element, 
v); + int32_t uu____3[2U][256U]; + memcpy(uu____3, u, (size_t)2U * sizeof (int32_t [256U])); + uint8_t c1[640U]; + compress_then_serialize_u___2size_t_640size_t_10size_t_320size_t(uu____3, c1); + uint8_t c2[128U]; + libcrux_kyber_serialize_compress_then_serialize_ring_element_v___4size_t_128size_t(v, c2); + uint8_t ciphertext[768U]; + into_padded_array___768size_t(Eurydice_array_to_slice((size_t)640U, + c1, + uint8_t, + Eurydice_slice), + ciphertext); + Eurydice_slice + uu____4 = + Eurydice_array_to_subslice_from((size_t)768U, + ciphertext, + (size_t)640U, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____4, + core_array___Array_T__N__23__as_slice((size_t)128U, c2, uint8_t, Eurydice_slice), + uint8_t, + void *); + memcpy(ret, ciphertext, (size_t)768U * sizeof (uint8_t)); +} + +static void +encrypt___2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( + Eurydice_slice public_key, + uint8_t message[32U], + Eurydice_slice randomness, + uint8_t ret[768U] +) +{ + int32_t t_as_ntt[2U][256U]; + deserialize_ring_elements_reduced___768size_t_2size_t(Eurydice_slice_subslice_to(public_key, + (size_t)768U, + uint8_t, + size_t, + Eurydice_slice), + t_as_ntt); + Eurydice_slice + seed = Eurydice_slice_subslice_from(public_key, (size_t)768U, uint8_t, size_t, Eurydice_slice); + int32_t a_transpose[2U][2U][256U]; + uint8_t ret0[34U]; + libcrux_kyber_ind_cpa_into_padded_array___34size_t(seed, ret0); + sample_matrix_A___2size_t(ret0, false, a_transpose); + int32_t (*uu____0)[256U] = t_as_ntt; + int32_t (*uu____1)[2U][256U] = a_transpose; + uint8_t uu____2[32U]; + memcpy(uu____2, message, (size_t)32U * sizeof (uint8_t)); + uint8_t ret1[768U]; + encrypt_unpacked___2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t(uu____0, + uu____1, + uu____2, + randomness, + ret1); + memcpy(ret, ret1, (size_t)768U * sizeof (uint8_t)); +} + 
+typedef uint8_t MlKemCiphertext___768size_t[768U]; + +static K___libcrux_kyber_types_MlKemCiphertext__768size_t___uint8_t_32size_t_ +encapsulate___2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( + uint8_t (*public_key)[800U], + uint8_t randomness[32U] +) +{ + uint8_t to_hash[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + randomness, + uint8_t, + Eurydice_slice), + to_hash); + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice_from((size_t)64U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE, + uint8_t, + size_t, + Eurydice_slice); + uint8_t ret[32U]; + libcrux_kyber_hash_functions_H(Eurydice_array_to_slice((size_t)800U, + as_slice___800size_t(public_key), + uint8_t, + Eurydice_slice), + ret); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____1 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____1.fst; + Eurydice_slice pseudorandomness = uu____1.snd; + Eurydice_slice + uu____2 = + Eurydice_array_to_slice((size_t)800U, + as_slice___800size_t(public_key), + uint8_t, + Eurydice_slice); + uint8_t uu____3[32U]; + memcpy(uu____3, randomness, (size_t)32U * sizeof (uint8_t)); + uint8_t ciphertext[768U]; + encrypt___2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t(uu____2, + uu____3, + pseudorandomness, + ciphertext); + uint8_t shared_secret_array[32U] = { 0U }; + 
core_slice___Slice_T___copy_from_slice(Eurydice_array_to_slice((size_t)32U, + shared_secret_array, + uint8_t, + Eurydice_slice), + shared_secret, + uint8_t, + void *); + uint8_t uu____4[768U]; + memcpy(uu____4, ciphertext, (size_t)768U * sizeof (uint8_t)); + uint8_t uu____5[768U]; + memcpy(uu____5, uu____4, (size_t)768U * sizeof (uint8_t)); + uint8_t uu____6[32U]; + memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof (uint8_t)); + K___libcrux_kyber_types_MlKemCiphertext__768size_t___uint8_t_32size_t_ lit; + memcpy(lit.fst, uu____5, (size_t)768U * sizeof (uint8_t)); + memcpy(lit.snd, uu____6, (size_t)32U * sizeof (uint8_t)); + return lit; +} + +K___libcrux_kyber_types_MlKemCiphertext__768size_t___uint8_t_32size_t_ +libcrux_kyber_kyber512_encapsulate(uint8_t (*public_key)[800U], uint8_t randomness[32U]) +{ + uint8_t (*uu____0)[800U] = public_key; + uint8_t uu____1[32U]; + memcpy(uu____1, randomness, (size_t)32U * sizeof (uint8_t)); + return + encapsulate___2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t(uu____0, + uu____1); +} + +static K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t +split_at___1632size_t(uint8_t (*self)[1632U], size_t mid) +{ + return + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)1632U, + self[0U], + uint8_t, + Eurydice_slice), + mid, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); +} + +static inline void +deserialize_secret_key___2size_t(Eurydice_slice secret_key, int32_t ret[2U][256U]) +{ + int32_t secret_as_ntt[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(secret_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(secret_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + 
secret_bytes = + Eurydice_slice_subslice(secret_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_uncompressed_ring_element(secret_bytes, uu____0); + memcpy(secret_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, secret_as_ntt, (size_t)2U * sizeof (int32_t [256U])); +} + +static inline void +deserialize_then_decompress_u___2size_t_768size_t_10size_t( + uint8_t *ciphertext, + int32_t ret[2U][256U] +) +{ + int32_t u_as_ntt[2U][256U]; + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + memcpy(u_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)768U, + ciphertext, + uint8_t, + Eurydice_slice), + uint8_t, + size_t) + / (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); + i++) + { + size_t i0 = i; + Eurydice_slice + u_bytes = + Eurydice_array_to_subslice((size_t)768U, + ciphertext, + ( + (core_ops_range_Range__size_t){ + .start = i0 + * (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U), + .end = i0 + * (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U) + + LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t u[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_ring_element_u___10size_t(u_bytes, u); + int32_t uu____0[256U]; + libcrux_kyber_ntt_ntt_vector_u___10size_t(u, uu____0); + memcpy(u_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } 
+ memcpy(ret, u_as_ntt, (size_t)2U * sizeof (int32_t [256U])); +} + +static inline void +compute_message___2size_t( + int32_t (*v)[256U], + int32_t (*secret_as_ntt)[256U], + int32_t (*u_as_ntt)[256U], + int32_t ret[256U] +) +{ + int32_t result[256U]; + memcpy(result, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < (size_t)2U; i++) + { + size_t i0 = i; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(&secret_as_ntt[i0], &u_as_ntt[i0], product); + add_to_ring_element___2size_t(result, &product, result); + } + invert_ntt_montgomery___2size_t(result, result); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i0] * (int32_t)1441); + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(v[0U][i0] - coefficient_normal_form); + result[i0] = uu____0; + } + memcpy(ret, result, (size_t)256U * sizeof (int32_t)); +} + +static void +decrypt_unpacked___2size_t_768size_t_640size_t_10size_t_4size_t( + int32_t (*secret_as_ntt)[256U], + uint8_t *ciphertext, + uint8_t ret[32U] +) +{ + int32_t u_as_ntt[2U][256U]; + deserialize_then_decompress_u___2size_t_768size_t_10size_t(ciphertext, u_as_ntt); + int32_t v[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_ring_element_v___4size_t(Eurydice_array_to_subslice_from((size_t)768U, + ciphertext, + (size_t)640U, + uint8_t, + size_t, + Eurydice_slice), + v); + int32_t message[256U]; + compute_message___2size_t(&v, secret_as_ntt, u_as_ntt, message); + uint8_t ret0[32U]; + libcrux_kyber_serialize_compress_then_serialize_message(message, ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static void +decrypt___2size_t_768size_t_640size_t_10size_t_4size_t( + Eurydice_slice secret_key, + uint8_t *ciphertext, + uint8_t ret[32U] +) +{ + int32_t 
secret_as_ntt[2U][256U]; + deserialize_secret_key___2size_t(secret_key, secret_as_ntt); + uint8_t ret0[32U]; + decrypt_unpacked___2size_t_768size_t_640size_t_10size_t_4size_t(secret_as_ntt, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static inline void into_padded_array___800size_t(Eurydice_slice slice, uint8_t ret[800U]) +{ + uint8_t out[800U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)800U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)800U * sizeof (uint8_t)); +} + +static Eurydice_slice as_ref___768size_t(uint8_t (*self)[768U]) +{ + return Eurydice_array_to_slice((size_t)768U, self[0U], uint8_t, Eurydice_slice); +} + +static uint8_t +compare_ciphertexts_in_constant_time___768size_t(Eurydice_slice lhs, Eurydice_slice rhs) +{ + uint8_t r = 0U; + for (size_t i = (size_t)0U; i < (size_t)768U; i++) + { + size_t i0 = i; + uint8_t uu____0 = Eurydice_slice_index(lhs, i0, uint8_t, uint8_t); + r = + (uint32_t)r + | ((uint32_t)uu____0 ^ (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t)); + } + return libcrux_kyber_constant_time_ops_is_non_zero(r); +} + +static void +decapsulate___2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( + uint8_t (*secret_key)[1632U], + uint8_t (*ciphertext)[768U], + uint8_t ret[32U] +) +{ + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = split_at___1632size_t(secret_key, (size_t)768U); + Eurydice_slice ind_cpa_secret_key = uu____0.fst; + Eurydice_slice secret_key0 = uu____0.snd; + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____1 = + core_slice___Slice_T___split_at(secret_key0, + (size_t)800U, + 
uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice ind_cpa_public_key = uu____1.fst; + Eurydice_slice secret_key1 = uu____1.snd; + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____2 = + core_slice___Slice_T___split_at(secret_key1, + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; + Eurydice_slice implicit_rejection_value = uu____2.snd; + uint8_t decrypted[32U]; + decrypt___2size_t_768size_t_640size_t_10size_t_4size_t(ind_cpa_secret_key, + ciphertext[0U], + decrypted); + uint8_t to_hash0[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + decrypted, + uint8_t, + Eurydice_slice), + to_hash0); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)64U, + to_hash0, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice), + ind_cpa_public_key_hash, + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash0, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____3 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____3.fst; + Eurydice_slice pseudorandomness = uu____3.snd; + uint8_t to_hash[800U]; + into_padded_array___800size_t(implicit_rejection_value, to_hash); + Eurydice_slice + uu____4 = + Eurydice_array_to_subslice_from((size_t)800U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____4, + as_ref___768size_t(ciphertext), + uint8_t, + void *); + uint8_t implicit_rejection_shared_secret[32U]; + 
libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_array_to_slice((size_t)800U, + to_hash, + uint8_t, + Eurydice_slice), + implicit_rejection_shared_secret); + Eurydice_slice uu____5 = ind_cpa_public_key; + uint8_t uu____6[32U]; + memcpy(uu____6, decrypted, (size_t)32U * sizeof (uint8_t)); + uint8_t expected_ciphertext[768U]; + encrypt___2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t(uu____5, + uu____6, + pseudorandomness, + expected_ciphertext); + Eurydice_slice uu____7 = as_ref___768size_t(ciphertext); + uint8_t + selector = + compare_ciphertexts_in_constant_time___768size_t(uu____7, + Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, Eurydice_slice)); + Eurydice_slice uu____8 = shared_secret; + uint8_t ret0[32U]; + libcrux_kyber_constant_time_ops_select_shared_secret_in_constant_time(uu____8, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), + selector, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +void +libcrux_kyber_kyber512_decapsulate( + uint8_t (*secret_key)[1632U], + uint8_t (*ciphertext)[768U], + uint8_t ret[32U] +) +{ + uint8_t ret0[32U]; + decapsulate___2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t(secret_key, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static void +decapsulate_unpacked___2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( + libcrux_kyber_MlKemState___2size_t *state, + uint8_t (*ciphertext)[768U], + uint8_t ret[32U] +) +{ + int32_t (*secret_as_ntt)[256U] = state->secret_as_ntt; + int32_t (*t_as_ntt)[256U] = state->t_as_ntt; + int32_t (*a_transpose)[2U][256U] = state->a_transpose; + Eurydice_slice + implicit_rejection_value = + 
Eurydice_array_to_slice((size_t)32U, + state->rej, + uint8_t, + Eurydice_slice); + Eurydice_slice + ind_cpa_public_key_hash = + Eurydice_array_to_slice((size_t)32U, + state->ind_cpa_public_key_hash, + uint8_t, + Eurydice_slice); + uint8_t decrypted[32U]; + decrypt_unpacked___2size_t_768size_t_640size_t_10size_t_4size_t(secret_as_ntt, + ciphertext[0U], + decrypted); + uint8_t to_hash0[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + decrypted, + uint8_t, + Eurydice_slice), + to_hash0); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)64U, + to_hash0, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice), + ind_cpa_public_key_hash, + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash0, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____0.fst; + Eurydice_slice pseudorandomness = uu____0.snd; + uint8_t to_hash[800U]; + into_padded_array___800size_t(implicit_rejection_value, to_hash); + Eurydice_slice + uu____1 = + Eurydice_array_to_subslice_from((size_t)800U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____1, + as_ref___768size_t(ciphertext), + uint8_t, + void *); + uint8_t implicit_rejection_shared_secret[32U]; + libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_array_to_slice((size_t)800U, + to_hash, + uint8_t, + Eurydice_slice), + implicit_rejection_shared_secret); + int32_t (*uu____2)[256U] = t_as_ntt; + int32_t (*uu____3)[2U][256U] = a_transpose; + uint8_t uu____4[32U]; + 
memcpy(uu____4, decrypted, (size_t)32U * sizeof (uint8_t)); + uint8_t expected_ciphertext[768U]; + encrypt_unpacked___2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t(uu____2, + uu____3, + uu____4, + pseudorandomness, + expected_ciphertext); + Eurydice_slice uu____5 = as_ref___768size_t(ciphertext); + uint8_t + selector = + compare_ciphertexts_in_constant_time___768size_t(uu____5, + Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, Eurydice_slice)); + Eurydice_slice uu____6 = shared_secret; + uint8_t ret0[32U]; + libcrux_kyber_constant_time_ops_select_shared_secret_in_constant_time(uu____6, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), + selector, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +void +libcrux_kyber_kyber512_decapsulate_unpacked( + libcrux_kyber_MlKemState___2size_t *state, + uint8_t (*ciphertext)[768U], + uint8_t ret[32U] +) +{ + uint8_t ret0[32U]; + decapsulate_unpacked___2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t(state, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + diff --git a/libcrux/src/libcrux_kyber768.c b/libcrux/src/libcrux_kyber768.c new file mode 100644 index 00000000..537fd3d4 --- /dev/null +++ b/libcrux/src/libcrux_kyber768.c 
@@ -0,0 +1,2502 @@ +/* + This file was generated by KaRaMeL + KaRaMeL invocation: ../../../eurydice/eurydice --config ../../kyber-c.yaml ../libcrux_kyber.llbc + F* version: b5cb71b8 + KaRaMeL version: 1282f04f + */ + +#include "internal/libcrux_kyber768.h" + +#include "internal/libcrux_kyber_common.h" +#include "libcrux_hacl_glue.h" + +static inline void +deserialize_ring_elements_reduced___1184size_t_3size_t( + Eurydice_slice public_key, + int32_t ret[3U][256U] +) +{ + int32_t deserialized_pk[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(deserialized_pk[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(public_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + ring_element = + Eurydice_slice_subslice(public_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_reduced_ring_element(ring_element, uu____0); + memcpy(deserialized_pk[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, deserialized_pk, (size_t)3U * sizeof (int32_t [256U])); +} + +static inline void +serialize_secret_key___3size_t_1152size_t(int32_t key[3U][256U], uint8_t ret[1152U]) +{ + uint8_t out[1152U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)3U, + key, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t i0 = i; + int32_t re[256U]; + memcpy(re, key[i0], (size_t)256U * sizeof (int32_t)); + Eurydice_slice + uu____0 = + 
Eurydice_array_to_subslice((size_t)1152U, + out, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = (i0 + (size_t)1U) * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[384U]; + libcrux_kyber_serialize_serialize_uncompressed_ring_element(re, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + } + memcpy(ret, out, (size_t)1152U * sizeof (uint8_t)); +} + +static inline void +serialize_public_key___3size_t_1152size_t_1184size_t( + int32_t t_as_ntt[3U][256U], + Eurydice_slice seed_for_a, + uint8_t ret[1184U] +) +{ + uint8_t public_key_serialized[1184U] = { 0U }; + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice((size_t)1184U, + public_key_serialized, + ((core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)1152U }), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____1[3U][256U]; + memcpy(uu____1, t_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + uint8_t ret0[1152U]; + serialize_secret_key___3size_t_1152size_t(uu____1, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)1184U, + public_key_serialized, + (size_t)1152U, + uint8_t, + size_t, + Eurydice_slice), + seed_for_a, + uint8_t, + void *); + memcpy(ret, public_key_serialized, (size_t)1184U * sizeof (uint8_t)); +} + +static bool validate_public_key___3size_t_1152size_t_1184size_t(uint8_t *public_key) +{ + int32_t deserialized_pk[3U][256U]; + deserialize_ring_elements_reduced___1184size_t_3size_t(Eurydice_array_to_subslice_to((size_t)1184U, + public_key, + (size_t)1152U, + uint8_t, + size_t, + Eurydice_slice), + deserialized_pk); + int32_t 
uu____0[3U][256U]; + memcpy(uu____0, deserialized_pk, (size_t)3U * sizeof (int32_t [256U])); + uint8_t public_key_serialized[1184U]; + serialize_public_key___3size_t_1152size_t_1184size_t(uu____0, + Eurydice_array_to_subslice_from((size_t)1184U, + public_key, + (size_t)1152U, + uint8_t, + size_t, + Eurydice_slice), + public_key_serialized); + return + core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq((size_t)1184U, + public_key, + public_key_serialized, + uint8_t, + uint8_t, + bool); +} + +core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ +libcrux_kyber_kyber768_validate_public_key(uint8_t public_key[1184U]) +{ + core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ uu____0; + if (validate_public_key___3size_t_1152size_t_1184size_t(public_key)) + { + core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__ lit; + lit.tag = core_option_Some; + memcpy(lit.f0, public_key, (size_t)1184U * sizeof (uint8_t)); + uu____0 = lit; + } + else + { + uu____0 = + ( + (core_option_Option__libcrux_kyber_types_MlKemPublicKey__1184size_t__){ + .tag = core_option_None + } + ); + } + return uu____0; +} + +static inline libcrux_digest_incremental_x4_Shake128StateX4 +absorb___3size_t(uint8_t input[3U][34U]) +{ + libcrux_digest_incremental_x4_Shake128StateX4 + state = libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__new(); + Eurydice_slice data[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + uint8_t buf[1U] = { 0U }; + data[i] = Eurydice_array_to_slice((size_t)1U, buf, uint8_t, Eurydice_slice); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + Eurydice_slice + uu____0 = Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, Eurydice_slice); + data[i0] = uu____0; + } + libcrux_digest_incremental_x4_Shake128StateX4 *uu____1 = &state; + Eurydice_slice uu____2[3U]; + memcpy(uu____2, data, (size_t)3U * sizeof (Eurydice_slice)); + 
libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__absorb_final((size_t)3U, + uu____1, + uu____2, + void *); + return state; +} + +static inline void +squeeze_three_blocks___3size_t( + libcrux_digest_incremental_x4_Shake128StateX4 *xof_state, + uint8_t ret[3U][504U] +) +{ + uint8_t output[3U][504U]; + libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks((size_t)504U, + (size_t)3U, + xof_state, + output, + void *); + uint8_t out[3U][504U] = { { 0U } }; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + uint8_t uu____0[504U]; + memcpy(uu____0, output[i0], (size_t)504U * sizeof (uint8_t)); + memcpy(out[i0], uu____0, (size_t)504U * sizeof (uint8_t)); + } + memcpy(ret, out, (size_t)3U * sizeof (uint8_t [504U])); +} + +static bool +sample_from_uniform_distribution_next___3size_t_504size_t( + uint8_t randomness[3U][504U], + size_t *sampled_coefficients, + int32_t (*out)[256U] +) +{ + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + core_slice_iter_Chunks + iter = + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter(core_slice___Slice_T___chunks(Eurydice_array_to_slice((size_t)504U, + randomness[i0], + uint8_t, + Eurydice_slice), + (size_t)3U, + uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, + core_slice_iter_Chunks); + while (true) + { + core_option_Option__Eurydice_slice_uint8_t + uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next(&iter, + uint8_t, + core_option_Option__Eurydice_slice_uint8_t); + if (uu____0.tag == core_option_None) + { + break; + } + else + { + Eurydice_slice bytes = uu____0.f0; + int32_t b1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t b2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t b3 = (int32_t)Eurydice_slice_index(bytes, 
(size_t)2U, uint8_t, uint8_t); + int32_t d1 = (b2 & (int32_t)15) << 8U | b1; + int32_t d2 = b3 << 4U | b2 >> 4U; + bool uu____1; + if (d1 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____1 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____1 = false; + } + if (uu____1) + { + out[i0][sampled_coefficients[i0]] = d1; + size_t uu____2 = i0; + sampled_coefficients[uu____2] = sampled_coefficients[uu____2] + (size_t)1U; + } + bool uu____3; + if (d2 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____3 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____3 = false; + } + if (uu____3) + { + out[i0][sampled_coefficients[i0]] = d2; + size_t uu____4 = i0; + sampled_coefficients[uu____4] = sampled_coefficients[uu____4] + (size_t)1U; + } + } + } + if (sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) + { + done = false; + } + } + return done; +} + +static inline void +squeeze_block___3size_t( + libcrux_digest_incremental_x4_Shake128StateX4 *xof_state, + uint8_t ret[3U][168U] +) +{ + uint8_t output[3U][168U]; + libcrux_digest_incremental_x4__libcrux__digest__incremental_x4__Shake128StateX4__squeeze_blocks((size_t)168U, + (size_t)3U, + xof_state, + output, + void *); + uint8_t out[3U][168U] = { { 0U } }; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + uint8_t uu____0[168U]; + memcpy(uu____0, output[i0], (size_t)168U * sizeof (uint8_t)); + memcpy(out[i0], uu____0, (size_t)168U * sizeof (uint8_t)); + } + memcpy(ret, out, (size_t)3U * sizeof (uint8_t [168U])); +} + +static bool +sample_from_uniform_distribution_next___3size_t_168size_t( + uint8_t randomness[3U][168U], + size_t *sampled_coefficients, + int32_t (*out)[256U] +) +{ + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + core_slice_iter_Chunks + iter = + 
core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter(core_slice___Slice_T___chunks(Eurydice_array_to_slice((size_t)168U, + randomness[i0], + uint8_t, + Eurydice_slice), + (size_t)3U, + uint8_t, + core_slice_iter_Chunks), + core_slice_iter_Chunks, + core_slice_iter_Chunks); + while (true) + { + core_option_Option__Eurydice_slice_uint8_t + uu____0 = + core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next(&iter, + uint8_t, + core_option_Option__Eurydice_slice_uint8_t); + if (uu____0.tag == core_option_None) + { + break; + } + else + { + Eurydice_slice bytes = uu____0.f0; + int32_t b1 = (int32_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t); + int32_t b2 = (int32_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t); + int32_t b3 = (int32_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t); + int32_t d1 = (b2 & (int32_t)15) << 8U | b1; + int32_t d2 = b3 << 4U | b2 >> 4U; + bool uu____1; + if (d1 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____1 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____1 = false; + } + if (uu____1) + { + out[i0][sampled_coefficients[i0]] = d1; + size_t uu____2 = i0; + sampled_coefficients[uu____2] = sampled_coefficients[uu____2] + (size_t)1U; + } + bool uu____3; + if (d2 < LIBCRUX_KYBER_CONSTANTS_FIELD_MODULUS) + { + uu____3 = sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } + else + { + uu____3 = false; + } + if (uu____3) + { + out[i0][sampled_coefficients[i0]] = d2; + size_t uu____4 = i0; + sampled_coefficients[uu____4] = sampled_coefficients[uu____4] + (size_t)1U; + } + } + } + if (sampled_coefficients[i0] < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) + { + done = false; + } + } + return done; +} + +static void sample_from_xof___3size_t(uint8_t seeds[3U][34U], int32_t ret[3U][256U]) +{ + size_t sampled_coefficients[3U] = { 0U }; 
+ int32_t out[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(out[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + uint8_t uu____0[3U][34U]; + memcpy(uu____0, seeds, (size_t)3U * sizeof (uint8_t [34U])); + libcrux_digest_incremental_x4_Shake128StateX4 xof_state = absorb___3size_t(uu____0); + uint8_t randomness0[3U][504U]; + squeeze_three_blocks___3size_t(&xof_state, randomness0); + uint8_t uu____1[3U][504U]; + memcpy(uu____1, randomness0, (size_t)3U * sizeof (uint8_t [504U])); + bool + done = + sample_from_uniform_distribution_next___3size_t_504size_t(uu____1, + sampled_coefficients, + out); + while (true) + { + if (!!done) + { + break; + } + uint8_t randomness[3U][168U]; + squeeze_block___3size_t(&xof_state, randomness); + uint8_t uu____2[3U][168U]; + memcpy(uu____2, randomness, (size_t)3U * sizeof (uint8_t [168U])); + done = + sample_from_uniform_distribution_next___3size_t_168size_t(uu____2, + sampled_coefficients, + out); + } + libcrux_kyber_hash_functions_free_state(xof_state); + memcpy(ret, out, (size_t)3U * sizeof (int32_t [256U])); +} + +static inline void +sample_matrix_A___3size_t(uint8_t seed[34U], bool transpose, int32_t ret[3U][3U][256U]) +{ + int32_t A_transpose[3U][3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(A_transpose[i][0U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + memcpy(A_transpose[i][1U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + memcpy(A_transpose[i][2U], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) + { + size_t i1 = i0; + uint8_t uu____0[34U]; + memcpy(uu____0, seed, (size_t)34U * sizeof (uint8_t)); + uint8_t 
seeds[3U][34U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(seeds[i], uu____0, (size_t)34U * sizeof (uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t j = i; + seeds[j][32U] = (uint8_t)i1; + seeds[j][33U] = (uint8_t)j; + } + uint8_t uu____1[3U][34U]; + memcpy(uu____1, seeds, (size_t)3U * sizeof (uint8_t [34U])); + int32_t sampled[3U][256U]; + sample_from_xof___3size_t(uu____1, sampled); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t j = i; + if (transpose) + { + memcpy(A_transpose[j][i1], sampled[j], (size_t)256U * sizeof (int32_t)); + } + else + { + memcpy(A_transpose[i1][j], sampled[j], (size_t)256U * sizeof (int32_t)); + } + } + } + memcpy(ret, A_transpose, (size_t)3U * sizeof (int32_t [3U][256U])); +} + +void libcrux_kyber_ind_cpa_into_padded_array___34size_t(Eurydice_slice slice, uint8_t ret[34U]) +{ + uint8_t out[34U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)34U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)34U * sizeof (uint8_t)); +} + +void libcrux_kyber_ind_cpa_into_padded_array___33size_t(Eurydice_slice slice, uint8_t ret[33U]) +{ + uint8_t out[33U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)33U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)33U * sizeof (uint8_t)); +} + +void libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_slice input, uint8_t ret[128U]) +{ + uint8_t ret0[128U]; + libcrux_digest_shake256((size_t)128U, 
input, ret0, void *); + memcpy(ret, ret0, (size_t)128U * sizeof (uint8_t)); +} + +void +libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t( + Eurydice_slice randomness, + int32_t ret[256U] +) +{ + int32_t uu____0[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution_2(randomness, uu____0); + memcpy(ret, uu____0, (size_t)256U * sizeof (int32_t)); +} + +typedef struct __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t_s +{ + int32_t fst[3U][256U]; + uint8_t snd; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t; + +static inline __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t +sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t( + uint8_t prf_input[33U], + uint8_t domain_separator +) +{ + int32_t re_as_ntt[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(re_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + prf_input[32U] = domain_separator; + domain_separator = (uint32_t)domain_separator + 1U; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t r[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + r); + int32_t uu____0[256U]; + libcrux_kyber_ntt_ntt_binomially_sampled_ring_element(r, uu____0); + memcpy(re_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + int32_t uu____1[3U][256U]; + memcpy(uu____1, re_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t lit; + memcpy(lit.fst, uu____1, (size_t)3U * sizeof (int32_t [256U])); + lit.snd = domain_separator; + return lit; +} + +static void 
+add_to_ring_element___3size_t(int32_t lhs[256U], int32_t (*rhs)[256U], int32_t ret[256U]) +{ + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, lhs, int32_t, Eurydice_slice), + int32_t, + size_t); + i++) + { + size_t i0 = i; + size_t uu____0 = i0; + lhs[uu____0] = lhs[uu____0] + rhs[0U][i0]; + } + memcpy(ret, lhs, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_As_plus_e___3size_t( + int32_t (*matrix_A)[3U][256U], + int32_t (*s_as_ntt)[256U], + int32_t (*error_as_ntt)[256U], + int32_t ret[3U][256U] +) +{ + int32_t result[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(result[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)3U, + matrix_A, + Eurydice_error_t_cg_array, + Eurydice_slice), + int32_t [3U][256U], + size_t); + i0++) + { + size_t i1 = i0; + int32_t (*row)[256U] = matrix_A[i1]; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)3U, + row, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t j = i; + int32_t (*matrix_element)[256U] = &row[j]; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(matrix_element, &s_as_ntt[j], product); + int32_t uu____0[256U]; + add_to_ring_element___3size_t(result[i1], &product, uu____0); + memcpy(result[i1], uu____0, (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t j = i; + int32_t coefficient_normal_form = libcrux_kyber_arithmetic_to_standard_domain(result[i1][j]); + int32_t + uu____1 = + libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + error_as_ntt[i1][j]); + result[i1][j] = uu____1; + } + } + memcpy(ret, result, (size_t)3U * sizeof 
(int32_t [256U])); +} + +typedef struct +__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t__s +{ + int32_t fst[3U][256U]; + int32_t snd[3U][256U]; + int32_t thd[3U][3U][256U]; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t_; + +typedef struct +__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t__uint8_t_1184size_t__s +{ + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t_ + fst; + uint8_t snd[1184U]; +} +__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t__uint8_t_1184size_t_; + +static __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t__uint8_t_1184size_t_ +generate_keypair_unpacked___3size_t_1184size_t_1152size_t_2size_t_128size_t( + Eurydice_slice key_generation_seed +) +{ + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(key_generation_seed, hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + (size_t)32U, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice seed_for_A = uu____0.fst; + Eurydice_slice seed_for_secret_and_error = uu____0.snd; + int32_t a_transpose[3U][3U][256U]; + uint8_t ret[34U]; + 
libcrux_kyber_ind_cpa_into_padded_array___34size_t(seed_for_A, ret); + sample_matrix_A___3size_t(ret, true, a_transpose); + uint8_t prf_input[33U]; + libcrux_kyber_ind_cpa_into_padded_array___33size_t(seed_for_secret_and_error, prf_input); + uint8_t uu____1[33U]; + memcpy(uu____1, prf_input, (size_t)33U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t + uu____2 = sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t(uu____1, 0U); + int32_t secret_as_ntt[3U][256U]; + memcpy(secret_as_ntt, uu____2.fst, (size_t)3U * sizeof (int32_t [256U])); + uint8_t domain_separator = uu____2.snd; + uint8_t uu____3[33U]; + memcpy(uu____3, prf_input, (size_t)33U * sizeof (uint8_t)); + int32_t error_as_ntt[3U][256U]; + memcpy(error_as_ntt, + sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t(uu____3, domain_separator).fst, + (size_t)3U * sizeof (int32_t [256U])); + int32_t t_as_ntt[3U][256U]; + compute_As_plus_e___3size_t(a_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); + int32_t uu____4[3U][256U]; + memcpy(uu____4, t_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + uint8_t public_key_serialized[1184U]; + serialize_public_key___3size_t_1152size_t_1184size_t(uu____4, + seed_for_A, + public_key_serialized); + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) + { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)256U; i++) + { + size_t j = i; + uint16_t uu____5 = libcrux_kyber_arithmetic_to_unsigned_representative(secret_as_ntt[i1][j]); + secret_as_ntt[i1][j] = (int32_t)uu____5; + uint16_t uu____6 = libcrux_kyber_arithmetic_to_unsigned_representative(t_as_ntt[i1][j]); + t_as_ntt[i1][j] = (int32_t)uu____6; + } + } + int32_t a_matrix[3U][3U][256U]; + memcpy(a_matrix, a_transpose, (size_t)3U * sizeof (int32_t [3U][256U])); + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) + { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t j = i; + memcpy(a_matrix[i1][j], a_transpose[j][i1], (size_t)256U * 
sizeof (int32_t)); + } + } + int32_t uu____7[3U][256U]; + memcpy(uu____7, secret_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + int32_t uu____8[3U][256U]; + memcpy(uu____8, t_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + int32_t uu____9[3U][3U][256U]; + memcpy(uu____9, a_matrix, (size_t)3U * sizeof (int32_t [3U][256U])); + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t_ + uu____10; + memcpy(uu____10.fst, uu____7, (size_t)3U * sizeof (int32_t [256U])); + memcpy(uu____10.snd, uu____8, (size_t)3U * sizeof (int32_t [256U])); + memcpy(uu____10.thd, uu____9, (size_t)3U * sizeof (int32_t [3U][256U])); + uint8_t uu____11[1184U]; + memcpy(uu____11, public_key_serialized, (size_t)1184U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t__uint8_t_1184size_t_ + lit; + lit.fst = uu____10; + memcpy(lit.snd, uu____11, (size_t)1184U * sizeof (uint8_t)); + return lit; +} + +typedef struct __uint8_t_1152size_t__uint8_t_1184size_t__s +{ + uint8_t fst[1152U]; + uint8_t snd[1184U]; +} +__uint8_t_1152size_t__uint8_t_1184size_t_; + +static __uint8_t_1152size_t__uint8_t_1184size_t_ +generate_keypair___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( + Eurydice_slice key_generation_seed +) +{ + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t__uint8_t_1184size_t_ + uu____0 = + generate_keypair_unpacked___3size_t_1184size_t_1152size_t_2size_t_128size_t(key_generation_seed); + int32_t secret_as_ntt[3U][256U]; + memcpy(secret_as_ntt, uu____0.fst.fst, (size_t)3U * sizeof (int32_t [256U])); + int32_t _t_as_ntt[3U][256U]; + memcpy(_t_as_ntt, uu____0.fst.snd, (size_t)3U * 
sizeof (int32_t [256U])); + int32_t _a_transpose[3U][3U][256U]; + memcpy(_a_transpose, uu____0.fst.thd, (size_t)3U * sizeof (int32_t [3U][256U])); + uint8_t public_key_serialized[1184U]; + memcpy(public_key_serialized, uu____0.snd, (size_t)1184U * sizeof (uint8_t)); + int32_t uu____1[3U][256U]; + memcpy(uu____1, secret_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + uint8_t secret_key_serialized[1152U]; + serialize_secret_key___3size_t_1152size_t(uu____1, secret_key_serialized); + uint8_t uu____2[1152U]; + memcpy(uu____2, secret_key_serialized, (size_t)1152U * sizeof (uint8_t)); + uint8_t uu____3[1184U]; + memcpy(uu____3, public_key_serialized, (size_t)1184U * sizeof (uint8_t)); + __uint8_t_1152size_t__uint8_t_1184size_t_ lit; + memcpy(lit.fst, uu____2, (size_t)1152U * sizeof (uint8_t)); + memcpy(lit.snd, uu____3, (size_t)1184U * sizeof (uint8_t)); + return lit; +} + +static inline void +serialize_kem_secret_key___2400size_t( + Eurydice_slice private_key, + Eurydice_slice public_key, + Eurydice_slice implicit_rejection_value, + uint8_t ret[2400U] +) +{ + uint8_t out[2400U] = { 0U }; + size_t pointer = (size_t)0U; + uint8_t *uu____0 = out; + size_t uu____1 = pointer; + size_t uu____2 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)2400U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = uu____1, + .end = uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + private_key, + uint8_t, + void *); + pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uint8_t *uu____3 = out; + size_t uu____4 = pointer; + size_t uu____5 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)2400U, + uu____3, + ( + (core_ops_range_Range__size_t){ + .start = uu____4, + .end = uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + 
Eurydice_slice), + public_key, + uint8_t, + void *); + pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + Eurydice_slice + uu____6 = + Eurydice_array_to_subslice((size_t)2400U, + out, + ( + (core_ops_range_Range__size_t){ + .start = pointer, + .end = pointer + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[32U]; + libcrux_kyber_hash_functions_H(public_key, ret0); + core_slice___Slice_T___copy_from_slice(uu____6, + Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + pointer = pointer + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE; + uint8_t *uu____7 = out; + size_t uu____8 = pointer; + size_t uu____9 = pointer; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)2400U, + uu____7, + ( + (core_ops_range_Range__size_t){ + .start = uu____8, + .end = uu____9 + core_slice___Slice_T___len(implicit_rejection_value, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + implicit_rejection_value, + uint8_t, + void *); + memcpy(ret, out, (size_t)2400U * sizeof (uint8_t)); +} + +typedef uint8_t MlKemPrivateKey___2400size_t[2400U]; + +static void from___2400size_t(uint8_t value[2400U], uint8_t ret[2400U]) +{ + uint8_t uu____0[2400U]; + memcpy(uu____0, value, (size_t)2400U * sizeof (uint8_t)); + memcpy(ret, uu____0, (size_t)2400U * sizeof (uint8_t)); +} + +static libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t +from___2400size_t_1184size_t(uint8_t sk[2400U], uint8_t pk[1184U]) +{ + libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t lit; + memcpy(lit.sk, sk, (size_t)2400U * sizeof (uint8_t)); + memcpy(lit.pk, pk, (size_t)1184U * sizeof (uint8_t)); + return lit; +} + +static libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t +generate_keypair___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( + uint8_t randomness[64U] +) +{ + Eurydice_slice + 
ind_cpa_keypair_randomness = + Eurydice_array_to_subslice((size_t)64U, + randomness, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_subslice_from((size_t)64U, + randomness, + LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, + uint8_t, + size_t, + Eurydice_slice); + __uint8_t_1152size_t__uint8_t_1184size_t_ + uu____0 = + generate_keypair___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t(ind_cpa_keypair_randomness); + uint8_t ind_cpa_private_key[1152U]; + memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof (uint8_t)); + uint8_t public_key[1184U]; + memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof (uint8_t)); + Eurydice_slice + uu____1 = Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, Eurydice_slice); + uint8_t secret_key_serialized[2400U]; + serialize_kem_secret_key___2400size_t(uu____1, + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, Eurydice_slice), + implicit_rejection_value, + secret_key_serialized); + uint8_t uu____2[2400U]; + memcpy(uu____2, secret_key_serialized, (size_t)2400U * sizeof (uint8_t)); + uint8_t private_key[2400U]; + from___2400size_t(uu____2, private_key); + uint8_t uu____3[2400U]; + memcpy(uu____3, private_key, (size_t)2400U * sizeof (uint8_t)); + uint8_t uu____4[1184U]; + memcpy(uu____4, public_key, (size_t)1184U * sizeof (uint8_t)); + return from___2400size_t_1184size_t(uu____3, uu____4); +} + +libcrux_kyber_types_MlKemKeyPair___2400size_t_1184size_t +libcrux_kyber_kyber768_generate_key_pair(uint8_t randomness[64U]) +{ + uint8_t uu____0[64U]; + memcpy(uu____0, randomness, (size_t)64U * sizeof (uint8_t)); + return + generate_keypair___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t(uu____0); +} + +void 
+core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( + core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError self, + uint8_t ret[32U] +) +{ + if (self.tag == core_result_Ok) + { + uint8_t f0[32U]; + memcpy(f0, self.val.case_Ok, (size_t)32U * sizeof (uint8_t)); + memcpy(ret, f0, (size_t)32U * sizeof (uint8_t)); + } + else + { + KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "unwrap not Ok"); + KRML_HOST_EXIT(255U); + } +} + +static void from___1184size_t(uint8_t value[1184U], uint8_t ret[1184U]) +{ + uint8_t uu____0[1184U]; + memcpy(uu____0, value, (size_t)1184U * sizeof (uint8_t)); + memcpy(ret, uu____0, (size_t)1184U * sizeof (uint8_t)); +} + +static K___libcrux_kyber_MlKemState__3size_t___libcrux_kyber_types_MlKemPublicKey__1184size_t__ +generate_keypair_unpacked___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( + uint8_t randomness[64U] +) +{ + Eurydice_slice + ind_cpa_keypair_randomness = + Eurydice_array_to_subslice((size_t)64U, + randomness, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_subslice_from((size_t)64U, + randomness, + LIBCRUX_KYBER_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, + uint8_t, + size_t, + Eurydice_slice); + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t____libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__3size_t__uint8_t_1184size_t_ + uu____0 = + generate_keypair_unpacked___3size_t_1184size_t_1152size_t_2size_t_128size_t(ind_cpa_keypair_randomness); + int32_t secret_as_ntt[3U][256U]; + memcpy(secret_as_ntt, uu____0.fst.fst, (size_t)3U * sizeof (int32_t [256U])); + int32_t t_as_ntt[3U][256U]; + memcpy(t_as_ntt, uu____0.fst.snd, (size_t)3U * sizeof 
(int32_t [256U])); + int32_t a_transpose[3U][3U][256U]; + memcpy(a_transpose, uu____0.fst.thd, (size_t)3U * sizeof (int32_t [3U][256U])); + uint8_t ind_cpa_public_key[1184U]; + memcpy(ind_cpa_public_key, uu____0.snd, (size_t)1184U * sizeof (uint8_t)); + uint8_t ind_cpa_public_key_hash[32U]; + libcrux_kyber_hash_functions_H(Eurydice_array_to_slice((size_t)1184U, + ind_cpa_public_key, + uint8_t, + Eurydice_slice), + ind_cpa_public_key_hash); + uint8_t rej[32U]; + core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; + Eurydice_slice_to_array2(&dst, + implicit_rejection_value, + Eurydice_slice, + uint8_t [32U], + void *); + core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError(dst, + rej); + uint8_t uu____1[1184U]; + memcpy(uu____1, ind_cpa_public_key, (size_t)1184U * sizeof (uint8_t)); + uint8_t pubkey[1184U]; + from___1184size_t(uu____1, pubkey); + int32_t uu____2[3U][256U]; + memcpy(uu____2, secret_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + int32_t uu____3[3U][256U]; + memcpy(uu____3, t_as_ntt, (size_t)3U * sizeof (int32_t [256U])); + int32_t uu____4[3U][3U][256U]; + memcpy(uu____4, a_transpose, (size_t)3U * sizeof (int32_t [3U][256U])); + uint8_t uu____5[32U]; + memcpy(uu____5, rej, (size_t)32U * sizeof (uint8_t)); + uint8_t uu____6[32U]; + memcpy(uu____6, ind_cpa_public_key_hash, (size_t)32U * sizeof (uint8_t)); + K___libcrux_kyber_MlKemState__3size_t___libcrux_kyber_types_MlKemPublicKey__1184size_t__ lit; + memcpy(lit.fst.secret_as_ntt, uu____2, (size_t)3U * sizeof (int32_t [256U])); + memcpy(lit.fst.t_as_ntt, uu____3, (size_t)3U * sizeof (int32_t [256U])); + memcpy(lit.fst.a_transpose, uu____4, (size_t)3U * sizeof (int32_t [3U][256U])); + memcpy(lit.fst.rej, uu____5, (size_t)32U * sizeof (uint8_t)); + memcpy(lit.fst.ind_cpa_public_key_hash, uu____6, (size_t)32U * sizeof (uint8_t)); + memcpy(lit.snd, pubkey, (size_t)1184U * sizeof (uint8_t)); + return lit; +} + 
+K___libcrux_kyber_MlKemState__3size_t___libcrux_kyber_types_MlKemPublicKey__1184size_t__ +libcrux_kyber_kyber768_generate_key_pair_unpacked(uint8_t randomness[64U]) +{ + uint8_t uu____0[64U]; + memcpy(uu____0, randomness, (size_t)64U * sizeof (uint8_t)); + return + generate_keypair_unpacked___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t(uu____0); +} + +void libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_slice slice, uint8_t ret[64U]) +{ + uint8_t out[64U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)64U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)64U * sizeof (uint8_t)); +} + +static uint8_t *as_slice___1184size_t(uint8_t (*self)[1184U]) +{ + return self[0U]; +} + +static inline void +deserialize_ring_elements_reduced___1152size_t_3size_t( + Eurydice_slice public_key, + int32_t ret[3U][256U] +) +{ + int32_t deserialized_pk[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(deserialized_pk[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(public_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + ring_element = + Eurydice_slice_subslice(public_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + 
libcrux_kyber_serialize_deserialize_to_reduced_ring_element(ring_element, uu____0); + memcpy(deserialized_pk[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, deserialized_pk, (size_t)3U * sizeof (int32_t [256U])); +} + +static inline void +sample_ring_element_cbd___3size_t_128size_t_2size_t( + uint8_t *prf_input, + uint8_t *domain_separator, + int32_t ret[3U][256U] +) +{ + int32_t error_1[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(error_1[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + prf_input[32U] = domain_separator[0U]; + domain_separator[0U] = (uint32_t)domain_separator[0U] + 1U; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t uu____0[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + uu____0); + memcpy(error_1[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, error_1, (size_t)3U * sizeof (int32_t [256U])); +} + +static inline void invert_ntt_montgomery___3size_t(int32_t re[256U], int32_t ret[256U]) +{ + size_t zeta_i = LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)1U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)2U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)3U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)4U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)5U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)6U, re); + libcrux_kyber_ntt_invert_ntt_at_layer(&zeta_i, re, (size_t)7U, re); + for (size_t i = (size_t)0U; i < 
(size_t)2U; i++) + { + size_t i0 = i; + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(re[i0]); + re[i0] = uu____0; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_vector_u___3size_t( + int32_t (*a_as_ntt)[3U][256U], + int32_t (*r_as_ntt)[256U], + int32_t (*error_1)[256U], + int32_t ret[3U][256U] +) +{ + int32_t result[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(result[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i0 = (size_t)0U; + i0 + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)3U, + a_as_ntt, + Eurydice_error_t_cg_array, + Eurydice_slice), + int32_t [3U][256U], + size_t); + i0++) + { + size_t i1 = i0; + int32_t (*row)[256U] = a_as_ntt[i1]; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)3U, + row, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t j = i; + int32_t (*a_element)[256U] = &row[j]; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(a_element, &r_as_ntt[j], product); + int32_t uu____0[256U]; + add_to_ring_element___3size_t(result[i1], &product, uu____0); + memcpy(result[i1], uu____0, (size_t)256U * sizeof (int32_t)); + } + int32_t uu____1[256U]; + invert_ntt_montgomery___3size_t(result[i1], uu____1); + memcpy(result[i1], uu____1, (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t j = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i1][j] * (int32_t)1441); + int32_t + uu____2 = libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + error_1[i1][j]); + result[i1][j] = uu____2; + } + } + memcpy(ret, result, (size_t)3U * sizeof (int32_t [256U])); +} + +static inline void +compute_ring_element_v___3size_t( + int32_t 
(*t_as_ntt)[256U], + int32_t (*r_as_ntt)[256U], + int32_t (*error_2)[256U], + int32_t (*message)[256U], + int32_t ret[256U] +) +{ + int32_t result[256U]; + memcpy(result, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(&t_as_ntt[i0], &r_as_ntt[i0], product); + add_to_ring_element___3size_t(result, &product, result); + } + invert_ntt_montgomery___3size_t(result, result); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i0] * (int32_t)1441); + int32_t + uu____0 = + libcrux_kyber_arithmetic_barrett_reduce(coefficient_normal_form + + error_2[0U][i0] + + message[0U][i0]); + result[i0] = uu____0; + } + memcpy(ret, result, (size_t)256U * sizeof (int32_t)); +} + +static inline void compress_then_serialize_10___320size_t(int32_t re[256U], uint8_t ret[320U]) +{ + uint8_t serialized[320U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)4U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)4U, + .end = i0 * (size_t)4U + (size_t)4U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t + coefficient1 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t))); + int32_t + coefficient2 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + 
libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + int32_t + coefficient3 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)2U, + int32_t, + int32_t))); + int32_t + coefficient4 = + libcrux_kyber_compress_compress_ciphertext_coefficient(10U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)3U, + int32_t, + int32_t))); + K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t + uu____0 = + libcrux_kyber_serialize_compress_coefficients_10(coefficient1, + coefficient2, + coefficient3, + coefficient4); + uint8_t coef1 = uu____0.fst; + uint8_t coef2 = uu____0.snd; + uint8_t coef3 = uu____0.thd; + uint8_t coef4 = uu____0.f3; + uint8_t coef5 = uu____0.f4; + serialized[(size_t)5U * i0] = coef1; + serialized[(size_t)5U * i0 + (size_t)1U] = coef2; + serialized[(size_t)5U * i0 + (size_t)2U] = coef3; + serialized[(size_t)5U * i0 + (size_t)3U] = coef4; + serialized[(size_t)5U * i0 + (size_t)4U] = coef5; + } + memcpy(ret, serialized, (size_t)320U * sizeof (uint8_t)); +} + +static inline void compress_then_serialize_11___320size_t(int32_t re[256U], uint8_t ret[320U]) +{ + uint8_t serialized[320U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)8U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)8U, + .end = i0 * (size_t)8U + (size_t)8U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t + coefficient1 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + 
int32_t, + int32_t))); + int32_t + coefficient2 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + int32_t + coefficient3 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)2U, + int32_t, + int32_t))); + int32_t + coefficient4 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)3U, + int32_t, + int32_t))); + int32_t + coefficient5 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)4U, + int32_t, + int32_t))); + int32_t + coefficient6 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)5U, + int32_t, + int32_t))); + int32_t + coefficient7 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)6U, + int32_t, + int32_t))); + int32_t + coefficient8 = + libcrux_kyber_compress_compress_ciphertext_coefficient(11U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)7U, + int32_t, + int32_t))); + K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t_uint8_t + uu____0 = + libcrux_kyber_serialize_compress_coefficients_11(coefficient1, + coefficient2, + coefficient3, + coefficient4, + coefficient5, + coefficient6, + coefficient7, + coefficient8); + uint8_t coef1 = uu____0.fst; + uint8_t coef2 = uu____0.snd; + uint8_t coef3 = uu____0.thd; + uint8_t coef4 = uu____0.f3; + uint8_t coef5 = uu____0.f4; + uint8_t coef6 = 
uu____0.f5; + uint8_t coef7 = uu____0.f6; + uint8_t coef8 = uu____0.f7; + uint8_t coef9 = uu____0.f8; + uint8_t coef10 = uu____0.f9; + uint8_t coef11 = uu____0.f10; + serialized[(size_t)11U * i0] = coef1; + serialized[(size_t)11U * i0 + (size_t)1U] = coef2; + serialized[(size_t)11U * i0 + (size_t)2U] = coef3; + serialized[(size_t)11U * i0 + (size_t)3U] = coef4; + serialized[(size_t)11U * i0 + (size_t)4U] = coef5; + serialized[(size_t)11U * i0 + (size_t)5U] = coef6; + serialized[(size_t)11U * i0 + (size_t)6U] = coef7; + serialized[(size_t)11U * i0 + (size_t)7U] = coef8; + serialized[(size_t)11U * i0 + (size_t)8U] = coef9; + serialized[(size_t)11U * i0 + (size_t)9U] = coef10; + serialized[(size_t)11U * i0 + (size_t)10U] = coef11; + } + memcpy(ret, serialized, (size_t)320U * sizeof (uint8_t)); +} + +void +libcrux_kyber_serialize_compress_then_serialize_ring_element_u___10size_t_320size_t( + int32_t re[256U], + uint8_t ret[320U] +) +{ + uint8_t uu____0[320U]; + compress_then_serialize_10___320size_t(re, uu____0); + memcpy(ret, uu____0, (size_t)320U * sizeof (uint8_t)); +} + +static void +compress_then_serialize_u___3size_t_960size_t_10size_t_320size_t( + int32_t input[3U][256U], + uint8_t ret[960U] +) +{ + uint8_t out[960U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)3U, + input, + int32_t [256U], + Eurydice_slice), + int32_t [256U], + size_t); + i++) + { + size_t i0 = i; + int32_t re[256U]; + memcpy(re, input[i0], (size_t)256U * sizeof (int32_t)); + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice((size_t)960U, + out, + ( + (core_ops_range_Range__size_t){ + .start = i0 * ((size_t)960U / (size_t)3U), + .end = (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t ret0[320U]; + libcrux_kyber_serialize_compress_then_serialize_ring_element_u___10size_t_320size_t(re, ret0); + core_slice___Slice_T___copy_from_slice(uu____0, + 
Eurydice_array_to_slice((size_t)320U, ret0, uint8_t, Eurydice_slice), + uint8_t, + void *); + } + memcpy(ret, out, (size_t)960U * sizeof (uint8_t)); +} + +static inline void compress_then_serialize_4___128size_t(int32_t re[256U], uint8_t ret[128U]) +{ + uint8_t serialized[128U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)2U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)2U, + .end = i0 * (size_t)2U + (size_t)2U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t + coefficient1 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(4U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t))); + uint8_t + coefficient2 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(4U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + serialized[i0] = (uint32_t)coefficient2 << 4U | (uint32_t)coefficient1; + } + memcpy(ret, serialized, (size_t)128U * sizeof (uint8_t)); +} + +static inline void compress_then_serialize_5___128size_t(int32_t re[256U], uint8_t ret[128U]) +{ + uint8_t serialized[128U] = { 0U }; + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)256U, re, int32_t, Eurydice_slice), + int32_t, + size_t) + / (size_t)8U; + i++) + { + size_t i0 = i; + Eurydice_slice + coefficients = + Eurydice_array_to_subslice((size_t)256U, + re, + ( + (core_ops_range_Range__size_t){ + .start = i0 * (size_t)8U, + .end = i0 * (size_t)8U + (size_t)8U + } + ), + int32_t, + core_ops_range_Range__size_t, + Eurydice_slice); + uint8_t + coefficient1 = + 
(uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)0U, + int32_t, + int32_t))); + uint8_t + coefficient2 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)1U, + int32_t, + int32_t))); + uint8_t + coefficient3 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)2U, + int32_t, + int32_t))); + uint8_t + coefficient4 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)3U, + int32_t, + int32_t))); + uint8_t + coefficient5 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)4U, + int32_t, + int32_t))); + uint8_t + coefficient6 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)5U, + int32_t, + int32_t))); + uint8_t + coefficient7 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)6U, + int32_t, + int32_t))); + uint8_t + coefficient8 = + (uint8_t)libcrux_kyber_compress_compress_ciphertext_coefficient(5U, + libcrux_kyber_arithmetic_to_unsigned_representative(Eurydice_slice_index(coefficients, + (size_t)7U, + int32_t, + int32_t))); + K___uint8_t_uint8_t_uint8_t_uint8_t_uint8_t + uu____0 = + libcrux_kyber_serialize_compress_coefficients_5(coefficient2, + coefficient1, + coefficient4, + coefficient3, + coefficient5, + coefficient7, + coefficient6, + 
coefficient8); + uint8_t coef1 = uu____0.fst; + uint8_t coef2 = uu____0.snd; + uint8_t coef3 = uu____0.thd; + uint8_t coef4 = uu____0.f3; + uint8_t coef5 = uu____0.f4; + serialized[(size_t)5U * i0] = coef1; + serialized[(size_t)5U * i0 + (size_t)1U] = coef2; + serialized[(size_t)5U * i0 + (size_t)2U] = coef3; + serialized[(size_t)5U * i0 + (size_t)3U] = coef4; + serialized[(size_t)5U * i0 + (size_t)4U] = coef5; + } + memcpy(ret, serialized, (size_t)128U * sizeof (uint8_t)); +} + +void +libcrux_kyber_serialize_compress_then_serialize_ring_element_v___4size_t_128size_t( + int32_t re[256U], + uint8_t ret[128U] +) +{ + uint8_t uu____0[128U]; + compress_then_serialize_4___128size_t(re, uu____0); + memcpy(ret, uu____0, (size_t)128U * sizeof (uint8_t)); +} + +static inline void into_padded_array___1088size_t(Eurydice_slice slice, uint8_t ret[1088U]) +{ + uint8_t out[1088U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)1088U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)1088U * sizeof (uint8_t)); +} + +static void +encrypt_unpacked___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( + int32_t (*t_as_ntt)[256U], + int32_t (*a_transpose)[3U][256U], + uint8_t message[32U], + Eurydice_slice randomness, + uint8_t ret[1088U] +) +{ + uint8_t prf_input[33U]; + libcrux_kyber_ind_cpa_into_padded_array___33size_t(randomness, prf_input); + uint8_t uu____0[33U]; + memcpy(uu____0, prf_input, (size_t)33U * sizeof (uint8_t)); + __libcrux_kyber_arithmetic_PolynomialRingElement_3size_t__uint8_t + uu____1 = sample_vector_cbd_then_ntt___3size_t_2size_t_128size_t(uu____0, 0U); + int32_t r_as_ntt[3U][256U]; + memcpy(r_as_ntt, uu____1.fst, (size_t)3U * 
sizeof (int32_t [256U])); + uint8_t domain_separator = uu____1.snd; + int32_t error_1[3U][256U]; + sample_ring_element_cbd___3size_t_128size_t_2size_t(prf_input, &domain_separator, error_1); + prf_input[32U] = domain_separator; + uint8_t prf_output[128U]; + libcrux_kyber_hash_functions_PRF___128size_t(Eurydice_array_to_slice((size_t)33U, + prf_input, + uint8_t, + Eurydice_slice), + prf_output); + int32_t error_2[256U]; + libcrux_kyber_sampling_sample_from_binomial_distribution___2size_t(Eurydice_array_to_slice((size_t)128U, + prf_output, + uint8_t, + Eurydice_slice), + error_2); + int32_t u[3U][256U]; + compute_vector_u___3size_t(a_transpose, r_as_ntt, error_1, u); + uint8_t uu____2[32U]; + memcpy(uu____2, message, (size_t)32U * sizeof (uint8_t)); + int32_t message_as_ring_element[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_message(uu____2, message_as_ring_element); + int32_t v[256U]; + compute_ring_element_v___3size_t(t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element, v); + int32_t uu____3[3U][256U]; + memcpy(uu____3, u, (size_t)3U * sizeof (int32_t [256U])); + uint8_t c1[960U]; + compress_then_serialize_u___3size_t_960size_t_10size_t_320size_t(uu____3, c1); + uint8_t c2[128U]; + libcrux_kyber_serialize_compress_then_serialize_ring_element_v___4size_t_128size_t(v, c2); + uint8_t ciphertext[1088U]; + into_padded_array___1088size_t(Eurydice_array_to_slice((size_t)960U, + c1, + uint8_t, + Eurydice_slice), + ciphertext); + Eurydice_slice + uu____4 = + Eurydice_array_to_subslice_from((size_t)1088U, + ciphertext, + (size_t)960U, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____4, + core_array___Array_T__N__23__as_slice((size_t)128U, c2, uint8_t, Eurydice_slice), + uint8_t, + void *); + memcpy(ret, ciphertext, (size_t)1088U * sizeof (uint8_t)); +} + +static void +encrypt___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( + Eurydice_slice 
public_key, + uint8_t message[32U], + Eurydice_slice randomness, + uint8_t ret[1088U] +) +{ + int32_t t_as_ntt[3U][256U]; + deserialize_ring_elements_reduced___1152size_t_3size_t(Eurydice_slice_subslice_to(public_key, + (size_t)1152U, + uint8_t, + size_t, + Eurydice_slice), + t_as_ntt); + Eurydice_slice + seed = Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice); + int32_t a_transpose[3U][3U][256U]; + uint8_t ret0[34U]; + libcrux_kyber_ind_cpa_into_padded_array___34size_t(seed, ret0); + sample_matrix_A___3size_t(ret0, false, a_transpose); + int32_t (*uu____0)[256U] = t_as_ntt; + int32_t (*uu____1)[3U][256U] = a_transpose; + uint8_t uu____2[32U]; + memcpy(uu____2, message, (size_t)32U * sizeof (uint8_t)); + uint8_t ret1[1088U]; + encrypt_unpacked___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t(uu____0, + uu____1, + uu____2, + randomness, + ret1); + memcpy(ret, ret1, (size_t)1088U * sizeof (uint8_t)); +} + +typedef uint8_t MlKemCiphertext___1088size_t[1088U]; + +static K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ +encapsulate___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( + uint8_t (*public_key)[1184U], + uint8_t randomness[32U] +) +{ + uint8_t to_hash[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + randomness, + uint8_t, + Eurydice_slice), + to_hash); + Eurydice_slice + uu____0 = + Eurydice_array_to_subslice_from((size_t)64U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE, + uint8_t, + size_t, + Eurydice_slice); + uint8_t ret[32U]; + libcrux_kyber_hash_functions_H(Eurydice_array_to_slice((size_t)1184U, + as_slice___1184size_t(public_key), + uint8_t, + Eurydice_slice), + ret); + core_slice___Slice_T___copy_from_slice(uu____0, + Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), + uint8_t, 
+ void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____1 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____1.fst; + Eurydice_slice pseudorandomness = uu____1.snd; + Eurydice_slice + uu____2 = + Eurydice_array_to_slice((size_t)1184U, + as_slice___1184size_t(public_key), + uint8_t, + Eurydice_slice); + uint8_t uu____3[32U]; + memcpy(uu____3, randomness, (size_t)32U * sizeof (uint8_t)); + uint8_t ciphertext[1088U]; + encrypt___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t(uu____2, + uu____3, + pseudorandomness, + ciphertext); + uint8_t shared_secret_array[32U] = { 0U }; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_slice((size_t)32U, + shared_secret_array, + uint8_t, + Eurydice_slice), + shared_secret, + uint8_t, + void *); + uint8_t uu____4[1088U]; + memcpy(uu____4, ciphertext, (size_t)1088U * sizeof (uint8_t)); + uint8_t uu____5[1088U]; + memcpy(uu____5, uu____4, (size_t)1088U * sizeof (uint8_t)); + uint8_t uu____6[32U]; + memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof (uint8_t)); + K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ lit; + memcpy(lit.fst, uu____5, (size_t)1088U * sizeof (uint8_t)); + memcpy(lit.snd, uu____6, (size_t)32U * sizeof (uint8_t)); + return lit; +} + +K___libcrux_kyber_types_MlKemCiphertext__1088size_t___uint8_t_32size_t_ +libcrux_kyber_kyber768_encapsulate(uint8_t (*public_key)[1184U], uint8_t randomness[32U]) +{ + uint8_t (*uu____0)[1184U] = public_key; + uint8_t uu____1[32U]; + memcpy(uu____1, randomness, (size_t)32U * sizeof (uint8_t)); + return + 
encapsulate___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t(uu____0, + uu____1); +} + +static K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t +split_at___2400size_t(uint8_t (*self)[2400U], size_t mid) +{ + return + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)2400U, + self[0U], + uint8_t, + Eurydice_slice), + mid, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); +} + +static inline void +deserialize_secret_key___3size_t(Eurydice_slice secret_key, int32_t ret[3U][256U]) +{ + int32_t secret_as_ntt[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(secret_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(secret_key, + uint8_t, + size_t) + / LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT; + i++) + { + size_t i0 = i; + Eurydice_slice + secret_bytes = + Eurydice_slice_subslice(secret_key, + ( + (core_ops_range_Range__size_t){ + .start = i0 * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT, + .end = i0 + * LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + + LIBCRUX_KYBER_CONSTANTS_BYTES_PER_RING_ELEMENT + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_to_uncompressed_ring_element(secret_bytes, uu____0); + memcpy(secret_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, secret_as_ntt, (size_t)3U * sizeof (int32_t [256U])); +} + +void +libcrux_kyber_serialize_deserialize_then_decompress_ring_element_u___10size_t( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_10(serialized, uu____0); + memcpy(ret, uu____0, (size_t)256U * sizeof (int32_t)); +} + +void 
libcrux_kyber_ntt_ntt_vector_u___10size_t(int32_t re[256U], int32_t ret[256U]) +{ + size_t zeta_i = (size_t)0U; + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)7U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)6U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)5U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)4U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)3U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)2U, re); + libcrux_kyber_ntt_ntt_at_layer_3328(&zeta_i, re, (size_t)1U, re); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(re[i0]); + re[i0] = uu____0; + } + memcpy(ret, re, (size_t)256U * sizeof (int32_t)); +} + +static inline void +deserialize_then_decompress_u___3size_t_1088size_t_10size_t( + uint8_t *ciphertext, + int32_t ret[3U][256U] +) +{ + int32_t u_as_ntt[3U][256U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + memcpy(u_as_ntt[i], + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + } + for + (size_t + i = (size_t)0U; + i + < + core_slice___Slice_T___len(Eurydice_array_to_slice((size_t)1088U, + ciphertext, + uint8_t, + Eurydice_slice), + uint8_t, + size_t) + / (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); + i++) + { + size_t i0 = i; + Eurydice_slice + u_bytes = + Eurydice_array_to_subslice((size_t)1088U, + ciphertext, + ( + (core_ops_range_Range__size_t){ + .start = i0 + * (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U), + .end = i0 + * (LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U) + + LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice); + int32_t 
u[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_ring_element_u___10size_t(u_bytes, u); + int32_t uu____0[256U]; + libcrux_kyber_ntt_ntt_vector_u___10size_t(u, uu____0); + memcpy(u_as_ntt[i0], uu____0, (size_t)256U * sizeof (int32_t)); + } + memcpy(ret, u_as_ntt, (size_t)3U * sizeof (int32_t [256U])); +} + +void +libcrux_kyber_serialize_deserialize_then_decompress_ring_element_v___4size_t( + Eurydice_slice serialized, + int32_t ret[256U] +) +{ + int32_t uu____0[256U]; + libcrux_kyber_serialize_deserialize_then_decompress_4(serialized, uu____0); + memcpy(ret, uu____0, (size_t)256U * sizeof (int32_t)); +} + +static inline void +compute_message___3size_t( + int32_t (*v)[256U], + int32_t (*secret_as_ntt)[256U], + int32_t (*u_as_ntt)[256U], + int32_t ret[256U] +) +{ + int32_t result[256U]; + memcpy(result, + libcrux_kyber_arithmetic__libcrux_kyber__arithmetic__PolynomialRingElement__ZERO, + (size_t)256U * sizeof (int32_t)); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) + { + size_t i0 = i; + int32_t product[256U]; + libcrux_kyber_ntt_ntt_multiply(&secret_as_ntt[i0], &u_as_ntt[i0], product); + add_to_ring_element___3size_t(result, &product, result); + } + invert_ntt_montgomery___3size_t(result, result); + for (size_t i = (size_t)0U; i < LIBCRUX_KYBER_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; i++) + { + size_t i0 = i; + int32_t + coefficient_normal_form = + libcrux_kyber_arithmetic_montgomery_reduce(result[i0] * (int32_t)1441); + int32_t uu____0 = libcrux_kyber_arithmetic_barrett_reduce(v[0U][i0] - coefficient_normal_form); + result[i0] = uu____0; + } + memcpy(ret, result, (size_t)256U * sizeof (int32_t)); +} + +static void +decrypt_unpacked___3size_t_1088size_t_960size_t_10size_t_4size_t( + int32_t (*secret_as_ntt)[256U], + uint8_t *ciphertext, + uint8_t ret[32U] +) +{ + int32_t u_as_ntt[3U][256U]; + deserialize_then_decompress_u___3size_t_1088size_t_10size_t(ciphertext, u_as_ntt); + int32_t v[256U]; + 
libcrux_kyber_serialize_deserialize_then_decompress_ring_element_v___4size_t(Eurydice_array_to_subslice_from((size_t)1088U, + ciphertext, + (size_t)960U, + uint8_t, + size_t, + Eurydice_slice), + v); + int32_t message[256U]; + compute_message___3size_t(&v, secret_as_ntt, u_as_ntt, message); + uint8_t ret0[32U]; + libcrux_kyber_serialize_compress_then_serialize_message(message, ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static void +decrypt___3size_t_1088size_t_960size_t_10size_t_4size_t( + Eurydice_slice secret_key, + uint8_t *ciphertext, + uint8_t ret[32U] +) +{ + int32_t secret_as_ntt[3U][256U]; + deserialize_secret_key___3size_t(secret_key, secret_as_ntt); + uint8_t ret0[32U]; + decrypt_unpacked___3size_t_1088size_t_960size_t_10size_t_4size_t(secret_as_ntt, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static inline void into_padded_array___1120size_t(Eurydice_slice slice, uint8_t ret[1120U]) +{ + uint8_t out[1120U] = { 0U }; + uint8_t *uu____0 = out; + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice((size_t)1120U, + uu____0, + ( + (core_ops_range_Range__size_t){ + .start = (size_t)0U, + .end = core_slice___Slice_T___len(slice, uint8_t, size_t) + } + ), + uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + slice, + uint8_t, + void *); + memcpy(ret, out, (size_t)1120U * sizeof (uint8_t)); +} + +static Eurydice_slice as_ref___1088size_t(uint8_t (*self)[1088U]) +{ + return Eurydice_array_to_slice((size_t)1088U, self[0U], uint8_t, Eurydice_slice); +} + +void libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_slice input, uint8_t ret[32U]) +{ + uint8_t ret0[32U]; + libcrux_digest_shake256((size_t)32U, input, ret0, void *); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static uint8_t +compare_ciphertexts_in_constant_time___1088size_t(Eurydice_slice lhs, Eurydice_slice rhs) +{ + uint8_t r = 0U; + for (size_t i = (size_t)0U; i < (size_t)1088U; i++) + { + size_t i0 = i; 
+ uint8_t uu____0 = Eurydice_slice_index(lhs, i0, uint8_t, uint8_t); + r = + (uint32_t)r + | ((uint32_t)uu____0 ^ (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t)); + } + return libcrux_kyber_constant_time_ops_is_non_zero(r); +} + +static void +decapsulate___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( + uint8_t (*secret_key)[2400U], + uint8_t (*ciphertext)[1088U], + uint8_t ret[32U] +) +{ + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = split_at___2400size_t(secret_key, (size_t)1152U); + Eurydice_slice ind_cpa_secret_key = uu____0.fst; + Eurydice_slice secret_key0 = uu____0.snd; + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____1 = + core_slice___Slice_T___split_at(secret_key0, + (size_t)1184U, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice ind_cpa_public_key = uu____1.fst; + Eurydice_slice secret_key1 = uu____1.snd; + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____2 = + core_slice___Slice_T___split_at(secret_key1, + LIBCRUX_KYBER_CONSTANTS_H_DIGEST_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; + Eurydice_slice implicit_rejection_value = uu____2.snd; + uint8_t decrypted[32U]; + decrypt___3size_t_1088size_t_960size_t_10size_t_4size_t(ind_cpa_secret_key, + ciphertext[0U], + decrypted); + uint8_t to_hash0[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + decrypted, + uint8_t, + Eurydice_slice), + to_hash0); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)64U, + to_hash0, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice), + ind_cpa_public_key_hash, + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash0, + uint8_t, + 
Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____3 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____3.fst; + Eurydice_slice pseudorandomness = uu____3.snd; + uint8_t to_hash[1120U]; + into_padded_array___1120size_t(implicit_rejection_value, to_hash); + Eurydice_slice + uu____4 = + Eurydice_array_to_subslice_from((size_t)1120U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____4, + as_ref___1088size_t(ciphertext), + uint8_t, + void *); + uint8_t implicit_rejection_shared_secret[32U]; + libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_array_to_slice((size_t)1120U, + to_hash, + uint8_t, + Eurydice_slice), + implicit_rejection_shared_secret); + Eurydice_slice uu____5 = ind_cpa_public_key; + uint8_t uu____6[32U]; + memcpy(uu____6, decrypted, (size_t)32U * sizeof (uint8_t)); + uint8_t expected_ciphertext[1088U]; + encrypt___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t(uu____5, + uu____6, + pseudorandomness, + expected_ciphertext); + Eurydice_slice uu____7 = as_ref___1088size_t(ciphertext); + uint8_t + selector = + compare_ciphertexts_in_constant_time___1088size_t(uu____7, + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); + Eurydice_slice uu____8 = shared_secret; + uint8_t ret0[32U]; + libcrux_kyber_constant_time_ops_select_shared_secret_in_constant_time(uu____8, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), + selector, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +void +libcrux_kyber_kyber768_decapsulate( + uint8_t (*secret_key)[2400U], + uint8_t 
(*ciphertext)[1088U], + uint8_t ret[32U] +) +{ + uint8_t ret0[32U]; + decapsulate___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t(secret_key, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +static void +decapsulate_unpacked___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( + libcrux_kyber_MlKemState___3size_t *state, + uint8_t (*ciphertext)[1088U], + uint8_t ret[32U] +) +{ + int32_t (*secret_as_ntt)[256U] = state->secret_as_ntt; + int32_t (*t_as_ntt)[256U] = state->t_as_ntt; + int32_t (*a_transpose)[3U][256U] = state->a_transpose; + Eurydice_slice + implicit_rejection_value = + Eurydice_array_to_slice((size_t)32U, + state->rej, + uint8_t, + Eurydice_slice); + Eurydice_slice + ind_cpa_public_key_hash = + Eurydice_array_to_slice((size_t)32U, + state->ind_cpa_public_key_hash, + uint8_t, + Eurydice_slice); + uint8_t decrypted[32U]; + decrypt_unpacked___3size_t_1088size_t_960size_t_10size_t_4size_t(secret_as_ntt, + ciphertext[0U], + decrypted); + uint8_t to_hash0[64U]; + libcrux_kyber_ind_cpa_into_padded_array___64size_t(Eurydice_array_to_slice((size_t)32U, + decrypted, + uint8_t, + Eurydice_slice), + to_hash0); + core_slice___Slice_T___copy_from_slice(Eurydice_array_to_subslice_from((size_t)64U, + to_hash0, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice), + ind_cpa_public_key_hash, + uint8_t, + void *); + uint8_t hashed[64U]; + libcrux_kyber_hash_functions_G(Eurydice_array_to_slice((size_t)64U, + to_hash0, + uint8_t, + Eurydice_slice), + hashed); + K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t + uu____0 = + core_slice___Slice_T___split_at(Eurydice_array_to_slice((size_t)64U, + hashed, + uint8_t, + Eurydice_slice), + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + 
K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); + Eurydice_slice shared_secret = uu____0.fst; + Eurydice_slice pseudorandomness = uu____0.snd; + uint8_t to_hash[1120U]; + into_padded_array___1120size_t(implicit_rejection_value, to_hash); + Eurydice_slice + uu____1 = + Eurydice_array_to_subslice_from((size_t)1120U, + to_hash, + LIBCRUX_KYBER_CONSTANTS_SHARED_SECRET_SIZE, + uint8_t, + size_t, + Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____1, + as_ref___1088size_t(ciphertext), + uint8_t, + void *); + uint8_t implicit_rejection_shared_secret[32U]; + libcrux_kyber_hash_functions_PRF___32size_t(Eurydice_array_to_slice((size_t)1120U, + to_hash, + uint8_t, + Eurydice_slice), + implicit_rejection_shared_secret); + int32_t (*uu____2)[256U] = t_as_ntt; + int32_t (*uu____3)[3U][256U] = a_transpose; + uint8_t uu____4[32U]; + memcpy(uu____4, decrypted, (size_t)32U * sizeof (uint8_t)); + uint8_t expected_ciphertext[1088U]; + encrypt_unpacked___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t(uu____2, + uu____3, + uu____4, + pseudorandomness, + expected_ciphertext); + Eurydice_slice uu____5 = as_ref___1088size_t(ciphertext); + uint8_t + selector = + compare_ciphertexts_in_constant_time___1088size_t(uu____5, + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); + Eurydice_slice uu____6 = shared_secret; + uint8_t ret0[32U]; + libcrux_kyber_constant_time_ops_select_shared_secret_in_constant_time(uu____6, + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), + selector, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} + +void +libcrux_kyber_kyber768_decapsulate_unpacked( + libcrux_kyber_MlKemState___3size_t *state, + uint8_t (*ciphertext)[1088U], + uint8_t ret[32U] +) +{ + uint8_t ret0[32U]; + 
decapsulate_unpacked___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t(state, + ciphertext, + ret0); + memcpy(ret, ret0, (size_t)32U * sizeof (uint8_t)); +} +
diff --git a/libcrux/standalone-kyber.sh b/libcrux/standalone-kyber.sh
new file mode 100755
index 00000000..1efb77fa
--- /dev/null
+++ b/libcrux/standalone-kyber.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+mkdir -p hacl
+# SHA3, hash interface
+cp ../src/Hacl_Hash_SHA3.c hacl/
+cp ../include/Hacl_Hash_SHA3.h include/
+cp ../include/internal/Hacl_Hash_SHA3.h include/internal/
+# SHA3, AVX2 implementation
+cp ../src/Hacl_Hash_SHA3_Simd256.c hacl/
+cp ../include/Hacl_Hash_SHA3_Simd256.h include/
+# SHA3, scalar implementation
+cp ../src/Hacl_Hash_SHA3_Scalar.c hacl/
+cp ../include/Hacl_Hash_SHA3_Scalar.h include/
+cp ../include/internal/Hacl_Hash_SHA3_Scalar.h include/internal/
+# Auxiliary
+cp ../include/Hacl_Streaming_Types.h include/
+cp ../include/libintvector.h include/
+touch include/LowStar_Ignore.h
+# krmllib
+cp -r ../karamel/include/* include/
+cp -r ../karamel/krmllib/dist/minimal/* include/
+
+tar cjvf standalone-kyber-$(date '+%Y%m%d%H%M').tar.bz2 --exclude "src/Libcrux_Kem_Kyber_Kyber768.c" --exclude "mitch-and-sam.sh" --exclude '*.tar.bz2' --exclude 'a.out' *
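Review bot: The script only creates `hacl/` with `mkdir -p`, while every `cp` into `include/` and `include/internal/` and the `touch include/LowStar_Ignore.h` assume those directories already exist, and all the `../src`, `../include` and `../karamel` paths assume the current directory is `libcrux/`; run from anywhere else, `set -e` aborts at the first `cp` after a stray `hacl/` has been created. Making the script location-independent is two lines at the top, `cd "$(dirname "$0")"` followed by `mkdir -p hacl include/internal`. The final `tar cjvf ... *` packs whatever happens to be in the directory apart from the four excludes, so stale build products would silently end up in the bundle; if this is the artifact handed to downstream users, it would also help to write a `sha256sum` of the produced archive next to it so that recipients can verify the standalone bundle they received against a value published with the release.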