diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst
index e23020d49..bfaed9cba 100644
--- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fst
@@ -4,215 +4,217 @@ open Core
open FStar.Mul
assume
-val v__vaddq_s16': lhs: u8 -> rhs: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_s16': i: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vaddq_s16 = v__vaddq_s16'
+let v__vdupq_n_s16 = v__vdupq_n_s16'
assume
-val v__vaddq_u32': compressed: u8 -> half: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_u64': i: u64 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vaddq_u32 = v__vaddq_u32'
+let v__vdupq_n_u64 = v__vdupq_n_u64'
assume
-val v__vaddv_u16': a: u8 -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+val v__vst1q_s16': out: t_Slice i16 -> v: u8
+ -> Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
-let v__vaddv_u16 = v__vaddv_u16'
+let v__vst1q_s16 = v__vst1q_s16'
assume
-val v__vaddvq_s16': a: u8 -> Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_s16': array: t_Slice i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vaddvq_s16 = v__vaddvq_s16'
+let v__vld1q_s16 = v__vld1q_s16'
assume
-val v__vaddvq_u16': a: u8 -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_bytes_u64': array: t_Slice u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vaddvq_u16 = v__vaddvq_u16'
+let v__vld1q_bytes_u64 = v__vld1q_bytes_u64'
assume
-val v__vandq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_u64': array: t_Slice u64 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vandq_s16 = v__vandq_s16'
+let v__vld1q_u64 = v__vld1q_u64'
assume
-val v__vandq_u16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vst1q_u64': out: t_Slice u64 -> v: u8
+ -> Prims.Pure (t_Slice u64) Prims.l_True (fun _ -> Prims.l_True)
-let v__vandq_u16 = v__vandq_u16'
+let v__vst1q_u64 = v__vst1q_u64'
assume
-val v__vandq_u32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vst1q_bytes_u64': out: t_Slice u8 -> v: u8
+ -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-let v__vandq_u32 = v__vandq_u32'
+let v__vst1q_bytes_u64 = v__vst1q_bytes_u64'
assume
-val v__vbicq_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddq_s16': lhs: u8 -> rhs: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vbicq_u64 = v__vbicq_u64'
+let v__vaddq_s16 = v__vaddq_s16'
assume
-val v__vcgeq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vsubq_s16': lhs: u8 -> rhs: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vcgeq_s16 = v__vcgeq_s16'
+let v__vsubq_s16 = v__vsubq_s16'
assume
-val v__vcleq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_n_s16': v: u8 -> c: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vcleq_s16 = v__vcleq_s16'
+let v__vmulq_n_s16 = v__vmulq_n_s16'
assume
-val v__vdupq_n_s16': i: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_n_u16': v: u8 -> c: u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vdupq_n_s16 = v__vdupq_n_s16'
+let v__vmulq_n_u16 = v__vmulq_n_u16'
assume
-val v__vdupq_n_u16': value: u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_s16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vdupq_n_u16 = v__vdupq_n_u16'
+let v__vshrq_n_s16 (v_SHIFT_BY: i32) = v__vshrq_n_s16' v_SHIFT_BY
assume
-val v__vdupq_n_u32': value: u32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_u16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vdupq_n_u32 = v__vdupq_n_u32'
+let v__vshrq_n_u16 (v_SHIFT_BY: i32) = v__vshrq_n_u16' v_SHIFT_BY
assume
-val v__vdupq_n_u64': i: u64 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_u64': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vdupq_n_u64 = v__vdupq_n_u64'
+let v__vshrq_n_u64 (v_SHIFT_BY: i32) = v__vshrq_n_u64' v_SHIFT_BY
assume
-val v__veorq_s16': mask: u8 -> shifted: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_n_u64': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__veorq_s16 = v__veorq_s16'
+let v__vshlq_n_u64 (v_SHIFT_BY: i32) = v__vshlq_n_u64' v_SHIFT_BY
assume
-val v__veorq_u64': mask: u8 -> shifted: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_n_s16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__veorq_u64 = v__veorq_u64'
+let v__vshlq_n_s16 (v_SHIFT_BY: i32) = v__vshlq_n_s16' v_SHIFT_BY
assume
-val v__vget_high_u16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_n_u32': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vget_high_u16 = v__vget_high_u16'
+let v__vshlq_n_u32 (v_SHIFT_BY: i32) = v__vshlq_n_u32' v_SHIFT_BY
assume
-val v__vget_low_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqdmulhq_n_s16': k: u8 -> b: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vget_low_s16 = v__vget_low_s16'
+let v__vqdmulhq_n_s16 = v__vqdmulhq_n_s16'
assume
-val v__vget_low_u16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqdmulhq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vget_low_u16 = v__vget_low_u16'
+let v__vqdmulhq_s16 = v__vqdmulhq_s16'
assume
-val v__vld1q_bytes_u64': array: t_Slice u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vcgeq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vld1q_bytes_u64 = v__vld1q_bytes_u64'
+let v__vcgeq_s16 = v__vcgeq_s16'
assume
-val v__vld1q_s16': array: t_Slice i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vandq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vld1q_s16 = v__vld1q_s16'
+let v__vandq_s16 = v__vandq_s16'
assume
-val v__vld1q_u16': ptr: t_Slice u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vbicq_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vld1q_u16 = v__vld1q_u16'
+let v__vbicq_u64 = v__vbicq_u64'
assume
-val v__vld1q_u64': array: t_Slice u64 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_u16': m0: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vld1q_u64 = v__vld1q_u64'
+let v__vreinterpretq_s16_u16 = v__vreinterpretq_s16_u16'
assume
-val v__vld1q_u8': ptr: t_Slice u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u16_s16': m0: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vld1q_u8 = v__vld1q_u8'
+let v__vreinterpretq_u16_s16 = v__vreinterpretq_u16_s16'
assume
-val v__vmlal_high_s16': a: u8 -> b: u8 -> c: u8
- -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmlal_high_s16 = v__vmlal_high_s16'
+let v__vmulq_s16 = v__vmulq_s16'
assume
-val v__vmlal_s16': a: u8 -> b: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__veorq_s16': mask: u8 -> shifted: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmlal_s16 = v__vmlal_s16'
+let v__veorq_s16 = v__veorq_s16'
assume
-val v__vmull_high_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__veorq_u64': mask: u8 -> shifted: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmull_high_s16 = v__vmull_high_s16'
+let v__veorq_u64 = v__veorq_u64'
assume
-val v__vmull_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_u32': value: u32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmull_s16 = v__vmull_s16'
+let v__vdupq_n_u32 = v__vdupq_n_u32'
assume
-val v__vmulq_n_s16': v: u8 -> c: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddq_u32': compressed: u8 -> half: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmulq_n_s16 = v__vmulq_n_s16'
+let v__vaddq_u32 = v__vaddq_u32'
assume
-val v__vmulq_n_u16': v: u8 -> c: u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s32_u32': compressed: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmulq_n_u16 = v__vmulq_n_u16'
+let v__vreinterpretq_s32_u32 = v__vreinterpretq_s32_u32'
assume
-val v__vmulq_n_u32': a: u8 -> b: u32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqdmulhq_n_s32': a: u8 -> b: i32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmulq_n_u32 = v__vmulq_n_u32'
+let v__vqdmulhq_n_s32 = v__vqdmulhq_n_s32'
assume
-val v__vmulq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u32_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vmulq_s16 = v__vmulq_s16'
+let v__vreinterpretq_u32_s32 = v__vreinterpretq_u32_s32'
assume
-val v__vqdmulhq_n_s16': k: u8 -> b: i16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_u32': v_N: i32 -> a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vqdmulhq_n_s16 = v__vqdmulhq_n_s16'
+let v__vshrq_n_u32 (v_N: i32) = v__vshrq_n_u32' v_N
assume
-val v__vqdmulhq_n_s32': a: u8 -> b: i32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vandq_u32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vqdmulhq_n_s32 = v__vqdmulhq_n_s32'
+let v__vandq_u32 = v__vandq_u32'
assume
-val v__vqdmulhq_s16': v: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u32_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vqdmulhq_s16 = v__vqdmulhq_s16'
+let v__vreinterpretq_u32_s16 = v__vreinterpretq_u32_s16'
assume
-val v__vqtbl1q_u8': t: u8 -> idx: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_u32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vqtbl1q_u8 = v__vqtbl1q_u8'
+let v__vreinterpretq_s16_u32 = v__vreinterpretq_s16_u32'
assume
-val v__vreinterpretq_s16_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn1q_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s16_s32 = v__vreinterpretq_s16_s32'
+let v__vtrn1q_s16 = v__vtrn1q_s16'
assume
-val v__vreinterpretq_s16_s64': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s16_s64 = v__vreinterpretq_s16_s64'
+let v__vtrn2q_s16 = v__vtrn2q_s16'
assume
-val v__vreinterpretq_s16_u16': m0: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_n_u32': a: u8 -> b: u32 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s16_u16 = v__vreinterpretq_s16_u16'
+let v__vmulq_n_u32 = v__vmulq_n_u32'
assume
-val v__vreinterpretq_s16_u32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn1q_s32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s16_u32 = v__vreinterpretq_s16_u32'
+let v__vtrn1q_s32 = v__vtrn1q_s32'
assume
-val v__vreinterpretq_s16_u8': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s16_u8 = v__vreinterpretq_s16_u8'
+let v__vreinterpretq_s16_s32 = v__vreinterpretq_s16_s32'
assume
val v__vreinterpretq_s32_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
@@ -220,172 +222,170 @@ val v__vreinterpretq_s32_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Pri
let v__vreinterpretq_s32_s16 = v__vreinterpretq_s32_s16'
assume
-val v__vreinterpretq_s32_u32': compressed: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_s32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s32_u32 = v__vreinterpretq_s32_u32'
+let v__vtrn2q_s32 = v__vtrn2q_s32'
assume
-val v__vreinterpretq_s64_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn1q_s64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s64_s16 = v__vreinterpretq_s64_s16'
+let v__vtrn1q_s64 = v__vtrn1q_s64'
assume
-val v__vreinterpretq_s64_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn1q_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_s64_s32 = v__vreinterpretq_s64_s32'
+let v__vtrn1q_u64 = v__vtrn1q_u64'
assume
-val v__vreinterpretq_u16_s16': m0: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_s64': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_u16_s16 = v__vreinterpretq_u16_s16'
+let v__vreinterpretq_s16_s64 = v__vreinterpretq_s16_s64'
assume
-val v__vreinterpretq_u16_u8': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s64_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_u16_u8 = v__vreinterpretq_u16_u8'
+let v__vreinterpretq_s64_s16 = v__vreinterpretq_s64_s16'
assume
-val v__vreinterpretq_u32_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_s64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_u32_s16 = v__vreinterpretq_u32_s16'
+let v__vtrn2q_s64 = v__vtrn2q_s64'
assume
-val v__vreinterpretq_u32_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_u32_s32 = v__vreinterpretq_u32_s32'
+let v__vtrn2q_u64 = v__vtrn2q_u64'
assume
-val v__vreinterpretq_u8_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmull_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_u8_s16 = v__vreinterpretq_u8_s16'
+let v__vmull_s16 = v__vmull_s16'
assume
-val v__vreinterpretq_u8_s64': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vget_low_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vreinterpretq_u8_s64 = v__vreinterpretq_u8_s64'
+let v__vget_low_s16 = v__vget_low_s16'
assume
-val v__vshlq_n_s16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmull_high_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshlq_n_s16 (v_SHIFT_BY: i32) = v__vshlq_n_s16' v_SHIFT_BY
+let v__vmull_high_s16 = v__vmull_high_s16'
assume
-val v__vshlq_n_u32': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmlal_s16': a: u8 -> b: u8 -> c: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshlq_n_u32 (v_SHIFT_BY: i32) = v__vshlq_n_u32' v_SHIFT_BY
+let v__vmlal_s16 = v__vmlal_s16'
assume
-val v__vshlq_n_u64': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmlal_high_s16': a: u8 -> b: u8 -> c: u8
+ -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshlq_n_u64 (v_SHIFT_BY: i32) = v__vshlq_n_u64' v_SHIFT_BY
+let v__vmlal_high_s16 = v__vmlal_high_s16'
assume
-val v__vshlq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_u8': ptr: t_Slice u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshlq_s16 = v__vshlq_s16'
+let v__vld1q_u8 = v__vld1q_u8'
assume
-val v__vshlq_u16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u8_s16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshlq_u16 = v__vshlq_u16'
+let v__vreinterpretq_u8_s16 = v__vreinterpretq_u8_s16'
assume
-val v__vshrq_n_s16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqtbl1q_u8': t: u8 -> idx: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshrq_n_s16 (v_SHIFT_BY: i32) = v__vshrq_n_s16' v_SHIFT_BY
+let v__vqtbl1q_u8 = v__vqtbl1q_u8'
assume
-val v__vshrq_n_u16': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_u8': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshrq_n_u16 (v_SHIFT_BY: i32) = v__vshrq_n_u16' v_SHIFT_BY
+let v__vreinterpretq_s16_u8 = v__vreinterpretq_s16_u8'
assume
-val v__vshrq_n_u32': v_N: i32 -> a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshrq_n_u32 (v_N: i32) = v__vshrq_n_u32' v_N
+let v__vshlq_s16 = v__vshlq_s16'
assume
-val v__vshrq_n_u64': v_SHIFT_BY: i32 -> v: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_u16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vshrq_n_u64 (v_SHIFT_BY: i32) = v__vshrq_n_u64' v_SHIFT_BY
+let v__vshlq_u16 = v__vshlq_u16'
assume
-val v__vsliq_n_s32': v_N: i32 -> a: u8 -> b: u8
- -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddv_u16': a: u8 -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
-let v__vsliq_n_s32 (v_N: i32) = v__vsliq_n_s32' v_N
+let v__vaddv_u16 = v__vaddv_u16'
assume
-val v__vsliq_n_s64': v_N: i32 -> a: u8 -> b: u8
- -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vget_low_u16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vsliq_n_s64 (v_N: i32) = v__vsliq_n_s64' v_N
+let v__vget_low_u16 = v__vget_low_u16'
assume
-val v__vst1q_bytes_u64': out: t_Slice u8 -> v: u8
- -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+val v__vget_high_u16': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vst1q_bytes_u64 = v__vst1q_bytes_u64'
+let v__vget_high_u16 = v__vget_high_u16'
assume
-val v__vst1q_s16': out: t_Slice i16 -> v: u8
- -> Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddvq_s16': a: u8 -> Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
-let v__vst1q_s16 = v__vst1q_s16'
+let v__vaddvq_s16 = v__vaddvq_s16'
assume
-val v__vst1q_u64': out: t_Slice u64 -> v: u8
- -> Prims.Pure (t_Slice u64) Prims.l_True (fun _ -> Prims.l_True)
+val v__vsliq_n_s32': v_N: i32 -> a: u8 -> b: u8
+ -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vst1q_u64 = v__vst1q_u64'
+let v__vsliq_n_s32 (v_N: i32) = v__vsliq_n_s32' v_N
assume
-val v__vst1q_u8': out: t_Slice u8 -> v: u8
- -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s64_s32': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vst1q_u8 = v__vst1q_u8'
+let v__vreinterpretq_s64_s32 = v__vreinterpretq_s64_s32'
assume
-val v__vsubq_s16': lhs: u8 -> rhs: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vsliq_n_s64': v_N: i32 -> a: u8 -> b: u8
+ -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vsubq_s16 = v__vsubq_s16'
+let v__vsliq_n_s64 (v_N: i32) = v__vsliq_n_s64' v_N
assume
-val v__vtrn1q_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u8_s64': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn1q_s16 = v__vtrn1q_s16'
+let v__vreinterpretq_u8_s64 = v__vreinterpretq_u8_s64'
assume
-val v__vtrn1q_s32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vst1q_u8': out: t_Slice u8 -> v: u8
+ -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn1q_s32 = v__vtrn1q_s32'
+let v__vst1q_u8 = v__vst1q_u8'
assume
-val v__vtrn1q_s64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_u16': value: u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn1q_s64 = v__vtrn1q_s64'
+let v__vdupq_n_u16 = v__vdupq_n_u16'
assume
-val v__vtrn1q_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vandq_u16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn1q_u64 = v__vtrn1q_u64'
+let v__vandq_u16 = v__vandq_u16'
assume
-val v__vtrn2q_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u16_u8': a: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn2q_s16 = v__vtrn2q_s16'
+let v__vreinterpretq_u16_u8 = v__vreinterpretq_u16_u8'
assume
-val v__vtrn2q_s32': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_u16': ptr: t_Slice u16 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn2q_s32 = v__vtrn2q_s32'
+let v__vld1q_u16 = v__vld1q_u16'
assume
-val v__vtrn2q_s64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vcleq_s16': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn2q_s64 = v__vtrn2q_s64'
+let v__vcleq_s16 = v__vcleq_s16'
assume
-val v__vtrn2q_u64': a: u8 -> b: u8 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddvq_u16': a: u8 -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
-let v__vtrn2q_u64 = v__vtrn2q_u64'
+let v__vaddvq_u16 = v__vaddvq_u16'
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti
index d4014e6a8..9f1999bf3 100644
--- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti
@@ -3,158 +3,158 @@ module Libcrux_intrinsics.Arm64_extract
open Core
open FStar.Mul
-val v__vaddq_s16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_s16 (i: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vaddq_u32 (compressed half: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_u64 (i: u64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vaddv_u16 (a: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+val v__vst1q_s16 (out: t_Slice i16) (v: u8)
+ : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
-val v__vaddvq_s16 (a: u8) : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_s16 (array: t_Slice i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vaddvq_u16 (a: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_bytes_u64 (array: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vandq_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_u64 (array: t_Slice u64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vandq_u16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vst1q_u64 (out: t_Slice u64) (v: u8)
+ : Prims.Pure (t_Slice u64) Prims.l_True (fun _ -> Prims.l_True)
-val v__vandq_u32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vst1q_bytes_u64 (out: t_Slice u8) (v: u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-val v__vbicq_u64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddq_s16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vcgeq_s16 (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vsubq_s16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vcleq_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_n_s16 (v: u8) (c: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vdupq_n_s16 (i: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_n_u16 (v: u8) (c: u16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vdupq_n_u16 (value: u16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_s16 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vdupq_n_u32 (value: u32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_u16 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vdupq_n_u64 (i: u64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_u64 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__veorq_s16 (mask shifted: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_n_u64 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__veorq_u64 (mask shifted: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_n_s16 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vget_high_u16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshlq_n_u32 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vget_low_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqdmulhq_n_s16 (k: u8) (b: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vget_low_u16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqdmulhq_s16 (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vld1q_bytes_u64 (array: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vcgeq_s16 (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vld1q_s16 (array: t_Slice i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vandq_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vld1q_u16 (ptr: t_Slice u16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vbicq_u64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vld1q_u64 (array: t_Slice u64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_u16 (m0: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vld1q_u8 (ptr: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u16_s16 (m0: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmlal_high_s16 (a b c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_s16 (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmlal_s16 (a b c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__veorq_s16 (mask shifted: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmull_high_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__veorq_u64 (mask shifted: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmull_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_u32 (value: u32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmulq_n_s16 (v: u8) (c: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddq_u32 (compressed half: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmulq_n_u16 (v: u8) (c: u16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s32_u32 (compressed: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmulq_n_u32 (a: u8) (b: u32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqdmulhq_n_s32 (a: u8) (b: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vmulq_s16 (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u32_s32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vqdmulhq_n_s16 (k: u8) (b: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vshrq_n_u32 (v_N: i32) (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vqdmulhq_n_s32 (a: u8) (b: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vandq_u32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vqdmulhq_s16 (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u32_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vqtbl1q_u8 (t idx: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_u32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_s16_s32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn1q_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_s16_s64 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_s16_u16 (m0: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmulq_n_u32 (a: u8) (b: u32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_s16_u32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn1q_s32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_s16_u8 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s16_s32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
val v__vreinterpretq_s32_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_s32_u32 (compressed: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_s32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+val v__vtrn1q_s64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+val v__vtrn1q_u64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+val v__vreinterpretq_s16_s64 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
val v__vreinterpretq_s64_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_s64_s32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_s64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_u16_s16 (m0: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vtrn2q_u64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_u16_u8 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmull_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_u32_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vget_low_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_u32_s32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmull_high_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_u8_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmlal_s16 (a b c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vreinterpretq_u8_s64 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vmlal_high_s16 (a b c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vshlq_n_s16 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_u8 (ptr: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vshlq_n_u32 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u8_s16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vshlq_n_u64 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vqtbl1q_u8 (t idx: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
+val v__vreinterpretq_s16_u8 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
val v__vshlq_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
val v__vshlq_u16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vshrq_n_s16 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddv_u16 (a: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
-val v__vshrq_n_u16 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vget_low_u16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vshrq_n_u32 (v_N: i32) (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vget_high_u16 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vshrq_n_u64 (v_SHIFT_BY: i32) (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddvq_s16 (a: u8) : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
val v__vsliq_n_s32 (v_N: i32) (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vsliq_n_s64 (v_N: i32) (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val v__vst1q_bytes_u64 (out: t_Slice u8) (v: u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_s64_s32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vst1q_s16 (out: t_Slice i16) (v: u8)
- : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+val v__vsliq_n_s64 (v_N: i32) (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vst1q_u64 (out: t_Slice u64) (v: u8)
- : Prims.Pure (t_Slice u64) Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u8_s64 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
val v__vst1q_u8 (out: t_Slice u8) (v: u8)
: Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-val v__vsubq_s16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val v__vtrn1q_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val v__vtrn1q_s32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-
-val v__vtrn1q_s64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vdupq_n_u16 (value: u16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vtrn1q_u64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vandq_u16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vtrn2q_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vreinterpretq_u16_u8 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vtrn2q_s32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vld1q_u16 (ptr: t_Slice u16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vtrn2q_s64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vcleq_s16 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val v__vtrn2q_u64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val v__vaddvq_u16 (a: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst
index 5cf54bf43..6df4a0d5a 100644
--- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst
@@ -10,246 +10,290 @@ let mm256_movemask_ps = mm256_movemask_ps'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_3': Core.Clone.t_Clone t_Vec128
+val impl': Core.Clone.t_Clone t_Vec256
-let impl_3 = impl_3'
+let impl = impl'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_2': Core.Marker.t_Copy t_Vec128
+val impl_1': Core.Marker.t_Copy t_Vec256
-let impl_2 = impl_2'
+let impl_1 = impl_1'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl': Core.Clone.t_Clone t_Vec256
+val impl_3': Core.Clone.t_Clone t_Vec128
-let impl = impl'
+let impl_3 = impl_3'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_1': Core.Marker.t_Copy t_Vec256
+val impl_2': Core.Marker.t_Copy t_Vec128
-let impl_1 = impl_1'
+let impl_2 = impl_2'
assume
-val mm256_abs_epi32': a: t_Vec256 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_storeu_si256_u8': output: t_Slice u8 -> vector: t_Vec256
+ -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-let mm256_abs_epi32 = mm256_abs_epi32'
+let mm256_storeu_si256_u8 = mm256_storeu_si256_u8'
assume
-val mm256_add_epi16': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256
+val mm256_storeu_si256_i16': output: t_Slice i16 -> vector: t_Vec256
+ -> Prims.Pure (t_Slice i16)
Prims.l_True
(ensures
- fun result ->
- let result:t_Vec256 = result in
- vec256_as_i16x16 result ==
- Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
+ fun output_future ->
+ let output_future:t_Slice i16 = output_future in
+ (Core.Slice.impl__len #i16 output_future <: usize) =.
+ (Core.Slice.impl__len #i16 output <: usize))
-let mm256_add_epi16 = mm256_add_epi16'
+let mm256_storeu_si256_i16 = mm256_storeu_si256_i16'
assume
-val mm256_add_epi32': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_storeu_si256_i32': output: t_Slice i32 -> vector: t_Vec256
+ -> Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
-let mm256_add_epi32 = mm256_add_epi32'
+let mm256_storeu_si256_i32 = mm256_storeu_si256_i32'
assume
-val mm256_add_epi64': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_storeu_si128': output: t_Slice i16 -> vector: t_Vec128
+ -> Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
-let mm256_add_epi64 = mm256_add_epi64'
+let mm_storeu_si128 = mm_storeu_si128'
assume
-val mm256_andnot_si256': a: t_Vec256 -> b: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_storeu_si128_i32': output: t_Slice i32 -> vector: t_Vec128
+ -> Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
-let mm256_andnot_si256 = mm256_andnot_si256'
+let mm_storeu_si128_i32 = mm_storeu_si128_i32'
assume
-val mm256_blend_epi16': v_CONTROL: i32 -> lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_loadu_si256_u8': input: t_Slice u8
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_blend_epi16 (v_CONTROL: i32) = mm256_blend_epi16' v_CONTROL
+let mm256_loadu_si256_u8 = mm256_loadu_si256_u8'
assume
-val mm256_blend_epi32': v_CONTROL: i32 -> lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_loadu_si256_i16': input: t_Slice i16
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_blend_epi32 (v_CONTROL: i32) = mm256_blend_epi32' v_CONTROL
+let mm256_loadu_si256_i16 = mm256_loadu_si256_i16'
assume
-val mm256_bsrli_epi128': v_SHIFT_BY: i32 -> x: t_Vec256
+val mm256_loadu_si256_i32': input: t_Slice i32
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_bsrli_epi128 (v_SHIFT_BY: i32) = mm256_bsrli_epi128' v_SHIFT_BY
+let mm256_loadu_si256_i32 = mm256_loadu_si256_i32'
assume
-val mm256_castsi128_si256': vector: t_Vec128
+val mm256_setzero_si256': Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+let mm256_setzero_si256 = mm256_setzero_si256'
+
+assume
+val mm256_set_m128i': hi: t_Vec128 -> lo: t_Vec128
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_castsi128_si256 = mm256_castsi128_si256'
+let mm256_set_m128i = mm256_set_m128i'
assume
-val mm256_castsi256_ps': a: t_Vec256 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val mm_set1_epi16': constant: i16
+ -> Prims.Pure t_Vec128
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant)
-let mm256_castsi256_ps = mm256_castsi256_ps'
+let mm_set1_epi16 = mm_set1_epi16'
assume
-val mm256_cmpeq_epi32': a: t_Vec256 -> b: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set1_epi32': constant: i32 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_cmpeq_epi32 = mm256_cmpeq_epi32'
+let mm256_set1_epi32 = mm256_set1_epi32'
assume
-val mm256_cmpgt_epi16': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_set_epi32': input3: i32 -> input2: i32 -> input1: i32 -> input0: i32
+ -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_cmpgt_epi16 = mm256_cmpgt_epi16'
+let mm_set_epi32 = mm_set_epi32'
assume
-val mm256_cmpgt_epi32': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_add_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+ -> Prims.Pure t_Vec128
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result ==
+ Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
-let mm256_cmpgt_epi32 = mm256_cmpgt_epi32'
+let mm_add_epi16 = mm_add_epi16'
assume
-val mm256_cvtepi16_epi32': vector: t_Vec128
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_sub_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+ -> Prims.Pure t_Vec128
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result ==
+ Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
-let mm256_cvtepi16_epi32 = mm256_cvtepi16_epi32'
+let mm_sub_epi16 = mm_sub_epi16'
assume
-val mm256_inserti128_si256': v_CONTROL: i32 -> vector: t_Vec256 -> vector_i128: t_Vec128
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_add_epi16': lhs: t_Vec256 -> rhs: t_Vec256
+ -> Prims.Pure t_Vec256
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec256 = result in
+ vec256_as_i16x16 result ==
+ Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
-let mm256_inserti128_si256 (v_CONTROL: i32) = mm256_inserti128_si256' v_CONTROL
+let mm256_add_epi16 = mm256_add_epi16'
assume
-val mm256_loadu_si256_i16': input: t_Slice i16
+val mm256_add_epi32': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_loadu_si256_i16 = mm256_loadu_si256_i16'
+let mm256_add_epi32 = mm256_add_epi32'
assume
-val mm256_loadu_si256_i32': input: t_Slice i32
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_sub_epi16': lhs: t_Vec256 -> rhs: t_Vec256
+ -> Prims.Pure t_Vec256
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec256 = result in
+ vec256_as_i16x16 result ==
+ Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
-let mm256_loadu_si256_i32 = mm256_loadu_si256_i32'
+let mm256_sub_epi16 = mm256_sub_epi16'
assume
-val mm256_loadu_si256_u8': input: t_Slice u8
+val mm256_add_epi64': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_loadu_si256_u8 = mm256_loadu_si256_u8'
+let mm256_add_epi64 = mm256_add_epi64'
assume
-val mm256_mul_epi32': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_abs_epi32': a: t_Vec256 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_mul_epi32 = mm256_mul_epi32'
+let mm256_abs_epi32 = mm256_abs_epi32'
assume
-val mm256_mul_epu32': lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_sub_epi32': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_mul_epu32 = mm256_mul_epu32'
+let mm256_sub_epi32 = mm256_sub_epi32'
assume
-val mm256_mulhi_epi16': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256
+val mm_mullo_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+ -> Prims.Pure t_Vec128
Prims.l_True
(ensures
fun result ->
- let result:t_Vec256 = result in
- vec256_as_i16x16 result ==
- Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
- (vec256_as_i16x16 lhs)
- (vec256_as_i16x16 rhs))
-
-let mm256_mulhi_epi16 = mm256_mulhi_epi16'
-
-assume
-val mm256_mullo_epi32': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result ==
+ Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
-let mm256_mullo_epi32 = mm256_mullo_epi32'
+let mm_mullo_epi16 = mm_mullo_epi16'
assume
-val mm256_or_si256': a: t_Vec256 -> b: t_Vec256
+val mm256_cmpgt_epi16': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_or_si256 = mm256_or_si256'
+let mm256_cmpgt_epi16 = mm256_cmpgt_epi16'
assume
-val mm256_packs_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_cmpgt_epi32': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_packs_epi32 = mm256_packs_epi32'
+let mm256_cmpgt_epi32 = mm256_cmpgt_epi32'
assume
-val mm256_permute2x128_si256': v_IMM8: i32 -> a: t_Vec256 -> b: t_Vec256
+val mm256_cmpeq_epi32': a: t_Vec256 -> b: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_permute2x128_si256 (v_IMM8: i32) = mm256_permute2x128_si256' v_IMM8
+let mm256_cmpeq_epi32 = mm256_cmpeq_epi32'
assume
-val mm256_permute4x64_epi64': v_CONTROL: i32 -> vector: t_Vec256
+val mm256_sign_epi32': a: t_Vec256 -> b: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_permute4x64_epi64 (v_CONTROL: i32) = mm256_permute4x64_epi64' v_CONTROL
+let mm256_sign_epi32 = mm256_sign_epi32'
assume
-val mm256_set1_epi32': constant: i32 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_castsi256_ps': a: t_Vec256 -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_set1_epi32 = mm256_set1_epi32'
+let mm256_castsi256_ps = mm256_castsi256_ps'
assume
-val mm256_set1_epi64x': a: i64 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_mulhi_epi16': lhs: t_Vec128 -> rhs: t_Vec128
+ -> Prims.Pure t_Vec128
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result ==
+ Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+ (vec128_as_i16x8 lhs)
+ (vec128_as_i16x8 rhs))
-let mm256_set1_epi64x = mm256_set1_epi64x'
+let mm_mulhi_epi16 = mm_mulhi_epi16'
assume
-val mm256_set_epi64x': input3: i64 -> input2: i64 -> input1: i64 -> input0: i64
+val mm256_mullo_epi32': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_set_epi64x = mm256_set_epi64x'
+let mm256_mullo_epi32 = mm256_mullo_epi32'
assume
-val mm256_set_m128i': hi: t_Vec128 -> lo: t_Vec128
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_mulhi_epi16': lhs: t_Vec256 -> rhs: t_Vec256
+ -> Prims.Pure t_Vec256
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec256 = result in
+ vec256_as_i16x16 result ==
+ Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+ (vec256_as_i16x16 lhs)
+ (vec256_as_i16x16 rhs))
-let mm256_set_m128i = mm256_set_m128i'
+let mm256_mulhi_epi16 = mm256_mulhi_epi16'
assume
-val mm256_setzero_si256': Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_mul_epu32': lhs: t_Vec256 -> rhs: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_setzero_si256 = mm256_setzero_si256'
+let mm256_mul_epu32 = mm256_mul_epu32'
assume
-val mm256_shuffle_epi32': v_CONTROL: i32 -> vector: t_Vec256
+val mm256_mul_epi32': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_shuffle_epi32 (v_CONTROL: i32) = mm256_shuffle_epi32' v_CONTROL
+let mm256_mul_epi32 = mm256_mul_epi32'
assume
-val mm256_sign_epi32': a: t_Vec256 -> b: t_Vec256
+val mm256_or_si256': a: t_Vec256 -> b: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_sign_epi32 = mm256_sign_epi32'
+let mm256_or_si256 = mm256_or_si256'
assume
-val mm256_slli_epi32': v_SHIFT_BY: i32 -> vector: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_testz_si256': lhs: t_Vec256 -> rhs: t_Vec256
+ -> Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_slli_epi32 (v_SHIFT_BY: i32) = mm256_slli_epi32' v_SHIFT_BY
+let mm256_testz_si256 = mm256_testz_si256'
assume
-val mm256_slli_epi64': v_LEFT: i32 -> x: t_Vec256
+val mm256_xor_si256': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_slli_epi64 (v_LEFT: i32) = mm256_slli_epi64' v_LEFT
+let mm256_xor_si256 = mm256_xor_si256'
assume
val mm256_srai_epi16': v_SHIFT_BY: i32 -> vector: t_Vec256
@@ -276,188 +320,144 @@ val mm256_srli_epi32': v_SHIFT_BY: i32 -> vector: t_Vec256
let mm256_srli_epi32 (v_SHIFT_BY: i32) = mm256_srli_epi32' v_SHIFT_BY
assume
-val mm256_srlv_epi32': vector: t_Vec256 -> counts: t_Vec256
- -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_srli_epi64': v_SHIFT_BY: i32 -> vector: t_Vec128
+ -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_srlv_epi32 = mm256_srlv_epi32'
+let mm_srli_epi64 (v_SHIFT_BY: i32) = mm_srli_epi64' v_SHIFT_BY
assume
-val mm256_srlv_epi64': vector: t_Vec256 -> counts: t_Vec256
+val mm256_slli_epi32': v_SHIFT_BY: i32 -> vector: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_srlv_epi64 = mm256_srlv_epi64'
+let mm256_slli_epi32 (v_SHIFT_BY: i32) = mm256_slli_epi32' v_SHIFT_BY
assume
-val mm256_storeu_si256_i16': output: t_Slice i16 -> vector: t_Vec256
- -> Prims.Pure (t_Slice i16)
- Prims.l_True
- (ensures
- fun output_future ->
- let output_future:t_Slice i16 = output_future in
- (Core.Slice.impl__len #i16 output_future <: usize) =.
- (Core.Slice.impl__len #i16 output <: usize))
+val mm256_shuffle_epi32': v_CONTROL: i32 -> vector: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_storeu_si256_i16 = mm256_storeu_si256_i16'
+let mm256_shuffle_epi32 (v_CONTROL: i32) = mm256_shuffle_epi32' v_CONTROL
assume
-val mm256_storeu_si256_i32': output: t_Slice i32 -> vector: t_Vec256
- -> Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
+val mm256_permute4x64_epi64': v_CONTROL: i32 -> vector: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_storeu_si256_i32 = mm256_storeu_si256_i32'
+let mm256_permute4x64_epi64 (v_CONTROL: i32) = mm256_permute4x64_epi64' v_CONTROL
assume
-val mm256_storeu_si256_u8': output: t_Slice u8 -> vector: t_Vec256
- -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+val mm256_unpackhi_epi64': lhs: t_Vec256 -> rhs: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_storeu_si256_u8 = mm256_storeu_si256_u8'
+let mm256_unpackhi_epi64 = mm256_unpackhi_epi64'
assume
-val mm256_sub_epi16': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure t_Vec256
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec256 = result in
- vec256_as_i16x16 result ==
- Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
+val mm256_unpacklo_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_sub_epi16 = mm256_sub_epi16'
+let mm256_unpacklo_epi32 = mm256_unpacklo_epi32'
assume
-val mm256_sub_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_unpackhi_epi32': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_sub_epi32 = mm256_sub_epi32'
+let mm256_unpackhi_epi32 = mm256_unpackhi_epi32'
assume
-val mm256_testz_si256': lhs: t_Vec256 -> rhs: t_Vec256
- -> Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_castsi128_si256': vector: t_Vec128
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_testz_si256 = mm256_testz_si256'
+let mm256_castsi128_si256 = mm256_castsi128_si256'
assume
-val mm256_unpackhi_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_cvtepi16_epi32': vector: t_Vec128
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_unpackhi_epi32 = mm256_unpackhi_epi32'
+let mm256_cvtepi16_epi32 = mm256_cvtepi16_epi32'
assume
-val mm256_unpackhi_epi64': lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_packs_epi32': lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_unpackhi_epi64 = mm256_unpackhi_epi64'
+let mm256_packs_epi32 = mm256_packs_epi32'
assume
-val mm256_unpacklo_epi32': lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_inserti128_si256': v_CONTROL: i32 -> vector: t_Vec256 -> vector_i128: t_Vec128
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_unpacklo_epi32 = mm256_unpacklo_epi32'
+let mm256_inserti128_si256 (v_CONTROL: i32) = mm256_inserti128_si256' v_CONTROL
assume
-val mm256_unpacklo_epi64': a: t_Vec256 -> b: t_Vec256
+val mm256_blend_epi16': v_CONTROL: i32 -> lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_unpacklo_epi64 = mm256_unpacklo_epi64'
+let mm256_blend_epi16 (v_CONTROL: i32) = mm256_blend_epi16' v_CONTROL
assume
-val mm256_xor_si256': lhs: t_Vec256 -> rhs: t_Vec256
+val mm256_blend_epi32': v_CONTROL: i32 -> lhs: t_Vec256 -> rhs: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm256_xor_si256 = mm256_xor_si256'
+let mm256_blend_epi32 (v_CONTROL: i32) = mm256_blend_epi32' v_CONTROL
assume
-val mm_add_epi16': lhs: t_Vec128 -> rhs: t_Vec128
- -> Prims.Pure t_Vec128
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result ==
- Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+val vec256_blendv_epi32': a: t_Vec256 -> b: t_Vec256 -> mask: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_add_epi16 = mm_add_epi16'
+let vec256_blendv_epi32 = vec256_blendv_epi32'
assume
-val mm_mulhi_epi16': lhs: t_Vec128 -> rhs: t_Vec128
- -> Prims.Pure t_Vec128
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result ==
- Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
- (vec128_as_i16x8 lhs)
- (vec128_as_i16x8 rhs))
+val mm256_srlv_epi32': vector: t_Vec256 -> counts: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_mulhi_epi16 = mm_mulhi_epi16'
+let mm256_srlv_epi32 = mm256_srlv_epi32'
assume
-val mm_mullo_epi16': lhs: t_Vec128 -> rhs: t_Vec128
- -> Prims.Pure t_Vec128
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result ==
- Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+val mm256_srlv_epi64': vector: t_Vec256 -> counts: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_mullo_epi16 = mm_mullo_epi16'
+let mm256_srlv_epi64 = mm256_srlv_epi64'
assume
-val mm_set1_epi16': constant: i16
- -> Prims.Pure t_Vec128
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant)
+val mm_sllv_epi32': vector: t_Vec128 -> counts: t_Vec128
+ -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
-let mm_set1_epi16 = mm_set1_epi16'
+let mm_sllv_epi32 = mm_sllv_epi32'
assume
-val mm_set_epi32': input3: i32 -> input2: i32 -> input1: i32 -> input0: i32
- -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_slli_epi64': v_LEFT: i32 -> x: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_set_epi32 = mm_set_epi32'
+let mm256_slli_epi64 (v_LEFT: i32) = mm256_slli_epi64' v_LEFT
assume
-val mm_sllv_epi32': vector: t_Vec128 -> counts: t_Vec128
- -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_bsrli_epi128': v_SHIFT_BY: i32 -> x: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_sllv_epi32 = mm_sllv_epi32'
+let mm256_bsrli_epi128 (v_SHIFT_BY: i32) = mm256_bsrli_epi128' v_SHIFT_BY
assume
-val mm_srli_epi64': v_SHIFT_BY: i32 -> vector: t_Vec128
- -> Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_andnot_si256': a: t_Vec256 -> b: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_srli_epi64 (v_SHIFT_BY: i32) = mm_srli_epi64' v_SHIFT_BY
+let mm256_andnot_si256 = mm256_andnot_si256'
assume
-val mm_storeu_si128': output: t_Slice i16 -> vector: t_Vec128
- -> Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set1_epi64x': a: i64 -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_storeu_si128 = mm_storeu_si128'
+let mm256_set1_epi64x = mm256_set1_epi64x'
assume
-val mm_storeu_si128_i32': output: t_Slice i32 -> vector: t_Vec128
- -> Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set_epi64x': input3: i64 -> input2: i64 -> input1: i64 -> input0: i64
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_storeu_si128_i32 = mm_storeu_si128_i32'
+let mm256_set_epi64x = mm256_set_epi64x'
assume
-val mm_sub_epi16': lhs: t_Vec128 -> rhs: t_Vec128
- -> Prims.Pure t_Vec128
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result ==
- Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+val mm256_unpacklo_epi64': a: t_Vec256 -> b: t_Vec256
+ -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let mm_sub_epi16 = mm_sub_epi16'
+let mm256_unpacklo_epi64 = mm256_unpacklo_epi64'
assume
-val vec256_blendv_epi32': a: t_Vec256 -> b: t_Vec256 -> mask: t_Vec256
+val mm256_permute2x128_si256': v_IMM8: i32 -> a: t_Vec256 -> b: t_Vec256
-> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-let vec256_blendv_epi32 = vec256_blendv_epi32'
+let mm256_permute2x128_si256 (v_IMM8: i32) = mm256_permute2x128_si256' v_IMM8
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti
index 4b6ebb714..b574e7c5d 100644
--- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti
@@ -3,174 +3,163 @@ module Libcrux_intrinsics.Avx2_extract
open Core
open FStar.Mul
-val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+unfold type t_Vec256 = bit_vec 256
+val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16)
+let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i
unfold type t_Vec128 = bit_vec 128
val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8)
let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_3:Core.Clone.t_Clone t_Vec128
+include BitVec.Intrinsics {mm_storeu_bytes_si128}
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_2:Core.Marker.t_Copy t_Vec128
+include BitVec.Intrinsics {mm_loadu_si128}
-unfold type t_Vec256 = bit_vec 256
-val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16)
-let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i
+include BitVec.Intrinsics {mm_set_epi8}
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Core.Clone.t_Clone t_Vec256
+include BitVec.Intrinsics {mm256_set_epi8}
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Core.Marker.t_Copy t_Vec256
+include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16}
+val lemma_mm256_set1_epi16 constant
+ : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant)
+ == Spec.Utils.create (sz 16) constant
+ )
+ [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))]
-val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16}
+let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 :
+ Lemma (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) ==
+ Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15)
+ [SMTPat (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit()
-val mm256_add_epi16 (lhs rhs: t_Vec256)
- : Prims.Pure t_Vec256
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec256 = result in
- vec256_as_i16x16 result ==
- Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
+include BitVec.Intrinsics {mm256_set_epi32}
-val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16}
-val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16}
+let lemma_mm256_mullo_epi16 v1 v2 :
+ Lemma (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2) ==
+ Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2))
+ [SMTPat (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2))] = admit()
-val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256}
+val lemma_mm256_and_si256 lhs rhs
+ : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs)
+ == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)
+ )
+ [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))]
-val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16}
-val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_srli_epi64 as mm256_srli_epi64}
-val mm256_castsi128_si256 (vector: t_Vec128)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16}
-val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_shuffle_epi8}
-val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_shuffle_epi8}
-val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128}
-val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16}
-val mm256_cvtepi16_epi32 (vector: t_Vec128)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256}
-val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8}
-val mm256_loadu_si256_i16 (input: t_Slice i16)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_permutevar8x32_epi32}
-val mm256_loadu_si256_i32 (input: t_Slice i32)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+include BitVec.Intrinsics {mm256_sllv_epi32}
-val mm256_loadu_si256_u8 (input: t_Slice u8)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_Vec256
-val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_Vec256
-val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_3:Core.Clone.t_Clone t_Vec128
-val mm256_mulhi_epi16 (lhs rhs: t_Vec256)
- : Prims.Pure t_Vec256
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Core.Marker.t_Copy t_Vec128
+
+val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256)
+ : Prims.Pure (t_Slice i16)
Prims.l_True
(ensures
- fun result ->
- let result:t_Vec256 = result in
- vec256_as_i16x16 result ==
- Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
- (vec256_as_i16x16 lhs)
- (vec256_as_i16x16 rhs))
+ fun output_future ->
+ let output_future:t_Slice i16 = output_future in
+ (Core.Slice.impl__len #i16 output_future <: usize) =.
+ (Core.Slice.impl__len #i16 output <: usize))
-val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256)
+ : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
-val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_storeu_si128 (output: t_Slice i16) (vector: t_Vec128)
+ : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
-val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128)
+ : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
-val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256)
+val mm256_loadu_si256_u8 (input: t_Slice u8)
: Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256)
+val mm256_loadu_si256_i16 (input: t_Slice i16)
: Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_permutevar8x32_epi32}
-
-val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-include BitVec.Intrinsics {mm256_set_epi32}
-
-val mm256_set_epi64x (input3 input2 input1 input0: i64)
+val mm256_loadu_si256_i32 (input: t_Slice i32)
: Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_set_epi8}
-
-val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_shuffle_epi8}
+val mm_set1_epi16 (constant: i16)
+ : Prims.Pure t_Vec128
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant)
-val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_set_epi32 (input3 input2 input1 input0: i32)
+ : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
-val mm256_slli_epi64 (v_LEFT: i32) (x: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm_add_epi16 (lhs rhs: t_Vec128)
+ : Prims.Pure t_Vec128
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result ==
+ Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
-include BitVec.Intrinsics {mm256_sllv_epi32}
+val mm_sub_epi16 (lhs rhs: t_Vec128)
+ : Prims.Pure t_Vec128
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Vec128 = result in
+ vec128_as_i16x8 result ==
+ Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
-val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256)
+val mm256_add_epi16 (lhs rhs: t_Vec256)
: Prims.Pure t_Vec256
- (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
+ Prims.l_True
(ensures
fun result ->
let result:t_Vec256 = result in
vec256_as_i16x16 result ==
- Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector))
-
-val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_srlv_epi32 (vector counts: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_srlv_epi64 (vector counts: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256)
- : Prims.Pure (t_Slice i16)
- Prims.l_True
- (ensures
- fun output_future ->
- let output_future:t_Slice i16 = output_future in
- (Core.Slice.impl__len #i16 output_future <: usize) =.
- (Core.Slice.impl__len #i16 output <: usize))
-
-val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256)
- : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
+ Spec.Utils.map2 ( +. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
-val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
val mm256_sub_epi16 (lhs rhs: t_Vec256)
: Prims.Pure t_Vec256
@@ -181,33 +170,30 @@ val mm256_sub_epi16 (lhs rhs: t_Vec256)
vec256_as_i16x16 result ==
Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs))
-val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_unpackhi_epi32 (lhs rhs: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_unpackhi_epi64 (lhs rhs: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val mm256_unpacklo_epi32 (lhs rhs: t_Vec256)
- : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm256_unpacklo_epi64 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm256_xor_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm_add_epi16 (lhs rhs: t_Vec128)
+val mm_mullo_epi16 (lhs rhs: t_Vec128)
: Prims.Pure t_Vec128
Prims.l_True
(ensures
fun result ->
let result:t_Vec128 = result in
vec128_as_i16x8 result ==
- Spec.Utils.map2 ( +. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+ Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
-include BitVec.Intrinsics {mm_loadu_si128}
+val mm256_cmpgt_epi16 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
val mm_mulhi_epi16 (lhs rhs: t_Vec128)
: Prims.Pure t_Vec128
@@ -220,94 +206,108 @@ val mm_mulhi_epi16 (lhs rhs: t_Vec128)
(vec128_as_i16x8 lhs)
(vec128_as_i16x8 rhs))
-val mm_mullo_epi16 (lhs rhs: t_Vec128)
- : Prims.Pure t_Vec128
+val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_mulhi_epi16 (lhs rhs: t_Vec256)
+ : Prims.Pure t_Vec256
Prims.l_True
(ensures
fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result ==
- Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+ let result:t_Vec256 = result in
+ vec256_as_i16x16 result ==
+ Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16)
+ (vec256_as_i16x16 lhs)
+ (vec256_as_i16x16 rhs))
-val mm_set1_epi16 (constant: i16)
- : Prims.Pure t_Vec128
- Prims.l_True
+val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_xor_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256)
+ : Prims.Pure t_Vec256
+ (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
(ensures
fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant)
+ let result:t_Vec256 = result in
+ vec256_as_i16x16 result ==
+ Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector))
-val mm_set_epi32 (input3 input2 input1 input0: i32)
+val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128)
: Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm_set_epi8}
+val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm_shuffle_epi8}
+val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm_sllv_epi32 (vector counts: t_Vec128)
- : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128)
- : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
+val mm256_unpackhi_epi64 (lhs rhs: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm_storeu_bytes_si128}
+val mm256_unpacklo_epi32 (lhs rhs: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm_storeu_si128 (output: t_Slice i16) (vector: t_Vec128)
- : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+val mm256_unpackhi_epi32 (lhs rhs: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128)
- : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
+val mm256_castsi128_si256 (vector: t_Vec128)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val mm_sub_epi16 (lhs rhs: t_Vec128)
- : Prims.Pure t_Vec128
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Vec128 = result in
- vec128_as_i16x8 result ==
- Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs))
+val mm256_cvtepi16_epi32 (vector: t_Vec128)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val vec256_blendv_epi32 (a b mask: t_Vec256)
+val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128)
: Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256}
-val lemma_mm256_and_si256 lhs rhs
- : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs)
- == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)
- )
- [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))]
+val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128}
+val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256}
+val vec256_blendv_epi32 (a b mask: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16}
+val mm256_srlv_epi32 (vector counts: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16}
-let lemma_mm256_mullo_epi16 v1 v2 :
- Lemma (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2) ==
- Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2))
- [SMTPat (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2))] = admit()
+val mm256_srlv_epi64 (vector counts: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16}
-val lemma_mm256_set1_epi16 constant
- : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant)
- == Spec.Utils.create (sz 16) constant
- )
- [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))]
+val mm_sllv_epi32 (vector counts: t_Vec128)
+ : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16}
-let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 :
- Lemma (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) ==
- Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15)
- [SMTPat (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit()
+val mm256_slli_epi64 (v_LEFT: i32) (x: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16}
+val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16}
+val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_srli_epi64 as mm256_srli_epi64}
+val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8}
+val mm256_set_epi64x (input3 input2 input1 input0: i64)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16}
+val mm256_unpacklo_epi64 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
+val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256)
+ : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
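Review bot: The bitvector-backed definitions and SMT-pattern lemmas are dropped from this hunk with no replacement visible here — `include BitVec.Intrinsics {mm256_and_si256 ...}`, `lemma_mm256_and_si256`, `lemma_mm256_mullo_epi16`, `lemma_mm256_set1_epi16` and `lemma_mm256_set_epi16`, plus the `mm_loadu_si128`, `mm_set_epi8`, `mm_shuffle_epi8` and `mm_storeu_bytes_si128` includes. Unless they are re-declared elsewhere in this commit, the `vec256_as_i16x16` facts those `[SMTPat ...]` lemmas supplied automatically disappear, and downstream proofs that relied on them (anything reasoning lane-wise about `mm256_mullo_epi16`, `mm256_set1_epi16` or `mm256_and_si256`) will need explicit postconditions or will stop verifying. If the intent is to keep those intrinsics abstract, the dropped lemma content should be carried over as `ensures` clauses on the corresponding `val`s, in the style used for `mm256_mulhi_epi16` in this hunk. The file header is outside this chunk, so I cannot tell whether `BitVec.Intrinsics` is still referenced there.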
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst
index 9cbda3450..c9d13fb76 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst
@@ -9,85 +9,153 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let decompose_vector
+let vector_infinity_norm_exceeds
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (dimension: usize)
- (gamma2: i32)
- (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (bound: i32)
=
- let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let result:bool = false in
+ let result:bool =
+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ #FStar.Tactics.Typeclasses.solve
+ (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ vector
+ <:
+ Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ <:
+ Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ result
+ (fun result ring_element ->
+ let result:bool = result in
+ let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ ring_element
+ in
+ result ||
+ (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound
+ <:
+ bool))
+ in
+ result
+
+let shift_left_then_reduce
+ (#v_SIMDUnit: Type0)
+ (v_SHIFT_BY: i32)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ =
+ let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #v_SIMDUnit
+ (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
+ <:
+ usize)
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
+ let _:usize = temp_1_ in
+ true)
+ re
+ (fun re i ->
+ let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
+ let i:usize = i in
+ {
+ re with
+ Libcrux_ml_dsa.Polynomial.f_simd_units
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ .Libcrux_ml_dsa.Polynomial.f_simd_units
+ i
+ (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ v_SHIFT_BY
+ (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit)
+ <:
+ v_SIMDUnit)
+ <:
+ t_Array v_SIMDUnit (sz 32)
+ }
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ in
+ re
+
+let power2round_vector
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (t t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ =
+ let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
Rust_primitives.Hax.Folds.fold_range (sz 0)
- dimension
+ (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) t
+ <:
+ usize)
(fun temp_0_ temp_1_ ->
- let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let _:usize = temp_1_ in
true)
- (high, low
+ (t, t1
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
(fun temp_0_ i ->
- let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let i:usize = i in
Rust_primitives.Hax.Folds.fold_range (sz 0)
(Core.Slice.impl__len #v_SIMDUnit
- ((low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
+ ((t.[ i ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
<:
usize)
(fun temp_0_ temp_1_ ->
- let high, low:(t_Slice
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let _:usize = temp_1_ in
true)
- (high, low
+ (t, t1
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
(fun temp_0_ j ->
- let high, low:(t_Slice
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let j:usize = j in
let tmp0, tmp1:(v_SIMDUnit & v_SIMDUnit) =
- Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit
+ Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit
#FStar.Tactics.Typeclasses.solve
- gamma2
((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
<:
v_SIMDUnit)
- ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
- <:
- v_SIMDUnit)
- ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ ((t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
<:
v_SIMDUnit)
in
- let low:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low
+ let t:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t
i
({
- (low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
+ (t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
Libcrux_ml_dsa.Polynomial.f_simd_units
=
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (low.[ i ]
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t.[ i ]
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units
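Review bot: `power2round_vector` now loops over `Core.Slice.impl__len t` but indexes `t1.[ i ]` on every iteration, and nothing visible requires `t1` to be at least as long as `t`; the matching `.fsti` hunk appears to declare its precondition as `Prims.l_True`. Indexing in the extracted F* is only well-typed under `i < length t1`, so verification will need a length precondition on the Rust source (a hax `requires` attribute stating `t.len() == t1.len()`, or an explicit check) or this body will only pass in lax/admit mode. The same pattern recurs in `decompose_vector` in the hunk at `@@ -126,83 +194,90 @@` (`low.[ i ]`, `high.[ i ]` and `t.[ i ]` for `i < dimension`, with the inner bound read from `low.[ sz 0 ]`) and in `use_hint` in the hunk at `@@ -516,3 +434,85 @@` (`hint.[ i ]` for `i < length re_vector`). Since this file is hax-generated, the fix belongs in the Rust sources rather than in this extraction.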
@@ -99,14 +167,14 @@ let decompose_vector
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
in
- let high:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high
+ let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1
i
({
- (high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
+ (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
Libcrux_ml_dsa.Polynomial.f_simd_units
=
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (high.[ i ]
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t1.[ i ]
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units
@@ -118,7 +186,7 @@ let decompose_vector
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
in
- high, low
+ t, t1
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
@@ -126,83 +194,90 @@ let decompose_vector
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
in
- low, high
+ t, t1
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
-let power2round_vector
+let decompose_vector
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (t t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (dimension: usize)
+ (gamma2: i32)
+ (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
=
- let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) t
- <:
- usize)
+ dimension
(fun temp_0_ temp_1_ ->
- let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let _:usize = temp_1_ in
true)
- (t, t1
+ (high, low
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
(fun temp_0_ i ->
- let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let high, low:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let i:usize = i in
Rust_primitives.Hax.Folds.fold_range (sz 0)
(Core.Slice.impl__len #v_SIMDUnit
- ((t.[ i ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
+ ((low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
<:
usize)
(fun temp_0_ temp_1_ ->
- let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let high, low:(t_Slice
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let _:usize = temp_1_ in
true)
- (t, t1
+ (high, low
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
(fun temp_0_ j ->
- let t, t1:(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ let high, low:(t_Slice
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) =
temp_0_
in
let j:usize = j in
let tmp0, tmp1:(v_SIMDUnit & v_SIMDUnit) =
- Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit
+ Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit
#FStar.Tactics.Typeclasses.solve
+ gamma2
((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
<:
v_SIMDUnit)
- ((t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
+ <:
+ v_SIMDUnit)
+ ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
<:
v_SIMDUnit)
in
- let t:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t
+ let low:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low
i
({
- (t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
+ (low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
Libcrux_ml_dsa.Polynomial.f_simd_units
=
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t.[ i ]
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (low.[ i ]
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units
@@ -214,14 +289,14 @@ let power2round_vector
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
in
- let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1
+ let high:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high
i
({
- (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
+ (high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with
Libcrux_ml_dsa.Polynomial.f_simd_units
=
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t1.[ i ]
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (high.[ i ]
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
.Libcrux_ml_dsa.Polynomial.f_simd_units
@@ -233,7 +308,7 @@ let power2round_vector
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
in
- t, t1
+ high, low
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
@@ -241,168 +316,11 @@ let power2round_vector
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)))
in
- t, t1
+ low, high
<:
(t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
-let shift_left_then_reduce
- (#v_SIMDUnit: Type0)
- (v_SHIFT_BY: i32)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- =
- let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #v_SIMDUnit
- (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit)
- <:
- usize)
- (fun re temp_1_ ->
- let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
- let _:usize = temp_1_ in
- true)
- re
- (fun re i ->
- let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in
- let i:usize = i in
- {
- re with
- Libcrux_ml_dsa.Polynomial.f_simd_units
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- .Libcrux_ml_dsa.Polynomial.f_simd_units
- i
- (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- v_SHIFT_BY
- (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit)
- <:
- v_SIMDUnit)
- <:
- t_Array v_SIMDUnit (sz 32)
- }
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- in
- re
-
-let use_hint
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (gamma2: i32)
- (hint: t_Slice (t_Array i32 (sz 256)))
- (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- =
- let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- re_vector
- <:
- usize)
- (fun re_vector temp_1_ ->
- let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- re_vector
- in
- let _:usize = temp_1_ in
- true)
- re_vector
- (fun re_vector i ->
- let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- re_vector
- in
- let i:usize = i in
- let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- in
- let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit
- (hint.[ i ] <: t_Slice i32)
- tmp
- in
- let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #v_SIMDUnit
- ((re_vector.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit
- )
- <:
- usize)
- (fun tmp temp_1_ ->
- let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in
- let _:usize = temp_1_ in
- true)
- tmp
- (fun tmp j ->
- let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in
- let j:usize = j in
- {
- tmp with
- Libcrux_ml_dsa.Polynomial.f_simd_units
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp
- .Libcrux_ml_dsa.Polynomial.f_simd_units
- j
- (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- gamma2
- ((re_vector.[ i ]
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
- <:
- v_SIMDUnit)
- (tmp.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit)
- <:
- v_SIMDUnit)
- <:
- t_Array v_SIMDUnit (sz 32)
- }
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- in
- let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_vector i tmp
- in
- re_vector)
- in
- re_vector
-
-let vector_infinity_norm_exceeds
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (bound: i32)
- =
- let result:bool = false in
- let result:bool =
- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- #FStar.Tactics.Typeclasses.solve
- (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- vector
- <:
- Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- <:
- Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- result
- (fun result ring_element ->
- let result:bool = result in
- let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- ring_element
- in
- result ||
- (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound
- <:
- bool))
- in
- result
-
let make_hint
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -516,3 +434,85 @@ let make_hint
in
let hax_temp_output:usize = true_hints in
hint, hax_temp_output <: (t_Slice (t_Array i32 (sz 256)) & usize)
+
+let use_hint
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (gamma2: i32)
+ (hint: t_Slice (t_Array i32 (sz 256)))
+ (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ =
+ let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ re_vector
+ <:
+ usize)
+ (fun re_vector temp_1_ ->
+ let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ re_vector
+ in
+ let _:usize = temp_1_ in
+ true)
+ re_vector
+ (fun re_vector i ->
+ let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ re_vector
+ in
+ let i:usize = i in
+ let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ in
+ let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit
+ (hint.[ i ] <: t_Slice i32)
+ tmp
+ in
+ let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #v_SIMDUnit
+ ((re_vector.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit
+ )
+ <:
+ usize)
+ (fun tmp temp_1_ ->
+ let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in
+ let _:usize = temp_1_ in
+ true)
+ tmp
+ (fun tmp j ->
+ let tmp:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp in
+ let j:usize = j in
+ {
+ tmp with
+ Libcrux_ml_dsa.Polynomial.f_simd_units
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp
+ .Libcrux_ml_dsa.Polynomial.f_simd_units
+ j
+ (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ gamma2
+ ((re_vector.[ i ]
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ]
+ <:
+ v_SIMDUnit)
+ (tmp.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit)
+ <:
+ v_SIMDUnit)
+ <:
+ t_Array v_SIMDUnit (sz 32)
+ }
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ in
+ let re_vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re_vector i tmp
+ in
+ re_vector)
+ in
+ re_vector
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti
index 5816dd136..281aae3d4 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti
@@ -9,15 +9,19 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-val decompose_vector
+val vector_infinity_norm_exceeds
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (dimension: usize)
- (gamma2: i32)
- (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- : Prims.Pure
- (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (bound: i32)
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+val shift_left_then_reduce
+ (#v_SIMDUnit: Type0)
+ (v_SHIFT_BY: i32)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
Prims.l_True
(fun _ -> Prims.l_True)
@@ -31,36 +35,32 @@ val power2round_vector
Prims.l_True
(fun _ -> Prims.l_True)
-val shift_left_then_reduce
+val decompose_vector
(#v_SIMDUnit: Type0)
- (v_SHIFT_BY: i32)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (dimension: usize)
+ (gamma2: i32)
+ (t low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ : Prims.Pure
+ (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-val use_hint
+val make_hint
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
(gamma2: i32)
(hint: t_Slice (t_Array i32 (sz 256)))
- (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val vector_infinity_norm_exceeds
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (bound: i32)
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+ : Prims.Pure (t_Slice (t_Array i32 (sz 256)) & usize) Prims.l_True (fun _ -> Prims.l_True)
-val make_hint
+val use_hint
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (low high: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
(gamma2: i32)
(hint: t_Slice (t_Array i32 (sz 256)))
- : Prims.Pure (t_Slice (t_Array i32 (sz 256)) & usize) Prims.l_True (fun _ -> Prims.l_True)
+ (re_vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti
index 105a22c73..21cc9d4b9 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_44_.fsti
@@ -3,25 +3,25 @@ module Libcrux_ml_dsa.Constants.Ml_dsa_44_
open Core
open FStar.Mul
-let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6
-
-let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3
-
-let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18
+let v_ROWS_IN_A: usize = sz 4
let v_COLUMNS_IN_A: usize = sz 4
-let v_COMMITMENT_HASH_SIZE: usize = sz 32
-
let v_ETA: Libcrux_ml_dsa.Constants.t_Eta =
Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta
+let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3
+
let v_GAMMA1_EXPONENT: usize = sz 17
+let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l
+
+let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18
+
let v_MAX_ONES_IN_HINT: usize = sz 80
let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39
-let v_ROWS_IN_A: usize = sz 4
+let v_COMMITMENT_HASH_SIZE: usize = sz 32
-let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l
+let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti
index ac228b809..56d74fb95 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_65_.fsti
@@ -3,25 +3,25 @@ module Libcrux_ml_dsa.Constants.Ml_dsa_65_
open Core
open FStar.Mul
-let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4
-
-let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4
-
-let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20
+let v_ROWS_IN_A: usize = sz 6
let v_COLUMNS_IN_A: usize = sz 5
-let v_COMMITMENT_HASH_SIZE: usize = sz 48
-
let v_ETA: Libcrux_ml_dsa.Constants.t_Eta =
Libcrux_ml_dsa.Constants.Eta_Four <: Libcrux_ml_dsa.Constants.t_Eta
+let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4
+
let v_GAMMA1_EXPONENT: usize = sz 19
+let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l
+
+let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20
+
let v_MAX_ONES_IN_HINT: usize = sz 55
let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49
-let v_ROWS_IN_A: usize = sz 6
+let v_COMMITMENT_HASH_SIZE: usize = sz 48
-let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l
+let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti
index 30097ecf0..af828ef56 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.Ml_dsa_87_.fsti
@@ -3,25 +3,25 @@ module Libcrux_ml_dsa.Constants.Ml_dsa_87_
open Core
open FStar.Mul
-let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4
-
-let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3
-
-let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20
+let v_ROWS_IN_A: usize = sz 8
let v_COLUMNS_IN_A: usize = sz 7
-let v_COMMITMENT_HASH_SIZE: usize = sz 64
-
let v_ETA: Libcrux_ml_dsa.Constants.t_Eta =
Libcrux_ml_dsa.Constants.Eta_Two <: Libcrux_ml_dsa.Constants.t_Eta
+let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3
+
let v_GAMMA1_EXPONENT: usize = sz 19
+let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20
+
let v_MAX_ONES_IN_HINT: usize = sz 75
let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60
-let v_ROWS_IN_A: usize = sz 8
-
let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l
+
+let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4
+
+let v_COMMITMENT_HASH_SIZE: usize = sz 64
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst
index 34e40aa6e..42a5aa808 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst
@@ -8,6 +8,18 @@ let t_Eta_cast_to_repr (x: t_Eta) =
| Eta_Two -> discriminant_Eta_Two
| Eta_Four -> discriminant_Eta_Four
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Core.Clone.t_Clone t_Eta
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Marker.t_Copy t_Eta
+
+let impl_1 = impl_1'
+
let beta (ones_in_verifier_challenge: usize) (eta: t_Eta) =
let (eta_val: usize):usize =
match eta <: t_Eta with
@@ -16,30 +28,17 @@ let beta (ones_in_verifier_challenge: usize) (eta: t_Eta) =
in
cast (ones_in_verifier_challenge *! eta_val <: usize) <: i32
-let commitment_ring_element_size (bits_per_commitment_coefficient: usize) =
- (bits_per_commitment_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
-
-let commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) =
- (commitment_ring_element_size bits_per_commitment_coefficient <: usize) *! rows_in_a
-
let error_ring_element_size (bits_per_error_coefficient: usize) =
(bits_per_error_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
let gamma1_ring_element_size (bits_per_gamma1_coefficient: usize) =
(bits_per_gamma1_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
-let signature_size
- (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient:
- usize)
- =
- ((commitment_hash_size +!
- (columns_in_a *! (gamma1_ring_element_size bits_per_gamma1_coefficient <: usize) <: usize)
- <:
- usize) +!
- max_ones_in_hint
- <:
- usize) +!
- rows_in_a
+let commitment_ring_element_size (bits_per_commitment_coefficient: usize) =
+ (bits_per_commitment_coefficient *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
+
+let commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize) =
+ (commitment_ring_element_size bits_per_commitment_coefficient <: usize) *! rows_in_a
let signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize) =
(((v_SEED_FOR_A_SIZE +! v_SEED_FOR_SIGNING_SIZE <: usize) +! v_BYTES_FOR_VERIFICATION_KEY_HASH
@@ -60,14 +59,15 @@ let verification_key_size (rows_in_a: usize) =
<:
usize)
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl': Core.Clone.t_Clone t_Eta
-
-let impl = impl'
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl_1': Core.Marker.t_Copy t_Eta
-
-let impl_1 = impl_1'
+let signature_size
+ (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient:
+ usize)
+ =
+ ((commitment_hash_size +!
+ (columns_in_a *! (gamma1_ring_element_size bits_per_gamma1_coefficient <: usize) <: usize)
+ <:
+ usize) +!
+ max_ones_in_hint
+ <:
+ usize) +!
+ rows_in_a
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti
index 97e8a82d8..294c55f78 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti
@@ -3,69 +3,69 @@ module Libcrux_ml_dsa.Constants
open Core
open FStar.Mul
-let discriminant_Eta_Four: isize = isz 4
-
-/// Eta values
-type t_Eta =
- | Eta_Two : t_Eta
- | Eta_Four : t_Eta
+let v_FIELD_MODULUS: i32 = 8380417l
-let discriminant_Eta_Two: isize = isz 2
+let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256
-val t_Eta_cast_to_repr (x: t_Eta) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
+let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23
let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13
-let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64
-
-let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256
+let v_RING_ELEMENT_OF_T0S_SIZE: usize =
+ (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
-/// The length of `context` is serialized to a single `u8`.
-let v_CONTEXT_MAX_LEN: usize = sz 255
+let v_BITS_IN_UPPER_PART_OF_T: usize =
+ v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T
-let v_FIELD_MODULUS: i32 = 8380417l
+let v_RING_ELEMENT_OF_T1S_SIZE: usize =
+ (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
-let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23
+let v_SEED_FOR_A_SIZE: usize = sz 32
-let v_BITS_IN_UPPER_PART_OF_T: usize =
- v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T
+let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64
-let v_GAMMA2_V261_888_: i32 = 261888l
+let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64
-let v_GAMMA2_V95_232_: i32 = 95232l
+let v_SEED_FOR_SIGNING_SIZE: usize = sz 32
/// Number of bytes of entropy required for key generation.
let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = sz 32
-let v_MASK_SEED_SIZE: usize = sz 64
+/// Number of bytes of entropy required for signing.
+let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32
let v_MESSAGE_REPRESENTATIVE_SIZE: usize = sz 64
+let v_MASK_SEED_SIZE: usize = sz 64
+
let v_REJECTION_SAMPLE_BOUND_SIGN: usize = sz 814
-let v_RING_ELEMENT_OF_T0S_SIZE: usize =
- (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
+/// The length of `context` is serialized to a single `u8`.
+let v_CONTEXT_MAX_LEN: usize = sz 255
-let v_RING_ELEMENT_OF_T1S_SIZE: usize =
- (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8
+/// Eta values
+type t_Eta =
+ | Eta_Two : t_Eta
+ | Eta_Four : t_Eta
-let v_SEED_FOR_A_SIZE: usize = sz 32
+let discriminant_Eta_Two: isize = isz 2
-let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64
+let discriminant_Eta_Four: isize = isz 4
-let v_SEED_FOR_SIGNING_SIZE: usize = sz 32
+val t_Eta_cast_to_repr (x: t_Eta) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
-/// Number of bytes of entropy required for signing.
-let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_Eta
-val beta (ones_in_verifier_challenge: usize) (eta: t_Eta)
- : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_Eta
-val commitment_ring_element_size (bits_per_commitment_coefficient: usize)
- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+let v_GAMMA2_V261_888_: i32 = 261888l
-val commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize)
- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+let v_GAMMA2_V95_232_: i32 = 95232l
+
+val beta (ones_in_verifier_challenge: usize) (eta: t_Eta)
+ : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
val error_ring_element_size (bits_per_error_coefficient: usize)
: Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
@@ -73,9 +73,10 @@ val error_ring_element_size (bits_per_error_coefficient: usize)
val gamma1_ring_element_size (bits_per_gamma1_coefficient: usize)
: Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-val signature_size
- (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient:
- usize)
+val commitment_ring_element_size (bits_per_commitment_coefficient: usize)
+ : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+
+val commitment_vector_size (bits_per_commitment_coefficient rows_in_a: usize)
: Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
val signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize)
@@ -83,8 +84,7 @@ val signing_key_size (rows_in_a columns_in_a error_ring_element_size: usize)
val verification_key_size (rows_in_a: usize) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Core.Clone.t_Clone t_Eta
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Core.Marker.t_Copy t_Eta
+val signature_size
+ (rows_in_a columns_in_a max_ones_in_hint commitment_hash_size bits_per_gamma1_coefficient:
+ usize)
+ : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst
index b1c4bdc78..8f33d3386 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst
@@ -14,6 +14,56 @@ let chunk_size (eta: Libcrux_ml_dsa.Constants.t_Eta) =
| Libcrux_ml_dsa.Constants.Eta_Two -> sz 3
| Libcrux_ml_dsa.Constants.Eta_Four -> sz 4
+let serialize
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (eta: Libcrux_ml_dsa.Constants.t_Eta)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ =
+ let output_bytes_per_simd_unit:usize = chunk_size eta in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+ <:
+ t_Slice v_SIMDUnit)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+ ({
+ Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
+ Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ eta
+ simd_unit
+ (serialized.[ {
+ Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ serialized
+
let deserialize
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -117,53 +167,3 @@ let deserialize_to_vector_then_ntt
ring_elements)
in
ring_elements
-
-let serialize
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (eta: Libcrux_ml_dsa.Constants.t_Eta)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- =
- let output_bytes_per_simd_unit:usize = chunk_size eta in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
- <:
- t_Slice v_SIMDUnit)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({
- Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
- Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- eta
- simd_unit
- (serialized.[ {
- Core.Ops.Range.f_start = i *! output_bytes_per_simd_unit <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! output_bytes_per_simd_unit <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti
index 7fec31f61..8583a11e1 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti
@@ -12,6 +12,14 @@ let _ =
val chunk_size (eta: Libcrux_ml_dsa.Constants.t_Eta)
: Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+val serialize
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (eta: Libcrux_ml_dsa.Constants.t_Eta)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
val deserialize
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -32,11 +40,3 @@ val deserialize_to_vector_then_ntt
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-
-val serialize
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (eta: Libcrux_ml_dsa.Constants.t_Eta)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst
index fa942586c..979cd689c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst
@@ -9,6 +9,58 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+let serialize
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ (gamma1_exponent: usize)
+ =
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+ <:
+ t_Slice v_SIMDUnit)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+ ({
+ Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ simd_unit
+ (serialized.[ {
+ Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ gamma1_exponent
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ let _:Prims.unit = () <: Prims.unit in
+ serialized
+
let deserialize
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -63,55 +115,3 @@ let deserialize
in
let _:Prims.unit = () <: Prims.unit in
result
-
-let serialize
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- (gamma1_exponent: usize)
- =
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
- <:
- t_Slice v_SIMDUnit)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({
- Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- simd_unit
- (serialized.[ {
- Core.Ops.Range.f_start = i *! (gamma1_exponent +! sz 1 <: usize) <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! (gamma1_exponent +! sz 1 <: usize) <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- gamma1_exponent
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- in
- let _:Prims.unit = () <: Prims.unit in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti
index 20ee5e8bc..930566dc1 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti
@@ -9,6 +9,14 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+val serialize
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ (gamma1_exponent: usize)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
val deserialize
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -18,11 +26,3 @@ val deserialize
: Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
Prims.l_True
(fun _ -> Prims.l_True)
-
-val serialize
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- (gamma1_exponent: usize)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst
index 5eb1c72d7..e30292f5b 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst
@@ -9,6 +9,122 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+let serialize
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (commitment_hash: t_Slice u8)
+ (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (hint: t_Slice (t_Array i32 (sz 256)))
+ (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint:
+ usize)
+ (signature: t_Slice u8)
+ =
+ let offset:usize = sz 0 in
+ let signature:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature
+ ({
+ Core.Ops.Range.f_start = offset;
+ Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (signature.[ {
+ Core.Ops.Range.f_start = offset;
+ Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ commitment_hash
+ <:
+ t_Slice u8)
+ in
+ let offset:usize = offset +! commitment_hash_size in
+ let offset, signature:(usize & t_Slice u8) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ columns_in_a
+ (fun temp_0_ temp_1_ ->
+ let offset, signature:(usize & t_Slice u8) = temp_0_ in
+ let _:usize = temp_1_ in
+ true)
+ (offset, signature <: (usize & t_Slice u8))
+ (fun temp_0_ i ->
+ let offset, signature:(usize & t_Slice u8) = temp_0_ in
+ let i:usize = i in
+ let signature:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature
+ ({
+ Core.Ops.Range.f_start = offset;
+ Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit
+ (signer_response.[ i ]
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (signature.[ {
+ Core.Ops.Range.f_start = offset;
+ Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ gamma1_exponent
+ <:
+ t_Slice u8)
+ in
+ let offset:usize = offset +! gamma1_ring_element_size in
+ offset, signature <: (usize & t_Slice u8))
+ in
+ let true_hints_seen:usize = sz 0 in
+ let signature, true_hints_seen:(t_Slice u8 & usize) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ rows_in_a
+ (fun temp_0_ temp_1_ ->
+ let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
+ let _:usize = temp_1_ in
+ true)
+ (signature, true_hints_seen <: (t_Slice u8 & usize))
+ (fun temp_0_ i ->
+ let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
+ let i:usize = i in
+ let signature, true_hints_seen:(t_Slice u8 & usize) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #i32 (hint.[ i ] <: t_Slice i32) <: usize)
+ (fun temp_0_ temp_1_ ->
+ let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
+ let _:usize = temp_1_ in
+ true)
+ (signature, true_hints_seen <: (t_Slice u8 & usize))
+ (fun temp_0_ j ->
+ let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
+ let j:usize = j in
+ if ((hint.[ i ] <: t_Array i32 (sz 256)).[ j ] <: i32) =. 1l <: bool
+ then
+ let signature:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature
+ (offset +! true_hints_seen <: usize)
+ (cast (j <: usize) <: u8)
+ in
+ let true_hints_seen:usize = true_hints_seen +! sz 1 in
+ signature, true_hints_seen <: (t_Slice u8 & usize)
+ else signature, true_hints_seen <: (t_Slice u8 & usize))
+ in
+ let signature:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature
+ ((offset +! max_ones_in_hint <: usize) +! i <: usize)
+ (cast (true_hints_seen <: usize) <: u8)
+ in
+ signature, true_hints_seen <: (t_Slice u8 & usize))
+ in
+ signature
+
let set_hint (out_hint: t_Slice (t_Array i32 (sz 256))) (i j: usize) =
let out_hint:t_Slice (t_Array i32 (sz 256)) =
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out_hint
@@ -349,119 +465,3 @@ let deserialize
(t_Slice u8 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) &
t_Slice (t_Array i32 (sz 256)) &
Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
-
-let serialize
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (commitment_hash: t_Slice u8)
- (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (hint: t_Slice (t_Array i32 (sz 256)))
- (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint:
- usize)
- (signature: t_Slice u8)
- =
- let offset:usize = sz 0 in
- let signature:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature
- ({
- Core.Ops.Range.f_start = offset;
- Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (signature.[ {
- Core.Ops.Range.f_start = offset;
- Core.Ops.Range.f_end = offset +! commitment_hash_size <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- commitment_hash
- <:
- t_Slice u8)
- in
- let offset:usize = offset +! commitment_hash_size in
- let offset, signature:(usize & t_Slice u8) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- columns_in_a
- (fun temp_0_ temp_1_ ->
- let offset, signature:(usize & t_Slice u8) = temp_0_ in
- let _:usize = temp_1_ in
- true)
- (offset, signature <: (usize & t_Slice u8))
- (fun temp_0_ i ->
- let offset, signature:(usize & t_Slice u8) = temp_0_ in
- let i:usize = i in
- let signature:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature
- ({
- Core.Ops.Range.f_start = offset;
- Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit
- (signer_response.[ i ]
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (signature.[ {
- Core.Ops.Range.f_start = offset;
- Core.Ops.Range.f_end = offset +! gamma1_ring_element_size <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- gamma1_exponent
- <:
- t_Slice u8)
- in
- let offset:usize = offset +! gamma1_ring_element_size in
- offset, signature <: (usize & t_Slice u8))
- in
- let true_hints_seen:usize = sz 0 in
- let signature, true_hints_seen:(t_Slice u8 & usize) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- rows_in_a
- (fun temp_0_ temp_1_ ->
- let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
- let _:usize = temp_1_ in
- true)
- (signature, true_hints_seen <: (t_Slice u8 & usize))
- (fun temp_0_ i ->
- let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
- let i:usize = i in
- let signature, true_hints_seen:(t_Slice u8 & usize) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #i32 (hint.[ i ] <: t_Slice i32) <: usize)
- (fun temp_0_ temp_1_ ->
- let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
- let _:usize = temp_1_ in
- true)
- (signature, true_hints_seen <: (t_Slice u8 & usize))
- (fun temp_0_ j ->
- let signature, true_hints_seen:(t_Slice u8 & usize) = temp_0_ in
- let j:usize = j in
- if ((hint.[ i ] <: t_Array i32 (sz 256)).[ j ] <: i32) =. 1l <: bool
- then
- let signature:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature
- (offset +! true_hints_seen <: usize)
- (cast (j <: usize) <: u8)
- in
- let true_hints_seen:usize = true_hints_seen +! sz 1 in
- signature, true_hints_seen <: (t_Slice u8 & usize)
- else signature, true_hints_seen <: (t_Slice u8 & usize))
- in
- let signature:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature
- ((offset +! max_ones_in_hint <: usize) +! i <: usize)
- (cast (true_hints_seen <: usize) <: u8)
- in
- signature, true_hints_seen <: (t_Slice u8 & usize))
- in
- signature
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti
index 1e799b36e..0f71e5a8e 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti
@@ -9,6 +9,17 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+val serialize
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (commitment_hash: t_Slice u8)
+ (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (hint: t_Slice (t_Array i32 (sz 256)))
+ (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint:
+ usize)
+ (signature: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
val set_hint (out_hint: t_Slice (t_Array i32 (sz 256))) (i j: usize)
: Prims.Pure (t_Slice (t_Array i32 (sz 256))) Prims.l_True (fun _ -> Prims.l_True)
@@ -26,14 +37,3 @@ val deserialize
Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
Prims.l_True
(fun _ -> Prims.l_True)
-
-val serialize
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (commitment_hash: t_Slice u8)
- (signer_response: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (hint: t_Slice (t_Array i32 (sz 256)))
- (commitment_hash_size columns_in_a rows_in_a gamma1_exponent gamma1_ring_element_size max_ones_in_hint:
- usize)
- (signature: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst
index 4b0b93667..de9f50064 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst
@@ -9,6 +9,53 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+let serialize
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ =
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+ <:
+ t_Slice v_SIMDUnit)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+ ({
+ Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
+ Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ simd_unit
+ (serialized.[ {
+ Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ serialized
+
let deserialize
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -108,50 +155,3 @@ let deserialize_to_vector_then_ntt
ring_elements)
in
ring_elements
-
-let serialize
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- =
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
- <:
- t_Slice v_SIMDUnit)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({
- Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
- Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- simd_unit
- (serialized.[ {
- Core.Ops.Range.f_start = i *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! v_OUTPUT_BYTES_PER_SIMD_UNIT <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti
index 3e1291df0..fe66090f9 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti
@@ -11,6 +11,13 @@ let _ =
let v_OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13
+val serialize
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
val deserialize
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -28,10 +35,3 @@ val deserialize_to_vector_then_ntt
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-
-val serialize
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst
index 1b47121ee..be43c8a94 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst
@@ -9,6 +9,55 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+let serialize
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ =
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
+ <:
+ t_Slice v_SIMDUnit)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+ ({
+ Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ simd_unit
+ (serialized.[ {
+ Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ serialized
+
let deserialize
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -58,52 +107,3 @@ let deserialize
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
in
result
-
-let serialize
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- =
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units
- <:
- t_Slice v_SIMDUnit)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({
- Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- simd_unit
- (serialized.[ {
- Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti
index 26d77dadf..94a093522 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti
@@ -9,10 +9,17 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let deserialize__WINDOW: usize = sz 10
-
let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10
+val serialize
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+let deserialize__WINDOW: usize = sz 10
+
val deserialize
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -21,10 +28,3 @@ val deserialize
: Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
Prims.l_True
(fun _ -> Prims.l_True)
-
-val serialize
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst
index dc840bd86..ac1140b5d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst
@@ -9,62 +9,6 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let deserialize
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (rows_in_a verification_key_size: usize)
- (serialized: t_Slice u8)
- (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =.
- (verification_key_size -! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize)
- <:
- bool)
- in
- ()
- in
- let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- rows_in_a
- (fun t1 temp_1_ ->
- let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in
- let _:usize = temp_1_ in
- true)
- t1
- (fun t1 i ->
- let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1
- i
- (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit
- (serialized.[ {
- Core.Ops.Range.f_start
- =
- i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE
- <:
- usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- in
- t1
-
let generate_serialized
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -140,3 +84,59 @@ let generate_serialized
verification_key_serialized)
in
verification_key_serialized
+
+let deserialize
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (rows_in_a verification_key_size: usize)
+ (serialized: t_Slice u8)
+ (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =.
+ (verification_key_size -! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize)
+ <:
+ bool)
+ in
+ ()
+ in
+ let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ rows_in_a
+ (fun t1 temp_1_ ->
+ let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in
+ let _:usize = temp_1_ in
+ true)
+ t1
+ (fun t1 i ->
+ let t1:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = t1 in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1
+ i
+ (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit
+ (serialized.[ {
+ Core.Ops.Range.f_start
+ =
+ i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE
+ <:
+ usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ in
+ t1
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti
index 0f2375cef..7c4a29d36 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti
@@ -9,6 +9,14 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+val generate_serialized
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (seed: t_Slice u8)
+ (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (verification_key_serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
val deserialize
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -18,11 +26,3 @@ val deserialize
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-
-val generate_serialized
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (seed: t_Slice u8)
- (t1: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (verification_key_serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst
index 7d78d62f2..50757003f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst
@@ -9,31 +9,48 @@ val t_Shake128x4': eqtype
let t_Shake128x4 = t_Shake128x4'
assume
-val t_Shake256x4': eqtype
+val init_absorb':
+ input0: t_Slice u8 ->
+ input1: t_Slice u8 ->
+ input2: t_Slice u8 ->
+ input3: t_Slice u8
+ -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
-let t_Shake256x4 = t_Shake256x4'
+let init_absorb = init_absorb'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
+val squeeze_first_five_blocks':
+ state: t_Shake128x4 ->
+ out0: t_Array u8 (sz 840) ->
+ out1: t_Array u8 (sz 840) ->
+ out2: t_Array u8 (sz 840) ->
+ out3: t_Array u8 (sz 840)
+ -> Prims.Pure
+ (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-let impl = impl'
+let squeeze_first_five_blocks = squeeze_first_five_blocks'
+
+assume
+val squeeze_next_block': state: t_Shake128x4
+ -> Prims.Pure
+ (t_Shake128x4 &
+ (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+let squeeze_next_block = squeeze_next_block'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
+val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
-let impl_1 = impl_1'
+let impl = impl'
assume
-val init_absorb':
- input0: t_Slice u8 ->
- input1: t_Slice u8 ->
- input2: t_Slice u8 ->
- input3: t_Slice u8
- -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
+val t_Shake256x4': eqtype
-let init_absorb = init_absorb'
+let t_Shake256x4 = t_Shake256x4'
assume
val init_absorb_x4':
@@ -45,24 +62,6 @@ val init_absorb_x4':
let init_absorb_x4 = init_absorb_x4'
-assume
-val shake256_x4':
- v_OUT_LEN: usize ->
- input0: t_Slice u8 ->
- input1: t_Slice u8 ->
- input2: t_Slice u8 ->
- input3: t_Slice u8 ->
- out0: t_Array u8 v_OUT_LEN ->
- out1: t_Array u8 v_OUT_LEN ->
- out2: t_Array u8 v_OUT_LEN ->
- out3: t_Array u8 v_OUT_LEN
- -> Prims.Pure
- (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN
-
assume
val squeeze_first_block_x4': state: t_Shake256x4
-> Prims.Pure
@@ -74,34 +73,35 @@ val squeeze_first_block_x4': state: t_Shake256x4
let squeeze_first_block_x4 = squeeze_first_block_x4'
assume
-val squeeze_first_five_blocks':
- state: t_Shake128x4 ->
- out0: t_Array u8 (sz 840) ->
- out1: t_Array u8 (sz 840) ->
- out2: t_Array u8 (sz 840) ->
- out3: t_Array u8 (sz 840)
+val squeeze_next_block_x4': state: t_Shake256x4
-> Prims.Pure
- (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
+ (t_Shake256x4 &
+ (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-let squeeze_first_five_blocks = squeeze_first_five_blocks'
+let squeeze_next_block_x4 = squeeze_next_block_x4'
assume
-val squeeze_next_block': state: t_Shake128x4
+val shake256_x4':
+ v_OUT_LEN: usize ->
+ input0: t_Slice u8 ->
+ input1: t_Slice u8 ->
+ input2: t_Slice u8 ->
+ input3: t_Slice u8 ->
+ out0: t_Array u8 v_OUT_LEN ->
+ out1: t_Array u8 v_OUT_LEN ->
+ out2: t_Array u8 v_OUT_LEN ->
+ out3: t_Array u8 v_OUT_LEN
-> Prims.Pure
- (t_Shake128x4 &
- (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
Prims.l_True
(fun _ -> Prims.l_True)
-let squeeze_next_block = squeeze_next_block'
+let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN
+[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val squeeze_next_block_x4': state: t_Shake256x4
- -> Prims.Pure
- (t_Shake256x4 &
- (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
- Prims.l_True
- (fun _ -> Prims.l_True)
+val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
-let squeeze_next_block_x4 = squeeze_next_block_x4'
+let impl_1 = impl_1'
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
index d27a20455..27c84e31f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
@@ -5,31 +5,31 @@ open FStar.Mul
val t_Shake128x4:eqtype
-/// Neon SHAKE 256 x4 state
-val t_Shake256x4:eqtype
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
-
/// Init the state and absorb 4 blocks in parallel.
val init_absorb (input0 input1 input2 input3: t_Slice u8)
: Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
-val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
- : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840))
+ : Prims.Pure
+ (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-val shake256_x4
- (v_OUT_LEN: usize)
- (input0 input1 input2 input3: t_Slice u8)
- (out0 out1 out2 out3: t_Array u8 v_OUT_LEN)
+val squeeze_next_block (state: t_Shake128x4)
: Prims.Pure
- (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
+ (t_Shake128x4 &
+ (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
Prims.l_True
(fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
+
+/// Neon SHAKE 256 x4 state
+val t_Shake256x4:eqtype
+
+val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
+ : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
+
val squeeze_first_block_x4 (state: t_Shake256x4)
: Prims.Pure
(t_Shake256x4 &
@@ -37,21 +37,21 @@ val squeeze_first_block_x4 (state: t_Shake256x4)
Prims.l_True
(fun _ -> Prims.l_True)
-val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840))
- : Prims.Pure
- (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-
-val squeeze_next_block (state: t_Shake128x4)
+val squeeze_next_block_x4 (state: t_Shake256x4)
: Prims.Pure
- (t_Shake128x4 &
- (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ (t_Shake256x4 &
+ (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
Prims.l_True
(fun _ -> Prims.l_True)
-val squeeze_next_block_x4 (state: t_Shake256x4)
+val shake256_x4
+ (v_OUT_LEN: usize)
+ (input0 input1 input2 input3: t_Slice u8)
+ (out0 out1 out2 out3: t_Array u8 v_OUT_LEN)
: Prims.Pure
- (t_Shake256x4 &
- (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+ (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
Prims.l_True
(fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
index 4d34ec255..41c295b79 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst
@@ -3,30 +3,43 @@ module Libcrux_ml_dsa.Hash_functions.Portable
open Core
open FStar.Mul
-assume
-val t_Shake128': eqtype
-
-let t_Shake128 = t_Shake128'
-
assume
val t_Shake128X4': eqtype
let t_Shake128X4 = t_Shake128X4'
assume
-val t_Shake256': eqtype
+val init_absorb':
+ input0: t_Slice u8 ->
+ input1: t_Slice u8 ->
+ input2: t_Slice u8 ->
+ input3: t_Slice u8
+ -> Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True)
-let t_Shake256 = t_Shake256'
+let init_absorb = init_absorb'
assume
-val t_Shake256X4': eqtype
+val squeeze_first_five_blocks':
+ state: t_Shake128X4 ->
+ out0: t_Array u8 (sz 840) ->
+ out1: t_Array u8 (sz 840) ->
+ out2: t_Array u8 (sz 840) ->
+ out3: t_Array u8 (sz 840)
+ -> Prims.Pure
+ (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-let t_Shake256X4 = t_Shake256X4'
+let squeeze_first_five_blocks = squeeze_first_five_blocks'
assume
-val t_Shake256Xof': eqtype
+val squeeze_next_block': state: t_Shake128X4
+ -> Prims.Pure
+ (t_Shake128X4 &
+ (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-let t_Shake256Xof = t_Shake256Xof'
+let squeeze_next_block = squeeze_next_block'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
@@ -34,39 +47,33 @@ val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4
let impl = impl'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_1': Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128
+val t_Shake128': eqtype
-let impl_1 = impl_1'
+let t_Shake128 = t_Shake128'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
+val shake128': input: t_Slice u8 -> out: t_Slice u8
+ -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-let impl_2 = impl_2'
+let shake128 = shake128'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_3': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4
+val impl_1': Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128
-let impl_3 = impl_3'
+let impl_1 = impl_1'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_4': Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof
+val t_Shake256': eqtype
-let impl_4 = impl_4'
+let t_Shake256 = t_Shake256'
assume
-val init_absorb':
- input0: t_Slice u8 ->
- input1: t_Slice u8 ->
- input2: t_Slice u8 ->
- input3: t_Slice u8
- -> Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True)
+val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
+ -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
-let init_absorb = init_absorb'
+let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH
assume
val init_absorb_final_shake256': input: t_Slice u8
@@ -75,32 +82,37 @@ val init_absorb_final_shake256': input: t_Slice u8
let init_absorb_final_shake256 = init_absorb_final_shake256'
assume
-val init_absorb_x4':
- input0: t_Slice u8 ->
- input1: t_Slice u8 ->
- input2: t_Slice u8 ->
- input3: t_Slice u8
- -> Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_first_block_shake256': state: t_Shake256
+ -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-let init_absorb_x4 = init_absorb_x4'
+let squeeze_first_block_shake256 = squeeze_first_block_shake256'
assume
-val shake128': input: t_Slice u8 -> out: t_Slice u8
- -> Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_next_block_shake256': state: t_Shake256
+ -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-let shake128 = shake128'
+let squeeze_next_block_shake256 = squeeze_next_block_shake256'
+[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
- -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
-let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH
+let impl_2 = impl_2'
assume
-val squeeze_first_block_shake256': state: t_Shake256
- -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+val t_Shake256X4': eqtype
-let squeeze_first_block_shake256 = squeeze_first_block_shake256'
+let t_Shake256X4 = t_Shake256X4'
+
+assume
+val init_absorb_x4':
+ input0: t_Slice u8 ->
+ input1: t_Slice u8 ->
+ input2: t_Slice u8 ->
+ input3: t_Slice u8
+ -> Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb_x4 = init_absorb_x4'
assume
val squeeze_first_block_x4': state: t_Shake256X4
@@ -113,40 +125,28 @@ val squeeze_first_block_x4': state: t_Shake256X4
let squeeze_first_block_x4 = squeeze_first_block_x4'
assume
-val squeeze_first_five_blocks':
- state: t_Shake128X4 ->
- out0: t_Array u8 (sz 840) ->
- out1: t_Array u8 (sz 840) ->
- out2: t_Array u8 (sz 840) ->
- out3: t_Array u8 (sz 840)
+val squeeze_next_block_x4': state: t_Shake256X4
-> Prims.Pure
- (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
+ (t_Shake256X4 &
+ (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-let squeeze_first_five_blocks = squeeze_first_five_blocks'
+let squeeze_next_block_x4 = squeeze_next_block_x4'
+[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val squeeze_next_block': state: t_Shake128X4
- -> Prims.Pure
- (t_Shake128X4 &
- (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
- Prims.l_True
- (fun _ -> Prims.l_True)
+val impl_3': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4
-let squeeze_next_block = squeeze_next_block'
+let impl_3 = impl_3'
assume
-val squeeze_next_block_shake256': state: t_Shake256
- -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+val t_Shake256Xof': eqtype
-let squeeze_next_block_shake256 = squeeze_next_block_shake256'
+let t_Shake256Xof = t_Shake256Xof'
+[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val squeeze_next_block_x4': state: t_Shake256X4
- -> Prims.Pure
- (t_Shake256X4 &
- (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
- Prims.l_True
- (fun _ -> Prims.l_True)
+val impl_4': Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof
-let squeeze_next_block_x4 = squeeze_next_block_x4'
+let impl_4 = impl_4'
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
index 3fc96890c..226520e52 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
@@ -3,53 +3,60 @@ module Libcrux_ml_dsa.Hash_functions.Portable
open Core
open FStar.Mul
-/// Portable SHAKE 128 state
-val t_Shake128:eqtype
-
/// Portable SHAKE 128 x4 state.
/// We\'re using a portable implementation so this is actually sequential.
val t_Shake128X4:eqtype
-/// Portable SHAKE 256 state
-val t_Shake256:eqtype
+val init_absorb (input0 input1 input2 input3: t_Slice u8)
+ : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True)
-/// Portable SHAKE 256 x4 state.
-/// We\'re using a portable implementation so this is actually sequential.
-val t_Shake256X4:eqtype
+val squeeze_first_five_blocks (state: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840))
+ : Prims.Pure
+ (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-val t_Shake256Xof:eqtype
+val squeeze_next_block (state: t_Shake128X4)
+ : Prims.Pure
+ (t_Shake128X4 &
+ (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128
+/// Portable SHAKE 128 state
+val t_Shake128:eqtype
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
+val shake128 (input out: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_3:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4
+val impl_1:Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_4:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof
+/// Portable SHAKE 256 state
+val t_Shake256:eqtype
-val init_absorb (input0 input1 input2 input3: t_Slice u8)
- : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True)
+val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
+ : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
val init_absorb_final_shake256 (input: t_Slice u8)
: Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True)
-val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
- : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_first_block_shake256 (state: t_Shake256)
+ : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-val shake128 (input out: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_next_block_shake256 (state: t_Shake256)
+ : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
- : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
-val squeeze_first_block_shake256 (state: t_Shake256)
- : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+/// Portable SHAKE 256 x4 state.
+/// We\'re using a portable implementation so this is actually sequential.
+val t_Shake256X4:eqtype
+
+val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
+ : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True)
val squeeze_first_block_x4 (state: t_Shake256X4)
: Prims.Pure
@@ -58,24 +65,17 @@ val squeeze_first_block_x4 (state: t_Shake256X4)
Prims.l_True
(fun _ -> Prims.l_True)
-val squeeze_first_five_blocks (state: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840))
- : Prims.Pure
- (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-
-val squeeze_next_block (state: t_Shake128X4)
- : Prims.Pure
- (t_Shake128X4 &
- (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val squeeze_next_block_shake256 (state: t_Shake256)
- : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-
val squeeze_next_block_x4 (state: t_Shake256X4)
: Prims.Pure
(t_Shake256X4 &
(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
Prims.l_True
(fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_3:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4
+
+val t_Shake256Xof:eqtype
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_4:Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256Xof
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti
index 67503f772..bf88da53a 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti
@@ -3,6 +3,10 @@ module Libcrux_ml_dsa.Hash_functions.Shake128
open Core
open FStar.Mul
+let v_BLOCK_SIZE: usize = sz 168
+
+let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! sz 5
+
class t_Xof (v_Self: Type0) = {
f_shake128_pre:t_Slice u8 -> t_Slice u8 -> Type0;
f_shake128_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0;
@@ -59,7 +63,3 @@ class t_XofX4 (v_Self: Type0) = {
(f_squeeze_next_block_pre x0)
(fun result -> f_squeeze_next_block_post x0 result)
}
-
-let v_BLOCK_SIZE: usize = sz 168
-
-let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! sz 5
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
index de5a31b65..486426747 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
@@ -3,6 +3,8 @@ module Libcrux_ml_dsa.Hash_functions.Shake256
open Core
open FStar.Mul
+let v_BLOCK_SIZE: usize = sz 136
+
/// An ML-DSA specific Xof trait
/// This trait is not actually a full Xof implementation but opererates only
/// on multiple of blocks. The only real Xof API for SHAKE256 is [`Xof`].
@@ -38,27 +40,6 @@ class t_DsaXof (v_Self: Type0) = {
(fun result -> f_squeeze_next_block_post x0 result)
}
-/// A generic Xof trait
-class t_Xof (v_Self: Type0) = {
- f_init_pre:Prims.unit -> Type0;
- f_init_post:Prims.unit -> v_Self -> Type0;
- f_init:x0: Prims.unit -> Prims.Pure v_Self (f_init_pre x0) (fun result -> f_init_post x0 result);
- f_absorb_pre:v_Self -> t_Slice u8 -> Type0;
- f_absorb_post:v_Self -> t_Slice u8 -> v_Self -> Type0;
- f_absorb:x0: v_Self -> x1: t_Slice u8
- -> Prims.Pure v_Self (f_absorb_pre x0 x1) (fun result -> f_absorb_post x0 x1 result);
- f_absorb_final_pre:v_Self -> t_Slice u8 -> Type0;
- f_absorb_final_post:v_Self -> t_Slice u8 -> v_Self -> Type0;
- f_absorb_final:x0: v_Self -> x1: t_Slice u8
- -> Prims.Pure v_Self (f_absorb_final_pre x0 x1) (fun result -> f_absorb_final_post x0 x1 result);
- f_squeeze_pre:v_Self -> t_Slice u8 -> Type0;
- f_squeeze_post:v_Self -> t_Slice u8 -> (v_Self & t_Slice u8) -> Type0;
- f_squeeze:x0: v_Self -> x1: t_Slice u8
- -> Prims.Pure (v_Self & t_Slice u8)
- (f_squeeze_pre x0 x1)
- (fun result -> f_squeeze_post x0 x1 result)
-}
-
class t_XofX4 (v_Self: Type0) = {
f_init_absorb_x4_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0;
f_init_absorb_x4_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0;
@@ -129,4 +110,23 @@ class t_XofX4 (v_Self: Type0) = {
(fun result -> f_shake256_x4_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result)
}
-let v_BLOCK_SIZE: usize = sz 136
+/// A generic Xof trait
+class t_Xof (v_Self: Type0) = {
+ f_init_pre:Prims.unit -> Type0;
+ f_init_post:Prims.unit -> v_Self -> Type0;
+ f_init:x0: Prims.unit -> Prims.Pure v_Self (f_init_pre x0) (fun result -> f_init_post x0 result);
+ f_absorb_pre:v_Self -> t_Slice u8 -> Type0;
+ f_absorb_post:v_Self -> t_Slice u8 -> v_Self -> Type0;
+ f_absorb:x0: v_Self -> x1: t_Slice u8
+ -> Prims.Pure v_Self (f_absorb_pre x0 x1) (fun result -> f_absorb_post x0 x1 result);
+ f_absorb_final_pre:v_Self -> t_Slice u8 -> Type0;
+ f_absorb_final_post:v_Self -> t_Slice u8 -> v_Self -> Type0;
+ f_absorb_final:x0: v_Self -> x1: t_Slice u8
+ -> Prims.Pure v_Self (f_absorb_final_pre x0 x1) (fun result -> f_absorb_final_post x0 x1 result);
+ f_squeeze_pre:v_Self -> t_Slice u8 -> Type0;
+ f_squeeze_post:v_Self -> t_Slice u8 -> (v_Self & t_Slice u8) -> Type0;
+ f_squeeze:x0: v_Self -> x1: t_Slice u8
+ -> Prims.Pure (v_Self & t_Slice u8)
+ (f_squeeze_pre x0 x1)
+ (fun result -> f_squeeze_post x0 x1 result)
+}
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst
index fe67aa9fc..2c27cc72d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fst
@@ -9,42 +9,54 @@ val t_Shake128x4': eqtype
let t_Shake128x4 = t_Shake128x4'
assume
-val t_Shake256': eqtype
+val init_absorb':
+ input0: t_Slice u8 ->
+ input1: t_Slice u8 ->
+ input2: t_Slice u8 ->
+ input3: t_Slice u8
+ -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
-let t_Shake256 = t_Shake256'
+let init_absorb = init_absorb'
assume
-val t_Shake256x4': eqtype
+val squeeze_first_five_blocks':
+ state: t_Shake128x4 ->
+ out0: t_Array u8 (sz 840) ->
+ out1: t_Array u8 (sz 840) ->
+ out2: t_Array u8 (sz 840) ->
+ out3: t_Array u8 (sz 840)
+ -> Prims.Pure
+ (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-let t_Shake256x4 = t_Shake256x4'
+let squeeze_first_five_blocks = squeeze_first_five_blocks'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
+val squeeze_next_block': state: t_Shake128x4
+ -> Prims.Pure
+ (t_Shake128x4 &
+ (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-let impl = impl'
+let squeeze_next_block = squeeze_next_block'
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
+val impl': Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
-let impl_1 = impl_1'
+let impl = impl'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
+val t_Shake256': eqtype
-let impl_2 = impl_2'
+let t_Shake256 = t_Shake256'
assume
-val init_absorb':
- input0: t_Slice u8 ->
- input1: t_Slice u8 ->
- input2: t_Slice u8 ->
- input3: t_Slice u8
- -> Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
+val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
+ -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
-let init_absorb = init_absorb'
+let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH
assume
val init_absorb_final_shake256': input: t_Slice u8
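Review bot: Every AVX2 SHAKE entry point in this hunk is an `assume val` whose pre- and postcondition are both `Prims.l_True` (`init_absorb'`, `squeeze_first_five_blocks'`, `squeeze_next_block'`, `shake256'`), so F* treats the SIMD hashing as an axiom and proves nothing about its output — not even that `shake256'` fills its `t_Array u8 v_OUTPUT_LENGTH` consistently with the portable `shake256` declared in Libcrux_ml_dsa.Hash_functions.Portable. That puts the AVX2 SHAKE code in the trusted base of the ML-DSA proof, which may be intended but is nowhere stated in the extracted module. Since the file looks hax-generated, I would record it where it survives regeneration, presumably the Rust module or the proof README, with a note along the lines of `// Proof note: the AVX2 SHAKE primitives are axiomatized in the F* extraction (assume val with trivial specs); they are trusted, not verified.` The `init_absorb_final_shake256'` declaration closing this hunk continues outside it.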
@@ -53,44 +65,37 @@ val init_absorb_final_shake256': input: t_Slice u8
let init_absorb_final_shake256 = init_absorb_final_shake256'
assume
-val init_absorb_x4':
- input0: t_Slice u8 ->
- input1: t_Slice u8 ->
- input2: t_Slice u8 ->
- input3: t_Slice u8
- -> Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_first_block_shake256': state: t_Shake256
+ -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-let init_absorb_x4 = init_absorb_x4'
+let squeeze_first_block_shake256 = squeeze_first_block_shake256'
assume
-val shake256': v_OUTPUT_LENGTH: usize -> input: t_Slice u8 -> out: t_Array u8 v_OUTPUT_LENGTH
- -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_next_block_shake256': state: t_Shake256
+ -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-let shake256 (v_OUTPUT_LENGTH: usize) = shake256' v_OUTPUT_LENGTH
+let squeeze_next_block_shake256 = squeeze_next_block_shake256'
+[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val shake256_x4':
- v_OUT_LEN: usize ->
- input0: t_Slice u8 ->
- input1: t_Slice u8 ->
- input2: t_Slice u8 ->
- input3: t_Slice u8 ->
- out0: t_Array u8 v_OUT_LEN ->
- out1: t_Array u8 v_OUT_LEN ->
- out2: t_Array u8 v_OUT_LEN ->
- out3: t_Array u8 v_OUT_LEN
- -> Prims.Pure
- (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
- Prims.l_True
- (fun _ -> Prims.l_True)
+val impl_1': Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
-let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN
+let impl_1 = impl_1'
assume
-val squeeze_first_block_shake256': state: t_Shake256
- -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+val t_Shake256x4': eqtype
-let squeeze_first_block_shake256 = squeeze_first_block_shake256'
+let t_Shake256x4 = t_Shake256x4'
+
+assume
+val init_absorb_x4':
+ input0: t_Slice u8 ->
+ input1: t_Slice u8 ->
+ input2: t_Slice u8 ->
+ input3: t_Slice u8
+ -> Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
+
+let init_absorb_x4 = init_absorb_x4'
assume
val squeeze_first_block_x4': state: t_Shake256x4
@@ -103,40 +108,35 @@ val squeeze_first_block_x4': state: t_Shake256x4
let squeeze_first_block_x4 = squeeze_first_block_x4'
assume
-val squeeze_first_five_blocks':
- state: t_Shake128x4 ->
- out0: t_Array u8 (sz 840) ->
- out1: t_Array u8 (sz 840) ->
- out2: t_Array u8 (sz 840) ->
- out3: t_Array u8 (sz 840)
+val squeeze_next_block_x4': state: t_Shake256x4
-> Prims.Pure
- (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
+ (t_Shake256x4 &
+ (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-let squeeze_first_five_blocks = squeeze_first_five_blocks'
+let squeeze_next_block_x4 = squeeze_next_block_x4'
assume
-val squeeze_next_block': state: t_Shake128x4
+val shake256_x4':
+ v_OUT_LEN: usize ->
+ input0: t_Slice u8 ->
+ input1: t_Slice u8 ->
+ input2: t_Slice u8 ->
+ input3: t_Slice u8 ->
+ out0: t_Array u8 v_OUT_LEN ->
+ out1: t_Array u8 v_OUT_LEN ->
+ out2: t_Array u8 v_OUT_LEN ->
+ out3: t_Array u8 v_OUT_LEN
-> Prims.Pure
- (t_Shake128x4 &
- (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
Prims.l_True
(fun _ -> Prims.l_True)
-let squeeze_next_block = squeeze_next_block'
-
-assume
-val squeeze_next_block_shake256': state: t_Shake256
- -> Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-
-let squeeze_next_block_shake256 = squeeze_next_block_shake256'
+let shake256_x4 (v_OUT_LEN: usize) = shake256_x4' v_OUT_LEN
+[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val squeeze_next_block_x4': state: t_Shake256x4
- -> Prims.Pure
- (t_Shake256x4 &
- (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
- Prims.l_True
- (fun _ -> Prims.l_True)
+val impl_2': Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
-let squeeze_next_block_x4 = squeeze_next_block_x4'
+let impl_2 = impl_2'
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
index 109c7ccf9..efb4f88de 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
@@ -8,45 +8,48 @@ open FStar.Mul
/// version is used.
val t_Shake128x4:eqtype
-/// AVX2 SHAKE 256 state
-val t_Shake256:eqtype
+/// Init the state and absorb 4 blocks in parallel.
+val init_absorb (input0 input1 input2 input3: t_Slice u8)
+ : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
-/// AVX2 SHAKE 256 x4 state.
-val t_Shake256x4:eqtype
+val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840))
+ : Prims.Pure
+ (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
+val squeeze_next_block (state: t_Shake128x4)
+ : Prims.Pure
+ (t_Shake128x4 &
+ (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
+val impl:Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
+/// AVX2 SHAKE 256 state
+val t_Shake256:eqtype
-/// Init the state and absorb 4 blocks in parallel.
-val init_absorb (input0 input1 input2 input3: t_Slice u8)
- : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True)
+val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
+ : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
val init_absorb_final_shake256 (input: t_Slice u8)
: Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True)
-val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
- : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_first_block_shake256 (state: t_Shake256)
+ : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH)
- : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True)
+val squeeze_next_block_shake256 (state: t_Shake256)
+ : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-val shake256_x4
- (v_OUT_LEN: usize)
- (input0 input1 input2 input3: t_Slice u8)
- (out0 out1 out2 out3: t_Array u8 v_OUT_LEN)
- : Prims.Pure
- (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
- Prims.l_True
- (fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof t_Shake256
-val squeeze_first_block_shake256 (state: t_Shake256)
- : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
+/// AVX2 SHAKE 256 x4 state.
+val t_Shake256x4:eqtype
+
+val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8)
+ : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True)
val squeeze_first_block_x4 (state: t_Shake256x4)
: Prims.Pure
@@ -55,24 +58,21 @@ val squeeze_first_block_x4 (state: t_Shake256x4)
Prims.l_True
(fun _ -> Prims.l_True)
-val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840))
- : Prims.Pure
- (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True)
-
-val squeeze_next_block (state: t_Shake128x4)
+val squeeze_next_block_x4 (state: t_Shake256x4)
: Prims.Pure
- (t_Shake128x4 &
- (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
+ (t_Shake256x4 &
+ (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
Prims.l_True
(fun _ -> Prims.l_True)
-val squeeze_next_block_shake256 (state: t_Shake256)
- : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True)
-
-val squeeze_next_block_x4 (state: t_Shake256x4)
+val shake256_x4
+ (v_OUT_LEN: usize)
+ (input0 input1 input2 input3: t_Slice u8)
+ (out0 out1 out2 out3: t_Array u8 v_OUT_LEN)
: Prims.Pure
- (t_Shake256x4 &
- (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+ (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN)
Prims.l_True
(fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
index 78a4705b7..74ad30218 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
@@ -9,83 +9,6 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let vector_times_ring_element
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- =
- let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) vector
- <:
- usize)
- (fun vector temp_1_ ->
- let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- vector
- in
- let _:usize = temp_1_ in
- true)
- vector
- (fun vector i ->
- let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- vector
- in
- let i:usize = i in
- let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector
- i
- (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit
- (vector.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- ring_element
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- in
- let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector
- i
- (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit
- (vector.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- in
- vector)
- in
- vector
-
-let add_vectors
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (dimension: usize)
- (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- =
- let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- dimension
- (fun lhs temp_1_ ->
- let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
- let _:usize = temp_1_ in
- true)
- lhs
- (fun lhs i ->
- let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
- i
- (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit
- (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- in
- lhs
-
let compute_as1_plus_s2
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -263,6 +186,114 @@ let compute_matrix_x_mask
in
result
+let vector_times_ring_element
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ =
+ let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) vector
+ <:
+ usize)
+ (fun vector temp_1_ ->
+ let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ vector
+ in
+ let _:usize = temp_1_ in
+ true)
+ vector
+ (fun vector i ->
+ let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ vector
+ in
+ let i:usize = i in
+ let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector
+ i
+ (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit
+ (vector.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ ring_element
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ in
+ let vector:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector
+ i
+ (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit
+ (vector.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ in
+ vector)
+ in
+ vector
+
+let add_vectors
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (dimension: usize)
+ (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ =
+ let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ dimension
+ (fun lhs temp_1_ ->
+ let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
+ let _:usize = temp_1_ in
+ true)
+ lhs
+ (fun lhs i ->
+ let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
+ i
+ (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit
+ (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ in
+ lhs
+
+let subtract_vectors
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (dimension: usize)
+ (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ =
+ let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ dimension
+ (fun lhs temp_1_ ->
+ let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
+ let _:usize = temp_1_ in
+ true)
+ lhs
+ (fun lhs i ->
+ let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
+ i
+ (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit
+ (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ in
+ lhs
+
let compute_w_approx
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
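Review bot: `add_vectors` and `subtract_vectors` read `lhs.[ i ]` and `rhs.[ i ]` for every `i < dimension`, but `dimension` is an independent argument, the fold invariant is the constant `true`, and the Matrix.fsti signatures in this same diff give both functions a `Prims.l_True` precondition, so nothing ties `dimension` to the lengths of `lhs` and `rhs`. `vector_times_ring_element`, moved in the same hunk, avoids the issue by bounding its loop with `Core.Slice.impl__len vector`. If these modules are meant to be verified rather than lax-checked, the bound has to come from the Rust source as a `hax_lib::requires`, which would extract to something like `(requires v dimension <= Seq.length lhs /\ v dimension <= Seq.length rhs)`; if the assumption is deliberately left to callers, a comment on the Rust functions stating that `dimension` must not exceed either slice length would at least make the trusted condition explicit. `compute_w_approx`, whose header closes this hunk, continues outside it.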
@@ -363,34 +394,3 @@ let compute_w_approx
t1)
in
t1
-
-let subtract_vectors
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (dimension: usize)
- (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- =
- let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- dimension
- (fun lhs temp_1_ ->
- let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
- let _:usize = temp_1_ in
- true)
- lhs
- (fun lhs i ->
- let lhs:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = lhs in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
- i
- (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit
- (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- in
- lhs
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti
index 69baf07d6..a8266bbcb 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti
@@ -9,41 +9,50 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-val vector_times_ring_element
+/// Compute InvertNTT(Â ◦ ŝ₁) + s₂
+val compute_as1_plus_s2
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (rows_in_a columns_in_a: usize)
+ (a_as_ntt s1_ntt s1_s2 result:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-val add_vectors
+/// Compute InvertNTT(Â ◦ ŷ)
+val compute_matrix_x_mask
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (dimension: usize)
- (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (rows_in_a columns_in_a: usize)
+ (matrix mask result: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Compute InvertNTT(Â ◦ ŝ₁) + s₂
-val compute_as1_plus_s2
+val vector_times_ring_element
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (rows_in_a columns_in_a: usize)
- (a_as_ntt s1_ntt s1_s2 result:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (vector: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Compute InvertNTT(Â ◦ ŷ)
-val compute_matrix_x_mask
+val add_vectors
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (rows_in_a columns_in_a: usize)
- (matrix mask result: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (dimension: usize)
+ (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val subtract_vectors
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (dimension: usize)
+ (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
@@ -60,12 +69,3 @@ val compute_w_approx
: Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
Prims.l_True
(fun _ -> Prims.l_True)
-
-val subtract_vectors
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (dimension: usize)
- (lhs rhs: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- : Prims.Pure (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- Prims.l_True
- (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
index 3506b3983..a765340a9 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
@@ -37,6 +37,20 @@ let sign
context
randomness
+let verify
+ (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
+ (message context: t_Slice u8)
+ (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ =
+ Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref (
+ sz 1312)
+ verification_key
+ <:
+ t_Array u8 (sz 1312))
+ message
+ context
+ (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
+
let sign_pre_hashed_shake128
(signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560))
(message context: t_Slice u8)
@@ -59,20 +73,6 @@ let sign_pre_hashed_shake128
let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in
out
-let verify
- (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
- (message context: t_Slice u8)
- (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
- =
- Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_44_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref (
- sz 1312)
- verification_key
- <:
- t_Array u8 (sz 1312))
- message
- context
- (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 2420) signature <: t_Array u8 (sz 2420))
-
let verify_pre_hashed_shake128
(verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
(message context: t_Slice u8)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti
index eb77b98a4..271b3e989 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti
@@ -26,6 +26,20 @@ val sign
(Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+/// Verify an ML-DSA-44 Signature
+/// The parameter `context` is used for domain separation
+/// and is a byte string of length at most 255 bytes. It
+/// may also be empty.
+/// Returns `Ok` when the `signature` is valid for the `message` and
+/// `verification_key`, and a [`VerificationError`] otherwise.
+val verify
+ (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
+ (message context: t_Slice u8)
+ (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
/// Sign with HashML-DSA 44, with a SHAKE128 pre-hashing
/// Sign a digest of `message` derived using `pre_hash` with the
/// ML-DSA `signing_key`.
@@ -41,20 +55,6 @@ val sign_pre_hashed_shake128
(Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-/// Verify an ML-DSA-44 Signature
-/// The parameter `context` is used for domain separation
-/// and is a byte string of length at most 255 bytes. It
-/// may also be empty.
-/// Returns `Ok` when the `signature` is valid for the `message` and
-/// `verification_key`, and a [`VerificationError`] otherwise.
-val verify
- (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312))
- (message context: t_Slice u8)
- (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing
/// The parameter `context` is used for domain separation
/// and is a byte string of length at most 255 bytes. It
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst
index 243d5de79..d4f6f883f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst
@@ -37,6 +37,20 @@ let sign
context
randomness
+let verify
+ (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
+ (message context: t_Slice u8)
+ (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ =
+ Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref (
+ sz 1952)
+ verification_key
+ <:
+ t_Array u8 (sz 1952))
+ message
+ context
+ (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
+
let sign_pre_hashed_shake128
(signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032))
(message context: t_Slice u8)
@@ -59,20 +73,6 @@ let sign_pre_hashed_shake128
let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in
out
-let verify
- (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
- (message context: t_Slice u8)
- (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
- =
- Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_65_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref (
- sz 1952)
- verification_key
- <:
- t_Array u8 (sz 1952))
- message
- context
- (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 3309) signature <: t_Array u8 (sz 3309))
-
let verify_pre_hashed_shake128
(verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
(message context: t_Slice u8)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti
index d7b76e429..b8a48b5dd 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti
@@ -26,6 +26,20 @@ val sign
(Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+/// Verify an ML-DSA-65 Signature
+/// The parameter `context` is used for domain separation
+/// and is a byte string of length at most 255 bytes. It
+/// may also be empty.
+/// Returns `Ok` when the `signature` is valid for the `message` and
+/// `verification_key`, and a [`VerificationError`] otherwise.
+val verify
+ (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
+ (message context: t_Slice u8)
+ (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
/// Sign with HashML-DSA 65, with a SHAKE128 pre-hashing
/// Sign a digest of `message` derived using `pre_hash` with the
/// ML-DSA `signing_key`.
@@ -41,20 +55,6 @@ val sign_pre_hashed_shake128
(Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-/// Verify an ML-DSA-65 Signature
-/// The parameter `context` is used for domain separation
-/// and is a byte string of length at most 255 bytes. It
-/// may also be empty.
-/// Returns `Ok` when the `signature` is valid for the `message` and
-/// `verification_key`, and a [`VerificationError`] otherwise.
-val verify
- (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952))
- (message context: t_Slice u8)
- (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing
/// The parameter `context` is used for domain separation
/// and is a byte string of length at most 255 bytes. It
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst
index 56f5baaf3..561b3c090 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst
@@ -37,6 +37,20 @@ let sign
context
randomness
+let verify
+ (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
+ (message context: t_Slice u8)
+ (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ =
+ Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref (
+ sz 2592)
+ verification_key
+ <:
+ t_Array u8 (sz 2592))
+ message
+ context
+ (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
+
let sign_pre_hashed_shake128
(signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896))
(message context: t_Slice u8)
@@ -59,20 +73,6 @@ let sign_pre_hashed_shake128
let pre_hash_buffer:t_Array u8 (sz 256) = tmp0 in
out
-let verify
- (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
- (message context: t_Slice u8)
- (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
- =
- Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.Ml_dsa_87_.verify (Libcrux_ml_dsa.Types.impl_2__as_ref (
- sz 2592)
- verification_key
- <:
- t_Array u8 (sz 2592))
- message
- context
- (Libcrux_ml_dsa.Types.impl_4__as_ref (sz 4627) signature <: t_Array u8 (sz 4627))
-
let verify_pre_hashed_shake128
(verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
(message context: t_Slice u8)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti
index 2dbf4d427..259054199 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti
@@ -26,6 +26,20 @@ val sign
(Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+/// Verify an ML-DSA-87 Signature
+/// The parameter `context` is used for domain separation
+/// and is a byte string of length at most 255 bytes. It
+/// may also be empty.
+/// Returns `Ok` when the `signature` is valid for the `message` and
+/// `verification_key`, and a [`VerificationError`] otherwise.
+val verify
+ (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
+ (message context: t_Slice u8)
+ (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
/// Sign with HashML-DSA 87, with a SHAKE128 pre-hashing
/// Sign a digest of `message` derived using `pre_hash` with the
/// ML-DSA `signing_key`.
@@ -41,20 +55,6 @@ val sign_pre_hashed_shake128
(Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-/// Verify an ML-DSA-87 Signature
-/// The parameter `context` is used for domain separation
-/// and is a byte string of length at most 255 bytes. It
-/// may also be empty.
-/// Returns `Ok` when the `signature` is valid for the `message` and
-/// `verification_key`, and a [`VerificationError`] otherwise.
-val verify
- (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592))
- (message context: t_Slice u8)
- (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing
/// The parameter `context` is used for domain separation
/// and is a byte string of length at most 255 bytes. It
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst
index 5844e378d..11c2abad8 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fst
@@ -14,356 +14,208 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let verify_internal
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+let generate_key_pair
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i5:
+ i6:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
+ i8:
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
+ i9:
Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
+ i10:
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (verification_key: t_Array u8 (sz 1312))
- (message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- (signature_serialized: t_Array u8 (sz 2420))
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (randomness: t_Array u8 (sz 32))
+ (signing_key verification_key: t_Slice u8)
=
- let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE
+ <:
+ bool)
+ in
+ ()
+ in
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =.
+ v_VERIFICATION_KEY_SIZE
+ <:
+ bool)
+ in
+ ()
+ in
+ let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (randomness <: t_Slice u8)
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ ((let list =
+ [
+ cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) <: u8;
+ cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) <: u8
+ ]
+ in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+ Rust_primitives.Hax.array_of_list 2 list)
+ <:
+ t_Slice u8)
+ in
+ let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ seed_expanded
+ in
+ let shake:v_Shake256Xof = tmp0 in
+ let seed_expanded:t_Array u8 (sz 128) = tmp1 in
+ let _:Prims.unit = () in
+ let _:Prims.unit = () in
+ let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) =
Core.Slice.impl__split_at #u8
- (verification_key <: t_Slice u8)
+ (seed_expanded <: t_Slice u8)
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ seed_expanded
+ Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE
+ in
+ let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) =
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 4)
+ (sz 16)
in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
- v_VERIFICATION_KEY_SIZE
- t1_serialized
- t1
+ let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) =
+ Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler
+ #FStar.Tactics.Typeclasses.solve
+ #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
+ seed_for_a
+ a_as_ntt
in
- let deserialized_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 4)
+ (sz 8)
in
- let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) =
- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256))
+ let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
+ Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit
+ #v_Shake256X4
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA
+ seed_for_error_vectors
+ s1_s2
+ in
+ let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
(sz 4)
in
- let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 32) &
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) &
- t_Array (t_Array i32 (sz 256)) (sz 4) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) =
- Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE
- (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response
- deserialized_hint
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 4)
in
- let deserialized_commitment_hash:t_Array u8 (sz 32) = tmp0 in
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- tmp1
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ s1_ntt
+ (s1_s2.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
in
- let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp2 in
- match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with
- | Core.Result.Result_Ok _ ->
- let _:Prims.unit = () <: Prims.unit in
- if
- Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
- (deserialized_signer_response
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ <:
+ usize)
+ (fun s1_ntt temp_1_ ->
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ s1_ntt
+ in
+ let _:usize = temp_1_ in
+ true)
+ s1_ntt
+ (fun s1_ntt i ->
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ s1_ntt
+ in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt
+ i
+ (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+ (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
<:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- ((2l <
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- deserialized_signer_response
- in
- let _:usize = temp_1_ in
- true)
- deserialized_signer_response
- (fun deserialized_signer_response i ->
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- deserialized_signer_response
- in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response
- i
- (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
- (deserialized_signer_response.[ i ]
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))
- in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
- (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (deserialized_signer_response
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- verifier_challenge
- t1
- in
- let recomputed_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2
- (deserialized_hint <: t_Slice (t_Array i32 (sz 256)))
- t1
- in
- let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in
- let commitment_serialized:t_Array u8 (sz 768) =
- Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
- v_COMMITMENT_RING_ELEMENT_SIZE
- (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- commitment_serialized
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (message_representative <: t_Slice u8)
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (commitment_serialized <: t_Slice u8)
- in
- let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- recomputed_commitment_hash
- in
- let shake:v_Shake256Xof = tmp0 in
- let recomputed_commitment_hash:t_Array u8 (sz 32) = tmp1 in
- let _:Prims.unit = () in
- let _:Prims.unit = () in
- if deserialized_commitment_hash =. recomputed_commitment_hash
- then
- Core.Result.Result_Ok (() <: Prims.unit)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
- else
- Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
- | Core.Result.Result_Err e ->
- Core.Result.Result_Err e
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i5:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (verification_key_serialized: t_Array u8 (sz 1312))
- (message context: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 2420))
- =
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- verify_internal #v_SIMDUnit
- #v_Sampler
- #v_Shake128X4
- #v_Shake256
- #v_Shake256Xof
- verification_key_serialized
- message
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- signature_serialized
- | Core.Result.Result_Err _ ->
- Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify_pre_hashed
- (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i12:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH)
- (verification_key_serialized: t_Array u8 (sz 1312))
- (message context pre_hash_buffer: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 2420))
- =
- let pre_hash_buffer:t_Slice u8 =
- Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
- #FStar.Tactics.Typeclasses.solve
- #v_Shake128
- message
- pre_hash_buffer
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 4)
in
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_Some
- (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve ()
- <:
- t_Array u8 (sz 11))
- <:
- Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError =
- verify_internal #v_SIMDUnit
- #v_Sampler
- #v_Shake128X4
- #v_Shake256
- #v_Shake256Xof
- verification_key_serialized
- pre_hash_buffer
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- signature_serialized
- in
- pre_hash_buffer, hax_temp_output
- <:
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- | Core.Result.Result_Err _ ->
- pre_hash_buffer,
- (Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) &
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) =
+ Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1
+ in
+ let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in
+ let _:Prims.unit = () in
+ let verification_key:t_Slice u8 =
+ Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit
+ seed_for_a
+ (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ verification_key
+ in
+ let signing_key:t_Slice u8 =
+ Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a
+ seed_for_signing verification_key
+ (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key
+ in
+ signing_key, verification_key <: (t_Slice u8 & t_Slice u8)
let sign_internal
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
@@ -938,105 +790,238 @@ let sign_internal
<:
(t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
-let sign_mut
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+let verify_internal
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
+ i5:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
+ i7:
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
+ i8:
Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
+ i9:
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
- (signature: t_Array u8 (sz 2420))
- =
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- let tmp0, out:(t_Array u8 (sz 2420) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
- sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
- signing_key message
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
- signature
- in
- let signature:t_Array u8 (sz 2420) = tmp0 in
- let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in
- signature, hax_temp_output
- <:
- (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- | Core.Result.Result_Err _ ->
- signature,
- (Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- <:
- (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
-
-let sign
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
+ (verification_key: t_Array u8 (sz 1312))
+ (message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ (signature_serialized: t_Array u8 (sz 2420))
=
- let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) =
- Libcrux_ml_dsa.Types.impl_4__zero (sz 2420) ()
+ let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ (verification_key <: t_Slice u8)
+ Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
in
- let tmp0, out:(t_Array u8 (sz 2420) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
- sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
- signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 4)
in
- let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) =
- { signature with Libcrux_ml_dsa.Types.f_value = tmp0 }
- <:
- Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
+ v_VERIFICATION_KEY_SIZE
+ t1_serialized
+ t1
in
- match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with
+ let deserialized_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 4)
+ in
+ let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) =
+ Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256))
+ (sz 4)
+ in
+ let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 32) &
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) &
+ t_Array (t_Array i32 (sz 256)) (sz 4) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) =
+ Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE
+ (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response
+ deserialized_hint
+ in
+ let deserialized_commitment_hash:t_Array u8 (sz 32) = tmp0 in
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ tmp1
+ in
+ let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 4) = tmp2 in
+ match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with
| Core.Result.Result_Ok _ ->
- Core.Result.Result_Ok signature
- <:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
- Libcrux_ml_dsa.Types.t_SigningError
+ let _:Prims.unit = () <: Prims.unit in
+ if
+ Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
+ (deserialized_signer_response
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ ((2l <
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ deserialized_signer_response
+ in
+ let _:usize = temp_1_ in
+ true)
+ deserialized_signer_response
+ (fun deserialized_signer_response i ->
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ deserialized_signer_response
+ in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response
+ i
+ (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+ (deserialized_signer_response.[ i ]
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))
+ in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
+ (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (deserialized_signer_response
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ verifier_challenge
+ t1
+ in
+ let recomputed_commitment_hash:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
+ Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_GAMMA2
+ (deserialized_hint <: t_Slice (t_Array i32 (sz 256)))
+ t1
+ in
+ let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in
+ let commitment_serialized:t_Array u8 (sz 768) =
+ Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
+ v_COMMITMENT_RING_ELEMENT_SIZE
+ (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ commitment_serialized
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (message_representative <: t_Slice u8)
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (commitment_serialized <: t_Slice u8)
+ in
+ let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 32)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ recomputed_commitment_hash
+ in
+ let shake:v_Shake256Xof = tmp0 in
+ let recomputed_commitment_hash:t_Array u8 (sz 32) = tmp1 in
+ let _:Prims.unit = () in
+ let _:Prims.unit = () in
+ if deserialized_commitment_hash =. recomputed_commitment_hash
+ then
+ Core.Result.Result_Ok (() <: Prims.unit)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+ else
+ Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
+ <:
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
| Core.Result.Result_Err e ->
Core.Result.Result_Err e
<:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
- Libcrux_ml_dsa.Types.t_SigningError
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
let sign_pre_hashed_mut
(#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
@@ -1180,214 +1165,229 @@ let sign_pre_hashed
| Core.Result.Result_Err e ->
Core.Result.Result_Err e
<:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
- Libcrux_ml_dsa.Types.t_SigningError
- in
- pre_hash_buffer, hax_temp_output
- <:
- (t_Slice u8 &
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
- Libcrux_ml_dsa.Types.t_SigningError)
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ Libcrux_ml_dsa.Types.t_SigningError
+ in
+ pre_hash_buffer, hax_temp_output
+ <:
+ (t_Slice u8 &
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ Libcrux_ml_dsa.Types.t_SigningError)
+
+let sign_mut
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i6:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i10:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ (signature: t_Array u8 (sz 2420))
+ =
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ let tmp0, out:(t_Array u8 (sz 2420) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
+ sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+ signing_key message
+ (Core.Option.Option_Some domain_separation_context
+ <:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
+ signature
+ in
+ let signature:t_Array u8 (sz 2420) = tmp0 in
+ let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in
+ signature, hax_temp_output
+ <:
+ (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ | Core.Result.Result_Err _ ->
+ signature,
+ (Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ <:
+ (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+
+let sign
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i6:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i10:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ =
+ let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) =
+ Libcrux_ml_dsa.Types.impl_4__zero (sz 2420) ()
+ in
+ let tmp0, out:(t_Array u8 (sz 2420) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
+ sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+ signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value
+ in
+ let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420) =
+ { signature with Libcrux_ml_dsa.Types.f_value = tmp0 }
+ <:
+ Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)
+ in
+ match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with
+ | Core.Result.Result_Ok _ ->
+ Core.Result.Result_Ok signature
+ <:
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ Libcrux_ml_dsa.Types.t_SigningError
+ | Core.Result.Result_Err e ->
+ Core.Result.Result_Err e
+ <:
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ Libcrux_ml_dsa.Types.t_SigningError
+
+let verify
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i5:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i7:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (verification_key_serialized: t_Array u8 (sz 1312))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 2420))
+ =
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ verify_internal #v_SIMDUnit
+ #v_Sampler
+ #v_Shake128X4
+ #v_Shake256
+ #v_Shake256Xof
+ verification_key_serialized
+ message
+ (Core.Option.Option_Some domain_separation_context
+ <:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ signature_serialized
+ | Core.Result.Result_Err _ ->
+ Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
+ <:
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-let generate_key_pair
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+let verify_pre_hashed
+ (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
+ i7:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i10:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (randomness: t_Array u8 (sz 32))
- (signing_key verification_key: t_Slice u8)
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i12:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH)
+ (verification_key_serialized: t_Array u8 (sz 1312))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 2420))
=
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE
- <:
- bool)
- in
- ()
- in
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =.
- v_VERIFICATION_KEY_SIZE
- <:
- bool)
- in
- ()
- in
- let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (randomness <: t_Slice u8)
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- ((let list =
- [
- cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A <: usize) <: u8;
- cast (Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A <: usize) <: u8
- ]
- in
- FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
- Rust_primitives.Hax.array_of_list 2 list)
- <:
- t_Slice u8)
- in
- let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- seed_expanded
- in
- let shake:v_Shake256Xof = tmp0 in
- let seed_expanded:t_Array u8 (sz 128) = tmp1 in
- let _:Prims.unit = () in
- let _:Prims.unit = () in
- let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- (seed_expanded <: t_Slice u8)
- Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
- in
- let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- seed_expanded
- Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE
- in
- let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 16)
- in
- let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 16) =
- Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler
+ let pre_hash_buffer:t_Slice u8 =
+ Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
#FStar.Tactics.Typeclasses.solve
- #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
- seed_for_a
- a_as_ntt
- in
- let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 8)
- in
- let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit
- #v_Shake256X4
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA
- seed_for_error_vectors
- s1_s2
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 4)
- in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 4)
+ #v_Shake128
+ message
+ pre_hash_buffer
in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- s1_ntt
- (s1_s2.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
- }
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_Some
+ (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve ()
<:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ t_Array u8 (sz 11))
<:
- usize)
- (fun s1_ntt temp_1_ ->
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- s1_ntt
- in
- let _:usize = temp_1_ in
- true)
- s1_ntt
- (fun s1_ntt i ->
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- s1_ntt
- in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt
- i
- (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
- (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError =
+ verify_internal #v_SIMDUnit
+ #v_Sampler
+ #v_Shake128X4
+ #v_Shake256
+ #v_Shake256Xof
+ verification_key_serialized
+ pre_hash_buffer
+ (Core.Option.Option_Some domain_separation_context
<:
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4))
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
- (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- t0
- in
- let _:Prims.unit = () in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ signature_serialized
+ in
+ pre_hash_buffer, hax_temp_output
+ <:
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ | Core.Result.Result_Err _ ->
+ pre_hash_buffer,
+ (Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
<:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 4)
- in
- let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) &
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4)) =
- Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp0 in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 4) = tmp1 in
- let _:Prims.unit = () in
- let verification_key:t_Slice u8 =
- Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit
- seed_for_a
- (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- verification_key
- in
- let signing_key:t_Slice u8 =
- Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a
- seed_for_signing verification_key
- (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key
- in
- signing_key, verification_key <: (t_Slice u8 & t_Slice u8)
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti
index c55d05042..716255d52 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_44_.fsti
@@ -14,16 +14,13 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let v_BETA: i32 =
- Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA
-
-let v_COMMITMENT_RING_ELEMENT_SIZE: usize =
- Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT
+let v_ROW_COLUMN: usize =
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +!
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
-let v_COMMITMENT_VECTOR_SIZE: usize =
- Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
+let v_ROW_X_COLUMN: usize =
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A *!
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
let v_ERROR_RING_ELEMENT_SIZE: usize =
Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_ERROR_COEFFICIENT
@@ -31,20 +28,16 @@ let v_ERROR_RING_ELEMENT_SIZE: usize =
let v_GAMMA1_RING_ELEMENT_SIZE: usize =
Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT
-let v_ROW_COLUMN: usize =
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A +!
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
+let v_COMMITMENT_RING_ELEMENT_SIZE: usize =
+ Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT
-let v_ROW_X_COLUMN: usize =
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A *!
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
+let v_BETA: i32 =
+ Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ONES_IN_VERIFIER_CHALLENGE
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ETA
-let v_SIGNATURE_SIZE: usize =
- Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT
+let v_COMMITMENT_VECTOR_SIZE: usize =
+ Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_COMMITMENT_COEFFICIENT
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
let v_SIGNING_KEY_SIZE: usize =
Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
@@ -54,57 +47,14 @@ let v_SIGNING_KEY_SIZE: usize =
let v_VERIFICATION_KEY_SIZE: usize =
Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
-/// The internal verification API.
-/// If no `domain_separation_context` is supplied, it is assumed that
-/// `message` already contains the domain separation.
-val verify_internal
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- (verification_key: t_Array u8 (sz 1312))
- (message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- (signature_serialized: t_Array u8 (sz 2420))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val verify
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- (verification_key_serialized: t_Array u8 (sz 1312))
- (message context: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 2420))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val verify_pre_hashed
- (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
- {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
- {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |}
- (verification_key_serialized: t_Array u8 (sz 1312))
- (message context pre_hash_buffer: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 2420))
- : Prims.Pure
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
+let v_SIGNATURE_SIZE: usize =
+ Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COLUMNS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_MAX_ONES_IN_HINT
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_COMMITMENT_HASH_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_44_.v_BITS_PER_GAMMA1_COEFFICIENT
-val sign_internal
+val generate_key_pair
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -112,17 +62,11 @@ val sign_internal
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
(randomness: t_Array u8 (sz 32))
- (signature: t_Array u8 (sz 2420))
- : Prims.Pure
- (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- Prims.l_True
- (fun _ -> Prims.l_True)
+ (signing_key verification_key: t_Slice u8)
+ : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-val sign_mut
+val sign_internal
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -130,7 +74,9 @@ val sign_mut
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message context: t_Slice u8)
+ (signing_key message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
(randomness: t_Array u8 (sz 32))
(signature: t_Array u8 (sz 2420))
: Prims.Pure
@@ -138,19 +84,24 @@ val sign_mut
Prims.l_True
(fun _ -> Prims.l_True)
-val sign
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
- {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure
- (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
- Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+/// The internal verification API.
+/// If no `domain_separation_context` is supplied, it is assumed that
+/// `message` already contains the domain separation.
+val verify_internal
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ (verification_key: t_Array u8 (sz 1312))
+ (message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ (signature_serialized: t_Array u8 (sz 2420))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
val sign_pre_hashed_mut
(#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
@@ -190,7 +141,7 @@ val sign_pre_hashed
Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-val generate_key_pair
+val sign_mut
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -198,6 +149,55 @@ val generate_key_pair
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+ (signing_key message context: t_Slice u8)
(randomness: t_Array u8 (sz 32))
- (signing_key verification_key: t_Slice u8)
- : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+ (signature: t_Array u8 (sz 2420))
+ : Prims.Pure
+ (t_Array u8 (sz 2420) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val sign
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure
+ (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420))
+ Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val verify
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ (verification_key_serialized: t_Array u8 (sz 1312))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 2420))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val verify_pre_hashed
+ (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
+ {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
+ {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |}
+ (verification_key_serialized: t_Array u8 (sz 1312))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 2420))
+ : Prims.Pure
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst
index 9cd43f56e..bb138ae8b 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fst
@@ -14,356 +14,208 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let verify_internal
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+let generate_key_pair
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i5:
+ i6:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
+ i8:
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
+ i9:
Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
+ i10:
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (verification_key: t_Array u8 (sz 1952))
- (message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- (signature_serialized: t_Array u8 (sz 3309))
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (randomness: t_Array u8 (sz 32))
+ (signing_key verification_key: t_Slice u8)
=
- let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE
+ <:
+ bool)
+ in
+ ()
+ in
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =.
+ v_VERIFICATION_KEY_SIZE
+ <:
+ bool)
+ in
+ ()
+ in
+ let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (randomness <: t_Slice u8)
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ ((let list =
+ [
+ cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) <: u8;
+ cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) <: u8
+ ]
+ in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+ Rust_primitives.Hax.array_of_list 2 list)
+ <:
+ t_Slice u8)
+ in
+ let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ seed_expanded
+ in
+ let shake:v_Shake256Xof = tmp0 in
+ let seed_expanded:t_Array u8 (sz 128) = tmp1 in
+ let _:Prims.unit = () in
+ let _:Prims.unit = () in
+ let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) =
Core.Slice.impl__split_at #u8
- (verification_key <: t_Slice u8)
+ (seed_expanded <: t_Slice u8)
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
+ let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ seed_expanded
+ Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE
+ in
+ let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) =
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 6)
+ (sz 30)
in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
- Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
- v_VERIFICATION_KEY_SIZE
- t1_serialized
- t1
+ let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) =
+ Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler
+ #FStar.Tactics.Typeclasses.solve
+ #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
+ seed_for_a
+ a_as_ntt
in
- let deserialized_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) =
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 5)
+ (sz 11)
in
- let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) =
- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256))
+ let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) =
+ Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit
+ #v_Shake256X4
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA
+ seed_for_error_vectors
+ s1_s2
+ in
+ let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
(sz 6)
in
- let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 48) &
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) &
- t_Array (t_Array i32 (sz 256)) (sz 6) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) =
- Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE
- (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response
- deserialized_hint
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 5)
in
- let deserialized_commitment_hash:t_Array u8 (sz 48) = tmp0 in
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- tmp1
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ s1_ntt
+ (s1_s2.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
in
- let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp2 in
- match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with
- | Core.Result.Result_Ok _ ->
- let _:Prims.unit = () <: Prims.unit in
- if
- Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
- (deserialized_signer_response
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ <:
+ usize)
+ (fun s1_ntt temp_1_ ->
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ s1_ntt
+ in
+ let _:usize = temp_1_ in
+ true)
+ s1_ntt
+ (fun s1_ntt i ->
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ s1_ntt
+ in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt
+ i
+ (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+ (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
<:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- ((2l <
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- deserialized_signer_response
- in
- let _:usize = temp_1_ in
- true)
- deserialized_signer_response
- (fun deserialized_signer_response i ->
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- deserialized_signer_response
- in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response
- i
- (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
- (deserialized_signer_response.[ i ]
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))
- in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
- Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
- (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (deserialized_signer_response
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- verifier_challenge
- t1
- in
- let recomputed_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
- Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2
- (deserialized_hint <: t_Slice (t_Array i32 (sz 256)))
- t1
- in
- let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in
- let commitment_serialized:t_Array u8 (sz 768) =
- Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
- v_COMMITMENT_RING_ELEMENT_SIZE
- (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- commitment_serialized
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (message_representative <: t_Slice u8)
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (commitment_serialized <: t_Slice u8)
- in
- let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- recomputed_commitment_hash
- in
- let shake:v_Shake256Xof = tmp0 in
- let recomputed_commitment_hash:t_Array u8 (sz 48) = tmp1 in
- let _:Prims.unit = () in
- let _:Prims.unit = () in
- if deserialized_commitment_hash =. recomputed_commitment_hash
- then
- Core.Result.Result_Ok (() <: Prims.unit)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
- else
- Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
- | Core.Result.Result_Err e ->
- Core.Result.Result_Err e
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i5:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (verification_key_serialized: t_Array u8 (sz 1952))
- (message context: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 3309))
- =
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- verify_internal #v_SIMDUnit
- #v_Sampler
- #v_Shake128X4
- #v_Shake256
- #v_Shake256Xof
- verification_key_serialized
- message
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- signature_serialized
- | Core.Result.Result_Err _ ->
- Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify_pre_hashed
- (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i12:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH)
- (verification_key_serialized: t_Array u8 (sz 1952))
- (message context pre_hash_buffer: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 3309))
- =
- let pre_hash_buffer:t_Slice u8 =
- Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
- #FStar.Tactics.Typeclasses.solve
- #v_Shake128
- message
- pre_hash_buffer
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 6)
in
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_Some
- (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve ()
- <:
- t_Array u8 (sz 11))
- <:
- Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError =
- verify_internal #v_SIMDUnit
- #v_Sampler
- #v_Shake128X4
- #v_Shake256
- #v_Shake256Xof
- verification_key_serialized
- pre_hash_buffer
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- signature_serialized
- in
- pre_hash_buffer, hax_temp_output
- <:
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- | Core.Result.Result_Err _ ->
- pre_hash_buffer,
- (Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) &
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) =
+ Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1
+ in
+ let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in
+ let _:Prims.unit = () in
+ let verification_key:t_Slice u8 =
+ Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit
+ seed_for_a
+ (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ verification_key
+ in
+ let signing_key:t_Slice u8 =
+ Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a
+ seed_for_signing verification_key
+ (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key
+ in
+ signing_key, verification_key <: (t_Slice u8 & t_Slice u8)
let sign_internal
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
@@ -938,105 +790,238 @@ let sign_internal
<:
(t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
-let sign_mut
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+let verify_internal
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
+ i5:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
+ i7:
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
+ i8:
Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
+ i9:
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
- (signature: t_Array u8 (sz 3309))
- =
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- let tmp0, out:(t_Array u8 (sz 3309) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
- sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
- signing_key message
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
- signature
- in
- let signature:t_Array u8 (sz 3309) = tmp0 in
- let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in
- signature, hax_temp_output
- <:
- (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- | Core.Result.Result_Err _ ->
- signature,
- (Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- <:
- (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
-
-let sign
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
+ (verification_key: t_Array u8 (sz 1952))
+ (message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ (signature_serialized: t_Array u8 (sz 3309))
=
- let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) =
- Libcrux_ml_dsa.Types.impl_4__zero (sz 3309) ()
+ let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ (verification_key <: t_Slice u8)
+ Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
in
- let tmp0, out:(t_Array u8 (sz 3309) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
- sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
- signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 6)
in
- let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) =
- { signature with Libcrux_ml_dsa.Types.f_value = tmp0 }
- <:
- Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
+ Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
+ v_VERIFICATION_KEY_SIZE
+ t1_serialized
+ t1
in
- match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with
+ let deserialized_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 5)
+ in
+ let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) =
+ Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256))
+ (sz 6)
+ in
+ let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 48) &
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) &
+ t_Array (t_Array i32 (sz 256)) (sz 6) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) =
+ Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE
+ (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response
+ deserialized_hint
+ in
+ let deserialized_commitment_hash:t_Array u8 (sz 48) = tmp0 in
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ tmp1
+ in
+ let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 6) = tmp2 in
+ match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with
| Core.Result.Result_Ok _ ->
- Core.Result.Result_Ok signature
- <:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
- Libcrux_ml_dsa.Types.t_SigningError
+ let _:Prims.unit = () <: Prims.unit in
+ if
+ Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
+ (deserialized_signer_response
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ ((2l <
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ deserialized_signer_response
+ in
+ let _:usize = temp_1_ in
+ true)
+ deserialized_signer_response
+ (fun deserialized_signer_response i ->
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
+ deserialized_signer_response
+ in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response
+ i
+ (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+ (deserialized_signer_response.[ i ]
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))
+ in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
+ Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
+ (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (deserialized_signer_response
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ verifier_challenge
+ t1
+ in
+ let recomputed_commitment_hash:t_Array u8 (sz 48) = Rust_primitives.Hax.repeat 0uy (sz 48) in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
+ Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_GAMMA2
+ (deserialized_hint <: t_Slice (t_Array i32 (sz 256)))
+ t1
+ in
+ let commitment_serialized:t_Array u8 (sz 768) = Rust_primitives.Hax.repeat 0uy (sz 768) in
+ let commitment_serialized:t_Array u8 (sz 768) =
+ Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
+ v_COMMITMENT_RING_ELEMENT_SIZE
+ (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ commitment_serialized
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (message_representative <: t_Slice u8)
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (commitment_serialized <: t_Slice u8)
+ in
+ let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 48)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ recomputed_commitment_hash
+ in
+ let shake:v_Shake256Xof = tmp0 in
+ let recomputed_commitment_hash:t_Array u8 (sz 48) = tmp1 in
+ let _:Prims.unit = () in
+ let _:Prims.unit = () in
+ if deserialized_commitment_hash =. recomputed_commitment_hash
+ then
+ Core.Result.Result_Ok (() <: Prims.unit)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+ else
+ Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
+ <:
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
| Core.Result.Result_Err e ->
Core.Result.Result_Err e
<:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
- Libcrux_ml_dsa.Types.t_SigningError
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
let sign_pre_hashed_mut
(#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
@@ -1180,214 +1165,229 @@ let sign_pre_hashed
| Core.Result.Result_Err e ->
Core.Result.Result_Err e
<:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
- Libcrux_ml_dsa.Types.t_SigningError
- in
- pre_hash_buffer, hax_temp_output
- <:
- (t_Slice u8 &
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
- Libcrux_ml_dsa.Types.t_SigningError)
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ Libcrux_ml_dsa.Types.t_SigningError
+ in
+ pre_hash_buffer, hax_temp_output
+ <:
+ (t_Slice u8 &
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ Libcrux_ml_dsa.Types.t_SigningError)
+
+let sign_mut
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i6:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i10:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ (signature: t_Array u8 (sz 3309))
+ =
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ let tmp0, out:(t_Array u8 (sz 3309) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
+ sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+ signing_key message
+ (Core.Option.Option_Some domain_separation_context
+ <:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
+ signature
+ in
+ let signature:t_Array u8 (sz 3309) = tmp0 in
+ let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in
+ signature, hax_temp_output
+ <:
+ (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ | Core.Result.Result_Err _ ->
+ signature,
+ (Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ <:
+ (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+
+let sign
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i6:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i10:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ =
+ let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) =
+ Libcrux_ml_dsa.Types.impl_4__zero (sz 3309) ()
+ in
+ let tmp0, out:(t_Array u8 (sz 3309) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
+ sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+ signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value
+ in
+ let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309) =
+ { signature with Libcrux_ml_dsa.Types.f_value = tmp0 }
+ <:
+ Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)
+ in
+ match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with
+ | Core.Result.Result_Ok _ ->
+ Core.Result.Result_Ok signature
+ <:
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ Libcrux_ml_dsa.Types.t_SigningError
+ | Core.Result.Result_Err e ->
+ Core.Result.Result_Err e
+ <:
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ Libcrux_ml_dsa.Types.t_SigningError
+
+let verify
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i5:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i7:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (verification_key_serialized: t_Array u8 (sz 1952))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 3309))
+ =
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ verify_internal #v_SIMDUnit
+ #v_Sampler
+ #v_Shake128X4
+ #v_Shake256
+ #v_Shake256Xof
+ verification_key_serialized
+ message
+ (Core.Option.Option_Some domain_separation_context
+ <:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ signature_serialized
+ | Core.Result.Result_Err _ ->
+ Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
+ <:
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-let generate_key_pair
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+let verify_pre_hashed
+ (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
+ i7:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i10:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (randomness: t_Array u8 (sz 32))
- (signing_key verification_key: t_Slice u8)
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i12:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH)
+ (verification_key_serialized: t_Array u8 (sz 1952))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 3309))
=
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE
- <:
- bool)
- in
- ()
- in
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =.
- v_VERIFICATION_KEY_SIZE
- <:
- bool)
- in
- ()
- in
- let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (randomness <: t_Slice u8)
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- ((let list =
- [
- cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A <: usize) <: u8;
- cast (Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A <: usize) <: u8
- ]
- in
- FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
- Rust_primitives.Hax.array_of_list 2 list)
- <:
- t_Slice u8)
- in
- let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- seed_expanded
- in
- let shake:v_Shake256Xof = tmp0 in
- let seed_expanded:t_Array u8 (sz 128) = tmp1 in
- let _:Prims.unit = () in
- let _:Prims.unit = () in
- let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- (seed_expanded <: t_Slice u8)
- Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
- in
- let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- seed_expanded
- Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE
- in
- let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 30)
- in
- let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 30) =
- Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler
+ let pre_hash_buffer:t_Slice u8 =
+ Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
#FStar.Tactics.Typeclasses.solve
- #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
- seed_for_a
- a_as_ntt
- in
- let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 11)
- in
- let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 11) =
- Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit
- #v_Shake256X4
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA
- seed_for_error_vectors
- s1_s2
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 6)
- in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 5)
+ #v_Shake128
+ message
+ pre_hash_buffer
in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- s1_ntt
- (s1_s2.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
- }
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_Some
+ (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve ()
<:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ t_Array u8 (sz 11))
<:
- usize)
- (fun s1_ntt temp_1_ ->
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- s1_ntt
- in
- let _:usize = temp_1_ in
- true)
- s1_ntt
- (fun s1_ntt i ->
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5) =
- s1_ntt
- in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt
- i
- (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
- (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError =
+ verify_internal #v_SIMDUnit
+ #v_Sampler
+ #v_Shake128X4
+ #v_Shake256
+ #v_Shake256Xof
+ verification_key_serialized
+ pre_hash_buffer
+ (Core.Option.Option_Some domain_separation_context
<:
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 5))
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
- Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
- (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- t0
- in
- let _:Prims.unit = () in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ signature_serialized
+ in
+ pre_hash_buffer, hax_temp_output
+ <:
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ | Core.Result.Result_Err _ ->
+ pre_hash_buffer,
+ (Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
<:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 6)
- in
- let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) &
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6)) =
- Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp0 in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 6) = tmp1 in
- let _:Prims.unit = () in
- let verification_key:t_Slice u8 =
- Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit
- seed_for_a
- (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- verification_key
- in
- let signing_key:t_Slice u8 =
- Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a
- seed_for_signing verification_key
- (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key
- in
- signing_key, verification_key <: (t_Slice u8 & t_Slice u8)
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti
index dc9e55a43..b4528e575 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_65_.fsti
@@ -14,16 +14,13 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let v_BETA: i32 =
- Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA
-
-let v_COMMITMENT_RING_ELEMENT_SIZE: usize =
- Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT
+let v_ROW_COLUMN: usize =
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +!
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
-let v_COMMITMENT_VECTOR_SIZE: usize =
- Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
+let v_ROW_X_COLUMN: usize =
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A *!
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
let v_ERROR_RING_ELEMENT_SIZE: usize =
Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_ERROR_COEFFICIENT
@@ -31,20 +28,16 @@ let v_ERROR_RING_ELEMENT_SIZE: usize =
let v_GAMMA1_RING_ELEMENT_SIZE: usize =
Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT
-let v_ROW_COLUMN: usize =
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A +!
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
+let v_COMMITMENT_RING_ELEMENT_SIZE: usize =
+ Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT
-let v_ROW_X_COLUMN: usize =
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A *!
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
+let v_BETA: i32 =
+ Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ONES_IN_VERIFIER_CHALLENGE
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ETA
-let v_SIGNATURE_SIZE: usize =
- Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT
+let v_COMMITMENT_VECTOR_SIZE: usize =
+ Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_COMMITMENT_COEFFICIENT
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
let v_SIGNING_KEY_SIZE: usize =
Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
@@ -54,57 +47,14 @@ let v_SIGNING_KEY_SIZE: usize =
let v_VERIFICATION_KEY_SIZE: usize =
Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
-/// The internal verification API.
-/// If no `domain_separation_context` is supplied, it is assumed that
-/// `message` already contains the domain separation.
-val verify_internal
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- (verification_key: t_Array u8 (sz 1952))
- (message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- (signature_serialized: t_Array u8 (sz 3309))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val verify
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- (verification_key_serialized: t_Array u8 (sz 1952))
- (message context: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 3309))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val verify_pre_hashed
- (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
- {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
- {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |}
- (verification_key_serialized: t_Array u8 (sz 1952))
- (message context pre_hash_buffer: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 3309))
- : Prims.Pure
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
+let v_SIGNATURE_SIZE: usize =
+ Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COLUMNS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_MAX_ONES_IN_HINT
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_COMMITMENT_HASH_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_65_.v_BITS_PER_GAMMA1_COEFFICIENT
-val sign_internal
+val generate_key_pair
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -112,17 +62,11 @@ val sign_internal
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
(randomness: t_Array u8 (sz 32))
- (signature: t_Array u8 (sz 3309))
- : Prims.Pure
- (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- Prims.l_True
- (fun _ -> Prims.l_True)
+ (signing_key verification_key: t_Slice u8)
+ : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-val sign_mut
+val sign_internal
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -130,7 +74,9 @@ val sign_mut
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message context: t_Slice u8)
+ (signing_key message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
(randomness: t_Array u8 (sz 32))
(signature: t_Array u8 (sz 3309))
: Prims.Pure
@@ -138,19 +84,24 @@ val sign_mut
Prims.l_True
(fun _ -> Prims.l_True)
-val sign
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
- {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure
- (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
- Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+/// The internal verification API.
+/// If no `domain_separation_context` is supplied, it is assumed that
+/// `message` already contains the domain separation.
+val verify_internal
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ (verification_key: t_Array u8 (sz 1952))
+ (message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ (signature_serialized: t_Array u8 (sz 3309))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
val sign_pre_hashed_mut
(#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
@@ -190,7 +141,7 @@ val sign_pre_hashed
Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-val generate_key_pair
+val sign_mut
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -198,6 +149,55 @@ val generate_key_pair
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+ (signing_key message context: t_Slice u8)
(randomness: t_Array u8 (sz 32))
- (signing_key verification_key: t_Slice u8)
- : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+ (signature: t_Array u8 (sz 3309))
+ : Prims.Pure
+ (t_Array u8 (sz 3309) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val sign
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure
+ (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309))
+ Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val verify
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ (verification_key_serialized: t_Array u8 (sz 1952))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 3309))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val verify_pre_hashed
+ (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
+ {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
+ {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |}
+ (verification_key_serialized: t_Array u8 (sz 1952))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 3309))
+ : Prims.Pure
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst
index a2fc8ab3e..2a402b17d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fst
@@ -14,356 +14,208 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let verify_internal
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+let generate_key_pair
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i5:
+ i6:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
+ i8:
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
+ i9:
Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
+ i10:
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (verification_key: t_Array u8 (sz 2592))
- (message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- (signature_serialized: t_Array u8 (sz 4627))
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (randomness: t_Array u8 (sz 32))
+ (signing_key verification_key: t_Slice u8)
=
- let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE
+ <:
+ bool)
+ in
+ ()
+ in
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =.
+ v_VERIFICATION_KEY_SIZE
+ <:
+ bool)
+ in
+ ()
+ in
+ let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (randomness <: t_Slice u8)
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ ((let list =
+ [
+ cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) <: u8;
+ cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) <: u8
+ ]
+ in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+ Rust_primitives.Hax.array_of_list 2 list)
+ <:
+ t_Slice u8)
+ in
+ let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ seed_expanded
+ in
+ let shake:v_Shake256Xof = tmp0 in
+ let seed_expanded:t_Array u8 (sz 128) = tmp1 in
+ let _:Prims.unit = () in
+ let _:Prims.unit = () in
+ let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) =
Core.Slice.impl__split_at #u8
- (verification_key <: t_Slice u8)
+ (seed_expanded <: t_Slice u8)
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
+ let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ seed_expanded
+ Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE
+ in
+ let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) =
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 8)
+ (sz 56)
in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
- v_VERIFICATION_KEY_SIZE
- t1_serialized
- t1
+ let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) =
+ Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler
+ #FStar.Tactics.Typeclasses.solve
+ #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
+ seed_for_a
+ a_as_ntt
in
- let deserialized_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) =
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 7)
+ (sz 15)
in
- let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) =
- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256))
+ let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) =
+ Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit
+ #v_Shake256X4
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA
+ seed_for_error_vectors
+ s1_s2
+ in
+ let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
(sz 8)
in
- let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 64) &
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) &
- t_Array (t_Array i32 (sz 256)) (sz 8) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) =
- Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE
- (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response
- deserialized_hint
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 7)
in
- let deserialized_commitment_hash:t_Array u8 (sz 64) = tmp0 in
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- tmp1
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ s1_ntt
+ (s1_s2.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
in
- let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp2 in
- match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with
- | Core.Result.Result_Ok _ ->
- let _:Prims.unit = () <: Prims.unit in
- if
- Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
- (deserialized_signer_response
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ <:
+ usize)
+ (fun s1_ntt temp_1_ ->
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ s1_ntt
+ in
+ let _:usize = temp_1_ in
+ true)
+ s1_ntt
+ (fun s1_ntt i ->
+ let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ s1_ntt
+ in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt
+ i
+ (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+ (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
<:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- ((2l <
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- deserialized_signer_response
- in
- let _:usize = temp_1_ in
- true)
- deserialized_signer_response
- (fun deserialized_signer_response i ->
- let deserialized_signer_response:t_Array
- (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- deserialized_signer_response
- in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response
- i
- (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
- (deserialized_signer_response.[ i ]
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))
- in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
- (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (deserialized_signer_response
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- verifier_challenge
- t1
- in
- let recomputed_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2
- (deserialized_hint <: t_Slice (t_Array i32 (sz 256)))
- t1
- in
- let commitment_serialized:t_Array u8 (sz 1024) = Rust_primitives.Hax.repeat 0uy (sz 1024) in
- let commitment_serialized:t_Array u8 (sz 1024) =
- Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
- v_COMMITMENT_RING_ELEMENT_SIZE
- (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- commitment_serialized
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (message_representative <: t_Slice u8)
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (commitment_serialized <: t_Slice u8)
- in
- let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- recomputed_commitment_hash
- in
- let shake:v_Shake256Xof = tmp0 in
- let recomputed_commitment_hash:t_Array u8 (sz 64) = tmp1 in
- let _:Prims.unit = () in
- let _:Prims.unit = () in
- if deserialized_commitment_hash =. recomputed_commitment_hash
- then
- Core.Result.Result_Ok (() <: Prims.unit)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
- else
- Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
- | Core.Result.Result_Err e ->
- Core.Result.Result_Err e
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i5:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (verification_key_serialized: t_Array u8 (sz 2592))
- (message context: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 4627))
- =
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- verify_internal #v_SIMDUnit
- #v_Sampler
- #v_Shake128X4
- #v_Shake256
- #v_Shake256Xof
- verification_key_serialized
- message
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- signature_serialized
- | Core.Result.Result_Err _ ->
- Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-
-let verify_pre_hashed
- (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i7:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i12:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH)
- (verification_key_serialized: t_Array u8 (sz 2592))
- (message context pre_hash_buffer: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 4627))
- =
- let pre_hash_buffer:t_Slice u8 =
- Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
- #FStar.Tactics.Typeclasses.solve
- #v_Shake128
- message
- pre_hash_buffer
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 8)
in
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_Some
- (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve ()
- <:
- t_Array u8 (sz 11))
- <:
- Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError =
- verify_internal #v_SIMDUnit
- #v_Sampler
- #v_Shake128X4
- #v_Shake256
- #v_Shake256Xof
- verification_key_serialized
- pre_hash_buffer
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- signature_serialized
- in
- pre_hash_buffer, hax_temp_output
- <:
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- | Core.Result.Result_Err _ ->
- pre_hash_buffer,
- (Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- <:
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) &
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) =
+ Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1
+ in
+ let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in
+ let _:Prims.unit = () in
+ let verification_key:t_Slice u8 =
+ Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit
+ seed_for_a
+ (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ verification_key
+ in
+ let signing_key:t_Slice u8 =
+ Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a
+ seed_for_signing verification_key
+ (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key
+ in
+ signing_key, verification_key <: (t_Slice u8 & t_Slice u8)
let sign_internal
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
@@ -940,105 +792,238 @@ let sign_internal
<:
(t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
-let sign_mut
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+let verify_internal
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
+ i5:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
+ i7:
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
+ i8:
Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
+ i9:
Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
- (signature: t_Array u8 (sz 4627))
- =
- match
- Libcrux_ml_dsa.Pre_hash.impl_1__new context
- (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
- <:
- Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
- Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
- with
- | Core.Result.Result_Ok dsc ->
- let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
- let tmp0, out:(t_Array u8 (sz 4627) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
- sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
- signing_key message
- (Core.Option.Option_Some domain_separation_context
- <:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
- signature
- in
- let signature:t_Array u8 (sz 4627) = tmp0 in
- let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in
- signature, hax_temp_output
- <:
- (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- | Core.Result.Result_Err _ ->
- signature,
- (Core.Result.Result_Err
- (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
- <:
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- <:
- (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
-
-let sign
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i10:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
+ (verification_key: t_Array u8 (sz 2592))
+ (message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ (signature_serialized: t_Array u8 (sz 4627))
=
- let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) =
- Libcrux_ml_dsa.Types.impl_4__zero (sz 4627) ()
+ let seed_for_a, t1_serialized:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ (verification_key <: t_Slice u8)
+ Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
in
- let tmp0, out:(t_Array u8 (sz 4627) &
- Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
- sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
- signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 8)
in
- let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) =
- { signature with Libcrux_ml_dsa.Types.f_value = tmp0 }
- <:
- Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
+ Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
+ v_VERIFICATION_KEY_SIZE
+ t1_serialized
+ t1
in
- match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with
+ let deserialized_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (sz 7)
+ in
+ let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) =
+ Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256))
+ (sz 8)
+ in
+ let tmp0, tmp1, tmp2, out:(t_Array u8 (sz 64) &
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) &
+ t_Array (t_Array i32 (sz 256)) (sz 8) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) =
+ Libcrux_ml_dsa.Encoding.Signature.deserialize #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE
+ (signature_serialized <: t_Slice u8) deserialized_commitment_hash deserialized_signer_response
+ deserialized_hint
+ in
+ let deserialized_commitment_hash:t_Array u8 (sz 64) = tmp0 in
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ tmp1
+ in
+ let deserialized_hint:t_Array (t_Array i32 (sz 256)) (sz 8) = tmp2 in
+ match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError with
| Core.Result.Result_Ok _ ->
- Core.Result.Result_Ok signature
- <:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
- Libcrux_ml_dsa.Types.t_SigningError
+ let _:Prims.unit = () <: Prims.unit in
+ if
+ Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit
+ (deserialized_signer_response
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ ((2l <
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ deserialized_signer_response
+ in
+ let _:usize = temp_1_ in
+ true)
+ deserialized_signer_response
+ (fun deserialized_signer_response i ->
+ let deserialized_signer_response:t_Array
+ (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
+ deserialized_signer_response
+ in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_signer_response
+ i
+ (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
+ (deserialized_signer_response.[ i ]
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))
+ in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
+ Libcrux_ml_dsa.Matrix.compute_w_approx #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
+ (matrix <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (deserialized_signer_response
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ verifier_challenge
+ t1
+ in
+ let recomputed_commitment_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+ let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
+ Libcrux_ml_dsa.Arithmetic.use_hint #v_SIMDUnit
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_GAMMA2
+ (deserialized_hint <: t_Slice (t_Array i32 (sz 256)))
+ t1
+ in
+ let commitment_serialized:t_Array u8 (sz 1024) = Rust_primitives.Hax.repeat 0uy (sz 1024) in
+ let commitment_serialized:t_Array u8 (sz 1024) =
+ Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit
+ v_COMMITMENT_RING_ELEMENT_SIZE
+ (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ commitment_serialized
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (message_representative <: t_Slice u8)
+ in
+ let shake:v_Shake256Xof =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ (commitment_serialized <: t_Slice u8)
+ in
+ let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 64)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
+ #FStar.Tactics.Typeclasses.solve
+ shake
+ recomputed_commitment_hash
+ in
+ let shake:v_Shake256Xof = tmp0 in
+ let recomputed_commitment_hash:t_Array u8 (sz 64) = tmp1 in
+ let _:Prims.unit = () in
+ let _:Prims.unit = () in
+ if deserialized_commitment_hash =. recomputed_commitment_hash
+ then
+ Core.Result.Result_Ok (() <: Prims.unit)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
+ else
+ Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError
+ <:
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
| Core.Result.Result_Err e ->
Core.Result.Result_Err e
<:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
- Libcrux_ml_dsa.Types.t_SigningError
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
let sign_pre_hashed_mut
(#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
@@ -1182,214 +1167,229 @@ let sign_pre_hashed
| Core.Result.Result_Err e ->
Core.Result.Result_Err e
<:
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
- Libcrux_ml_dsa.Types.t_SigningError
- in
- pre_hash_buffer, hax_temp_output
- <:
- (t_Slice u8 &
- Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
- Libcrux_ml_dsa.Types.t_SigningError)
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ Libcrux_ml_dsa.Types.t_SigningError
+ in
+ pre_hash_buffer, hax_temp_output
+ <:
+ (t_Slice u8 &
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ Libcrux_ml_dsa.Types.t_SigningError)
+
+let sign_mut
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i6:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i10:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ (signature: t_Array u8 (sz 4627))
+ =
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ let tmp0, out:(t_Array u8 (sz 4627) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
+ sign_internal #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+ signing_key message
+ (Core.Option.Option_Some domain_separation_context
+ <:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness
+ signature
+ in
+ let signature:t_Array u8 (sz 4627) = tmp0 in
+ let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError = out in
+ signature, hax_temp_output
+ <:
+ (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ | Core.Result.Result_Err _ ->
+ signature,
+ (Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ <:
+ (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+
+let sign
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i6:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i10:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i11:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ =
+ let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) =
+ Libcrux_ml_dsa.Types.impl_4__zero (sz 4627) ()
+ in
+ let tmp0, out:(t_Array u8 (sz 4627) &
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError) =
+ sign_mut #v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4
+ signing_key message context randomness signature.Libcrux_ml_dsa.Types.f_value
+ in
+ let signature:Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627) =
+ { signature with Libcrux_ml_dsa.Types.f_value = tmp0 }
+ <:
+ Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)
+ in
+ match out <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError with
+ | Core.Result.Result_Ok _ ->
+ Core.Result.Result_Ok signature
+ <:
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ Libcrux_ml_dsa.Types.t_SigningError
+ | Core.Result.Result_Err e ->
+ Core.Result.Result_Err e
+ <:
+ Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ Libcrux_ml_dsa.Types.t_SigningError
+
+let verify
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i5:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i7:
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i8:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i9:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (verification_key_serialized: t_Array u8 (sz 2592))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 4627))
+ =
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ verify_internal #v_SIMDUnit
+ #v_Sampler
+ #v_Shake128X4
+ #v_Shake256
+ #v_Shake256Xof
+ verification_key_serialized
+ message
+ (Core.Option.Option_Some domain_separation_context
+ <:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ signature_serialized
+ | Core.Result.Result_Err _ ->
+ Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
+ <:
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError
-let generate_key_pair
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+let verify_pre_hashed
+ (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i6:
+ i7:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i8:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i9:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i10:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i11:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (randomness: t_Array u8 (sz 32))
- (signing_key verification_key: t_Slice u8)
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i12:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH)
+ (verification_key_serialized: t_Array u8 (sz 2592))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 4627))
=
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 signing_key <: usize) =. v_SIGNING_KEY_SIZE
- <:
- bool)
- in
- ()
- in
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 verification_key <: usize) =.
- v_VERIFICATION_KEY_SIZE
- <:
- bool)
- in
- ()
- in
- let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init #v_Shake256Xof #FStar.Tactics.Typeclasses.solve ()
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- (randomness <: t_Slice u8)
- in
- let shake:v_Shake256Xof =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_absorb_final #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- ((let list =
- [
- cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A <: usize) <: u8;
- cast (Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A <: usize) <: u8
- ]
- in
- FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
- Rust_primitives.Hax.array_of_list 2 list)
- <:
- t_Slice u8)
- in
- let tmp0, tmp1:(v_Shake256Xof & t_Array u8 (sz 128)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze #v_Shake256Xof
- #FStar.Tactics.Typeclasses.solve
- shake
- seed_expanded
- in
- let shake:v_Shake256Xof = tmp0 in
- let seed_expanded:t_Array u8 (sz 128) = tmp1 in
- let _:Prims.unit = () in
- let _:Prims.unit = () in
- let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- (seed_expanded <: t_Slice u8)
- Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE
- in
- let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- seed_expanded
- Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE
- in
- let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 56)
- in
- let a_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 56) =
- Libcrux_ml_dsa.Samplex4.f_matrix_flat #v_Sampler
+ let pre_hash_buffer:t_Slice u8 =
+ Libcrux_ml_dsa.Pre_hash.f_hash #v_PH
#FStar.Tactics.Typeclasses.solve
- #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
- seed_for_a
- a_as_ntt
- in
- let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 15)
- in
- let s1_s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 15) =
- Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit
- #v_Shake256X4
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA
- seed_for_error_vectors
- s1_s2
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 8)
- in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 7)
+ #v_Shake128
+ message
+ pre_hash_buffer
in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- Core.Slice.impl__copy_from_slice #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- s1_ntt
- (s1_s2.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
- }
+ match
+ Libcrux_ml_dsa.Pre_hash.impl_1__new context
+ (Core.Option.Option_Some
+ (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #FStar.Tactics.Typeclasses.solve ()
<:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- in
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ t_Array u8 (sz 11))
<:
- usize)
- (fun s1_ntt temp_1_ ->
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- s1_ntt
- in
- let _:usize = temp_1_ in
- true)
- s1_ntt
- (fun s1_ntt i ->
- let s1_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7) =
- s1_ntt
- in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1_ntt
- i
- (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit
- (s1_ntt.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ Core.Option.t_Option (t_Array u8 (sz 11)))
+ <:
+ Core.Result.t_Result Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext
+ Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError
+ with
+ | Core.Result.Result_Ok dsc ->
+ let domain_separation_context:Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext = dsc in
+ let hax_temp_output:Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError =
+ verify_internal #v_SIMDUnit
+ #v_Sampler
+ #v_Shake128X4
+ #v_Shake256
+ #v_Shake256Xof
+ verification_key_serialized
+ pre_hash_buffer
+ (Core.Option.Option_Some domain_separation_context
<:
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 7))
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Libcrux_ml_dsa.Matrix.compute_as1_plus_s2 #v_SIMDUnit
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
- (a_as_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (s1_ntt <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- t0
- in
- let _:Prims.unit = () in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__zero #v_SIMDUnit ()
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ signature_serialized
+ in
+ pre_hash_buffer, hax_temp_output
+ <:
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ | Core.Result.Result_Err _ ->
+ pre_hash_buffer,
+ (Core.Result.Result_Err
+ (Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
<:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (sz 8)
- in
- let tmp0, tmp1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) &
- t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8)) =
- Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit t0 t1
- in
- let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp0 in
- let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (sz 8) = tmp1 in
- let _:Prims.unit = () in
- let verification_key:t_Slice u8 =
- Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit
- seed_for_a
- (t1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- verification_key
- in
- let signing_key:t_Slice u8 =
- Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA v_ERROR_RING_ELEMENT_SIZE seed_for_a
- seed_for_signing verification_key
- (s1_s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) signing_key
- in
- signing_key, verification_key <: (t_Slice u8 & t_Slice u8)
+ Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ <:
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
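Review bot: `sign_mut` (L8459) and `sign` (L8513) take `signing_key` as an unsized `t_Slice u8`, whereas `verify` (L8556) pins `verification_key_serialized` to `t_Array u8 (sz 2592)` and every signature buffer to `sz 4627`; no length check on the signing key is visible in this hunk before it is handed to `sign_internal`, whose body lies outside the hunk. The removed `generate_key_pair` body shows key lengths being enforced only by runtime `Hax_lib.v_assert` calls (L8622-L8642) rather than by a precondition, so if `sign_internal` follows the same pattern a wrong-length key ends in a failed assertion instead of a typed `t_SigningError`. As this file is hax-generated, the fix belongs in the Rust source, e.g. `#[hax_lib::requires(signing_key.len() == SIGNING_KEY_SIZE)]` on `sign_internal`, which would surface in the extraction as a real `requires` instead of `Prims.l_True`. Separately, the `| Core.Result.Result_Err _ ->` arms at L8486 and L8580 map every `t_DomainSeparationError` to the `…ContextTooLongError` variant; matching the error variant explicitly would keep a future second variant from being mislabeled.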
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti
index 1185fe9ef..bebc865cf 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Ml_dsa_87_.fsti
@@ -14,16 +14,13 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let v_BETA: i32 =
- Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA
-
-let v_COMMITMENT_RING_ELEMENT_SIZE: usize =
- Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT
+let v_ROW_COLUMN: usize =
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +!
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
-let v_COMMITMENT_VECTOR_SIZE: usize =
- Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
+let v_ROW_X_COLUMN: usize =
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A *!
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
let v_ERROR_RING_ELEMENT_SIZE: usize =
Libcrux_ml_dsa.Constants.error_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_ERROR_COEFFICIENT
@@ -31,20 +28,16 @@ let v_ERROR_RING_ELEMENT_SIZE: usize =
let v_GAMMA1_RING_ELEMENT_SIZE: usize =
Libcrux_ml_dsa.Constants.gamma1_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT
-let v_ROW_COLUMN: usize =
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A +!
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
+let v_COMMITMENT_RING_ELEMENT_SIZE: usize =
+ Libcrux_ml_dsa.Constants.commitment_ring_element_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT
-let v_ROW_X_COLUMN: usize =
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A *!
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
+let v_BETA: i32 =
+ Libcrux_ml_dsa.Constants.beta Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ONES_IN_VERIFIER_CHALLENGE
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ETA
-let v_SIGNATURE_SIZE: usize =
- Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE
- Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT
+let v_COMMITMENT_VECTOR_SIZE: usize =
+ Libcrux_ml_dsa.Constants.commitment_vector_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_COMMITMENT_COEFFICIENT
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
let v_SIGNING_KEY_SIZE: usize =
Libcrux_ml_dsa.Constants.signing_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
@@ -54,57 +47,14 @@ let v_SIGNING_KEY_SIZE: usize =
let v_VERIFICATION_KEY_SIZE: usize =
Libcrux_ml_dsa.Constants.verification_key_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
-/// The internal verification API.
-/// If no `domain_separation_context` is supplied, it is assumed that
-/// `message` already contains the domain separation.
-val verify_internal
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- (verification_key: t_Array u8 (sz 2592))
- (message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
- (signature_serialized: t_Array u8 (sz 4627))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val verify
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
- {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- (verification_key_serialized: t_Array u8 (sz 2592))
- (message context: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 4627))
- : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val verify_pre_hashed
- (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
- {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
- {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |}
- (verification_key_serialized: t_Array u8 (sz 2592))
- (message context pre_hash_buffer: t_Slice u8)
- (signature_serialized: t_Array u8 (sz 4627))
- : Prims.Pure
- (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
- Prims.l_True
- (fun _ -> Prims.l_True)
+let v_SIGNATURE_SIZE: usize =
+ Libcrux_ml_dsa.Constants.signature_size Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_ROWS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COLUMNS_IN_A
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_MAX_ONES_IN_HINT
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_COMMITMENT_HASH_SIZE
+ Libcrux_ml_dsa.Constants.Ml_dsa_87_.v_BITS_PER_GAMMA1_COEFFICIENT
-val sign_internal
+val generate_key_pair
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -112,17 +62,11 @@ val sign_internal
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message: t_Slice u8)
- (domain_separation_context:
- Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
(randomness: t_Array u8 (sz 32))
- (signature: t_Array u8 (sz 4627))
- : Prims.Pure
- (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
- Prims.l_True
- (fun _ -> Prims.l_True)
+ (signing_key verification_key: t_Slice u8)
+ : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-val sign_mut
+val sign_internal
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
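Review bot: The `generate_key_pair` signature at L8963-L8970 takes `signing_key verification_key: t_Slice u8` under the trivial precondition `Prims.l_True` and returns `(t_Slice u8 & t_Slice u8)` with an equally trivial postcondition, so the interface neither requires the output buffers to have the key sizes nor promises that the returned slices keep them; every `val` in this hunk has the same `Prims.l_True`/`(fun _ -> Prims.l_True)` shape. A consumer of this `.fsti` therefore gets no length guarantee from the proof, and the implementation in the `.fst` diff above falls back to runtime `Hax_lib.v_assert` checks. Since this interface is hax-generated, I would add `#[hax_lib::requires(signing_key.len() == SIGNING_KEY_SIZE && verification_key.len() == VERIFICATION_KEY_SIZE)]` plus a matching `ensures` on the returned lengths in the Rust source, so the extracted `val` reads roughly `Prims.Pure (t_Slice u8 & t_Slice u8) (requires Seq.length signing_key == v_SIGNING_KEY_SIZE /\ Seq.length verification_key == v_VERIFICATION_KEY_SIZE) (ensures fun (sk, vk) -> Seq.length sk == v_SIGNING_KEY_SIZE /\ Seq.length vk == v_VERIFICATION_KEY_SIZE)`.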
@@ -130,7 +74,9 @@ val sign_mut
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message context: t_Slice u8)
+ (signing_key message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
(randomness: t_Array u8 (sz 32))
(signature: t_Array u8 (sz 4627))
: Prims.Pure
@@ -138,19 +84,24 @@ val sign_mut
Prims.l_True
(fun _ -> Prims.l_True)
-val sign
- (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
- {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
- {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
- {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
- {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
- (signing_key message context: t_Slice u8)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure
- (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
- Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+/// The internal verification API.
+/// If no `domain_separation_context` is supplied, it is assumed that
+/// `message` already contains the domain separation.
+val verify_internal
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ (verification_key: t_Array u8 (sz 2592))
+ (message: t_Slice u8)
+ (domain_separation_context:
+ Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext)
+ (signature_serialized: t_Array u8 (sz 4627))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
val sign_pre_hashed_mut
(#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4 #v_PH:
@@ -190,7 +141,7 @@ val sign_pre_hashed
Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
-val generate_key_pair
+val sign_mut
(#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
{| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
{| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
@@ -198,6 +149,55 @@ val generate_key_pair
{| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
{| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
{| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+ (signing_key message context: t_Slice u8)
(randomness: t_Array u8 (sz 32))
- (signing_key verification_key: t_Slice u8)
- : Prims.Pure (t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+ (signature: t_Array u8 (sz 4627))
+ : Prims.Pure
+ (t_Array u8 (sz 4627) & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_SigningError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val sign
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_Shake256X4: Type0)
+ {| i6: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i7: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i10: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |}
+ (signing_key message context: t_Slice u8)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure
+ (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627))
+ Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True)
+
+val verify
+ (#v_SIMDUnit #v_Sampler #v_Shake128X4 #v_Shake256 #v_Shake256Xof: Type0)
+ {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i6: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i7: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ (verification_key_serialized: t_Array u8 (sz 2592))
+ (message context: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 4627))
+ : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val verify_pre_hashed
+ (#v_SIMDUnit #v_Sampler #v_Shake128 #v_Shake128X4 #v_Shake256 #v_Shake256Xof #v_PH: Type0)
+ {| i7: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i8: Libcrux_ml_dsa.Samplex4.t_X4Sampler v_Sampler |}
+ {| i9: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof v_Shake128 |}
+ {| i10: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |}
+ {| i11: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
+ {| i12: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256Xof |}
+ {| i13: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH |}
+ (verification_key_serialized: t_Array u8 (sz 2592))
+ (message context pre_hash_buffer: t_Slice u8)
+ (signature_serialized: t_Array u8 (sz 4627))
+ : Prims.Pure
+ (t_Slice u8 & Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
index f79c280f8..75ba16f21 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst
@@ -9,7 +9,7 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let invert_ntt_montgomery
+let ntt
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
@@ -21,7 +21,7 @@ let invert_ntt_montgomery
re with
Libcrux_ml_dsa.Polynomial.f_simd_units
=
- Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_montgomery #v_SIMDUnit
+ Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit
#FStar.Tactics.Typeclasses.solve
re.Libcrux_ml_dsa.Polynomial.f_simd_units
}
@@ -30,7 +30,7 @@ let invert_ntt_montgomery
in
re
-let ntt
+let invert_ntt_montgomery
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
@@ -42,7 +42,7 @@ let ntt
re with
Libcrux_ml_dsa.Polynomial.f_simd_units
=
- Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit
+ Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_montgomery #v_SIMDUnit
#FStar.Tactics.Typeclasses.solve
re.Libcrux_ml_dsa.Polynomial.f_simd_units
}
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
index 1c6b919dc..a64077ec7 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti
@@ -9,7 +9,7 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-val invert_ntt_montgomery
+val ntt
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
(re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
@@ -17,7 +17,7 @@ val invert_ntt_montgomery
Prims.l_True
(fun _ -> Prims.l_True)
-val ntt
+val invert_ntt_montgomery
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
(re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst
index cdb574003..0ce22c939 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst
@@ -41,6 +41,81 @@ let impl_2
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
= impl_2' #v_SIMDUnit #i1 #i2
+let impl__zero
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (_: Prims.unit)
+ =
+ {
+ f_simd_units
+ =
+ Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_zero #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ <:
+ v_SIMDUnit)
+ (sz 32)
+ }
+ <:
+ t_PolynomialRingElement v_SIMDUnit
+
+let impl__to_i32_array
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (self: t_PolynomialRingElement v_SIMDUnit)
+ =
+ let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in
+ let result:t_Array i32 (sz 256) =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit)
+ (fun result temp_1_ ->
+ let result:t_Array i32 (sz 256) = result in
+ let _:usize = temp_1_ in
+ true)
+ result
+ (fun result temp_1_ ->
+ let result:t_Array i32 (sz 256) = result in
+ let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range result
+ ({
+ Core.Ops.Range.f_start
+ =
+ i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+ <:
+ usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ simd_unit
+ (result.[ {
+ Core.Ops.Range.f_start
+ =
+ i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+ <:
+ usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice i32)
+ <:
+ t_Slice i32)
+ <:
+ t_Array i32 (sz 256))
+ in
+ result
+
let impl__from_i32_array
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -102,25 +177,35 @@ let impl__from_i32_array
in
result
-let impl__zero
+let impl__infinity_norm_exceeds
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (_: Prims.unit)
+ (self: t_PolynomialRingElement v_SIMDUnit)
+ (bound: i32)
=
- {
- f_simd_units
- =
- Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_zero #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- ()
- <:
- v_SIMDUnit)
- (sz 32)
- }
- <:
- t_PolynomialRingElement v_SIMDUnit
+ let result:bool = false in
+ let result:bool =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize)
+ (fun result temp_1_ ->
+ let result:bool = result in
+ let _:usize = temp_1_ in
+ true)
+ result
+ (fun result i ->
+ let result:bool = result in
+ let i:usize = i in
+ result ||
+ (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ (self.f_simd_units.[ i ] <: v_SIMDUnit)
+ bound
+ <:
+ bool))
+ in
+ result
let impl__add
(#v_SIMDUnit: Type0)
@@ -160,36 +245,6 @@ let impl__add
in
self
-let impl__infinity_norm_exceeds
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (self: t_PolynomialRingElement v_SIMDUnit)
- (bound: i32)
- =
- let result:bool = false in
- let result:bool =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #v_SIMDUnit (self.f_simd_units <: t_Slice v_SIMDUnit) <: usize)
- (fun result temp_1_ ->
- let result:bool = result in
- let _:usize = temp_1_ in
- true)
- result
- (fun result i ->
- let result:bool = result in
- let i:usize = i in
- result ||
- (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- (self.f_simd_units.[ i ] <: v_SIMDUnit)
- bound
- <:
- bool))
- in
- result
-
let impl__subtract
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -227,58 +282,3 @@ let impl__subtract
t_PolynomialRingElement v_SIMDUnit)
in
self
-
-let impl__to_i32_array
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (self: t_PolynomialRingElement v_SIMDUnit)
- =
- let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in
- let result:t_Array i32 (sz 256) =
- Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit)
- (fun result temp_1_ ->
- let result:t_Array i32 (sz 256) = result in
- let _:usize = temp_1_ in
- true)
- result
- (fun result temp_1_ ->
- let result:t_Array i32 (sz 256) = result in
- let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range result
- ({
- Core.Ops.Range.f_start
- =
- i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
- <:
- usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- simd_unit
- (result.[ {
- Core.Ops.Range.f_start
- =
- i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
- <:
- usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice i32)
- <:
- t_Slice i32)
- <:
- t_Array i32 (sz 256))
- in
- result
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti
index 9667cb818..96754394f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti
@@ -27,23 +27,23 @@ val impl_2
{| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
: Core.Marker.t_Copy (t_PolynomialRingElement v_SIMDUnit)
-val impl__from_i32_array
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (array: t_Slice i32)
- (result: t_PolynomialRingElement v_SIMDUnit)
- : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
-
val impl__zero:
#v_SIMDUnit: Type0 ->
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} ->
Prims.unit
-> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
-val impl__add
+val impl__to_i32_array
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (self rhs: t_PolynomialRingElement v_SIMDUnit)
+ (self: t_PolynomialRingElement v_SIMDUnit)
+ : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl__from_i32_array
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (array: t_Slice i32)
+ (result: t_PolynomialRingElement v_SIMDUnit)
: Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
val impl__infinity_norm_exceeds
@@ -53,14 +53,14 @@ val impl__infinity_norm_exceeds
(bound: i32)
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-val impl__subtract
+val impl__add
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
(self rhs: t_PolynomialRingElement v_SIMDUnit)
: Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
-val impl__to_i32_array
+val impl__subtract
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (self: t_PolynomialRingElement v_SIMDUnit)
- : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True)
+ (self rhs: t_PolynomialRingElement v_SIMDUnit)
+ : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
index 55181b452..9e453aac7 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst
@@ -9,45 +9,6 @@ let _ =
let open Libcrux_ml_dsa.Hash_functions.Shake128 in
()
-let impl_1__context (self: t_DomainSeparationContext) = self.f_context
-
-let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid
-
-let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) =
- match x <: t_DomainSeparationError with | DomainSeparationError_ContextTooLongError -> isz 0
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError =
- {
- f_from_pre = (fun (e: t_DomainSeparationError) -> true);
- f_from_post
- =
- (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_SigningError) -> true);
- f_from
- =
- fun (e: t_DomainSeparationError) ->
- match e <: t_DomainSeparationError with
- | DomainSeparationError_ContextTooLongError ->
- Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError =
- {
- f_from_pre = (fun (e: t_DomainSeparationError) -> true);
- f_from_post
- =
- (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_VerificationError) -> true);
- f_from
- =
- fun (e: t_DomainSeparationError) ->
- match e <: t_DomainSeparationError with
- | DomainSeparationError_ContextTooLongError ->
- Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
- <:
- Libcrux_ml_dsa.Types.t_VerificationError
- }
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl: t_PreHash t_SHAKE128_PH =
{
@@ -105,6 +66,9 @@ let impl: t_PreHash t_SHAKE128_PH =
output
}
+let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) =
+ match x <: t_DomainSeparationError with | DomainSeparationError_ContextTooLongError -> isz 0
+
let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) =
if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN
then
@@ -116,3 +80,39 @@ let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Arr
({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext)
<:
Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError
+
+let impl_1__context (self: t_DomainSeparationContext) = self.f_context
+
+let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError =
+ {
+ f_from_pre = (fun (e: t_DomainSeparationError) -> true);
+ f_from_post
+ =
+ (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_SigningError) -> true);
+ f_from
+ =
+ fun (e: t_DomainSeparationError) ->
+ match e <: t_DomainSeparationError with
+ | DomainSeparationError_ContextTooLongError ->
+ Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError
+ }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError =
+ {
+ f_from_pre = (fun (e: t_DomainSeparationError) -> true);
+ f_from_post
+ =
+ (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_VerificationError) -> true);
+ f_from
+ =
+ fun (e: t_DomainSeparationError) ->
+ match e <: t_DomainSeparationError with
+ | DomainSeparationError_ContextTooLongError ->
+ Libcrux_ml_dsa.Types.VerificationError_VerificationContextTooLongError
+ <:
+ Libcrux_ml_dsa.Types.t_VerificationError
+ }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti
index 37b79c9e3..f7b67d9a2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti
@@ -9,25 +9,7 @@ let _ =
let open Libcrux_ml_dsa.Hash_functions.Shake128 in
()
-/// Binds the context string to an optional pre-hash OID identifying
-/// the hash function or XOF used for pre-hashing.
-type t_DomainSeparationContext = {
- f_context:t_Slice u8;
- f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (sz 11))
-}
-
-/// Returns the context, guaranteed to be at most 255 bytes long.
-val impl_1__context (self: t_DomainSeparationContext)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Returns the pre-hash OID, if any.
-val impl_1__pre_hash_oid (self: t_DomainSeparationContext)
- : Prims.Pure (Core.Option.t_Option (t_Array u8 (sz 11))) Prims.l_True (fun _ -> Prims.l_True)
-
-type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError
-
-val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError)
- : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
+let v_PRE_HASH_OID_LEN: usize = sz 11
class t_PreHash (v_Self: Type0) = {
f_oid_pre:Prims.unit -> Type0;
@@ -61,24 +43,42 @@ class t_PreHash (v_Self: Type0) = {
/// digest length 256 bytes.
type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH
-let v_PRE_HASH_OID_LEN: usize = sz 11
-
let v_SHAKE128_OID: t_Array u8 (sz 11) =
let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11);
Rust_primitives.Hax.array_of_list 11 list
[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError
+val impl:t_PreHash t_SHAKE128_PH
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError
+/// Binds the context string to an optional pre-hash OID identifying
+/// the hash function or XOF used for pre-hashing.
+type t_DomainSeparationContext = {
+ f_context:t_Slice u8;
+ f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (sz 11))
+}
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:t_PreHash t_SHAKE128_PH
+type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError
+
+val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError)
+ : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
/// `context` must be at most 255 bytes long.
val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11)))
: Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError)
Prims.l_True
(fun _ -> Prims.l_True)
+
+/// Returns the context, guaranteed to be at most 255 bytes long.
+val impl_1__context (self: t_DomainSeparationContext)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Returns the pre-hash OID, if any.
+val impl_1__pre_hash_oid (self: t_DomainSeparationContext)
+ : Prims.Pure (Core.Option.t_Option (t_Array u8 (sz 11))) Prims.l_True (fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_3:Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst
index b5b5bafcc..074861a3d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst
@@ -11,149 +11,6 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
-let generate_domain_separator (row, column: (u8 & u8)) =
- (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) <
- let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in
- let random_bytes:t_Slice u8 = random_bytes in
- if ~.done <: bool
- then
- let tmp0, out1:(t_Slice i32 & usize) =
- Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- random_bytes
- (out.[ { Core.Ops.Range.f_start = sampled_coefficients }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice i32)
- in
- let out:t_Array i32 (sz 263) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out
- ({ Core.Ops.Range.f_start = sampled_coefficients }
- <:
- Core.Ops.Range.t_RangeFrom usize)
- tmp0
- in
- let sampled:usize = out1 in
- let sampled_coefficients:usize = sampled_coefficients +! sampled in
- if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
- then
- let done:bool = true in
- done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
- else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
- else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
- in
- let hax_temp_output:bool = done in
- sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool)
-
-let rejection_sample_less_than_eta_equals_4_
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (randomness: t_Slice u8)
- (sampled_coefficients: usize)
- (out: t_Array i32 (sz 263))
- =
- let done:bool = false in
- let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) =
- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
- u8)
- #FStar.Tactics.Typeclasses.solve
- (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8)
- <:
- Core.Slice.Iter.t_ChunksExact u8)
- (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
- (fun temp_0_ random_bytes ->
- let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in
- let random_bytes:t_Slice u8 = random_bytes in
- if ~.done <: bool
- then
- let tmp0, out1:(t_Slice i32 & usize) =
- Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit
- #FStar.Tactics.Typeclasses.solve
- random_bytes
- (out.[ { Core.Ops.Range.f_start = sampled_coefficients }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice i32)
- in
- let out:t_Array i32 (sz 263) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out
- ({ Core.Ops.Range.f_start = sampled_coefficients }
- <:
- Core.Ops.Range.t_RangeFrom usize)
- tmp0
- in
- let sampled:usize = out1 in
- let sampled_coefficients:usize = sampled_coefficients +! sampled in
- if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
- then
- let done:bool = true in
- done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
- else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
- else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
- in
- let hax_temp_output:bool = done in
- sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool)
-
-let rejection_sample_less_than_eta
- (#v_SIMDUnit: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (eta: Libcrux_ml_dsa.Constants.t_Eta)
- (randomness: t_Slice u8)
- (sampled: usize)
- (out: t_Array i32 (sz 263))
- =
- let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) =
- match eta <: Libcrux_ml_dsa.Constants.t_Eta with
- | Libcrux_ml_dsa.Constants.Eta_Two ->
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out
- in
- let sampled:usize = tmp0 in
- let out:t_Array i32 (sz 263) = tmp1 in
- (out, sampled <: (t_Array i32 (sz 263) & usize)), out1
- <:
- ((t_Array i32 (sz 263) & usize) & bool)
- | Libcrux_ml_dsa.Constants.Eta_Four ->
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out
- in
- let sampled:usize = tmp0 in
- let out:t_Array i32 (sz 263) = tmp1 in
- (out, sampled <: (t_Array i32 (sz 263) & usize)), out1
- <:
- ((t_Array i32 (sz 263) & usize) & bool)
- in
- sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool)
-
let rejection_sample_less_than_field_modulus
(#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
@@ -206,6 +63,9 @@ let rejection_sample_less_than_field_modulus
let hax_temp_output:bool = done in
sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool)
+let generate_domain_separator (row, column: (u8 & u8)) =
+ (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) <>! 8l <: u16) <: u8)
- in
- out
-
-let inside_out_shuffle
- (randomness: t_Slice u8)
- (out_index: usize)
- (signs: u64)
- (result: t_Array i32 (sz 256))
- =
- let done:bool = false in
- let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) =
- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter
- u8)
- #FStar.Tactics.Typeclasses.solve
- (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8)
- <:
- Core.Slice.Iter.t_Iter u8)
- (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64))
- (fun temp_0_ byte ->
- let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) =
- temp_0_
- in
- let byte:u8 = byte in
- if ~.done <: bool
- then
- let sample_at:usize = cast (byte <: u8) <: usize in
- let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) =
- if sample_at <=. out_index
- then
- let result:t_Array i32 (sz 256) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
- out_index
- (result.[ sample_at ] <: i32)
- in
- let out_index:usize = out_index +! sz 1 in
- let result:t_Array i32 (sz 256) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
- sample_at
- (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32)
- in
- let signs:u64 = signs >>! 1l in
- out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64)
- else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64)
- in
- let done:bool =
- out_index =. (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize)
- in
- done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)
- else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64))
- in
- let hax_temp_output:bool = done in
- out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool)
+let sample_up_to_four_ring_elements_flat__xy (index width: usize) =
+ (cast (index /! width <: usize) <: u8), (cast (index %! width <: usize) <: u8) <: (u8 & u8)
-let sample_challenge_ring_element
- (#v_SIMDUnit #v_Shake256: Type0)
+let sample_up_to_four_ring_elements_flat
+ (#v_SIMDUnit #v_Shake128: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i2:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i3:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128)
+ (columns: usize)
(seed: t_Slice u8)
- (number_of_ones: usize)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840))
+ (tmp_stack: t_Slice (t_Array i32 (sz 263)))
+ (start_index elements_requested: usize)
=
- let state:v_Shake256 =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_final #v_Shake256
- #FStar.Tactics.Typeclasses.solve
- seed
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit = Hax_lib.v_assert (elements_requested <=. sz 4 <: bool) in
+ ()
in
- let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256
- #FStar.Tactics.Typeclasses.solve
- state
- in
- let state:v_Shake256 = tmp0 in
- let randomness:t_Array u8 (sz 136) = out in
- let signs:u64 =
- Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8))
- #Core.Array.t_TryFromSliceError
- (Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 (sz 8))
- #FStar.Tactics.Typeclasses.solve
- (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- <:
- Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError)
- <:
- t_Array u8 (sz 8))
- in
- let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in
- let out_index:usize =
- (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! number_of_ones
+ let seed0:t_Array u8 (sz 34) =
+ add_domain_separator seed
+ (sample_up_to_four_ring_elements_flat__xy start_index columns <: (u8 & u8))
in
- let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) =
- inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
- out_index
- signs
- result
+ let seed1:t_Array u8 (sz 34) =
+ add_domain_separator seed
+ (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 1 <: usize) columns <: (u8 & u8))
in
- let out_index:usize = tmp0 in
- let signs:u64 = tmp1 in
- let result:t_Array i32 (sz 256) = tmp2 in
- let done:bool = out in
- let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)
- =
- Rust_primitives.f_while_loop (fun temp_0_ ->
- let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 &
- v_Shake256) =
- temp_0_
- in
- ~.done <: bool)
- (done, out_index, result, signs, state
- <:
- (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256))
- (fun temp_0_ ->
- let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 &
- v_Shake256) =
- temp_0_
- in
- let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256
- #FStar.Tactics.Typeclasses.solve
- state
- in
- let state:v_Shake256 = tmp0 in
- let randomness:t_Array u8 (sz 136) = out in
- let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) =
- inside_out_shuffle (randomness <: t_Slice u8) out_index signs result
- in
- let out_index:usize = tmp0 in
- let signs:u64 = tmp1 in
- let result:t_Array i32 (sz 256) = tmp2 in
- let done:bool = out in
- done, out_index, result, signs, state
- <:
- (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256))
+ let seed2:t_Array u8 (sz 34) =
+ add_domain_separator seed
+ (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 2 <: usize) columns <: (u8 & u8))
in
- let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) re
+ let seed3:t_Array u8 (sz 34) =
+ add_domain_separator seed
+ (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 3 <: usize) columns <: (u8 & u8))
in
- re
-
-let sample_four_error_ring_elements
- (#v_SIMDUnit #v_Shake256: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256)
- (eta: Libcrux_ml_dsa.Constants.t_Eta)
- (seed: t_Slice u8)
- (start_index: u16)
- (re: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- =
- let seed0:t_Array u8 (sz 66) = add_error_domain_separator seed start_index in
- let seed1:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 1us <: u16) in
- let seed2:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 2us <: u16) in
- let seed3:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 3us <: u16) in
- let state:v_Shake256 =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256
+ let state:v_Shake128 =
+ Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128
#FStar.Tactics.Typeclasses.solve
(seed0 <: t_Slice u8)
(seed1 <: t_Slice u8)
(seed2 <: t_Slice u8)
(seed3 <: t_Slice u8)
in
- let tmp0, out1:(v_Shake256 &
- (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256
+ let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840)) =
+ Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128
#FStar.Tactics.Typeclasses.solve
state
+ rand_stack0
+ rand_stack1
+ rand_stack2
+ rand_stack3
in
- let state:v_Shake256 = tmp0 in
- let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) &
- t_Array u8 (sz 136)) =
- out1
- in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 263) <: t_Array i32 (sz 263))
- (sz 4)
- in
+ let state:v_Shake128 = tmp0 in
+ let rand_stack0:t_Array u8 (sz 840) = tmp1 in
+ let rand_stack1:t_Array u8 (sz 840) = tmp2 in
+ let rand_stack2:t_Array u8 (sz 840) = tmp3 in
+ let rand_stack3:t_Array u8 (sz 840) = tmp4 in
+ let _:Prims.unit = () in
let sampled0:usize = sz 0 in
let sampled1:usize = sz 0 in
let sampled2:usize = sz 0 in
let sampled3:usize = sz 0 in
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
- (randomnesses._1 <: t_Slice u8)
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
+ (rand_stack0 <: t_Slice u8)
sampled0
- (out.[ sz 0 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263))
in
let sampled0:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1
in
- let done0:bool = out1 in
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
- (randomnesses._2 <: t_Slice u8)
+ let done0:bool = out in
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
+ (rand_stack1 <: t_Slice u8)
sampled1
- (out.[ sz 1 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263))
in
let sampled1:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1
in
- let done1:bool = out1 in
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
- (randomnesses._3 <: t_Slice u8)
+ let done1:bool = out in
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
+ (rand_stack2 <: t_Slice u8)
sampled2
- (out.[ sz 2 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263))
in
let sampled2:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1
in
- let done2:bool = out1 in
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
- (randomnesses._4 <: t_Slice u8)
+ let done2:bool = out in
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
+ (rand_stack3 <: t_Slice u8)
sampled3
- (out.[ sz 3 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263))
in
let sampled3:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1
in
- let done3:bool = out1 in
- let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & bool &
+ let done3:bool = out in
+ let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
+ bool &
bool &
bool &
- t_Array (t_Array i32 (sz 263)) (sz 4) &
usize &
usize &
usize &
usize &
- v_Shake256) =
+ v_Shake128 &
+ t_Slice (t_Array i32 (sz 263))) =
Rust_primitives.f_while_loop (fun temp_0_ ->
- let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool &
+ let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
bool &
bool &
bool &
- t_Array (t_Array i32 (sz 263)) (sz 4) &
usize &
usize &
usize &
usize &
- v_Shake256) =
+ v_Shake128 &
+ t_Slice (t_Array i32 (sz 263))) =
temp_0_
in
(~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool))
- (done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state
+ (done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
<:
- (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize &
- usize &
- v_Shake256))
+ (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
+ t_Slice (t_Array i32 (sz 263))))
(fun temp_0_ ->
- let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool &
+ let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
bool &
bool &
bool &
- t_Array (t_Array i32 (sz 263)) (sz 4) &
usize &
usize &
usize &
usize &
- v_Shake256) =
+ v_Shake128 &
+ t_Slice (t_Array i32 (sz 263))) =
temp_0_
in
- let tmp0, out1:(v_Shake256 &
- (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+ let tmp0, out:(v_Shake128 &
+ (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
=
- Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256
+ Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128
#FStar.Tactics.Typeclasses.solve
state
in
- let state:v_Shake256 = tmp0 in
- let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) &
- t_Array u8 (sz 136)) =
- out1
+ let state:v_Shake128 = tmp0 in
+ let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) &
+ t_Array u8 (sz 168)) =
+ out
in
- let done0, out, sampled0:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) =
+ let done0, sampled0, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
if ~.done0
then
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
(randomnesses._1 <: t_Slice u8)
sampled0
- (out.[ sz 0 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263))
in
let sampled0:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1
in
- let done0:bool = out1 in
- done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
- else done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ let done0:bool = out in
+ done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+ else done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
in
- let done1, out, sampled1:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) =
+ let done1, sampled1, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
if ~.done1
then
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
(randomnesses._2 <: t_Slice u8)
sampled1
- (out.[ sz 1 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263))
in
let sampled1:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1
in
- let done1:bool = out1 in
- done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
- else done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ let done1:bool = out in
+ done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+ else done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
in
- let done2, out, sampled2:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) =
+ let done2, sampled2, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
if ~.done2
then
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
(randomnesses._3 <: t_Slice u8)
sampled2
- (out.[ sz 2 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263))
in
let sampled2:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1
in
- let done2:bool = out1 in
- done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
- else done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ let done2:bool = out in
+ done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
+ else done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
in
if ~.done3
then
- let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_eta #v_SIMDUnit
- eta
+ let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_field_modulus #v_SIMDUnit
(randomnesses._4 <: t_Slice u8)
sampled3
- (out.[ sz 3 ] <: t_Array i32 (sz 263))
+ (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263))
in
let sampled3:usize = tmp0 in
- let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1
+ let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1
in
- let done3:bool = out1 in
- done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state
+ let done3:bool = out in
+ done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
<:
- (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize &
- usize &
- usize &
- v_Shake256)
+ (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
+ t_Slice (t_Array i32 (sz 263)))
else
- done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state
+ done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
<:
- (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize &
- usize &
- usize &
- v_Shake256))
- in
- let max:usize = (cast (start_index <: u16) <: usize) +! sz 4 in
- let max:usize =
- if
- (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re
- <:
- usize) <.
- max
- then Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re
- else max
+ (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
+ t_Slice (t_Array i32 (sz 263))))
in
- let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Folds.fold_range (cast (start_index <: u16) <: usize)
- max
- (fun re temp_1_ ->
- let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in
+ let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ elements_requested
+ (fun matrix temp_1_ ->
+ let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ matrix
+ in
let _:usize = temp_1_ in
true)
- re
- (fun re i ->
- let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in
- let i:usize = i in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- i
+ matrix
+ (fun matrix k ->
+ let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ matrix
+ in
+ let k:usize = k in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize matrix
+ (start_index +! k <: usize)
(Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit
- (out.[ i %! sz 4 <: usize ] <: t_Slice i32)
- (re.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (tmp_stack.[ k ] <: t_Slice i32)
+ (matrix.[ start_index +! k <: usize ]
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
<:
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
<:
t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
in
- re
+ matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack
+ <:
+ (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Slice (t_Array i32 (sz 263)))
-let sample_mask_ring_element
- (#v_SIMDUnit #v_Shake256: Type0)
+let rejection_sample_less_than_eta_equals_2_
+ (#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
+ i1:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (seed: t_Array u8 (sz 66))
- (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- (gamma1_exponent: usize)
+ (randomness: t_Slice u8)
+ (sampled_coefficients: usize)
+ (out: t_Array i32 (sz 263))
=
- let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- match cast (gamma1_exponent <: usize) <: u8 with
- | 17uy ->
- let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
- let out:t_Array u8 (sz 576) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
- #FStar.Tactics.Typeclasses.solve
- (sz 576)
- (seed <: t_Slice u8)
- out
- in
- let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
- gamma1_exponent
- (out <: t_Slice u8)
- result
- in
- result
- | 19uy ->
- let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in
- let out:t_Array u8 (sz 640) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
+ let done:bool = false in
+ let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) =
+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
+ u8)
#FStar.Tactics.Typeclasses.solve
- (sz 640)
- (seed <: t_Slice u8)
- out
- in
- let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
- Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
- gamma1_exponent
- (out <: t_Slice u8)
- result
- in
- result
- | _ -> result
+ (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8)
+ <:
+ Core.Slice.Iter.t_ChunksExact u8)
+ (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
+ (fun temp_0_ random_bytes ->
+ let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in
+ let random_bytes:t_Slice u8 = random_bytes in
+ if ~.done <: bool
+ then
+ let tmp0, out1:(t_Slice i32 & usize) =
+ Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ random_bytes
+ (out.[ { Core.Ops.Range.f_start = sampled_coefficients }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice i32)
+ in
+ let out:t_Array i32 (sz 263) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out
+ ({ Core.Ops.Range.f_start = sampled_coefficients }
+ <:
+ Core.Ops.Range.t_RangeFrom usize)
+ tmp0
+ in
+ let sampled:usize = out1 in
+ let sampled_coefficients:usize = sampled_coefficients +! sampled in
+ if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
+ then
+ let done:bool = true in
+ done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
+ else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
+ else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
in
- result
+ let hax_temp_output:bool = done in
+ sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool)
-let sample_mask_vector
- (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0)
+let rejection_sample_less_than_eta_equals_4_
+ (#v_SIMDUnit: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
+ i1:
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i4:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i5:
- Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
- (dimension gamma1_exponent: usize)
- (seed: t_Array u8 (sz 64))
- (domain_separator: u16)
- (mask: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (randomness: t_Slice u8)
+ (sampled_coefficients: usize)
+ (out: t_Array i32 (sz 263))
=
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((dimension =. sz 4 <: bool) || (dimension =. sz 5 <: bool) ||
- (dimension =. sz 7 <: bool))
- in
- ()
- in
- let seed0:t_Array u8 (sz 66) = add_error_domain_separator (seed <: t_Slice u8) domain_separator in
- let seed1:t_Array u8 (sz 66) =
- add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 1us <: u16)
- in
- let seed2:t_Array u8 (sz 66) =
- add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 2us <: u16)
- in
- let seed3:t_Array u8 (sz 66) =
- add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 3us <: u16)
- in
- let domain_separator:u16 = domain_separator +! 4us in
- let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- match cast (gamma1_exponent <: usize) <: u8 with
- | 17uy ->
- let out0:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
- let out1:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
- let out2:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
- let out3:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
- let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576) &
- t_Array u8 (sz 576)) =
- Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4
- #FStar.Tactics.Typeclasses.solve (sz 576) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8)
- (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3
- in
- let out0:t_Array u8 (sz 576) = tmp0 in
+ let done:bool = false in
+ let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) =
+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
+ u8)
+ #FStar.Tactics.Typeclasses.solve
+ (Core.Slice.impl__chunks_exact #u8 randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8)
+ <:
+ Core.Slice.Iter.t_ChunksExact u8)
+ (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
+ (fun temp_0_ random_bytes ->
+ let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in
+ let random_bytes:t_Slice u8 = random_bytes in
+ if ~.done <: bool
+ then
+ let tmp0, out1:(t_Slice i32 & usize) =
+ Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit
+ #FStar.Tactics.Typeclasses.solve
+ random_bytes
+ (out.[ { Core.Ops.Range.f_start = sampled_coefficients }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice i32)
+ in
+ let out:t_Array i32 (sz 263) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out
+ ({ Core.Ops.Range.f_start = sampled_coefficients }
+ <:
+ Core.Ops.Range.t_RangeFrom usize)
+ tmp0
+ in
+ let sampled:usize = out1 in
+ let sampled_coefficients:usize = sampled_coefficients +! sampled in
+ if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
+ then
+ let done:bool = true in
+ done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
+ else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)
+ else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize))
+ in
+ let hax_temp_output:bool = done in
+ sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool)
+
+let rejection_sample_less_than_eta
+ (#v_SIMDUnit: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (eta: Libcrux_ml_dsa.Constants.t_Eta)
+ (randomness: t_Slice u8)
+ (sampled: usize)
+ (out: t_Array i32 (sz 263))
+ =
+ let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) =
+ match eta <: Libcrux_ml_dsa.Constants.t_Eta with
+ | Libcrux_ml_dsa.Constants.Eta_Two ->
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out
+ in
+ let sampled:usize = tmp0 in
+ let out:t_Array i32 (sz 263) = tmp1 in
+ (out, sampled <: (t_Array i32 (sz 263) & usize)), out1
+ <:
+ ((t_Array i32 (sz 263) & usize) & bool)
+ | Libcrux_ml_dsa.Constants.Eta_Four ->
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out
+ in
+ let sampled:usize = tmp0 in
+ let out:t_Array i32 (sz 263) = tmp1 in
+ (out, sampled <: (t_Array i32 (sz 263) & usize)), out1
+ <:
+ ((t_Array i32 (sz 263) & usize) & bool)
+ in
+ sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool)
+
+let add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16) =
+ let out:t_Array u8 (sz 66) = Rust_primitives.Hax.repeat 0uy (sz 66) in
+ let out:t_Array u8 (sz 66) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
+ ({
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (out.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ slice
+ <:
+ t_Slice u8)
+ in
+ let out:t_Array u8 (sz 66) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+ (sz 64)
+ (cast (domain_separator <: u16) <: u8)
+ in
+ let out:t_Array u8 (sz 66) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out
+ (sz 65)
+ (cast (domain_separator >>! 8l <: u16) <: u8)
+ in
+ out
+
+let sample_four_error_ring_elements
+ (#v_SIMDUnit #v_Shake256: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i2:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256)
+ (eta: Libcrux_ml_dsa.Constants.t_Eta)
+ (seed: t_Slice u8)
+ (start_index: u16)
+ (re: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ =
+ let seed0:t_Array u8 (sz 66) = add_error_domain_separator seed start_index in
+ let seed1:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 1us <: u16) in
+ let seed2:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 2us <: u16) in
+ let seed3:t_Array u8 (sz 66) = add_error_domain_separator seed (start_index +! 3us <: u16) in
+ let state:v_Shake256 =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256
+ #FStar.Tactics.Typeclasses.solve
+ (seed0 <: t_Slice u8)
+ (seed1 <: t_Slice u8)
+ (seed2 <: t_Slice u8)
+ (seed3 <: t_Slice u8)
+ in
+ let tmp0, out1:(v_Shake256 &
+ (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256
+ #FStar.Tactics.Typeclasses.solve
+ state
+ in
+ let state:v_Shake256 = tmp0 in
+ let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) &
+ t_Array u8 (sz 136)) =
+ out1
+ in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 263) <: t_Array i32 (sz 263))
+ (sz 4)
+ in
+ let sampled0:usize = sz 0 in
+ let sampled1:usize = sz 0 in
+ let sampled2:usize = sz 0 in
+ let sampled3:usize = sz 0 in
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._1 <: t_Slice u8)
+ sampled0
+ (out.[ sz 0 ] <: t_Array i32 (sz 263))
+ in
+ let sampled0:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1
+ in
+ let done0:bool = out1 in
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._2 <: t_Slice u8)
+ sampled1
+ (out.[ sz 1 ] <: t_Array i32 (sz 263))
+ in
+ let sampled1:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1
+ in
+ let done1:bool = out1 in
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._3 <: t_Slice u8)
+ sampled2
+ (out.[ sz 2 ] <: t_Array i32 (sz 263))
+ in
+ let sampled2:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1
+ in
+ let done2:bool = out1 in
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._4 <: t_Slice u8)
+ sampled3
+ (out.[ sz 3 ] <: t_Array i32 (sz 263))
+ in
+ let sampled3:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1
+ in
+ let done3:bool = out1 in
+ let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool & bool &
+ bool &
+ bool &
+ t_Array (t_Array i32 (sz 263)) (sz 4) &
+ usize &
+ usize &
+ usize &
+ usize &
+ v_Shake256) =
+ Rust_primitives.f_while_loop (fun temp_0_ ->
+ let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool &
+ bool &
+ bool &
+ bool &
+ t_Array (t_Array i32 (sz 263)) (sz 4) &
+ usize &
+ usize &
+ usize &
+ usize &
+ v_Shake256) =
+ temp_0_
+ in
+ (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool))
+ (done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state
+ <:
+ (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize & usize &
+ usize &
+ v_Shake256))
+ (fun temp_0_ ->
+ let done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state:(bool &
+ bool &
+ bool &
+ bool &
+ t_Array (t_Array i32 (sz 263)) (sz 4) &
+ usize &
+ usize &
+ usize &
+ usize &
+ v_Shake256) =
+ temp_0_
+ in
+ let tmp0, out1:(v_Shake256 &
+ (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))
+ =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256
+ #FStar.Tactics.Typeclasses.solve
+ state
+ in
+ let state:v_Shake256 = tmp0 in
+ let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) &
+ t_Array u8 (sz 136)) =
+ out1
+ in
+ let done0, out, sampled0:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) =
+ if ~.done0
+ then
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._1 <: t_Slice u8)
+ sampled0
+ (out.[ sz 0 ] <: t_Array i32 (sz 263))
+ in
+ let sampled0:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) tmp1
+ in
+ let done0:bool = out1 in
+ done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ else done0, out, sampled0 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ in
+ let done1, out, sampled1:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) =
+ if ~.done1
+ then
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._2 <: t_Slice u8)
+ sampled1
+ (out.[ sz 1 ] <: t_Array i32 (sz 263))
+ in
+ let sampled1:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) tmp1
+ in
+ let done1:bool = out1 in
+ done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ else done1, out, sampled1 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ in
+ let done2, out, sampled2:(bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize) =
+ if ~.done2
+ then
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._3 <: t_Slice u8)
+ sampled2
+ (out.[ sz 2 ] <: t_Array i32 (sz 263))
+ in
+ let sampled2:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) tmp1
+ in
+ let done2:bool = out1 in
+ done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ else done2, out, sampled2 <: (bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize)
+ in
+ if ~.done3
+ then
+ let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) =
+ rejection_sample_less_than_eta #v_SIMDUnit
+ eta
+ (randomnesses._4 <: t_Slice u8)
+ sampled3
+ (out.[ sz 3 ] <: t_Array i32 (sz 263))
+ in
+ let sampled3:usize = tmp0 in
+ let out:t_Array (t_Array i32 (sz 263)) (sz 4) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) tmp1
+ in
+ let done3:bool = out1 in
+ done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state
+ <:
+ (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize &
+ usize &
+ usize &
+ v_Shake256)
+ else
+ done0, done1, done2, done3, out, sampled0, sampled1, sampled2, sampled3, state
+ <:
+ (bool & bool & bool & bool & t_Array (t_Array i32 (sz 263)) (sz 4) & usize & usize &
+ usize &
+ usize &
+ v_Shake256))
+ in
+ let max:usize = (cast (start_index <: u16) <: usize) +! sz 4 in
+ let max:usize =
+ if
+ (Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re
+ <:
+ usize) <.
+ max
+ then Core.Slice.impl__len #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) re
+ else max
+ in
+ let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ Rust_primitives.Hax.Folds.fold_range (cast (start_index <: u16) <: usize)
+ max
+ (fun re temp_1_ ->
+ let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in
+ let _:usize = temp_1_ in
+ true)
+ re
+ (fun re i ->
+ let re:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = re in
+ let i:usize = i in
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ i
+ (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit
+ (out.[ i %! sz 4 <: usize ] <: t_Slice i32)
+ (re.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ <:
+ t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ in
+ re
+
+let sample_mask_ring_element
+ (#v_SIMDUnit #v_Shake256: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i2:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (seed: t_Array u8 (sz 66))
+ (result: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ (gamma1_exponent: usize)
+ =
+ let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ match cast (gamma1_exponent <: usize) <: u8 with
+ | 17uy ->
+ let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
+ let out:t_Array u8 (sz 576) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
+ #FStar.Tactics.Typeclasses.solve
+ (sz 576)
+ (seed <: t_Slice u8)
+ out
+ in
+ let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
+ gamma1_exponent
+ (out <: t_Slice u8)
+ result
+ in
+ result
+ | 19uy ->
+ let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in
+ let out:t_Array u8 (sz 640) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256
+ #FStar.Tactics.Typeclasses.solve
+ (sz 640)
+ (seed <: t_Slice u8)
+ out
+ in
+ let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit
+ gamma1_exponent
+ (out <: t_Slice u8)
+ result
+ in
+ result
+ | _ -> result
+ in
+ result
+
+let sample_mask_vector
+ (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i4:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i5:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4)
+ (dimension gamma1_exponent: usize)
+ (seed: t_Array u8 (sz 64))
+ (domain_separator: u16)
+ (mask: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((dimension =. sz 4 <: bool) || (dimension =. sz 5 <: bool) ||
+ (dimension =. sz 7 <: bool))
+ in
+ ()
+ in
+ let seed0:t_Array u8 (sz 66) = add_error_domain_separator (seed <: t_Slice u8) domain_separator in
+ let seed1:t_Array u8 (sz 66) =
+ add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 1us <: u16)
+ in
+ let seed2:t_Array u8 (sz 66) =
+ add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 2us <: u16)
+ in
+ let seed3:t_Array u8 (sz 66) =
+ add_error_domain_separator (seed <: t_Slice u8) (domain_separator +! 3us <: u16)
+ in
+ let domain_separator:u16 = domain_separator +! 4us in
+ let mask:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
+ match cast (gamma1_exponent <: usize) <: u8 with
+ | 17uy ->
+ let out0:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
+ let out1:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
+ let out2:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
+ let out3:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in
+ let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576) &
+ t_Array u8 (sz 576)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4
+ #FStar.Tactics.Typeclasses.solve (sz 576) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8)
+ (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3
+ in
+ let out0:t_Array u8 (sz 576) = tmp0 in
let out1:t_Array u8 (sz 576) = tmp1 in
let out2:t_Array u8 (sz 576) = tmp2 in
let out3:t_Array u8 (sz 576) = tmp3 in
@@ -931,274 +1056,149 @@ let sample_mask_vector
<:
(u16 & t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
-let sample_up_to_four_ring_elements_flat
- (#v_SIMDUnit #v_Shake128: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
- Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128)
- (columns: usize)
- (seed: t_Slice u8)
- (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840))
- (tmp_stack: t_Slice (t_Array i32 (sz 263)))
- (start_index elements_requested: usize)
+let inside_out_shuffle
+ (randomness: t_Slice u8)
+ (out_index: usize)
+ (signs: u64)
+ (result: t_Array i32 (sz 256))
=
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit = Hax_lib.v_assert (elements_requested <=. sz 4 <: bool) in
- ()
- in
- let seed0:t_Array u8 (sz 34) =
- add_domain_separator seed
- (sample_up_to_four_ring_elements_flat__xy start_index columns <: (u8 & u8))
- in
- let seed1:t_Array u8 (sz 34) =
- add_domain_separator seed
- (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 1 <: usize) columns <: (u8 & u8))
- in
- let seed2:t_Array u8 (sz 34) =
- add_domain_separator seed
- (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 2 <: usize) columns <: (u8 & u8))
- in
- let seed3:t_Array u8 (sz 34) =
- add_domain_separator seed
- (sample_up_to_four_ring_elements_flat__xy (start_index +! sz 3 <: usize) columns <: (u8 & u8))
- in
- let state:v_Shake128 =
- Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128
- #FStar.Tactics.Typeclasses.solve
- (seed0 <: t_Slice u8)
- (seed1 <: t_Slice u8)
- (seed2 <: t_Slice u8)
- (seed3 <: t_Slice u8)
- in
- let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840) &
- t_Array u8 (sz 840)) =
- Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128
- #FStar.Tactics.Typeclasses.solve
- state
- rand_stack0
- rand_stack1
- rand_stack2
- rand_stack3
- in
- let state:v_Shake128 = tmp0 in
- let rand_stack0:t_Array u8 (sz 840) = tmp1 in
- let rand_stack1:t_Array u8 (sz 840) = tmp2 in
- let rand_stack2:t_Array u8 (sz 840) = tmp3 in
- let rand_stack3:t_Array u8 (sz 840) = tmp4 in
- let _:Prims.unit = () in
- let sampled0:usize = sz 0 in
- let sampled1:usize = sz 0 in
- let sampled2:usize = sz 0 in
- let sampled3:usize = sz 0 in
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (rand_stack0 <: t_Slice u8)
- sampled0
- (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263))
- in
- let sampled0:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1
- in
- let done0:bool = out in
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (rand_stack1 <: t_Slice u8)
- sampled1
- (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263))
+ let done:bool = false in
+ let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) =
+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter
+ u8)
+ #FStar.Tactics.Typeclasses.solve
+ (Core.Slice.impl__iter #u8 randomness <: Core.Slice.Iter.t_Iter u8)
+ <:
+ Core.Slice.Iter.t_Iter u8)
+ (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64))
+ (fun temp_0_ byte ->
+ let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) =
+ temp_0_
+ in
+ let byte:u8 = byte in
+ if ~.done <: bool
+ then
+ let sample_at:usize = cast (byte <: u8) <: usize in
+ let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) =
+ if sample_at <=. out_index
+ then
+ let result:t_Array i32 (sz 256) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+ out_index
+ (result.[ sample_at ] <: i32)
+ in
+ let out_index:usize = out_index +! sz 1 in
+ let result:t_Array i32 (sz 256) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+ sample_at
+ (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32)
+ in
+ let signs:u64 = signs >>! 1l in
+ out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64)
+ else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64)
+ in
+ let done:bool =
+ out_index =. (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize)
+ in
+ done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)
+ else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64))
in
- let sampled1:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1
+ let hax_temp_output:bool = done in
+ out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool)
+
+let sample_challenge_ring_element
+ (#v_SIMDUnit #v_Shake256: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i2:
+ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256)
+ (seed: t_Slice u8)
+ (number_of_ones: usize)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ =
+ let state:v_Shake256 =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_final #v_Shake256
+ #FStar.Tactics.Typeclasses.solve
+ seed
in
- let done1:bool = out in
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (rand_stack2 <: t_Slice u8)
- sampled2
- (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263))
+ let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256
+ #FStar.Tactics.Typeclasses.solve
+ state
in
- let sampled2:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1
+ let state:v_Shake256 = tmp0 in
+ let randomness:t_Array u8 (sz 136) = out in
+ let signs:u64 =
+ Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8))
+ #Core.Array.t_TryFromSliceError
+ (Core.Convert.f_try_into #(t_Slice u8)
+ #(t_Array u8 (sz 8))
+ #FStar.Tactics.Typeclasses.solve
+ (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ <:
+ Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError)
+ <:
+ t_Array u8 (sz 8))
in
- let done2:bool = out in
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (rand_stack3 <: t_Slice u8)
- sampled3
- (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263))
+ let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in
+ let out_index:usize =
+ (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! number_of_ones
in
- let sampled3:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1
+ let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) =
+ inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
+ out_index
+ signs
+ result
in
- let done3:bool = out in
- let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
- bool &
- bool &
- bool &
- usize &
- usize &
- usize &
- usize &
- v_Shake128 &
- t_Slice (t_Array i32 (sz 263))) =
+ let out_index:usize = tmp0 in
+ let signs:u64 = tmp1 in
+ let result:t_Array i32 (sz 256) = tmp2 in
+ let done:bool = out in
+ let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)
+ =
Rust_primitives.f_while_loop (fun temp_0_ ->
- let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
- bool &
- bool &
- bool &
- usize &
- usize &
- usize &
- usize &
- v_Shake128 &
- t_Slice (t_Array i32 (sz 263))) =
+ let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 &
+ v_Shake256) =
temp_0_
in
- (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool))
- (done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
+ ~.done <: bool)
+ (done, out_index, result, signs, state
<:
- (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
- t_Slice (t_Array i32 (sz 263))))
+ (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256))
(fun temp_0_ ->
- let done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack:(bool &
- bool &
- bool &
- bool &
- usize &
- usize &
- usize &
- usize &
- v_Shake128 &
- t_Slice (t_Array i32 (sz 263))) =
+ let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 &
+ v_Shake256) =
temp_0_
in
- let tmp0, out:(v_Shake128 &
- (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)))
- =
- Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128
+ let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) =
+ Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256
#FStar.Tactics.Typeclasses.solve
state
in
- let state:v_Shake128 = tmp0 in
- let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) &
- t_Array u8 (sz 168)) =
- out
- in
- let done0, sampled0, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
- if ~.done0
- then
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (randomnesses._1 <: t_Slice u8)
- sampled0
- (tmp_stack.[ sz 0 ] <: t_Array i32 (sz 263))
- in
- let sampled0:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 0) tmp1
- in
- let done0:bool = out in
- done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
- else done0, sampled0, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
- in
- let done1, sampled1, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
- if ~.done1
- then
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (randomnesses._2 <: t_Slice u8)
- sampled1
- (tmp_stack.[ sz 1 ] <: t_Array i32 (sz 263))
- in
- let sampled1:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 1) tmp1
- in
- let done1:bool = out in
- done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
- else done1, sampled1, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
- in
- let done2, sampled2, tmp_stack:(bool & usize & t_Slice (t_Array i32 (sz 263))) =
- if ~.done2
- then
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (randomnesses._3 <: t_Slice u8)
- sampled2
- (tmp_stack.[ sz 2 ] <: t_Array i32 (sz 263))
- in
- let sampled2:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 2) tmp1
- in
- let done2:bool = out in
- done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
- else done2, sampled2, tmp_stack <: (bool & usize & t_Slice (t_Array i32 (sz 263)))
- in
- if ~.done3
- then
- let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) =
- rejection_sample_less_than_field_modulus #v_SIMDUnit
- (randomnesses._4 <: t_Slice u8)
- sampled3
- (tmp_stack.[ sz 3 ] <: t_Array i32 (sz 263))
- in
- let sampled3:usize = tmp0 in
- let tmp_stack:t_Slice (t_Array i32 (sz 263)) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tmp_stack (sz 3) tmp1
- in
- let done3:bool = out in
- done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
- <:
- (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
- t_Slice (t_Array i32 (sz 263)))
- else
- done0, done1, done2, done3, sampled0, sampled1, sampled2, sampled3, state, tmp_stack
- <:
- (bool & bool & bool & bool & usize & usize & usize & usize & v_Shake128 &
- t_Slice (t_Array i32 (sz 263))))
- in
- let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- elements_requested
- (fun matrix temp_1_ ->
- let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- matrix
- in
- let _:usize = temp_1_ in
- true)
- matrix
- (fun matrix k ->
- let matrix:t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) =
- matrix
+ let state:v_Shake256 = tmp0 in
+ let randomness:t_Array u8 (sz 136) = out in
+ let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) =
+ inside_out_shuffle (randomness <: t_Slice u8) out_index signs result
in
- let k:usize = k in
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize matrix
- (start_index +! k <: usize)
- (Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit
- (tmp_stack.[ k ] <: t_Slice i32)
- (matrix.[ start_index +! k <: usize ]
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- <:
- Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ let out_index:usize = tmp0 in
+ let signs:u64 = tmp1 in
+ let result:t_Array i32 (sz 256) = tmp2 in
+ let done:bool = out in
+ done, out_index, result, signs, state
<:
- t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256))
in
- matrix, rand_stack0, rand_stack1, rand_stack2, rand_stack3, tmp_stack
- <:
- (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840) &
- t_Array u8 (sz 840) &
- t_Array u8 (sz 840) &
- t_Slice (t_Array i32 (sz 263)))
+ let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit =
+ Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) re
+ in
+ re
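Review bot: `sample_challenge_ring_element` never constrains `number_of_ones`, yet it computes `out_index` as `256 -! number_of_ones` and draws every sign from a single `u64` that `inside_out_shuffle` consumes one bit per accepted byte (`signs >>! 1l`), so a value above 64 would silently yield all-`+1` coefficients once `signs` has shifted to zero, a value above 256 underflows the subtraction, and the `.fsti` declaration's precondition is `Prims.l_True`, so nothing upstream enforces the bound either. The `sample_mask_vector` code just above this hunk guards its parameters with `Hax_lib.v_assert`, and the same pattern fits here as the first line of the body: `let _:Prims.unit = Hax_lib.v_assert (number_of_ones <=. sz 64) in` — since this file is hax-extracted, that check belongs in the Rust source (a `debug_assert!`) or as a refinement on the `val` in the `.fsti`, not as a hand edit of the `.fst`. The `sample_at <=. out_index` rejection branch in `inside_out_shuffle` is data-dependent on SHAKE256 output; this is presumably acceptable only because the challenge polynomial is public (in ML-DSA it is rederived from the commitment hash carried in the signature), and a one-line comment such as `// variable-time rejection is fine: c is public` would stop a later reader from "fixing" it into a constant-time loop. `sample_challenge_ring_element` runs to the last line of the hunk; whether the file continues past it is not visible here.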
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti
index 7991fde68..3611537a5 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti
@@ -11,11 +11,46 @@ let _ =
let open Libcrux_ml_dsa.Simd.Traits in
()
+val rejection_sample_less_than_field_modulus
+ (#v_SIMDUnit: Type0)
+ {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ (randomness: t_Slice u8)
+ (sampled_coefficients: usize)
+ (out: t_Array i32 (sz 263))
+ : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True)
+
val generate_domain_separator: (u8 & u8) -> Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True)
+val add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8))
+ : Prims.Pure (t_Array u8 (sz 34)) Prims.l_True (fun _ -> Prims.l_True)
+
val sample_up_to_four_ring_elements_flat__xy (index width: usize)
: Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True)
+/// Sample and write out up to four ring elements.
+/// If i <= `elements_requested`, a field element with domain separated
+/// seed according to the provided index is generated in
+/// `tmp_stack[i]`. After successful rejection sampling in
+/// `tmp_stack[i]`, the ring element is written to `matrix` at the
+/// provided index in `indices[i]`.
+/// `rand_stack` is a working buffer that holds initial Shake output.
+val sample_up_to_four_ring_elements_flat
+ (#v_SIMDUnit #v_Shake128: Type0)
+ {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
+ {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
+ (columns: usize)
+ (seed: t_Slice u8)
+ (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
+ (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840))
+ (tmp_stack: t_Slice (t_Array i32 (sz 263)))
+ (start_index elements_requested: usize)
+ : Prims.Pure
+ (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Array u8 (sz 840) &
+ t_Slice (t_Array i32 (sz 263))) Prims.l_True (fun _ -> Prims.l_True)
+
val rejection_sample_less_than_eta_equals_2_
(#v_SIMDUnit: Type0)
{| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -41,38 +76,9 @@ val rejection_sample_less_than_eta
(out: t_Array i32 (sz 263))
: Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True)
-val rejection_sample_less_than_field_modulus
- (#v_SIMDUnit: Type0)
- {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- (randomness: t_Slice u8)
- (sampled_coefficients: usize)
- (out: t_Array i32 (sz 263))
- : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True)
-
-val add_domain_separator (slice: t_Slice u8) (indices: (u8 & u8))
- : Prims.Pure (t_Array u8 (sz 34)) Prims.l_True (fun _ -> Prims.l_True)
-
val add_error_domain_separator (slice: t_Slice u8) (domain_separator: u16)
: Prims.Pure (t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True)
-val inside_out_shuffle
- (randomness: t_Slice u8)
- (out_index: usize)
- (signs: u64)
- (result: t_Array i32 (sz 256))
- : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True)
-
-val sample_challenge_ring_element
- (#v_SIMDUnit #v_Shake256: Type0)
- {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
- (seed: t_Slice u8)
- (number_of_ones: usize)
- (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
val sample_four_error_ring_elements
(#v_SIMDUnit #v_Shake256: Type0)
{| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
@@ -109,26 +115,20 @@ val sample_mask_vector
Prims.l_True
(fun _ -> Prims.l_True)
-/// Sample and write out up to four ring elements.
-/// If i <= `elements_requested`, a field element with domain separated
-/// seed according to the provided index is generated in
-/// `tmp_stack[i]`. After successful rejection sampling in
-/// `tmp_stack[i]`, the ring element is written to `matrix` at the
-/// provided index in `indices[i]`.
-/// `rand_stack` is a working buffer that holds initial Shake output.
-val sample_up_to_four_ring_elements_flat
- (#v_SIMDUnit #v_Shake128: Type0)
+val inside_out_shuffle
+ (randomness: t_Slice u8)
+ (out_index: usize)
+ (signs: u64)
+ (result: t_Array i32 (sz 256))
+ : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True)
+
+val sample_challenge_ring_element
+ (#v_SIMDUnit #v_Shake256: Type0)
{| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |}
- {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |}
- (columns: usize)
+ {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_DsaXof v_Shake256 |}
(seed: t_Slice u8)
- (matrix: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit))
- (rand_stack0 rand_stack1 rand_stack2 rand_stack3: t_Array u8 (sz 840))
- (tmp_stack: t_Slice (t_Array i32 (sz 263)))
- (start_index elements_requested: usize)
- : Prims.Pure
- (t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) & t_Array u8 (sz 840) &
- t_Array u8 (sz 840) &
- t_Array u8 (sz 840) &
- t_Array u8 (sz 840) &
- t_Slice (t_Array i32 (sz 263))) Prims.l_True (fun _ -> Prims.l_True)
+ (number_of_ones: usize)
+ (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst
index 1385acbb6..4aa328f6f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst
@@ -3,100 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic
open Core
open FStar.Mul
-let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs
- in
- lhs
-
-let compute_hint
- (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (gamma2: i32)
- (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- =
- let minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg gamma2 <: i32)
- in
- let gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 gamma2
- in
- let low_within_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32
- low
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- gamma2
- in
- let low_equals_minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_cmpeq_epi32 low minus_gamma2
- in
- let low_equals_minus_gamma2_and_high_is_nonzero:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sign_epi32 low_equals_minus_gamma2 high
- in
- let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_or_si256 low_within_bound
- low_equals_minus_gamma2_and_high_is_nonzero
- in
- let hints_mask:i32 =
- Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps
- hint
- <:
- u8)
- in
- let hint:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hint
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let hax_temp_output:usize = cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize in
- hint, hax_temp_output <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize)
-
-let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) =
- let absolute_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit
- in
- let bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32)
- in
- let compare_with_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound
- in
- let result:i32 =
- Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound
- in
- result <>. 1l
-
-let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs
- in
- lhs
-
-let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit
- in
- let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 shifted
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l <. 1l
+
+let power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = to_unsigned_representatives r0 in
+ let r1:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r0
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < Prims.l_True)
-val compute_hint
- (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (gamma2: i32)
- (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize)
- Prims.l_True
- (fun _ -> Prims.l_True)
+val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32)
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val to_unsigned_representatives_ret (t: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32)
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
val power2round (r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure
(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
Prims.l_True
(fun _ -> Prims.l_True)
-val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
val decompose (gamma2: i32) (r r0 r1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure
(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256)
Prims.l_True
(fun _ -> Prims.l_True)
+val compute_hint
+ (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (gamma2: i32)
+ (hint: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure (Libcrux_intrinsics.Avx2_extract.t_Vec256 & usize)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
val use_hint (gamma2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
index e64d2efe3..9d33278d4 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst
@@ -3,97 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error
open Core
open FStar.Mul
-let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 bytes <: usize) =. sz 3 <: bool)
- in
- ()
- in
- let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32)
- (cast (bytes.[ sz 2 ] <: u8) <: i32)
- (((cast (bytes.[ sz 2 ] <: u8) <: i32) < deserialize_to_unsigned_when_eta_is_2_ serialized
- | Libcrux_ml_dsa.Constants.Eta_Four -> deserialize_to_unsigned_when_eta_is_4_ serialized
-
-let deserialize
- (eta: Libcrux_ml_dsa.Constants.t_Eta)
- (serialized: t_Slice u8)
- (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- =
- let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 = deserialize_to_unsigned eta serialized in
- let eta:i32 =
- match eta <: Libcrux_ml_dsa.Constants.t_Eta with
- | Libcrux_ml_dsa.Constants.Eta_Two -> 2l
- | Libcrux_ml_dsa.Constants.Eta_Four -> 4l
- in
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
- eta
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- unsigned
- in
- out
-
let serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) =
let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
@@ -246,3 +155,94 @@ let serialize
| Libcrux_ml_dsa.Constants.Eta_Four -> serialize_when_eta_is_4_ simd_unit serialized
in
serialized
+
+let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 bytes <: usize) =. sz 3 <: bool)
+ in
+ ()
+ in
+ let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32)
+ (cast (bytes.[ sz 2 ] <: u8) <: i32)
+ (((cast (bytes.[ sz 2 ] <: u8) <: i32) < deserialize_to_unsigned_when_eta_is_2_ serialized
+ | Libcrux_ml_dsa.Constants.Eta_Four -> deserialize_to_unsigned_when_eta_is_4_ serialized
+
+let deserialize
+ (eta: Libcrux_ml_dsa.Constants.t_Eta)
+ (serialized: t_Slice u8)
+ (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ =
+ let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 = deserialize_to_unsigned eta serialized in
+ let eta:i32 =
+ match eta <: Libcrux_ml_dsa.Constants.t_Eta with
+ | Libcrux_ml_dsa.Constants.Eta_Two -> 2l
+ | Libcrux_ml_dsa.Constants.Eta_Four -> 4l
+ in
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
+ eta
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ unsigned
+ in
+ out
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti
index b88141b5b..7cabc3562 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti
@@ -3,17 +3,29 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error
open Core
open FStar.Mul
-let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = (1l < Prims.l_True)
+
let serialize_when_eta_is_4___ETA: i32 = 4l
+val serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize
+ (eta: Libcrux_ml_dsa.Constants.t_Eta)
+ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = (1l < Prims.l_True)
+let deserialize_to_unsigned_when_eta_is_4___COEFFICIENT_MASK: i32 = (1l < Prims.l_True)
@@ -25,15 +37,3 @@ val deserialize
(serialized: t_Slice u8)
(out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_when_eta_is_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_when_eta_is_4_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize
- (eta: Libcrux_ml_dsa.Constants.t_Eta)
- (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst
index 4e1d65188..cc642fd12 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst
@@ -3,147 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1
open Core
open FStar.Mul
-let deserialize_when_gamma1_is_2_pow_17_
- (serialized: t_Slice u8)
- (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool)
- in
- ()
- in
- let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = sz 16
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 2;
- Core.Ops.Range.f_end = sz 18
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y
- 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK
-
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
- deserialize_when_gamma1_is_2_pow_17___GAMMA1
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- coefficients
- in
- out
-
-let deserialize_when_gamma1_is_2_pow_19_
- (serialized: t_Slice u8)
- (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 20 <: bool)
- in
- ()
- in
- let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = sz 16
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 4;
- Core.Ops.Range.f_end = sz 20
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y
- 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK
-
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
- deserialize_when_gamma1_is_2_pow_19___GAMMA1
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- coefficients
- in
- out
-
-let deserialize
- (serialized: t_Slice u8)
- (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (gamma1_exponent: usize)
- =
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- match cast (gamma1_exponent <: usize) <: u8 with
- | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized out
- | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized out
- | _ -> out
- in
- out
-
let serialize_when_gamma1_is_2_pow_17_
(simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
(out: t_Slice u8)
@@ -323,3 +182,144 @@ let serialize
| _ -> serialized
in
serialized
+
+let deserialize_when_gamma1_is_2_pow_17_
+ (serialized: t_Slice u8)
+ (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool)
+ in
+ ()
+ in
+ let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = sz 16
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 2;
+ Core.Ops.Range.f_end = sz 18
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y
+ 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK
+
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
+ deserialize_when_gamma1_is_2_pow_17___GAMMA1
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ coefficients
+ in
+ out
+
+let deserialize_when_gamma1_is_2_pow_19_
+ (serialized: t_Slice u8)
+ (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 20 <: bool)
+ in
+ ()
+ in
+ let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = sz 16
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ {
+ Core.Ops.Range.f_start = sz 4;
+ Core.Ops.Range.f_end = sz 20
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y
+ 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK
+
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32
+ deserialize_when_gamma1_is_2_pow_19___GAMMA1
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ coefficients
+ in
+ out
+
+let deserialize
+ (serialized: t_Slice u8)
+ (out: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (gamma1_exponent: usize)
+ =
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ match cast (gamma1_exponent <: usize) <: u8 with
+ | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized out
+ | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized out
+ | _ -> out
+ in
+ out
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
index 2eef37a40..5ed6a3299 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti
@@ -3,25 +3,41 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1
open Core
open FStar.Mul
-let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True)
-let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True)
-let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True)
-let serialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True)
+let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True)
-
-val serialize_when_gamma1_is_2_pow_17_
- (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (out: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_when_gamma1_is_2_pow_19_
- (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (out: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize
- (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (serialized: t_Slice u8)
- (gamma1_exponent: usize)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst
index 2a5d26958..d0ae2d410 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst
@@ -12,61 +12,6 @@ let change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
in
Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 interval_end simd_unit
-let deserialize (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- match Core.Slice.impl__len #u8 serialized, sz 13 <: (usize & usize) with
- | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool)
- in
- ()
- in
- let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
- let serialized_extended:t_Array u8 (sz 16) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended
- ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- serialized
- <:
- t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8)
- in
- let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y)
- (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y
- 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval coefficients in
- out
-
let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8) =
let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
let simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval simd_unit in
@@ -125,3 +70,58 @@ let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slic
t_Slice u8)
in
out
+
+let deserialize (serialized: t_Slice u8) (out: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ match Core.Slice.impl__len #u8 serialized, sz 13 <: (usize & usize) with
+ | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool)
+ in
+ ()
+ in
+ let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
+ let serialized_extended:t_Array u8 (sz 16) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended
+ ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ serialized
+ <:
+ t_Slice u8)
+ in
+ let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8)
+ in
+ let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y)
+ (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y
+ 0y
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval coefficients in
+ out
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti
index bc8592ab5..6b69d7c41 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti
@@ -6,10 +6,10 @@ open FStar.Mul
val change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True)
-
-val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti
index e47831a31..9e8db82fb 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti
@@ -3,10 +3,10 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1
open Core
open FStar.Mul
-let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True)
+let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst
index b51dbfe26..456c7bb71 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fst
@@ -68,6 +68,105 @@ let simd_unit_invert_ntt_at_layer_0_
<:
(Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+let simd_unit_invert_ntt_at_layer_1_
+ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (zeta00 zeta01 zeta10 zeta11: i32)
+ =
+ let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 simd_unit0 simd_unit1
+ in
+ let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 simd_unit0 simd_unit1
+ in
+ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in
+ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values
+ in
+ let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values
+ in
+ let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in
+ let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta11
+ zeta11
+ zeta01
+ zeta01
+ zeta10
+ zeta10
+ zeta00
+ zeta00
+ in
+ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas
+ in
+ let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
+ {
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ =
+ Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
+ in
+ let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
+ {
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ =
+ Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
+ in
+ a, b
+ <:
+ (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+
+let simd_unit_invert_ntt_at_layer_2_
+ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (zeta0 zeta1: i32)
+ =
+ let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l simd_unit0 simd_unit1
+ in
+ let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l simd_unit0 simd_unit1
+ in
+ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in
+ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values
+ in
+ let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values
+ in
+ let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in
+ let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0
+ in
+ let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas
+ in
+ let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
+ {
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ =
+ Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums differences
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
+ in
+ let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
+ {
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ =
+ Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums differences
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
+ in
+ a, b
+ <:
+ (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+
let invert_ntt_at_layer_0___round
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
@@ -157,59 +256,6 @@ let invert_ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V
in
re
-let simd_unit_invert_ntt_at_layer_1_
- (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (zeta00 zeta01 zeta10 zeta11: i32)
- =
- let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 simd_unit0 simd_unit1
- in
- let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 simd_unit0 simd_unit1
- in
- let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in
- let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values
- in
- let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values
- in
- let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in
- let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta11
- zeta11
- zeta01
- zeta01
- zeta10
- zeta10
- zeta00
- zeta00
- in
- let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas
- in
- let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
- {
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- =
- Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 sums differences
- }
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
- in
- let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
- {
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- =
- Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 sums differences
- }
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
- in
- a, b
- <:
- (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
-
let invert_ntt_at_layer_1___round
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
@@ -286,52 +332,6 @@ let invert_ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V
in
re
-let simd_unit_invert_ntt_at_layer_2_
- (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (zeta0 zeta1: i32)
- =
- let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l simd_unit0 simd_unit1
- in
- let hi_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l simd_unit0 simd_unit1
- in
- let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 = hi_values in
- let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract differences lo_values
- in
- let lo_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lo_values hi_values
- in
- let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = lo_values in
- let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0
- in
- let differences:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply differences zetas
- in
- let a:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
- {
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- =
- Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 32l sums differences
- }
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
- in
- let b:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 =
- {
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- =
- Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 49l sums differences
- }
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
- in
- a, b
- <:
- (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
-
let invert_ntt_at_layer_2___round
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti
index 0903ff088..e7b8f66fc 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Invntt.fsti
@@ -3,30 +3,8 @@ module Libcrux_ml_dsa.Simd.Avx2.Invntt
open Core
open FStar.Mul
-let invert_ntt_at_layer_3___STEP: usize = sz 8
-
-let invert_ntt_at_layer_3___STEP_BY: usize = sz 1
-
-let invert_ntt_at_layer_4___STEP: usize = sz 16
-
-let invert_ntt_at_layer_4___STEP_BY: usize = sz 2
-
-let invert_ntt_at_layer_5___STEP: usize = sz 32
-
-let invert_ntt_at_layer_5___STEP_BY: usize = sz 4
-
-let invert_ntt_at_layer_6___STEP: usize = sz 64
-
-let invert_ntt_at_layer_6___STEP_BY: usize = sz 8
-
-let invert_ntt_at_layer_7___STEP: usize = sz 128
-
-let invert_ntt_at_layer_7___STEP_BY: usize = sz 16
-
let invert_ntt_montgomery__inv_inner__FACTOR: i32 = 41978l
-let simd_unit_invert_ntt_at_layer_0___SHUFFLE: i32 = 216l
-
val simd_unit_invert_ntt_at_layer_0_
(simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
(zeta00 zeta01 zeta02 zeta03 zeta10 zeta11 zeta12 zeta13: i32)
@@ -34,6 +12,22 @@ val simd_unit_invert_ntt_at_layer_0_
(Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
) Prims.l_True (fun _ -> Prims.l_True)
+let simd_unit_invert_ntt_at_layer_0___SHUFFLE: i32 = 216l
+
+val simd_unit_invert_ntt_at_layer_1_
+ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (zeta00 zeta01 zeta10 zeta11: i32)
+ : Prims.Pure
+ (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
+ ) Prims.l_True (fun _ -> Prims.l_True)
+
+val simd_unit_invert_ntt_at_layer_2_
+ (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (zeta0 zeta1: i32)
+ : Prims.Pure
+ (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
+ ) Prims.l_True (fun _ -> Prims.l_True)
+
val invert_ntt_at_layer_0___round
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
@@ -47,13 +41,6 @@ val invert_ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V
Prims.l_True
(fun _ -> Prims.l_True)
-val simd_unit_invert_ntt_at_layer_1_
- (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (zeta00 zeta01 zeta10 zeta11: i32)
- : Prims.Pure
- (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
- ) Prims.l_True (fun _ -> Prims.l_True)
-
val invert_ntt_at_layer_1___round
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
@@ -67,13 +54,6 @@ val invert_ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V
Prims.l_True
(fun _ -> Prims.l_True)
-val simd_unit_invert_ntt_at_layer_2_
- (simd_unit0 simd_unit1: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (zeta0 zeta1: i32)
- : Prims.Pure
- (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256
- ) Prims.l_True (fun _ -> Prims.l_True)
-
val invert_ntt_at_layer_2___round
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
@@ -100,21 +80,37 @@ val invert_ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_V
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_3___STEP: usize = sz 8
+
+let invert_ntt_at_layer_3___STEP_BY: usize = sz 1
+
val invert_ntt_at_layer_4_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_4___STEP: usize = sz 16
+
+let invert_ntt_at_layer_4___STEP_BY: usize = sz 2
+
val invert_ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_5___STEP: usize = sz 32
+
+let invert_ntt_at_layer_5___STEP_BY: usize = sz 4
+
val invert_ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_6___STEP: usize = sz 64
+
+let invert_ntt_at_layer_6___STEP_BY: usize = sz 8
+
val invert_ntt_at_layer_7_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
Prims.l_True
@@ -130,3 +126,7 @@ val invert_ntt_montgomery (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Ve
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+
+let invert_ntt_at_layer_7___STEP: usize = sz 128
+
+let invert_ntt_at_layer_7___STEP_BY: usize = sz 16
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
index e57e38802..4880fcb6f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst
@@ -3,98 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt
open Core
open FStar.Mul
-let ntt_at_layer_7_and_6___mul
- (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
- (index: usize)
- (zeta: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (step_by: usize)
- (field_modulus inverse_of_modulus_mod_montgomery_r: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- =
- let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ]
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
- .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- zeta
- in
- let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
- 245l
- (re.[ index +! step_by <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
- .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
- in
- let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
- in
- let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
- in
- let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
- in
- let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
- in
- let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
- in
- let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
- in
- let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- (index +! step_by <: usize)
- (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- (index +! step_by <: usize)
- ({
- (re.[ index +! step_by <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) with
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index +! step_by <: usize ]
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
- .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- t
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256
- }
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- index
- ({
- (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) with
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- =
- Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ]
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
- .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
- t
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256
- }
- <:
- Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
- in
- re
-
let butterfly_2_
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
@@ -476,6 +384,98 @@ let ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (
in
re
+let ntt_at_layer_7_and_6___mul
+ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
+ (index: usize)
+ (zeta: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (step_by: usize)
+ (field_modulus inverse_of_modulus_mod_montgomery_r: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ =
+ let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ]
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+ .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ zeta
+ in
+ let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32
+ 245l
+ (re.[ index +! step_by <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+ .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let k02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r
+ in
+ let k13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r
+ in
+ let c02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus
+ in
+ let c13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus
+ in
+ let res02:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02
+ in
+ let res13:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13
+ in
+ let res02_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02
+ in
+ let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ (index +! step_by <: usize)
+ (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ (index +! step_by <: usize)
+ ({
+ (re.[ index +! step_by <: usize ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) with
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index +! step_by <: usize ]
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+ .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ t
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ index
+ ({
+ (re.[ index ] <: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256) with
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ =
+ Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ]
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+ .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_value
+ t
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256)
+ in
+ re
+
let ntt_at_layer_7_and_6_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32)) =
let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
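Review bot: `ntt_at_layer_7_and_6___mul` reads and writes `re.[ index +! step_by <: usize ]` on a `t_Array ... (sz 32)`, yet its declaration in the Ntt.fsti hunk further down (`val ntt_at_layer_7_and_6___mul ... Prims.Pure (...) Prims.l_True (fun _ -> Prims.l_True)`) states no relation between `index`, `step_by` and the array length, so the bounds obligation is either left to the caller's context or admitted if extraction runs lax. Because this file is hax-generated, the constraint belongs on the Rust source, e.g. `#[hax_lib::requires(index + step_by < 32)]`, which would extract as a precondition of the form `v index + v step_by < 32` in place of the first `Prims.l_True`. The same point applies to the `val` in the Ntt.fsti hunk; the function body itself is moved unchanged.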
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
index 02c44d807..a0ca4fe56 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti
@@ -3,39 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt
open Core
open FStar.Mul
-let butterfly_2___SHUFFLE: i32 = 216l
-
-let ntt_at_layer_5_to_3___STEP: usize = sz 1 < Prims.l_True)
-
-let ntt_at_layer_5_to_3___STEP_BY: usize =
- ntt_at_layer_5_to_3___STEP /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-
-let ntt_at_layer_5_to_3___STEP_BY_1: usize =
- ntt_at_layer_5_to_3___STEP_1 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-
-let ntt_at_layer_5_to_3___STEP_BY_2: usize =
- ntt_at_layer_5_to_3___STEP_2 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
-
-let ntt_at_layer_7_and_6___STEP_BY_6_: usize =
- (sz 1 < Prims.l_True)
+let butterfly_2___SHUFFLE: i32 = 216l
+
val butterfly_4_
(re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
(index: usize)
@@ -75,6 +44,22 @@ val ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (
Prims.l_True
(fun _ -> Prims.l_True)
+val ntt_at_layer_7_and_6___mul
+ (re: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
+ (index: usize)
+ (zeta: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (step_by: usize)
+ (field_modulus inverse_of_modulus_mod_montgomery_r: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_Vec256 (sz 32))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+let ntt_at_layer_7_and_6___STEP_BY_7_: usize =
+ sz 2 *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT
+
+let ntt_at_layer_7_and_6___STEP_BY_6_: usize =
+ (sz 1 < Prims.l_True)
+let ntt_at_layer_5_to_3___STEP: usize = sz 1 < Prims.l_True)
+
+val generate_shuffle_table: Prims.unit
+ -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True)
+
let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) =
let list =
[
@@ -132,9 +138,3 @@ let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) =
in
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
Rust_primitives.Hax.array_of_list 16 list
-
-val is_bit_set (number: usize) (bit_position: u8)
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
-val generate_shuffle_table: Prims.unit
- -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst
index cb7d7a4f1..4c64e4ac1 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst
@@ -3,21 +3,6 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type
open Core
open FStar.Mul
-let from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) =
- let out:t_Vec256 =
- { out with f_value = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array }
- <:
- t_Vec256
- in
- out
-
-let to_coefficient_array (value: t_Vec256) (out: t_Slice i32) =
- let out:t_Slice i32 = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 out value.f_value in
- out
-
-let zero (_: Prims.unit) =
- { f_value = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_Vec256
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
val impl': Core.Clone.t_Clone t_Vec256
@@ -29,3 +14,18 @@ assume
val impl_1': Core.Marker.t_Copy t_Vec256
let impl_1 = impl_1'
+
+let zero (_: Prims.unit) =
+ { f_value = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_Vec256
+
+let from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256) =
+ let out:t_Vec256 =
+ { out with f_value = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array }
+ <:
+ t_Vec256
+ in
+ out
+
+let to_coefficient_array (value: t_Vec256) (out: t_Slice i32) =
+ let out:t_Slice i32 = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 out value.f_value in
+ out
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti
index 6d962b8d6..6c2f727dc 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti
@@ -6,6 +6,15 @@ open FStar.Mul
/// The vector type
type t_Vec256 = { f_value:Libcrux_intrinsics.Avx2_extract.t_Vec256 }
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_Vec256
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_Vec256
+
+/// Create an all-zero vector coefficient
+val zero: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
/// Create a coefficient from an `i32` array
val from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256)
: Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
@@ -13,12 +22,3 @@ val from_coefficient_array (coefficient_array: t_Slice i32) (out: t_Vec256)
/// Write out the coefficient to an `i32` array
val to_coefficient_array (value: t_Vec256) (out: t_Slice i32)
: Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Create an all-zero vector coefficient
-val zero: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Core.Clone.t_Clone t_Vec256
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Core.Marker.t_Copy t_Vec256
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst
index 1564e438b..b997bc750 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst
@@ -3,123 +3,6 @@ module Libcrux_ml_dsa.Simd.Portable.Arithmetic
open Core
open FStar.Mul
-let compute_one_hint (low high gamma2: i32) =
- if
- low >. gamma2 || low <. (Core.Ops.Arith.Neg.neg gamma2 <: i32) ||
- low =. (Core.Ops.Arith.Neg.neg gamma2 <: i32) && high <>. 0l
- then 1l
- else 0l
-
-let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in
- fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
-
-let montgomery_reduce_element (value: i64) =
- let t:u64 =
- (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *!
- Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
- in
- let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in
- let k_times_modulus:i64 =
- (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64)
- in
- let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in
- let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in
- value_high -! c
-
-let montgomery_multiply_fe_by_fer (fe fer: i32) =
- montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64)
-
-let decompose_element (gamma2 r: i32) =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((r >.
- (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
- <:
- bool) &&
- (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool))
- in
- ()
- in
- let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in
- let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in
- let r1:i32 =
- match gamma2 <: i32 with
- | 95232l ->
- let result:i32 =
- ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l
- in
- (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result
- | 261888l ->
- let result:i32 =
- ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l
- in
- result &. 15l
- | _ ->
- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
- <:
- Rust_primitives.Hax.t_Never)
- in
- let alpha:i32 = gamma2 *! 2l in
- let r0:i32 = r -! (r1 *! alpha <: i32) in
- let r0:i32 =
- r0 -!
- (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>!
- 31l
- <:
- i32) &.
- Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
- <:
- i32)
- in
- r0, r1 <: (i32 & i32)
-
-let power2round_element (t: i32) =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((t >.
- (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
- <:
- bool) &&
- (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool))
- in
- ()
- in
- let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in
- let t1:i32 =
- ((t -! 1l <: i32) +!
- (1l <>!
- Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T
- in
- let t0:i32 = t -! (t1 <
- if r0 >. 0l
- then if r1 =. 43l then 0l else r1 +! hint
- else if r1 =. 0l then 43l else r1 -! hint
- | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l
- | _ ->
- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
- <:
- Rust_primitives.Hax.t_Never)
-
let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -154,169 +37,7 @@ let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
in
lhs
-let compute_hint
- (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (gamma2: i32)
- (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- =
- let one_hints_count:usize = sz 0 in
- let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #i32
- (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
- <:
- usize)
- (fun temp_0_ temp_1_ ->
- let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize
- ) =
- temp_0_
- in
- let _:usize = temp_1_ in
- true)
- (hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize))
- (fun temp_0_ i ->
- let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize
- ) =
- temp_0_
- in
- let i:usize = i in
- let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
- {
- hint with
- Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint
- .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- i
- (compute_one_hint (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ]
- <:
- i32)
- (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
- gamma2
- <:
- i32)
- }
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- in
- let one_hints_count:usize =
- one_hints_count +!
- (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) <: usize)
- in
- hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)
- )
- in
- let hax_temp_output:usize = one_hints_count in
- hint, hax_temp_output <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)
-
-let decompose
- (gamma2: i32)
- (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- =
- let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #i32
- (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
- <:
- usize)
- (fun temp_0_ temp_1_ ->
- let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
- temp_0_
- in
- let _:usize = temp_1_ in
- true)
- (high, low
- <:
- (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients))
- (fun temp_0_ i ->
- let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
- temp_0_
- in
- let i:usize = i in
- let lhs, lhs_1_:(i32 & i32) =
- decompose_element gamma2
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
- in
- let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
- {
- low with
- Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low
- .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- i
- lhs
- }
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- in
- let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
- {
- high with
- Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high
- .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- i
- lhs_1_
- }
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- in
- high, low
- <:
- (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients))
- in
- low, high
- <:
- (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
-
-let infinity_norm_exceeds
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (bound: i32)
- =
- let result:bool = false in
- let result:bool =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #i32
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
- <:
- usize)
- (fun result temp_1_ ->
- let result:bool = result in
- let _:usize = temp_1_ in
- true)
- result
- (fun result i ->
- let result:bool = result in
- let i:usize = i in
- let coefficient:i32 = simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] in
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((coefficient >.
- (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
- <:
- bool) &&
- (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool))
- in
- ()
- in
- let sign:i32 = coefficient >>! 31l in
- let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in
- let result:bool = result || normalized >=. bound in
- result)
- in
- result
-
-let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
+let subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
Rust_primitives.Hax.Folds.fold_range (sz 0)
(Core.Slice.impl__len #i32
@@ -338,17 +59,8 @@ let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coe
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
i
- (montgomery_reduce_element ((cast (lhs
- .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ]
- <:
- i32)
- <:
- i64) *!
- (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
- <:
- i64)
- <:
- i64)
+ ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) -!
+ (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
<:
i32)
<:
@@ -359,6 +71,24 @@ let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coe
in
lhs
+let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! v_MONTGOMERY_SHIFT <: i64) <: i32 in
+ let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in
+ value_high -! c
+
+let montgomery_multiply_fe_by_fer (fe fer: i32) =
+ montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64)
+
let montgomery_multiply_by_constant
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
(c: i32)
@@ -401,7 +131,74 @@ let montgomery_multiply_by_constant
<:
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
in
- simd_unit
+ simd_unit
+
+let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
+ let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #i32
+ (lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
+ <:
+ usize)
+ (fun lhs temp_1_ ->
+ let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in
+ let _:usize = temp_1_ in
+ true)
+ lhs
+ (fun lhs i ->
+ let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in
+ let i:usize = i in
+ {
+ lhs with
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
+ .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ i
+ (montgomery_reduce_element ((cast (lhs
+ .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ]
+ <:
+ i32)
+ <:
+ i64) *!
+ (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
+ <:
+ i64)
+ <:
+ i64)
+ <:
+ i32)
+ <:
+ t_Array i32 (sz 8)
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ in
+ lhs
+
+let power2round_element (t: i32) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((t >.
+ (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
+ <:
+ bool) &&
+ (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool))
+ in
+ ()
+ in
+ let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in
+ let t1:i32 =
+ ((t -! 1l <: i32) +!
+ (1l <>!
+ Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T
+ in
+ let t0:i32 = t -! (t1 <
+ let result:bool = result in
+ let _:usize = temp_1_ in
+ true)
+ result
+ (fun result i ->
+ let result:bool = result in
+ let i:usize = i in
+ let coefficient:i32 = simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] in
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((coefficient >.
+ (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
+ <:
+ bool) &&
+ (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool))
+ in
+ ()
+ in
+ let sign:i32 = coefficient >>! 31l in
+ let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in
+ let result:bool = result || normalized >=. bound in
+ result)
+ in
+ result
+
+let reduce_element (fe: i32) =
+ let quotient:i32 = (fe +! (1l <>! 23l in
+ fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
+
let shift_left_then_reduce
(v_SHIFT_BY: i32)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -508,39 +348,199 @@ let shift_left_then_reduce
in
simd_unit
-let subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
- let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
+let compute_one_hint (low high gamma2: i32) =
+ if
+ low >. gamma2 || low <. (Core.Ops.Arith.Neg.neg gamma2 <: i32) ||
+ low =. (Core.Ops.Arith.Neg.neg gamma2 <: i32) && high <>. 0l
+ then 1l
+ else 0l
+
+let compute_hint
+ (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (gamma2: i32)
+ (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ =
+ let one_hints_count:usize = sz 0 in
+ let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize) =
Rust_primitives.Hax.Folds.fold_range (sz 0)
(Core.Slice.impl__len #i32
- (lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
+ (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
<:
usize)
- (fun lhs temp_1_ ->
- let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in
+ (fun temp_0_ temp_1_ ->
+ let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize
+ ) =
+ temp_0_
+ in
let _:usize = temp_1_ in
true)
- lhs
- (fun lhs i ->
- let lhs:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients = lhs in
+ (hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize))
+ (fun temp_0_ i ->
+ let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize
+ ) =
+ temp_0_
+ in
let i:usize = i in
- {
- lhs with
- Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
- .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
- i
- ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) -!
- (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
- <:
- i32)
+ let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
+ {
+ hint with
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint
+ .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ i
+ (compute_one_hint (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ]
+ <:
+ i32)
+ (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
+ gamma2
+ <:
+ i32)
+ }
<:
- t_Array i32 (sz 8)
- }
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ in
+ let one_hints_count:usize =
+ one_hints_count +!
+ (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32) <: usize)
+ in
+ hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)
+ )
+ in
+ let hax_temp_output:usize = one_hints_count in
+ hint, hax_temp_output <: (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)
+
+let decompose_element (gamma2 r: i32) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((r >.
+ (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32)
+ <:
+ bool) &&
+ (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool))
+ in
+ ()
+ in
+ let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in
+ let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in
+ let r1:i32 =
+ match gamma2 <: i32 with
+ | 95232l ->
+ let result:i32 =
+ ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l
+ in
+ (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result
+ | 261888l ->
+ let result:i32 =
+ ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l
+ in
+ result &. 15l
+ | _ ->
+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
<:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ Rust_primitives.Hax.t_Never)
in
- lhs
+ let alpha:i32 = gamma2 *! 2l in
+ let r0:i32 = r -! (r1 *! alpha <: i32) in
+ let r0:i32 =
+ r0 -!
+ (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>!
+ 31l
+ <:
+ i32) &.
+ Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS
+ <:
+ i32)
+ in
+ r0, r1 <: (i32 & i32)
+
+let use_one_hint (gamma2 r hint: i32) =
+ let r0, r1:(i32 & i32) = decompose_element gamma2 r in
+ if hint =. 0l
+ then r1
+ else
+ match gamma2 <: i32 with
+ | 95232l ->
+ if r0 >. 0l
+ then if r1 =. 43l then 0l else r1 +! hint
+ else if r1 =. 0l then 43l else r1 -! hint
+ | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l
+ | _ ->
+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+ <:
+ Rust_primitives.Hax.t_Never)
+
+let decompose
+ (gamma2: i32)
+ (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ =
+ let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #i32
+ (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
+ <:
+ usize)
+ (fun temp_0_ temp_1_ ->
+ let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
+ temp_0_
+ in
+ let _:usize = temp_1_ in
+ true)
+ (high, low
+ <:
+ (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients))
+ (fun temp_0_ i ->
+ let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
+ temp_0_
+ in
+ let i:usize = i in
+ let lhs, lhs_1_:(i32 & i32) =
+ decompose_element gamma2
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ i ] <: i32)
+ in
+ let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
+ {
+ low with
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low
+ .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ i
+ lhs
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ in
+ let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
+ {
+ high with
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high
+ .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values
+ i
+ lhs_1_
+ }
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ in
+ high, low
+ <:
+ (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients))
+ in
+ low, high
+ <:
+ (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
let use_hint (gamma2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients) =
let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients =
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti
index afb9b56a4..8d7bcf337 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti
@@ -5,40 +5,39 @@ open FStar.Mul
let v_MONTGOMERY_SHIFT: u8 = 32uy
-val compute_one_hint (low high gamma2: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ Prims.l_True
+ (fun _ -> Prims.l_True)
val get_n_least_significant_bits (n: u8) (value: u64)
: Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True)
-val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-
val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
val montgomery_multiply_fe_by_fer (fe fer: i32)
: Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-val decompose_element (gamma2 r: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True)
-
-val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True)
-
-val use_one_hint (gamma2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-
-val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+val montgomery_multiply_by_constant
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (c: i32)
: Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
Prims.l_True
(fun _ -> Prims.l_True)
-val compute_hint
- (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (gamma2: i32)
- (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- : Prims.Pure (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)
+val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
Prims.l_True
(fun _ -> Prims.l_True)
-val decompose
- (gamma2: i32)
- (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True)
+
+val power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
: Prims.Pure
(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -50,34 +49,35 @@ val infinity_norm_exceeds
(bound: i32)
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- Prims.l_True
- (fun _ -> Prims.l_True)
+val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-val montgomery_multiply_by_constant
+val shift_left_then_reduce
+ (v_SHIFT_BY: i32)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (c: i32)
: Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
Prims.l_True
(fun _ -> Prims.l_True)
-val power2round (t0 t1: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- : Prims.Pure
- (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- Prims.l_True
- (fun _ -> Prims.l_True)
+val compute_one_hint (low high gamma2: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
-val shift_left_then_reduce
- (v_SHIFT_BY: i32)
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+val compute_hint
+ (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (gamma2: i32)
+ (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ : Prims.Pure (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients & usize)
Prims.l_True
(fun _ -> Prims.l_True)
-val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+val decompose_element (gamma2 r: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True)
+
+val use_one_hint (gamma2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+
+val decompose
+ (gamma2: i32)
+ (simd_unit low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ : Prims.Pure
+ (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients &
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
Prims.l_True
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst
index d950169bc..c0abeeb68 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst
@@ -3,6 +3,150 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error
open Core
open FStar.Mul
+let serialize_when_eta_is_2_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool)
+ in
+ ()
+ in
+ let coefficient0:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let coefficient1:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let coefficient2:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let coefficient3:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let coefficient4:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let coefficient5:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let coefficient6:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let coefficient7:u8 =
+ cast (serialize_when_eta_is_2___ETA -!
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32)
+ <:
+ i32)
+ <:
+ u8
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 0)
+ (((coefficient2 <>! 2l <: u8)
+ <:
+ u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 2)
+ (((coefficient7 <>! 1l <: u8)
+ <:
+ u8)
+ in
+ serialized
+
+let serialize_when_eta_is_4_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ =
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, coefficients:(usize & t_Slice i32) = temp_1_ in
+ let coefficient0:u8 =
+ cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8
+ in
+ let coefficient1:u8 =
+ cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ i
+ ((coefficient1 < serialize_when_eta_is_2_ simd_unit serialized
+ | Libcrux_ml_dsa.Constants.Eta_Four -> serialize_when_eta_is_4_ simd_unit serialized
+ in
+ serialized
+
let deserialize_when_eta_is_2_
(serialized: t_Slice u8)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -193,147 +337,3 @@ let deserialize
| Libcrux_ml_dsa.Constants.Eta_Four -> deserialize_when_eta_is_4_ serialized out
in
out
-
-let serialize_when_eta_is_2_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool)
- in
- ()
- in
- let coefficient0:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let coefficient1:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let coefficient2:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let coefficient3:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let coefficient4:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let coefficient5:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let coefficient6:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let coefficient7:u8 =
- cast (serialize_when_eta_is_2___ETA -!
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32)
- <:
- i32)
- <:
- u8
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 0)
- (((coefficient2 <>! 2l <: u8)
- <:
- u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 2)
- (((coefficient7 <>! 1l <: u8)
- <:
- u8)
- in
- serialized
-
-let serialize_when_eta_is_4_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- =
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, coefficients:(usize & t_Slice i32) = temp_1_ in
- let coefficient0:u8 =
- cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8
- in
- let coefficient1:u8 =
- cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- i
- ((coefficient1 < serialize_when_eta_is_2_ simd_unit serialized
- | Libcrux_ml_dsa.Constants.Eta_Four -> serialize_when_eta_is_4_ simd_unit serialized
- in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti
index 6ebce847f..5cfa7a48c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti
@@ -3,14 +3,28 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error
open Core
open FStar.Mul
-let deserialize_when_eta_is_2___ETA: i32 = 2l
-
-let deserialize_when_eta_is_4___ETA: i32 = 4l
-
let serialize_when_eta_is_2___ETA: i32 = 2l
+val serialize_when_eta_is_2_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
let serialize_when_eta_is_4___ETA: i32 = 4l
+val serialize_when_eta_is_4_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize
+ (eta: Libcrux_ml_dsa.Constants.t_Eta)
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+let deserialize_when_eta_is_2___ETA: i32 = 2l
+
val deserialize_when_eta_is_2_
(serialized: t_Slice u8)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -18,6 +32,8 @@ val deserialize_when_eta_is_2_
Prims.l_True
(fun _ -> Prims.l_True)
+let deserialize_when_eta_is_4___ETA: i32 = 4l
+
val deserialize_when_eta_is_4_
(serialized: t_Slice u8)
(simd_units: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -32,19 +48,3 @@ val deserialize
: Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
Prims.l_True
(fun _ -> Prims.l_True)
-
-val serialize_when_eta_is_2_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_when_eta_is_4_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize
- (eta: Libcrux_ml_dsa.Constants.t_Eta)
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst
index 6a637b6b9..db22697c6 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst
@@ -3,6 +3,177 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1
open Core
open FStar.Mul
+let serialize_when_gamma1_is_2_pow_17_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ =
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, coefficients:(usize & t_Slice i32) = temp_1_ in
+ let coefficient0:i32 =
+ serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32)
+ in
+ let coefficient1:i32 =
+ serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32)
+ in
+ let coefficient2:i32 =
+ serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32)
+ in
+ let coefficient3:i32 =
+ serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 9 *! i <: usize)
+ (cast (coefficient0 <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 1 <: usize)
+ (cast (coefficient0 >>! 8l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 2 <: usize)
+ (cast (coefficient0 >>! 16l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 2 <: usize)
+ ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |.
+ (cast (coefficient1 <>! 6l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 4 <: usize)
+ (cast (coefficient1 >>! 14l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 4 <: usize)
+ ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |.
+ (cast (coefficient2 <>! 4l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 6 <: usize)
+ (cast (coefficient2 >>! 12l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 6 <: usize)
+ ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |.
+ (cast (coefficient3 <>! 2l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 9 *! i <: usize) +! sz 8 <: usize)
+ (cast (coefficient3 >>! 10l <: i32) <: u8)
+ in
+ serialized)
+ in
+ serialized
+
+let serialize_when_gamma1_is_2_pow_19_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ =
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, coefficients:(usize & t_Slice i32) = temp_1_ in
+ let coefficient0:i32 =
+ serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32)
+ in
+ let coefficient1:i32 =
+ serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 5 *! i <: usize)
+ (cast (coefficient0 <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 1 <: usize)
+ (cast (coefficient0 >>! 8l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 2 <: usize)
+ (cast (coefficient0 >>! 16l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 2 <: usize)
+ ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |.
+ (cast (coefficient1 <>! 4l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 4 <: usize)
+ (cast (coefficient1 >>! 12l <: i32) <: u8)
+ in
+ serialized)
+ in
+ serialized
+
+let serialize
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ (gamma1_exponent: usize)
+ =
+ let serialized:t_Slice u8 =
+ match cast (gamma1_exponent <: usize) <: u8 with
+ | 17uy -> serialize_when_gamma1_is_2_pow_17_ simd_unit serialized
+ | 19uy -> serialize_when_gamma1_is_2_pow_19_ simd_unit serialized
+ | _ -> serialized
+ in
+ serialized
+
let deserialize_when_gamma1_is_2_pow_17_
(serialized: t_Slice u8)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -204,174 +375,3 @@ let deserialize
| _ -> out
in
out
-
-let serialize_when_gamma1_is_2_pow_17_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- =
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, coefficients:(usize & t_Slice i32) = temp_1_ in
- let coefficient0:i32 =
- serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32)
- in
- let coefficient1:i32 =
- serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32)
- in
- let coefficient2:i32 =
- serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32)
- in
- let coefficient3:i32 =
- serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 9 *! i <: usize)
- (cast (coefficient0 <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 1 <: usize)
- (cast (coefficient0 >>! 8l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 2 <: usize)
- (cast (coefficient0 >>! 16l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 2 <: usize)
- ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |.
- (cast (coefficient1 <>! 6l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 4 <: usize)
- (cast (coefficient1 >>! 14l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 4 <: usize)
- ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |.
- (cast (coefficient2 <>! 4l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 6 <: usize)
- (cast (coefficient2 >>! 12l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 6 <: usize)
- ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |.
- (cast (coefficient3 <>! 2l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 9 *! i <: usize) +! sz 8 <: usize)
- (cast (coefficient3 >>! 10l <: i32) <: u8)
- in
- serialized)
- in
- serialized
-
-let serialize_when_gamma1_is_2_pow_19_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- =
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2)
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, coefficients:(usize & t_Slice i32) = temp_1_ in
- let coefficient0:i32 =
- serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32)
- in
- let coefficient1:i32 =
- serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 5 *! i <: usize)
- (cast (coefficient0 <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 1 <: usize)
- (cast (coefficient0 >>! 8l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 2 <: usize)
- (cast (coefficient0 >>! 16l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 2 <: usize)
- ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |.
- (cast (coefficient1 <>! 4l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 4 <: usize)
- (cast (coefficient1 >>! 12l <: i32) <: u8)
- in
- serialized)
- in
- serialized
-
-let serialize
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- (gamma1_exponent: usize)
- =
- let serialized:t_Slice u8 =
- match cast (gamma1_exponent <: usize) <: u8 with
- | 17uy -> serialize_when_gamma1_is_2_pow_17_ simd_unit serialized
- | 19uy -> serialize_when_gamma1_is_2_pow_19_ simd_unit serialized
- | _ -> serialized
- in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti
index 4c6ce1b08..674b82261 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti
@@ -3,19 +3,30 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1
open Core
open FStar.Mul
-let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True)
-let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True)
-let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True)
-let serialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True)
+let deserialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = 1l < Prims.l_True)
-
-val serialize_when_gamma1_is_2_pow_17_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_when_gamma1_is_2_pow_19_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- (gamma1_exponent: usize)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst
index e39c1468a..6e36d4fd7 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst
@@ -6,6 +6,144 @@ open FStar.Mul
let change_t0_interval (t0: i32) =
(1l <>! 8l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 1)
+ ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 3)
+ (cast (coefficient1 >>! 11l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 3)
+ ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 4)
+ ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 6)
+ (cast (coefficient3 >>! 9l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 6)
+ ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 8)
+ (cast (coefficient4 >>! 12l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 8)
+ ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 9)
+ ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 11)
+ (cast (coefficient6 >>! 10l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 11)
+ ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8)
+ in
+ serialized
+
let deserialize
(serialized: t_Slice u8)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -164,141 +302,3 @@ let deserialize
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
in
simd_unit
-
-let serialize
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 13 <: bool)
- in
- ()
- in
- let coefficient0:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 0 ] <: i32)
- in
- let coefficient1:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 1 ] <: i32)
- in
- let coefficient2:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 2 ] <: i32)
- in
- let coefficient3:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 3 ] <: i32)
- in
- let coefficient4:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 4 ] <: i32)
- in
- let coefficient5:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 5 ] <: i32)
- in
- let coefficient6:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 6 ] <: i32)
- in
- let coefficient7:i32 =
- change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values.[ sz 7 ] <: i32)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 0)
- (cast (coefficient0 <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 1)
- (cast (coefficient0 >>! 8l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 1)
- ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 3)
- (cast (coefficient1 >>! 11l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 3)
- ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 4)
- ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 6)
- (cast (coefficient3 >>! 9l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 6)
- ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 8)
- (cast (coefficient4 >>! 12l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 8)
- ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 9)
- ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 11)
- (cast (coefficient6 >>! 10l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 11)
- ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8)
- in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti
index 6d5bd9cba..d7d151e10 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti
@@ -5,6 +5,11 @@ open FStar.Mul
val change_t0_interval (t0: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True)
+val serialize
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 =
(1l < Prims.l_True)
-
-val serialize
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst
index 80f5daa84..042122b1d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst
@@ -3,6 +3,67 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1
open Core
open FStar.Mul
+let serialize
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool)
+ in
+ ()
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let _:usize = temp_1_ in
+ true)
+ serialized
+ (fun serialized temp_1_ ->
+ let serialized:t_Slice u8 = serialized in
+ let i, coefficients:(usize & t_Slice i32) = temp_1_ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ (sz 5 *! i <: usize)
+ (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 1 <: usize)
+ (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8)
+ <:
+ u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 2 <: usize)
+ (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8)
+ <:
+ u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 3 <: usize)
+ (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8)
+ <:
+ u8)
+ in
+ let serialized:t_Slice u8 =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+ ((sz 5 *! i <: usize) +! sz 4 <: usize)
+ (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8)
+ in
+ serialized)
+ in
+ serialized
+
let deserialize
(serialized: t_Slice u8)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
@@ -87,64 +148,3 @@ let deserialize
simd_unit)
in
simd_unit
-
-let serialize
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit =
- if true
- then
- let _:Prims.unit =
- Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool)
- in
- ()
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4)
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_values <: t_Slice i32)
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let _:usize = temp_1_ in
- true)
- serialized
- (fun serialized temp_1_ ->
- let serialized:t_Slice u8 = serialized in
- let i, coefficients:(usize & t_Slice i32) = temp_1_ in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- (sz 5 *! i <: usize)
- (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 1 <: usize)
- (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8)
- <:
- u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 2 <: usize)
- (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8)
- <:
- u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 3 <: usize)
- (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8)
- <:
- u8)
- in
- let serialized:t_Slice u8 =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
- ((sz 5 *! i <: usize) +! sz 4 <: usize)
- (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8)
- in
- serialized)
- in
- serialized
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti
index 2ae66a6cb..726580f6d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti
@@ -3,14 +3,14 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1
open Core
open FStar.Mul
+val serialize
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (serialized: t_Slice u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
val deserialize
(serialized: t_Slice u8)
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
: Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
Prims.l_True
(fun _ -> Prims.l_True)
-
-val serialize
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (serialized: t_Slice u8)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst
index e31da3316..e6edfbc00 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fst
@@ -155,127 +155,6 @@ let simd_unit_invert_ntt_at_layer_0_
in
simd_unit
-let invert_ntt_at_layer_0___round
- (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
- (index: usize)
- (zeta0 zeta1 zeta2 zeta3: i32)
- =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- index
- (simd_unit_invert_ntt_at_layer_0_ (re.[ index ]
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- zeta0
- zeta1
- zeta2
- zeta3
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- in
- re
-
-let invert_ntt_at_layer_0_
- (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
- =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 3) (-2286327l) (-420899l) (-2235985l) (-2939036l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 5) 1910376l (-1803090l) 1723600l (-426683l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 7) 269760l 3866901l 3523897l (-3038916l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 9) 3014001l 1616392l 162844l (-3183426l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 11) (-164721l) 2454455l 2432395l (-2013608l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 13) (-1846953l) (-1671176l) (-2831860l) (-542412l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 15) (-1374803l) (-2546312l) 1917081l (-1279661l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 17) (-1430225l) (-3318210l) 1237275l (-1333058l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 21) 1265009l (-2590150l) 2691481l 2842341l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 23) 4108315l (-2437823l) 286988l 342297l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 25) 3207046l 2031748l (-3122442l) (-655327l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 27) 819034l 909542l 1859098l 900702l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 29) 3513181l (-1235728l) 2434439l 266997l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_0___round re (sz 31) 3817976l 2316500l 3407706l 2091667l
- in
- re
-
let simd_unit_invert_ntt_at_layer_1_
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
(zeta0 zeta1: i32)
@@ -422,125 +301,6 @@ let simd_unit_invert_ntt_at_layer_1_
in
simd_unit
-let invert_ntt_at_layer_1___round
- (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
- (index: usize)
- (zeta_00_ zeta_01_: i32)
- =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- index
- (simd_unit_invert_ntt_at_layer_1_ (re.[ index ]
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- zeta_00_
- zeta_01_
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- in
- re
-
-let invert_ntt_at_layer_1_
- (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
- =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 1) (-3881060l) (-3019102l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 3) (-1584928l) 1285669l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 5) (-177440l) (-2409325l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 7) (-3553272l) 189548l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 9) (-210977l) 2389356l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 11) (-8578l) (-3724342l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 13) (-1100098l) 44288l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 15) 264944l (-3343383l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 17) 1349076l (-381987l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 19) (-1228525l) (-671102l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 21) (-3693493l) (-2967645l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 23) (-983419l) 3412210l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 25) (-3157330l) (-3190144l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 27) 1939314l (-1257611l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 29) 3475950l (-1452451l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- invert_ntt_at_layer_1___round re (sz 31) (-1528703l) (-3930395l)
- in
- re
-
let simd_unit_invert_ntt_at_layer_2_
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
(zeta: i32)
@@ -683,6 +443,246 @@ let simd_unit_invert_ntt_at_layer_2_
in
simd_unit
+let invert_ntt_at_layer_0___round
+ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
+ (index: usize)
+ (zeta0 zeta1 zeta2 zeta3: i32)
+ =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ index
+ (simd_unit_invert_ntt_at_layer_0_ (re.[ index ]
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ zeta0
+ zeta1
+ zeta2
+ zeta3
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ in
+ re
+
+let invert_ntt_at_layer_0_
+ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
+ =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 0) 1976782l (-846154l) 1400424l 3937738l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 2) (-3545687l) 1612842l (-976891l) 183443l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 3) (-2286327l) (-420899l) (-2235985l) (-2939036l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 4) (-3833893l) (-260646l) (-1104333l) (-1667432l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 5) 1910376l (-1803090l) 1723600l (-426683l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 6) 472078l 1717735l (-975884l) 2213111l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 7) 269760l 3866901l 3523897l (-3038916l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 9) 3014001l 1616392l 162844l (-3183426l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 10) (-1207385l) 185531l 3369112l 1957272l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 11) (-164721l) 2454455l 2432395l (-2013608l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 13) (-1846953l) (-1671176l) (-2831860l) (-542412l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 14) 3406031l 2235880l 777191l 1500165l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 15) (-1374803l) (-2546312l) 1917081l (-1279661l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 16) (-1962642l) 3306115l 1312455l (-451100l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 17) (-1430225l) (-3318210l) 1237275l (-1333058l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 20) 1595974l 2486353l 1247620l 4055324l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 21) 1265009l (-2590150l) 2691481l 2842341l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 22) 203044l 1735879l (-3342277l) 3437287l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 23) 4108315l (-2437823l) 286988l 342297l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 24) (-3595838l) (-768622l) (-525098l) (-3556995l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 25) 3207046l 2031748l (-3122442l) (-655327l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 27) 819034l 909542l 1859098l 900702l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 28) (-3193378l) (-1197226l) (-3759364l) (-3520352l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 29) 3513181l (-1235728l) 2434439l 266997l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 30) (-3562462l) (-2446433l) 2244091l (-3342478l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_0___round re (sz 31) 3817976l 2316500l 3407706l 2091667l
+ in
+ re
+
+let invert_ntt_at_layer_1___round
+ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
+ (index: usize)
+ (zeta_00_ zeta_01_: i32)
+ =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ index
+ (simd_unit_invert_ntt_at_layer_1_ (re.[ index ]
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ zeta_00_
+ zeta_01_
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ in
+ re
+
+let invert_ntt_at_layer_1_
+ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
+ =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 0) 3839961l (-3628969l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 1) (-3881060l) (-3019102l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 2) (-1439742l) (-812732l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 3) (-1584928l) 1285669l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 4) 1341330l 1315589l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 5) (-177440l) (-2409325l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 6) (-1851402l) 3159746l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 7) (-3553272l) 189548l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 8) (-1316856l) 759969l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 9) (-210977l) 2389356l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 10) (-3249728l) 1653064l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 11) (-8578l) (-3724342l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 12) 3958618l 904516l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 13) (-1100098l) 44288l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 14) 3097992l 508951l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 15) 264944l (-3343383l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 16) (-1430430l) 1852771l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 17) 1349076l (-381987l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 18) (-1308169l) (-22981l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 19) (-1228525l) (-671102l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 20) (-2477047l) (-411027l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 21) (-3693493l) (-2967645l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 22) 2715295l 2147896l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 23) (-983419l) 3412210l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 24) 126922l (-3632928l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 25) (-3157330l) (-3190144l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 26) (-1000202l) (-4083598l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 27) 1939314l (-1257611l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 28) (-1585221l) 2176455l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 29) 3475950l (-1452451l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 30) (-3041255l) (-3677745l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ invert_ntt_at_layer_1___round re (sz 31) (-1528703l) (-3930395l)
+ in
+ re
+
let invert_ntt_at_layer_2___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti
index d5accef63..9e6902a2f 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Invntt.fsti
@@ -9,26 +9,6 @@ let _ =
let open Libcrux_ml_dsa.Simd.Portable.Vector_type in
()
-let invert_ntt_at_layer_3___STEP: usize = sz 8
-
-let invert_ntt_at_layer_3___STEP_BY: usize = sz 1
-
-let invert_ntt_at_layer_4___STEP: usize = sz 16
-
-let invert_ntt_at_layer_4___STEP_BY: usize = sz 2
-
-let invert_ntt_at_layer_5___STEP: usize = sz 32
-
-let invert_ntt_at_layer_5___STEP_BY: usize = sz 4
-
-let invert_ntt_at_layer_6___STEP: usize = sz 64
-
-let invert_ntt_at_layer_6___STEP_BY: usize = sz 8
-
-let invert_ntt_at_layer_7___STEP: usize = sz 128
-
-let invert_ntt_at_layer_7___STEP_BY: usize = sz 16
-
val simd_unit_invert_ntt_at_layer_0_
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
(zeta0 zeta1 zeta2 zeta3: i32)
@@ -36,6 +16,20 @@ val simd_unit_invert_ntt_at_layer_0_
Prims.l_True
(fun _ -> Prims.l_True)
+val simd_unit_invert_ntt_at_layer_1_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (zeta0 zeta1: i32)
+ : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val simd_unit_invert_ntt_at_layer_2_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (zeta: i32)
+ : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
val invert_ntt_at_layer_0___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
@@ -50,13 +44,6 @@ val invert_ntt_at_layer_0_
Prims.l_True
(fun _ -> Prims.l_True)
-val simd_unit_invert_ntt_at_layer_1_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (zeta0 zeta1: i32)
- : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- Prims.l_True
- (fun _ -> Prims.l_True)
-
val invert_ntt_at_layer_1___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
@@ -71,13 +58,6 @@ val invert_ntt_at_layer_1_
Prims.l_True
(fun _ -> Prims.l_True)
-val simd_unit_invert_ntt_at_layer_2_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (zeta: i32)
- : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- Prims.l_True
- (fun _ -> Prims.l_True)
-
val invert_ntt_at_layer_2___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
@@ -106,30 +86,50 @@ val invert_ntt_at_layer_3_
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_3___STEP: usize = sz 8
+
+let invert_ntt_at_layer_3___STEP_BY: usize = sz 1
+
val invert_ntt_at_layer_4_
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_4___STEP: usize = sz 16
+
+let invert_ntt_at_layer_4___STEP_BY: usize = sz 2
+
val invert_ntt_at_layer_5_
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_5___STEP: usize = sz 32
+
+let invert_ntt_at_layer_5___STEP_BY: usize = sz 4
+
val invert_ntt_at_layer_6_
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_6___STEP: usize = sz 64
+
+let invert_ntt_at_layer_6___STEP_BY: usize = sz 8
+
val invert_ntt_at_layer_7_
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let invert_ntt_at_layer_7___STEP: usize = sz 128
+
+let invert_ntt_at_layer_7___STEP_BY: usize = sz 16
+
val invert_ntt_montgomery
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
index a3cb8b326..e986c9984 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
@@ -141,125 +141,6 @@ let simd_unit_ntt_at_layer_0_
in
simd_unit
-let ntt_at_layer_0___round
- (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
- (index: usize)
- (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
- =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- index
- (simd_unit_ntt_at_layer_0_ (re.[ index ]
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- zeta_0_
- zeta_1_
- zeta_2_
- zeta_3_
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- in
- re
-
-let ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) (-768622l) (-3595838l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l
- in
- re
-
let simd_unit_ntt_at_layer_1_
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
(zeta1 zeta2: i32)
@@ -398,123 +279,6 @@ let simd_unit_ntt_at_layer_1_
in
simd_unit
-let ntt_at_layer_1___round
- (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
- (index: usize)
- (zeta_0_ zeta_1_: i32)
- =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- index
- (simd_unit_ntt_at_layer_1_ (re.[ index ]
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- zeta_0_
- zeta_1_
- <:
- Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- in
- re
-
-let ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) =
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 8) 3412210l (-983419l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 9) 2147896l 2715295l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 17) 508951l 3097992l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 18) 44288l (-1100098l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 19) 904516l 3958618l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 22) 2389356l (-210977l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 23) 759969l (-1316856l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 24) 189548l (-3553272l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 27) 1315589l 1341330l
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l)
- in
- let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
- ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l
- in
- re
-
let simd_unit_ntt_at_layer_2_
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
(zeta: i32)
@@ -653,6 +417,242 @@ let simd_unit_ntt_at_layer_2_
in
simd_unit
+let ntt_at_layer_0___round
+ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
+ (index: usize)
+ (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32)
+ =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ index
+ (simd_unit_ntt_at_layer_0_ (re.[ index ]
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ zeta_0_
+ zeta_1_
+ zeta_2_
+ zeta_3_
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ in
+ re
+
+let ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) (-768622l) (-3595838l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) (-260646l) (-3833893l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l
+ in
+ re
+
+let ntt_at_layer_1___round
+ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
+ (index: usize)
+ (zeta_0_ zeta_1_: i32)
+ =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ index
+ (simd_unit_ntt_at_layer_1_ (re.[ index ]
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ zeta_0_
+ zeta_1_
+ <:
+ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ in
+ re
+
+let ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32)) =
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 8) 3412210l (-983419l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 9) 2147896l 2715295l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 17) 508951l 3097992l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 18) 44288l (-1100098l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 19) 904516l 3958618l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 22) 2389356l (-210977l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 23) 759969l (-1316856l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 24) 189548l (-3553272l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 27) 1315589l 1341330l
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l)
+ in
+ let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32) =
+ ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l
+ in
+ re
+
let ntt_at_layer_2___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
index 71ab0dd53..ba6b220e3 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
@@ -3,26 +3,6 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt
open Core
open FStar.Mul
-let ntt_at_layer_3___STEP: usize = sz 8
-
-let ntt_at_layer_3___STEP_BY: usize = sz 1
-
-let ntt_at_layer_4___STEP: usize = sz 16
-
-let ntt_at_layer_4___STEP_BY: usize = sz 2
-
-let ntt_at_layer_5___STEP: usize = sz 32
-
-let ntt_at_layer_5___STEP_BY: usize = sz 4
-
-let ntt_at_layer_6___STEP: usize = sz 64
-
-let ntt_at_layer_6___STEP_BY: usize = sz 8
-
-let ntt_at_layer_7___STEP: usize = sz 128
-
-let ntt_at_layer_7___STEP_BY: usize = sz 16
-
val simd_unit_ntt_at_layer_0_
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
(zeta0 zeta1 zeta2 zeta3: i32)
@@ -30,6 +10,20 @@ val simd_unit_ntt_at_layer_0_
Prims.l_True
(fun _ -> Prims.l_True)
+val simd_unit_ntt_at_layer_1_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (zeta1 zeta2: i32)
+ : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val simd_unit_ntt_at_layer_2_
+ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
+ (zeta: i32)
+ : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
val ntt_at_layer_0___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
@@ -43,13 +37,6 @@ val ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coef
Prims.l_True
(fun _ -> Prims.l_True)
-val simd_unit_ntt_at_layer_1_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (zeta1 zeta2: i32)
- : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- Prims.l_True
- (fun _ -> Prims.l_True)
-
val ntt_at_layer_1___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
@@ -63,13 +50,6 @@ val ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coef
Prims.l_True
(fun _ -> Prims.l_True)
-val simd_unit_ntt_at_layer_2_
- (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients)
- (zeta: i32)
- : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients
- Prims.l_True
- (fun _ -> Prims.l_True)
-
val ntt_at_layer_2___round
(re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
(index: usize)
@@ -96,26 +76,46 @@ val ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coef
Prims.l_True
(fun _ -> Prims.l_True)
+let ntt_at_layer_3___STEP: usize = sz 8
+
+let ntt_at_layer_3___STEP_BY: usize = sz 1
+
val ntt_at_layer_4_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let ntt_at_layer_4___STEP: usize = sz 16
+
+let ntt_at_layer_4___STEP_BY: usize = sz 2
+
val ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let ntt_at_layer_5___STEP: usize = sz 32
+
+let ntt_at_layer_5___STEP_BY: usize = sz 4
+
val ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let ntt_at_layer_6___STEP: usize = sz 64
+
+let ntt_at_layer_6___STEP_BY: usize = sz 8
+
val ntt_at_layer_7_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
+let ntt_at_layer_7___STEP: usize = sz 128
+
+let ntt_at_layer_7___STEP_BY: usize = sz 16
+
val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
: Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_Coefficients (sz 32))
Prims.l_True
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst
index b381e5f1b..5eaf95b8b 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst
@@ -3,6 +3,37 @@ module Libcrux_ml_dsa.Simd.Portable.Sample
open Core
open FStar.Mul
+let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) =
+ let sampled:usize = sz 0 in
+ let out, sampled:(t_Slice i32 & usize) =
+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_ChunksExact
+ u8)
+ #FStar.Tactics.Typeclasses.solve
+ (Core.Slice.impl__chunks_exact #u8 randomness (sz 3) <: Core.Slice.Iter.t_ChunksExact u8)
+ <:
+ Core.Slice.Iter.t_ChunksExact u8)
+ (out, sampled <: (t_Slice i32 & usize))
+ (fun temp_0_ bytes ->
+ let out, sampled:(t_Slice i32 & usize) = temp_0_ in
+ let bytes:t_Slice u8 = bytes in
+ let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in
+ let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in
+ let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in
+ let coefficient:i32 =
+ (((b2 <
- let out, sampled:(t_Slice i32 & usize) = temp_0_ in
- let bytes:t_Slice u8 = bytes in
- let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in
- let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in
- let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in
- let coefficient:i32 =
- (((b2 < Prims.l_True)
-val rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32)
+val rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32)
: Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True)
-val rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32)
+val rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32)
: Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
index b67afeff8..de175f072 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti
@@ -3,6 +3,15 @@ module Libcrux_ml_dsa.Simd.Traits
open Core
open FStar.Mul
+let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8
+
+let v_SIMD_UNITS_IN_RING_ELEMENT: usize =
+ Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT
+
+let v_FIELD_MODULUS: i32 = 8380417l
+
+let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL
+
class t_Operations (v_Self: Type0) = {
[@@@ FStar.Tactics.Typeclasses.no_method]_super_13011033735201511749:Core.Marker.t_Copy v_Self;
[@@@ FStar.Tactics.Typeclasses.no_method]_super_9529721400157967266:Core.Clone.t_Clone v_Self;
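Review bot: The constants moved to the top of the module, `v_FIELD_MODULUS: i32 = 8380417l` and `v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL`, carry no doc comment, unlike the constants in Libcrux_ml_kem.Constants.fsti elsewhere in this diff, so a reader must already know that 8380417 is the ML-DSA modulus q = 2^23 - 2^13 + 1 and that 58728449 is the value the Dilithium reference code uses for q^-1 mod 2^32. Since this file is hax output, the comments belong on the Rust constants so they survive re-extraction, e.g. `/// The ML-DSA field modulus q = 2^23 - 2^13 + 1 = 8380417.` and `/// q^(-1) mod 2^32 (Montgomery R = 2^32), used in Montgomery reduction; q * INV == 1 mod 2^32.` That R is 2^32 here is inferred from the u64 type and the reference implementation, not from this hunk, so confirm it against the crate's Montgomery reduction before writing it down.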
@@ -156,12 +165,3 @@ class t_Operations (v_Self: Type0) = {
(f_invert_ntt_montgomery_pre x0)
(fun result -> f_invert_ntt_montgomery_post x0 result)
}
-
-let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8
-
-let v_FIELD_MODULUS: i32 = 8380417l
-
-let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL
-
-let v_SIMD_UNITS_IN_RING_ELEMENT: usize =
- Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
index 18c957ce8..41c19ffa2 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
@@ -3,56 +3,67 @@ module Libcrux_ml_dsa.Types
open Core
open FStar.Mul
-let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE)
-let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+let impl_1 (v_SIZE: usize) = impl_1' v_SIZE
-let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+let impl__zero (v_SIZE: usize) (_: Prims.unit) =
+ { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASigningKey v_SIZE
-let impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value
+let impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
+ { f_value = value } <: t_MLDSASigningKey v_SIZE
-let impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
- { f_value = value } <: t_MLDSASignature v_SIZE
+let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value <: t_Slice u8
let impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value
-let impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
- { f_value = value } <: t_MLDSASigningKey v_SIZE
+let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
-let impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_3': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE)
+
+let impl_3 (v_SIZE: usize) = impl_3' v_SIZE
+
+let impl_2__zero (v_SIZE: usize) (_: Prims.unit) =
+ { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSAVerificationKey v_SIZE
let impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
{ f_value = value } <: t_MLDSAVerificationKey v_SIZE
-let t_SigningError_cast_to_repr (x: t_SigningError) =
- match x <: t_SigningError with
- | SigningError_RejectionSamplingError -> isz 0
- | SigningError_ContextTooLongError -> isz 1
+let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) =
+ self.f_value <: t_Slice u8
-let t_VerificationError_cast_to_repr (x: t_VerificationError) =
- match x <: t_VerificationError with
- | VerificationError_MalformedHintError -> isz 0
- | VerificationError_SignerResponseExceedsBoundError -> isz 1
- | VerificationError_CommitmentHashesDontMatchError -> isz 3
- | VerificationError_VerificationContextTooLongError -> isz 6
+let impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self.f_value
+
+let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
-val impl_1': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE)
+val impl_5': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASignature v_SIZE)
-let impl_1 (v_SIZE: usize) = impl_1' v_SIZE
+let impl_5 (v_SIZE: usize) = impl_5' v_SIZE
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl_3': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE)
+let impl_4__zero (v_SIZE: usize) (_: Prims.unit) =
+ { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASignature v_SIZE
-let impl_3 (v_SIZE: usize) = impl_3' v_SIZE
+let impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE) =
+ { f_value = value } <: t_MLDSASignature v_SIZE
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl_5': v_SIZE: usize -> Core.Clone.t_Clone (t_MLDSASignature v_SIZE)
+let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value <: t_Slice u8
-let impl_5 (v_SIZE: usize) = impl_5' v_SIZE
+let impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value
+
+let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+
+let t_VerificationError_cast_to_repr (x: t_VerificationError) =
+ match x <: t_VerificationError with
+ | VerificationError_MalformedHintError -> isz 0
+ | VerificationError_SignerResponseExceedsBoundError -> isz 1
+ | VerificationError_CommitmentHashesDontMatchError -> isz 3
+ | VerificationError_VerificationContextTooLongError -> isz 6
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
@@ -60,24 +71,13 @@ val impl_6': Core.Fmt.t_Debug t_VerificationError
let impl_6 = impl_6'
+let t_SigningError_cast_to_repr (x: t_SigningError) =
+ match x <: t_SigningError with
+ | SigningError_RejectionSamplingError -> isz 0
+ | SigningError_ContextTooLongError -> isz 1
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
val impl_7': Core.Fmt.t_Debug t_SigningError
let impl_7 = impl_7'
-
-let impl__zero (v_SIZE: usize) (_: Prims.unit) =
- { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASigningKey v_SIZE
-
-let impl_2__zero (v_SIZE: usize) (_: Prims.unit) =
- { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSAVerificationKey v_SIZE
-
-let impl_4__zero (v_SIZE: usize) (_: Prims.unit) =
- { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MLDSASignature v_SIZE
-
-let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self.f_value <: t_Slice u8
-
-let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) =
- self.f_value <: t_Slice u8
-
-let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self.f_value <: t_Slice u8
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
index 03b14dde4..54f32683e 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
@@ -3,49 +3,82 @@ module Libcrux_ml_dsa.Types
open Core
open FStar.Mul
-/// The number of bytes
-val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-/// The number of bytes
-val impl_2__len: v_SIZE: usize -> Prims.unit
- -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
-/// The number of bytes
-val impl_4__len: v_SIZE: usize -> Prims.unit
- -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+///An ML-DSA signature key.
+type t_MLDSASigningKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-///An ML-DSA signature.
-type t_MLDSASignature (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE)
-/// A reference to the raw byte array.
-val impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE)
- : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+/// Init with zero
+val impl__zero: v_SIZE: usize -> Prims.unit
+ -> Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
/// Build
-val impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
- : Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+val impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
+ : Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-///An ML-DSA signature key.
-type t_MLDSASigningKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+/// A reference to the raw byte slice.
+val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
/// A reference to the raw byte array.
val impl__as_ref (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE)
: Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-/// Build
-val impl__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
- : Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+/// The number of bytes
+val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
///An ML-DSA verification key.
type t_MLDSAVerificationKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_3 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE)
+
+/// Init with zero
+val impl_2__zero: v_SIZE: usize -> Prims.unit
+ -> Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Build
+val impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
+ : Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+
+/// A reference to the raw byte slice.
+val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
/// A reference to the raw byte array.
val impl_2__as_ref (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE)
: Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+/// The number of bytes
+val impl_2__len: v_SIZE: usize -> Prims.unit
+ -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+
+///An ML-DSA signature.
+type t_MLDSASignature (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_5 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASignature v_SIZE)
+
+/// Init with zero
+val impl_4__zero: v_SIZE: usize -> Prims.unit
+ -> Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+
/// Build
-val impl_2__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
- : Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+val impl_4__new (v_SIZE: usize) (value: t_Array u8 v_SIZE)
+ : Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+
+/// A reference to the raw byte slice.
+val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+/// A reference to the raw byte array.
+val impl_4__as_ref (v_SIZE: usize) (self: t_MLDSASignature v_SIZE)
+ : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
+
+/// The number of bytes
+val impl_4__len: v_SIZE: usize -> Prims.unit
+ -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
/// An ML-DSA key pair.
type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) = {
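Review bot: The doc comment on the moved `t_MLDSASigningKey` type still reads `///An ML-DSA signature key.` while the type name, the sibling comments (`An ML-DSA verification key.`, `An ML-DSA signature.`) and the `impl__new`/`impl__zero` constructors all say signing key, so "signature key" is easily misread as the signature type. Suggest on the Rust type, so it survives re-extraction: `/// An ML-DSA signing key (secret). `as_slice`/`as_ref` and `Clone` expose or duplicate the raw secret bytes; handle and erase accordingly.` Separately, every `val` in this hunk has the trivial spec `Prims.l_True (fun _ -> Prims.l_True)`, so e.g. `impl__len` is not proven to return `v_SIZE` and `impl__as_ref` is not proven to return `self.f_value`; if verified callers depend on these accessors, `hax_lib::ensures` annotations on the Rust side would give them real postconditions. Whether the signing key is zeroized on drop is not visible in the extraction. `t_MLDSAKeyPair` at the end of the hunk continues outside it.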
@@ -53,13 +86,6 @@ type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize)
f_verification_key:t_MLDSAVerificationKey v_VERIFICATION_KEY_SIZE
}
-type t_SigningError =
- | SigningError_RejectionSamplingError : t_SigningError
- | SigningError_ContextTooLongError : t_SigningError
-
-val t_SigningError_cast_to_repr (x: t_SigningError)
- : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
-
type t_VerificationError =
| VerificationError_MalformedHintError : t_VerificationError
| VerificationError_SignerResponseExceedsBoundError : t_VerificationError
@@ -70,40 +96,14 @@ val t_VerificationError_cast_to_repr (x: t_VerificationError)
: Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASigningKey v_SIZE)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_3 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSAVerificationKey v_SIZE)
+val impl_6:Core.Fmt.t_Debug t_VerificationError
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_5 (v_SIZE: usize) : Core.Clone.t_Clone (t_MLDSASignature v_SIZE)
+type t_SigningError =
+ | SigningError_RejectionSamplingError : t_SigningError
+ | SigningError_ContextTooLongError : t_SigningError
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_6:Core.Fmt.t_Debug t_VerificationError
+val t_SigningError_cast_to_repr (x: t_SigningError)
+ : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl_7:Core.Fmt.t_Debug t_SigningError
-
-/// Init with zero
-val impl__zero: v_SIZE: usize -> Prims.unit
- -> Prims.Pure (t_MLDSASigningKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Init with zero
-val impl_2__zero: v_SIZE: usize -> Prims.unit
- -> Prims.Pure (t_MLDSAVerificationKey v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Init with zero
-val impl_4__zero: v_SIZE: usize -> Prims.unit
- -> Prims.Pure (t_MLDSASignature v_SIZE) Prims.l_True (fun _ -> Prims.l_True)
-
-/// A reference to the raw byte slice.
-val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-/// A reference to the raw byte slice.
-val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-
-/// A reference to the raw byte slice.
-val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE)
- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst
index 184d21930..e5061f519 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst
@@ -97,9 +97,6 @@ let compare (lhs rhs: t_Slice u8) =
in
is_non_zero r
-let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) =
- Core.Hint.black_box #u8 (compare lhs rhs <: u8)
-
#push-options "--ifuel 0 --z3rlimit 50"
let select_ct (lhs rhs: t_Slice u8) (selector: u8) =
@@ -186,6 +183,9 @@ let select_ct (lhs rhs: t_Slice u8) (selector: u8) =
#pop-options
+let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) =
+ Core.Hint.black_box #u8 (compare lhs rhs <: u8)
+
let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) =
Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
index 981aa5aa1..34491dcac 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
@@ -30,14 +30,6 @@ val compare (lhs rhs: t_Slice u8)
let result:u8 = result in
(lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy))
-val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8)
- : Prims.Pure u8
- (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize))
- (ensures
- fun result ->
- let result:u8 = result in
- (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy))
-
/// If `selector` is not zero, return the bytes in `rhs`; return the bytes in
/// `lhs` otherwise.
val select_ct (lhs rhs: t_Slice u8) (selector: u8)
@@ -50,6 +42,14 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8)
let result:t_Array u8 (sz 32) = result in
(selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs))
+val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8)
+ : Prims.Pure u8
+ (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize))
+ (ensures
+ fun result ->
+ let result:u8 = result in
+ (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy))
+
val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8)
: Prims.Pure (t_Array u8 (sz 32))
(requires
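Review bot: The relocated spec for `compare_ciphertexts_in_constant_time` is purely functional — it requires equal lengths and ensures `result == 0uy` exactly when `lhs == rhs` — so the `constant_time` in the name is not a property this interface verifies; in the .fst the function is `Core.Hint.black_box` around `compare`, and `black_box` is an optimization hint, not a guarantee. A doc comment on the Rust function would keep that honest for readers of the extracted spec, e.g. `/// Returns 0 if lhs == rhs and 1 otherwise (slices must have equal length). The timing property is not part of the F* spec: it relies on compare being branch-free on the data and on black_box as an optimisation barrier.` The same caveat applies to `select_shared_secret_in_constant_time`, whose `val` begins at the end of this hunk and continues outside it.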
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti
index 1c3fdf673..e50920433 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti
@@ -15,13 +15,13 @@ let v_BITS_PER_RING_ELEMENT: usize = v_COEFFICIENTS_IN_RING_ELEMENT *! sz 12
/// Bytes required per (uncompressed) ring element
let v_BYTES_PER_RING_ELEMENT: usize = v_BITS_PER_RING_ELEMENT /! sz 8
-let v_CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = sz 32
+/// The size of an ML-KEM shared secret.
+let v_SHARED_SECRET_SIZE: usize = sz 32
-/// SHA3 512 digest size
-let v_G_DIGEST_SIZE: usize = sz 64
+let v_CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = sz 32
/// SHA3 256 digest size
let v_H_DIGEST_SIZE: usize = sz 32
-/// The size of an ML-KEM shared secret.
-let v_SHARED_SECRET_SIZE: usize = sz 32
+/// SHA3 512 digest size
+let v_G_DIGEST_SIZE: usize = sz 64
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst
index e5d447350..b35c46a25 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fst
@@ -8,12 +8,6 @@ val t_Simd256Hash': eqtype
let t_Simd256Hash = t_Simd256Hash'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K
-
-let impl (v_K: usize) = impl' v_K
-
assume
val v_G': input: t_Slice u8
-> Prims.Pure (t_Array u8 (sz 64))
@@ -79,3 +73,9 @@ val shake128_squeeze_next_block': v_K: usize -> st: t_Simd256Hash
(fun _ -> Prims.l_True)
let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K
+
+let impl (v_K: usize) = impl' v_K
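Review bot: The `t_Hash` instance moved to the end of the module is still `assume val impl'`, as are `v_G'` and `shake128_squeeze_next_block'` above it, so the whole AVX2 hash layer enters the F* development as axioms: nothing about the SIMD SHA3/SHAKE implementation is verified, and any proof over the ML-KEM code that is generic in `t_Hash` trusts it. That is the expected result of extracting intrinsics-based code as opaque, but it should be stated in the trusted-computing-base documentation rather than left implicit; a comment on the Rust module such as `// Extracted as opaque (assume) for F*: the AVX2 SHA3/SHAKE implementation is trusted, not verified.` would make it explicit. The Neon and Portable hash modules in this diff have the same `assume val impl'` shape and deserve the same note.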
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti
index c830bb8f6..d57a03f50 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti
@@ -8,9 +8,6 @@ open FStar.Mul
/// All other functions don\'t actually use any members.
val t_Simd256Hash:eqtype
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K
-
val v_G (input: t_Slice u8)
: Prims.Pure (t_Array u8 (sz 64))
Prims.l_True
@@ -55,3 +52,6 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash)
: Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)
Prims.l_True
(fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst
index 8c2d78e3f..71d96ffcd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fst
@@ -8,12 +8,6 @@ val t_Simd128Hash': eqtype
let t_Simd128Hash = t_Simd128Hash'
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K
-
-let impl (v_K: usize) = impl' v_K
-
assume
val v_G': input: t_Slice u8
-> Prims.Pure (t_Array u8 (sz 64))
@@ -79,3 +73,9 @@ val shake128_squeeze_next_block': v_K: usize -> st: t_Simd128Hash
(fun _ -> Prims.l_True)
let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K
+
+let impl (v_K: usize) = impl' v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti
index 1a7c6875a..31ac2d75f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti
@@ -8,9 +8,6 @@ open FStar.Mul
/// All other functions don\'t actually use any members.
val t_Simd128Hash:eqtype
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K
-
val v_G (input: t_Slice u8)
: Prims.Pure (t_Array u8 (sz 64))
Prims.l_True
@@ -55,3 +52,6 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash)
: Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)
Prims.l_True
(fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst
index 7ed902f04..688ad2278 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fst
@@ -8,12 +8,6 @@ val t_PortableHash': v_K: usize -> eqtype
let t_PortableHash (v_K: usize) = t_PortableHash' v_K
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K
-
-let impl (v_K: usize) = impl' v_K
-
assume
val v_G': input: t_Slice u8
-> Prims.Pure (t_Array u8 (sz 64))
@@ -79,3 +73,9 @@ val shake128_squeeze_next_block': v_K: usize -> st: t_PortableHash v_K
(fun _ -> Prims.l_True)
let shake128_squeeze_next_block (v_K: usize) = shake128_squeeze_next_block' v_K
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': v_K: usize -> Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K
+
+let impl (v_K: usize) = impl' v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti
index 661213d58..6d8dee682 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti
@@ -8,9 +8,6 @@ open FStar.Mul
/// All other functions don\'t actually use any members.
val t_PortableHash (v_K: usize) : eqtype
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K
-
val v_G (input: t_Slice u8)
: Prims.Pure (t_Array u8 (sz 64))
Prims.l_True
@@ -55,3 +52,6 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K)
: Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)
Prims.l_True
(fun _ -> Prims.l_True)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
index ec28ee0ba..d3c42e003 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
@@ -13,59 +13,65 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-let decapsulate_avx2
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
- v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
- v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
- key_pair ciphertext
-
-let decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+let unpack_public_key_avx2
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
=
- decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE
- v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE key_pair ciphertext
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+ v_T_AS_NTT_ENCODED_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ public_key
+ unpacked_public_key
+ in
+ unpacked_public_key
-let encapsulate_avx2
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
- usize)
- (public_key:
+let unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (randomness: t_Array u8 (sz 32))
=
- Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
- v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
- #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ unpack_public_key_avx2 v_K
+ v_T_AS_NTT_ENCODED_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ public_key
+ unpacked_public_key
+ in
+ unpacked_public_key
-let encapsulate
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+let keypair_from_private_key
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
usize)
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (randomness: t_Array u8 (sz 32))
=
- encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
- v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
- v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Libcrux_ml_kem.Ind_cca.Unpacked.keys_from_private_key v_K
+ v_SECRET_KEY_SIZE
+ v_CPA_SECRET_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_BYTES_PER_RING_ELEMENT
+ v_T_AS_NTT_ENCODED_SIZE
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ private_key
+ key_pair
+ in
+ key_pair
let generate_keypair_avx2
(v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
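Review bot: The relocated `unpack_public_key` and `unpack_public_key_avx2` hand the serialized `public_key` straight to `Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key` with no check of their own, and whether the FIPS 203 encapsulation-key check (re-encode the decoded t and compare with the input) happens inside that callee or is left to the caller is not visible in this hunk. Because these wrappers are the public entry points of the instantiation, a doc comment on the Rust function stating where validation happens would remove the ambiguity, e.g. `/// Unpacks a serialized public key into `unpacked_public_key`. Does not validate the key; callers must run the public-key check first.` — or the converse, if the callee validates. Note also that the `_avx2` wrapper and the plain wrapper repeat the same four-parameter order (`v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE`) by hand, so any future change must be mirrored in both. `generate_keypair_avx2` at the end of the hunk continues outside it.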
@@ -106,62 +112,56 @@ let generate_keypair
in
out
-let keypair_from_private_key
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+let encapsulate_avx2
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (randomness: t_Array u8 (sz 32))
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Libcrux_ml_kem.Ind_cca.Unpacked.keys_from_private_key v_K
- v_SECRET_KEY_SIZE
- v_CPA_SECRET_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_BYTES_PER_RING_ELEMENT
- v_T_AS_NTT_ENCODED_SIZE
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
- private_key
- key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
+ v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness
-let unpack_public_key_avx2
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
+let encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (randomness: t_Array u8 (sz 32))
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
- v_T_AS_NTT_ENCODED_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+ v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
+ v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness
-let unpack_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+let decapsulate_avx2
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- unpack_public_key_avx2 v_K
- v_T_AS_NTT_ENCODED_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+ v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
+ key_pair ciphertext
+
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ =
+ decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE
+ v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE key_pair ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti
index b55a38fd3..97a744e17 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti
@@ -13,47 +13,88 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-val decapsulate_avx2
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+/// Get the unpacked public key.
+val unpack_public_key_avx2
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Take a serialized private key and generate an unpacked key pair from it.
+val keypair_from_private_key
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
usize)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
(requires
- Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
(fun _ -> Prims.l_True)
-/// Unpacked decapsulate
-val decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+val generate_keypair_avx2
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
usize)
- (key_pair:
+ (randomness: t_Array u8 (sz 64))
+ (out:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
(requires
- Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+ Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Generate a key pair
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
(fun _ -> Prims.l_True)
val encapsulate_avx2
@@ -97,86 +138,45 @@ val encapsulate
v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
(fun _ -> Prims.l_True)
-val generate_keypair_avx2
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
- usize)
- (randomness: t_Array u8 (sz 64))
- (out:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Generate a key pair
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+val decapsulate_avx2
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- (out:
+ (key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+ Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
-/// Take a serialized private key and generate an unpacked key pair from it.
-val keypair_from_private_key
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+/// Unpacked decapsulate
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpack_public_key_avx2
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpack_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst
index c6fa41647..5aa8ec2e7 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst
@@ -13,6 +13,45 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let generate_keypair_avx2
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ =
+ Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
+ #Libcrux_ml_kem.Variant.t_MlKem randomness
+
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ =
+ generate_keypair_avx2 v_K
+ v_CPA_PRIVATE_KEY_SIZE
+ v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_BYTES_PER_RING_ELEMENT
+ v_ETA1
+ v_ETA1_RANDOMNESS_SIZE
+ randomness
+
+let validate_public_key_avx2
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.validate_public_key v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ public_key
+
+let validate_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ = validate_public_key_avx2 v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key
+
let validate_private_key_avx2
(v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -40,30 +79,6 @@ let validate_private_key_only
#Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
private_key
-let decapsulate_avx2
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE
- v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
- #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext
-
-let decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- =
- decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE
- v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext
-
let encapsulate_avx2
(v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
@@ -86,41 +101,26 @@ let encapsulate
v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness
-let generate_keypair_avx2
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+let decapsulate_avx2
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
=
- Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE
+ v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
#Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash
- #Libcrux_ml_kem.Variant.t_MlKem randomness
+ #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext
-let generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- =
- generate_keypair_avx2 v_K
- v_CPA_PRIVATE_KEY_SIZE
- v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_BYTES_PER_RING_ELEMENT
- v_ETA1
- v_ETA1_RANDOMNESS_SIZE
- randomness
-
-let validate_public_key_avx2
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
=
- Libcrux_ml_kem.Ind_cca.validate_public_key v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
- public_key
-
-let validate_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
- = validate_public_key_avx2 v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key
+ decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE
+ v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti
index d31791ba7..f1a076348 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti
@@ -13,6 +13,55 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Portable generate key pair.
+val generate_keypair_avx2
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+val validate_public_key_avx2
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ : Prims.Pure bool
+ (requires
+ Spec.MLKEM.is_rank v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+val validate_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ : Prims.Pure bool
+ (requires
+ Spec.MLKEM.is_rank v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
val validate_private_key_avx2
(v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -42,50 +91,6 @@ val validate_private_key_only
)
(fun _ -> Prims.l_True)
-val decapsulate_avx2
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-val decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
- (fun _ -> Prims.l_True)
-
val encapsulate_avx2
(v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
@@ -124,51 +129,46 @@ val encapsulate
v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
-/// Portable generate key pair.
-val generate_keypair_avx2
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+val decapsulate_avx2
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-val validate_public_key_avx2
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
- : Prims.Pure bool
- (requires
- Spec.MLKEM.is_rank v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-val validate_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
- : Prims.Pure bool
- (requires
- Spec.MLKEM.is_rank v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst
index c6b885fed..793237fb4 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst
@@ -13,52 +13,25 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-let decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
- v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
- v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext
-
-let encapsulate
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
- usize)
- (public_key:
+let unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
- v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness
-
-let generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
- usize)
- (randomness: t_Array u8 (sz 64))
- (out:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
=
- let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+ v_T_AS_NTT_ENCODED_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
#Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness
- out
+ public_key
+ unpacked_public_key
in
- out
+ unpacked_public_key
let keypair_from_private_key
(v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
@@ -82,22 +55,49 @@ let keypair_from_private_key
in
key_pair
-let unpack_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
- v_T_AS_NTT_ENCODED_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
+ Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
#Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- public_key
- unpacked_public_key
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness
+ out
in
- unpacked_public_key
+ out
+
+let encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
+ v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness
+
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+ v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
index 05e8e5cd5..bdaffe833 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
@@ -13,29 +13,58 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-/// Unpacked decapsulate
-val decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+/// Get the unpacked public key.
+val unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Take a serialized private key and generate an unpacked key pair from it.
+val keypair_from_private_key
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
usize)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
(requires
Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Generate a key pair
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
/// Unpacked encapsulate
@@ -60,56 +89,27 @@ val encapsulate
v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
-/// Generate a key pair
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
- usize)
- (randomness: t_Array u8 (sz 64))
- (out:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Take a serialized private key and generate an unpacked key pair from it.
-val keypair_from_private_key
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+/// Unpacked decapsulate
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpack_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
index 30ff60795..8df0f25e0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
@@ -13,6 +13,26 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ =
+ Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness
+
+let validate_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.validate_public_key v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ public_key
+
let validate_private_key
(v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -34,20 +54,6 @@ let validate_private_key_only
#Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
private_key
-let decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE
- v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem private_key
- ciphertext
-
let encapsulate
(v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
@@ -61,22 +67,16 @@ let encapsulate
#Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key
randomness
-let generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- =
- Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness
-
-let validate_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
=
- Libcrux_ml_kem.Ind_cca.validate_public_key v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
+ Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE
+ v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
#Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- public_key
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem private_key
+ ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti
index fd97941df..e0656541b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti
@@ -13,6 +13,32 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Portable generate key pair.
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Public key validation
+val validate_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ : Prims.Pure bool
+ (requires
+ Spec.MLKEM.is_rank v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
/// Private key validation
val validate_private_key
(v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
@@ -33,29 +59,6 @@ val validate_private_key_only
)
(fun _ -> Prims.l_True)
-/// Portable decapsulate
-val decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
- (fun _ -> Prims.l_True)
-
val encapsulate
(v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
@@ -75,28 +78,25 @@ val encapsulate
v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
-/// Portable generate key pair.
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+/// Portable decapsulate
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Public key validation
-val validate_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
- : Prims.Pure bool
- (requires
- Spec.MLKEM.is_rank v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
index c32203958..b1d3208cb 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
@@ -13,52 +13,25 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-let decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
- v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
- v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext
-
-let encapsulate
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
- usize)
- (public_key:
+let unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
- v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness
-
-let generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
- usize)
- (randomness: t_Array u8 (sz 64))
- (out:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
=
- let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+ v_T_AS_NTT_ENCODED_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
#Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
- randomness out
+ public_key
+ unpacked_public_key
in
- out
+ unpacked_public_key
let keypair_from_private_key
(v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
@@ -82,22 +55,49 @@ let keypair_from_private_key
in
key_pair
-let unpack_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ let out:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
- v_T_AS_NTT_ENCODED_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
+ Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
#Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- public_key
- unpacked_public_key
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
+ randomness out
in
- unpacked_public_key
+ out
+
+let encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
+ v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness
+
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+ v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
index f406d6a8f..61be48b3e 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
@@ -13,29 +13,58 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-/// Unpacked decapsulate
-val decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+/// Get the unpacked public key.
+val unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Take a serialized private key and generate an unpacked key pair from it.
+val keypair_from_private_key
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
usize)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
(requires
Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Generate a key pair
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
/// Unpacked encapsulate
@@ -60,56 +89,27 @@ val encapsulate
v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
-/// Generate a key pair
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
- usize)
- (randomness: t_Array u8 (sz 64))
- (out:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Take a serialized private key and generate an unpacked key pair from it.
-val keypair_from_private_key
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+/// Unpacked decapsulate
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpack_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst
index 414098242..140aaad8b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst
@@ -13,6 +13,27 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ =
+ Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
+ randomness
+
+let validate_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.validate_public_key v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ public_key
+
let validate_private_key
(v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -34,20 +55,6 @@ let validate_private_key_only
#(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
private_key
-let decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE
- v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
- v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
- v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
- private_key ciphertext
-
let encapsulate
(v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
@@ -61,23 +68,16 @@ let encapsulate
#(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
public_key randomness
-let generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
=
- Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ Libcrux_ml_kem.Ind_cca.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE
+ v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
#Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
#(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem
- randomness
-
-let validate_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.validate_public_key v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- public_key
+ private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti
index 19dc4859d..07201e636 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti
@@ -13,6 +13,32 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Portable generate key pair.
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+/// Public key validation
+val validate_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ : Prims.Pure bool
+ (requires
+ Spec.MLKEM.is_rank v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
/// Private key validation
val validate_private_key
(v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
@@ -33,29 +59,6 @@ val validate_private_key_only
)
(fun _ -> Prims.l_True)
-/// Portable decapsulate
-val decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
- (fun _ -> Prims.l_True)
-
val encapsulate
(v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
@@ -75,28 +78,25 @@ val encapsulate
v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
-/// Portable generate key pair.
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+/// Portable decapsulate
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Public key validation
-val validate_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
- : Prims.Pure bool
- (requires
- Spec.MLKEM.is_rank v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst
index ca7056f6c..d5da4cbde 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst
@@ -3,6 +3,15 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing
open Core
open FStar.Mul
+let validate_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ public_key
+
let validate_private_key
(v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
@@ -14,42 +23,41 @@ let validate_private_key
private_key
ciphertext
-let validate_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- public_key
-
-let decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ (randomness: t_Array u8 (sz 64))
=
if Libcrux_platform.Platform.simd256_support ()
then
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate v_K v_SECRET_KEY_SIZE
- v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
- v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
- v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- private_key ciphertext
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair v_K
+ v_CPA_PRIVATE_KEY_SIZE
+ v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_ETA1
+ v_ETA1_RANDOMNESS_SIZE
+ randomness
else
if Libcrux_platform.Platform.simd128_support ()
then
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate v_K v_SECRET_KEY_SIZE
- v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
- v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
- v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- private_key ciphertext
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair v_K
+ v_CPA_PRIVATE_KEY_SIZE
+ v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_ETA1
+ v_ETA1_RANDOMNESS_SIZE
+ randomness
else
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate v_K v_SECRET_KEY_SIZE
- v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
- v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
- v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
- private_key ciphertext
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair v_K
+ v_CPA_PRIVATE_KEY_SIZE
+ v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_ETA1
+ v_ETA1_RANDOMNESS_SIZE
+ randomness
let encapsulate
(v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
@@ -76,38 +84,30 @@ let encapsulate
v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
v_ETA2_RANDOMNESS_SIZE public_key randomness
-let generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
=
if Libcrux_platform.Platform.simd256_support ()
then
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair v_K
- v_CPA_PRIVATE_KEY_SIZE
- v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_ETA1
- v_ETA1_RANDOMNESS_SIZE
- randomness
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate v_K v_SECRET_KEY_SIZE
+ v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+ v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ private_key ciphertext
else
if Libcrux_platform.Platform.simd128_support ()
then
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair v_K
- v_CPA_PRIVATE_KEY_SIZE
- v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_ETA1
- v_ETA1_RANDOMNESS_SIZE
- randomness
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate v_K v_SECRET_KEY_SIZE
+ v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+ v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ private_key ciphertext
else
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair v_K
- v_CPA_PRIVATE_KEY_SIZE
- v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_ETA1
- v_ETA1_RANDOMNESS_SIZE
- randomness
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate v_K v_SECRET_KEY_SIZE
+ v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+ v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti
index 4fc70d000..523eb4bd1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti
@@ -3,16 +3,6 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing
open Core
open FStar.Mul
-val validate_private_key
- (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure bool
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
- (fun _ -> Prims.l_True)
-
val validate_public_key
(v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
(public_key: t_Array u8 v_PUBLIC_KEY_SIZE)
@@ -23,26 +13,28 @@ val validate_public_key
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
(fun _ -> Prims.l_True)
-val decapsulate
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
- usize)
+val validate_private_key
+ (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure bool
(requires
Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
val encapsulate
@@ -64,16 +56,24 @@ val encapsulate
v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
(fun _ -> Prims.l_True)
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
- (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K)
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K)
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
index 74db3dabb..df129f377 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst
@@ -15,24 +15,6 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-let impl_4__private_key
- (v_K: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
- = self.f_private_key
-
-let impl_4__public_key
- (v_K: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
- = self.f_public_key
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
val impl_2':
@@ -51,102 +33,170 @@ let impl_2
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
= impl_2' v_K #v_Vector #i1 #i2
-#push-options "--z3rlimit 200"
+let unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (#v_Hasher #v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i2:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ =
+ let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
+ {
+ unpacked_public_key with
+ f_ind_cpa_public_key
+ =
+ {
+ unpacked_public_key.f_ind_cpa_public_key with
+ Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+ =
+ Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K
+ #v_Vector
+ (public_key.Libcrux_ml_kem.Types.f_value.[ {
+ Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE
+ }
+ <:
+ Core.Ops.Range.t_RangeTo usize ]
+ <:
+ t_Slice u8)
+ unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+ }
+ <:
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ }
+ <:
+ t_MlKemPublicKeyUnpacked v_K v_Vector
+ in
+ let _:Prims.unit =
+ let _, seed = split public_key.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) in
+ Lib.Sequence.eq_intro #u8 #32 (Libcrux_ml_kem.Utils.into_padded_array (sz 32) seed) seed;
+ Lib.Sequence.eq_intro #u8
+ #32
+ (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32)
+ seed
+ in
+ let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
+ {
+ unpacked_public_key with
+ f_ind_cpa_public_key
+ =
+ {
+ unpacked_public_key.f_ind_cpa_public_key with
+ Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
+ =
+ Libcrux_ml_kem.Utils.into_padded_array (sz 32)
+ (public_key.Libcrux_ml_kem.Types.f_value.[ {
+ Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE
+ }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
+ }
+ <:
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ }
+ <:
+ t_MlKemPublicKeyUnpacked v_K v_Vector
+ in
+ let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
+ {
+ unpacked_public_key with
+ f_ind_cpa_public_key
+ =
+ {
+ unpacked_public_key.f_ind_cpa_public_key with
+ Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+ =
+ Libcrux_ml_kem.Matrix.sample_matrix_A v_K
+ #v_Vector
+ #v_Hasher
+ unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+ (Libcrux_ml_kem.Utils.into_padded_array (sz 34)
+ (public_key.Libcrux_ml_kem.Types.f_value.[ {
+ Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE
+ }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
+ <:
+ t_Array u8 (sz 34))
+ false
+ }
+ <:
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ }
+ <:
+ t_MlKemPublicKeyUnpacked v_K v_Vector
+ in
+ let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
+ {
+ unpacked_public_key with
+ f_public_key_hash
+ =
+ Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
+ #v_K
+ #FStar.Tactics.Typeclasses.solve
+ (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
+ }
+ <:
+ t_MlKemPublicKeyUnpacked v_K v_Vector
+ in
+ unpacked_public_key
-let transpose_a
+let impl_3__serialized_mut
(v_K: usize)
(#v_Vector: Type0)
+ (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (ind_cpa_a:
- t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+ (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
=
- let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
- Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- v_K
- (fun v__i ->
- let v__i:usize = v__i in
- Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K
- (fun v__j ->
- let v__j:usize = v__j in
- Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- <:
- t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- in
- let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- v_K
- (fun v_A i ->
- let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- v_K =
- v_A
- in
- let i:usize = i in
- forall (j: nat).
- j < v i ==>
- (forall (k: nat).
- k < v v_K ==> Seq.index (Seq.index v_A j) k == Seq.index (Seq.index ind_cpa_a k) j))
- v_A
- (fun v_A i ->
- let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- v_K =
- v_A
- in
- let i:usize = i in
- let v__a_i:t_Array
- (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
- v_A
- in
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- v_K
- (fun v_A j ->
- let v_A:t_Array
- (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
- v_A
- in
- let j:usize = j in
- (forall (k: nat). k < v i ==> Seq.index v_A k == Seq.index v__a_i k) /\
- (forall (k: nat).
- k < v j ==>
- Seq.index (Seq.index v_A (v i)) k == Seq.index (Seq.index ind_cpa_a k) (v i)))
- v_A
- (fun v_A j ->
- let v_A:t_Array
- (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
- v_A
- in
- let j:usize = j in
- let v_A:t_Array
- (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A
- i
- (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A.[ i ]
- <:
- t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- j
- (Core.Clone.f_clone #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement
- v_Vector)
- #FStar.Tactics.Typeclasses.solve
- ((ind_cpa_a.[ j ]
- <:
- t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K).[ i ]
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- <:
- t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- in
- v_A))
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
+ {
+ serialized with
+ Libcrux_ml_kem.Types.f_value
+ =
+ Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #v_Vector
+ self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+ (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
+ serialized.Libcrux_ml_kem.Types.f_value
+ }
+ <:
+ Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE
in
- v_A
+ serialized
-#pop-options
+let impl_3__serialized
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ =
+ Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ #(t_Array u8 v_PUBLIC_KEY_SIZE)
+ #FStar.Tactics.Typeclasses.solve
+ (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #v_Vector
+ self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+ (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
+ <:
+ t_Array u8 v_PUBLIC_KEY_SIZE)
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl
@@ -175,54 +225,6 @@ let impl
t_MlKemPublicKeyUnpacked v_K v_Vector
}
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_1
- (v_K: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector) =
- {
- f_default_pre = (fun (_: Prims.unit) -> true);
- f_default_post = (fun (_: Prims.unit) (out: t_MlKemKeyPairUnpacked v_K v_Vector) -> true);
- f_default
- =
- fun (_: Prims.unit) ->
- {
- f_private_key
- =
- {
- f_ind_cpa_private_key
- =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K
- v_Vector)
- #FStar.Tactics.Typeclasses.solve
- ();
- f_implicit_rejection_value = Rust_primitives.Hax.repeat 0uy (sz 32)
- }
- <:
- t_MlKemPrivateKeyUnpacked v_K v_Vector;
- f_public_key
- =
- Core.Default.f_default #(t_MlKemPublicKeyUnpacked v_K v_Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
- }
- <:
- t_MlKemKeyPairUnpacked v_K v_Vector
- }
-
-let impl_4__new
- (v_K: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (_: Prims.unit)
- =
- Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve ()
-
let keys_from_private_key
(v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
usize)
@@ -316,350 +318,345 @@ let keys_from_private_key
let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
{
key_pair with
- f_private_key
- =
- {
- key_pair.f_private_key with
- f_implicit_rejection_value
- =
- Core.Slice.impl__copy_from_slice #u8
- key_pair.f_private_key.f_implicit_rejection_value
- implicit_rejection_value
- }
- <:
- t_MlKemPrivateKeyUnpacked v_K v_Vector
- }
- <:
- t_MlKemKeyPairUnpacked v_K v_Vector
- in
- let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
- {
- key_pair with
- f_public_key
- =
- {
- key_pair.f_public_key with
- f_ind_cpa_public_key
- =
- {
- key_pair.f_public_key.f_ind_cpa_public_key with
- Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
- =
- Core.Slice.impl__copy_from_slice #u8
- key_pair.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
- (ind_cpa_public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
- }
- <:
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
- }
- <:
- t_MlKemPublicKeyUnpacked v_K v_Vector
- }
- <:
- t_MlKemKeyPairUnpacked v_K v_Vector
- in
- key_pair
-
-let impl_4__from_private_key
- (v_K: usize)
- (#v_Vector: Type0)
- (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
- usize)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- =
- let out:t_MlKemKeyPairUnpacked v_K v_Vector =
- Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let out:t_MlKemKeyPairUnpacked v_K v_Vector =
- keys_from_private_key v_K
- v_SECRET_KEY_SIZE
- v_CPA_SECRET_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_BYTES_PER_RING_ELEMENT
- v_T_AS_NTT_ENCODED_SIZE
- #v_Vector
- private_key
- out
- in
- out
-
-let unpack_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (#v_Hasher #v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
- =
- let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
- {
- unpacked_public_key with
- f_ind_cpa_public_key
- =
- {
- unpacked_public_key.f_ind_cpa_public_key with
- Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
- =
- Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K
- #v_Vector
- (public_key.Libcrux_ml_kem.Types.f_value.[ {
- Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE
- }
- <:
- Core.Ops.Range.t_RangeTo usize ]
- <:
- t_Slice u8)
- unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
- }
- <:
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
- }
- <:
- t_MlKemPublicKeyUnpacked v_K v_Vector
- in
- let _:Prims.unit =
- let _, seed = split public_key.f_value (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K) in
- Lib.Sequence.eq_intro #u8 #32 (Libcrux_ml_kem.Utils.into_padded_array (sz 32) seed) seed;
- Lib.Sequence.eq_intro #u8
- #32
- (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32)
- seed
- in
- let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
- {
- unpacked_public_key with
- f_ind_cpa_public_key
- =
- {
- unpacked_public_key.f_ind_cpa_public_key with
- Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
- =
- Libcrux_ml_kem.Utils.into_padded_array (sz 32)
- (public_key.Libcrux_ml_kem.Types.f_value.[ {
- Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE
- }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
- }
- <:
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
- }
- <:
- t_MlKemPublicKeyUnpacked v_K v_Vector
- in
- let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
- {
- unpacked_public_key with
- f_ind_cpa_public_key
- =
- {
- unpacked_public_key.f_ind_cpa_public_key with
- Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
- =
- Libcrux_ml_kem.Matrix.sample_matrix_A v_K
- #v_Vector
- #v_Hasher
- unpacked_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
- (Libcrux_ml_kem.Utils.into_padded_array (sz 34)
- (public_key.Libcrux_ml_kem.Types.f_value.[ {
- Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE
- }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
- <:
- t_Array u8 (sz 34))
- false
+ f_private_key
+ =
+ {
+ key_pair.f_private_key with
+ f_implicit_rejection_value
+ =
+ Core.Slice.impl__copy_from_slice #u8
+ key_pair.f_private_key.f_implicit_rejection_value
+ implicit_rejection_value
}
<:
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ t_MlKemPrivateKeyUnpacked v_K v_Vector
}
<:
- t_MlKemPublicKeyUnpacked v_K v_Vector
+ t_MlKemKeyPairUnpacked v_K v_Vector
in
- let unpacked_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector =
+ let key_pair:t_MlKemKeyPairUnpacked v_K v_Vector =
{
- unpacked_public_key with
- f_public_key_hash
+ key_pair with
+ f_public_key
=
- Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
- #v_K
- #FStar.Tactics.Typeclasses.solve
- (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
+ {
+ key_pair.f_public_key with
+ f_ind_cpa_public_key
+ =
+ {
+ key_pair.f_public_key.f_ind_cpa_public_key with
+ Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
+ =
+ Core.Slice.impl__copy_from_slice #u8
+ key_pair.f_public_key.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A
+ (ind_cpa_public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
+ }
+ <:
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ }
+ <:
+ t_MlKemPublicKeyUnpacked v_K v_Vector
}
<:
- t_MlKemPublicKeyUnpacked v_K v_Vector
+ t_MlKemKeyPairUnpacked v_K v_Vector
in
- unpacked_public_key
+ key_pair
-let encapsulate
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
- usize)
- (#v_Vector #v_Hasher: Type0)
+let impl_4__public_key
+ (v_K: usize)
+ (#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
+ i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ = self.f_public_key
+
+let impl_4__private_key
+ (v_K: usize)
+ (#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
- (randomness: t_Array u8 (sz 32))
- =
- let _:Prims.unit =
- Lib.Sequence.eq_intro #u8
- #32
- (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 64) randomness) 0 32)
- randomness
- in
- let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
- Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
- in
- let to_hash:t_Array u8 (sz 64) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
- ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
- <:
- Core.Ops.Range.t_RangeFrom usize)
- (Core.Slice.impl__copy_from_slice #u8
- (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
- (public_key.f_public_key_hash <: t_Slice u8)
- <:
- t_Slice u8)
- in
- let _:Prims.unit =
- Lib.Sequence.eq_intro #u8 #64 to_hash (concat randomness public_key.f_public_key_hash)
- in
- let hashed:t_Array u8 (sz 64) =
- Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
- #v_K
- #FStar.Tactics.Typeclasses.solve
- (to_hash <: t_Slice u8)
- in
- let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- (hashed <: t_Slice u8)
- Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
- in
- let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
- Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
- v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
- v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
- public_key.f_ind_cpa_public_key randomness pseudorandomness
- in
- let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let shared_secret_array:t_Array u8 (sz 32) =
- Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret
- in
- Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- #(t_Array u8 v_CIPHERTEXT_SIZE)
- #FStar.Tactics.Typeclasses.solve
- ciphertext,
- shared_secret_array
- <:
- (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ = self.f_private_key
-let impl_3__serialized_mut
+let impl_4__serialized_public_key_mut
(v_K: usize)
(#v_Vector: Type0)
(v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
(serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
=
let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
+ impl_3__serialized_mut v_K
+ #v_Vector
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ self.f_public_key
+ serialized
+ in
+ serialized
+
+let impl_4__serialized_public_key
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ =
+ impl_3__serialized v_K
+ #v_Vector
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ self.f_public_key
+
+let impl_4__serialized_private_key_mut
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
+ usize)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+ =
+ let ind_cpa_private_key, ind_cpa_public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE &
+ t_Array u8 v_PUBLIC_KEY_SIZE) =
+ Libcrux_ml_kem.Ind_cpa.serialize_unpacked_secret_key v_K
+ v_CPA_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ #v_Vector
+ self.f_public_key.f_ind_cpa_public_key
+ self.f_private_key.f_ind_cpa_private_key
+ in
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
{
serialized with
Libcrux_ml_kem.Types.f_value
=
- Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #v_Vector
- self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
- (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
+ Libcrux_ml_kem.Ind_cca.serialize_kem_secret_key_mut v_K
+ v_PRIVATE_KEY_SIZE
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
+ (ind_cpa_private_key <: t_Slice u8)
+ (ind_cpa_public_key <: t_Slice u8)
+ (self.f_private_key.f_implicit_rejection_value <: t_Slice u8)
serialized.Libcrux_ml_kem.Types.f_value
}
<:
- Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE
+ Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE
in
serialized
-let impl_4__serialized_public_key_mut
+let impl_4__serialized_private_key
(v_K: usize)
(#v_Vector: Type0)
- (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
+ usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
(self: t_MlKemKeyPairUnpacked v_K v_Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
- impl_3__serialized_mut v_K
+ let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
+ Core.Default.f_default #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
+ impl_4__serialized_private_key_mut v_K
#v_Vector
- v_RANKED_BYTES_PER_RING_ELEMENT
+ v_CPA_PRIVATE_KEY_SIZE
+ v_PRIVATE_KEY_SIZE
v_PUBLIC_KEY_SIZE
- self.f_public_key
- serialized
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ self
+ sk
in
- serialized
+ sk
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_1
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector) =
+ {
+ f_default_pre = (fun (_: Prims.unit) -> true);
+ f_default_post = (fun (_: Prims.unit) (out: t_MlKemKeyPairUnpacked v_K v_Vector) -> true);
+ f_default
+ =
+ fun (_: Prims.unit) ->
+ {
+ f_private_key
+ =
+ {
+ f_ind_cpa_private_key
+ =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K
+ v_Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ();
+ f_implicit_rejection_value = Rust_primitives.Hax.repeat 0uy (sz 32)
+ }
+ <:
+ t_MlKemPrivateKeyUnpacked v_K v_Vector;
+ f_public_key
+ =
+ Core.Default.f_default #(t_MlKemPublicKeyUnpacked v_K v_Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ }
+ <:
+ t_MlKemKeyPairUnpacked v_K v_Vector
+ }
+
+let impl_4__new
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (_: Prims.unit)
+ =
+ Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve ()
-let impl_3__serialized
+let impl_4__from_private_key
(v_K: usize)
(#v_Vector: Type0)
- (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+ usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
=
- Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- #(t_Array u8 v_PUBLIC_KEY_SIZE)
- #FStar.Tactics.Typeclasses.solve
- (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #v_Vector
- self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
- (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
- <:
- t_Array u8 v_PUBLIC_KEY_SIZE)
+ let out:t_MlKemKeyPairUnpacked v_K v_Vector =
+ Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let out:t_MlKemKeyPairUnpacked v_K v_Vector =
+ keys_from_private_key v_K
+ v_SECRET_KEY_SIZE
+ v_CPA_SECRET_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_BYTES_PER_RING_ELEMENT
+ v_T_AS_NTT_ENCODED_SIZE
+ #v_Vector
+ private_key
+ out
+ in
+ out
-let impl_4__serialized_public_key
+#push-options "--z3rlimit 200"
+
+let transpose_a
(v_K: usize)
(#v_Vector: Type0)
- (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ (ind_cpa_a:
+ t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
=
- impl_3__serialized v_K
- #v_Vector
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- self.f_public_key
+ let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+ Core.Array.from_fn #(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ v_K
+ (fun v__i ->
+ let v__i:usize = v__i in
+ Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K
+ (fun v__j ->
+ let v__j:usize = v__j in
+ Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ <:
+ t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ in
+ let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ v_K
+ (fun v_A i ->
+ let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ v_K =
+ v_A
+ in
+ let i:usize = i in
+ forall (j: nat).
+ j < v i ==>
+ (forall (k: nat).
+ k < v v_K ==> Seq.index (Seq.index v_A j) k == Seq.index (Seq.index ind_cpa_a k) j))
+ v_A
+ (fun v_A i ->
+ let v_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ v_K =
+ v_A
+ in
+ let i:usize = i in
+ let v__a_i:t_Array
+ (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+ v_A
+ in
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ v_K
+ (fun v_A j ->
+ let v_A:t_Array
+ (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+ v_A
+ in
+ let j:usize = j in
+ (forall (k: nat). k < v i ==> Seq.index v_A k == Seq.index v__a_i k) /\
+ (forall (k: nat).
+ k < v j ==>
+ Seq.index (Seq.index v_A (v i)) k == Seq.index (Seq.index ind_cpa_a k) (v i)))
+ v_A
+ (fun v_A j ->
+ let v_A:t_Array
+ (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+ v_A
+ in
+ let j:usize = j in
+ let v_A:t_Array
+ (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A
+ i
+ (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A.[ i ]
+ <:
+ t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ j
+ (Core.Clone.f_clone #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement
+ v_Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ((ind_cpa_a.[ j ]
+ <:
+ t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K).[ i ]
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ <:
+ t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ in
+ v_A))
+ in
+ v_A
+
+#pop-options
#push-options "--z3rlimit 1500 --ext context_pruning --z3refresh"
@@ -839,71 +836,74 @@ let generate_keypair
#pop-options
-let impl_4__serialized_private_key_mut
- (v_K: usize)
- (#v_Vector: Type0)
- (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
+let encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
+ (#v_Vector #v_Hasher: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
+ i2:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ (randomness: t_Array u8 (sz 32))
=
- let ind_cpa_private_key, ind_cpa_public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE &
- t_Array u8 v_PUBLIC_KEY_SIZE) =
- Libcrux_ml_kem.Ind_cpa.serialize_unpacked_secret_key v_K
- v_CPA_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- #v_Vector
- self.f_public_key.f_ind_cpa_public_key
- self.f_private_key.f_ind_cpa_private_key
+ let _:Prims.unit =
+ Lib.Sequence.eq_intro #u8
+ #32
+ (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 64) randomness) 0 32)
+ randomness
in
- let serialized:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
- {
- serialized with
- Libcrux_ml_kem.Types.f_value
- =
- Libcrux_ml_kem.Ind_cca.serialize_kem_secret_key_mut v_K
- v_PRIVATE_KEY_SIZE
- #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
- (ind_cpa_private_key <: t_Slice u8)
- (ind_cpa_public_key <: t_Slice u8)
- (self.f_private_key.f_implicit_rejection_value <: t_Slice u8)
- serialized.Libcrux_ml_kem.Types.f_value
- }
- <:
- Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE
+ let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
+ Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
in
- serialized
-
-let impl_4__serialized_private_key
- (v_K: usize)
- (#v_Vector: Type0)
- (v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT:
- usize)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
- =
- let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
- Core.Default.f_default #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+ let to_hash:t_Array u8 (sz 64) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
+ ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+ <:
+ Core.Ops.Range.t_RangeFrom usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
+ (public_key.f_public_key_hash <: t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ let _:Prims.unit =
+ Lib.Sequence.eq_intro #u8 #64 to_hash (concat randomness public_key.f_public_key_hash)
+ in
+ let hashed:t_Array u8 (sz 64) =
+ Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
+ #v_K
#FStar.Tactics.Typeclasses.solve
- ()
+ (to_hash <: t_Slice u8)
in
- let sk:Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE =
- impl_4__serialized_private_key_mut v_K
- #v_Vector
- v_CPA_PRIVATE_KEY_SIZE
- v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
- self
- sk
+ let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ (hashed <: t_Slice u8)
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
in
- sk
+ let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
+ Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE
+ v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN
+ v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
+ public_key.f_ind_cpa_public_key randomness pseudorandomness
+ in
+ let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let shared_secret_array:t_Array u8 (sz 32) =
+ Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret
+ in
+ Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ #(t_Array u8 v_CIPHERTEXT_SIZE)
+ #FStar.Tactics.Typeclasses.solve
+ ciphertext,
+ shared_secret_array
+ <:
+ (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
#push-options "--z3rlimit 200 --ext context_pruning --z3refresh"
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti
index a6eb033b1..e3a802c64 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti
@@ -31,30 +31,6 @@ type t_MlKemPublicKeyUnpacked
f_public_key_hash:t_Array u8 (sz 32)
}
-/// An unpacked ML-KEM KeyPair
-type t_MlKemKeyPairUnpacked
- (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- = {
- f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector;
- f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector
-}
-
-/// Get the serialized public key.
-val impl_4__private_key
- (v_K: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
- : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get the serialized public key.
-val impl_4__public_key
- (v_K: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
- : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl_2
(v_K: usize)
@@ -63,82 +39,13 @@ val impl_2
{| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
: Core.Clone.t_Clone (t_MlKemPublicKeyUnpacked v_K v_Vector)
-val transpose_a
- (v_K: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (ind_cpa_a:
- t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
- : Prims.Pure
- (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
- Prims.l_True
- (ensures
- fun result ->
- let result:t_Array
- (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
- result
- in
- forall (i: nat).
- i < v v_K ==>
- (forall (j: nat).
- j < v v_K ==>
- Seq.index (Seq.index result i) j == Seq.index (Seq.index ind_cpa_a j) i))
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl
- (v_K: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- : Core.Default.t_Default (t_MlKemPublicKeyUnpacked v_K v_Vector)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1
- (v_K: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector)
-
-/// Create a new empty unpacked key pair.
-val impl_4__new:
- v_K: usize ->
- #v_Vector: Type0 ->
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
- Prims.unit
- -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Take a serialized private key and generate an unpacked key pair from it.
-val keys_from_private_key
- (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
- usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
- : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
- (fun _ -> Prims.l_True)
-
-/// Take a serialized private key and generate an unpacked key pair from it.
-val impl_4__from_private_key
- (v_K: usize)
- (#v_Vector: Type0)
- (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
- usize)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
- (fun _ -> Prims.l_True)
+/// An unpacked ML-KEM KeyPair
+type t_MlKemKeyPairUnpacked
+ (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ = {
+ f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector;
+ f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector
+}
/// Generate an unpacked key from a serialized key.
val unpack_public_key
@@ -171,45 +78,6 @@ val unpack_public_key
deserialized_pk /\ unpacked_public_key_future.f_ind_cpa_public_key.f_seed_for_A == seed /\
unpacked_public_key_future.f_public_key_hash == public_key_hash)
-val encapsulate
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
- usize)
- (#v_Vector #v_Hasher: Type0)
- {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
- (requires
- Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
- (ensures
- fun temp_0_ ->
- let ciphertext_result, shared_secret_array:(Libcrux_ml_kem.Types.t_MlKemCiphertext
- v_CIPHERTEXT_SIZE &
- t_Array u8 (sz 32)) =
- temp_0_
- in
- let ciphertext, shared_secret =
- Spec.MLKEM.ind_cca_unpack_encapsulate v_K
- public_key.f_public_key_hash
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
- #v_Vector
- public_key.f_ind_cpa_public_key.f_t_as_ntt)
- (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
- #v_Vector
- public_key.f_ind_cpa_public_key.f_A)
- randomness
- in
- ciphertext_result.f_value == ciphertext /\ shared_secret_array == shared_secret)
-
/// Get the serialized public key.
val impl_3__serialized_mut
(v_K: usize)
@@ -242,13 +110,12 @@ val impl_3__serialized_mut
self.f_ind_cpa_public_key.f_seed_for_A)
/// Get the serialized public key.
-val impl_4__serialized_public_key_mut
+val impl_3__serialized
(v_K: usize)
(#v_Vector: Type0)
(v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self: t_MlKemKeyPairUnpacked v_K v_Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
(requires
Spec.MLKEM.is_rank v_K /\
@@ -256,29 +123,68 @@ val impl_4__serialized_public_key_mut
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
(forall (i: nat).
i < v v_K ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self.f_public_key
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self
.f_ind_cpa_public_key
.f_t_as_ntt
i)))
(ensures
- fun serialized_future ->
- let serialized_future:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
- serialized_future
- in
- serialized_future.f_value ==
+ fun res ->
+ let res:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = res in
+ res.f_value ==
Seq.append (Spec.MLKEM.vector_encode_12 #v_K
(Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
#v_Vector
- self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
- self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)
+ self.f_ind_cpa_public_key.f_t_as_ntt))
+ self.f_ind_cpa_public_key.f_seed_for_A)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl
+ (v_K: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ : Core.Default.t_Default (t_MlKemPublicKeyUnpacked v_K v_Vector)
+
+/// Take a serialized private key and generate an unpacked key pair from it.
+val keys_from_private_key
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+ usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector)
+ : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
/// Get the serialized public key.
-val impl_3__serialized
+val impl_4__public_key
+ (v_K: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val impl_4__private_key
+ (v_K: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val impl_4__serialized_public_key_mut
(v_K: usize)
(#v_Vector: Type0)
(v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ (self: t_MlKemKeyPairUnpacked v_K v_Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
(requires
Spec.MLKEM.is_rank v_K /\
@@ -286,19 +192,21 @@ val impl_3__serialized
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
(forall (i: nat).
i < v v_K ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index self.f_public_key
.f_ind_cpa_public_key
.f_t_as_ntt
i)))
(ensures
- fun res ->
- let res:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = res in
- res.f_value ==
+ fun serialized_future ->
+ let serialized_future:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE =
+ serialized_future
+ in
+ serialized_future.f_value ==
Seq.append (Spec.MLKEM.vector_encode_12 #v_K
(Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
#v_Vector
- self.f_ind_cpa_public_key.f_t_as_ntt))
- self.f_ind_cpa_public_key.f_seed_for_A)
+ self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
+ self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)
/// Get the serialized public key.
val impl_4__serialized_public_key
@@ -328,35 +236,6 @@ val impl_4__serialized_public_key
self.f_public_key.f_ind_cpa_public_key.f_t_as_ntt))
self.f_public_key.f_ind_cpa_public_key.f_seed_for_A)
-/// Generate Unpacked Keys
-val generate_keypair
- (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
- usize)
- (#v_Vector #v_Hasher #v_Scheme: Type0)
- {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
- (randomness: t_Array u8 (sz 64))
- (out: t_MlKemKeyPairUnpacked v_K v_Vector)
- : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
- (ensures
- fun out_future ->
- let out_future:t_MlKemKeyPairUnpacked v_K v_Vector = out_future in
- let ((m_A, public_key_hash), implicit_rejection_value), valid =
- Spec.MLKEM.ind_cca_unpack_generate_keypair v_K randomness
- in
- valid ==>
- Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
- #v_Vector
- out_future.f_public_key.f_ind_cpa_public_key.f_A ==
- m_A /\ out_future.f_public_key.f_public_key_hash == public_key_hash /\
- out_future.f_private_key.f_implicit_rejection_value == implicit_rejection_value)
-
/// Get the serialized private key.
val impl_4__serialized_private_key_mut
(v_K: usize)
@@ -390,6 +269,127 @@ val impl_4__serialized_private_key
v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K)
(fun _ -> Prims.l_True)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1
+ (v_K: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ : Core.Default.t_Default (t_MlKemKeyPairUnpacked v_K v_Vector)
+
+/// Create a new empty unpacked key pair.
+val impl_4__new:
+ v_K: usize ->
+ #v_Vector: Type0 ->
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
+ Prims.unit
+ -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Take a serialized private key and generate an unpacked key pair from it.
+val impl_4__from_private_key
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_T_AS_NTT_ENCODED_SIZE:
+ usize)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
+val transpose_a
+ (v_K: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (ind_cpa_a:
+ t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+ : Prims.Pure
+ (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_Array
+ (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K =
+ result
+ in
+ forall (i: nat).
+ i < v v_K ==>
+ (forall (j: nat).
+ j < v v_K ==>
+ Seq.index (Seq.index result i) j == Seq.index (Seq.index ind_cpa_a j) i))
+
+/// Generate Unpacked Keys
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (#v_Vector #v_Hasher #v_Scheme: Type0)
+ {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
+ (randomness: t_Array u8 (sz 64))
+ (out: t_MlKemKeyPairUnpacked v_K v_Vector)
+ : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+ (ensures
+ fun out_future ->
+ let out_future:t_MlKemKeyPairUnpacked v_K v_Vector = out_future in
+ let ((m_A, public_key_hash), implicit_rejection_value), valid =
+ Spec.MLKEM.ind_cca_unpack_generate_keypair v_K randomness
+ in
+ valid ==>
+ Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
+ #v_Vector
+ out_future.f_public_key.f_ind_cpa_public_key.f_A ==
+ m_A /\ out_future.f_public_key.f_public_key_hash == public_key_hash /\
+ out_future.f_private_key.f_implicit_rejection_value == implicit_rejection_value)
+
+val encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (#v_Vector #v_Hasher: Type0)
+ {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_U_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+ (ensures
+ fun temp_0_ ->
+ let ciphertext_result, shared_secret_array:(Libcrux_ml_kem.Types.t_MlKemCiphertext
+ v_CIPHERTEXT_SIZE &
+ t_Array u8 (sz 32)) =
+ temp_0_
+ in
+ let ciphertext, shared_secret =
+ Spec.MLKEM.ind_cca_unpack_encapsulate v_K
+ public_key.f_public_key_hash
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+ #v_Vector
+ public_key.f_ind_cpa_public_key.f_t_as_ntt)
+ (Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K
+ #v_Vector
+ public_key.f_ind_cpa_public_key.f_A)
+ randomness
+ in
+ ciphertext_result.f_value == ciphertext /\ shared_secret_array == shared_secret)
+
val decapsulate
(v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
usize)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
index a6ffee609..9033af6e0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst
@@ -12,55 +12,6 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-#push-options "--z3rlimit 300"
-
-let validate_private_key_only
- (v_K v_SECRET_KEY_SIZE: usize)
- (#v_Hasher: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- =
- let t:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
- #v_K
- #FStar.Tactics.Typeclasses.solve
- (private_key.Libcrux_ml_kem.Types.f_value.[ {
- Core.Ops.Range.f_start = sz 384 *! v_K <: usize;
- Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let expected:t_Slice u8 =
- private_key.Libcrux_ml_kem.Types.f_value.[ {
- Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize;
- Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- in
- t =. expected
-
-#pop-options
-
-#push-options "--z3rlimit 300"
-
-let validate_private_key
- (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
- (#v_Hasher: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- = validate_private_key_only v_K v_SECRET_KEY_SIZE #v_Hasher private_key
-
-#pop-options
-
#push-options "--z3rlimit 150"
let serialize_kem_secret_key_mut
@@ -235,97 +186,6 @@ let serialize_kem_secret_key
#pop-options
-#push-options "--z3rlimit 300"
-
-let encapsulate
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
- usize)
- (#v_Vector #v_Hasher #v_Scheme: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i4:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (randomness: t_Array u8 (sz 32))
- =
- let randomness:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme
- #FStar.Tactics.Typeclasses.solve
- v_K
- #v_Hasher
- (randomness <: t_Slice u8)
- in
- let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
- Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
- in
- let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in
- let to_hash:t_Array u8 (sz 64) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
- ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
- <:
- Core.Ops.Range.t_RangeFrom usize)
- (Core.Slice.impl__copy_from_slice #u8
- (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
- (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
- #v_K
- #FStar.Tactics.Typeclasses.solve
- (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
- <:
- t_Slice u8)
- <:
- t_Slice u8)
- in
- let _:Prims.unit =
- assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness);
- lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value);
- assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value))
- in
- let hashed:t_Array u8 (sz 64) =
- Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
- #v_K
- #FStar.Tactics.Typeclasses.solve
- (to_hash <: t_Slice u8)
- in
- let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
- Core.Slice.impl__split_at #u8
- (hashed <: t_Slice u8)
- Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
- in
- let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
- Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
- v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
- v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
- (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness
- pseudorandomness
- in
- let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE =
- Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- #(t_Array u8 v_CIPHERTEXT_SIZE)
- #FStar.Tactics.Typeclasses.solve
- ciphertext
- in
- let shared_secret_array:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Variant.f_kdf #v_Scheme
- #FStar.Tactics.Typeclasses.solve
- v_K
- v_CIPHERTEXT_SIZE
- #v_Hasher
- shared_secret
- ciphertext
- in
- ciphertext, shared_secret_array
- <:
- (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
-
-#pop-options
-
let validate_public_key
(v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
(#v_Vector: Type0)
@@ -359,6 +219,55 @@ let validate_public_key
#push-options "--z3rlimit 300"
+let validate_private_key_only
+ (v_K v_SECRET_KEY_SIZE: usize)
+ (#v_Hasher: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ =
+ let t:t_Array u8 (sz 32) =
+ Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
+ #v_K
+ #FStar.Tactics.Typeclasses.solve
+ (private_key.Libcrux_ml_kem.Types.f_value.[ {
+ Core.Ops.Range.f_start = sz 384 *! v_K <: usize;
+ Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let expected:t_Slice u8 =
+ private_key.Libcrux_ml_kem.Types.f_value.[ {
+ Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize;
+ Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ in
+ t =. expected
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let validate_private_key
+ (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
+ (#v_Hasher: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ = validate_private_key_only v_K v_SECRET_KEY_SIZE #v_Hasher private_key
+
+#pop-options
+
+#push-options "--z3rlimit 300"
+
let generate_keypair
(v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
usize)
@@ -420,6 +329,97 @@ let generate_keypair
#pop-options
+#push-options "--z3rlimit 300"
+
+let encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (#v_Vector #v_Hasher #v_Scheme: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i4:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (randomness: t_Array u8 (sz 32))
+ =
+ let randomness:t_Array u8 (sz 32) =
+ Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme
+ #FStar.Tactics.Typeclasses.solve
+ v_K
+ #v_Hasher
+ (randomness <: t_Slice u8)
+ in
+ let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) =
+ Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8)
+ in
+ let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in
+ let to_hash:t_Array u8 (sz 64) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash
+ ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+ <:
+ Core.Ops.Range.t_RangeFrom usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
+ (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher
+ #v_K
+ #FStar.Tactics.Typeclasses.solve
+ (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8)
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ let _:Prims.unit =
+ assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness);
+ lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value);
+ assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value))
+ in
+ let hashed:t_Array u8 (sz 64) =
+ Libcrux_ml_kem.Hash_functions.f_G #v_Hasher
+ #v_K
+ #FStar.Tactics.Typeclasses.solve
+ (to_hash <: t_Slice u8)
+ in
+ let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) =
+ Core.Slice.impl__split_at #u8
+ (hashed <: t_Slice u8)
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
+ in
+ let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE =
+ Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+ v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher
+ (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness
+ pseudorandomness
+ in
+ let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE =
+ Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ #(t_Array u8 v_CIPHERTEXT_SIZE)
+ #FStar.Tactics.Typeclasses.solve
+ ciphertext
+ in
+ let shared_secret_array:t_Array u8 (sz 32) =
+ Libcrux_ml_kem.Variant.f_kdf #v_Scheme
+ #FStar.Tactics.Typeclasses.solve
+ v_K
+ v_CIPHERTEXT_SIZE
+ #v_Hasher
+ shared_secret
+ ciphertext
+ in
+ ciphertext, shared_secret_array
+ <:
+ (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+
+#pop-options
+
#push-options "--z3rlimit 500"
let decapsulate
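Review bot: The proof glue in encapsulate mixes a literal `32` with the named constant for the same quantity: `eq_intro (Seq.slice to_hash 0 32) randomness` in the first assertion, then `Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)` in the later `assert`. The two only line up because `v_H_DIGEST_SIZE` happens to equal 32, so the first should read `eq_intro (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) randomness` to make the dependency explicit. The unqualified `eq_intro`, `lemma_slice_append` and `concat` also contrast with the fully qualified `Lib.Sequence.eq_intro` used elsewhere in this commit; presumably they come from an open module, and qualifying them would make that import visible to the reader.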
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti
index 057295e89..25ee9ff33 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti
@@ -12,41 +12,13 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-/// Seed size for encapsulation
-let v_ENCAPS_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-
/// Seed size for key generation
let v_KEY_GENERATION_SEED_SIZE: usize =
Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +!
Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-/// Validate an ML-KEM private key.
-/// This implements the Hash check in 7.3 3.
-val validate_private_key_only
- (v_K v_SECRET_KEY_SIZE: usize)
- (#v_Hasher: Type0)
- {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- : Prims.Pure bool
- (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K
- )
- (fun _ -> Prims.l_True)
-
-/// Validate an ML-KEM private key.
-/// This implements the Hash check in 7.3 3.
-/// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE`
-/// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types.
-val validate_private_key
- (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
- (#v_Hasher: Type0)
- {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
- (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
- : Prims.Pure bool
- (requires
- Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
- (fun _ -> Prims.l_True)
+/// Seed size for encapsulation
+let v_ENCAPS_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
/// Serialize the secret key.
val serialize_kem_secret_key_mut
@@ -88,36 +60,6 @@ val serialize_kem_secret_key
(Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value)
))
-val encapsulate
- (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
- usize)
- (#v_Vector #v_Hasher #v_Scheme: Type0)
- {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
- (requires
- Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
- v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
- (ensures
- fun result ->
- let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
- =
- result
- in
- let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in
- valid ==> (result._1.f_value, result._2) == expected)
-
/// Validate an ML-KEM public key.
/// This implements the Modulus check in 7.2 2.
/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the
@@ -134,6 +76,34 @@ val validate_public_key
v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
(fun _ -> Prims.l_True)
+/// Validate an ML-KEM private key.
+/// This implements the Hash check in 7.3 3.
+val validate_private_key_only
+ (v_K v_SECRET_KEY_SIZE: usize)
+ (#v_Hasher: Type0)
+ {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ : Prims.Pure bool
+ (requires Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K
+ )
+ (fun _ -> Prims.l_True)
+
+/// Validate an ML-KEM private key.
+/// This implements the Hash check in 7.3 3.
+/// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE`
+/// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types.
+val validate_private_key
+ (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize)
+ (#v_Hasher: Type0)
+ {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE)
+ (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure bool
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K)
+ (fun _ -> Prims.l_True)
+
/// Packed API
/// Generate a key pair.
/// Depending on the `Vector` and `Hasher` used, this requires different hardware
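Review bot: Both validators are declared with the trivial postcondition `(fun _ -> Prims.l_True)`, so the proof says nothing about the returned bool; unlike `generate_keypair` and `encapsulate` in this file, nothing ties the hash check to the spec. An `ensures` stating that the result is true iff `Spec.Utils.v_H` applied to the slice of `private_key.f_value` from `384 * v v_K` to `768 * v v_K + 32` equals the slice from `768 * v v_K + 32` to `768 * v v_K + 64` would pin the 7.3 step-3 semantics the doc comment claims. As far as the diff shows the declarations are only moved here, so the gap predates this commit.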
@@ -162,6 +132,36 @@ val generate_keypair
let expected, valid = Spec.MLKEM.ind_cca_generate_keypair v_K randomness in
valid ==> (result.f_sk.f_value, result.f_pk.f_value) == expected)
+val encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (#v_Vector #v_Hasher #v_Scheme: Type0)
+ {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\
+ v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K)
+ (ensures
+ fun result ->
+ let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+ =
+ result
+ in
+ let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in
+ valid ==> (result._1.f_value, result._2) == expected)
+
/// This code verifies on some machines, runs out of memory on others
val decapsulate
(v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
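Review bot: The `ensures` clause of encapsulate is conditional on the `valid` flag returned by `Spec.MLKEM.ind_cca_encapsulate`, so the contract is vacuous whenever that flag is false, and the declaration carries no `///` doc line while the neighbouring vals all do. Presumably `valid` is the spec-side public-key check that `validate_public_key` implements; if so, a line such as `/// Callers must run validate_public_key first; when the spec's validity flag is false this contract says nothing about the result.` would record that expectation next to the contract. The val is only moved in this diff, so the omission predates the commit.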
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fst
index 1f6cee7c2..b4b47e483 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fst
@@ -9,24 +9,6 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl_2':
- v_K: usize ->
- #v_Vector: Type0 ->
- {| i1: Core.Clone.t_Clone v_Vector |} ->
- {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- -> Core.Clone.t_Clone (t_IndCpaPublicKeyUnpacked v_K v_Vector)
-
-let impl_2
- (v_K: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_Vector)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- = impl_2' v_K #v_Vector #i1 #i2
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl
(v_K: usize)
@@ -53,6 +35,24 @@ let impl
t_IndCpaPrivateKeyUnpacked v_K v_Vector
}
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2':
+ v_K: usize ->
+ #v_Vector: Type0 ->
+ {| i1: Core.Clone.t_Clone v_Vector |} ->
+ {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ -> Core.Clone.t_Clone (t_IndCpaPublicKeyUnpacked v_K v_Vector)
+
+let impl_2
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Core.Clone.t_Clone v_Vector)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i2:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ = impl_2' v_K #v_Vector #i1 #i2
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl_1
(v_K: usize)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti
index 1f7036f4f..d4d516027 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti
@@ -14,6 +14,13 @@ type t_IndCpaPrivateKeyUnpacked
(v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
= { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K }
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl
+ (v_K: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ : Core.Default.t_Default (t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+
/// An unpacked ML-KEM IND-CPA Private Key
type t_IndCpaPublicKeyUnpacked
(v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -31,13 +38,6 @@ val impl_2
{| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
: Core.Clone.t_Clone (t_IndCpaPublicKeyUnpacked v_K v_Vector)
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl
- (v_K: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- : Core.Default.t_Default (t_IndCpaPrivateKeyUnpacked v_K v_Vector)
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl_1
(v_K: usize)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
index d8e4b83fe..ef045a166 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst
@@ -12,242 +12,213 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-#push-options "--z3rlimit 800 --ext context_pruning"
+#push-options "--z3rlimit 1000 --ext context_pruning --z3refresh"
-let deserialize_secret_key
- (v_K: usize)
+let serialize_secret_key
+ (v_K v_OUT_LEN: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (secret_key: t_Slice u8)
+ (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
=
let _:Prims.unit = assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial) in
- let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K
- (fun temp_0_ ->
- let _:usize = temp_0_ in
- Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
- secret_key
- (fun secret_as_ntt i ->
- let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
- =
- secret_as_ntt
- in
+ let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
+ let out:t_Array u8 v_OUT_LEN =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice key
+ (fun out i ->
+ let out:t_Array u8 v_OUT_LEN = out in
let i:usize = i in
- forall (j: nat).
- j < v i ==>
- j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT +
- v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <=
- v (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K) /\
- Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index secret_as_ntt j) ==
- Spec.MLKEM.byte_decode 12
- (Seq.slice secret_key
+ (v i < v v_K ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) /\
+ (forall (j: nat).
+ j < v i ==>
+ (j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= Seq.length out /\
+ (Seq.slice out
(j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
- (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT +
- v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)))
- secret_as_ntt
- (fun secret_as_ntt temp_1_ ->
- let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
- =
- secret_as_ntt
+ ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) ==
+ Spec.MLKEM.byte_encode 12
+ (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j)))))
+ out
+ (fun out temp_1_ ->
+ let out:t_Array u8 v_OUT_LEN = out in
+ let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+ temp_1_
in
- let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in
- let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt
- i
- (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector
- secret_bytes
+ let out:t_Array u8 v_OUT_LEN =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
+ ({
+ Core.Ops.Range.f_start
+ =
+ i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize
+ }
<:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (out.[ {
+ Core.Ops.Range.f_start
+ =
+ i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
+ Core.Ops.Range.f_end
+ =
+ (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
+ <:
+ usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
in
- secret_as_ntt)
+ let _:Prims.unit =
+ let lemma_aux (j: nat{j < v i})
+ : Lemma
+ (Seq.slice out
+ (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+ ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) ==
+ Spec.MLKEM.byte_encode 12
+ (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j))) =
+ Lib.Sequence.eq_intro #u8
+ #(v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+ (Seq.slice out
+ (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+ ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT))
+ (Spec.MLKEM.byte_encode 12
+ (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j)))
+ in
+ Classical.forall_intro lemma_aux
+ in
+ out)
in
let _:Prims.unit =
- Lib.Sequence.eq_intro #Spec.MLKEM.polynomial
- #(v v_K)
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_as_ntt)
- (Spec.MLKEM.vector_decode_12 #v_K secret_key)
+ assert (Spec.MLKEM.coerce_vector_12 (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+ #v_Vector
+ key) ==
+ Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key);
+ reveal_opaque (`%Spec.MLKEM.vector_encode_12) (Spec.MLKEM.vector_encode_12 #v_K);
+ Lib.Sequence.eq_intro #u8
+ #(v v_OUT_LEN)
+ out
+ (Spec.MLKEM.vector_encode_12 #v_K
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key))
in
- secret_as_ntt
+ out
#pop-options
-let build_unpacked_public_key_mut
- (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
- (#v_Vector #v_Hasher: Type0)
+let serialize_public_key_mut
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
+ i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (public_key: t_Slice u8)
- (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (seed_for_a: t_Slice u8)
+ (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
- {
- unpacked_public_key with
- Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
- =
- Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K
- #v_Vector
- (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE }
+ let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+ ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (serialized.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
<:
- Core.Ops.Range.t_RangeTo usize ]
- <:
- t_Slice u8)
- unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
- }
- <:
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ t_Slice u8)
+ (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt
+ <:
+ t_Slice u8)
+ <:
+ t_Slice u8)
in
- let seed:t_Slice u8 =
- public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
+ let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized
+ ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
+ <:
+ Core.Ops.Range.t_RangeFrom usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
+ seed_for_a
+ <:
+ t_Slice u8)
in
let _:Prims.unit =
Lib.Sequence.eq_intro #u8
- #32
- seed
- (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32)
- in
- let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
- {
- unpacked_public_key with
- Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
- =
- Libcrux_ml_kem.Matrix.sample_matrix_A v_K
- #v_Vector
- #v_Hasher
- unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
- (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34))
- false
- }
- <:
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ #(v v_PUBLIC_KEY_SIZE)
+ serialized
+ (Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
+ seed_for_a)
in
- unpacked_public_key
+ serialized
-let build_unpacked_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
- (#v_Vector #v_Hasher: Type0)
+let serialize_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
+ i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (public_key: t_Slice u8)
+ (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (seed_for_a: t_Slice u8)
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
+ let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+ Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE
in
- let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
- build_unpacked_public_key_mut v_K
- v_T_AS_NTT_ENCODED_SIZE
+ let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+ serialize_public_key_mut v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
#v_Vector
- #v_Hasher
- public_key
- unpacked_public_key
+ tt_as_ntt
+ seed_for_a
+ public_key_serialized
in
- unpacked_public_key
+ public_key_serialized
-#push-options "--z3rlimit 800 --ext context_pruning"
+#push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
-let deserialize_then_decompress_u
- (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
+let sample_ring_element_cbd_helper_2
+ (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
+ i2:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
- =
- let _:Prims.unit =
- assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /!
- sz 8) ==
- v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))
- in
- let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K
- (fun temp_0_ ->
- let _:usize = temp_0_ in
- Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *!
- v_U_COMPRESSION_FACTOR
- <:
- usize) /!
- sz 8
- <:
- usize)
- (ciphertext <: t_Slice u8)
- (fun u_as_ntt i ->
- let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- u_as_ntt
- in
- let i:usize = i in
- forall (j: nat).
- j < v i ==>
- j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <=
- v v_CIPHERTEXT_SIZE /\
- Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) ==
- Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR)
- (Seq.slice ciphertext
- (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))
- (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)))
- ))
- u_as_ntt
- (fun u_as_ntt temp_1_ ->
- let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- u_as_ntt
- in
- let i, u_bytes:(usize & t_Slice u8) = temp_1_ in
- let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
- i
- (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR
- #v_Vector
- u_bytes
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
- i
- (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR
- #v_Vector
- (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- u_as_ntt)
- in
- let _:Prims.unit =
- Lib.Sequence.eq_intro #Spec.MLKEM.polynomial
- #(v v_K)
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt)
- (let open Spec.MLKEM in
- vector_ntt (decode_then_decompress_u #v_K
- (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))
- in
- u_as_ntt
-
-#pop-options
+ (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (prf_input: t_Array u8 (sz 33))
+ (domain_separator: u8) : Lemma
+ (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
+ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
+ v domain_separator < 2 * v v_K /\
+ (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE
+ (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
+ (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in
+ forall (i: nat). i < v v_K ==>
+ Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] ==
+ Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ]))
+ (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 ==
+ (Spec.MLKEM.sample_vector_cbd2 #v_K
+ (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+ =
+ Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1)
+ (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))
let sample_ring_element_cbd_helper_1
(v_K: usize)
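Review bot: The `#push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"` now sits before `sample_ring_element_cbd_helper_2`, so that lemma and `sample_ring_element_cbd_helper_1` are verified under the heavy settings that previously applied only to `sample_ring_element_cbd` (the old `#push-options` is dropped from just before that function in the `@@ -274,34` hunk). The `@@ -385,30` and `@@ -438,7` hunks do the same for `sample_vector_cbd_then_ntt_helper_2` and `_helper_1` with the `--max_fuel 25 --z3rlimit 2500` options. If this is an artefact of the extraction reordering rather than intended, each `#push-options` should be moved back to directly precede the function that needs it, so the helper lemmas keep verifying with default resources and a regression in them is not masked by the larger budget. Several pairs in this hunk (e.g. `deserialize_secret_key` against `serialize_secret_key`) also look like unrelated functions matched by the reordering, which makes the `--z3rlimit 800` to `1000 --z3refresh` change at the top hard to attribute to any one definition.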
@@ -274,34 +245,6 @@ let sample_ring_element_cbd_helper_1
(createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
(Seq.slice prf_input 0 32) (sz (v domain_separator))))
-let sample_ring_element_cbd_helper_2
- (v_K v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i2:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (error_1: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (prf_input: t_Array u8 (sz 33))
- (domain_separator: u8) : Lemma
- (requires Spec.MLKEM.is_rank v_K /\ v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\
- v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\
- v domain_separator < 2 * v v_K /\
- (let prf_outputs = Spec.MLKEM.v_PRFxN v_K v_ETA2_RANDOMNESS_SIZE
- (createi v_K (Spec.MLKEM.sample_vector_cbd2_prf_input #v_K
- (Seq.slice prf_input 0 32) (sz (v domain_separator)))) in
- forall (i: nat). i < v v_K ==>
- Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector error_1.[ sz i ] ==
- Spec.MLKEM.sample_poly_cbd v_ETA2 prf_outputs.[ sz i ]))
- (ensures Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1 ==
- (Spec.MLKEM.sample_vector_cbd2 #v_K
- (Seq.slice prf_input 0 32) (sz (v domain_separator))))
- =
- Lib.Sequence.eq_intro #(Spec.MLKEM.polynomial) #(v v_K)
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector error_1)
- (Spec.MLKEM.sample_vector_cbd2 #v_K (Seq.slice prf_input 0 32) (sz (v domain_separator)))
-
-#push-options "--max_fuel 15 --z3rlimit 1500 --ext context_pruning --z3refresh --split_queries always"
-
let sample_ring_element_cbd
(v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize)
(#v_Vector #v_Hasher: Type0)
@@ -385,30 +328,7 @@ let sample_ring_element_cbd
#pop-options
-let sample_vector_cbd_then_ntt_helper_1
- (v_K: usize)
- (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
- (prf_input: t_Array u8 (sz 33))
- (domain_separator: u8) : Lemma
- (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
- (forall (i: nat). i < v v_K ==>
- v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
- Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
- (ensures prf_inputs == createi v_K
- (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
- (Seq.slice prf_input 0 32) (sz (v domain_separator))))
- =
- let lemma_aux (i: nat{i < v v_K}) : Lemma
- (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
- (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
- Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
- (Seq.append (Seq.slice prf_input 0 32)
- (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
- in
- Classical.forall_intro lemma_aux;
- Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
- (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
- (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+#push-options "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always"
let sample_vector_cbd_then_ntt_helper_2
(v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
@@ -438,7 +358,30 @@ let sample_vector_cbd_then_ntt_helper_2
(Spec.MLKEM.sample_vector_cbd_then_ntt #v_K
(Seq.slice prf_input 0 32) (sz (v domain_separator)))
-#push-options "--max_fuel 25 --z3rlimit 2500 --ext context_pruning --z3refresh --split_queries always"
+let sample_vector_cbd_then_ntt_helper_1
+ (v_K: usize)
+ (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K)
+ (prf_input: t_Array u8 (sz 33))
+ (domain_separator: u8) : Lemma
+ (requires Spec.MLKEM.is_rank v_K /\ v domain_separator < 2 * v v_K /\
+ (forall (i: nat). i < v v_K ==>
+ v (Seq.index (Seq.index prf_inputs i) 32) == v domain_separator + i /\
+ Seq.slice (Seq.index prf_inputs i) 0 32 == Seq.slice prf_input 0 32))
+ (ensures prf_inputs == createi v_K
+ (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+ (Seq.slice prf_input 0 32) (sz (v domain_separator))))
+ =
+ let lemma_aux (i: nat{i < v v_K}) : Lemma
+ (prf_inputs.[ sz i ] == (Seq.append (Seq.slice prf_input 0 32) (Seq.create 1
+ (mk_int #u8_inttype (v (domain_separator +! (mk_int #u8_inttype i))))))) =
+ Lib.Sequence.eq_intro #u8 #33 prf_inputs.[ sz i ]
+ (Seq.append (Seq.slice prf_input 0 32)
+ (Seq.create 1 (mk_int #u8_inttype (v domain_separator + i))))
+ in
+ Classical.forall_intro lemma_aux;
+ Lib.Sequence.eq_intro #(t_Array u8 (sz 33)) #(v v_K) prf_inputs
+ (createi v_K (Spec.MLKEM.sample_vector_cbd1_prf_input #v_K
+ (Seq.slice prf_input 0 32) (sz (v domain_separator))))
let sample_vector_cbd_then_ntt
(v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize)
@@ -706,65 +649,83 @@ let generate_keypair_unpacked
#pop-options
-let decrypt_unpacked
- (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
- usize)
+#push-options "--admit_smt_queries true"
+
+let serialize_unpacked_secret_key
+ (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+ (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
=
- let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext
- in
- let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_K
- v_V_COMPRESSION_FACTOR
+ let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
+ serialize_public_key v_K
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
#v_Vector
- (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
+ public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+ (public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
in
- let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Libcrux_ml_kem.Matrix.compute_message v_K
+ let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE =
+ serialize_secret_key v_K
+ v_PRIVATE_KEY_SIZE
#v_Vector
- v
- secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
- u_as_ntt
+ private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
in
- Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message
+ secret_key_serialized, public_key_serialized
+ <:
+ (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
-let decrypt
- (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
+#pop-options
+
+let generate_keypair
+ (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
usize)
- (#v_Vector: Type0)
+ (#v_Vector #v_Hasher #v_Scheme: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
+ i3:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (secret_key: t_Slice u8)
- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i4:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
+ (key_generation_seed: t_Slice u8)
=
- let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt in
- let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- deserialize_secret_key v_K #v_Vector secret_key
+ let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
+ )
+ #FStar.Tactics.Typeclasses.solve
+ ()
in
- let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector =
- { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt }
- <:
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
+ let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
in
- decrypt_unpacked v_K
- v_CIPHERTEXT_SIZE
- v_VECTOR_U_ENCODED_SIZE
- v_U_COMPRESSION_FACTOR
- v_V_COMPRESSION_FACTOR
+ let tmp0, tmp1:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector &
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) =
+ generate_keypair_unpacked v_K
+ v_ETA1
+ v_ETA1_RANDOMNESS_SIZE
+ #v_Vector
+ #v_Hasher
+ #v_Scheme
+ key_generation_seed
+ private_key
+ public_key
+ in
+ let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = tmp0 in
+ let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = tmp1 in
+ let _:Prims.unit = () in
+ serialize_unpacked_secret_key v_K
+ v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
#v_Vector
- secret_key_unpacked
- ciphertext
+ public_key
+ private_key
#push-options "--z3rlimit 1500 --ext context_pruning --z3refresh"
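Review bot: `serialize_unpacked_secret_key` arrives in this hunk still bracketed by `#push-options "--admit_smt_queries true"` and the matching `#pop-options`, so its `Prims.Pure` contract from the interface is assumed rather than discharged, and `generate_keypair` below it now returns the result of that admitted step as the serialized key pair; the move keeps the admit but nothing marks it as a known gap in the verified surface. A comment on the push line, e.g. `(* PROOF ADMITTED: the serialization contract below is assumed, not verified; track until the admit is removed *)`, would make that visible to anyone reading the extraction or auditing which ML-KEM key-handling steps are actually proved. In `generate_keypair`, `let _:Prims.unit = () in` is a no-op binding where a statement was erased; if a lemma call or assertion was meant to sit there it is absent from the new side, though that cannot be confirmed from this hunk.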
@@ -997,6 +958,89 @@ let encrypt_unpacked
#pop-options
+let build_unpacked_public_key_mut
+ (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+ (#v_Vector #v_Hasher: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i2:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (public_key: t_Slice u8)
+ (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ =
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+ {
+ unpacked_public_key with
+ Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+ =
+ Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K
+ #v_Vector
+ (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE }
+ <:
+ Core.Ops.Range.t_RangeTo usize ]
+ <:
+ t_Slice u8)
+ unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
+ }
+ <:
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ in
+ let seed:t_Slice u8 =
+ public_key.[ { Core.Ops.Range.f_start = v_T_AS_NTT_ENCODED_SIZE }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ in
+ let _:Prims.unit =
+ Lib.Sequence.eq_intro #u8
+ #32
+ seed
+ (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32)
+ in
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+ {
+ unpacked_public_key with
+ Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+ =
+ Libcrux_ml_kem.Matrix.sample_matrix_A v_K
+ #v_Vector
+ #v_Hasher
+ unpacked_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A
+ (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed <: t_Array u8 (sz 34))
+ false
+ }
+ <:
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector
+ in
+ unpacked_public_key
+
+let build_unpacked_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+ (#v_Vector #v_Hasher: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i2:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i3:
+ Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
+ (public_key: t_Slice u8)
+ =
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+ build_unpacked_public_key_mut v_K
+ v_T_AS_NTT_ENCODED_SIZE
+ #v_Vector
+ #v_Hasher
+ public_key
+ unpacked_public_key
+ in
+ unpacked_public_key
+
#push-options "--z3rlimit 500 --ext context_pruning"
let encrypt
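Review bot: In `build_unpacked_public_key_mut` the proof step `Lib.Sequence.eq_intro #u8 #32 seed (Seq.slice (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed) 0 32)` has no comment saying why it is there, and the bare `false` passed to `Libcrux_ml_kem.Matrix.sample_matrix_A` is boolean-blind. A comment such as `(* proof step: seed is the 32-byte prefix of the padded 34-byte array handed to sample_matrix_A, which ties f_A to the seed_for_A part of the public key *)` on the eq_intro, and `(* false: presumably the transpose flag, given matrix_transpose in the interface's ensures — confirm *)` on the argument, would let a reader follow the deserialization without the Rust source. Both functions are complete within the hunk.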
@@ -1023,260 +1067,216 @@ let encrypt
#pop-options
-#push-options "--z3rlimit 1000 --ext context_pruning --z3refresh"
+#push-options "--z3rlimit 800 --ext context_pruning"
-let serialize_secret_key
- (v_K v_OUT_LEN: usize)
+let deserialize_then_decompress_u
+ (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
=
- let _:Prims.unit = assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial) in
- let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in
- let out:t_Array u8 v_OUT_LEN =
- Rust_primitives.Hax.Folds.fold_enumerated_slice key
- (fun out i ->
- let out:t_Array u8 v_OUT_LEN = out in
+ let _:Prims.unit =
+ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /!
+ sz 8) ==
+ v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))
+ in
+ let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K
+ (fun temp_0_ ->
+ let _:usize = temp_0_ in
+ Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ in
+ let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *!
+ v_U_COMPRESSION_FACTOR
+ <:
+ usize) /!
+ sz 8
+ <:
+ usize)
+ (ciphertext <: t_Slice u8)
+ (fun u_as_ntt i ->
+ let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ u_as_ntt
+ in
let i:usize = i in
- (v i < v v_K ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) /\
- (forall (j: nat).
- j < v i ==>
- (j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= Seq.length out /\
- (Seq.slice out
- (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
- ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) ==
- Spec.MLKEM.byte_encode 12
- (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j)))))
- out
- (fun out temp_1_ ->
- let out:t_Array u8 v_OUT_LEN = out in
- let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- temp_1_
+ forall (j: nat).
+ j < v i ==>
+ j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <=
+ v v_CIPHERTEXT_SIZE /\
+ Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) ==
+ Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR)
+ (Seq.slice ciphertext
+ (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))
+ (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)))
+ ))
+ u_as_ntt
+ (fun u_as_ntt temp_1_ ->
+ let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ u_as_ntt
in
- let out:t_Array u8 v_OUT_LEN =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
- ({
- Core.Ops.Range.f_start
- =
- i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (out.[ {
- Core.Ops.Range.f_start
- =
- i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize;
- Core.Ops.Range.f_end
- =
- (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
- <:
- usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re
- <:
- t_Slice u8)
+ let i, u_bytes:(usize & t_Slice u8) = temp_1_ in
+ let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
+ i
+ (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR
+ #v_Vector
+ u_bytes
<:
- t_Slice u8)
- in
- let _:Prims.unit =
- let lemma_aux (j: nat{j < v i})
- : Lemma
- (Seq.slice out
- (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
- ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) ==
- Spec.MLKEM.byte_encode 12
- (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j))) =
- Lib.Sequence.eq_intro #u8
- #(v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
- (Seq.slice out
- (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
- ((j + 1) * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT))
- (Spec.MLKEM.byte_encode 12
- (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index key j)))
- in
- Classical.forall_intro lemma_aux
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
in
- out)
+ let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt
+ i
+ (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR
+ #v_Vector
+ (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ in
+ u_as_ntt)
in
let _:Prims.unit =
- assert (Spec.MLKEM.coerce_vector_12 (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
- #v_Vector
- key) ==
- Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key);
- reveal_opaque (`%Spec.MLKEM.vector_encode_12) (Spec.MLKEM.vector_encode_12 #v_K);
- Lib.Sequence.eq_intro #u8
- #(v v_OUT_LEN)
- out
- (Spec.MLKEM.vector_encode_12 #v_K
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key))
+ Lib.Sequence.eq_intro #Spec.MLKEM.polynomial
+ #(v v_K)
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt)
+ (let open Spec.MLKEM in
+ vector_ntt (decode_then_decompress_u #v_K
+ (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))
in
- out
+ u_as_ntt
#pop-options
-let serialize_public_key_mut
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+#push-options "--z3rlimit 800 --ext context_pruning"
+
+let deserialize_secret_key
+ (v_K: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (seed_for_a: t_Slice u8)
- (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
+ (secret_key: t_Slice u8)
=
- let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (serialized.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt
- <:
- t_Slice u8)
- <:
- t_Slice u8)
+ let _:Prims.unit = assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial) in
+ let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K
+ (fun temp_0_ ->
+ let _:usize = temp_0_ in
+ Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
in
- let serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized
- ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
- <:
- Core.Ops.Range.t_RangeFrom usize)
- (Core.Slice.impl__copy_from_slice #u8
- (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT }
- <:
- Core.Ops.Range.t_RangeFrom usize ]
- <:
- t_Slice u8)
- seed_for_a
- <:
- t_Slice u8)
+ let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
+ secret_key
+ (fun secret_as_ntt i ->
+ let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+ =
+ secret_as_ntt
+ in
+ let i:usize = i in
+ forall (j: nat).
+ j < v i ==>
+ j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT +
+ v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <=
+ v (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K) /\
+ Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index secret_as_ntt j) ==
+ Spec.MLKEM.byte_decode 12
+ (Seq.slice secret_key
+ (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
+ (j * v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT +
+ v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)))
+ secret_as_ntt
+ (fun secret_as_ntt temp_1_ ->
+ let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+ =
+ secret_as_ntt
+ in
+ let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in
+ let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt
+ i
+ (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector
+ secret_bytes
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ in
+ secret_as_ntt)
in
let _:Prims.unit =
- Lib.Sequence.eq_intro #u8
- #(v v_PUBLIC_KEY_SIZE)
- serialized
- (Seq.append (Spec.MLKEM.vector_encode_12 #v_K
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
- seed_for_a)
- in
- serialized
-
-let serialize_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (seed_for_a: t_Slice u8)
- =
- let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
- Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE
- in
- let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
- serialize_public_key_mut v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
- #v_Vector
- tt_as_ntt
- seed_for_a
- public_key_serialized
+ Lib.Sequence.eq_intro #Spec.MLKEM.polynomial
+ #(v v_K)
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_as_ntt)
+ (Spec.MLKEM.vector_decode_12 #v_K secret_key)
in
- public_key_serialized
+ secret_as_ntt
-#push-options "--admit_smt_queries true"
+#pop-options
-let serialize_unpacked_secret_key
- (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT: usize)
+let decrypt_unpacked
+ (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
+ usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
- (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+ (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
=
- let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE =
- serialize_public_key v_K
- v_RANKED_BYTES_PER_RING_ELEMENT
- v_PUBLIC_KEY_SIZE
+ let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext
+ in
+ let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_K
+ v_V_COMPRESSION_FACTOR
#v_Vector
- public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt
- (public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8)
+ (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE }
+ <:
+ Core.Ops.Range.t_RangeFrom usize ]
+ <:
+ t_Slice u8)
in
- let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE =
- serialize_secret_key v_K
- v_PRIVATE_KEY_SIZE
+ let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Libcrux_ml_kem.Matrix.compute_message v_K
#v_Vector
- private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
+ v
+ secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt
+ u_as_ntt
in
- secret_key_serialized, public_key_serialized
- <:
- (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
-
-#pop-options
+ Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message
-let generate_keypair
- (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+let decrypt
+ (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
usize)
- (#v_Vector #v_Hasher #v_Scheme: Type0)
+ (#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
- i3:
+ i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i4:
- Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme)
- (key_generation_seed: t_Slice u8)
+ (secret_key: t_Slice u8)
+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
=
- let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
- )
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
+ let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt in
+ let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ deserialize_secret_key v_K #v_Vector secret_key
in
- let tmp0, tmp1:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector &
- Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) =
- generate_keypair_unpacked v_K
- v_ETA1
- v_ETA1_RANDOMNESS_SIZE
- #v_Vector
- #v_Hasher
- #v_Scheme
- key_generation_seed
- private_key
- public_key
+ let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector =
+ { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt }
+ <:
+ Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector
in
- let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = tmp0 in
- let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = tmp1 in
- let _:Prims.unit = () in
- serialize_unpacked_secret_key v_K
- v_PRIVATE_KEY_SIZE
- v_PUBLIC_KEY_SIZE
- v_RANKED_BYTES_PER_RING_ELEMENT
+ decrypt_unpacked v_K
+ v_CIPHERTEXT_SIZE
+ v_VECTOR_U_ENCODED_SIZE
+ v_U_COMPRESSION_FACTOR
+ v_V_COMPRESSION_FACTOR
#v_Vector
- public_key
- private_key
+ secret_key_unpacked
+ ciphertext
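Review bot: In `deserialize_then_decompress_u` the opening `assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /! sz 8) == v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))` is the fact that lets the fold's chunk width line up with the `Spec.MLKEM.v_C1_BLOCK_SIZE v_K` slices in the loop invariant, yet it carries no comment, and the same applies to `assert_norm (Spec.MLKEM.polynomial_d 12 == Spec.MLKEM.polynomial)` at the top of `deserialize_secret_key`. A one-line why-comment on each, e.g. `(* the chunk size the fold uses must equal the spec's C1 block size for the invariant below to mention the same slices *)`, would spare the next maintainer re-deriving it when the rlimit needs tuning. `decrypt_unpacked` and `decrypt` sit after the final `#pop-options`, so they run under default solver options; that matches their placement on the old side, but a reader scanning the new ordering may miss that they are outside the `--z3rlimit 800` regions.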
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti
index 981a0c86e..934e1bd89 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti
@@ -12,91 +12,71 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
-val deserialize_secret_key
- (v_K: usize)
+/// Call [`serialize_uncompressed_ring_element`] for each ring element.
+val serialize_secret_key
+ (v_K v_OUT_LEN: usize)
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (secret_key: t_Slice u8)
- : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ : Prims.Pure (t_Array u8 v_OUT_LEN)
(requires
- Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v (Core.Slice.impl__len #u8 secret_key) /
- v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <=
- v v_K)
+ Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ (forall (i: nat).
+ i < v v_K ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i)))
(ensures
fun res ->
- let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in
- Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res ==
- Spec.MLKEM.vector_decode_12 #v_K secret_key)
-
-val build_unpacked_public_key_mut
- (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
- (#v_Vector #v_Hasher: Type0)
- {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- (public_key: t_Slice u8)
- (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
- : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
- (requires
- Spec.MLKEM.is_rank v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
- (ensures
- fun unpacked_public_key_future ->
- let unpacked_public_key_future:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked
- v_K v_Vector =
- unpacked_public_key_future
- in
- let t_as_ntt_bytes, seed_for_A = split public_key v_T_AS_NTT_ENCODED_SIZE in
- let t_as_ntt = Spec.MLKEM.vector_decode_12 #v_K t_as_ntt_bytes in
- let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #v_K seed_for_A in
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
- #v_Vector
- unpacked_public_key_future.f_t_as_ntt ==
- t_as_ntt /\ valid ==>
- Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector unpacked_public_key_future.f_A ==
- Spec.MLKEM.matrix_transpose matrix_A_as_ntt))
+ let res:t_Array u8 v_OUT_LEN = res in
+ res ==
+ Spec.MLKEM.vector_encode_12 #v_K
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key))
-val build_unpacked_public_key
- (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
- (#v_Vector #v_Hasher: Type0)
- {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- (public_key: t_Slice u8)
- : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+/// Concatenate `t` and `ρ` into the public key.
+val serialize_public_key_mut
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (seed_for_a: t_Slice u8)
+ (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
+ : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE)
(requires
- Spec.MLKEM.is_rank v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
- length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+ Spec.MLKEM.is_rank v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\
+ (forall (i: nat).
+ i < v v_K ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i)))
(ensures
- fun result ->
- let result:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
- result
- in
- let t_as_ntt_bytes, seed_for_A = split public_key v_T_AS_NTT_ENCODED_SIZE in
- let t_as_ntt = Spec.MLKEM.vector_decode_12 #v_K t_as_ntt_bytes in
- let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #v_K seed_for_A in
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector result.f_t_as_ntt == t_as_ntt /\
- valid ==>
- Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector result.f_A ==
- Spec.MLKEM.matrix_transpose matrix_A_as_ntt))
+ fun serialized_future ->
+ let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in
+ serialized_future ==
+ Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
+ seed_for_a)
-/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element
-/// in the `ciphertext`.
-val deserialize_then_decompress_u
- (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
+/// Concatenate `t` and `ρ` into the public key.
+val serialize_public_key
+ (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (seed_for_a: t_Slice u8)
+ : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE)
(requires
- Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K)
+ Spec.MLKEM.is_rank v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\
+ (forall (i: nat).
+ i < v v_K ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i)))
(ensures
fun res ->
- let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in
- Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res ==
- Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K
- (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))))
+ let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in
+ res ==
+ Seq.append (Spec.MLKEM.vector_encode_12 #v_K
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
+ seed_for_a)
/// Sample a vector of ring elements from a centered binomial distribution.
val sample_ring_element_cbd
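Review bot: `serialize_public_key_mut` and `serialize_public_key` now carry the identical doc line `/// Concatenate `t` and `ρ` into the public key.`, so nothing in the interface says what distinguishes the `_mut` variant, which takes `serialized` and whose ensures is stated on `serialized_future`. Changing the first to `/// Concatenate `t` and `ρ` into the public key, writing the result into `serialized`.` removes the ambiguity. The doc line on `serialize_secret_key` could also mention that callers must establish `coefficients_field_modulus_range` for every ring element, since that is the non-obvious part of its requires clause.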
@@ -256,63 +236,38 @@ val generate_keypair_unpacked
.f_t_as_ntt
i)))
-/// This function implements Algorithm 14 of the
-/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm.
-/// Algorithm 14 is reproduced below:
-/// ```plaintext
-/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}.
-/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}.
-/// Output: message m ∈ 𝔹^{32}.
-/// c₁ ← c[0 : 32dᵤk]
-/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)]
-/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁))
-/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂))
-/// ŝ ← ByteDecode₁₂(dkₚₖₑ)
-/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u))
-/// m ← ByteEncode₁(Compress₁(w))
-/// return m
-/// ```
-/// The NIST FIPS 203 standard can be found at
-/// .
-val decrypt_unpacked
- (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
- usize)
+/// Serialize the secret key from the unpacked key pair generation.
+val serialize_unpacked_secret_key
+ (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT: usize)
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
- (requires
- Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K)
- (ensures
- fun result ->
- let result:t_Array u8 (sz 32) = result in
- result ==
- Spec.MLKEM.ind_cpa_decrypt_unpacked v_K
- ciphertext
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_key.f_secret_as_ntt))
+ (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+ : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-val decrypt
- (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
+val generate_keypair
+ (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (secret_key: t_Slice u8)
- (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
- : Prims.Pure (t_Array u8 (sz 32))
+ (#v_Vector #v_Hasher #v_Scheme: Type0)
+ {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
+ (key_generation_seed: t_Slice u8)
+ : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
(requires
- Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
- v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\
- v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
- v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K)
+ Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
+ v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
+ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
+ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
+ length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE)
(ensures
fun result ->
- let result:t_Array u8 (sz 32) = result in
- result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext)
+ let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = result in
+ let expected, valid = Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed in
+ valid ==> result == expected)
/// Call [`compress_then_serialize_ring_element_u`] on each ring element.
val compress_then_serialize_u
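Review bot: `serialize_unpacked_secret_key` (L21702–L21725) is declared with `Prims.l_True` as both precondition and postcondition, while its neighbours carry real contracts: `serialize_public_key` above fixes the output to `Seq.append (vector_encode_12 ...) seed_for_a`, and `generate_keypair` right below promises `valid ==> result == expected`. With a trivial contract the key-pair proof cannot go through this function and either has to be admitted or re-derived by unfolding. Since this file is a hax extraction, the gap presumably reflects a missing `hax_lib::requires`/`ensures` on the Rust function; at minimum the size preconditions could mirror those of `generate_keypair`: `(requires Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)`.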
@@ -402,6 +357,56 @@ val encrypt_unpacked
(Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector public_key.f_t_as_ntt)
(Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector public_key.f_A))
+val build_unpacked_public_key_mut
+ (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+ (#v_Vector #v_Hasher: Type0)
+ {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ (public_key: t_Slice u8)
+ (unpacked_public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+ (ensures
+ fun unpacked_public_key_future ->
+ let unpacked_public_key_future:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked
+ v_K v_Vector =
+ unpacked_public_key_future
+ in
+ let t_as_ntt_bytes, seed_for_A = split public_key v_T_AS_NTT_ENCODED_SIZE in
+ let t_as_ntt = Spec.MLKEM.vector_decode_12 #v_K t_as_ntt_bytes in
+ let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #v_K seed_for_A in
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K
+ #v_Vector
+ unpacked_public_key_future.f_t_as_ntt ==
+ t_as_ntt /\ valid ==>
+ Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector unpacked_public_key_future.f_A ==
+ Spec.MLKEM.matrix_transpose matrix_A_as_ntt))
+
+val build_unpacked_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE: usize)
+ (#v_Vector #v_Hasher: Type0)
+ {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
+ (public_key: t_Slice u8)
+ : Prims.Pure (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\ v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\
+ length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector =
+ result
+ in
+ let t_as_ntt_bytes, seed_for_A = split public_key v_T_AS_NTT_ENCODED_SIZE in
+ let t_as_ntt = Spec.MLKEM.vector_decode_12 #v_K t_as_ntt_bytes in
+ let matrix_A_as_ntt, valid = Spec.MLKEM.sample_matrix_A_ntt #v_K seed_for_A in
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector result.f_t_as_ntt == t_as_ntt /\
+ valid ==>
+ Libcrux_ml_kem.Polynomial.to_spec_matrix_t #v_K #v_Vector result.f_A ==
+ Spec.MLKEM.matrix_transpose matrix_A_as_ntt))
+
val encrypt
(v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
usize)
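Review bot: The `ensures` of `build_unpacked_public_key_mut` (L21786–L21791) and `build_unpacked_public_key` (L21811–L21814) mixes `/\` and `==>` without parentheses; in F* `/\` binds tighter than `==>`, so `to_spec_vector_t ... f_t_as_ntt == t_as_ntt /\ valid ==> to_spec_matrix_t ... f_A == matrix_transpose matrix_A_as_ntt` parses as `(t_eq /\ valid) ==> A_eq`. That turns the equality on `f_t_as_ntt` into an assumption rather than a guarantee, and whenever `valid` is false the whole postcondition is vacuous, so a caller learns nothing about the decoded `t`. The intended shape is presumably `t_eq /\ (valid ==> A_eq)`, i.e. parenthesise the implication; as this is extracted code the fix belongs in the `hax_lib::ensures` annotation on the Rust source. Compare `generate_keypair` earlier in this file, whose `valid ==> result == expected` has no such ambiguity.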
@@ -430,101 +435,96 @@ val encrypt
let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in
valid ==> result == expected)
-/// Call [`serialize_uncompressed_ring_element`] for each ring element.
-val serialize_secret_key
- (v_K v_OUT_LEN: usize)
+/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element
+/// in the `ciphertext`.
+val deserialize_then_decompress_u
+ (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize)
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- : Prims.Pure (t_Array u8 v_OUT_LEN)
+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
(requires
- Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- (forall (i: nat).
- i < v v_K ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i)))
+ Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K)
(ensures
fun res ->
- let res:t_Array u8 v_OUT_LEN = res in
- res ==
- Spec.MLKEM.vector_encode_12 #v_K
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key))
+ let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in
+ Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res ==
+ Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K
+ (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))))
-/// Concatenate `t` and `ρ` into the public key.
-val serialize_public_key_mut
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element.
+val deserialize_secret_key
+ (v_K: usize)
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (seed_for_a: t_Slice u8)
- (serialized: t_Array u8 v_PUBLIC_KEY_SIZE)
- : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE)
+ (secret_key: t_Slice u8)
+ : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
(requires
- Spec.MLKEM.is_rank v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\
- (forall (i: nat).
- i < v v_K ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i)))
+ Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v (Core.Slice.impl__len #u8 secret_key) /
+ v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <=
+ v v_K)
(ensures
- fun serialized_future ->
- let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in
- serialized_future ==
- Seq.append (Spec.MLKEM.vector_encode_12 #v_K
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
- seed_for_a)
+ fun res ->
+ let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in
+ Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res ==
+ Spec.MLKEM.vector_decode_12 #v_K secret_key)
-/// Concatenate `t` and `ρ` into the public key.
-val serialize_public_key
- (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+/// This function implements Algorithm 14 of the
+/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm.
+/// Algorithm 14 is reproduced below:
+/// ```plaintext
+/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}.
+/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}.
+/// Output: message m ∈ 𝔹^{32}.
+/// c₁ ← c[0 : 32dᵤk]
+/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)]
+/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁))
+/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂))
+/// ŝ ← ByteDecode₁₂(dkₚₖₑ)
+/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u))
+/// m ← ByteEncode₁(Compress₁(w))
+/// return m
+/// ```
+/// The NIST FIPS 203 standard can be found at
+/// .
+val decrypt_unpacked
+ (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
+ usize)
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (seed_for_a: t_Slice u8)
- : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE)
+ (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\
- (forall (i: nat).
- i < v v_K ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i)))
+ Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K)
(ensures
- fun res ->
- let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in
- res ==
- Seq.append (Spec.MLKEM.vector_encode_12 #v_K
- (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt))
- seed_for_a)
+ fun result ->
+ let result:t_Array u8 (sz 32) = result in
+ result ==
+ Spec.MLKEM.ind_cpa_decrypt_unpacked v_K
+ ciphertext
+ (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_key.f_secret_as_ntt))
-/// Serialize the secret key from the unpacked key pair generation.
-val serialize_unpacked_secret_key
- (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT: usize)
+val decrypt
+ (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR:
+ usize)
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector)
- (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector)
- : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val generate_keypair
- (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
- usize)
- (#v_Vector #v_Hasher #v_Scheme: Type0)
- {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |}
- {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}
- (key_generation_seed: t_Slice u8)
- : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE)
+ (secret_key: t_Slice u8)
+ (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32))
(requires
- Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
- v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\
- v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\
- v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\
- v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\
- length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE)
+ Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\
+ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\
+ v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\
+ v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\
+ v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K)
(ensures
fun result ->
- let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = result in
- let expected, valid = Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed in
- valid ==> result == expected)
+ let result:t_Array u8 (sz 32) = result in
+ result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext)
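Review bot: The extra precondition on `deserialize_secret_key` (L21874–L21876), `v (Core.Slice.impl__len #u8 secret_key) / v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= v v_K`, looks redundant with `length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K` on the line before it if that size is `K * BYTES_PER_RING_ELEMENT`, which I cannot confirm from this hunk; if it is, a one-line comment saying the bound is the loop's index guard (so readers do not look for a second constraint) would help, and if it is not, the `requires` should say why the two differ. Separately, the `decrypt_unpacked` doc comment (L21907–L21908) reads `/// The NIST FIPS 203 standard can be found at` followed by a bare `/// .`: the reference was dropped, presumably because the extractor strips an angle-bracketed link, so the Rust doc source should give the reference in a form that survives extraction.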
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst
index c405a03d7..ac4b10e1b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst
@@ -9,26 +9,6 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-let inv_ntt_layer_int_vec_step_reduce
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (a b: v_Vector)
- (zeta_r: i16)
- =
- let a_minus_b:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve b a
- in
- let a:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
- #FStar.Tactics.Typeclasses.solve
- (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a b <: v_Vector
- )
- in
- let b:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector a_minus_b zeta_r in
- a, b <: (v_Vector & v_Vector)
-
#push-options "--z3rlimit 200 --ext context_pruning"
let invert_ntt_at_layer_1_
@@ -261,6 +241,26 @@ let invert_ntt_at_layer_3_
#pop-options
+let inv_ntt_layer_int_vec_step_reduce
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (a b: v_Vector)
+ (zeta_r: i16)
+ =
+ let a_minus_b:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve b a
+ in
+ let a:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a b <: v_Vector
+ )
+ in
+ let b:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector a_minus_b zeta_r in
+ a, b <: (v_Vector & v_Vector)
+
#push-options "--admit_smt_queries true"
let invert_ntt_at_layer_4_plus
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti
index 52d37549d..1f6cd021e 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti
@@ -9,27 +9,12 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-val inv_ntt_layer_int_vec_step_reduce
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (a b: v_Vector)
- (zeta_r: i16)
- : Prims.Pure (v_Vector & v_Vector)
- (requires
- Spec.Utils.is_i16b 1664 zeta_r /\
- (forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) -
- v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\
- (forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) +
- v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\
- Spec.Utils.is_i16b_array 28296
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b)))
- (fun _ -> Prims.l_True)
+[@@ "opaque_to_smt"]
+ let invert_ntt_re_range_2 (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+ forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328
+ (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
[@@ "opaque_to_smt"]
let invert_ntt_re_range_1 (#v_Vector: Type0)
@@ -38,13 +23,6 @@ val inv_ntt_layer_int_vec_step_reduce
forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328)
(Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
-[@@ "opaque_to_smt"]
- let invert_ntt_re_range_2 (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
-
val invert_ntt_at_layer_1_
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -90,6 +68,28 @@ val invert_ntt_at_layer_3_
in
invert_ntt_re_range_2 re_future /\ v zeta_i_future == 16)
+val inv_ntt_layer_int_vec_step_reduce
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (a b: v_Vector)
+ (zeta_r: i16)
+ : Prims.Pure (v_Vector & v_Vector)
+ (requires
+ Spec.Utils.is_i16b 1664 zeta_r /\
+ (forall i.
+ i < 16 ==>
+ Spec.Utils.is_intb (pow2 15 - 1)
+ (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) -
+ v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\
+ (forall i.
+ i < 16 ==>
+ Spec.Utils.is_intb (pow2 15 - 1)
+ (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) +
+ v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\
+ Spec.Utils.is_i16b_array 28296
+ (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b)))
+ (fun _ -> Prims.l_True)
+
val invert_ntt_at_layer_4_plus
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
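Review bot: `inv_ntt_layer_int_vec_step_reduce` (L22094–L22114) has a detailed `requires` on the input ranges but a trivial `(fun _ -> Prims.l_True)` postcondition, so its caller learns nothing about the ranges of the returned pair; consistent with that, `invert_ntt_at_layer_4_plus` in the `.fst` sits under `#push-options "--admit_smt_queries true"` (L22040). The move in this commit does not change that, but since the inverse NTT bounds are exactly what the `invert_ntt_re_range_*` predicates track, the val should either state a range on the result or carry a comment such as `(* TODO: no postcondition; layer_4_plus is admitted until the result range is specified *)`. The enclosing `.fsti` continues outside the hunk.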
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
index 6c1d41758..4e0739b87 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
@@ -137,101 +137,6 @@ let sample_matrix_A
let _:Prims.unit = result in
v_A_transpose
-let compute_As_plus_e
- (v_K: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (matrix_A:
- t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
- (s_as_ntt error_as_ntt:
- t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- =
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Folds.fold_enumerated_slice (matrix_A
- <:
- t_Slice (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K))
- (fun tt_as_ntt temp_1_ ->
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- tt_as_ntt
- in
- let _:usize = temp_1_ in
- true)
- tt_as_ntt
- (fun tt_as_ntt temp_1_ ->
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- tt_as_ntt
- in
- let i, row:(usize &
- t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) =
- temp_1_
- in
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
- i
- (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Folds.fold_enumerated_slice (row
- <:
- t_Slice (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector))
- (fun tt_as_ntt temp_1_ ->
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K =
- tt_as_ntt
- in
- let _:usize = temp_1_ in
- true)
- tt_as_ntt
- (fun tt_as_ntt temp_1_ ->
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K =
- tt_as_ntt
- in
- let j, matrix_element:(usize &
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- temp_1_
- in
- let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector
- matrix_element
- (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
- i
- (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector
- v_K
- (tt_as_ntt.[ i ]
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- product
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- tt_as_ntt)
- in
- let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
- i
- (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector
- (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- tt_as_ntt)
- in
- let result:Prims.unit = () <: Prims.unit in
- let _:Prims.unit = admit () (* Panic freedom *) in
- let _:Prims.unit = result in
- tt_as_ntt
-
#push-options "--admit_smt_queries true"
let compute_message
@@ -427,3 +332,98 @@ let compute_vector_u
result
#pop-options
+
+let compute_As_plus_e
+ (v_K: usize)
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (matrix_A:
+ t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+ (s_as_ntt error_as_ntt:
+ t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ =
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice (matrix_A
+ <:
+ t_Slice (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K))
+ (fun tt_as_ntt temp_1_ ->
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ tt_as_ntt
+ in
+ let _:usize = temp_1_ in
+ true)
+ tt_as_ntt
+ (fun tt_as_ntt temp_1_ ->
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ tt_as_ntt
+ in
+ let i, row:(usize &
+ t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) =
+ temp_1_
+ in
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
+ i
+ (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ in
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Folds.fold_enumerated_slice (row
+ <:
+ t_Slice (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector))
+ (fun tt_as_ntt temp_1_ ->
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K =
+ tt_as_ntt
+ in
+ let _:usize = temp_1_ in
+ true)
+ tt_as_ntt
+ (fun tt_as_ntt temp_1_ ->
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K =
+ tt_as_ntt
+ in
+ let j, matrix_element:(usize &
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+ temp_1_
+ in
+ let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector
+ matrix_element
+ (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ in
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
+ i
+ (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector
+ v_K
+ (tt_as_ntt.[ i ]
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ product
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ in
+ tt_as_ntt)
+ in
+ let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt
+ i
+ (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector
+ (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ in
+ tt_as_ntt)
+ in
+ let result:Prims.unit = () <: Prims.unit in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ let _:Prims.unit = result in
+ tt_as_ntt
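Review bot: `compute_As_plus_e` ends with `let _:Prims.unit = admit () (* Panic freedom *) in` (L22318), while the `val` moved alongside it in Matrix.fsti promises `to_spec_vector_t tt_as_ntt_future = Spec.MLKEM.compute_As_plus_e_ntt ...` plus the field-modulus range on every element. As far as I can tell, `admit ()` discharges everything after it, so that functional postcondition — the correctness of the public-key computation `t = A∘s + e` — is assumed here rather than proved, not just panic freedom. The move itself is harmless, but the comment understates what is admitted; `(* Panic freedom and the functional postcondition in Matrix.fsti are admitted here *)` would make the verification gap visible to whoever audits the proof.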
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti
index 8c4c95e96..13f83c59a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti
@@ -36,34 +36,6 @@ val sample_matrix_A
Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future ==
Spec.MLKEM.matrix_transpose matrix_A))
-/// Compute  ◦ ŝ + ê
-val compute_As_plus_e
- (v_K: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (matrix_A:
- t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
- (s_as_ntt error_as_ntt:
- t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
- (requires Spec.MLKEM.is_rank v_K)
- (ensures
- fun tt_as_ntt_future ->
- let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- v_K =
- tt_as_ntt_future
- in
- let open Libcrux_ml_kem.Polynomial in
- to_spec_vector_t tt_as_ntt_future =
- Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A)
- (to_spec_vector_t s_as_ntt)
- (to_spec_vector_t error_as_ntt) /\
- (forall (i: nat).
- i < v v_K ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt_future
- i)))
-
/// The following functions compute various expressions involving
/// vectors and matrices. The computation of these expressions has been
/// abstracted away into these functions in order to save on loop iterations.
@@ -134,3 +106,31 @@ val compute_vector_u
(forall (i: nat).
i < v v_K ==>
Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index res i)))
+
+/// Compute  ◦ ŝ + ê
+val compute_As_plus_e
+ (v_K: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (matrix_A:
+ t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K)
+ (s_as_ntt error_as_ntt:
+ t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (requires Spec.MLKEM.is_rank v_K)
+ (ensures
+ fun tt_as_ntt_future ->
+ let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ v_K =
+ tt_as_ntt_future
+ in
+ let open Libcrux_ml_kem.Polynomial in
+ to_spec_vector_t tt_as_ntt_future =
+ Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A)
+ (to_spec_vector_t s_as_ntt)
+ (to_spec_vector_t error_as_ntt) /\
+ (forall (i: nat).
+ i < v v_K ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt_future
+ i)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst
index be6ebd525..58d47cc4a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ (sz 1536)
+ (sz 1568)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -42,6 +70,22 @@ let key_pair_serialized_private_key_mut
in
serialized
+let key_pair_serialized_public_key_mut
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ (sz 1536)
+ (sz 1568)
+ key_pair
+ serialized
+ in
+ serialized
+
let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -53,57 +97,41 @@ let key_pair_serialized_public_key
(sz 1568)
key_pair
-let key_pair_serialized_public_key_mut
+let key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.keypair_from_private_key (sz 4)
+ (sz 3168)
(sz 1536)
(sz 1568)
+ (sz 1536)
+ (sz 1536)
+ private_key
key_pair
- serialized
in
- serialized
+ key_pair
-let serialized_public_key
- (public_key:
+let unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4)
+ (sz 1536)
(sz 1536)
(sz 1568)
public_key
- serialized
+ unpacked_public_key
in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
- (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
- (sz 128) (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
- (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
- randomness
+ unpacked_public_key
let generate_key_pair_mut
(randomness: t_Array u8 (sz 64))
@@ -139,50 +167,22 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
in
key_pair
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (randomness: t_Array u8 (sz 32))
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.keypair_from_private_key (sz 4)
- (sz 3168)
- (sz 1536)
- (sz 1568)
- (sz 1536)
- (sz 1536)
- private_key
- key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
+ (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+ randomness
-let unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4)
- (sz 1536)
- (sz 1536)
- (sz 1568)
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
+ (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
+ (sz 128) (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti
index 72df96050..0b733d36a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (requires
+ forall (i: nat).
+ i < 4 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,10 +59,11 @@ val key_pair_serialized_private_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key
+val key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(requires
forall (i: nat).
@@ -46,11 +75,10 @@ val key_pair_serialized_public_key
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
+val key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(requires
forall (i: nat).
@@ -61,32 +89,41 @@ val key_pair_serialized_public_key_mut
i))
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val serialized_public_key
- (public_key:
+/// Get an unpacked key from a private key.
+val key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (requires
- forall (i: nat).
- i < 4 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 1024 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
-/// and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key:
+/// Generate ML-KEM 1024 Key Pair in "unpacked" form
+val generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 1024 Key Pair in "unpacked" form.
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
let _ =
(* This module has implicit dependencies, here we make them explicit. *)
@@ -110,50 +147,13 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 1024 Key Pair in "unpacked" form
-val generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 1024 Key Pair in "unpacked" form.
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get an unpacked key from a private key.
-val key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (key_pair:
+/// Decapsulate ML-KEM 1024 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
+/// and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst
index c9b450487..13b91e9f3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem1024.Avx2
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4)
+ (sz 1536)
+ (sz 1568)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
@@ -16,21 +22,6 @@ let validate_private_key
let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 4) (sz 3168) private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
- (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
- (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
- (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair (sz 4)
(sz 1536)
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 128)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4)
- (sz 1536)
- (sz 1568)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
+ (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
+ (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti
index 763fc3d71..f9eaab872 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem1024.Avx2
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 1024
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 1024 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 1024
/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 1024 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 1024
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst
index 865f73d20..d0bffad7c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ (sz 1536)
+ (sz 1568)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -42,6 +70,22 @@ let key_pair_serialized_private_key_mut
in
serialized
+let key_pair_serialized_public_key_mut
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ (sz 1536)
+ (sz 1568)
+ key_pair
+ serialized
+ in
+ serialized
+
let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -53,57 +97,41 @@ let key_pair_serialized_public_key
(sz 1568)
key_pair
-let key_pair_serialized_public_key_mut
+let key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.keypair_from_private_key (sz 4)
+ (sz 3168)
(sz 1536)
(sz 1568)
+ (sz 1536)
+ (sz 1536)
+ private_key
key_pair
- serialized
in
- serialized
+ key_pair
-let serialized_public_key
- (public_key:
+let unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4)
+ (sz 1536)
(sz 1536)
(sz 1568)
public_key
- serialized
+ unpacked_public_key
in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
- (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
- (sz 128) (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
- (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
- randomness
+ unpacked_public_key
let generate_key_pair_mut
(randomness: t_Array u8 (sz 64))
@@ -139,50 +167,22 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
in
key_pair
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.keypair_from_private_key (sz 4)
- (sz 3168)
- (sz 1536)
- (sz 1568)
- (sz 1536)
- (sz 1536)
- private_key
- key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
+ (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+ randomness
-let unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4)
- (sz 1536)
- (sz 1536)
- (sz 1568)
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
+ (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
+ (sz 128) (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti
index 3b4eb1833..cf49202bc 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti
@@ -11,6 +11,38 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (requires
+ forall (i: nat).
+ i < 4 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,10 +63,11 @@ val key_pair_serialized_private_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key
+val key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(requires
forall (i: nat).
@@ -46,11 +79,10 @@ val key_pair_serialized_public_key
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
+val key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(requires
forall (i: nat).
@@ -61,52 +93,27 @@ val key_pair_serialized_public_key_mut
i))
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (requires
- forall (i: nat).
- i < 4 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
-/// Decapsulate ML-KEM 1024 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
-/// and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key:
+/// Get an unpacked key from a private key.
+val key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-/// Encapsulate ML-KEM 1024 (unpacked)
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
-///
-val encapsulate
- (public_key:
+/// Get the unpacked public key.
+val unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
Prims.l_True
(fun _ -> Prims.l_True)
@@ -130,42 +137,35 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
-/// Get an unpacked key from a private key.
-val key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+/// Encapsulate ML-KEM 1024 (unpacked)
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
+///
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Get the unpacked public key.
-val unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+/// Decapsulate ML-KEM 1024 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
+/// and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst
index f664c07b3..3e33b4827 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem1024.Neon
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4)
+ (sz 1536)
+ (sz 1568)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
@@ -16,21 +22,6 @@ let validate_private_key
let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 4) (sz 3168) private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
- (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
- (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
- (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair (sz 4)
(sz 1536)
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 128)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4)
- (sz 1536)
- (sz 1568)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
+ (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
+ (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
index 097585875..c4e505237 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem1024.Neon
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 1024
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 1024 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 1024
/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 1024 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 1024
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
index 864cd1438..a4291d768 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 1536)
+ (sz 1568)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -42,6 +70,22 @@ let key_pair_serialized_private_key_mut
in
serialized
+let key_pair_serialized_public_key_mut
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 1536)
+ (sz 1568)
+ key_pair
+ serialized
+ in
+ serialized
+
let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
@@ -53,57 +97,41 @@ let key_pair_serialized_public_key
(sz 1568)
key_pair
-let key_pair_serialized_public_key_mut
+let key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 4)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.keypair_from_private_key (sz 4)
+ (sz 3168)
(sz 1536)
(sz 1568)
+ (sz 1536)
+ (sz 1536)
+ private_key
key_pair
- serialized
in
- serialized
+ key_pair
-let serialized_public_key
- (public_key:
+let unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 4)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 4)
+ (sz 1536)
(sz 1536)
(sz 1568)
public_key
- serialized
+ unpacked_public_key
in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
- (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
- (sz 128) (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
- (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
- randomness
+ unpacked_public_key
let generate_key_pair_mut
(randomness: t_Array u8 (sz 64))
@@ -139,50 +167,22 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
in
key_pair
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.keypair_from_private_key (sz 4)
- (sz 3168)
- (sz 1536)
- (sz 1568)
- (sz 1536)
- (sz 1536)
- private_key
- key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568)
+ (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+ randomness
-let unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 4)
- (sz 1536)
- (sz 1536)
- (sz 1568)
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536)
+ (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2)
+ (sz 128) (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
index 6370203e4..10aeb2dd1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti
@@ -11,6 +11,38 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (requires
+ forall (i: nat).
+ i < 4 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,10 +63,11 @@ val key_pair_serialized_private_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key
+val key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(requires
forall (i: nat).
@@ -46,11 +79,10 @@ val key_pair_serialized_public_key
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
+val key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(requires
forall (i: nat).
@@ -61,52 +93,27 @@ val key_pair_serialized_public_key_mut
i))
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (requires
- forall (i: nat).
- i < 4 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
-/// Decapsulate ML-KEM 1024 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
-/// and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key:
+/// Get an unpacked key from a private key.
+val key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-/// Encapsulate ML-KEM 1024 (unpacked)
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
-///
-val encapsulate
- (public_key:
+/// Get the unpacked public key.
+val unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
Prims.l_True
(fun _ -> Prims.l_True)
@@ -130,42 +137,35 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
-/// Get an unpacked key from a private key.
-val key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
+/// Encapsulate ML-KEM 1024 (unpacked)
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved:
+///
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Get the unpacked public key.
-val unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
+/// Decapsulate ML-KEM 1024 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`]
+/// and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
index c093cfc37..766cdb831 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem1024.Portable
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4)
+ (sz 1536)
+ (sz 1568)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
@@ -18,21 +24,6 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK
(sz 3168)
private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
- (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
- (sz 1600) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
- (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair (sz 4)
(sz 1536)
@@ -43,8 +34,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 128)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4)
- (sz 1536)
- (sz 1568)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536)
+ (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568)
+ (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1600) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
index cb06fc90f..634656bdd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem1024.Portable
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 1024
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 1024 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 1024
/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 1024 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 1024
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
index 69f4ab0fc..4d0f9a927 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst
@@ -9,43 +9,43 @@ let _ =
let open Rand_core in
()
-let encapsulate
+let generate_key_pair
(#impl_277843321_: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(rng: impl_277843321_)
=
- let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
+ let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
in
let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 32) = tmp1 in
+ let randomness:t_Array u8 (sz 64) = tmp1 in
let _:Prims.unit = () in
- let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) =
- Libcrux_ml_kem.Mlkem1024.encapsulate public_key randomness
+ let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
+ Libcrux_ml_kem.Mlkem1024.generate_key_pair randomness
in
rng, hax_temp_output
<:
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
+ (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
-let generate_key_pair
+let encapsulate
(#impl_277843321_: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(rng: impl_277843321_)
=
- let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
+ let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
in
let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 64) = tmp1 in
+ let randomness:t_Array u8 (sz 32) = tmp1 in
let _:Prims.unit = () in
- let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
- Libcrux_ml_kem.Mlkem1024.generate_key_pair randomness
+ let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) =
+ Libcrux_ml_kem.Mlkem1024.encapsulate public_key randomness
in
rng, hax_temp_output
<:
- (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
index b2175b095..e05ca0a8f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti
@@ -9,31 +9,31 @@ let _ =
let open Rand_core in
()
-/// Encapsulate ML-KEM 1024
-/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an [`MlKem1024PublicKey`].
+/// Generate ML-KEM 1024 Key Pair
/// The random number generator `rng` needs to implement `RngCore` and
/// `CryptoRng` to sample the required randomness internally.
-val encapsulate
+/// This function returns an [`MlKem1024KeyPair`].
+val generate_key_pair
(#impl_277843321_: Type0)
{| i1: Rand_core.t_RngCore impl_277843321_ |}
{| i2: Rand_core.t_CryptoRng impl_277843321_ |}
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(rng: impl_277843321_)
- : Prims.Pure
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
+ : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 1024 Key Pair
+/// Encapsulate ML-KEM 1024
+/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an [`MlKem1024PublicKey`].
/// The random number generator `rng` needs to implement `RngCore` and
/// `CryptoRng` to sample the required randomness internally.
-/// This function returns an [`MlKem1024KeyPair`].
-val generate_key_pair
+val encapsulate
(#impl_277843321_: Type0)
{| i1: Rand_core.t_RngCore impl_277843321_ |}
{| i2: Rand_core.t_CryptoRng impl_277843321_ |}
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
(rng: impl_277843321_)
- : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+ : Prims.Pure
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)))
Prims.l_True
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
index c296a0efc..5bbefd780 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem1024
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4)
+ (sz 1536)
+ (sz 1568)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
@@ -13,20 +19,16 @@ let validate_private_key
private_key
ciphertext
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 4)
- (sz 1536)
- (sz 1568)
- public_key.Libcrux_ml_kem.Types.f_value
-
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- =
- let result:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568)
- (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600)
- private_key ciphertext
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4)
+ (sz 1536)
+ (sz 3168)
+ (sz 1568)
+ (sz 1536)
+ (sz 2)
+ (sz 128)
+ randomness
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
@@ -42,16 +44,14 @@ let encapsulate
let _:Prims.unit = admit () (* Panic freedom *) in
result
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4)
- (sz 1536)
- (sz 3168)
- (sz 1568)
- (sz 1536)
- (sz 2)
- (sz 128)
- randomness
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ =
+ let result:t_Array u8 (sz 32) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568)
+ (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600)
+ private_key ciphertext
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
index 007e5c86f..86a3ff54a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti
@@ -3,23 +3,8 @@ module Libcrux_ml_kem.Mlkem1024
open Core
open FStar.Mul
-let v_ETA1: usize = sz 2
-
-let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
-
-let v_ETA2: usize = sz 2
-
-let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
-
let v_RANK_1024_: usize = sz 4
-let v_CPA_PKE_SECRET_KEY_SIZE_1024_: usize =
- ((v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
- Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
- <:
- usize) /!
- sz 8
-
let v_RANKED_BYTES_PER_RING_ELEMENT_1024_: usize =
(v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8
@@ -30,15 +15,6 @@ let v_T_AS_NTT_ENCODED_SIZE_1024_: usize =
usize) /!
sz 8
-let v_CPA_PKE_PUBLIC_KEY_SIZE_1024_: usize = v_T_AS_NTT_ENCODED_SIZE_1024_ +! sz 32
-
-let v_SECRET_KEY_SIZE_1024_: usize =
- ((v_CPA_PKE_SECRET_KEY_SIZE_1024_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_1024_ <: usize) +!
- Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
- <:
- usize) +!
- Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-
let v_VECTOR_U_COMPRESSION_FACTOR_1024_: usize = sz 11
let v_C1_BLOCK_SIZE_1024_: usize =
@@ -57,38 +33,61 @@ let v_C2_SIZE_1024_: usize =
usize) /!
sz 8
+let v_CPA_PKE_SECRET_KEY_SIZE_1024_: usize =
+ ((v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
+ Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
+ <:
+ usize) /!
+ sz 8
+
+let v_CPA_PKE_PUBLIC_KEY_SIZE_1024_: usize = v_T_AS_NTT_ENCODED_SIZE_1024_ +! sz 32
+
let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = v_C1_SIZE_1024_ +! v_C2_SIZE_1024_
+let v_SECRET_KEY_SIZE_1024_: usize =
+ ((v_CPA_PKE_SECRET_KEY_SIZE_1024_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_1024_ <: usize) +!
+ Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
+ <:
+ usize) +!
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
+
+let v_ETA1: usize = sz 2
+
+let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
+
+let v_ETA2: usize = sz 2
+
+let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
+
let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize =
Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_
-/// Validate a private key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_private_key
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
/// Validate a public key.
/// Returns `true` if valid, and `false` otherwise.
val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 1024
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
-val decapsulate
+/// Validate a private key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 1024 Key Pair
+/// Generate an ML-KEM key pair. The input is a byte array of size
+/// [`KEY_GENERATION_SEED_SIZE`].
+/// This function returns an [`MlKem1024KeyPair`].
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
Prims.l_True
(ensures
fun res ->
- let res:t_Array u8 (sz 32) = res in
- let shared_secret, valid =
- Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value
+ let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in
+ let (secret_key, public_key), valid =
+ Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness
in
- valid ==> res == shared_secret)
+ valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
/// Encapsulate ML-KEM 1024
/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -108,17 +107,18 @@ val encapsulate
let res_ciphertext, res_shared_secret = res in
valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret))
-/// Generate ML-KEM 1024 Key Pair
-/// Generate an ML-KEM key pair. The input is a byte array of size
-/// [`KEY_GENERATION_SEED_SIZE`].
-/// This function returns an [`MlKem1024KeyPair`].
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568))
+/// Decapsulate ML-KEM 1024
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568))
+ : Prims.Pure (t_Array u8 (sz 32))
Prims.l_True
(ensures
fun res ->
- let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in
- let (secret_key, public_key), valid =
- Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness
+ let res:t_Array u8 (sz 32) = res in
+ let shared_secret, valid =
+ Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value
in
- valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
+ valid ==> res == shared_secret)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst
index c02a6e7aa..5fa5d411b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ (sz 768)
+ (sz 800)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
@@ -42,6 +70,22 @@ let key_pair_serialized_private_key_mut
in
serialized
+let key_pair_serialized_public_key_mut
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ (sz 768)
+ (sz 800)
+ key_pair
+ serialized
+ in
+ serialized
+
let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
@@ -53,56 +97,41 @@ let key_pair_serialized_public_key
(sz 800)
key_pair
-let key_pair_serialized_public_key_mut
+let key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.keypair_from_private_key (sz 2)
+ (sz 1632)
(sz 768)
(sz 800)
+ (sz 768)
+ (sz 768)
+ private_key
key_pair
- serialized
in
- serialized
+ key_pair
-let serialized_public_key
- (public_key:
+let unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2)
+ (sz 768)
(sz 768)
(sz 800)
public_key
- serialized
+ unpacked_public_key
in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800)
- (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
- (sz 800) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
- (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+ unpacked_public_key
let generate_key_pair_mut
(randomness: t_Array u8 (sz 64))
@@ -138,50 +167,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
in
key_pair
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (randomness: t_Array u8 (sz 32))
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.keypair_from_private_key (sz 2)
- (sz 1632)
- (sz 768)
- (sz 800)
- (sz 768)
- (sz 768)
- private_key
- key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
+ (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
-let unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2)
- (sz 768)
- (sz 768)
- (sz 800)
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800)
+ (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
+ (sz 800) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti
index 21aeb9213..dcd19cd24 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (requires
+ forall (i: nat).
+ i < 2 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,10 +59,11 @@ val key_pair_serialized_private_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key
+val key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(requires
forall (i: nat).
@@ -46,11 +75,10 @@ val key_pair_serialized_public_key
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
+val key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(requires
forall (i: nat).
@@ -61,32 +89,41 @@ val key_pair_serialized_public_key_mut
i))
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val serialized_public_key
- (public_key:
+/// Get an unpacked key from a private key.
+val key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (requires
- forall (i: nat).
- i < 2 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 512 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`]
-/// and an [`MlKem512Ciphertext`].
-val decapsulate
- (private_key:
+/// Generate ML-KEM 512 Key Pair in "unpacked" form
+val generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 512 Key Pair in "unpacked" form.
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
let _ =
(* This module has implicit dependencies, here we make them explicit. *)
@@ -108,50 +145,13 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 512 Key Pair in "unpacked" form
-val generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 512 Key Pair in "unpacked" form.
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get an unpacked key from a private key.
-val key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (key_pair:
+/// Decapsulate ML-KEM 512 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`]
+/// and an [`MlKem512Ciphertext`].
+val decapsulate
+ (private_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Get the unpacked public key.
-val unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst
index 81867e6a4..28a4e60c6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem512.Avx2
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2)
+ (sz 768)
+ (sz 800)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
@@ -16,21 +22,6 @@ let validate_private_key
let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 2) (sz 1632) private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
- (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
- private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640)
- (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair (sz 2)
(sz 768)
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 192)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2)
- (sz 768)
- (sz 800)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640)
+ (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
+ (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
+ private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti
index b138131fe..155b410a7 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem512.Avx2
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 512
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 512 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 512
/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 512 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 512
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst
index dc2ec0335..c7cee7c1b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ (sz 768)
+ (sz 800)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
@@ -42,6 +70,22 @@ let key_pair_serialized_private_key_mut
in
serialized
+let key_pair_serialized_public_key_mut
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ (sz 768)
+ (sz 800)
+ key_pair
+ serialized
+ in
+ serialized
+
let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
@@ -53,56 +97,41 @@ let key_pair_serialized_public_key
(sz 800)
key_pair
-let key_pair_serialized_public_key_mut
+let key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.keypair_from_private_key (sz 2)
+ (sz 1632)
(sz 768)
(sz 800)
+ (sz 768)
+ (sz 768)
+ private_key
key_pair
- serialized
in
- serialized
+ key_pair
-let serialized_public_key
- (public_key:
+let unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2)
+ (sz 768)
(sz 768)
(sz 800)
public_key
- serialized
+ unpacked_public_key
in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800)
- (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
- (sz 800) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
- (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+ unpacked_public_key
let generate_key_pair_mut
(randomness: t_Array u8 (sz 64))
@@ -138,50 +167,21 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
in
key_pair
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.keypair_from_private_key (sz 2)
- (sz 1632)
- (sz 768)
- (sz 800)
- (sz 768)
- (sz 768)
- private_key
- key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
+ (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
-let unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2)
- (sz 768)
- (sz 768)
- (sz 800)
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800)
+ (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
+ (sz 800) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti
index d6eab98a0..a1db53972 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti
@@ -11,6 +11,38 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (requires
+ forall (i: nat).
+ i < 2 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,10 +63,11 @@ val key_pair_serialized_private_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key
+val key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(requires
forall (i: nat).
@@ -46,11 +79,10 @@ val key_pair_serialized_public_key
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
+val key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(requires
forall (i: nat).
@@ -61,50 +93,27 @@ val key_pair_serialized_public_key_mut
i))
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (requires
- forall (i: nat).
- i < 2 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
-/// Decapsulate ML-KEM 512 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`]
-/// and an [`MlKem512Ciphertext`].
-val decapsulate
- (private_key:
+/// Get an unpacked key from a private key.
+val key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-/// Encapsulate ML-KEM 512 (unpacked)
-/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
- (public_key:
+/// Get the unpacked public key.
+val unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
Prims.l_True
(fun _ -> Prims.l_True)
@@ -128,42 +137,33 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
-/// Get an unpacked key from a private key.
-val key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+/// Encapsulate ML-KEM 512 (unpacked)
+/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Get the unpacked public key.
-val unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+/// Decapsulate ML-KEM 512 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`]
+/// and an [`MlKem512Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst
index 077af75fe..4a2be4c3f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem512.Neon
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2)
+ (sz 768)
+ (sz 800)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
@@ -16,21 +22,6 @@ let validate_private_key
let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 2) (sz 1632) private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
- (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
- private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640)
- (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair (sz 2)
(sz 768)
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 192)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2)
- (sz 768)
- (sz 800)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640)
+ (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
+ (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
+ private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti
index 6886ec966..d029866f8 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem512.Neon
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 512
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 512 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 512
/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 512 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 512
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst
index 858d9359a..30232f848 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 768)
+ (sz 800)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
@@ -42,6 +70,22 @@ let key_pair_serialized_private_key_mut
in
serialized
+let key_pair_serialized_public_key_mut
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 768)
+ (sz 800)
+ key_pair
+ serialized
+ in
+ serialized
+
let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
@@ -53,57 +97,41 @@ let key_pair_serialized_public_key
(sz 800)
key_pair
-let key_pair_serialized_public_key_mut
+let key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 2)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.keypair_from_private_key (sz 2)
+ (sz 1632)
(sz 768)
(sz 800)
+ (sz 768)
+ (sz 768)
+ private_key
key_pair
- serialized
in
- serialized
+ key_pair
-let serialized_public_key
- (public_key:
+let unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
=
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 2)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 2)
+ (sz 768)
(sz 768)
(sz 800)
public_key
- serialized
+ unpacked_public_key
in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768)
- (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2)
- (sz 128) (sz 800) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800)
- (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key
- randomness
+ unpacked_public_key
let generate_key_pair_mut
(randomness: t_Array u8 (sz 64))
@@ -139,50 +167,22 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
in
key_pair
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.keypair_from_private_key (sz 2)
- (sz 1632)
- (sz 768)
- (sz 800)
- (sz 768)
- (sz 768)
- private_key
- key_pair
- in
- key_pair
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800)
+ (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key
+ randomness
-let unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
=
- let unpacked_public_key:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 2)
- (sz 768)
- (sz 768)
- (sz 800)
- public_key
- unpacked_public_key
- in
- unpacked_public_key
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768)
+ (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2)
+ (sz 128) (sz 800) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti
index 7f06b0b9c..0691e26fd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti
@@ -11,6 +11,38 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (requires
+ forall (i: nat).
+ i < 2 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,10 +63,11 @@ val key_pair_serialized_private_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key
+val key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(requires
forall (i: nat).
@@ -46,11 +79,10 @@ val key_pair_serialized_public_key
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val key_pair_serialized_public_key_mut
+val key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(requires
forall (i: nat).
@@ -61,50 +93,27 @@ val key_pair_serialized_public_key_mut
i))
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (requires
- forall (i: nat).
- i < 2 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
-/// Decapsulate ML-KEM 512 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`]
-/// and an [`MlKem512Ciphertext`].
-val decapsulate
- (private_key:
+/// Get an unpacked key from a private key.
+val key_pair_from_private_mut
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
-/// Encapsulate ML-KEM 512 (unpacked)
-/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
- (public_key:
+/// Get the unpacked public key.
+val unpacked_public_key
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (unpacked_public_key:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
Prims.l_True
(fun _ -> Prims.l_True)
@@ -128,42 +137,33 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
-/// Get an unpacked key from a private key.
-val key_pair_from_private_mut
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
+/// Encapsulate ML-KEM 512 (unpacked)
+/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Get the unpacked public key.
-val unpacked_public_key
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (unpacked_public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
+/// Decapsulate ML-KEM 512 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`]
+/// and an [`MlKem512Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
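Review bot: The relocated dependency stub `let open Libcrux_ml_kem.Vector.Neon in` sits among declarations that are all typed over `Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector`, so this portable ML-KEM 512 unpacked interface now (as before the move) carries the Neon vector module as a proof dependency. The stub looks extractor-generated from typeclass instances rather than something this reorder introduces, so it may be intended; if it is not, the extra open is worth dropping on the Rust side so the portable proof does not depend on the Neon module at all. The enclosing `.fsti` and its file header start outside this hunk.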
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst
index 4c6c96ff8..090dcd204 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem512.Portable
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2)
+ (sz 768)
+ (sz 800)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
@@ -18,21 +24,6 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK
(sz 1632)
private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800)
- (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
- (sz 800) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
- (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair (sz 2)
(sz 768)
@@ -43,8 +34,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 192)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2)
- (sz 768)
- (sz 800)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 2) (sz 768) (sz 800) (sz 768)
+ (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800)
+ (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128)
+ (sz 800) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti
index 64d59c955..c0964f505 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem512.Portable
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 512
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 512 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 512
/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 512 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 512
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
index adca30249..e739bdfa0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst
@@ -9,41 +9,41 @@ let _ =
let open Rand_core in
()
-let encapsulate
+let generate_key_pair
(#impl_277843321_: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(rng: impl_277843321_)
=
- let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
+ let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
in
let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 32) = tmp1 in
+ let randomness:t_Array u8 (sz 64) = tmp1 in
let _:Prims.unit = () in
- let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) =
- Libcrux_ml_kem.Mlkem512.encapsulate public_key randomness
+ let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) =
+ Libcrux_ml_kem.Mlkem512.generate_key_pair randomness
in
- rng, hax_temp_output
- <:
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)))
+ rng, hax_temp_output <: (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
-let generate_key_pair
+let encapsulate
(#impl_277843321_: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(rng: impl_277843321_)
=
- let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
+ let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
in
let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 64) = tmp1 in
+ let randomness:t_Array u8 (sz 32) = tmp1 in
let _:Prims.unit = () in
- let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) =
- Libcrux_ml_kem.Mlkem512.generate_key_pair randomness
+ let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) =
+ Libcrux_ml_kem.Mlkem512.encapsulate public_key randomness
in
- rng, hax_temp_output <: (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
+ rng, hax_temp_output
+ <:
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti
index 31ef494ee..16f8cd014 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti
@@ -9,31 +9,31 @@ let _ =
let open Rand_core in
()
-/// Encapsulate ML-KEM 512
-/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an [`MlKem512PublicKey`].
+/// Generate ML-KEM 512 Key Pair
/// The random number generator `rng` needs to implement `RngCore` and
/// `CryptoRng` to sample the required randomness internally.
-val encapsulate
+/// This function returns an [`MlKem512KeyPair`].
+val generate_key_pair
(#impl_277843321_: Type0)
{| i1: Rand_core.t_RngCore impl_277843321_ |}
{| i2: Rand_core.t_CryptoRng impl_277843321_ |}
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(rng: impl_277843321_)
- : Prims.Pure
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)))
+ : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 512 Key Pair
+/// Encapsulate ML-KEM 512
+/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an [`MlKem512PublicKey`].
/// The random number generator `rng` needs to implement `RngCore` and
/// `CryptoRng` to sample the required randomness internally.
-/// This function returns an [`MlKem512KeyPair`].
-val generate_key_pair
+val encapsulate
(#impl_277843321_: Type0)
{| i1: Rand_core.t_RngCore impl_277843321_ |}
{| i2: Rand_core.t_CryptoRng impl_277843321_ |}
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
(rng: impl_277843321_)
- : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
+ : Prims.Pure
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)))
Prims.l_True
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst
index ec76cf211..756aaaa67 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem512
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2)
+ (sz 768)
+ (sz 800)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
@@ -13,20 +19,16 @@ let validate_private_key
private_key
ciphertext
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 2)
- (sz 768)
- (sz 800)
- public_key.Libcrux_ml_kem.Types.f_value
-
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- =
- let result:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
- (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
- private_key ciphertext
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2)
+ (sz 768)
+ (sz 1632)
+ (sz 800)
+ (sz 768)
+ (sz 3)
+ (sz 192)
+ randomness
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
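Review bot: The moved generate_key_pair body still ends with `let _:Prims.unit = admit () (* Panic freedom *) in` before returning `result`, and the moved decapsulate body in the last hunk of this file does the same, so whatever these wrappers are proved to satisfy holds only modulo an admitted obligation. The admits appear to be emitted by the extraction for a precondition of the `Libcrux_ml_kem.Ind_cca.Multiplexing` callee rather than added by this reorder, but both are top-level API entry points of the 512 parameter set. It would be worth recording, in the `.fsti` doc comments or in a proof-status note next to the admits, whether that obligation is discharged elsewhere (for example in the instantiation proofs) or is still open, so a reader of the interface does not take the spec equivalence as fully verified.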
@@ -42,16 +44,14 @@ let encapsulate
let _:Prims.unit = admit () (* Panic freedom *) in
result
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2)
- (sz 768)
- (sz 1632)
- (sz 800)
- (sz 768)
- (sz 3)
- (sz 192)
- randomness
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ =
+ let result:t_Array u8 (sz 32) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768)
+ (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800)
+ private_key ciphertext
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
index 94590e2ee..74ca4c5d2 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
@@ -3,23 +3,8 @@ module Libcrux_ml_kem.Mlkem512
open Core
open FStar.Mul
-let v_ETA1: usize = sz 3
-
-let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
-
-let v_ETA2: usize = sz 2
-
-let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
-
let v_RANK_512_: usize = sz 2
-let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize =
- ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
- Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
- <:
- usize) /!
- sz 8
-
let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize =
(v_RANK_512_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8
@@ -30,15 +15,6 @@ let v_T_AS_NTT_ENCODED_SIZE_512_: usize =
usize) /!
sz 8
-let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32
-
-let v_SECRET_KEY_SIZE_512_: usize =
- ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +!
- Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
- <:
- usize) +!
- Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-
let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10
let v_C1_BLOCK_SIZE_512_: usize =
@@ -57,38 +33,61 @@ let v_C2_SIZE_512_: usize =
usize) /!
sz 8
+let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize =
+ ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
+ Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
+ <:
+ usize) /!
+ sz 8
+
+let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32
+
let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = v_C1_SIZE_512_ +! v_C2_SIZE_512_
+let v_SECRET_KEY_SIZE_512_: usize =
+ ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +!
+ Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
+ <:
+ usize) +!
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
+
+let v_ETA1: usize = sz 3
+
+let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
+
+let v_ETA2: usize = sz 2
+
+let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
+
let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize =
Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_
-/// Validate a private key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_private_key
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
/// Validate a public key.
/// Returns `true` if valid, and `false` otherwise.
val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 512
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
-val decapsulate
+/// Validate a private key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 512 Key Pair
+/// The input is a byte array of size
+/// [`KEY_GENERATION_SEED_SIZE`].
+/// This function returns an [`MlKem512KeyPair`].
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
Prims.l_True
(ensures
fun res ->
- let res:t_Array u8 (sz 32) = res in
- let shared_secret, valid =
- Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value
+ let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in
+ let (secret_key, public_key), valid =
+ Spec.MLKEM.Instances.mlkem512_generate_keypair randomness
in
- valid ==> res == shared_secret)
+ valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
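Review bot: The postconditions moved here for generate_key_pair, and for decapsulate in the next hunk, are guarded by `valid ==>` and therefore constrain nothing about the result when the spec-level `valid` flag is false. If that flag models a condition the implementation must also handle (for decapsulate, the rejection path is the security-relevant case), the interface should say what the wrapper returns then; if it only tracks the spec's own sampling success the guarantee is fine but undocumented, and I cannot tell from this hunk which it is. A one-line doc comment on each `val`, such as `/// The postcondition is vacuous when Spec.MLKEM.Instances reports the input as invalid.`, would make the verified guarantee explicit to callers.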
/// Encapsulate ML-KEM 512
/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -108,17 +107,18 @@ val encapsulate
let res_ciphertext, res_shared_secret = res in
valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret))
-/// Generate ML-KEM 512 Key Pair
-/// The input is a byte array of size
-/// [`KEY_GENERATION_SEED_SIZE`].
-/// This function returns an [`MlKem512KeyPair`].
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800))
+/// Decapsulate ML-KEM 512
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768))
+ : Prims.Pure (t_Array u8 (sz 32))
Prims.l_True
(ensures
fun res ->
- let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in
- let (secret_key, public_key), valid =
- Spec.MLKEM.Instances.mlkem512_generate_keypair randomness
+ let res:t_Array u8 (sz 32) = res in
+ let shared_secret, valid =
+ Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value
in
- valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
+ valid ==> res == shared_secret)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst
index 26a1de1e8..4718cc7a3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ (sz 1152)
+ (sz 1184)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -42,17 +70,6 @@ let key_pair_serialized_private_key_mut
in
serialized
-let key_pair_serialized_public_key
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
- (sz 1152)
- (sz 1184)
- key_pair
-
let key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -69,87 +86,16 @@ let key_pair_serialized_public_key_mut
in
serialized
-let serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- =
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
- #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
- (sz 1152)
- (sz 1184)
- public_key
- serialized
- in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152)
- (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
- (sz 128) (sz 1120) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
- (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
- randomness
-
-let generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
+let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 3)
- (sz 1152)
- (sz 2400)
- (sz 1184)
- (sz 1152)
- (sz 2)
- (sz 128)
- randomness
- key_pair
- in
- key_pair
-
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
- generate_key_pair_mut randomness key_pair
- in
- key_pair
-
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
+ #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector
+ (sz 1152)
+ (sz 1184)
+ key_pair
let key_pair_from_private_mut
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -208,3 +154,57 @@ let unpacked_public_key
unpacked_public_key
in
unpacked_public_key
+
+let generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 3)
+ (sz 1152)
+ (sz 2400)
+ (sz 1184)
+ (sz 1152)
+ (sz 2)
+ (sz 128)
+ randomness
+ key_pair
+ in
+ key_pair
+
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector =
+ generate_key_pair_mut randomness key_pair
+ in
+ key_pair
+
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
+ (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+ randomness
+
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152)
+ (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
+ (sz 128) (sz 1120) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti
index 26bf0ffd6..7ac606b83 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti
@@ -11,6 +11,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (requires
+ forall (i: nat).
+ i < 3 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -30,21 +58,6 @@ val key_pair_serialized_private_key_mut
Prims.l_True
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val key_pair_serialized_public_key
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- (requires
- forall (i: nat).
- i < 3 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
/// Get the serialized public key.
val key_pair_serialized_public_key_mut
(key_pair:
@@ -63,80 +76,20 @@ val key_pair_serialized_public_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+val key_pair_serialized_public_key
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
(requires
forall (i: nat).
i < 3 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
.f_ind_cpa_public_key
.f_t_as_ntt
i))
(fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 768 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`]
-/// and an [`MlKem768Ciphertext`].
-val decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
-
-/// Encapsulate ML-KEM 768 (unpacked)
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 768 Key Pair in "unpacked" form.
-val generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 768 Key Pair in "unpacked" form.
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
-
/// Get an unpacked key from a private key.
val key_pair_from_private_mut
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -168,3 +121,50 @@ val unpacked_public_key
: Prims.Pure
(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair in "unpacked" form.
+val generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair in "unpacked" form.
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
+
+/// Encapsulate ML-KEM 768 (unpacked)
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Decapsulate ML-KEM 768 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`]
+/// and an [`MlKem768Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst
index ec517abff..f67977469 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem768.Avx2
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3)
+ (sz 1152)
+ (sz 1184)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
@@ -16,21 +22,6 @@ let validate_private_key
let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_private_key_only (sz 3) (sz 2400) private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184)
- (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128)
- (sz 1120) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152)
- (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.generate_keypair (sz 3)
(sz 1152)
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 128)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3)
- (sz 1152)
- (sz 1184)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152)
+ (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184)
+ (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1120) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti
index 32d3615e9..f608cf49f 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem768.Avx2
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 768
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 768 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 768
/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 768 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 768
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst
index 3a57c5f0b..c00d88015 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst
@@ -12,6 +12,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ (sz 1152)
+ (sz 1184)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -43,17 +71,6 @@ let key_pair_serialized_private_key_mut
in
serialized
-let key_pair_serialized_public_key
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- (sz 1152)
- (sz 1184)
- key_pair
-
let key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -70,87 +87,16 @@ let key_pair_serialized_public_key_mut
in
serialized
-let serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- =
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
- #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- (sz 1152)
- (sz 1184)
- public_key
- serialized
- in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152)
- (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
- (sz 128) (sz 1120) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
- (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
- randomness
-
-let generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
+let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 3)
- (sz 1152)
- (sz 2400)
- (sz 1184)
- (sz 1152)
- (sz 2)
- (sz 128)
- randomness
- key_pair
- in
- key_pair
-
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- generate_key_pair_mut randomness key_pair
- in
- key_pair
-
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- #FStar.Tactics.Typeclasses.solve
- ()
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ (sz 1152)
+ (sz 1184)
+ key_pair
let key_pair_from_private_mut
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -209,3 +155,57 @@ let unpacked_public_key
unpacked_public_key
in
unpacked_public_key
+
+let generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 3)
+ (sz 1152)
+ (sz 2400)
+ (sz 1184)
+ (sz 1152)
+ (sz 2)
+ (sz 128)
+ randomness
+ key_pair
+ in
+ key_pair
+
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ generate_key_pair_mut randomness key_pair
+ in
+ key_pair
+
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
+ (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+ randomness
+
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152)
+ (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
+ (sz 128) (sz 1120) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti
index 3fbc5e15c..0bf82e31d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti
@@ -12,6 +12,38 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (requires
+ forall (i: nat).
+ i < 3 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,21 +63,6 @@ val key_pair_serialized_private_key_mut
Prims.l_True
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val key_pair_serialized_public_key
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- (requires
- forall (i: nat).
- i < 3 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
/// Get the serialized public key.
val key_pair_serialized_public_key_mut
(key_pair:
@@ -64,88 +81,20 @@ val key_pair_serialized_public_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+val key_pair_serialized_public_key
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
(requires
forall (i: nat).
i < 3 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
.f_ind_cpa_public_key
.f_t_as_ntt
i))
(fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 768 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`]
-/// and an [`MlKem768Ciphertext`].
-val decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
-
-/// Encapsulate ML-KEM 768 (unpacked)
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 768 Key Pair in "unpacked" form.
-val generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 768 Key Pair in "unpacked" form.
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
/// Get an unpacked key from a private key.
val key_pair_from_private_mut
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -183,3 +132,54 @@ val unpacked_public_key
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
Prims.l_True
(fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair in "unpacked" form.
+val generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair in "unpacked" form.
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
+
+/// Encapsulate ML-KEM 768 (unpacked)
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Decapsulate ML-KEM 768 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`]
+/// and an [`MlKem768Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst
index d6ffc47a4..217db89fb 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem768.Neon
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3)
+ (sz 1152)
+ (sz 1184)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
@@ -16,21 +22,6 @@ let validate_private_key
let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_private_key_only (sz 3) (sz 2400) private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184)
- (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128)
- (sz 1120) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152)
- (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.generate_keypair (sz 3)
(sz 1152)
@@ -41,8 +32,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 128)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3)
- (sz 1152)
- (sz 1184)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152)
+ (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184)
+ (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1120) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti
index 00fc18c11..8aebfc0f2 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem768.Neon
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 768
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 768 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 768
/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 768 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 768
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst
index 02504bb00..de49efa0a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst
@@ -12,6 +12,34 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let init_key_pair (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let init_public_key (_: Prims.unit) =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+
+let serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ =
+ let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 1152)
+ (sz 1184)
+ public_key
+ serialized
+ in
+ serialized
+
let key_pair_serialized_private_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -43,17 +71,6 @@ let key_pair_serialized_private_key_mut
in
serialized
-let key_pair_serialized_public_key
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (sz 1152)
- (sz 1184)
- key_pair
-
let key_pair_serialized_public_key_mut
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
@@ -70,87 +87,16 @@ let key_pair_serialized_public_key_mut
in
serialized
-let serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- =
- let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) =
- Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_mut (sz 3)
- #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (sz 1152)
- (sz 1184)
- public_key
- serialized
- in
- serialized
-
-let decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152)
- (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
- (sz 128) (sz 1120) private_key ciphertext
-
-let encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
- (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
- randomness
-
-let generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
+let key_pair_serialized_public_key
(key_pair:
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
=
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3)
- (sz 1152)
- (sz 2400)
- (sz 1184)
- (sz 1152)
- (sz 2)
- (sz 128)
- randomness
- key_pair
- in
- key_pair
-
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
- in
- let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- generate_key_pair_mut randomness key_pair
- in
- key_pair
-
-let init_key_pair (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
-
-let init_public_key (_: Prims.unit) =
- Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- #FStar.Tactics.Typeclasses.solve
- ()
+ Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key (sz 3)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (sz 1152)
+ (sz 1184)
+ key_pair
let key_pair_from_private_mut
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -209,3 +155,57 @@ let unpacked_public_key
unpacked_public_key
in
unpacked_public_key
+
+let generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3)
+ (sz 1152)
+ (sz 2400)
+ (sz 1184)
+ (sz 1152)
+ (sz 2)
+ (sz 128)
+ randomness
+ key_pair
+ in
+ key_pair
+
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ in
+ let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ generate_key_pair_mut randomness key_pair
+ in
+ key_pair
+
+let encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184)
+ (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key
+ randomness
+
+let decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152)
+ (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2)
+ (sz 128) (sz 1120) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti
index e4f2a98e1..89578b57a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti
@@ -12,6 +12,38 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+/// Create a new, empty unpacked key.
+val init_key_pair: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Create a new, empty unpacked public key.
+val init_public_key: Prims.unit
+ -> Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the serialized public key.
+val serialized_public_key
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (requires
+ forall (i: nat).
+ i < 3 ==>
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ .f_ind_cpa_public_key
+ .f_t_as_ntt
+ i))
+ (fun _ -> Prims.l_True)
+
/// Get the serialized private key.
val key_pair_serialized_private_key
(key_pair:
@@ -31,21 +63,6 @@ val key_pair_serialized_private_key_mut
Prims.l_True
(fun _ -> Prims.l_True)
-/// Get the serialized public key.
-val key_pair_serialized_public_key
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- (requires
- forall (i: nat).
- i < 3 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
- .f_ind_cpa_public_key
- .f_t_as_ntt
- i))
- (fun _ -> Prims.l_True)
-
/// Get the serialized public key.
val key_pair_serialized_public_key_mut
(key_pair:
@@ -64,88 +81,20 @@ val key_pair_serialized_public_key_mut
(fun _ -> Prims.l_True)
/// Get the serialized public key.
-val serialized_public_key
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+val key_pair_serialized_public_key
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
: Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
(requires
forall (i: nat).
i < 3 ==>
- Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key
+ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key_pair.f_public_key
.f_ind_cpa_public_key
.f_t_as_ntt
i))
(fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 768 (unpacked)
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`]
-/// and an [`MlKem768Ciphertext`].
-val decapsulate
- (private_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Portable in
- let open Libcrux_ml_kem.Vector.Neon in
- ()
-
-/// Encapsulate ML-KEM 768 (unpacked)
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
-/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
-val encapsulate
- (public_key:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (randomness: t_Array u8 (sz 32))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 768 Key Pair in "unpacked" form.
-val generate_key_pair_mut
- (randomness: t_Array u8 (sz 64))
- (key_pair:
- Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Generate ML-KEM 768 Key Pair in "unpacked" form.
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked key.
-val init_key_pair: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Create a new, empty unpacked public key.
-val init_public_key: Prims.unit
- -> Prims.Pure
- (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- Prims.l_True
- (fun _ -> Prims.l_True)
-
/// Get an unpacked key from a private key.
val key_pair_from_private_mut
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
@@ -183,3 +132,54 @@ val unpacked_public_key
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
Prims.l_True
(fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair in "unpacked" form.
+val generate_key_pair_mut
+ (randomness: t_Array u8 (sz 64))
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair in "unpacked" form.
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Vector.Portable in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
+
+/// Encapsulate ML-KEM 768 (unpacked)
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`],
+/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`.
+val encapsulate
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Decapsulate ML-KEM 768 (unpacked)
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`]
+/// and an [`MlKem768Ciphertext`].
+val decapsulate
+ (private_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3)
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
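Review bot: The unpacked `encapsulate` and `decapsulate` here carry `Prims.l_True` as both precondition and postcondition, while `serialized_public_key` earlier in this same file requires `coefficients_field_modulus_range` on every element of `f_ind_cpa_public_key.f_t_as_ntt` and the packed API in `Libcrux_ml_kem.Mlkem768.fsti` ties its results to `Spec.MLKEM`. Because `init_public_key` hands out a `Default` value, nothing at the proof level stops a caller from running `encapsulate` on an unpacked key that never went through `unpacked_public_key` or `generate_key_pair`, and no contract relates the unpacked shared secret to the packed one. Consider giving these two the same `requires` as the serializers (for `decapsulate`, over `private_key.f_public_key.f_ind_cpa_public_key.f_t_as_ntt`) and, where feasible, an `ensures` against the spec; since this file is hax output, that presumably means adding the attributes in the Rust source rather than editing here. Whether the Ind_cca implementation actually depends on the range invariant cannot be told from this file, so the exact precondition should be confirmed against `Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked`.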
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst
index ef78b1c7e..ffe9b58f0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem768.Portable
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3)
+ (sz 1152)
+ (sz 1184)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
@@ -18,21 +24,6 @@ let validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateK
(sz 2400)
private_key
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184)
- (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128)
- (sz 1120) private_key ciphertext
-
-let encapsulate
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- (randomness: t_Array u8 (sz 32))
- =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152)
- (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
-
let generate_key_pair (randomness: t_Array u8 (sz 64)) =
Libcrux_ml_kem.Ind_cca.Instantiations.Portable.generate_keypair (sz 3)
(sz 1152)
@@ -43,8 +34,17 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) =
(sz 128)
randomness
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
- Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3)
- (sz 1152)
- (sz 1184)
- public_key.Libcrux_ml_kem.Types.f_value
+let encapsulate
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152)
+ (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
+
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ =
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184)
+ (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128)
+ (sz 1120) private_key ciphertext
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti
index d503ab893..7847d3793 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti
@@ -3,6 +3,11 @@ module Libcrux_ml_kem.Mlkem768.Portable
open Core
open FStar.Mul
+/// Validate a public key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
/// Validate a private key.
/// Returns `true` if valid, and `false` otherwise.
val validate_private_key
@@ -15,13 +20,11 @@ val validate_private_key
val validate_private_key_only (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 768
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
-val decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+/// Generate ML-KEM 768 Key Pair
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
/// Encapsulate ML-KEM 768
/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -34,13 +37,10 @@ val encapsulate
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 768 Key Pair
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+/// Decapsulate ML-KEM 768
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
index 80ac366d4..e5bea331d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
@@ -9,43 +9,43 @@ let _ =
let open Rand_core in
()
-let encapsulate
+let generate_key_pair
(#impl_277843321_: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
(rng: impl_277843321_)
=
- let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
+ let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
in
let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 32) = tmp1 in
+ let randomness:t_Array u8 (sz 64) = tmp1 in
let _:Prims.unit = () in
- let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) =
- Libcrux_ml_kem.Mlkem768.encapsulate public_key randomness
+ let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) =
+ Libcrux_ml_kem.Mlkem768.generate_key_pair randomness
in
rng, hax_temp_output
<:
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)))
+ (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
-let generate_key_pair
+let encapsulate
(#impl_277843321_: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
(#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
(rng: impl_277843321_)
=
- let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
- let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
+ let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
in
let rng:impl_277843321_ = tmp0 in
- let randomness:t_Array u8 (sz 64) = tmp1 in
+ let randomness:t_Array u8 (sz 32) = tmp1 in
let _:Prims.unit = () in
- let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) =
- Libcrux_ml_kem.Mlkem768.generate_key_pair randomness
+ let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) =
+ Libcrux_ml_kem.Mlkem768.encapsulate public_key randomness
in
rng, hax_temp_output
<:
- (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
index fb034e0f5..a9bea6f7d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
@@ -9,31 +9,31 @@ let _ =
let open Rand_core in
()
-/// Encapsulate ML-KEM 768
-/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
-/// The input is a reference to an [`MlKem768PublicKey`].
+/// Generate ML-KEM 768 Key Pair
/// The random number generator `rng` needs to implement `RngCore` and
/// `CryptoRng` to sample the required randomness internally.
-val encapsulate
+/// This function returns an [`MlKem768KeyPair`].
+val generate_key_pair
(#impl_277843321_: Type0)
{| i1: Rand_core.t_RngCore impl_277843321_ |}
{| i2: Rand_core.t_CryptoRng impl_277843321_ |}
- (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
(rng: impl_277843321_)
- : Prims.Pure
- (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)))
+ : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
Prims.l_True
(fun _ -> Prims.l_True)
-/// Generate ML-KEM 768 Key Pair
+/// Encapsulate ML-KEM 768
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an [`MlKem768PublicKey`].
/// The random number generator `rng` needs to implement `RngCore` and
/// `CryptoRng` to sample the required randomness internally.
-/// This function returns an [`MlKem768KeyPair`].
-val generate_key_pair
+val encapsulate
(#impl_277843321_: Type0)
{| i1: Rand_core.t_RngCore impl_277843321_ |}
{| i2: Rand_core.t_CryptoRng impl_277843321_ |}
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
(rng: impl_277843321_)
- : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
+ : Prims.Pure
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)))
Prims.l_True
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
index 7a9f4607c..0d24f0dd0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Mlkem768
open Core
open FStar.Mul
+let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3)
+ (sz 1152)
+ (sz 1184)
+ public_key.Libcrux_ml_kem.Types.f_value
+
let validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
@@ -13,20 +19,16 @@ let validate_private_key
private_key
ciphertext
-let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.validate_public_key (sz 3)
- (sz 1152)
- (sz 1184)
- public_key.Libcrux_ml_kem.Types.f_value
-
-let decapsulate
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- =
- let result:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088)
- (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120)
- private_key ciphertext
+let generate_key_pair (randomness: t_Array u8 (sz 64)) =
+ let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3)
+ (sz 1152)
+ (sz 2400)
+ (sz 1184)
+ (sz 1152)
+ (sz 2)
+ (sz 128)
+ randomness
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
@@ -42,16 +44,14 @@ let encapsulate
let _:Prims.unit = admit () (* Panic freedom *) in
result
-let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3)
- (sz 1152)
- (sz 2400)
- (sz 1184)
- (sz 1152)
- (sz 2)
- (sz 128)
- randomness
+let decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ =
+ let result:t_Array u8 (sz 32) =
+ Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088)
+ (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120)
+ private_key ciphertext
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
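Review bot: The panic-freedom obligation for `decapsulate` (and for `generate_key_pair` in the previous hunk) is closed with `let _:Prims.unit = admit () (* Panic freedom *) in`, so the `ensures` clause exported by `Libcrux_ml_kem.Mlkem768.fsti` is accepted under an axiom rather than a discharged proof. Nothing in the file records that the admit is a placeholder or what would be needed to remove it, which matters because downstream readers will treat the `.fsti` contract as verified. Since this file is hax-generated, the fix presumably belongs upstream: either discharge the preconditions of `Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate` so the extractor stops emitting the admit, or at minimum make the gap visible with `(* Panic freedom: ADMITTED, not proven -- obligations of Ind_cca.Multiplexing.decapsulate still open *)`. The enclosing `decapsulate` definition is fully inside this hunk.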
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
index d1d7c217f..2a2e96421 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
@@ -3,23 +3,8 @@ module Libcrux_ml_kem.Mlkem768
open Core
open FStar.Mul
-let v_ETA1: usize = sz 2
-
-let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
-
-let v_ETA2: usize = sz 2
-
-let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
-
let v_RANK_768_: usize = sz 3
-let v_CPA_PKE_SECRET_KEY_SIZE_768_: usize =
- ((v_RANK_768_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
- Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
- <:
- usize) /!
- sz 8
-
let v_RANKED_BYTES_PER_RING_ELEMENT_768_: usize =
(v_RANK_768_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8
@@ -30,15 +15,6 @@ let v_T_AS_NTT_ENCODED_SIZE_768_: usize =
usize) /!
sz 8
-let v_CPA_PKE_PUBLIC_KEY_SIZE_768_: usize = v_T_AS_NTT_ENCODED_SIZE_768_ +! sz 32
-
-let v_SECRET_KEY_SIZE_768_: usize =
- ((v_CPA_PKE_SECRET_KEY_SIZE_768_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_768_ <: usize) +!
- Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
- <:
- usize) +!
- Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
-
let v_VECTOR_U_COMPRESSION_FACTOR_768_: usize = sz 10
let v_C1_BLOCK_SIZE_768_: usize =
@@ -57,38 +33,61 @@ let v_C2_SIZE_768_: usize =
usize) /!
sz 8
+let v_CPA_PKE_SECRET_KEY_SIZE_768_: usize =
+ ((v_RANK_768_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *!
+ Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT
+ <:
+ usize) /!
+ sz 8
+
+let v_CPA_PKE_PUBLIC_KEY_SIZE_768_: usize = v_T_AS_NTT_ENCODED_SIZE_768_ +! sz 32
+
let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = v_C1_SIZE_768_ +! v_C2_SIZE_768_
+let v_SECRET_KEY_SIZE_768_: usize =
+ ((v_CPA_PKE_SECRET_KEY_SIZE_768_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_768_ <: usize) +!
+ Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE
+ <:
+ usize) +!
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE
+
+let v_ETA1: usize = sz 2
+
+let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64
+
+let v_ETA2: usize = sz 2
+
+let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64
+
let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize =
Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_
-/// Validate a private key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_private_key
- (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
- (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
/// Validate a public key.
/// Returns `true` if valid, and `false` otherwise.
val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
: Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-/// Decapsulate ML-KEM 768
-/// Generates an [`MlKemSharedSecret`].
-/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
-val decapsulate
+/// Validate a private key.
+/// Returns `true` if valid, and `false` otherwise.
+val validate_private_key
(private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
(ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32))
+ : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair
+/// Generate an ML-KEM key pair. The input is a byte array of size
+/// [`KEY_GENERATION_SEED_SIZE`].
+/// This function returns an [`MlKem768KeyPair`].
+val generate_key_pair (randomness: t_Array u8 (sz 64))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
Prims.l_True
(ensures
fun res ->
- let res:t_Array u8 (sz 32) = res in
- let shared_secret, valid =
- Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value
+ let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in
+ let (secret_key, public_key), valid =
+ Spec.MLKEM.Instances.mlkem768_generate_keypair randomness
in
- valid ==> res == shared_secret)
+ valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
/// Encapsulate ML-KEM 768
/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -108,17 +107,18 @@ val encapsulate
let res_ciphertext, res_shared_secret = res in
valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret))
-/// Generate ML-KEM 768 Key Pair
-/// Generate an ML-KEM key pair. The input is a byte array of size
-/// [`KEY_GENERATION_SEED_SIZE`].
-/// This function returns an [`MlKem768KeyPair`].
-val generate_key_pair (randomness: t_Array u8 (sz 64))
- : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
+/// Decapsulate ML-KEM 768
+/// Generates an [`MlKemSharedSecret`].
+/// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`].
+val decapsulate
+ (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
+ : Prims.Pure (t_Array u8 (sz 32))
Prims.l_True
(ensures
fun res ->
- let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in
- let (secret_key, public_key), valid =
- Spec.MLKEM.Instances.mlkem768_generate_keypair randomness
+ let res:t_Array u8 (sz 32) = res in
+ let shared_secret, valid =
+ Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value
in
- valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
+ valid ==> res == shared_secret)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
index c9cb3fbc7..851e27bf5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
@@ -9,23 +9,6 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-let ntt_layer_int_vec_step
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (a b: v_Vector)
- (zeta_r: i16)
- =
- let t:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector b zeta_r in
- let b:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve a t
- in
- let a:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a t
- in
- a, b <: (v_Vector & v_Vector)
-
#push-options "--z3rlimit 200 --ext context_pruning"
let ntt_at_layer_1_
@@ -263,6 +246,23 @@ let ntt_at_layer_3_
#pop-options
+let ntt_layer_int_vec_step
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (a b: v_Vector)
+ (zeta_r: i16)
+ =
+ let t:v_Vector = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe #v_Vector b zeta_r in
+ let b:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector #FStar.Tactics.Typeclasses.solve a t
+ in
+ let a:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve a t
+ in
+ a, b <: (v_Vector & v_Vector)
+
#push-options "--admit_smt_queries true"
let ntt_at_layer_4_plus
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti
index 7f10c45bd..b45637e3e 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti
@@ -9,26 +9,12 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-val ntt_layer_int_vec_step
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (a b: v_Vector)
- (zeta_r: i16)
- : Prims.Pure (v_Vector & v_Vector)
- (requires
- Spec.Utils.is_i16b 1664 zeta_r /\
- (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in
- (forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) -
- v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
- (forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) +
- v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i)))))
- (fun _ -> Prims.l_True)
+[@@ "opaque_to_smt"]
+ let ntt_re_range_2 (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+ forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328)
+ (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
[@@ "opaque_to_smt"]
let ntt_re_range_1 (#v_Vector: Type0)
@@ -37,13 +23,6 @@ val ntt_layer_int_vec_step
forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328)
(Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
-[@@ "opaque_to_smt"]
- let ntt_re_range_2 (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328)
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
-
val ntt_at_layer_1_
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -106,6 +85,27 @@ val ntt_at_layer_3_
in
ntt_re_range_3 re_future /\ v zeta_i_future == 31)
+val ntt_layer_int_vec_step
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (a b: v_Vector)
+ (zeta_r: i16)
+ : Prims.Pure (v_Vector & v_Vector)
+ (requires
+ Spec.Utils.is_i16b 1664 zeta_r /\
+ (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in
+ (forall i.
+ i < 16 ==>
+ Spec.Utils.is_intb (pow2 15 - 1)
+ (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) -
+ v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\
+ (forall i.
+ i < 16 ==>
+ Spec.Utils.is_intb (pow2 15 - 1)
+ (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) +
+ v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i)))))
+ (fun _ -> Prims.l_True)
+
val ntt_at_layer_4_plus
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
index 98121e9f7..547dfca90 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst
@@ -46,14 +46,122 @@ let impl_1
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
= impl_1' #v_Vector #i1 #i2
+let v_ZERO
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (_: Prims.unit)
+ =
+ {
+ f_coefficients
+ =
+ Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ <:
+ v_Vector)
+ (sz 16)
+ }
+ <:
+ t_PolynomialRingElement v_Vector
+
+let from_i16_array
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (a: t_Slice i16)
+ =
+ let result:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in
+ let result:t_PolynomialRingElement v_Vector =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ v_VECTORS_IN_RING_ELEMENT
+ (fun result temp_1_ ->
+ let result:t_PolynomialRingElement v_Vector = result in
+ let _:usize = temp_1_ in
+ true)
+ result
+ (fun result i ->
+ let result:t_PolynomialRingElement v_Vector = result in
+ let i:usize = i in
+ {
+ result with
+ f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_from_i16_array #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ (a.[ {
+ Core.Ops.Range.f_start = i *! sz 16 <: usize;
+ Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! sz 16 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice i16)
+ <:
+ v_Vector)
+ <:
+ t_Array v_Vector (sz 16)
+ }
+ <:
+ t_PolynomialRingElement v_Vector)
+ in
+ result
+
#push-options "--admit_smt_queries true"
-let add_error_reduce
+let add_to_ring_element
(#v_Vector: Type0)
+ (v_K: usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (myself error: t_PolynomialRingElement v_Vector)
+ (myself rhs: t_PolynomialRingElement v_Vector)
+ =
+ let myself:t_PolynomialRingElement v_Vector =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (Core.Slice.impl__len #v_Vector (myself.f_coefficients <: t_Slice v_Vector) <: usize)
+ (fun myself temp_1_ ->
+ let myself:t_PolynomialRingElement v_Vector = myself in
+ let _:usize = temp_1_ in
+ true)
+ myself
+ (fun myself i ->
+ let myself:t_PolynomialRingElement v_Vector = myself in
+ let i:usize = i in
+ {
+ myself with
+ f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ (myself.f_coefficients.[ i ] <: v_Vector)
+ (rhs.f_coefficients.[ i ] <: v_Vector)
+ <:
+ v_Vector)
+ <:
+ t_Array v_Vector (sz 16)
+ }
+ <:
+ t_PolynomialRingElement v_Vector)
+ in
+ myself
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let poly_barrett_reduce
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (myself: t_PolynomialRingElement v_Vector)
=
let myself:t_PolynomialRingElement v_Vector =
Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -63,28 +171,69 @@ let add_error_reduce
let _:usize = temp_1_ in
true)
myself
- (fun myself j ->
+ (fun myself i ->
let myself:t_PolynomialRingElement v_Vector = myself in
- let j:usize = j in
+ let i:usize = i in
+ {
+ myself with
+ f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ (myself.f_coefficients.[ i ] <: v_Vector)
+ <:
+ v_Vector)
+ <:
+ t_Array v_Vector (sz 16)
+ }
+ <:
+ t_PolynomialRingElement v_Vector)
+ in
+ myself
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let subtract_reduce
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (myself b: t_PolynomialRingElement v_Vector)
+ =
+ let b:t_PolynomialRingElement v_Vector =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ v_VECTORS_IN_RING_ELEMENT
+ (fun b temp_1_ ->
+ let b:t_PolynomialRingElement v_Vector = b in
+ let _:usize = temp_1_ in
+ true)
+ b
+ (fun b i ->
+ let b:t_PolynomialRingElement v_Vector = b in
+ let i:usize = i in
let coefficient_normal_form:v_Vector =
Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector
#FStar.Tactics.Typeclasses.solve
- (myself.f_coefficients.[ j ] <: v_Vector)
+ (b.f_coefficients.[ i ] <: v_Vector)
1441s
in
- let myself:t_PolynomialRingElement v_Vector =
+ let b:t_PolynomialRingElement v_Vector =
{
- myself with
+ b with
f_coefficients
=
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
- j
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients
+ i
(Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
#FStar.Tactics.Typeclasses.solve
- (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
+ (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector
#FStar.Tactics.Typeclasses.solve
+ (myself.f_coefficients.[ i ] <: v_Vector)
coefficient_normal_form
- (error.f_coefficients.[ j ] <: v_Vector)
<:
v_Vector)
<:
@@ -93,22 +242,12 @@ let add_error_reduce
<:
t_PolynomialRingElement v_Vector
in
- myself)
+ b)
in
- myself
+ b
#pop-options
-let impl_2__add_error_reduce
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self error: t_PolynomialRingElement v_Vector)
- =
- let self:t_PolynomialRingElement v_Vector = add_error_reduce #v_Vector self error in
- self
-
#push-options "--admit_smt_queries true"
let add_message_error_reduce
@@ -169,17 +308,9 @@ let add_message_error_reduce
#pop-options
-let impl_2__add_message_error_reduce
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self message result: t_PolynomialRingElement v_Vector)
- = add_message_error_reduce #v_Vector self message result
-
#push-options "--admit_smt_queries true"
-let add_standard_error_reduce
+let add_error_reduce
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
@@ -198,8 +329,10 @@ let add_standard_error_reduce
let myself:t_PolynomialRingElement v_Vector = myself in
let j:usize = j in
let coefficient_normal_form:v_Vector =
- Libcrux_ml_kem.Vector.Traits.to_standard_domain #v_Vector
+ Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector
+ #FStar.Tactics.Typeclasses.solve
(myself.f_coefficients.[ j ] <: v_Vector)
+ 1441s
in
let myself:t_PolynomialRingElement v_Vector =
{
@@ -228,24 +361,14 @@ let add_standard_error_reduce
#pop-options
-let impl_2__add_standard_error_reduce
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self error: t_PolynomialRingElement v_Vector)
- =
- let self:t_PolynomialRingElement v_Vector = add_standard_error_reduce #v_Vector self error in
- self
-
#push-options "--admit_smt_queries true"
-let poly_barrett_reduce
+let add_standard_error_reduce
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (myself: t_PolynomialRingElement v_Vector)
+ (myself error: t_PolynomialRingElement v_Vector)
=
let myself:t_PolynomialRingElement v_Vector =
Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -255,79 +378,26 @@ let poly_barrett_reduce
let _:usize = temp_1_ in
true)
myself
- (fun myself i ->
+ (fun myself j ->
let myself:t_PolynomialRingElement v_Vector = myself in
- let i:usize = i in
- {
- myself with
- f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
- #FStar.Tactics.Typeclasses.solve
- (myself.f_coefficients.[ i ] <: v_Vector)
- <:
- v_Vector)
- <:
- t_Array v_Vector (sz 16)
- }
- <:
- t_PolynomialRingElement v_Vector)
- in
- myself
-
-#pop-options
-
-let impl_2__poly_barrett_reduce
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self: t_PolynomialRingElement v_Vector)
- =
- let self:t_PolynomialRingElement v_Vector = poly_barrett_reduce #v_Vector self in
- self
-
-#push-options "--admit_smt_queries true"
-
-let subtract_reduce
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (myself b: t_PolynomialRingElement v_Vector)
- =
- let b:t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- v_VECTORS_IN_RING_ELEMENT
- (fun b temp_1_ ->
- let b:t_PolynomialRingElement v_Vector = b in
- let _:usize = temp_1_ in
- true)
- b
- (fun b i ->
- let b:t_PolynomialRingElement v_Vector = b in
- let i:usize = i in
+ let j:usize = j in
let coefficient_normal_form:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector
- #FStar.Tactics.Typeclasses.solve
- (b.f_coefficients.[ i ] <: v_Vector)
- 1441s
+ Libcrux_ml_kem.Vector.Traits.to_standard_domain #v_Vector
+ (myself.f_coefficients.[ j ] <: v_Vector)
in
- let b:t_PolynomialRingElement v_Vector =
+ let myself:t_PolynomialRingElement v_Vector =
{
- b with
+ myself with
f_coefficients
=
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients
- i
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
+ j
(Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector
#FStar.Tactics.Typeclasses.solve
- (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector
+ (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
#FStar.Tactics.Typeclasses.solve
- (myself.f_coefficients.[ i ] <: v_Vector)
coefficient_normal_form
+ (error.f_coefficients.[ j ] <: v_Vector)
<:
v_Vector)
<:
@@ -336,113 +406,12 @@ let subtract_reduce
<:
t_PolynomialRingElement v_Vector
in
- b)
+ myself)
in
- b
+ myself
#pop-options
-let impl_2__subtract_reduce
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self b: t_PolynomialRingElement v_Vector)
- = subtract_reduce #v_Vector self b
-
-let impl_2__ZERO
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (_: Prims.unit)
- =
- {
- f_coefficients
- =
- Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
- #FStar.Tactics.Typeclasses.solve
- ()
- <:
- v_Vector)
- (sz 16)
- }
- <:
- t_PolynomialRingElement v_Vector
-
-let v_ZERO
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (_: Prims.unit)
- =
- {
- f_coefficients
- =
- Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
- #FStar.Tactics.Typeclasses.solve
- ()
- <:
- v_Vector)
- (sz 16)
- }
- <:
- t_PolynomialRingElement v_Vector
-
-let from_i16_array
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (a: t_Slice i16)
- =
- let result:t_PolynomialRingElement v_Vector = v_ZERO #v_Vector () in
- let result:t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- v_VECTORS_IN_RING_ELEMENT
- (fun result temp_1_ ->
- let result:t_PolynomialRingElement v_Vector = result in
- let _:usize = temp_1_ in
- true)
- result
- (fun result i ->
- let result:t_PolynomialRingElement v_Vector = result in
- let i:usize = i in
- {
- result with
- f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_from_i16_array #v_Vector
- #FStar.Tactics.Typeclasses.solve
- (a.[ {
- Core.Ops.Range.f_start = i *! sz 16 <: usize;
- Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! sz 16 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice i16)
- <:
- v_Vector)
- <:
- t_Array v_Vector (sz 16)
- }
- <:
- t_PolynomialRingElement v_Vector)
- in
- result
-
-let impl_2__from_i16_array
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (a: t_Slice i16)
- = from_i16_array #v_Vector a
-
#push-options "--admit_smt_queries true"
let ntt_multiply
@@ -490,64 +459,95 @@ let ntt_multiply
#pop-options
-let impl_2__ntt_multiply
+let impl_2__ZERO
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self rhs: t_PolynomialRingElement v_Vector)
- = ntt_multiply #v_Vector self rhs
-
-#push-options "--admit_smt_queries true"
+ (_: Prims.unit)
+ =
+ {
+ f_coefficients
+ =
+ Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ ()
+ <:
+ v_Vector)
+ (sz 16)
+ }
+ <:
+ t_PolynomialRingElement v_Vector
-let add_to_ring_element
+let impl_2__add_to_ring_element
(#v_Vector: Type0)
(v_K: usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (myself rhs: t_PolynomialRingElement v_Vector)
+ (self rhs: t_PolynomialRingElement v_Vector)
=
- let myself:t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (Core.Slice.impl__len #v_Vector (myself.f_coefficients <: t_Slice v_Vector) <: usize)
- (fun myself temp_1_ ->
- let myself:t_PolynomialRingElement v_Vector = myself in
- let _:usize = temp_1_ in
- true)
- myself
- (fun myself i ->
- let myself:t_PolynomialRingElement v_Vector = myself in
- let i:usize = i in
- {
- myself with
- f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize myself.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector
- #FStar.Tactics.Typeclasses.solve
- (myself.f_coefficients.[ i ] <: v_Vector)
- (rhs.f_coefficients.[ i ] <: v_Vector)
- <:
- v_Vector)
- <:
- t_Array v_Vector (sz 16)
- }
- <:
- t_PolynomialRingElement v_Vector)
- in
- myself
+ let self:t_PolynomialRingElement v_Vector = add_to_ring_element #v_Vector v_K self rhs in
+ self
-#pop-options
+let impl_2__poly_barrett_reduce
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self: t_PolynomialRingElement v_Vector)
+ =
+ let self:t_PolynomialRingElement v_Vector = poly_barrett_reduce #v_Vector self in
+ self
-let impl_2__add_to_ring_element
+let impl_2__subtract_reduce
(#v_Vector: Type0)
- (v_K: usize)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (self rhs: t_PolynomialRingElement v_Vector)
+ (self b: t_PolynomialRingElement v_Vector)
+ = subtract_reduce #v_Vector self b
+
+let impl_2__add_message_error_reduce
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self message result: t_PolynomialRingElement v_Vector)
+ = add_message_error_reduce #v_Vector self message result
+
+let impl_2__add_error_reduce
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self error: t_PolynomialRingElement v_Vector)
=
- let self:t_PolynomialRingElement v_Vector = add_to_ring_element #v_Vector v_K self rhs in
+ let self:t_PolynomialRingElement v_Vector = add_error_reduce #v_Vector self error in
+ self
+
+let impl_2__add_standard_error_reduce
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self error: t_PolynomialRingElement v_Vector)
+ =
+ let self:t_PolynomialRingElement v_Vector = add_standard_error_reduce #v_Vector self error in
self
+
+let impl_2__ntt_multiply
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (self rhs: t_PolynomialRingElement v_Vector)
+ = ntt_multiply #v_Vector self rhs
+
+let impl_2__from_i16_array
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (a: t_Slice i16)
+ = from_i16_array #v_Vector a
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
index c64101d1e..703ae891c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti
@@ -51,12 +51,10 @@ let to_spec_poly_t (#v_Vector: Type0)
createi (sz 256) (fun i -> Spec.MLKEM.Math.to_spec_fe
(Seq.index (i2._super_12682756204189288427.f_repr
(Seq.index p.f_coefficients (v i / 16))) (v i % 16)))
-
let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
{| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
(m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r =
createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))
-
let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
{| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
(m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r =
@@ -76,40 +74,28 @@ val impl_1
{| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
: Core.Marker.t_Copy (t_PolynomialRingElement v_Vector)
-val add_error_reduce
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (myself error: t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-val impl_2__add_error_reduce
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self error: t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-val add_message_error_reduce
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (myself message result: t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-val impl_2__add_message_error_reduce
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self message result: t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+val v_ZERO:
+ #v_Vector: Type0 ->
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
+ Prims.unit
+ -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-val add_standard_error_reduce
+val from_i16_array
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (myself error: t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+ (a: t_Slice i16)
+ : Prims.Pure (t_PolynomialRingElement v_Vector)
+ (requires
+ (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize))
+ (fun _ -> Prims.l_True)
-val impl_2__add_standard_error_reduce
+/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+/// sum of their constituent coefficients.
+val add_to_ring_element
(#v_Vector: Type0)
+ (v_K: usize)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self error: t_PolynomialRingElement v_Vector)
+ (myself rhs: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
val poly_barrett_reduce
@@ -118,53 +104,29 @@ val poly_barrett_reduce
(myself: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-val impl_2__poly_barrett_reduce
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self: t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
val subtract_reduce
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
(myself b: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-val impl_2__subtract_reduce
+val add_message_error_reduce
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (self b: t_PolynomialRingElement v_Vector)
+ (myself message result: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-val impl_2__ZERO:
- #v_Vector: Type0 ->
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
- Prims.unit
- -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-val v_ZERO:
- #v_Vector: Type0 ->
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
- Prims.unit
- -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-
-val from_i16_array
+val add_error_reduce
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (a: t_Slice i16)
- : Prims.Pure (t_PolynomialRingElement v_Vector)
- (requires
- (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize))
- (fun _ -> Prims.l_True)
+ (myself error: t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-val impl_2__from_i16_array
+val add_standard_error_reduce
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (a: t_Slice i16)
- : Prims.Pure (t_PolynomialRingElement v_Vector)
- (requires
- (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize))
- (fun _ -> Prims.l_True)
+ (myself error: t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
/// Given two `KyberPolynomialRingElement`s in their NTT representations,
/// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`,
@@ -192,26 +154,62 @@ val ntt_multiply
(myself rhs: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-val impl_2__ntt_multiply
+val impl_2__ZERO:
+ #v_Vector: Type0 ->
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} ->
+ Prims.unit
+ -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
+/// sum of their constituent coefficients.
+val impl_2__add_to_ring_element
(#v_Vector: Type0)
+ (v_K: usize)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
(self rhs: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
-/// sum of their constituent coefficients.
-val add_to_ring_element
+val impl_2__poly_barrett_reduce
(#v_Vector: Type0)
- (v_K: usize)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (myself rhs: t_PolynomialRingElement v_Vector)
+ (self: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
-/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise
-/// sum of their constituent coefficients.
-val impl_2__add_to_ring_element
+val impl_2__subtract_reduce
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (self b: t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__add_message_error_reduce
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (self message result: t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__add_error_reduce
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (self error: t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__add_standard_error_reduce
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (self error: t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__ntt_multiply
(#v_Vector: Type0)
- (v_K: usize)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
(self rhs: t_PolynomialRingElement v_Vector)
: Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True)
+
+val impl_2__from_i16_array
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (a: t_Slice i16)
+ : Prims.Pure (t_PolynomialRingElement v_Vector)
+ (requires
+ (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize))
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst
index d24b6539c..ad5b4761d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst
@@ -21,34 +21,103 @@ let to_unsigned_field_modulus
let _:Prims.unit = admit () (* Panic freedom *) in
result
-let deserialize_then_decompress_10_
+let compress_then_serialize_message
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (serialized: t_Slice u8)
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
=
- let _:Prims.unit =
- assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)
+ let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let serialized:t_Array u8 (sz 32) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (sz 16)
+ (fun serialized i ->
+ let serialized:t_Array u8 (sz 32) = serialized in
+ let i:usize = i in
+ v i < 16 ==> coefficients_field_modulus_range re)
+ serialized
+ (fun serialized i ->
+ let serialized:t_Array u8 (sz 32) = serialized in
+ let i:usize = i in
+ let _:Prims.unit = assert (2 * v i + 2 <= 32) in
+ let _:Prims.unit =
+ reveal_opaque (`%coefficients_field_modulus_range)
+ (coefficients_field_modulus_range #v_Vector)
+ in
+ let coefficient:v_Vector =
+ to_unsigned_field_modulus #v_Vector
+ (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
+ in
+ let coefficient_compressed:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ coefficient
+ in
+ let bytes:t_Array u8 (sz 2) =
+ Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ coefficient_compressed
+ in
+ let serialized:t_Array u8 (sz 32) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+ ({
+ Core.Ops.Range.f_start = sz 2 *! i <: usize;
+ Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (serialized.[ {
+ Core.Ops.Range.f_start = sz 2 *! i <: usize;
+ Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ (bytes <: t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ serialized)
in
+ let result:t_Array u8 (sz 32) = serialized in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
+
+let deserialize_then_decompress_message
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (serialized: t_Array u8 (sz 32))
+ =
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
in
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20)
- serialized
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ (sz 16)
(fun re temp_1_ ->
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
let _:usize = temp_1_ in
true)
re
- (fun re temp_1_ ->
+ (fun re i ->
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let i, bytes:(usize & t_Slice u8) = temp_1_ in
- let coefficient:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector
+ let i:usize = i in
+ let coefficient_compressed:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector
#FStar.Tactics.Typeclasses.solve
- bytes
+ (serialized.[ {
+ Core.Ops.Range.f_start = sz 2 *! i <: usize;
+ Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
in
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
{
@@ -58,10 +127,7 @@ let deserialize_then_decompress_10_
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
.Libcrux_ml_kem.Polynomial.f_coefficients
i
- (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
- #FStar.Tactics.Typeclasses.solve
- 10l
- coefficient
+ (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed
<:
v_Vector)
}
@@ -70,25 +136,84 @@ let deserialize_then_decompress_10_
in
re)
in
- re
+ let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
-#push-options "--admit_smt_queries true"
+let serialize_uncompressed_ring_element
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ =
+ let _:Prims.unit = assert_norm (pow2 12 == 4096) in
+ let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in
+ let serialized:t_Array u8 (sz 384) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
+ (fun serialized i ->
+ let serialized:t_Array u8 (sz 384) = serialized in
+ let i:usize = i in
+ v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re)
+ serialized
+ (fun serialized i ->
+ let serialized:t_Array u8 (sz 384) = serialized in
+ let i:usize = i in
+ let _:Prims.unit = assert (24 * v i + 24 <= 384) in
+ let _:Prims.unit =
+ reveal_opaque (`%coefficients_field_modulus_range)
+ (coefficients_field_modulus_range #v_Vector)
+ in
+ let coefficient:v_Vector =
+ to_unsigned_field_modulus #v_Vector
+ (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
+ in
+ let bytes:t_Array u8 (sz 24) =
+ Libcrux_ml_kem.Vector.Traits.f_serialize_12_ #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ coefficient
+ in
+ let serialized:t_Array u8 (sz 384) =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
+ ({
+ Core.Ops.Range.f_start = sz 24 *! i <: usize;
+ Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (serialized.[ {
+ Core.Ops.Range.f_start = sz 24 *! i <: usize;
+ Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ (bytes <: t_Slice u8)
+ <:
+ t_Slice u8)
+ in
+ serialized)
+ in
+ let result:t_Array u8 (sz 384) = serialized in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
-let deserialize_then_decompress_11_
+let deserialize_to_uncompressed_ring_element
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
(serialized: t_Slice u8)
=
- let _:Prims.unit =
- assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)
- in
+ let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
in
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22)
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
serialized
(fun re temp_1_ ->
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
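Review bot: In `deserialize_to_uncompressed_ring_element` (from the `let` on the new side of this hunk) the only size fact asserted is `v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16`, which says nothing about `Core.Slice.impl__len serialized`, while the fold's invariant is the constant `true`; the in-bounds index `i` into the 16-element coefficient array and the 24-byte chunk shape fed to `f_deserialize_12_` are therefore left entirely to the trailing `admit () (* Panic freedom *)`. If the length requirement lives in the `.fsti` precondition (presumably `Core.Slice.impl__len serialized == v_BYTES_PER_RING_ELEMENT`), it would narrow the admit to also state it here, e.g. `let _:Prims.unit = assert (v (Core.Slice.impl__len #u8 serialized) == v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) in`. Since this file is hax extraction output, that assertion belongs in the Rust source (a `hax_lib::fstar!`/precondition annotation) rather than in this file. The function body continues into the next hunk.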
@@ -98,50 +223,41 @@ let deserialize_then_decompress_11_
(fun re temp_1_ ->
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
let i, bytes:(usize & t_Slice u8) = temp_1_ in
- let coefficient:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector
- #FStar.Tactics.Typeclasses.solve
- bytes
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- {
- re with
- Libcrux_ml_kem.Polynomial.f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- .Libcrux_ml_kem.Polynomial.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
- #FStar.Tactics.Typeclasses.solve
- 11l
- coefficient
- <:
- v_Vector)
- }
+ {
+ re with
+ Libcrux_ml_kem.Polynomial.f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ .Libcrux_ml_kem.Polynomial.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ bytes
+ <:
+ v_Vector)
<:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
- in
- re)
+ t_Array v_Vector (sz 16)
+ }
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
in
- re
-
-#pop-options
+ let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
-let deserialize_then_decompress_4_
+let deserialize_to_reduced_ring_element
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
(serialized: t_Slice u8)
=
- let _:Prims.unit =
- assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)
- in
+ let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
in
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8)
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
serialized
(fun re temp_1_ ->
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
@@ -152,7 +268,7 @@ let deserialize_then_decompress_4_
let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
let i, bytes:(usize & t_Slice u8) = temp_1_ in
let coefficient:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector
+ Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
#FStar.Tactics.Typeclasses.solve
bytes
in
@@ -164,9 +280,8 @@ let deserialize_then_decompress_4_
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
.Libcrux_ml_kem.Polynomial.f_coefficients
i
- (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+ (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector
#FStar.Tactics.Typeclasses.solve
- 4l
coefficient
<:
v_Vector)
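Review bot: The new side of this hunk folds each deserialized 12-bit coefficient through `f_cond_subtract_3329_`, which by its name presumably maps a value in `[3329, 4095]` into `[0, 766]` rather than rejecting it, so a malformed encapsulation key with out-of-range coefficients is silently reduced at this layer. That is fine only if the encapsulation-key modulus check (re-serialize and compare, or an explicit `< 3329` test) is enforced by a separate validation routine before this path is reached; nothing visible in the hunk documents that. A one-line comment at the call site would make the contract explicit: `(* Out-of-range 12-bit values are reduced, not rejected; key validation must happen before this. *)`. The enclosing function starts in an earlier hunk and ends in a later one.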
@@ -176,237 +291,18 @@ let deserialize_then_decompress_4_
in
re)
in
- re
-
-#push-options "--admit_smt_queries true"
+ let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
-let deserialize_then_decompress_5_
+let deserialize_ring_elements_reduced
+ (v_K: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit =
- assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10)
- serialized
- (fun re temp_1_ ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let _:usize = temp_1_ in
- true)
- re
- (fun re temp_1_ ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let i, bytes:(usize & t_Slice u8) = temp_1_ in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- {
- re with
- Libcrux_ml_kem.Polynomial.f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- .Libcrux_ml_kem.Polynomial.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector
- #FStar.Tactics.Typeclasses.solve
- bytes
- <:
- v_Vector)
- }
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- {
- re with
- Libcrux_ml_kem.Polynomial.f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- .Libcrux_ml_kem.Polynomial.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
- #FStar.Tactics.Typeclasses.solve
- 5l
- (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
- <:
- v_Vector)
- }
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
- in
- re)
- in
- re
-
-#pop-options
-
-let deserialize_then_decompress_message
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (serialized: t_Array u8 (sz 32))
- =
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (sz 16)
- (fun re temp_1_ ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let _:usize = temp_1_ in
- true)
- re
- (fun re i ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let i:usize = i in
- let coefficient_compressed:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector
- #FStar.Tactics.Typeclasses.solve
- (serialized.[ {
- Core.Ops.Range.f_start = sz 2 *! i <: usize;
- Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- {
- re with
- Libcrux_ml_kem.Polynomial.f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- .Libcrux_ml_kem.Polynomial.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed
- <:
- v_Vector)
- }
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
- in
- re)
- in
- let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
-
-let deserialize_then_decompress_ring_element_u
- (v_COMPRESSION_FACTOR: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit =
- assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/
- (v (cast v_COMPRESSION_FACTOR <: u32) == 11))
- in
- let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
- | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized
- | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized
- | _ ->
- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
- <:
- Rust_primitives.Hax.t_Never)
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
-
-let deserialize_then_decompress_ring_element_v
- (v_K v_COMPRESSION_FACTOR: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit =
- assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/
- (v (cast v_COMPRESSION_FACTOR <: u32) == 5))
- in
- let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
- | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized
- | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized
- | _ ->
- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
- <:
- Rust_primitives.Hax.t_Never)
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
-
-let deserialize_to_reduced_ring_element
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
- serialized
- (fun re temp_1_ ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let _:usize = temp_1_ in
- true)
- re
- (fun re temp_1_ ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let i, bytes:(usize & t_Slice u8) = temp_1_ in
- let coefficient:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
- #FStar.Tactics.Typeclasses.solve
- bytes
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- {
- re with
- Libcrux_ml_kem.Polynomial.f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- .Libcrux_ml_kem.Polynomial.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector
- #FStar.Tactics.Typeclasses.solve
- coefficient
- <:
- v_Vector)
- }
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
- in
- re)
- in
- let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
-
-let deserialize_ring_elements_reduced
- (v_K: usize)
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (public_key: t_Slice u8)
- (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
+ (public_key: t_Slice u8)
+ (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K)
=
let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K =
Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT
@@ -464,50 +360,6 @@ let deserialize_ring_elements_reduced_out
let _:Prims.unit = admit () (* Panic freedom *) in
result
-let deserialize_to_uncompressed_ring_element
- (#v_Vector: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()]
- i1:
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (serialized: t_Slice u8)
- =
- let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
- in
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
- Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24)
- serialized
- (fun re temp_1_ ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let _:usize = temp_1_ in
- true)
- re
- (fun re temp_1_ ->
- let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let i, bytes:(usize & t_Slice u8) = temp_1_ in
- {
- re with
- Libcrux_ml_kem.Polynomial.f_coefficients
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
- .Libcrux_ml_kem.Polynomial.f_coefficients
- i
- (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector
- #FStar.Tactics.Typeclasses.solve
- bytes
- <:
- v_Vector)
- <:
- t_Array v_Vector (sz 16)
- }
- <:
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- in
- let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
-
let compress_then_serialize_10_
(v_OUT_LEN: usize)
(#v_Vector: Type0)
@@ -638,18 +490,44 @@ let compress_then_serialize_11_
#pop-options
-let compress_then_serialize_4_
+let compress_then_serialize_ring_element_u
+ (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
(re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (serialized: t_Slice u8)
=
- let _:Prims.unit = assert_norm (pow2 4 == 16) in
- let serialized, result:(t_Slice u8 & Prims.unit) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
+ let _:Prims.unit =
+ assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/
+ (v (cast v_COMPRESSION_FACTOR <: u32) == 11));
+ Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR)
+ in
+ let result:t_Array u8 v_OUT_LEN =
+ match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
+ | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re
+ | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re
+ | _ ->
+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+ <:
+ Rust_primitives.Hax.t_Never)
+ in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
+
+let compress_then_serialize_4_
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (serialized: t_Slice u8)
+ =
+ let _:Prims.unit = assert_norm (pow2 4 == 16) in
+ let serialized, result:(t_Slice u8 & Prims.unit) =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
(fun serialized i ->
let serialized:t_Slice u8 = serialized in
let i:usize = i in
@@ -770,88 +648,159 @@ let compress_then_serialize_5_
#pop-options
-let compress_then_serialize_message
+let compress_then_serialize_ring_element_v
+ (v_K v_COMPRESSION_FACTOR v_OUT_LEN: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
(re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (out: t_Slice u8)
=
- let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
- let serialized:t_Array u8 (sz 32) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- (sz 16)
- (fun serialized i ->
- let serialized:t_Array u8 (sz 32) = serialized in
- let i:usize = i in
- v i < 16 ==> coefficients_field_modulus_range re)
+ let _:Prims.unit =
+ assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/
+ (v (cast v_COMPRESSION_FACTOR <: u32) == 5));
+ Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR)
+ in
+ let out, result:(t_Slice u8 & Prims.unit) =
+ match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
+ | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
+ | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
+ | _ ->
+ out,
+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+ <:
+ Rust_primitives.Hax.t_Never)
+ <:
+ (t_Slice u8 & Prims.unit)
+ in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ let _:Prims.unit = result in
+ out
+
+let deserialize_then_decompress_10_
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (serialized: t_Slice u8)
+ =
+ let _:Prims.unit =
+ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)
+ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20)
serialized
- (fun serialized i ->
- let serialized:t_Array u8 (sz 32) = serialized in
- let i:usize = i in
- let _:Prims.unit = assert (2 * v i + 2 <= 32) in
- let _:Prims.unit =
- reveal_opaque (`%coefficients_field_modulus_range)
- (coefficients_field_modulus_range #v_Vector)
- in
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let _:usize = temp_1_ in
+ true)
+ re
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let i, bytes:(usize & t_Slice u8) = temp_1_ in
let coefficient:v_Vector =
- to_unsigned_field_modulus #v_Vector
- (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
- in
- let coefficient_compressed:v_Vector =
- Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector
+ Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector
#FStar.Tactics.Typeclasses.solve
- coefficient
+ bytes
in
- let bytes:t_Array u8 (sz 2) =
- Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ {
+ re with
+ Libcrux_ml_kem.Polynomial.f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ .Libcrux_ml_kem.Polynomial.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ 10l
+ coefficient
+ <:
+ v_Vector)
+ }
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
+ in
+ re)
+ in
+ re
+
+#push-options "--admit_smt_queries true"
+
+let deserialize_then_decompress_11_
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (serialized: t_Slice u8)
+ =
+ let _:Prims.unit =
+ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)
+ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22)
+ serialized
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let _:usize = temp_1_ in
+ true)
+ re
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let i, bytes:(usize & t_Slice u8) = temp_1_ in
+ let coefficient:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector
#FStar.Tactics.Typeclasses.solve
- coefficient_compressed
+ bytes
in
- let serialized:t_Array u8 (sz 32) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({
- Core.Ops.Range.f_start = sz 2 *! i <: usize;
- Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (serialized.[ {
- Core.Ops.Range.f_start = sz 2 *! i <: usize;
- Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- (bytes <: t_Slice u8)
- <:
- t_Slice u8)
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ {
+ re with
+ Libcrux_ml_kem.Polynomial.f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ .Libcrux_ml_kem.Polynomial.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ 11l
+ coefficient
+ <:
+ v_Vector)
+ }
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
in
- serialized)
+ re)
in
- let result:t_Array u8 (sz 32) = serialized in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
+ re
-let compress_then_serialize_ring_element_u
- (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
+#pop-options
+
+let deserialize_then_decompress_ring_element_u
+ (v_COMPRESSION_FACTOR: usize)
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (serialized: t_Slice u8)
=
let _:Prims.unit =
assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/
- (v (cast v_COMPRESSION_FACTOR <: u32) == 11));
- Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR)
+ (v (cast v_COMPRESSION_FACTOR <: u32) == 11))
in
- let result:t_Array u8 v_OUT_LEN =
+ let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
- | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re
- | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re
+ | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized
+ | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized
| _ ->
Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
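Review bot: `deserialize_then_decompress_11_` is wrapped in `#push-options "--admit_smt_queries true"` ... `#pop-options` on the new side of this hunk, so none of its obligations (the `(sz 22)` chunking, the index `i` into the coefficient array, the `11l` decompression bound) are machine-checked, whereas the sibling `deserialize_then_decompress_10_` directly above it carries no such option and no trailing admit. This is carried over from the old location rather than introduced here, but it leaves the 11-bit ciphertext path (ML-KEM-1024's `d_u`) as the one decompression routine with no checked proof. Since this is hax extraction output, the gap is fixed in the Rust source by restoring the loop invariant and dropping the `admit_smt_queries` annotation for that function. `deserialize_then_decompress_ring_element_u`, which starts at the end of this hunk, continues into the next one.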
@@ -861,94 +810,145 @@ let compress_then_serialize_ring_element_u
let _:Prims.unit = admit () (* Panic freedom *) in
result
-let compress_then_serialize_ring_element_v
- (v_K v_COMPRESSION_FACTOR v_OUT_LEN: usize)
+let deserialize_then_decompress_4_
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (out: t_Slice u8)
+ (serialized: t_Slice u8)
=
let _:Prims.unit =
- assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/
- (v (cast v_COMPRESSION_FACTOR <: u32) == 5));
- Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR)
+ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)
in
- let out, result:(t_Slice u8 & Prims.unit) =
- match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
- | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
- | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit)
- | _ ->
- out,
- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
-
- <:
- Rust_primitives.Hax.t_Never)
- <:
- (t_Slice u8 & Prims.unit)
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
in
- let _:Prims.unit = admit () (* Panic freedom *) in
- let _:Prims.unit = result in
- out
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8)
+ serialized
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let _:usize = temp_1_ in
+ true)
+ re
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let i, bytes:(usize & t_Slice u8) = temp_1_ in
+ let coefficient:v_Vector =
+ Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ bytes
+ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ {
+ re with
+ Libcrux_ml_kem.Polynomial.f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ .Libcrux_ml_kem.Polynomial.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ 4l
+ coefficient
+ <:
+ v_Vector)
+ }
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
+ in
+ re)
+ in
+ re
-let serialize_uncompressed_ring_element
+#push-options "--admit_smt_queries true"
+
+let deserialize_then_decompress_5_
(#v_Vector: Type0)
(#[FStar.Tactics.Typeclasses.tcresolve ()]
i1:
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (serialized: t_Slice u8)
=
- let _:Prims.unit = assert_norm (pow2 12 == 4096) in
- let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in
- let serialized:t_Array u8 (sz 384) =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT
- (fun serialized i ->
- let serialized:t_Array u8 (sz 384) = serialized in
- let i:usize = i in
- v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re)
+ let _:Prims.unit =
+ assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)
+ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector ()
+ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10)
serialized
- (fun serialized i ->
- let serialized:t_Array u8 (sz 384) = serialized in
- let i:usize = i in
- let _:Prims.unit = assert (24 * v i + 24 <= 384) in
- let _:Prims.unit =
- reveal_opaque (`%coefficients_field_modulus_range)
- (coefficients_field_modulus_range #v_Vector)
- in
- let coefficient:v_Vector =
- to_unsigned_field_modulus #v_Vector
- (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
- in
- let bytes:t_Array u8 (sz 24) =
- Libcrux_ml_kem.Vector.Traits.f_serialize_12_ #v_Vector
- #FStar.Tactics.Typeclasses.solve
- coefficient
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let _:usize = temp_1_ in
+ true)
+ re
+ (fun re temp_1_ ->
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in
+ let i, bytes:(usize & t_Slice u8) = temp_1_ in
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ {
+ re with
+ Libcrux_ml_kem.Polynomial.f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ .Libcrux_ml_kem.Polynomial.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ bytes
+ <:
+ v_Vector)
+ }
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
in
- let serialized:t_Array u8 (sz 384) =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({
- Core.Ops.Range.f_start = sz 24 *! i <: usize;
- Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (serialized.[ {
- Core.Ops.Range.f_start = sz 24 *! i <: usize;
- Core.Ops.Range.f_end = (sz 24 *! i <: usize) +! sz 24 <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- (bytes <: t_Slice u8)
- <:
- t_Slice u8)
+ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ {
+ re with
+ Libcrux_ml_kem.Polynomial.f_coefficients
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re
+ .Libcrux_ml_kem.Polynomial.f_coefficients
+ i
+ (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector
+ #FStar.Tactics.Typeclasses.solve
+ 5l
+ (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector)
+ <:
+ v_Vector)
+ }
+ <:
+ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
in
- serialized)
+ re)
+ in
+ re
+
+#pop-options
+
+let deserialize_then_decompress_ring_element_v
+ (v_K v_COMPRESSION_FACTOR: usize)
+ (#v_Vector: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()]
+ i1:
+ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector)
+ (serialized: t_Slice u8)
+ =
+ let _:Prims.unit =
+ assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/
+ (v (cast v_COMPRESSION_FACTOR <: u32) == 5))
+ in
+ let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
+ match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with
+ | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized
+ | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized
+ | _ ->
+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code"
+
+ <:
+ Rust_primitives.Hax.t_Never)
in
- let result:t_Array u8 (sz 384) = serialized in
let _:Prims.unit = admit () (* Panic freedom *) in
result
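Review bot: The body of `deserialize_then_decompress_5_` is wrapped in `#push-options "--admit_smt_queries true"` … `#pop-options`, so its `assert` on the 160-byte chunk arithmetic and the in-bounds obligations of both `update_at_usize` calls inside the fold are accepted without being discharged, whereas the sibling `deserialize_then_decompress_4_` in the same hunk is checked normally. The interface in Libcrux_ml_kem.Serialize.fsti gives this function only a length precondition and `fun _ -> Prims.l_True`, so nothing downstream compensates for the admitted body; this looks like a move rather than newly written code, but the gap travels with it. As the .fst is extraction output, the admit presumably originates in the Rust source options for this function, and that is where it should be dropped once the `_5_` proof goes through the way `_4_` does; until then a comment next to the push-options such as `(* proof admitted: chunk bounds and decompress_5 obligations are not checked *)` would make the status visible to readers of the proof. The trailing `admit () (* Panic freedom *)` in `deserialize_then_decompress_ring_element_v` is covered by the preceding `assert` on `v_COMPRESSION_FACTOR`, so that one is benign.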
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti
index ba52b97a2..9cdba581c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti
@@ -38,37 +38,18 @@ val to_unsigned_field_modulus
v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) <
v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)
-val deserialize_then_decompress_10_
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (serialized: t_Slice u8)
- : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320)
- (fun _ -> Prims.l_True)
-
-val deserialize_then_decompress_11_
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (serialized: t_Slice u8)
- : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352)
- (fun _ -> Prims.l_True)
-
-val deserialize_then_decompress_4_
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (serialized: t_Slice u8)
- : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128)
- (fun _ -> Prims.l_True)
-
-val deserialize_then_decompress_5_
+val compress_then_serialize_message
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (serialized: t_Slice u8)
- : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160)
- (fun _ -> Prims.l_True)
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_Array u8 (sz 32))
+ (requires coefficients_field_modulus_range re)
+ (ensures
+ fun result ->
+ let result:t_Array u8 (sz 32) = result in
+ result ==
+ Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector
+ re))
val deserialize_then_decompress_message
(#v_Vector: Type0)
@@ -82,36 +63,31 @@ val deserialize_then_decompress_message
Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
Spec.MLKEM.decode_then_decompress_message serialized)
-val deserialize_then_decompress_ring_element_u
- (v_COMPRESSION_FACTOR: usize)
+val serialize_uncompressed_ring_element
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (serialized: t_Slice u8)
- : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires
- (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) &&
- (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize))
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_Array u8 (sz 384))
+ (requires coefficients_field_modulus_range re)
(ensures
fun result ->
- let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
- Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
- Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized)
+ let result:t_Array u8 (sz 384) = result in
+ result ==
+ Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
-val deserialize_then_decompress_ring_element_v
- (v_K v_COMPRESSION_FACTOR: usize)
+val deserialize_to_uncompressed_ring_element
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
(serialized: t_Slice u8)
: Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
(requires
- Spec.MLKEM.is_rank v_K /\
- v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
- Seq.length serialized == 32 * v v_COMPRESSION_FACTOR)
+ (Core.Slice.impl__len #u8 serialized <: usize) =.
+ Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
(ensures
fun result ->
let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
- Spec.MLKEM.decode_then_decompress_v #v_K serialized)
+ Spec.MLKEM.byte_decode 12 serialized)
/// Only use with public values.
/// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`.
@@ -164,20 +140,6 @@ val deserialize_ring_elements_reduced_out
in
forall (i: nat). i < v v_K ==> coefficients_field_modulus_range (Seq.index result i))
-val deserialize_to_uncompressed_ring_element
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (serialized: t_Slice u8)
- : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires
- (Core.Slice.impl__len #u8 serialized <: usize) =.
- Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
- Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
- Spec.MLKEM.byte_decode 12 serialized)
-
val compress_then_serialize_10_
(v_OUT_LEN: usize)
(#v_Vector: Type0)
@@ -194,6 +156,22 @@ val compress_then_serialize_11_
(re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
: Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True)
+val compress_then_serialize_ring_element_u
+ (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ : Prims.Pure (t_Array u8 v_OUT_LEN)
+ (requires
+ (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\
+ v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re)
+ (ensures
+ fun result ->
+ let result:t_Array u8 v_OUT_LEN = result in
+ result ==
+ Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR)
+ (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
+
val compress_then_serialize_4_
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
@@ -218,35 +196,6 @@ val compress_then_serialize_5_
let serialized_future:t_Slice u8 = serialized_future in
Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized)
-val compress_then_serialize_message
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_Array u8 (sz 32))
- (requires coefficients_field_modulus_range re)
- (ensures
- fun result ->
- let result:t_Array u8 (sz 32) = result in
- result ==
- Spec.MLKEM.compress_then_encode_message (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector
- re))
-
-val compress_then_serialize_ring_element_u
- (v_COMPRESSION_FACTOR v_OUT_LEN: usize)
- (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_Array u8 v_OUT_LEN)
- (requires
- (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\
- v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re)
- (ensures
- fun result ->
- let result:t_Array u8 v_OUT_LEN = result in
- result ==
- Spec.MLKEM.compress_then_byte_encode (v v_COMPRESSION_FACTOR)
- (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
-
val compress_then_serialize_ring_element_v
(v_K v_COMPRESSION_FACTOR v_OUT_LEN: usize)
(#v_Vector: Type0)
@@ -267,14 +216,65 @@ val compress_then_serialize_ring_element_v
Spec.MLKEM.compress_then_encode_v #v_K
(Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
-val serialize_uncompressed_ring_element
+val deserialize_then_decompress_10_
(#v_Vector: Type0)
{| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- : Prims.Pure (t_Array u8 (sz 384))
- (requires coefficients_field_modulus_range re)
+ (serialized: t_Slice u8)
+ : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320)
+ (fun _ -> Prims.l_True)
+
+val deserialize_then_decompress_11_
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (serialized: t_Slice u8)
+ : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352)
+ (fun _ -> Prims.l_True)
+
+val deserialize_then_decompress_ring_element_u
+ (v_COMPRESSION_FACTOR: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (serialized: t_Slice u8)
+ : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (requires
+ (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) &&
+ (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize))
(ensures
fun result ->
- let result:t_Array u8 (sz 384) = result in
- result ==
- Spec.MLKEM.byte_encode 12 (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re))
+ let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+ Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
+ Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized)
+
+val deserialize_then_decompress_4_
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (serialized: t_Slice u8)
+ : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128)
+ (fun _ -> Prims.l_True)
+
+val deserialize_then_decompress_5_
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (serialized: t_Slice u8)
+ : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160)
+ (fun _ -> Prims.l_True)
+
+val deserialize_then_decompress_ring_element_v
+ (v_K v_COMPRESSION_FACTOR: usize)
+ (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (serialized: t_Slice u8)
+ : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
+ (requires
+ Spec.MLKEM.is_rank v_K /\
+ v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\
+ Seq.length serialized == 32 * v v_COMPRESSION_FACTOR)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in
+ Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result ==
+ Spec.MLKEM.decode_then_decompress_v #v_K serialized)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
index 900372fd8..f47d6311e 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst
@@ -3,17 +3,39 @@ module Libcrux_ml_kem.Types
open Core
open FStar.Mul
-/// The number of bytes
-let impl_6__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
+///An ML-KEM Ciphertext
+type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
-/// The number of bytes
-let impl_13__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
+ {
+ f_default_pre = (fun (_: Prims.unit) -> true);
+ f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
+ f_default
+ =
+ fun (_: Prims.unit) ->
+ { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
+ }
-/// The number of bytes
-let impl_20__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
+ {
+ f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
+ f_as_ref_post
+ =
+ (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+ f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
+ }
-///An ML-KEM Ciphertext
-type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+ {
+ f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+ f_from_post
+ =
+ (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value);
+ f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
+ }
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl_1 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
@@ -37,15 +59,41 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip
}
[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) =
+let impl_3 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
{
- f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
- f_from_post
+ f_Error = Core.Array.t_TryFromSliceError;
+ f_try_from_pre = (fun (value: t_Slice u8) -> true);
+ f_try_from_post
=
- (fun (value: t_Array u8 v_SIZE) (result: t_MlKemCiphertext v_SIZE) -> result.f_value = value);
- f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemCiphertext v_SIZE
+ (fun
+ (value: t_Slice u8)
+ (out: Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError)
+ ->
+ true);
+ f_try_from
+ =
+ fun (value: t_Slice u8) ->
+ match
+ Core.Convert.f_try_into #(t_Slice u8)
+ #(t_Array u8 v_SIZE)
+ #FStar.Tactics.Typeclasses.solve
+ value
+ <:
+ Core.Result.t_Result (t_Array u8 v_SIZE) Core.Array.t_TryFromSliceError
+ with
+ | Core.Result.Result_Ok value ->
+ Core.Result.Result_Ok ({ f_value = value } <: t_MlKemCiphertext v_SIZE)
+ <:
+ Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
+ | Core.Result.Result_Err e ->
+ Core.Result.Result_Err e
+ <:
+ Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
}
+/// The number of bytes
+let impl_6__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
+
/// A reference to the raw byte slice.
let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
: Prims.Pure (t_Array u8 v_SIZE)
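Review bot: `impl_3`'s `f_try_from_post` is the constant `true`, so the slice-to-ciphertext conversion carries no specification relating the result to its input, unlike `impl_5` in the previous hunk whose `f_from_post` states `result.f_value = value`; `impl_10` and `impl_17` further down have the same shape. A postcondition along the lines of `match out with Core.Result.Result_Ok r -> r.f_value == value | Core.Result.Result_Err _ -> true` (with the slice/array coercion the file uses elsewhere) would let callers that parse untrusted key or ciphertext bytes rely on the conversion being lossless rather than just well-typed. Since this file is hax output, the change belongs in the Rust `TryFrom` impl's ensures annotation rather than here; the instances appear to be moved rather than new, so this is a pre-existing gap the reorder makes easy to spot.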
@@ -58,6 +106,37 @@ let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE)
///An ML-KEM Private key
type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
+ {
+ f_default_pre = (fun (_: Prims.unit) -> true);
+ f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
+ f_default
+ =
+ fun (_: Prims.unit) ->
+ { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
+ }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
+ {
+ f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
+ f_as_ref_post
+ =
+ (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+ f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
+ }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+ {
+ f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+ f_from_post
+ =
+ (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value);
+ f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
+ }
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
{
@@ -80,15 +159,41 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPri
}
[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) =
+let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
{
- f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
- f_from_post
+ f_Error = Core.Array.t_TryFromSliceError;
+ f_try_from_pre = (fun (value: t_Slice u8) -> true);
+ f_try_from_post
=
- (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPrivateKey v_SIZE) -> result.f_value = value);
- f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPrivateKey v_SIZE
+ (fun
+ (value: t_Slice u8)
+ (out: Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError)
+ ->
+ true);
+ f_try_from
+ =
+ fun (value: t_Slice u8) ->
+ match
+ Core.Convert.f_try_into #(t_Slice u8)
+ #(t_Array u8 v_SIZE)
+ #FStar.Tactics.Typeclasses.solve
+ value
+ <:
+ Core.Result.t_Result (t_Array u8 v_SIZE) Core.Array.t_TryFromSliceError
+ with
+ | Core.Result.Result_Ok value ->
+ Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPrivateKey v_SIZE)
+ <:
+ Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
+ | Core.Result.Result_Err e ->
+ Core.Result.Result_Err e
+ <:
+ Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
}
+/// The number of bytes
+let impl_13__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
+
/// A reference to the raw byte slice.
let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
: Prims.Pure (t_Array u8 v_SIZE)
@@ -101,6 +206,37 @@ let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE)
///An ML-KEM Public key
type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE }
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
+ {
+ f_default_pre = (fun (_: Prims.unit) -> true);
+ f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
+ f_default
+ =
+ fun (_: Prims.unit) ->
+ { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
+ }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
+ {
+ f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
+ f_as_ref_post
+ =
+ (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
+ f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
+ }
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+ {
+ f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
+ f_from_post
+ =
+ (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value);
+ f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
+ }
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
{
@@ -123,15 +259,41 @@ let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu
}
[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) =
+let impl_17 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
{
- f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true);
- f_from_post
+ f_Error = Core.Array.t_TryFromSliceError;
+ f_try_from_pre = (fun (value: t_Slice u8) -> true);
+ f_try_from_post
=
- (fun (value: t_Array u8 v_SIZE) (result: t_MlKemPublicKey v_SIZE) -> result.f_value = value);
- f_from = fun (value: t_Array u8 v_SIZE) -> { f_value = value } <: t_MlKemPublicKey v_SIZE
+ (fun
+ (value: t_Slice u8)
+ (out: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError)
+ ->
+ true);
+ f_try_from
+ =
+ fun (value: t_Slice u8) ->
+ match
+ Core.Convert.f_try_into #(t_Slice u8)
+ #(t_Array u8 v_SIZE)
+ #FStar.Tactics.Typeclasses.solve
+ value
+ <:
+ Core.Result.t_Result (t_Array u8 v_SIZE) Core.Array.t_TryFromSliceError
+ with
+ | Core.Result.Result_Ok value ->
+ Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPublicKey v_SIZE)
+ <:
+ Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
+ | Core.Result.Result_Err e ->
+ Core.Result.Result_Err e
+ <:
+ Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
}
+/// The number of bytes
+let impl_20__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE
+
/// A reference to the raw byte slice.
let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE)
: Prims.Pure (t_Array u8 v_SIZE)
@@ -147,28 +309,6 @@ type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = {
f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE
}
-/// Create a new [`MlKemKeyPair`] from the secret and public key.
-let impl_21__from
- (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
- (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
- (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
- : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
- Prims.l_True
- (ensures
- fun result ->
- let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in
- result.f_sk == sk /\ result.f_pk == pk) =
- { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
-
-/// Separate this key into the public and private key.
-let impl_21__into_parts
- (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
- (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
- : (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) =
- self.f_sk, self.f_pk
- <:
- (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
-
/// Creates a new [`MlKemKeyPair`].
let impl_21__new
(v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
@@ -192,11 +332,11 @@ let impl_21__new
<:
t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
-/// Get a reference to the raw public key bytes.
-let impl_21__pk
+/// Get a reference to the [`MlKemPublicKey`].
+let impl_21__public_key
(v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
(self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
- : t_Array u8 v_PUBLIC_KEY_SIZE = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk
+ : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk
/// Get a reference to the [`MlKemPrivateKey`].
let impl_21__private_key
@@ -204,11 +344,11 @@ let impl_21__private_key
(self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE = self.f_sk
-/// Get a reference to the [`MlKemPublicKey`].
-let impl_21__public_key
+/// Get a reference to the raw public key bytes.
+let impl_21__pk
(v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
(self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
- : t_MlKemPublicKey v_PUBLIC_KEY_SIZE = self.f_pk
+ : t_Array u8 v_PUBLIC_KEY_SIZE = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk
/// Get a reference to the raw private key bytes.
let impl_21__sk
@@ -216,6 +356,28 @@ let impl_21__sk
(self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
: t_Array u8 v_PRIVATE_KEY_SIZE = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk
+/// Separate this key into the public and private key.
+let impl_21__into_parts
+ (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
+ (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ : (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) =
+ self.f_sk, self.f_pk
+ <:
+ (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+
+/// Create a new [`MlKemKeyPair`] from the secret and public key.
+let impl_21__from
+ (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize)
+ (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE)
+ (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE)
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in
+ result.f_sk == sk /\ result.f_pk == pk) =
+ { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE
+
/// Unpack an incoming private key into it\'s different parts.
/// We have this here in types to extract into a common core for C.
let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private_key: t_Slice u8)
@@ -258,165 +420,3 @@ let unpack_private_key (v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (private
ind_cpa_secret_key, ind_cpa_public_key, ind_cpa_public_key_hash, implicit_rejection_value
<:
(t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8)
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) =
- {
- f_default_pre = (fun (_: Prims.unit) -> true);
- f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true);
- f_default
- =
- fun (_: Prims.unit) ->
- { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) =
- {
- f_default_pre = (fun (_: Prims.unit) -> true);
- f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true);
- f_default
- =
- fun (_: Prims.unit) ->
- { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) =
- {
- f_default_pre = (fun (_: Prims.unit) -> true);
- f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true);
- f_default
- =
- fun (_: Prims.unit) ->
- { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_4 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
- {
- f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true);
- f_as_ref_post
- =
- (fun (self___: t_MlKemCiphertext v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
- f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_11 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
- {
- f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true);
- f_as_ref_post
- =
- (fun (self___: t_MlKemPrivateKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
- f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_18 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
- {
- f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true);
- f_as_ref_post
- =
- (fun (self___: t_MlKemPublicKey v_SIZE) (result: t_Slice u8) -> result = self___.f_value);
- f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_3 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) =
- {
- f_Error = Core.Array.t_TryFromSliceError;
- f_try_from_pre = (fun (value: t_Slice u8) -> true);
- f_try_from_post
- =
- (fun
- (value: t_Slice u8)
- (out: Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError)
- ->
- true);
- f_try_from
- =
- fun (value: t_Slice u8) ->
- match
- Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 v_SIZE)
- #FStar.Tactics.Typeclasses.solve
- value
- <:
- Core.Result.t_Result (t_Array u8 v_SIZE) Core.Array.t_TryFromSliceError
- with
- | Core.Result.Result_Ok value ->
- Core.Result.Result_Ok ({ f_value = value } <: t_MlKemCiphertext v_SIZE)
- <:
- Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
- | Core.Result.Result_Err e ->
- Core.Result.Result_Err e
- <:
- Core.Result.t_Result (t_MlKemCiphertext v_SIZE) Core.Array.t_TryFromSliceError
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_10 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) =
- {
- f_Error = Core.Array.t_TryFromSliceError;
- f_try_from_pre = (fun (value: t_Slice u8) -> true);
- f_try_from_post
- =
- (fun
- (value: t_Slice u8)
- (out: Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError)
- ->
- true);
- f_try_from
- =
- fun (value: t_Slice u8) ->
- match
- Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 v_SIZE)
- #FStar.Tactics.Typeclasses.solve
- value
- <:
- Core.Result.t_Result (t_Array u8 v_SIZE) Core.Array.t_TryFromSliceError
- with
- | Core.Result.Result_Ok value ->
- Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPrivateKey v_SIZE)
- <:
- Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
- | Core.Result.Result_Err e ->
- Core.Result.Result_Err e
- <:
- Core.Result.t_Result (t_MlKemPrivateKey v_SIZE) Core.Array.t_TryFromSliceError
- }
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_17 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) =
- {
- f_Error = Core.Array.t_TryFromSliceError;
- f_try_from_pre = (fun (value: t_Slice u8) -> true);
- f_try_from_post
- =
- (fun
- (value: t_Slice u8)
- (out: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError)
- ->
- true);
- f_try_from
- =
- fun (value: t_Slice u8) ->
- match
- Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 v_SIZE)
- #FStar.Tactics.Typeclasses.solve
- value
- <:
- Core.Result.t_Result (t_Array u8 v_SIZE) Core.Array.t_TryFromSliceError
- with
- | Core.Result.Result_Ok value ->
- Core.Result.Result_Ok ({ f_value = value } <: t_MlKemPublicKey v_SIZE)
- <:
- Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
- | Core.Result.Result_Err e ->
- Core.Result.Result_Err e
- <:
- Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError
- }
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst
index 84b152b40..5adcde2f7 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst
@@ -3,6 +3,48 @@ module Libcrux_ml_kem.Utils
open Core
open FStar.Mul
+let into_padded_array (v_LEN: usize) (slice: t_Slice u8) =
+ let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in
+ let out:t_Array u8 v_LEN =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
+ ({
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (out.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ slice
+ <:
+ t_Slice u8)
+ in
+ let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in
+ let _:Prims.unit =
+ assert (Seq.slice out (Seq.length slice) (v v_LEN) ==
+ Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))
+ in
+ let _:Prims.unit =
+ assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)
+ in
+ let _:Prims.unit =
+ assert (forall i.
+ (i >= Seq.length slice && i < v v_LEN) ==>
+ Seq.index out i ==
+ Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))
+ in
+ let _:Prims.unit =
+ Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))
+ in
+ out
+
#push-options "--z3rlimit 200"
let prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (domain_separator: u8) =
@@ -49,45 +91,3 @@ let prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (d
prf_inputs, hax_temp_output <: (t_Array (t_Array u8 (sz 33)) v_K & u8)
#pop-options
-
-let into_padded_array (v_LEN: usize) (slice: t_Slice u8) =
- let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in
- let out:t_Array u8 v_LEN =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
- ({
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
- }
- <:
- Core.Ops.Range.t_Range usize)
- (Core.Slice.impl__copy_from_slice #u8
- (out.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- slice
- <:
- t_Slice u8)
- in
- let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in
- let _:Prims.unit =
- assert (Seq.slice out (Seq.length slice) (v v_LEN) ==
- Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))
- in
- let _:Prims.unit =
- assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)
- in
- let _:Prims.unit =
- assert (forall i.
- (i >= Seq.length slice && i < v v_LEN) ==>
- Seq.index out i ==
- Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))
- in
- let _:Prims.unit =
- Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))
- in
- out
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti
index 033a1e9d3..67b8e0959 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti
@@ -3,6 +3,16 @@ module Libcrux_ml_kem.Utils
open Core
open FStar.Mul
+/// Pad the `slice` with `0`s at the end.
+val into_padded_array (v_LEN: usize) (slice: t_Slice u8)
+ : Prims.Pure (t_Array u8 v_LEN)
+ (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN)
+ (ensures
+ fun result ->
+ let result:t_Array u8 v_LEN = result in
+ result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy)
+ )
+
val prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (domain_separator: u8)
: Prims.Pure (t_Array (t_Array u8 (sz 33)) v_K & u8)
(requires range (v domain_separator + v v_K) u8_inttype)
@@ -15,13 +25,3 @@ val prf_input_inc (v_K: usize) (prf_inputs: t_Array (t_Array u8 (sz 33)) v_K) (d
v (Seq.index (Seq.index prf_inputs_future i) 32) == v domain_separator + i /\
Seq.slice (Seq.index prf_inputs_future i) 0 32 ==
Seq.slice (Seq.index prf_inputs i) 0 32))
-
-/// Pad the `slice` with `0`s at the end.
-val into_padded_array (v_LEN: usize) (slice: t_Slice u8)
- : Prims.Pure (t_Array u8 v_LEN)
- (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN)
- (ensures
- fun result ->
- let result:t_Array u8 v_LEN = result in
- result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy)
- )
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti
index 9f3dc29f3..9737e9b24 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti
@@ -9,14 +9,6 @@ let _ =
let open Libcrux_ml_kem.Hash_functions in
()
-/// Implements [`Variant`], to perform the ML-KEM-specific actions
-/// during encapsulation and decapsulation.
-/// Specifically,
-/// * during key generation, the seed hash is domain separated (this is a difference from the FIPS 203 IPD and Kyber)
-/// * during encapsulation, the initial randomness is used without prior hashing,
-/// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext.
-type t_MlKem = | MlKem : t_MlKem
-
/// This trait collects differences in specification between ML-KEM
/// (FIPS 203) and the Round 3 CRYSTALS-Kyber submission in the
/// NIST PQ competition.
@@ -97,5 +89,13 @@ class t_Variant (v_Self: Type0) = {
(fun result -> f_cpa_keygen_seed_post v_K #v_Hasher #i3 x0 result)
}
+/// Implements [`Variant`], to perform the ML-KEM-specific actions
+/// during encapsulation and decapsulation.
+/// Specifically,
+/// * during key generation, the seed hash is domain separated (this is a difference from the FIPS 203 IPD and Kyber)
+/// * during encapsulation, the initial randomness is used without prior hashing,
+/// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext.
+type t_MlKem = | MlKem : t_MlKem
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl:t_Variant t_MlKem
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
index a80c67948..94a571aa2 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst
@@ -19,17 +19,19 @@ let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
in
result
-let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) =
- let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant
- in
+let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma
+ (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))))
+ (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) ==
+ (v (get_lane lhs i) - v (get_lane rhs i))))
+ [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()
+
+let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs
in
let _:Prims.unit =
- Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)
- (Spec.Utils.map_array (fun x -> x &. constant)
- (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+ assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i);
+ assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))
in
result
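Review bot: `lemma_sub_i` is a hand-written helper lemma with an `SMTPat` and no comment, so a reader of `sub` just below sees two `assert`s go through without any visible reason. A one-line comment before the lemma would make the proof legible, e.g. `(* Lane-wise: when the exact difference fits in i16 (the [requires] of [sub]), wrapping [sub_mod] equals exact subtraction; the SMTPat lets Z3 apply this automatically inside [sub]. *)`. If this lemma originates from a `hax_lib::fstar!` block in the Rust source, the comment belongs there so re-extraction does not drop it.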
@@ -58,6 +60,20 @@ let multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (con
in
result
+let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) =
+ let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant
+ in
+ let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv
+ in
+ let _:Prims.unit =
+ Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)
+ (Spec.Utils.map_array (fun x -> x &. constant)
+ (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+ in
+ result
+
let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector
@@ -69,22 +85,48 @@ let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec
in
result
-let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma
- (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))))
- (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) ==
- (v (get_lane lhs i) - v (get_lane rhs i))))
- [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()
+#push-options "--z3rlimit 100"
-let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
+ in
+ let _:Prims.unit = assert (forall i. get_lane field_modulus i == 3329s) in
+ let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus
+ in
+ let _:Prims.unit =
+ assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s)
+ in
+ let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus
+ in
+ let _:Prims.unit =
+ assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l))
+ in
+ let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus
+ in
+ let _:Prims.unit =
+ assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s))
+ in
let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs
+ Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus
+ conditional_add_field_modulus
in
let _:Prims.unit =
- assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i);
- assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))
+ assert (forall i.
+ get_lane result i ==
+ (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i));
+ assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i));
+ assert (forall i.
+ get_lane result i ==
+ (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i))
in
result
+#pop-options
+
#push-options "--z3rlimit 200"
let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
@@ -142,48 +184,6 @@ let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
#pop-options
-#push-options "--z3rlimit 100"
-
-let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
- in
- let _:Prims.unit = assert (forall i. get_lane field_modulus i == 3329s) in
- let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus
- in
- let _:Prims.unit =
- assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s)
- in
- let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus
- in
- let _:Prims.unit =
- assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l))
- in
- let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus
- in
- let _:Prims.unit =
- assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s))
- in
- let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus
- conditional_add_field_modulus
- in
- let _:Prims.unit =
- assert (forall i.
- get_lane result i ==
- (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i));
- assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i));
- assert (forall i.
- get_lane result i ==
- (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i))
- in
- result
-
-#pop-options
-
#push-options "--z3rlimit 100 --ext context_pruning"
let montgomery_multiply_by_constant
@@ -328,6 +328,42 @@ let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_ext
#pop-options
+let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
+ <:
+ u32)
+ <:
+ i32)
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k
+ (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
+ <:
+ i16)
+ <:
+ i32)
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec
+ in
+ let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus
+ in
+ let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result
+ in
+ let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result
+ in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
+
#push-options "--z3rlimit 100"
let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) =
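Review bot: `let _:Prims.unit = admit () (* Panic freedom *) in` at the end of `montgomery_reduce_i32s` admits every remaining obligation of the function, not just panic freedom: after `admit ()` the verification context is `False`, so the `ensures` declared for this `val` in the `.fsti` (the 3328 lane bound and the `* 169 % 3329` relation) is discharged vacuously. This is moved rather than new code, but it is the one place in this diff where a reduction step carries a functional spec that is not actually checked, which matters for any claim that the AVX2 arithmetic is verified. Until a real proof lands, the comment should state the scope honestly, e.g. `(* admit (): the full postcondition of montgomery_reduce_i32s is unverified here, not only panic freedom *)`, so that a grep for `admit` gives an accurate picture of the proof gap.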
@@ -400,39 +436,3 @@ let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Av
result
#pop-options
-
-let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R
- <:
- u32)
- <:
- i32)
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k
- (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS
- <:
- i16)
- <:
- i32)
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec
- in
- let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus
- in
- let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result
- in
- let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti
index 6cfb8659a..14cf907ec 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti
@@ -3,8 +3,6 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic
open Core
open FStar.Mul
-let v_BARRETT_MULTIPLIER: i16 = 20159s
-
open Libcrux_intrinsics.Avx2_extract
val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
@@ -17,15 +15,15 @@ val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) + v (get_lane rhs i)))
-val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16)
+val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
- Prims.l_True
+ (requires
+ forall i.
+ i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))
(ensures
fun result ->
let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
- Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result ==
- Spec.Utils.map_array (fun x -> x &. constant)
- (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+ forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i)))
val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
@@ -36,6 +34,16 @@ val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (con
let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
forall i. i < 16 ==> v (get_lane result i) == (v (get_lane vector i) * v constant))
+val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
+ Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result ==
+ Spec.Utils.map_array (fun x -> x &. constant)
+ (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
+
val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
@@ -47,15 +55,21 @@ val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec
Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY)
(Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
-val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires
- forall i.
- i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))
+ Spec.Utils.is_i16b_array (pow2 12 - 1)
+ (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
(ensures
fun result ->
let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
- forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i)))
+ forall i.
+ i < 16 ==>
+ get_lane result i ==
+ (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i
+ ))
+
+let v_BARRETT_MULTIPLIER: i16 = 20159s
/// See Section 3.2 of the implementation notes document for an explanation
/// of this code.
@@ -69,20 +83,6 @@ val barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\
(forall i. i < 16 ==> v (get_lane result i) % 3329 == (v (get_lane vector i) % 3329)))
-val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
- (requires
- Spec.Utils.is_i16b_array (pow2 12 - 1)
- (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector))
- (ensures
- fun result ->
- let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in
- forall i.
- i < 16 ==>
- get_lane result i ==
- (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i
- ))
-
val montgomery_multiply_by_constant
(vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
(constant: i16)
@@ -109,19 +109,6 @@ val montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_ext
v (get_lane result i) % 3329 ==
((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329)))
-val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128
- (requires
- Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants))
- (ensures
- fun result ->
- let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in
- Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\
- (forall i.
- i < 8 ==>
- v (get_lane128 result i) % 3329 ==
- ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329)))
-
val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires
@@ -137,3 +124,16 @@ val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256)
Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) /\
(forall i. i < 16 ==> v (get_lane result i) % 3329 == ((v (get_lane vec i) * 169) % 3329))
)
+
+val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128
+ (requires
+ Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants))
+ (ensures
+ fun result ->
+ let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in
+ Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\
+ (forall i.
+ i < 8 ==>
+ v (get_lane128 result i) % 3329 ==
+ ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst
index 849da1049..c84cf4a1c 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst
@@ -26,6 +26,39 @@ let mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
<:
Libcrux_intrinsics.Avx2_extract.t_Vec256)
+let compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -!
+ 1s
+ <:
+ i16) /!
+ 2s
+ <:
+ i16)
+ in
+ let field_modulus_quartered:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -!
+ 1s
+ <:
+ i16) /!
+ 4s
+ <:
+ i16)
+ in
+ let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 field_modulus_halved vector
+ in
+ let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l shifted
+ in
+ let shifted_to_positive:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 mask shifted
+ in
+ let shifted_to_positive_in_range:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 shifted_to_positive field_modulus_quartered
+ in
+ Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l shifted_to_positive_in_range
+
let compress_ciphertext_coefficient
(v_COEFFICIENT_BITS: i32)
(vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
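Review bot: `compress_message_coefficient` is declared in the `.fsti` hunk later in this diff with `Prims.l_True` for both precondition and postcondition, so nothing about the 1-bit rounding it computes is captured and callers can use only its type. The sign-mask construction (`mm256_srai_epi16 15l` followed by `mm256_xor_si256`, then `mm256_srli_epi16 15l`) is what makes the selection branch-free, but it only behaves as intended when the input lanes are small enough that `mm256_sub_epi16` does not wrap, and no `requires` pins that; `cond_subtract_3329_` in the Arithmetic module uses `Spec.Utils.is_i16b_array (pow2 12 - 1)` for exactly this purpose. A spec of the same shape as `cond_subtract_3329_`'s, `requires` an `is_i16b_array` bound on `vec256_as_i16x16 vector` and `ensures fun result -> forall i. i < 16 ==> get_lane result i == <1-bit compress spec function, placeholder> (get_lane vector i)`, would close the gap; whether `Spec.Utils` already has a suitable spec function I cannot tell from this diff. As both the `.fst` and `.fsti` appear hax-extracted, the contract would need to be added on the Rust side.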
@@ -98,39 +131,6 @@ let compress_ciphertext_coefficient
in
Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l compressed
-let compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -!
- 1s
- <:
- i16) /!
- 2s
- <:
- i16)
- in
- let field_modulus_quartered:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS -!
- 1s
- <:
- i16) /!
- 4s
- <:
- i16)
- in
- let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 field_modulus_halved vector
- in
- let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l shifted
- in
- let shifted_to_positive:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_xor_si256 mask shifted
- in
- let shifted_to_positive_in_range:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 shifted_to_positive field_modulus_quartered
- in
- Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 15l shifted_to_positive_in_range
-
let decompress_ciphertext_coefficient
(v_COEFFICIENT_BITS: i32)
(vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti
index 267f93c47..3a6db0bb0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti
@@ -6,6 +6,9 @@ open FStar.Mul
val mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
val compress_ciphertext_coefficient
(v_COEFFICIENT_BITS: i32)
(vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
@@ -15,9 +18,6 @@ val compress_ciphertext_coefficient
range (v (1l < Prims.l_True)
-val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
val decompress_ciphertext_coefficient
(v_COEFFICIENT_BITS: i32)
(vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
index 6d1f1794f..a41ca52e5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst
@@ -3,6 +3,72 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt
open Core
open FStar.Mul
+let ntt_layer_1_step
+ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ (zeta0 zeta1 zeta2 zeta3: i16)
+ =
+ let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16)
+ (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16)
+ (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16)
+ (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16)
+ (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0
+ in
+ let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector
+ in
+ let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas
+ in
+ let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector
+ in
+ Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
+
+let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) =
+ let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16)
+ (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16)
+ (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1
+ (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16)
+ (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0
+ zeta0
+ in
+ let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector
+ in
+ let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas
+ in
+ let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector
+ in
+ Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
+
+let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) =
+ let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector
+ in
+ let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs
+ (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec128)
+ in
+ let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector
+ in
+ let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs
+ in
+ let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs
+ in
+ let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients
+ in
+ Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients
+
#push-options "--admit_smt_queries true"
let inv_ntt_layer_1_step
@@ -89,72 +155,6 @@ let inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zet
in
Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients
-let ntt_layer_1_step
- (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- (zeta0 zeta1 zeta2 zeta3: i16)
- =
- let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16)
- (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16)
- (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16)
- (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16)
- (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0
- in
- let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector
- in
- let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas
- in
- let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector
- in
- Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
-
-let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) =
- let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16)
- (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16)
- (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1
- (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16)
- (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0
- zeta0
- in
- let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector
- in
- let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas
- in
- let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector
- in
- Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs
-
-let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) =
- let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector
- in
- let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs
- (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec128)
- in
- let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector
- in
- let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs
- in
- let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs
- in
- let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients
- in
- Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients
-
#push-options "--admit_smt_queries true"
let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) =
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti
index e2cfc07ca..9086e4521 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti
@@ -3,9 +3,7 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt
open Core
open FStar.Mul
-let ntt_multiply__PERMUTE_WITH: i32 = 216l
-
-val inv_ntt_layer_1_step
+val ntt_layer_1_step
(vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
(zeta0 zeta1 zeta2 zeta3: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
@@ -14,17 +12,17 @@ val inv_ntt_layer_1_step
Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3)
(fun _ -> Prims.l_True)
-val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16)
+val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1)
(fun _ -> Prims.l_True)
-val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16)
+val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires Spec.Utils.is_i16b 1664 zeta)
(fun _ -> Prims.l_True)
-val ntt_layer_1_step
+val inv_ntt_layer_1_step
(vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
(zeta0 zeta1 zeta2 zeta3: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
@@ -33,16 +31,18 @@ val ntt_layer_1_step
Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3)
(fun _ -> Prims.l_True)
-val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16)
+val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1)
(fun _ -> Prims.l_True)
-val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16)
+val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires Spec.Utils.is_i16b 1664 zeta)
(fun _ -> Prims.l_True)
+let ntt_multiply__PERMUTE_WITH: i32 = 216l
+
val ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
(requires
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
index 87cf7addd..bf8b92cd5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst
@@ -10,10 +10,49 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-[@@"opaque_to_smt"]
+#push-options "--ext context_pruning --compat_pre_core 0"
+
+let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector
+ in
+ let low_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lsb_to_msb
+ in
+ let high_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lsb_to_msb
+ in
+ let msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs
+ in
+ let _:Prims.unit =
+ let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in
+ FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}).
+ bits_packed' i = vector ((i / 1) * 16 + i % 1))
+ (fun _ ->
+ ();
+ (Tactics.Utils.prove_forall_nat_pointwise (fun _ ->
+ Tactics.compute ();
+ Tactics.smt_sync ())))
+ in
+ let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in
+ let result:t_Array u8 (sz 2) =
+ let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+ Rust_primitives.Hax.array_of_list 2 list
+ in
+ let _:Prims.unit =
+ assert (forall (i: nat{i < 8}).
+ get_bit (bits_packed >>! 8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8)))
+ in
+ result
+
+#pop-options
#push-options "--ext context_pruning"
+[@@"opaque_to_smt"]
+
let deserialize_1___deserialize_1_i16s (a b: i16) =
let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 b b b b b b b b a a a a a a a a
@@ -41,6 +80,55 @@ let deserialize_1___deserialize_1_u8s (a b: u8) =
let deserialize_1_ (bytes: t_Slice u8) =
deserialize_1___deserialize_1_u8s (bytes.[ sz 0 ] <: u8) (bytes.[ sz 1 ] <: u8)
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
+ let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ mm256_concat_pairs_n 4uy vector
+ in
+ let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+ (-1y) (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
+ (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_8_combined
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 combined
+ in
+ let serialized:t_Array u8 (sz 16) =
+ Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized combined
+ in
+ let _:Prims.unit =
+ assert (forall (i: nat{i < 64}). combined i == bit_vec_of_int_t_array serialized 8 i);
+ introduce forall (i: nat{i < 64}) . combined i = vector ((i / 4) * 16 + i % 4)
+ with assert_norm (BitVec.Utils.forall64 (fun i -> combined i = vector ((i / 4) * 16 + i % 4)));
+ assert (forall (i: nat{i < 64}).
+ bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4))
+ in
+ Core.Result.impl__unwrap #(t_Array u8 (sz 8))
+ #Core.Array.t_TryFromSliceError
+ (Core.Convert.f_try_into #(t_Slice u8)
+ #(t_Array u8 (sz 8))
+ #FStar.Tactics.Typeclasses.solve
+ (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ <:
+ Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError)
+
+#pop-options
+
[@@"opaque_to_smt"]
let deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) =
@@ -89,138 +177,40 @@ let deserialize_4_ (bytes: t_Slice u8) =
(bytes.[ sz 6 ] <: u8)
(bytes.[ sz 7 ] <: u8)
-#push-options "--ext context_pruning --compat_pre_core 0"
-
-let serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let lsb_to_msb:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_slli_epi16 15l vector
- in
- let low_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lsb_to_msb
- in
- let high_msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lsb_to_msb
- in
- let msbs:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_packs_epi16 low_msbs high_msbs
- in
- let _:Prims.unit =
- let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in
- FStar.Tactics.Effect.assert_by_tactic (forall (i: nat{i < 16}).
- bits_packed' i = vector ((i / 1) * 16 + i % 1))
- (fun _ ->
- ();
- (Tactics.Utils.prove_forall_nat_pointwise (fun _ ->
- Tactics.compute ();
- Tactics.smt_sync ())))
- in
- let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in
- let result:t_Array u8 (sz 2) =
- let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in
- FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
- Rust_primitives.Hax.array_of_list 2 list
- in
- let _:Prims.unit =
- assert (forall (i: nat{i < 8}).
- get_bit (bits_packed >>! 8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8)))
- in
- result
-
-#pop-options
-
-#push-options "--ext context_pruning --split_queries always"
-
-let serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- mm256_concat_pairs_n 10uy vector
+ Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < lower_8_ i = vector ((i / 10) * 16 + i % 10)));
- introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)
- with assert_norm (BitVec.Utils.forall_n 80
- (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)))
- in
- lower_8_, upper_8_
- <:
- (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
-
-#pop-options
-
-#push-options "--ext context_pruning --split_queries always"
-
-let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- mm256_concat_pairs_n 12uy vector
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 8l adjacent_4_combined
in
- let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 8l 0l 8l 0l 8l 0l 8l
+ let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_8_combined
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 12l 0l 0l 0l 12l
<:
Libcrux_intrinsics.Avx2_extract.t_Vec256)
in
- let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 8l adjacent_4_combined
- in
let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y
- 5y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) 13y 12y 11y 10y 9y 8y 5y 4y 3y 2y 1y 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_8_combined
in
let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined
in
- let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
- in
- let _:Prims.unit =
- introduce forall (i: nat{i < 96}) . lower_8_ i = vector ((i / 12) * 16 + i % 12)
- with assert_norm (BitVec.Utils.forall_n 96
- (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12)));
- introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)
- with assert_norm (BitVec.Utils.forall_n 96
- (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)))
- in
- lower_8_, upper_8_
- <:
- (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
-
-#pop-options
-
-#push-options "--ext context_pruning --split_queries always"
-
-let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 &
- Libcrux_intrinsics.Avx2_extract.t_Vec128) =
- serialize_10___serialize_10_vec vector
- in
- let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
let serialized:t_Array u8 (sz 32) =
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -238,14 +228,17 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
<:
t_Slice u8)
in
+ let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
+ in
let serialized:t_Array u8 (sz 32) =
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 }
+ ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 }
<:
Core.Ops.Range.t_Range usize)
(Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 10;
- Core.Ops.Range.f_end = sz 26
+ Core.Ops.Range.f_start = sz 5;
+ Core.Ops.Range.f_end = sz 21
}
<:
Core.Ops.Range.t_Range usize ]
@@ -255,29 +248,70 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
<:
t_Slice u8)
in
- Core.Result.impl__unwrap #(t_Array u8 (sz 20))
+ Core.Result.impl__unwrap #(t_Array u8 (sz 10))
#Core.Array.t_TryFromSliceError
(Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 (sz 20))
+ #(t_Array u8 (sz 10))
#FStar.Tactics.Typeclasses.solve
- (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 }
+ (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 }
<:
Core.Ops.Range.t_Range usize ]
<:
t_Slice u8)
<:
- Core.Result.t_Result (t_Array u8 (sz 20)) Core.Array.t_TryFromSliceError)
+ Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError)
+
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ mm256_concat_pairs_n 10uy vector
+ in
+ let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_2_combined
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined
+ in
+ let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_4_combined
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y
+ 10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y
+ 0y
+ <:
+ Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ in
+ let lower_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined
+ in
+ let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
+ in
+ let _:Prims.unit =
+ introduce forall (i: nat{i < 80}) . lower_8_ i = vector ((i / 10) * 16 + i % 10)
+ with assert_norm (BitVec.Utils.forall_n 80
+ (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10)));
+ introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)
+ with assert_norm (BitVec.Utils.forall_n 80
+ (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10)))
+ in
+ lower_8_, upper_8_
+ <:
+ (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
#pop-options
#push-options "--ext context_pruning --split_queries always"
-let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 &
Libcrux_intrinsics.Avx2_extract.t_Vec128) =
- serialize_12___serialize_12_vec vector
+ serialize_10___serialize_10_vec vector
in
+ let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
let serialized:t_Array u8 (sz 32) =
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -297,12 +331,12 @@ let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
in
let serialized:t_Array u8 (sz 32) =
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({ Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 28 }
+ ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 }
<:
Core.Ops.Range.t_Range usize)
(Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 12;
- Core.Ops.Range.f_end = sz 28
+ Core.Ops.Range.f_start = sz 10;
+ Core.Ops.Range.f_end = sz 26
}
<:
Core.Ops.Range.t_Range usize ]
@@ -312,55 +346,106 @@ let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
<:
t_Slice u8)
in
- Core.Result.impl__unwrap #(t_Array u8 (sz 24))
+ Core.Result.impl__unwrap #(t_Array u8 (sz 20))
#Core.Array.t_TryFromSliceError
(Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 (sz 24))
+ #(t_Array u8 (sz 20))
#FStar.Tactics.Typeclasses.solve
- (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 24 }
+ (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 }
<:
Core.Ops.Range.t_Range usize ]
<:
t_Slice u8)
<:
- Core.Result.t_Result (t_Array u8 (sz 24)) Core.Array.t_TryFromSliceError)
+ Core.Result.t_Result (t_Array u8 (sz 20)) Core.Array.t_TryFromSliceError)
#pop-options
-let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+#push-options "--admit_smt_queries true"
+
+let serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let array:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in
+ let array:t_Array i16 (sz 16) =
+ Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 array vector
+ in
+ let input:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Vector.Traits.f_from_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #FStar.Tactics.Typeclasses.solve
+ (array <: t_Slice i16)
+ in
+ Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #FStar.Tactics.Typeclasses.solve
+ input
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
+let deserialize_11_ (bytes: t_Slice u8) =
+ let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #FStar.Tactics.Typeclasses.solve
+ bytes
+ in
+ let array:t_Array i16 (sz 16) =
+ Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #FStar.Tactics.Typeclasses.solve
+ output
+ in
+ Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 (array <: t_Slice i16)
+
+#pop-options
+
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < lower_8_ i = vector ((i / 12) * 16 + i % 12)));
+ introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)
+ with assert_norm (BitVec.Utils.forall_n 96
+ (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12)))
+ in
+ lower_8_, upper_8_
+ <:
+ (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
+
+#pop-options
+
+#push-options "--ext context_pruning --split_queries always"
+
+let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
+ let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 &
+ Libcrux_intrinsics.Avx2_extract.t_Vec128) =
+ serialize_12___serialize_12_vec vector
+ in
let serialized:t_Array u8 (sz 32) =
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 }
@@ -378,17 +463,14 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
<:
t_Slice u8)
in
- let upper_8_:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined
- in
let serialized:t_Array u8 (sz 32) =
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized
- ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 }
+ ({ Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 28 }
<:
Core.Ops.Range.t_Range usize)
(Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ {
- Core.Ops.Range.f_start = sz 5;
- Core.Ops.Range.f_end = sz 21
+ Core.Ops.Range.f_start = sz 12;
+ Core.Ops.Range.f_end = sz 28
}
<:
Core.Ops.Range.t_Range usize ]
@@ -398,67 +480,50 @@ let serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
<:
t_Slice u8)
in
- Core.Result.impl__unwrap #(t_Array u8 (sz 10))
+ Core.Result.impl__unwrap #(t_Array u8 (sz 24))
#Core.Array.t_TryFromSliceError
(Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 (sz 10))
+ #(t_Array u8 (sz 24))
#FStar.Tactics.Typeclasses.solve
- (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 }
+ (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 24 }
<:
Core.Ops.Range.t_Range usize ]
<:
t_Slice u8)
<:
- Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError)
+ Core.Result.t_Result (t_Array u8 (sz 24)) Core.Array.t_TryFromSliceError)
-#push-options "--ext context_pruning --split_queries always"
+#pop-options
-let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) =
- let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in
- let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- mm256_concat_pairs_n 4uy vector
+let deserialize_5_ (bytes: t_Slice u8) =
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
+ Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8)
+ (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8)
+ (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8)
+ (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8)
+ (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8)
in
- let adjacent_8_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
- (-1y) (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y)
- (-1y) (-1y) (-1y) (-1y) 12y 8y 4y 0y
+ let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ mm256_si256_from_two_si128 coefficients coefficients
+ in
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y
+ 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y
<:
Libcrux_intrinsics.Avx2_extract.t_Vec256)
in
- let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_8_combined
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 0l 0l 4l 0l
+ let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
+ Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
+ (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < combined i = vector ((i / 4) * 16 + i % 4)));
- assert (forall (i: nat{i < 64}).
- bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4))
- in
- Core.Result.impl__unwrap #(t_Array u8 (sz 8))
- #Core.Array.t_TryFromSliceError
- (Core.Convert.f_try_into #(t_Slice u8)
- #(t_Array u8 (sz 8))
- #FStar.Tactics.Typeclasses.solve
- (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- <:
- Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError)
-
-#pop-options
+ Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 11l coefficients
[@@"opaque_to_smt"]
@@ -605,68 +670,3 @@ let deserialize_12_ (bytes: t_Slice u8) =
t_Slice u8)
in
deserialize_12___deserialize_12_vec lower_coefficients upper_coefficients
-
-let deserialize_5_ (bytes: t_Slice u8) =
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 =
- Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8)
- (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8)
- (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8)
- (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8)
- (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8)
- in
- let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- mm256_si256_from_two_si128 coefficients coefficients
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y
- 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y
- <:
- Libcrux_intrinsics.Avx2_extract.t_Vec256)
- in
- let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 =
- Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients
- (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s <= 1 ==> vector i == 0)
+ (ensures
+ fun result ->
+ let result:t_Array u8 (sz 2) = result in
+ forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16))
+
val deserialize_1___deserialize_1_i16s (a b: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
Prims.l_True
@@ -52,6 +60,16 @@ val deserialize_1_ (bytes: t_Slice u8)
let j = (i / 16) * 1 + i % 16 in
bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 j))
+include BitVec.Intrinsics {mm256_concat_pairs_n}
+
+val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure (t_Array u8 (sz 8))
+ (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0)
+ (ensures
+ fun r ->
+ let r:t_Array u8 (sz 8) = r in
+ forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4))
+
val deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16)
: Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
Prims.l_True
@@ -110,15 +128,10 @@ val deserialize_4_ (bytes: t_Slice u8)
let j = (i / 16) * 4 + i % 16 in
bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 j))
-include BitVec.Intrinsics {mm256_concat_pairs_n}
+val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
-val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure (t_Array u8 (sz 2))
- (requires forall i. i % 16 >= 1 ==> vector i == 0)
- (ensures
- fun result ->
- let result:t_Array u8 (sz 2) = result in
- forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16))
+include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128}
val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure
@@ -133,6 +146,20 @@ val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_V
forall (i: nat{i < 160}).
vector ((i / 10) * 16 + i % 10) == (if i < 80 then lower_8_ i else upper_8_ (i - 80)))
+val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure (t_Array u8 (sz 20))
+ (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0)
+ (ensures
+ fun r ->
+ let r:t_Array u8 (sz 20) = r in
+ forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10))
+
+val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
+ : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+
+val deserialize_11_ (bytes: t_Slice u8)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
+
val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure
(Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128)
@@ -146,14 +173,6 @@ val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_V
forall (i: nat{i < 192}).
vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96)))
-val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure (t_Array u8 (sz 20))
- (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0)
- (ensures
- fun r ->
- let r:t_Array u8 (sz 20) = r in
- forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10))
-
val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
: Prims.Pure (t_Array u8 (sz 24))
(requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0)
@@ -162,18 +181,10 @@ val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
let r:t_Array u8 (sz 24) = r in
forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12))
-val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure (t_Array u8 (sz 8))
- (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0)
- (ensures
- fun r ->
- let r:t_Array u8 (sz 8) = r in
- forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4))
-
-include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128}
+val deserialize_5_ (bytes: t_Slice u8)
+ : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
+ (requires Seq.length bytes == 10)
+ (fun _ -> Prims.l_True)
val deserialize_10___deserialize_10_vec
(lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128)
@@ -232,14 +243,3 @@ val deserialize_12_ (bytes: t_Slice u8)
else
let j = (i / 16) * 12 + i % 16 in
bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j))
-
-val deserialize_5_ (bytes: t_Slice u8)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256
- (requires Seq.length bytes == 10)
- (fun _ -> Prims.l_True)
-
-val deserialize_11_ (bytes: t_Slice u8)
- : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256)
- : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
index f63bcef62..7decfe504 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst
@@ -9,50 +9,45 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-#push-options "--admit_smt_queries true"
-
-let deserialize_1_ (bytes: t_Slice u8) =
- { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector
-
-#pop-options
-
-#push-options "--admit_smt_queries true"
-
-let deserialize_4_ (bytes: t_Slice u8) =
- { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector
-
-#pop-options
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Clone.t_Clone t_SIMD256Vector
-#push-options "--admit_smt_queries true"
+let impl_1 = impl_1'
-let serialize_1_ (vector: t_SIMD256Vector) =
- Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_2': Core.Marker.t_Copy t_SIMD256Vector
-#pop-options
+let impl_2 = impl_2'
-let vec_from_i16_array (array: t_Slice i16) =
+let vec_zero (_: Prims.unit) =
let result:t_SIMD256Vector =
- { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector
+ { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
-let vec_zero (_: Prims.unit) =
+let vec_to_i16_array (v: t_SIMD256Vector) =
+ let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in
+ let output:t_Array i16 (sz 16) =
+ Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements
+ in
+ let result:t_Array i16 (sz 16) = output in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
+
+let vec_from_i16_array (array: t_Slice i16) =
let result:t_SIMD256Vector =
- { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector
+ { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector
in
let _:Prims.unit = admit () (* Panic freedom *) in
result
#push-options "--admit_smt_queries true"
-let compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) =
- {
- f_elements
- =
- Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS
- vector.f_elements
- }
+let cond_subtract_3329_ (vector: t_SIMD256Vector) =
+ { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements }
<:
t_SIMD256Vector
@@ -71,8 +66,13 @@ let compress_1_ (vector: t_SIMD256Vector) =
#push-options "--admit_smt_queries true"
-let cond_subtract_3329_ (vector: t_SIMD256Vector) =
- { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements }
+let compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) =
+ {
+ f_elements
+ =
+ Libcrux_ml_kem.Vector.Avx2.Compress.compress_ciphertext_coefficient v_COEFFICIENT_BITS
+ vector.f_elements
+ }
<:
t_SIMD256Vector
@@ -80,11 +80,11 @@ let cond_subtract_3329_ (vector: t_SIMD256Vector) =
#push-options "--admit_smt_queries true"
-let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
{
f_elements
=
- Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
+ Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
}
<:
t_SIMD256Vector
@@ -93,8 +93,8 @@ let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16
#push-options "--admit_smt_queries true"
-let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
- { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1 }
+let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
+ { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 }
<:
t_SIMD256Vector
@@ -102,8 +102,8 @@ let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
#push-options "--admit_smt_queries true"
-let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
- { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta }
+let ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
+ { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta }
<:
t_SIMD256Vector
@@ -111,11 +111,11 @@ let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
#push-options "--admit_smt_queries true"
-let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
+let inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
{
f_elements
=
- Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
+ Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_1_step vector.f_elements zeta0 zeta1 zeta2 zeta3
}
<:
t_SIMD256Vector
@@ -124,8 +124,8 @@ let ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
#push-options "--admit_smt_queries true"
-let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
- { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 }
+let inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
+ { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_2_step vector.f_elements zeta0 zeta1 }
<:
t_SIMD256Vector
@@ -133,8 +133,8 @@ let ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16) =
#push-options "--admit_smt_queries true"
-let ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
- { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta }
+let inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16) =
+ { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta }
<:
t_SIMD256Vector
@@ -158,57 +158,40 @@ let ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16) =
#pop-options
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl_1': Core.Clone.t_Clone t_SIMD256Vector
-
-let impl_1 = impl_1'
+#push-options "--admit_smt_queries true"
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl_2': Core.Marker.t_Copy t_SIMD256Vector
+let serialize_1_ (vector: t_SIMD256Vector) =
+ Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements
-let impl_2 = impl_2'
+#pop-options
#push-options "--admit_smt_queries true"
-let serialize_10_ (vector: t_SIMD256Vector) =
- Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements
+let deserialize_1_ (bytes: t_Slice u8) =
+ { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector
#pop-options
#push-options "--admit_smt_queries true"
-let serialize_12_ (vector: t_SIMD256Vector) =
- Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements
+let serialize_4_ (vector: t_SIMD256Vector) =
+ Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements
#pop-options
#push-options "--admit_smt_queries true"
-let serialize_4_ (vector: t_SIMD256Vector) =
- Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements
+let deserialize_4_ (bytes: t_Slice u8) =
+ { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_4_ bytes } <: t_SIMD256Vector
#pop-options
-let vec_to_i16_array (v: t_SIMD256Vector) =
- let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in
- let output:t_Array i16 (sz 16) =
- Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements
- in
- let result:t_Array i16 (sz 16) = output in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
+#push-options "--admit_smt_queries true"
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector =
- {
- _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve;
- _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve;
- f_repr_pre = (fun (x: t_SIMD256Vector) -> true);
- f_repr_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true);
- f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x
- }
+let serialize_10_ (vector: t_SIMD256Vector) =
+ Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements
+
+#pop-options
#push-options "--admit_smt_queries true"
@@ -219,11 +202,28 @@ let deserialize_10_ (bytes: t_Slice u8) =
#push-options "--admit_smt_queries true"
+let serialize_12_ (vector: t_SIMD256Vector) =
+ Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements
+
+#pop-options
+
+#push-options "--admit_smt_queries true"
+
let deserialize_12_ (bytes: t_Slice u8) =
{ f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes } <: t_SIMD256Vector
#pop-options
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector =
+ {
+ _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve;
+ _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve;
+ f_repr_pre = (fun (x: t_SIMD256Vector) -> true);
+ f_repr_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true);
+ f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x
+ }
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector =
{
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
index 3ba81f3eb..c2121ea74 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti
@@ -15,60 +15,44 @@ type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 }
let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements
-val deserialize_1_ (bytes: t_Slice u8)
- : Prims.Pure t_SIMD256Vector
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2)
- (ensures
- fun out ->
- let out:t_SIMD256Vector = out in
- sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (repr out))
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Clone.t_Clone t_SIMD256Vector
-val deserialize_4_ (bytes: t_Slice u8)
- : Prims.Pure t_SIMD256Vector
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8)
- (ensures
- fun out ->
- let out:t_SIMD256Vector = out in
- sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (repr out))
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_2:Core.Marker.t_Copy t_SIMD256Vector
-val serialize_1_ (vector: t_SIMD256Vector)
- : Prims.Pure (t_Array u8 (sz 2))
- (requires Spec.MLKEM.serialize_pre 1 (repr vector))
+val vec_zero: Prims.unit
+ -> Prims.Pure t_SIMD256Vector
+ Prims.l_True
(ensures
- fun out ->
- let out:t_Array u8 (sz 2) = out in
- Spec.MLKEM.serialize_pre 1 (repr vector) ==> Spec.MLKEM.serialize_post 1 (repr vector) out
- )
+ fun result ->
+ let result:t_SIMD256Vector = result in
+ repr result == Seq.create 16 0s)
-val vec_from_i16_array (array: t_Slice i16)
- : Prims.Pure t_SIMD256Vector
+val vec_to_i16_array (v: t_SIMD256Vector)
+ : Prims.Pure (t_Array i16 (sz 16))
Prims.l_True
(ensures
fun result ->
- let result:t_SIMD256Vector = result in
- repr result == array)
+ let result:t_Array i16 (sz 16) = result in
+ result == repr v)
-val vec_zero: Prims.unit
- -> Prims.Pure t_SIMD256Vector
+val vec_from_i16_array (array: t_Slice i16)
+ : Prims.Pure t_SIMD256Vector
Prims.l_True
(ensures
fun result ->
let result:t_SIMD256Vector = result in
- repr result == Seq.create 16 0s)
+ repr result == array)
-val compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector)
+val cond_subtract_3329_ (vector: t_SIMD256Vector)
: Prims.Pure t_SIMD256Vector
- (requires
- (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
- v v_COEFFICIENT_BITS == 11) /\
- (forall (i: nat).
- i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329))
+ (requires Spec.Utils.is_i16b_array (pow2 12 - 1) (repr vector))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
- v v_COEFFICIENT_BITS == 11) ==>
- (forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) (v v_COEFFICIENT_BITS)))
+ repr out ==
+ Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr vector))
val compress_1_ (vector: t_SIMD256Vector)
: Prims.Pure t_SIMD256Vector
@@ -80,73 +64,78 @@ val compress_1_ (vector: t_SIMD256Vector)
let out:t_SIMD256Vector = out in
forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) 1)
-val cond_subtract_3329_ (vector: t_SIMD256Vector)
+val compress (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector)
: Prims.Pure t_SIMD256Vector
- (requires Spec.Utils.is_i16b_array (pow2 12 - 1) (repr vector))
+ (requires
+ (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+ v v_COEFFICIENT_BITS == 11) /\
+ (forall (i: nat).
+ i < 16 ==> v (Seq.index (repr vector) i) >= 0 /\ v (Seq.index (repr vector) i) < 3329))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- repr out ==
- Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (repr vector))
+ (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/
+ v v_COEFFICIENT_BITS == 11) ==>
+ (forall (i: nat). i < 16 ==> bounded (Seq.index (repr out) i) (v v_COEFFICIENT_BITS)))
-val inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+val ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
: Prims.Pure t_SIMD256Vector
(requires
Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
- Spec.Utils.is_i16b_array (4 * 3328) (repr vector))
+ Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr vector))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- Spec.Utils.is_i16b_array 3328 (repr out))
+ Spec.Utils.is_i16b_array (11207 + 6 * 3328) (repr out))
-val inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
+val ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
: Prims.Pure t_SIMD256Vector
(requires
Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
- Spec.Utils.is_i16b_array 3328 (repr vector))
+ Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr vector))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- Spec.Utils.is_i16b_array 3328 (repr out))
+ Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr out))
-val inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
+val ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
: Prims.Pure t_SIMD256Vector
- (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (repr vector))
+ (requires
+ Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (repr vector))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- Spec.Utils.is_i16b_array 3328 (repr out))
+ Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr out))
-val ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
+val inv_ntt_layer_1_step (vector: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
: Prims.Pure t_SIMD256Vector
(requires
Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
- Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr vector))
+ Spec.Utils.is_i16b_array (4 * 3328) (repr vector))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- Spec.Utils.is_i16b_array (11207 + 6 * 3328) (repr out))
+ Spec.Utils.is_i16b_array 3328 (repr out))
-val ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
+val inv_ntt_layer_2_step (vector: t_SIMD256Vector) (zeta0 zeta1: i16)
: Prims.Pure t_SIMD256Vector
(requires
Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
- Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr vector))
+ Spec.Utils.is_i16b_array 3328 (repr vector))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- Spec.Utils.is_i16b_array (11207 + 5 * 3328) (repr out))
+ Spec.Utils.is_i16b_array 3328 (repr out))
-val ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
+val inv_ntt_layer_3_step (vector: t_SIMD256Vector) (zeta: i16)
: Prims.Pure t_SIMD256Vector
- (requires
- Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (repr vector))
+ (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (repr vector))
(ensures
fun out ->
let out:t_SIMD256Vector = out in
- Spec.Utils.is_i16b_array (11207 + 4 * 3328) (repr out))
+ Spec.Utils.is_i16b_array 3328 (repr out))
val ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
: Prims.Pure t_SIMD256Vector
@@ -159,29 +148,22 @@ val ntt_multiply (lhs rhs: t_SIMD256Vector) (zeta0 zeta1 zeta2 zeta3: i16)
let out:t_SIMD256Vector = out in
Spec.Utils.is_i16b_array 3328 (repr out))
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Core.Clone.t_Clone t_SIMD256Vector
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_2:Core.Marker.t_Copy t_SIMD256Vector
-
-val serialize_10_ (vector: t_SIMD256Vector)
- : Prims.Pure (t_Array u8 (sz 20))
- (requires Spec.MLKEM.serialize_pre 10 (repr vector))
+val serialize_1_ (vector: t_SIMD256Vector)
+ : Prims.Pure (t_Array u8 (sz 2))
+ (requires Spec.MLKEM.serialize_pre 1 (repr vector))
(ensures
fun out ->
- let out:t_Array u8 (sz 20) = out in
- Spec.MLKEM.serialize_pre 10 (repr vector) ==>
- Spec.MLKEM.serialize_post 10 (repr vector) out)
+ let out:t_Array u8 (sz 2) = out in
+ Spec.MLKEM.serialize_pre 1 (repr vector) ==> Spec.MLKEM.serialize_post 1 (repr vector) out
+ )
-val serialize_12_ (vector: t_SIMD256Vector)
- : Prims.Pure (t_Array u8 (sz 24))
- (requires Spec.MLKEM.serialize_pre 12 (repr vector))
+val deserialize_1_ (bytes: t_Slice u8)
+ : Prims.Pure t_SIMD256Vector
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2)
(ensures
fun out ->
- let out:t_Array u8 (sz 24) = out in
- Spec.MLKEM.serialize_pre 12 (repr vector) ==>
- Spec.MLKEM.serialize_post 12 (repr vector) out)
+ let out:t_SIMD256Vector = out in
+ sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (repr out))
val serialize_4_ (vector: t_SIMD256Vector)
: Prims.Pure (t_Array u8 (sz 8))
@@ -192,16 +174,22 @@ val serialize_4_ (vector: t_SIMD256Vector)
Spec.MLKEM.serialize_pre 4 (repr vector) ==> Spec.MLKEM.serialize_post 4 (repr vector) out
)
-val vec_to_i16_array (v: t_SIMD256Vector)
- : Prims.Pure (t_Array i16 (sz 16))
- Prims.l_True
+val deserialize_4_ (bytes: t_Slice u8)
+ : Prims.Pure t_SIMD256Vector
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8)
(ensures
- fun result ->
- let result:t_Array i16 (sz 16) = result in
- result == repr v)
+ fun out ->
+ let out:t_SIMD256Vector = out in
+ sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (repr out))
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector
+val serialize_10_ (vector: t_SIMD256Vector)
+ : Prims.Pure (t_Array u8 (sz 20))
+ (requires Spec.MLKEM.serialize_pre 10 (repr vector))
+ (ensures
+ fun out ->
+ let out:t_Array u8 (sz 20) = out in
+ Spec.MLKEM.serialize_pre 10 (repr vector) ==>
+ Spec.MLKEM.serialize_post 10 (repr vector) out)
val deserialize_10_ (bytes: t_Slice u8)
: Prims.Pure t_SIMD256Vector
@@ -211,6 +199,15 @@ val deserialize_10_ (bytes: t_Slice u8)
let out:t_SIMD256Vector = out in
sz (Seq.length bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 bytes (repr out))
+val serialize_12_ (vector: t_SIMD256Vector)
+ : Prims.Pure (t_Array u8 (sz 24))
+ (requires Spec.MLKEM.serialize_pre 12 (repr vector))
+ (ensures
+ fun out ->
+ let out:t_Array u8 (sz 24) = out in
+ Spec.MLKEM.serialize_pre 12 (repr vector) ==>
+ Spec.MLKEM.serialize_post 12 (repr vector) out)
+
val deserialize_12_ (bytes: t_Slice u8)
: Prims.Pure t_SIMD256Vector
(requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24)
@@ -219,5 +216,8 @@ val deserialize_12_ (bytes: t_Slice u8)
let out:t_SIMD256Vector = out in
sz (Seq.length bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 bytes (repr out))
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl_3:Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
index 1139236f7..4709c35c0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
@@ -29,54 +29,40 @@ let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
in
lhs
-let bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) =
- let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 c in
- let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+let sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+ let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
- v with
+ lhs with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
=
- Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
}
<:
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
in
- let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
- v with
+ lhs with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
=
- Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- c
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs
+ .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
}
<:
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
in
- v
+ lhs
-let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
- let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 3329s in
- let m0:u8 =
- Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c
- in
- let m1:u8 =
- Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c
- in
- let c0:u8 =
- Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c
- (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m0 <: u8)
- in
- let c1:u8 =
- Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c
- (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m1 <: u8)
- in
+let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) =
let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
v with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
=
- Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
- c0
+ Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ c
}
<:
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
@@ -86,22 +72,23 @@ let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vect
v with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
=
- Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- c1
+ Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v
+ .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ c
}
<:
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
in
v
-let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) =
+let bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) =
+ let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 c in
let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
v with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
=
- Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
- c
+ Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c
}
<:
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
@@ -111,8 +98,7 @@ let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vec
v with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
=
- Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v
- .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ Libcrux_intrinsics.Arm64_extract.v__vandq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
c
}
<:
@@ -145,31 +131,45 @@ let shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_S
in
v
-let sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
- let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+ let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 3329s in
+ let m0:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c
+ in
+ let m1:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vcgeq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c
+ in
+ let c0:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c
+ (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m0 <: u8)
+ in
+ let c1:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vandq_s16 c
+ (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 m1 <: u8)
+ in
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
- lhs with
+ v with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
=
- Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
- rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ c0
}
<:
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
in
- let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
- lhs with
+ v with
Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
=
- Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 lhs
- .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- rhs.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ c1
}
<:
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
in
- lhs
+ v
let barrett_reduce_int16x8_t (v: u8) =
let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in
@@ -230,6 +230,14 @@ let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) =
in
montgomery_reduce_int16x8_t vv_low vv_high
+let montgomery_multiply_int16x8_t (v c: u8) =
+ let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in
+ let vv_high:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
+ (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8)
+ in
+ montgomery_reduce_int16x8_t vv_low vv_high
+
let montgomery_multiply_by_constant
(v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
(c: i16)
@@ -255,11 +263,3 @@ let montgomery_multiply_by_constant
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
in
v
-
-let montgomery_multiply_int16x8_t (v c: u8) =
- let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in
- let vv_high:u8 =
- Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l
- (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8)
- in
- montgomery_reduce_int16x8_t vv_low vv_high
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti
index 91b5164fe..3ee9e6fb1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti
@@ -3,24 +3,22 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic
open Core
open FStar.Mul
-let v_BARRETT_MULTIPLIER: i16 = 20159s
-
val add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
+val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
+val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
@@ -30,11 +28,13 @@ val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_S
Prims.l_True
(fun _ -> Prims.l_True)
-val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
+let v_BARRETT_MULTIPLIER: i16 = 20159s
+
val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
@@ -47,11 +47,11 @@ val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun
val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16)
: Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
+
val montgomery_multiply_by_constant
(v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
(c: i16)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-
-val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst
index 797444743..b855cdcd5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst
@@ -3,6 +3,69 @@ module Libcrux_ml_kem.Vector.Neon.Compress
open Core
open FStar.Mul
+let compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+ let half:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1664s in
+ let quarter:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 832s in
+ let shifted:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 half
+ v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ in
+ let mask:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 15l shifted in
+ let shifted_to_positive:u8 = Libcrux_intrinsics.Arm64_extract.v__veorq_s16 mask shifted in
+ let shifted_positive_in_range:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 shifted_to_positive quarter
+ in
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ {
+ v with
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vshrq_n_u16
+ 15l
+ (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 shifted_positive_in_range
+ <:
+ u8)
+ <:
+ u8)
+ }
+ <:
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ in
+ let shifted:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 half
+ v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ in
+ let mask:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 15l shifted in
+ let shifted_to_positive:u8 = Libcrux_intrinsics.Arm64_extract.v__veorq_s16 mask shifted in
+ let shifted_positive_in_range:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 shifted_to_positive quarter
+ in
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ {
+ v with
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vshrq_n_u16
+ 15l
+ (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 shifted_positive_in_range
+ <:
+ u8)
+ <:
+ u8)
+ }
+ <:
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ in
+ v
+
+let mask_n_least_significant_bits (coefficient_bits: i16) =
+ match coefficient_bits <: i16 with
+ | 4s -> 15s
+ | 5s -> 31s
+ | 10s -> 1023s
+ | 11s -> 2047s
+ | x -> (1s < 15s
- | 5s -> 31s
- | 10s -> 1023s
- | 11s -> 2047s
- | x -> (1s < Prims.l_True)
+val compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ Prims.l_True
+ (fun _ -> Prims.l_True)
val mask_n_least_significant_bits (coefficient_bits: i16)
: Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True)
-val compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- Prims.l_True
- (fun _ -> Prims.l_True)
+val compress_int32x4_t (v_COEFFICIENT_BITS: i32) (v: u8)
+ : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-val compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+val compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst
index 36abe54f2..a370847c6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst
@@ -3,65 +3,7 @@ module Libcrux_ml_kem.Vector.Neon.Ntt
open Core
open FStar.Mul
-let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
- let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
- let b_minus_a:u8 =
- Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
- in
- let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- {
- v with
- Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
- =
- Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
- v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- }
- <:
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- in
- let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- {
- v with
- Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- =
- Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta
- }
- <:
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- in
- v
-
-let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
- let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
- let t:u8 =
- Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v
- .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- zeta
- in
- let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- {
- v with
- Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
- =
- Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
- }
- <:
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- in
- let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- {
- v with
- Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
- =
- Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
- }
- <:
- Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- in
- v
-
-let inv_ntt_layer_1_step
+let ntt_layer_1_step
(v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
(zeta1 zeta2 zeta3 zeta4: i16)
=
@@ -71,7 +13,7 @@ let inv_ntt_layer_1_step
Rust_primitives.Hax.array_of_list 8 list
in
let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in
- let a:u8 =
+ let dup_a:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s32
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -84,7 +26,7 @@ let inv_ntt_layer_1_step
<:
u8)
in
- let b:u8 =
+ let dup_b:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s32
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -97,10 +39,9 @@ let inv_ntt_layer_1_step
<:
u8)
in
- let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in
- let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in
- let a:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.barrett_reduce_int16x8_t a in
- let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in
+ let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in
+ let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in
+ let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in
let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
v with
@@ -131,17 +72,14 @@ let inv_ntt_layer_1_step
in
v
-let inv_ntt_layer_2_step
- (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (zeta1 zeta2: i16)
- =
+let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16) =
let zetas:t_Array i16 (sz 8) =
let list = [zeta1; zeta1; zeta1; zeta1; zeta2; zeta2; zeta2; zeta2] in
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
Rust_primitives.Hax.array_of_list 8 list
in
let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in
- let a:u8 =
+ let dup_a:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s64
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -154,7 +92,7 @@ let inv_ntt_layer_2_step
<:
u8)
in
- let b:u8 =
+ let dup_b:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s64
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -167,9 +105,9 @@ let inv_ntt_layer_2_step
<:
u8)
in
- let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in
- let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in
- let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in
+ let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in
+ let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in
+ let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in
let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
v with
@@ -200,7 +138,36 @@ let inv_ntt_layer_2_step
in
v
-let ntt_layer_1_step
+let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
+ let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
+ let t:u8 =
+ Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v
+ .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ zeta
+ in
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ {
+ v with
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
+ }
+ <:
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ in
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ {
+ v with
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t
+ }
+ <:
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ in
+ v
+
+let inv_ntt_layer_1_step
(v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
(zeta1 zeta2 zeta3 zeta4: i16)
=
@@ -210,7 +177,7 @@ let ntt_layer_1_step
Rust_primitives.Hax.array_of_list 8 list
in
let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in
- let dup_a:u8 =
+ let a:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s32
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -223,7 +190,7 @@ let ntt_layer_1_step
<:
u8)
in
- let dup_b:u8 =
+ let b:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s32 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s32
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -236,9 +203,10 @@ let ntt_layer_1_step
<:
u8)
in
- let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in
- let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in
- let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in
+ let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in
+ let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in
+ let a:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.barrett_reduce_int16x8_t a in
+ let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in
let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
v with
@@ -269,14 +237,17 @@ let ntt_layer_1_step
in
v
-let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16) =
+let inv_ntt_layer_2_step
+ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (zeta1 zeta2: i16)
+ =
let zetas:t_Array i16 (sz 8) =
let list = [zeta1; zeta1; zeta1; zeta1; zeta2; zeta2; zeta2; zeta2] in
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
Rust_primitives.Hax.array_of_list 8 list
in
let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (zetas <: t_Slice i16) in
- let dup_a:u8 =
+ let a:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s64
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -289,7 +260,7 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
<:
u8)
in
- let dup_b:u8 =
+ let b:u8 =
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_s64 (Libcrux_intrinsics.Arm64_extract.v__vtrn2q_s64
(Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s64_s16 v
.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
@@ -302,9 +273,9 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
<:
u8)
in
- let t:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t dup_b zeta in
- let b:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 dup_a t in
- let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 dup_a t in
+ let b_minus_a:u8 = Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 b a in
+ let a:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 a b in
+ let b:u8 = Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta in
let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
{
v with
@@ -335,6 +306,35 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
in
v
+let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) =
+ let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in
+ let b_minus_a:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ in
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ {
+ v with
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ }
+ <:
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ in
+ let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ {
+ v with
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ =
+ Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta
+ }
+ <:
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ in
+ v
+
let ntt_multiply
(lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
(zeta1 zeta2 zeta3 zeta4: i16)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti
index 8beabc8b6..8c5dcd75b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti
@@ -3,7 +3,14 @@ module Libcrux_ml_kem.Vector.Neon.Ntt
open Core
open FStar.Mul
-val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16)
+val ntt_layer_1_step
+ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (zeta1 zeta2 zeta3 zeta4: i16)
+ : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+val ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
@@ -27,14 +34,7 @@ val inv_ntt_layer_2_step
Prims.l_True
(fun _ -> Prims.l_True)
-val ntt_layer_1_step
- (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- (zeta1 zeta2 zeta3 zeta4: i16)
- : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2: i16)
+val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst
index 2bda9f7e7..daa2708e2 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst
@@ -10,6 +10,200 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+ let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
+ let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
+ Rust_primitives.Hax.array_of_list 8 list
+ in
+ let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in
+ let low:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ shift
+ in
+ let high:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ shift
+ in
+ let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in
+ let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in
+ let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2);
+ Rust_primitives.Hax.array_of_list 2 list
+
+let deserialize_1_ (a: t_Slice u8) =
+ let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in
+ let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in
+ let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in
+ let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
+ let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
+ Rust_primitives.Hax.array_of_list 8 list
+ in
+ let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in
+ let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in
+ let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in
+ {
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one;
+ Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one
+ }
+ <:
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+
+let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+ let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) =
+ let list = [0s; 4s; 8s; 12s; 0s; 4s; 8s; 12s] in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8);
+ Rust_primitives.Hax.array_of_list 8 list
+ in
+ let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in
+ let lowt:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16
+ v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low
+ <:
+ u8)
+ shift
+ in
+ let hight:u8 =
+ Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16
+ v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high
+ <:
+ u8)
+ shift
+ in
+ let sum0:u64 =
+ cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_low_u16
+ lowt
+ <:
+ u8)
+ <:
+ u16)
+ <:
+ u64
+ in
+ let sum1:u64 =
+ cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_high_u16
+ lowt
+ <:
+ u8)
+ <:
+ u16)
+ <:
+ u64
+ in
+ let sum2:u64 =
+ cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_low_u16
+ hight
+ <:
+ u8)
+ <:
+ u16)
+ <:
+ u64
+ in
+ let sum3:u64 =
+ cast (Libcrux_intrinsics.Arm64_extract.v__vaddv_u16 (Libcrux_intrinsics.Arm64_extract.v__vget_high_u16
+ hight
+ <:
+ u8)
+ <:
+ u16)
+ <:
+ u64
+ in
+ let sum:u64 =
+ ((sum0 |. (sum1 < Prims.l_True)
-
-val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
val deserialize_1_ (a: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val deserialize_12_ (v: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
- Prims.l_True
- (fun _ -> Prims.l_True)
-
-val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
-
val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
: Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
-val deserialize_10_ (v: t_Slice u8)
+val deserialize_4_ (v: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val deserialize_11_ (v: t_Slice u8)
+val serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+
+val deserialize_5_ (v: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val deserialize_4_ (v: t_Slice u8)
+val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
+
+val deserialize_10_ (v: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val deserialize_5_ (v: t_Slice u8)
+val serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+
+val deserialize_11_ (v: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
Prims.l_True
(fun _ -> Prims.l_True)
-val serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
-val serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
- : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_12_ (v: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst
index 761d0a4b3..0905daec0 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst
@@ -5,48 +5,6 @@ open FStar.Mul
let repr (x:t_SIMD128Vector) = admit()
-let v_ZERO (_: Prims.unit) =
- let result:t_SIMD128Vector =
- {
- f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s;
- f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s
- }
- <:
- t_SIMD128Vector
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
-
-let from_i16_array (array: t_Slice i16) =
- let result:t_SIMD128Vector =
- {
- f_low
- =
- Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = sz 8
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice i16);
- f_high
- =
- Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
- Core.Ops.Range.f_start = sz 8;
- Core.Ops.Range.f_end = sz 16
- }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice i16)
- }
- <:
- t_SIMD128Vector
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
assume
val impl': Core.Clone.t_Clone t_SIMD128Vector
@@ -98,3 +56,45 @@ let to_i16_array (v: t_SIMD128Vector) =
let result:t_Array i16 (sz 16) = out in
let _:Prims.unit = admit () (* Panic freedom *) in
result
+
+let from_i16_array (array: t_Slice i16) =
+ let result:t_SIMD128Vector =
+ {
+ f_low
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = sz 8
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice i16);
+ f_high
+ =
+ Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ {
+ Core.Ops.Range.f_start = sz 8;
+ Core.Ops.Range.f_end = sz 16
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice i16)
+ }
+ <:
+ t_SIMD128Vector
+ in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
+
+let v_ZERO (_: Prims.unit) =
+ let result:t_SIMD128Vector =
+ {
+ f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s;
+ f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s
+ }
+ <:
+ t_SIMD128Vector
+ in
+ let _:Prims.unit = admit () (* Panic freedom *) in
+ result
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti
index ce6c9b299..10b61f8a1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti
@@ -10,13 +10,19 @@ type t_SIMD128Vector = {
val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16)
-val v_ZERO: Prims.unit
- -> Prims.Pure t_SIMD128Vector
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_SIMD128Vector
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_SIMD128Vector
+
+val to_i16_array (v: t_SIMD128Vector)
+ : Prims.Pure (t_Array i16 (sz 16))
Prims.l_True
(ensures
fun result ->
- let result:t_SIMD128Vector = result in
- repr result == Seq.create 16 0s)
+ let result:t_Array i16 (sz 16) = result in
+ result == repr v)
val from_i16_array (array: t_Slice i16)
: Prims.Pure t_SIMD128Vector
@@ -26,16 +32,10 @@ val from_i16_array (array: t_Slice i16)
let result:t_SIMD128Vector = result in
repr result == array)
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Core.Clone.t_Clone t_SIMD128Vector
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Core.Marker.t_Copy t_SIMD128Vector
-
-val to_i16_array (v: t_SIMD128Vector)
- : Prims.Pure (t_Array i16 (sz 16))
+val v_ZERO: Prims.unit
+ -> Prims.Pure t_SIMD128Vector
Prims.l_True
(ensures
fun result ->
- let result:t_Array i16 (sz 16) = result in
- result == repr v)
+ let result:t_SIMD128Vector = result in
+ repr result == Seq.create 16 0s)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst
index 0c4739a48..4c636e2e5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst
@@ -10,6 +10,22 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
+ {
+ _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve;
+ _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve;
+ f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
+ f_repr_post
+ =
+ (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) ->
+ true);
+ f_repr
+ =
+ fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
+ Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x
+ }
+
let rej_sample (a: t_Slice u8) (result: t_Slice i16) =
let sampled:usize = sz 0 in
let result, sampled:(t_Slice i16 & usize) =
@@ -48,22 +64,6 @@ let rej_sample (a: t_Slice u8) (result: t_Slice i16) =
let hax_temp_output:usize = sampled in
result, hax_temp_output <: (t_Slice i16 & usize)
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
- {
- _super_13011033735201511749 = FStar.Tactics.Typeclasses.solve;
- _super_9529721400157967266 = FStar.Tactics.Typeclasses.solve;
- f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true);
- f_repr_post
- =
- (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) ->
- true);
- f_repr
- =
- fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) ->
- Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x
- }
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector =
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti
index a9ba571dd..3d016d0e6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti
@@ -10,12 +10,12 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-val rej_sample (a: t_Slice u8) (result: t_Slice i16)
- : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True)
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl:Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+val rej_sample (a: t_Slice u8) (result: t_Slice i16)
+ : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True)
+
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl_1:Libcrux_ml_kem.Vector.Traits.t_Operations
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
index 46f0a37be..a0f65afc1 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst
@@ -28,148 +28,6 @@ let get_n_least_significant_bits (n: u8) (value: u32) =
#pop-options
-#push-options "--z3rlimit 150 --ext context_pruning"
-
-let barrett_reduce_element (value: i16) =
- let t:i32 =
- ((Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) *!
- v_BARRETT_MULTIPLIER
- <:
- i32) +!
- (Libcrux_ml_kem.Vector.Traits.v_BARRETT_R >>! 1l <: i32)
- in
- let _:Prims.unit =
- assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2 * 3329));
- assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)
- in
- let _:Prims.unit = assert (v t / pow2 26 < 9) in
- let _:Prims.unit = assert (v t / pow2 26 > - 9) in
- let quotient:i16 = cast (t >>! Libcrux_ml_kem.Vector.Traits.v_BARRETT_SHIFT <: i32) <: i16 in
- let _:Prims.unit = assert (v quotient = v t / pow2 26) in
- let _:Prims.unit = assert (Spec.Utils.is_i16b 9 quotient) in
- let result:i16 = value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) in
- let _:Prims.unit =
- calc ( == ) {
- v result % 3329;
- ( == ) { () }
- (v value - (v quotient * 3329)) % 3329;
- ( == ) { Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329 }
- (v value - (v quotient * 3329) % 3329) % 3329;
- ( == ) { Math.Lemmas.cancel_mul_mod (v quotient) 3329 }
- (v value - 0) % 3329;
- ( == ) { () }
- (v value) % 3329;
- }
- in
- result
-
-#pop-options
-
-#push-options "--z3rlimit 500 --split_queries always"
-
-let montgomery_reduce_element (value: i32) =
- let _:i32 = v_MONTGOMERY_R in
- let k:i32 =
- (cast (cast (value <: i32) <: i16) <: i32) *!
- (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32)
- in
- let _:Prims.unit =
- assert (v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16);
- assert (v k == (v value @% pow2 16) * 62209);
- assert (v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16);
- assert (v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15);
- assert (v (cast (cast (k <: i32) <: i16) <: i32) >= - pow2 15);
- assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)
- in
- let k_times_modulus:i32 =
- (cast (cast (k <: i32) <: i16) <: i32) *!
- (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32)
- in
- let _:Prims.unit =
- Spec.Utils.lemma_mul_i16b (pow2 15)
- (3329)
- (cast (k <: i32) <: i16)
- Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS;
- assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)
- in
- let c:i16 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in
- let _:Prims.unit =
- assert (v k_times_modulus < pow2 31);
- assert (v k_times_modulus / pow2 16 < pow2 15);
- assert (v c == (v k_times_modulus / pow2 16) @% pow2 16);
- assert (v c == v k_times_modulus / pow2 16);
- assert (Spec.Utils.is_i16b 1665 c)
- in
- let value_high:i16 = cast (value >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in
- let _:Prims.unit =
- assert (v value < pow2 31);
- assert (v value / pow2 16 < pow2 15);
- assert (v value_high == (v value / pow2 16) @% pow2 16);
- Spec.Utils.lemma_div_at_percent (v value) (pow2 16);
- assert (v value_high == (v value / pow2 16));
- assert (Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high);
- assert (Spec.Utils.is_i16b 3328 value_high)
- in
- let res:i16 = value_high -! c in
- let _:Prims.unit = assert (Spec.Utils.is_i16b (3328 + 1665) res) in
- let _:Prims.unit =
- assert (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)
- in
- let _:Prims.unit =
- calc ( == ) {
- v k_times_modulus % pow2 16;
- ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
- ((v k @% pow2 16) * 3329) % pow2 16;
- ( == ) { assert (v k = (v value @% pow2 16) * 62209) }
- ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16;
- ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329)
- (pow2 16)
- 3329 }
- ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16;
- ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) }
- ((((v value @% pow2 16) * 62209) * 3329) % pow2 16);
- ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) }
- ((v value @% pow2 16) % pow2 16);
- ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 }
- (v value) % pow2 16;
- };
- Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus);
- assert ((v value - v k_times_modulus) % pow2 16 == 0)
- in
- let _:Prims.unit =
- calc ( == ) {
- v res % 3329;
- ( == ) { assert (v res == v value_high - v c) }
- (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329;
- ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) }
- ((v value - v k_times_modulus) / pow2 16) % 3329;
- ( == ) { assert ((pow2 16 * 169) % 3329 == 1) }
- (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329;
- ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16)
- (pow2 16 * 169)
- 3329 }
- (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329;
- ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) }
- ((v value - v k_times_modulus) * 169) % 3329;
- ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
- ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329;
- ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169) }
- (v value * 169) % 3329;
- }
- in
- res
-
-#pop-options
-
-#push-options "--z3rlimit 300"
-
-let montgomery_multiply_fe_by_fer (fe fer: i16) =
- let _:Prims.unit = Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer in
- let product:i32 = (cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) in
- montgomery_reduce_element product
-
-#pop-options
-
#push-options "--z3rlimit 150"
let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
@@ -216,9 +74,49 @@ let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
#pop-options
-#push-options "--z3rlimit 150"
+let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
+ let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ Rust_primitives.Hax.Folds.fold_range (sz 0)
+ Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
+ (fun lhs i ->
+ let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
+ let i:usize = i in
+ (forall j.
+ j < v i ==>
+ (Seq.index lhs.f_elements j) ==
+ (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\
+ (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j)))
+ lhs
+ (fun lhs i ->
+ let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
+ let i:usize = i in
+ let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ {
+ lhs with
+ Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
+ .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ i
+ ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -!
+ (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
+ <:
+ i16)
+ }
+ <:
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ in
+ lhs)
+ in
+ let _:Prims.unit =
+ assert (forall i.
+ v (Seq.index lhs.f_elements i) ==
+ v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i))
+ in
+ lhs
-let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) =
let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
Rust_primitives.Hax.Folds.fold_range (sz 0)
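Review bot: `sub` gives no hint of where the no-overflow obligation of the `-!` in its loop body (and in its invariant) is discharged; the i16 subtraction is checked, and the only thing that makes it verify is the `requires` in Arithmetic.fsti (`forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v lhs[i] - v rhs[i])`), which this .fst never mentions. Since the helpers used here (`Rust_primitives.Hax.Folds.fold_range`, `Monomorphized_update_at`) indicate the file is hax-extracted, the comment belongs on the Rust `sub` next to its requires attribute rather than in this file, where it would be lost on re-extraction: `// Caller guarantees lhs[i] - rhs[i] fits in i16 (see requires); the extracted `-!` is checked subtraction.` Worth noting too that `sub` ends up under the default z3 budget, whereas `add` just above sits under `#push-options "--z3rlimit 150"`; fine if it verifies, but it is an asymmetry a reader may trip over.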
@@ -227,23 +125,12 @@ let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVe
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let i:usize = i in
(forall j.
- j < v i ==>
- (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\
- v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329)
- )) /\
- (forall j.
- j >= v i ==>
- (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\
- Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j))))
+ j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\
+ (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j)))
vec
(fun vec i ->
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let i:usize = i in
- let vi:i16 =
- barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
- <:
- i16)
- in
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
{
vec with
@@ -252,24 +139,20 @@ let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVe
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
i
- vi
+ ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c
+ <:
+ i16)
}
<:
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
in
- let _:Prims.unit =
- assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1);
- assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j));
- assert (Spec.Utils.is_i16b 3328 vi);
- assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i)));
- assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))
- in
vec)
in
+ let _:Prims.unit =
+ assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c)
+ in
vec
-#pop-options
-
let bitwise_and_with_constant
(vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
(c: i16)
@@ -310,9 +193,7 @@ let bitwise_and_with_constant
in
vec
-#push-options "--z3rlimit 300"
-
-let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -322,19 +203,13 @@ let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Porta
let i:usize = i in
(forall j.
j < v i ==>
- Seq.index vec.f_elements j ==
- (let x = Seq.index v__vec0.f_elements j in
- if x >=. 3329s then x -! 3329s else x)) /\
+ Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\
(forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j))
vec
(fun vec i ->
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let i:usize = i in
- if
- (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s
- <:
- bool
- then
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
{
vec with
Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
@@ -342,30 +217,25 @@ let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Porta
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
i
- ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s
+ ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>!
+ v_SHIFT_BY
<:
i16)
- <:
- t_Array i16 (sz 16)
}
<:
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- else vec)
+ in
+ vec)
in
let _:Prims.unit =
Seq.lemma_eq_intro vec.f_elements
- (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements)
+ (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements)
in
vec
-#pop-options
-
-#push-options "--z3rlimit 150"
+#push-options "--z3rlimit 300"
-let montgomery_multiply_by_constant
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (c: i16)
- =
+let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
Rust_primitives.Hax.Folds.fold_range (sz 0)
@@ -375,54 +245,19 @@ let montgomery_multiply_by_constant
let i:usize = i in
(forall j.
j < v i ==>
- (let vecj = Seq.index vec.f_elements j in
- (Spec.Utils.is_i16b 3328 vecj /\
- v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\
- (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j)))
- vec
- (fun vec i ->
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
- let i:usize = i in
- {
- vec with
- Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
- .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- i
- (montgomery_multiply_fe_by_fer (vec
- .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
- <:
- i16)
- c
- <:
- i16)
- <:
- t_Array i16 (sz 16)
- }
- <:
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- in
- vec
-
-#pop-options
-
-let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) =
- let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- Rust_primitives.Hax.Folds.fold_range (sz 0)
- Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
- (fun vec i ->
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
- let i:usize = i in
- (forall j.
- j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\
- (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j)))
+ Seq.index vec.f_elements j ==
+ (let x = Seq.index v__vec0.f_elements j in
+ if x >=. 3329s then x -! 3329s else x)) /\
+ (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j))
vec
(fun vec i ->
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let i:usize = i in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ if
+ (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s
+ <:
+ bool
+ then
{
vec with
Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
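Review bot: The `if vec[i] >=. 3329s then ... -! 3329s else vec` in cond_subtract_3329_'s loop body is a branch on the coefficient's value, and the relation proved for it (`map_array (fun x -> if x >=. 3329s then x -! 3329s else x)`) is purely functional, so nothing in this proof says anything about timing. Whether these coefficients can depend on secret material is not visible from this hunk; if they can, the constant-time argument has to come from somewhere else and deserves a comment in the Rust source next to the branch saying where. A branch-free form that gives the same result wherever `x -! 3329s` does not underflow is the usual `let d = x -! 3329s in d +! (3329s &. (d >>! 15l))`, but adopting it means checking the `requires` in the .fsti (not in this hunk) against that underflow condition first. cond_subtract_3329_ begins and ends outside this hunk.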
@@ -430,21 +265,64 @@ let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Port
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
i
- ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c
+ ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s
<:
i16)
+ <:
+ t_Array i16 (sz 16)
}
<:
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- in
- vec)
+ else vec)
in
let _:Prims.unit =
- assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c)
+ Seq.lemma_eq_intro vec.f_elements
+ (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements)
in
vec
-let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+#pop-options
+
+#push-options "--z3rlimit 150 --ext context_pruning"
+
+let barrett_reduce_element (value: i16) =
+ let t:i32 =
+ ((Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) *!
+ v_BARRETT_MULTIPLIER
+ <:
+ i32) +!
+ (Libcrux_ml_kem.Vector.Traits.v_BARRETT_R >>! 1l <: i32)
+ in
+ let _:Prims.unit =
+ assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2 * 3329));
+ assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)
+ in
+ let _:Prims.unit = assert (v t / pow2 26 < 9) in
+ let _:Prims.unit = assert (v t / pow2 26 > - 9) in
+ let quotient:i16 = cast (t >>! Libcrux_ml_kem.Vector.Traits.v_BARRETT_SHIFT <: i32) <: i16 in
+ let _:Prims.unit = assert (v quotient = v t / pow2 26) in
+ let _:Prims.unit = assert (Spec.Utils.is_i16b 9 quotient) in
+ let result:i16 = value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) in
+ let _:Prims.unit =
+ calc ( == ) {
+ v result % 3329;
+ ( == ) { () }
+ (v value - (v quotient * 3329)) % 3329;
+ ( == ) { Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329 }
+ (v value - (v quotient * 3329) % 3329) % 3329;
+ ( == ) { Math.Lemmas.cancel_mul_mod (v quotient) 3329 }
+ (v value - 0) % 3329;
+ ( == ) { () }
+ (v value) % 3329;
+ }
+ in
+ result
+
+#pop-options
+
+#push-options "--z3rlimit 150"
+
+let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
Rust_primitives.Hax.Folds.fold_range (sz 0)
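Review bot: After this diff, barrett_reduce_element's `assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2 * 3329))` is the only place in view that records how 20159 is derived, because the Arithmetic.fsti hunk further down deletes `let v_BARRETT_MULTIPLIER: i32 = 20159l` together with its `/// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋` comment; the unqualified use here shows the constant still lives in this module, but whether the doc comment survived the move is outside this view. If it did not, please restore it at the new definition site, since that one line is what ties the literal to BARRETT_R = 2^26 and makes the `(pow2 27 + 3329) / (2 * 3329)` form readable.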
@@ -454,12 +332,22 @@ let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_ty
let i:usize = i in
(forall j.
j < v i ==>
- Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\
- (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j))
+ (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\
+ v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329)
+ )) /\
+ (forall j.
+ j >= v i ==>
+ (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\
+ Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j))))
vec
(fun vec i ->
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let i:usize = i in
+ let vi:i16 =
+ barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
+ <:
+ i16)
+ in
let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
{
vec with
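Review bot: The bound `Spec.Utils.is_i16b 28296` in barrett_reduce's invariant is a bare magic number with no explanation anywhere in view; by my arithmetic it is ⌊8.5 · 3329⌋ and is exactly the largest |x| for which barrett_reduce_element's `v t / pow2 26 < 9` and `> -9` assertions hold (28297 already gives quotient 9), which is the whole reason the inner proof goes through. That link should be written down where the invariant originates (the Rust hax annotation, since this file is extracted): `// 28296 = floor(8.5 * FIELD_MODULUS): largest |x| for which the Barrett quotient stays in (-9, 9)`. barrett_reduce starts and ends outside this hunk.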
@@ -468,60 +356,172 @@ let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_ty
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
i
- ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>!
- v_SHIFT_BY
- <:
- i16)
+ vi
}
<:
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
in
+ let _:Prims.unit =
+ assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1);
+ assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j));
+ assert (Spec.Utils.is_i16b 3328 vi);
+ assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i)));
+ assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))
+ in
vec)
in
+ vec
+
+#pop-options
+
+#push-options "--z3rlimit 500 --split_queries always"
+
+let montgomery_reduce_element (value: i32) =
+ let _:i32 = v_MONTGOMERY_R in
+ let k:i32 =
+ (cast (cast (value <: i32) <: i16) <: i32) *!
+ (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32)
+ in
let _:Prims.unit =
- Seq.lemma_eq_intro vec.f_elements
- (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements)
+ assert (v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16);
+ assert (v k == (v value @% pow2 16) * 62209);
+ assert (v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16);
+ assert (v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15);
+ assert (v (cast (cast (k <: i32) <: i16) <: i32) >= - pow2 15);
+ assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)
in
- vec
+ let k_times_modulus:i32 =
+ (cast (cast (k <: i32) <: i16) <: i32) *!
+ (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32)
+ in
+ let _:Prims.unit =
+ Spec.Utils.lemma_mul_i16b (pow2 15)
+ (3329)
+ (cast (k <: i32) <: i16)
+ Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS;
+ assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)
+ in
+ let c:i16 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in
+ let _:Prims.unit =
+ assert (v k_times_modulus < pow2 31);
+ assert (v k_times_modulus / pow2 16 < pow2 15);
+ assert (v c == (v k_times_modulus / pow2 16) @% pow2 16);
+ assert (v c == v k_times_modulus / pow2 16);
+ assert (Spec.Utils.is_i16b 1665 c)
+ in
+ let value_high:i16 = cast (value >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in
+ let _:Prims.unit =
+ assert (v value < pow2 31);
+ assert (v value / pow2 16 < pow2 15);
+ assert (v value_high == (v value / pow2 16) @% pow2 16);
+ Spec.Utils.lemma_div_at_percent (v value) (pow2 16);
+ assert (v value_high == (v value / pow2 16));
+ assert (Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high);
+ assert (Spec.Utils.is_i16b 3328 value_high)
+ in
+ let res:i16 = value_high -! c in
+ let _:Prims.unit = assert (Spec.Utils.is_i16b (3328 + 1665) res) in
+ let _:Prims.unit =
+ assert (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)
+ in
+ let _:Prims.unit =
+ calc ( == ) {
+ v k_times_modulus % pow2 16;
+ ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
+ ((v k @% pow2 16) * 3329) % pow2 16;
+ ( == ) { assert (v k = (v value @% pow2 16) * 62209) }
+ ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16;
+ ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329)
+ (pow2 16)
+ 3329 }
+ ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16;
+ ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) }
+ ((((v value @% pow2 16) * 62209) * 3329) % pow2 16);
+ ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) }
+ ((v value @% pow2 16) % pow2 16);
+ ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 }
+ (v value) % pow2 16;
+ };
+ Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus);
+ assert ((v value - v k_times_modulus) % pow2 16 == 0)
+ in
+ let _:Prims.unit =
+ calc ( == ) {
+ v res % 3329;
+ ( == ) { assert (v res == v value_high - v c) }
+ (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329;
+ ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) }
+ ((v value - v k_times_modulus) / pow2 16) % 3329;
+ ( == ) { assert ((pow2 16 * 169) % 3329 == 1) }
+ (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329;
+ ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16)
+ (pow2 16 * 169)
+ 3329 }
+ (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329;
+ ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) }
+ ((v value - v k_times_modulus) * 169) % 3329;
+ ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) }
+ ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329;
+ ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169) }
+ (v value * 169) % 3329;
+ }
+ in
+ res
-let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
- let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
- let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+#pop-options
+
+#push-options "--z3rlimit 300"
+
+let montgomery_multiply_fe_by_fer (fe fer: i16) =
+ let _:Prims.unit = Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer in
+ let product:i32 = (cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) in
+ montgomery_reduce_element product
+
+#pop-options
+
+#push-options "--z3rlimit 150"
+
+let montgomery_multiply_by_constant
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (c: i16)
+ =
+ let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
Rust_primitives.Hax.Folds.fold_range (sz 0)
Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR
- (fun lhs i ->
- let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
+ (fun vec i ->
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let i:usize = i in
(forall j.
j < v i ==>
- (Seq.index lhs.f_elements j) ==
- (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\
- (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j)))
- lhs
- (fun lhs i ->
- let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in
+ (let vecj = Seq.index vec.f_elements j in
+ (Spec.Utils.is_i16b 3328 vecj /\
+ v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\
+ (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j)))
+ vec
+ (fun vec i ->
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in
let i:usize = i in
- let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- {
- lhs with
- Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs
- .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- i
- ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -!
- (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
- <:
- i16)
- }
+ {
+ vec with
+ Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
+ .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ i
+ (montgomery_multiply_fe_by_fer (vec
+ .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
+ <:
+ i16)
+ c
+ <:
+ i16)
<:
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- in
- lhs)
- in
- let _:Prims.unit =
- assert (forall i.
- v (Seq.index lhs.f_elements i) ==
- v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i))
+ t_Array i16 (sz 16)
+ }
+ <:
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
in
- lhs
+ vec
+
+#pop-options
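Review bot: montgomery_reduce_element carries two unnamed literals, 62209 and 169, whose roles can only be recovered by reverse-engineering the assertions (`v k == (v value @% pow2 16) * 62209` next to the cast of `v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R`, and `assert ((pow2 16 * 169) % 3329 == 1)`), plus a dead binding `let _:i32 = v_MONTGOMERY_R in` at the top. A one-line comment at the Rust source of this proof (the file looks hax-extracted) would spare the next reader the derivation: `// 62209 = q^-1 mod 2^16, so value - k*q is divisible by 2^16; 169 = 2^-16 mod q, hence res ≡ value * 169 (mod q)`. The `let _ = MONTGOMERY_R` presumably exists to silence an unused-constant lint on the Rust side; if so, saying that in a comment beats leaving a reader to wonder whether a use went missing.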
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
index e072f08d9..a1f8aaec3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
@@ -3,13 +3,13 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic
open Core
open FStar.Mul
-/// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋
-let v_BARRETT_MULTIPLIER: i32 = 20159l
-
let v_MONTGOMERY_SHIFT: u8 = 16uy
let v_MONTGOMERY_R: i32 = 1l <
+ Spec.Utils.is_intb (pow2 15 - 1)
+ (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)))
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ forall i.
+ i < 16 ==>
+ (v (Seq.index result.f_elements i) ==
+ v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)))
+
+val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires
+ forall i.
+ i < 16 ==>
+ Spec.Utils.is_intb (pow2 15 - 1)
+ (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)))
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ forall i.
+ i < 16 ==>
+ (v (Seq.index result.f_elements i) ==
+ v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)))
+
+val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires
+ forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c)
+ )
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ forall i.
+ i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c))
+
+val bitwise_and_with_constant
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (c: i16)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ Prims.l_True
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ result.f_elements == Spec.Utils.map_array (fun x -> x &. c) (vec.f_elements))
+
+val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==>
+ result.f_elements == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec.f_elements))
+
+/// Note: This function is not secret independent
+/// Only use with public values.
+val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires Spec.Utils.is_i16b_array (pow2 12 - 1) vec.f_elements)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ result.f_elements ==
+ Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (vec.f_elements))
+
/// Signed Barrett Reduction
/// Given an input `value`, `barrett_reduce` outputs a representative `result`
/// such that:
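Review bot: `v_BARRETT_MULTIPLIER` and its derivation comment `/// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋` are dropped from the interface at the top of this hunk, and nothing in the visible part of the hunk (which appears cut off right after `let v_MONTGOMERY_R: i32 = 1l <`) reintroduces the constant, so it is unclear whether it moved into the .fst or was removed outright. If it now lives only in the implementation, the derivation comment should move with it, since that comment is what lets a reader check the constant against the Barrett reduction contract (`Spec.Utils.is_i16b 3328 result /\ v result % 3329 == v value % 3329`) that presumably depends on it. The remainder of the hunk only relocates the `add`, `sub`, `multiply_by_constant`, `bitwise_and_with_constant`, `shift_right` and `cond_subtract_3329_` declarations, which raises nothing on its own.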
@@ -33,6 +104,17 @@ val barrett_reduce_element (value: i16)
let result:i16 = result in
Spec.Utils.is_i16b 3328 result /\ v result % 3329 == v value % 3329)
+val barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires Spec.Utils.is_i16b_array 28296 vec.f_elements)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ Spec.Utils.is_i16b_array 3328 result.f_elements /\
+ (forall i.
+ (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329))
+ )
+
/// Signed Montgomery Reduction
/// Given an input `value`, `montgomery_reduce` outputs a representative `o`
/// such that:
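Review bot: The `ensures` of the relocated `barrett_reduce` quantifies with a bare `forall i.` over `Seq.index result.f_elements i`, whereas `add`, `sub`, `multiply_by_constant` and `montgomery_multiply_by_constant` in the same interface all write `i < 16 ==>` before indexing. If F* infers the binder's refinement from `Seq.index`'s argument type this is only an inconsistency in how the contracts are written, but since this is the contract the SMT solver sees, stating the bound explicitly costs nothing and matches the siblings: `(forall i. i < 16 ==> (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329))`. The same pre-existing shape was on the removed side, so this is a style point on the moved declaration rather than a regression.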
@@ -65,53 +147,6 @@ val montgomery_multiply_fe_by_fer (fe fer: i16)
let result:i16 = result in
Spec.Utils.is_i16b 3328 result /\ v result % 3329 == (v fe * v fer * 169) % 3329)
-val add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)))
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- forall i.
- i < 16 ==>
- (v (Seq.index result.f_elements i) ==
- v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)))
-
-val barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires Spec.Utils.is_i16b_array 28296 vec.f_elements)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- Spec.Utils.is_i16b_array 3328 result.f_elements /\
- (forall i.
- (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329))
- )
-
-val bitwise_and_with_constant
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (c: i16)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- Prims.l_True
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- result.f_elements == Spec.Utils.map_array (fun x -> x &. c) (vec.f_elements))
-
-/// Note: This function is not secret independent
-/// Only use with public values.
-val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires Spec.Utils.is_i16b_array (pow2 12 - 1) vec.f_elements)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- result.f_elements ==
- Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (vec.f_elements))
-
val montgomery_multiply_by_constant
(vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
(c: i16)
@@ -125,38 +160,3 @@ val montgomery_multiply_by_constant
i < 16 ==>
(v (Seq.index result.f_elements i) % 3329 ==
(v (Seq.index vec.f_elements i) * v c * 169) % 3329)))
-
-val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c)
- )
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- forall i.
- i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c))
-
-val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==>
- result.f_elements == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec.f_elements))
-
-val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)))
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- forall i.
- i < 16 ==>
- (v (Seq.index result.f_elements i) ==
- v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i)))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
index 8ccf885b5..f3fe97511 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
@@ -5,22 +5,6 @@ open FStar.Mul
#push-options "--z3rlimit 200 --ext context_pruning"
-let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) =
- let compressed:u64 = (cast (fe <: u16) <: u64) <>! 35l in
- cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.get_n_least_significant_bits coefficient_bits
- (cast (compressed <: u64) <: u32)
- <:
- u32)
- <:
- i16
-
-#pop-options
-
-#push-options "--z3rlimit 200 --ext context_pruning"
-
let compress_message_coefficient (fe: u16) =
let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in
let _:Prims.unit = assert (v shifted == 1664 - v fe) in
@@ -63,17 +47,32 @@ let compress_message_coefficient (fe: u16) =
#pop-options
+#push-options "--z3rlimit 200 --ext context_pruning"
+
+let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) =
+ let compressed:u64 = (cast (fe <: u16) <: u64) <>! 35l in
+ cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.get_n_least_significant_bits coefficient_bits
+ (cast (compressed <: u64) <: u32)
+ <:
+ u32)
+ <:
+ i16
+
+#pop-options
+
+let compress_message_coefficient_range_helper (fe: u16) : Lemma
+ (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))
+ (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
+ v (cast (compress_message_coefficient fe) <: i16) < 2) =
+ assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
+ v (cast (compress_message_coefficient fe) <: i16) < 2)
+
#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000"
-let compress
- (v_COEFFICIENT_BITS: i32)
- (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- =
- let _:Prims.unit =
- assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS);
- assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS);
- assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16) == 3329)
- in
+let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
let _:Prims.unit =
assert (forall (i: nat).
i < 16 ==>
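Review bot: `compress_message_coefficient_range_helper` now sits between the `#pop-options` that closes the `compress_ciphertext_coefficient` region and the `#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000"` context line, so it is checked under default fuel, ifuel and rlimit; on the removed side further down in this file it was inside the `--fuel 0 --ifuel 0 --z3rlimit 2000` region. The lemma's body is a single `assert` that relies on `compress_message_coefficient`'s postcondition, so it may well verify with defaults, but the options it is proven under changed silently with the reordering and that is worth confirming in CI rather than assuming. The `compress_1_` definition that begins at the end of this hunk continues outside it.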
@@ -93,12 +92,14 @@ let compress
v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\
(forall (j: nat).
j < v i ==>
- v (a.f_elements.[ sz j ] <: i16) >= 0 /\
- v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))))
+ v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2))
a
(fun a i ->
let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
let i:usize = i in
+ let _:Prims.unit =
+ compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16)
+ in
let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
{
a with
@@ -107,10 +108,14 @@ let compress
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a
.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
i
- (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8)
- (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
+ (cast (compress_message_coefficient (cast (a
+ .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
+ <:
+ i16)
+ <:
+ u16)
<:
- u16)
+ u8)
<:
i16)
}
@@ -118,16 +123,13 @@ let compress
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
in
let _:Prims.unit =
- assert (v (a.f_elements.[ i ] <: i16) >= 0 /\
- v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))
+ assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2)
in
a)
in
let _:Prims.unit =
assert (forall (i: nat).
- i < 16 ==>
- v (a.f_elements.[ sz i ] <: i16) >= 0 /\
- v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS))
+ i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2)
in
a
@@ -135,14 +137,15 @@ let compress
#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000"
-let compress_message_coefficient_range_helper (fe: u16) : Lemma
- (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))
- (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
- v (cast (compress_message_coefficient fe) <: i16) < 2) =
- assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\
- v (cast (compress_message_coefficient fe) <: i16) < 2)
-
-let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+let compress
+ (v_COEFFICIENT_BITS: i32)
+ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ =
+ let _:Prims.unit =
+ assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS);
+ assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS);
+ assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16) == 3329)
+ in
let _:Prims.unit =
assert (forall (i: nat).
i < 16 ==>
@@ -162,14 +165,12 @@ let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\
(forall (j: nat).
j < v i ==>
- v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2))
+ v (a.f_elements.[ sz j ] <: i16) >= 0 /\
+ v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))))
a
(fun a i ->
let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in
let i:usize = i in
- let _:Prims.unit =
- compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16)
- in
let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
{
a with
@@ -178,14 +179,10 @@ let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a
.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
i
- (cast (compress_message_coefficient (cast (a
- .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ]
- <:
- i16)
- <:
- u16)
+ (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8)
+ (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16)
<:
- u8)
+ u16)
<:
i16)
}
@@ -193,13 +190,16 @@ let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
in
let _:Prims.unit =
- assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2)
+ assert (v (a.f_elements.[ i ] <: i16) >= 0 /\
+ v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))
in
a)
in
let _:Prims.unit =
assert (forall (i: nat).
- i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2)
+ i < 16 ==>
+ v (a.f_elements.[ sz i ] <: i16) >= 0 /\
+ v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS))
in
a
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti
index 32527079f..e25c235c8 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti
@@ -3,18 +3,6 @@ module Libcrux_ml_kem.Vector.Portable.Compress
open Core
open FStar.Mul
-val compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16)
- : Prims.Pure i16
- (requires
- (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy ||
- coefficient_bits =. 11uy) &&
- fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16))
- (ensures
- fun result ->
- let result:i16 = result in
- result >=. 0s &&
- result <. (Core.Num.impl__i16__pow 2s (cast (coefficient_bits <: u8) <: u32) <: i16))
-
/// The `compress_*` functions implement the `Compress` function specified in the NIST FIPS
/// 203 standard (Page 18, Expression 4.5), which is defined as:
/// ```plaintext
@@ -45,6 +33,30 @@ val compress_message_coefficient (fe: u16)
let _:Prims.unit = temp_0_ in
result =. 0uy <: bool))
+val compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16)
+ : Prims.Pure i16
+ (requires
+ (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy ||
+ coefficient_bits =. 11uy) &&
+ fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16))
+ (ensures
+ fun result ->
+ let result:i16 = result in
+ result >=. 0s &&
+ result <. (Core.Num.impl__i16__pow 2s (cast (coefficient_bits <: u8) <: u32) <: i16))
+
+val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires
+ forall (i: nat).
+ i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ forall (i: nat).
+ i < 16 ==>
+ v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2)
+
val compress
(v_COEFFICIENT_BITS: i32)
(a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
@@ -62,18 +74,6 @@ val compress
v (result.f_elements.[ sz i ] <: i16) >= 0 /\
v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS))
-val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- forall (i: nat).
- i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- forall (i: nat).
- i < 16 ==>
- v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2)
-
val decompress_ciphertext_coefficient
(v_COEFFICIENT_BITS: i32)
(a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst
index cd2dd7446..a7830a398 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst
@@ -3,6 +3,194 @@ module Libcrux_ml_kem.Vector.Portable.Ntt
open Core
open FStar.Mul
+let ntt_step
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (zeta: i16)
+ (i j: usize)
+ =
+ let t:i16 =
+ Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec
+ .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ]
+ <:
+ i16)
+ zeta
+ in
+ let _:Prims.unit =
+ assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))
+ in
+ let a_minus_t:i16 =
+ (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t
+ in
+ let _:Prims.unit =
+ calc ( == ) {
+ v a_minus_t % 3329;
+ ( == ) { () }
+ (v (Seq.index vec.f_elements (v i)) - v t) % 3329;
+ ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 }
+ (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329;
+ ( == ) { () }
+ (v (Seq.index vec.f_elements (v i)) -
+ ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) %
+ 3329;
+ ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i)))
+ (v (Seq.index vec.f_elements (v j)) * v zeta * 169)
+ 3329 }
+ (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) %
+ 3329;
+ }
+ in
+ let a_plus_t:i16 =
+ (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t
+ in
+ let _:Prims.unit =
+ calc ( == ) {
+ v a_plus_t % 3329;
+ ( == ) { () }
+ (v (Seq.index vec.f_elements (v i)) + v t) % 3329;
+ ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 }
+ (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329;
+ ( == ) { () }
+ (v (Seq.index vec.f_elements (v i)) +
+ ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) %
+ 3329;
+ ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i)))
+ (v (Seq.index vec.f_elements (v j)) * v zeta * 169)
+ 3329 }
+ (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) %
+ 3329;
+ }
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ {
+ vec with
+ Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
+ .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ j
+ a_minus_t
+ }
+ <:
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ {
+ vec with
+ Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
+ .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ i
+ a_plus_t
+ }
+ <:
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ in
+ let _:Prims.unit =
+ assert (Seq.index vec.f_elements (v i) == a_plus_t);
+ assert (Seq.index vec.f_elements (v j) == a_minus_t)
+ in
+ vec
+
+#push-options "--z3rlimit 100"
+
+let ntt_layer_1_step
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (zeta0 zeta1 zeta2 zeta3: i16)
+ =
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta0 (sz 0) (sz 2)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta0 (sz 1) (sz 3)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta1 (sz 4) (sz 6)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta1 (sz 5) (sz 7)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta2 (sz 8) (sz 10)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta2 (sz 9) (sz 11)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta3 (sz 12) (sz 14)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta3 (sz 13) (sz 15)
+ in
+ vec
+
+#pop-options
+
+#push-options "--z3rlimit 100"
+
+let ntt_layer_2_step
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (zeta0 zeta1: i16)
+ =
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta0 (sz 0) (sz 4)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta0 (sz 1) (sz 5)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta0 (sz 2) (sz 6)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta0 (sz 3) (sz 7)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta1 (sz 8) (sz 12)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta1 (sz 9) (sz 13)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta1 (sz 10) (sz 14)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta1 (sz 11) (sz 15)
+ in
+ vec
+
+#pop-options
+
+#push-options "--z3rlimit 100"
+
+let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) =
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 0) (sz 8)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 1) (sz 9)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 2) (sz 10)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 3) (sz 11)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 4) (sz 12)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 5) (sz 13)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 6) (sz 14)
+ in
+ let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
+ ntt_step vec zeta (sz 7) (sz 15)
+ in
+ vec
+
+#pop-options
+
let inv_ntt_step
(vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
(zeta: i16)
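Review bot: The checked `-!` and `+!` on `vec.f_elements.[ i ]` and `t` in `ntt_step` carry no comment explaining why they cannot overflow i16; the justification is only recoverable from the interface later in this diff, where elements at `i` and `j` are required to satisfy `is_i16b (11207 + 5 * 3328)` and `t` is bounded by `montgomery_multiply_fe_by_fer`'s `is_i16b 3328` postcondition, which (if `is_i16b b` means `|x| <= b`) gives 11207 + 6 * 3328 = 31175 < 32767. A one-line comment next to `a_minus_t`, e.g. `(* |a| <= 11207 + 5*3328 and |t| <= 3328, so a ± t fits in i16 *)`, would make the bound choice auditable where it is consumed. Since the `Rust_primitives.Hax` identifiers indicate this file is hax-extracted, the comment should be placed in the Rust source the proof is extracted from so it survives re-extraction. The `inv_ntt_step` definition at the end of the hunk continues outside it.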
@@ -322,194 +510,6 @@ let ntt_multiply_binomials
#pop-options
-let ntt_step
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (zeta: i16)
- (i j: usize)
- =
- let t:i16 =
- Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec
- .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ]
- <:
- i16)
- zeta
- in
- let _:Prims.unit =
- assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))
- in
- let a_minus_t:i16 =
- (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! t
- in
- let _:Prims.unit =
- calc ( == ) {
- v a_minus_t % 3329;
- ( == ) { () }
- (v (Seq.index vec.f_elements (v i)) - v t) % 3329;
- ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 }
- (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329;
- ( == ) { () }
- (v (Seq.index vec.f_elements (v i)) -
- ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) %
- 3329;
- ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i)))
- (v (Seq.index vec.f_elements (v j)) * v zeta * 169)
- 3329 }
- (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) %
- 3329;
- }
- in
- let a_plus_t:i16 =
- (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t
- in
- let _:Prims.unit =
- calc ( == ) {
- v a_plus_t % 3329;
- ( == ) { () }
- (v (Seq.index vec.f_elements (v i)) + v t) % 3329;
- ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 }
- (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329;
- ( == ) { () }
- (v (Seq.index vec.f_elements (v i)) +
- ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) %
- 3329;
- ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i)))
- (v (Seq.index vec.f_elements (v j)) * v zeta * 169)
- 3329 }
- (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) %
- 3329;
- }
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- {
- vec with
- Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
- .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- j
- a_minus_t
- }
- <:
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- {
- vec with
- Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- =
- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec
- .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
- i
- a_plus_t
- }
- <:
- Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- in
- let _:Prims.unit =
- assert (Seq.index vec.f_elements (v i) == a_plus_t);
- assert (Seq.index vec.f_elements (v j) == a_minus_t)
- in
- vec
-
-#push-options "--z3rlimit 100"
-
-let ntt_layer_1_step
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (zeta0 zeta1 zeta2 zeta3: i16)
- =
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta0 (sz 0) (sz 2)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta0 (sz 1) (sz 3)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta1 (sz 4) (sz 6)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta1 (sz 5) (sz 7)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta2 (sz 8) (sz 10)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta2 (sz 9) (sz 11)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta3 (sz 12) (sz 14)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta3 (sz 13) (sz 15)
- in
- vec
-
-#pop-options
-
-#push-options "--z3rlimit 100"
-
-let ntt_layer_2_step
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (zeta0 zeta1: i16)
- =
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta0 (sz 0) (sz 4)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta0 (sz 1) (sz 5)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta0 (sz 2) (sz 6)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta0 (sz 3) (sz 7)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta1 (sz 8) (sz 12)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta1 (sz 9) (sz 13)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta1 (sz 10) (sz 14)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta1 (sz 11) (sz 15)
- in
- vec
-
-#pop-options
-
-#push-options "--z3rlimit 100"
-
-let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) =
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 0) (sz 8)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 1) (sz 9)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 2) (sz 10)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 3) (sz 11)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 4) (sz 12)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 5) (sz 13)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 6) (sz 14)
- in
- let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
- ntt_step vec zeta (sz 7) (sz 15)
- in
- vec
-
-#pop-options
-
#push-options "--z3rlimit 100"
let ntt_multiply
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
index c5532bbde..e5498d53d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
@@ -5,6 +5,65 @@ open FStar.Mul
[@@ "opaque_to_smt"]
+val ntt_step
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (zeta: i16)
+ (i j: usize)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires
+ v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\
+ Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\
+ Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\
+ Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ])
+ (ensures
+ fun vec_future ->
+ let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in
+ (forall k.
+ (k <> v i /\ k <> v j) ==>
+ Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\
+ (forall b.
+ (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\
+ Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==>
+ (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\
+ Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\
+ Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements)
+
+val ntt_layer_1_step
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (zeta0 zeta1 zeta2 zeta3: i16)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires
+ Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+ Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
+ Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements)
+
+val ntt_layer_2_step
+ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (zeta0 zeta1: i16)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires
+ Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
+ Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements)
+
+val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires
+ Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) vec.f_elements)
+ (ensures
+ fun result ->
+ let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
+ Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements)
+
+[@@ "opaque_to_smt"]
+
val inv_ntt_step
(vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
(zeta: i16)
@@ -102,65 +161,6 @@ val ntt_multiply_binomials
((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\
((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329))))
-[@@ "opaque_to_smt"]
-
-val ntt_step
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (zeta: i16)
- (i j: usize)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\
- Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\
- Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\
- Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ])
- (ensures
- fun vec_future ->
- let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in
- (forall k.
- (k <> v i /\ k <> v j) ==>
- Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\
- (forall b.
- (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\
- Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==>
- (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\
- Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\
- Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements)
-
-val ntt_layer_1_step
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (zeta0 zeta1 zeta2 zeta3: i16)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
- Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\
- Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements)
-
-val ntt_layer_2_step
- (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- (zeta0 zeta1: i16)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\
- Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements)
-
-val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires
- Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) vec.f_elements)
- (ensures
- fun result ->
- let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in
- Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements)
-
val ntt_multiply
(lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
(zeta0 zeta1 zeta2 zeta3: i16)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst
index 9e7f111dc..553759235 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst
@@ -3,89 +3,20 @@ module Libcrux_ml_kem.Vector.Portable.Serialize
open Core
open FStar.Mul
-let deserialize_10_int (bytes: t_Slice u8) =
- let r0:i16 =
- (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16)
- in
- let r2:i16 =
- (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16)
- in
- let r3:i16 =
- ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16)
- in
- let r4:i16 =
- (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16)
- in
- let r6:i16 =
- (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16)
- in
- let r7:i16 =
- ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16)
- in
- r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
-
-let deserialize_11_int (bytes: t_Slice u8) =
- let r0:i16 =
- (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 7s <: i16) <>! 3l <: i16)
- in
- let r2:i16 =
- ((((cast (bytes.[ sz 4 ] <: u8) <: i16) &. 1s <: i16) <>! 6l <: i16)
- in
- let r3:i16 =
- (((cast (bytes.[ sz 5 ] <: u8) <: i16) &. 15s <: i16) <>! 1l <: i16)
- in
- let r4:i16 =
- (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 127s <: i16) <>! 4l <: i16)
+let serialize_4_int (v: t_Slice i16) =
+ let result0:u8 =
+ ((cast (v.[ sz 1 ] <: i16) <: u8) <>! 7l <: i16)
+ let result1:u8 =
+ ((cast (v.[ sz 3 ] <: i16) <: u8) <>! 2l <: i16)
+ let result2:u8 =
+ ((cast (v.[ sz 5 ] <: i16) <: u8) <>! 5l <: i16)
+ let result3:u8 =
+ ((cast (v.[ sz 7 ] <: i16) <: u8) <>! 4l <: i16) &. 15s <: i16) in
- r0, r1 <: (i16 & i16)
+ result0, result1, result2, result3 <: (u8 & u8 & u8 & u8)
let deserialize_4_int (bytes: t_Slice u8) =
let v0:i16 = cast ((bytes.[ sz 0 ] <: u8) &. 15uy <: u8) <: i16 in
@@ -98,6 +29,62 @@ let deserialize_4_int (bytes: t_Slice u8) =
let v7:i16 = cast (((bytes.[ sz 3 ] <: u8) >>! 4l <: u8) &. 15uy <: u8) <: i16 in
v0, v1, v2, v3, v4, v5, v6, v7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+let serialize_5_int (v: t_Slice i16) =
+ let r0:u8 = cast ((v.[ sz 0 ] <: i16) |. ((v.[ sz 1 ] <: i16) <>! 3l <: i16) |. ((v.[ sz 2 ] <: i16) <>! 1l <: i16) |. ((v.[ sz 4 ] <: i16) <>! 4l <: i16) |. ((v.[ sz 5 ] <: i16) <>! 2l <: i16) |. ((v.[ sz 7 ] <: i16) <>! 3l <: u8) <: i16 in
v0, v1, v2, v3, v4, v5, v6, v7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+let deserialize_5_ (bytes: t_Slice u8) =
+ let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+ deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 5 }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
+ deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 10 }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ in
+ {
+ Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements
+ =
+ let list =
+ [
+ v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1;
+ v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8
+ ]
+ in
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16);
+ Rust_primitives.Hax.array_of_list 16 list
+ }
+ <:
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+
let serialize_10_int (v: t_Slice i16) =
let r0:u8 = cast ((v.[ sz 0 ] <: i16) &. 255s <: i16) <: u8 in
let r1:u8 =
@@ -154,6 +171,41 @@ let serialize_10_int (v: t_Slice i16) =
let r4:u8 = cast (((v.[ sz 3 ] <: i16) >>! 2l <: i16) &. 255s <: i16) <: u8 in
r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8)
+let deserialize_10_int (bytes: t_Slice u8) =
+ let r0:i16 =
+ (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16)
+ in
+ let r2:i16 =
+ (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16)
+ in
+ let r3:i16 =
+ ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16)
+ in
+ let r4:i16 =
+ (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16)
+ in
+ let r6:i16 =
+ (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16)
+ in
+ let r7:i16 =
+ ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16)
+ in
+ r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+
let serialize_11_int (v: t_Slice i16) =
let r0:u8 = cast (v.[ sz 0 ] <: i16) <: u8 in
let r1:u8 =
@@ -191,58 +243,77 @@ let serialize_11_int (v: t_Slice i16) =
<:
(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8)
-let serialize_12_int (v: t_Slice i16) =
- let r0:u8 = cast ((v.[ sz 0 ] <: i16) &. 255s <: i16) <: u8 in
- let r1:u8 =
- cast (((v.[ sz 0 ] <: i16) >>! 8l <: i16) |. (((v.[ sz 1 ] <: i16) &. 15s <: i16) <>! 4l <: i16) &. 255s <: i16) <: u8 in
- r0, r1, r2 <: (u8 & u8 & u8)
-
-let serialize_4_int (v: t_Slice i16) =
- let result0:u8 =
- ((cast (v.[ sz 1 ] <: i16) <: u8) <>! 3l <: i16) |. ((v.[ sz 2 ] <: i16) <>! 1l <: i16) |. ((v.[ sz 4 ] <: i16) <>! 3l <: i16)
in
- let r3:u8 =
- cast ((((v.[ sz 4 ] <: i16) >>! 4l <: i16) |. ((v.[ sz 5 ] <: i16) <>! 6l <: i16)
in
- let r4:u8 =
- cast (((v.[ sz 6 ] <: i16) >>! 2l <: i16) |. ((v.[ sz 7 ] <: i16) <>! 1l <: i16)
in
- r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8)
+ let r4:i16 =
+ (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 127s <: i16) <>! 4l <: i16)
+ in
+ let r5:i16 =
+ ((((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 3s <: i16) <>! 7l <: i16)
+ in
+ let r6:i16 =
+ (((cast (bytes.[ sz 9 ] <: u8) <: i16) &. 31s <: i16) <>! 2l <: i16)
+ in
+ let r7:i16 =
+ ((cast (bytes.[ sz 10 ] <: u8) <: i16) <>! 5l <: i16)
+ in
+ r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
let deserialize_11_ (bytes: t_Slice u8) =
let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
@@ -274,96 +345,142 @@ let deserialize_11_ (bytes: t_Slice u8) =
<:
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-let deserialize_5_ (bytes: t_Slice u8) =
- let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
- deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 5 }
- <:
- Core.Ops.Range.t_Range usize ]
- <:
- t_Slice u8)
- in
- let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) =
- deserialize_5_int (bytes.[ { Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 10 }
- <:
- Core.Ops.Range.t_Range usize ]
+let serialize_12_int (v: t_Slice i16) =
+ let r0:u8 = cast ((v.[ sz 0 ] <: i16) &. 255s <: i16) <: u8 in
+ let r1:u8 =
+ cast (((v.[ sz 0 ] <: i16) >>! 8l <: i16) |. (((v.[ sz 1 ] <: i16) &. 15s <: i16) <>! 4l <: i16) &. 255s <: i16) <: u8 in
+ r0, r1, r2 <: (u8 & u8 & u8)
-let serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
- let r0_10_:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) =
- serialize_11_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ {
- Core.Ops.Range.f_start = sz 0;
- Core.Ops.Range.f_end = sz 8
- }
+let deserialize_12_int (bytes: t_Slice u8) =
+ let byte0:i16 = cast (bytes.[ sz 0 ] <: u8) <: i16 in
+ let byte1:i16 = cast (bytes.[ sz 1 ] <: u8) <: i16 in
+ let byte2:i16 = cast (bytes.[ sz 2 ] <: u8) <: i16 in
+ let r0:i16 = ((byte1 &. 15s <: i16) <>! 4l <: i16) &. 15s <: i16) in
+ r0, r1 <: (i16 & i16)
+
+let rec serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ let result0:u8 =
+ (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |.
+ ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16)
+ <:
+ u8) < Prims.l_True)
-val deserialize_11_int (bytes: t_Slice u8)
+val deserialize_4_int (bytes: t_Slice u8)
: Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 11)
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 4)
(fun _ -> Prims.l_True)
-val deserialize_12_int (bytes: t_Slice u8)
- : Prims.Pure (i16 & i16)
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 3)
+val serialize_5_int (v: t_Slice i16)
+ : Prims.Pure (u8 & u8 & u8 & u8 & u8)
+ (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8)
(fun _ -> Prims.l_True)
-val deserialize_4_int (bytes: t_Slice u8)
- : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 4)
- (fun _ -> Prims.l_True)
+val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
val deserialize_5_int (bytes: t_Slice u8)
: Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
(requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 5)
(fun _ -> Prims.l_True)
+val deserialize_5_ (bytes: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 10)
+ (fun _ -> Prims.l_True)
+
val serialize_10_int (v: t_Slice i16)
: Prims.Pure (u8 & u8 & u8 & u8 & u8)
(requires (Core.Slice.impl__len #i16 v <: usize) =. sz 4)
(fun _ -> Prims.l_True)
+val deserialize_10_int (bytes: t_Slice u8)
+ : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 10)
+ (fun _ -> Prims.l_True)
+
val serialize_11_int (v: t_Slice i16)
: Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8)
(requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8)
(fun _ -> Prims.l_True)
-val serialize_12_int (v: t_Slice i16)
- : Prims.Pure (u8 & u8 & u8)
- (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 2)
- (fun _ -> Prims.l_True)
-
-val serialize_4_int (v: t_Slice i16)
- : Prims.Pure (u8 & u8 & u8 & u8)
- (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8)
- (fun _ -> Prims.l_True)
+val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
-val serialize_5_int (v: t_Slice i16)
- : Prims.Pure (u8 & u8 & u8 & u8 & u8)
- (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 8)
+val deserialize_11_int (bytes: t_Slice u8)
+ : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16)
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 11)
(fun _ -> Prims.l_True)
val deserialize_11_ (bytes: t_Slice u8)
@@ -58,16 +59,22 @@ val deserialize_11_ (bytes: t_Slice u8)
(requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 22)
(fun _ -> Prims.l_True)
-val deserialize_5_ (bytes: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 10)
+val serialize_12_int (v: t_Slice i16)
+ : Prims.Pure (u8 & u8 & u8)
+ (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 2)
(fun _ -> Prims.l_True)
-val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_12_int (bytes: t_Slice u8)
+ : Prims.Pure (i16 & i16)
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 3)
+ (fun _ -> Prims.l_True)
-val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
+
+val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+ (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1))
+ (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1)
val deserialize_1_ (v: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
@@ -80,45 +87,23 @@ val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma
val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma
(ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1)
-val deserialize_10_ (bytes: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20)
- (fun _ -> Prims.l_True)
-
-val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma
- (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8)
-
-val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
- (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10)
-
-val deserialize_12_ (bytes: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24)
- (fun _ -> Prims.l_True)
-
-val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
- (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
+val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
-val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma
- (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12)
+val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+ (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4))
+ (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4)
val deserialize_4_ (bytes: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
(requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8)
(fun _ -> Prims.l_True)
-val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma
- (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8)
-
val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma
(ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4)
-val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
- (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1))
- (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1)
+val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma
+ (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8)
val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
: Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True)
@@ -127,6 +112,17 @@ val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Por
(requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10))
(ensures bit_vec_of_int_t_array (serialize_10_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10)
+val deserialize_10_ (bytes: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20)
+ (fun _ -> Prims.l_True)
+
+val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+ (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8)
+
+val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10)
+
val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
: Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True)
@@ -134,9 +130,13 @@ val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_Por
(requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12))
(ensures bit_vec_of_int_t_array (serialize_12_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12)
-val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True)
+val deserialize_12_ (bytes: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24)
+ (fun _ -> Prims.l_True)
-val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
- (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4))
- (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4)
+val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12)
+
+val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+ (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst
index 70c80f4e5..61b05fdfd 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst
@@ -3,6 +3,23 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type
open Core
open FStar.Mul
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl': Core.Clone.t_Clone t_PortableVector
+
+let impl = impl'
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+assume
+val impl_1': Core.Marker.t_Copy t_PortableVector
+
+let impl_1 = impl_1'
+
+let zero (_: Prims.unit) =
+ { f_elements = Rust_primitives.Hax.repeat 0s (sz 16) } <: t_PortableVector
+
+let to_i16_array (x: t_PortableVector) = x.f_elements
+
let from_i16_array (array: t_Slice i16) =
{
f_elements
@@ -22,20 +39,3 @@ let from_i16_array (array: t_Slice i16) =
}
<:
t_PortableVector
-
-let to_i16_array (x: t_PortableVector) = x.f_elements
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl': Core.Clone.t_Clone t_PortableVector
-
-let impl = impl'
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-assume
-val impl_1': Core.Marker.t_Copy t_PortableVector
-
-let impl_1 = impl_1'
-
-let zero (_: Prims.unit) =
- { f_elements = Rust_primitives.Hax.repeat 0s (sz 16) } <: t_PortableVector
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti
index 0d4b6268a..37e1c236b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti
@@ -5,13 +5,19 @@ open FStar.Mul
type t_PortableVector = { f_elements:t_Array i16 (sz 16) }
-val from_i16_array (array: t_Slice i16)
- : Prims.Pure t_PortableVector
- (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16)
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl:Core.Clone.t_Clone t_PortableVector
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_1:Core.Marker.t_Copy t_PortableVector
+
+val zero: Prims.unit
+ -> Prims.Pure t_PortableVector
+ Prims.l_True
(ensures
fun result ->
let result:t_PortableVector = result in
- result.f_elements == array)
+ result.f_elements == Seq.create 16 0s)
val to_i16_array (x: t_PortableVector)
: Prims.Pure (t_Array i16 (sz 16))
@@ -21,16 +27,10 @@ val to_i16_array (x: t_PortableVector)
let result:t_Array i16 (sz 16) = result in
result == x.f_elements)
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl:Core.Clone.t_Clone t_PortableVector
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_1:Core.Marker.t_Copy t_PortableVector
-
-val zero: Prims.unit
- -> Prims.Pure t_PortableVector
- Prims.l_True
+val from_i16_array (array: t_Slice i16)
+ : Prims.Pure t_PortableVector
+ (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16)
(ensures
fun result ->
let result:t_PortableVector = result in
- result.f_elements == Seq.create 16 0s)
+ result.f_elements == array)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst
index e59261ebb..ee337628a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst
@@ -10,16 +10,6 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-let deserialize_11_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a
-
-let deserialize_5_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a
-
-let serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
- Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a
-
-let serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
- Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
let impl: Libcrux_ml_kem.Vector.Traits.t_Repr
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
@@ -40,43 +30,53 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector =
Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x
}
+let serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 1) in
+ let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma a in
+ Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a
+
let deserialize_1_ (a: t_Slice u8) =
let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma a in
let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma a in
Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a
-let deserialize_10_ (a: t_Slice u8) =
- let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in
- let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a in
- Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a
-
-let deserialize_12_ (a: t_Slice u8) =
- let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in
- let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a in
- Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a
+let serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 4) in
+ let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma a in
+ Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a
let deserialize_4_ (a: t_Slice u8) =
let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma a in
let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma a in
Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a
-let serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
- let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 1) in
- let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma a in
- Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a
+let serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a
+
+let deserialize_5_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a
let serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma a in
Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a
+let deserialize_10_ (a: t_Slice u8) =
+ let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in
+ let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a in
+ Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a
+
+let serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a
+
+let deserialize_11_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a
+
let serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma a in
Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a
-let serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
- let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 4) in
- let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma a in
- Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a
+let deserialize_12_ (a: t_Slice u8) =
+ let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in
+ let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a in
+ Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a
#push-options "--z3rlimit 400 --split_queries always"
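Review bot: The 5- and 11-bit wrappers on the new side (`let serialize_5_ (a: ...) = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a`, `let deserialize_5_ ...`, `let serialize_11_ ...`, `let deserialize_11_ ...`) invoke no `*_lemma`/`*_bounded_lemma` before delegating, whereas the 1/4/10/12-bit wrappers in the same hunk each call the corresponding Serialize lemma so their trait-level post-condition is connected to the bit-vector spec. This is pre-existing (the removed side has the same bare wrappers) and the commit only reorders, but it means the 5/11 widths apparently have no functional-correctness argument at this layer; what their `.fsti` post-conditions actually promise is outside this hunk, so I am inferring rather than asserting a gap. A one-line marker would keep auditors from assuming parity with the other widths, e.g. above `let serialize_5_`: `(* 5/11-bit widths: no bit_vec lemma is invoked here, unlike 1/4/10/12 — only the length/precondition contract is verified at this layer. *)`. As this is hax output, that comment belongs in the Rust source so it survives re-extraction.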
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
index c9cf458ce..709ead4ba 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti
@@ -10,49 +10,35 @@ let _ =
let open Libcrux_ml_kem.Vector.Traits in
()
-val deserialize_11_ (a: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22)
- (fun _ -> Prims.l_True)
-
-val deserialize_5_ (a: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10)
- (fun _ -> Prims.l_True)
-
-val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
-
-val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
-
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl:Libcrux_ml_kem.Vector.Traits.t_Repr
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
-val deserialize_1_ (a: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 2)
+val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 2))
+ (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a))
(ensures
fun out ->
- let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
- sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out))
+ let out:t_Array u8 (sz 2) = out in
+ Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==>
+ Spec.MLKEM.serialize_post 1 (impl.f_repr a) out)
-val deserialize_10_ (a: t_Slice u8)
+val deserialize_1_ (a: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20)
+ (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 2)
(ensures
fun out ->
let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
- sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out))
+ sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out))
-val deserialize_12_ (a: t_Slice u8)
- : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
- (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24)
+val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 8))
+ (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a))
(ensures
fun out ->
- let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
- sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out))
+ let out:t_Array u8 (sz 8) = out in
+ Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==>
+ Spec.MLKEM.serialize_post 4 (impl.f_repr a) out)
val deserialize_4_ (a: t_Slice u8)
: Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
@@ -62,14 +48,13 @@ val deserialize_4_ (a: t_Slice u8)
let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out))
-val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 2))
- (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a))
- (ensures
- fun out ->
- let out:t_Array u8 (sz 2) = out in
- Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==>
- Spec.MLKEM.serialize_post 1 (impl.f_repr a) out)
+val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True)
+
+val deserialize_5_ (a: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10)
+ (fun _ -> Prims.l_True)
val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
: Prims.Pure (t_Array u8 (sz 20))
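Review bot: `serialize_5_` and `deserialize_5_` come back into the interface with only `Prims.l_True` as their postcondition, and `serialize_11_`/`deserialize_11_` in the following hunk carry the same trivial contract, whereas the 1-, 4-, 10- and 12-bit variants are tied to `Spec.MLKEM.serialize_pre`/`serialize_post` and `deserialize_post`. The matching wrappers in `Libcrux_ml_kem.Vector.Portable.fst` likewise call the 11-bit functions without invoking any lemma, so for these two bit widths the extracted code is only shown to type-check, not to agree with the specification. Since this file is hax extraction output, the gap is presumably closed on the Rust side, with `hax_lib::ensures` annotations and lemmas analogous to the `serialize_4_lemma`/`deserialize_4_lemma` pair that `serialize.rs` already declares for the other widths; until then a short note next to the 5- and 11-bit serializers in the Rust source saying that no spec relation is proved yet would keep the remaining obligation visible.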
@@ -80,6 +65,22 @@ val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVecto
Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==>
Spec.MLKEM.serialize_post 10 (impl.f_repr a) out)
+val deserialize_10_ (a: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20)
+ (ensures
+ fun out ->
+ let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
+ sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out))
+
+val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True)
+
+val deserialize_11_ (a: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22)
+ (fun _ -> Prims.l_True)
+
val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
: Prims.Pure (t_Array u8 (sz 24))
(requires Spec.MLKEM.serialize_pre 12 (impl.f_repr a))
@@ -89,14 +90,13 @@ val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVecto
Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==>
Spec.MLKEM.serialize_post 12 (impl.f_repr a) out)
-val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
- : Prims.Pure (t_Array u8 (sz 8))
- (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a))
+val deserialize_12_ (a: t_Slice u8)
+ : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24)
(ensures
fun out ->
- let out:t_Array u8 (sz 8) = out in
- Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==>
- Spec.MLKEM.serialize_post 4 (impl.f_repr a) out)
+ let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in
+ sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out))
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl_1:Libcrux_ml_kem.Vector.Traits.t_Operations
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
index 534f1aae9..33c1ba6cb 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst
@@ -3,6 +3,38 @@ module Libcrux_ml_kem.Vector.Traits
open Core
open FStar.Mul
+let montgomery_multiply_fe
+ (#v_T: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
+ (v: v_T)
+ (fer: i16)
+ = f_montgomery_multiply_by_constant #v_T #FStar.Tactics.Typeclasses.solve v fer
+
+let to_standard_domain
+ (#v_T: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
+ (v: v_T)
+ =
+ f_montgomery_multiply_by_constant #v_T
+ #FStar.Tactics.Typeclasses.solve
+ v
+ v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS
+
+#push-options "--admit_smt_queries true"
+
+let to_unsigned_representative
+ (#v_T: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
+ (a: v_T)
+ =
+ let t:v_T = f_shift_right #v_T #FStar.Tactics.Typeclasses.solve 15l a in
+ let fm:v_T =
+ f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS
+ in
+ f_add #v_T #FStar.Tactics.Typeclasses.solve a fm
+
+#pop-options
+
#push-options "--z3rlimit 200 --split_queries always"
let decompress_1_
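Review bot: `to_unsigned_representative` is moved here still wrapped in `#push-options "--admit_smt_queries true"`, so the postcondition the interface states for it (each output lane in `[0, 3328]` and congruent to the input mod 3329, visible in the `Traits.fsti` hunk below) is admitted rather than proved. The body is small — `t` is `a` shifted right by 15, `fm` is `t` masked with `v_FIELD_MODULUS`, and the result is `a + fm` — and if `f_shift_right` is an arithmetic shift, `t` is all-ones exactly on negative lanes, so `fm` is the modulus there and 0 elsewhere, which is the shape the proof would follow from the (not visible here) precondition on `a`. Until it is discharged, the admit deserves a comment naming what is assumed and why, e.g. `(* TODO(proof): postcondition admitted; needs lane-wise reasoning about f_shift_right/f_bitwise_and_with_constant through t_Operations *)`, since an admit in a shared helper silently weakens every proof that calls it.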
@@ -35,35 +67,3 @@ let decompress_1_
f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s
#pop-options
-
-let montgomery_multiply_fe
- (#v_T: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
- (v: v_T)
- (fer: i16)
- = f_montgomery_multiply_by_constant #v_T #FStar.Tactics.Typeclasses.solve v fer
-
-let to_standard_domain
- (#v_T: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
- (v: v_T)
- =
- f_montgomery_multiply_by_constant #v_T
- #FStar.Tactics.Typeclasses.solve
- v
- v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS
-
-#push-options "--admit_smt_queries true"
-
-let to_unsigned_representative
- (#v_T: Type0)
- (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T)
- (a: v_T)
- =
- let t:v_T = f_shift_right #v_T #FStar.Tactics.Typeclasses.solve 15l a in
- let fm:v_T =
- f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS
- in
- f_add #v_T #FStar.Tactics.Typeclasses.solve a fm
-
-#pop-options
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
index 8b0564a28..36328b521 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti
@@ -3,17 +3,17 @@ module Libcrux_ml_kem.Vector.Traits
open Core
open FStar.Mul
-let v_BARRETT_SHIFT: i32 = 26l
+let v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353s
-let v_BARRETT_R: i32 = 1l < f_rej_sample_post x0 x1 result)
}
-val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (vec: v_T)
- : Prims.Pure v_T
- (requires
- forall i.
- let x = Seq.index (i1._super_12682756204189288427.f_repr vec) i in
- (x == 0s \/ x == 1s))
- (fun _ -> Prims.l_True)
-
val montgomery_multiply_fe (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T) (fer: i16)
: Prims.Pure v_T (requires Spec.Utils.is_i16b 1664 fer) (fun _ -> Prims.l_True)
@@ -438,3 +430,11 @@ val to_unsigned_representative (#v_T: Type0) {| i1: t_Operations v_T |} (a: v_T)
(let x = Seq.index (i1._super_12682756204189288427.f_repr a) i in
let y = Seq.index (i1._super_12682756204189288427.f_repr result) i in
(v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329))))
+
+val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (vec: v_T)
+ : Prims.Pure v_T
+ (requires
+ forall i.
+ let x = Seq.index (i1._super_12682756204189288427.f_repr vec) i in
+ (x == 0s \/ x == 1s))
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/src/polynomial.rs b/libcrux-ml-kem/src/polynomial.rs
index 0b97d24ac..e7c9e334e 100644
--- a/libcrux-ml-kem/src/polynomial.rs
+++ b/libcrux-ml-kem/src/polynomial.rs
@@ -27,26 +27,6 @@ pub fn zeta(i: usize) -> i16 {
pub(crate) const VECTORS_IN_RING_ELEMENT: usize =
super::constants::COEFFICIENTS_IN_RING_ELEMENT / FIELD_ELEMENTS_IN_VECTOR;
-#[cfg_attr(
- hax,
- hax_lib::fstar::after(
- interface,
- "let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
- {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r =
- createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i]))"
- )
-)]
-#[cfg_attr(
- hax,
- hax_lib::fstar::after(
- interface,
- "let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
- {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r =
- createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))"
- )
-)]
#[cfg_attr(
hax,
hax_lib::fstar::after(
@@ -56,7 +36,15 @@ pub(crate) const VECTORS_IN_RING_ELEMENT: usize =
(p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial =
createi (sz 256) (fun i -> Spec.MLKEM.Math.to_spec_fe
(Seq.index (i2._super_12682756204189288427.f_repr
- (Seq.index p.f_coefficients (v i / 16))) (v i % 16)))"
+ (Seq.index p.f_coefficients (v i / 16))) (v i % 16)))
+let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
+ {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r =
+ createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))
+let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0)
+ {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r =
+ createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i]))"
)
)]
// XXX: We don't want to copy this. But for eurydice we have to have this.
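Review bot: the three `to_spec_*_t` definitions now live in a single `hax_lib::fstar::after(interface, ...)` string, but nothing says why, and the removed form had them as separate attributes. The reason is presumably ordering — `to_spec_vector_t` refers to `to_spec_poly_t` and `to_spec_matrix_t` to `to_spec_vector_t`, so each must be emitted after the one it uses, which one block guarantees regardless of how hax orders attributes — and the same concern appears to drive the move of `coefficients_field_modulus_range` below `field_modulus_range` in the two `serialize.rs` hunks that follow. A one-line comment above the attribute would keep the next editor from splitting them again, e.g. `// Keep to_spec_poly_t, to_spec_vector_t and to_spec_matrix_t in one F* block: each references the previous one, so emission order matters.` (and `// Must be emitted after field_modulus_range, which it references.` in serialize.rs). The enclosing `#[cfg_attr(hax, ...)]` opens in the previous hunk.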
diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs
index 6c496a785..a1d5fa731 100644
--- a/libcrux-ml-kem/src/serialize.rs
+++ b/libcrux-ml-kem/src/serialize.rs
@@ -8,14 +8,6 @@ use crate::{
};
#[inline(always)]
-#[hax_lib::fstar::before(
- interface,
- r#"[@@ "opaque_to_smt"]
-let coefficients_field_modulus_range (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i)"#
-)]
#[hax_lib::fstar::before(
interface,
r#"[@@ "opaque_to_smt"]
@@ -26,6 +18,14 @@ let field_modulus_range (#v_Vector: Type0)
forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\
v (Seq.index coef i) < v $FIELD_MODULUS"#
)]
+#[hax_lib::fstar::before(
+ interface,
+ r#"[@@ "opaque_to_smt"]
+let coefficients_field_modulus_range (#v_Vector: Type0)
+ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
+ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
+ forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i)"#
+)]
#[hax_lib::fstar::verification_status(panic_free)]
#[hax_lib::requires(fstar!(r#"field_modulus_range $a"#))]
#[hax_lib::ensures(|result| fstar!(r#"forall (i:nat). i < 16 ==>
diff --git a/libcrux-ml-kem/src/vector/portable/serialize.rs b/libcrux-ml-kem/src/vector/portable/serialize.rs
index 9a6522847..90546ae3e 100644
--- a/libcrux-ml-kem/src/vector/portable/serialize.rs
+++ b/libcrux-ml-kem/src/vector/portable/serialize.rs
@@ -14,21 +14,20 @@
use super::vector_type::*;
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
- (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1))
- (ensures bit_vec_of_int_t_array (${serialize_1} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1)
-"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--z3rlimit 300\"
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-let serialize_1_lemma inputs =
- serialize_1_bit_vec_lemma inputs.f_elements ();
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_1} inputs) 8)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1))
+let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16))
+ (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 1 in
+ let outputs = bit_vec_of_int_t_array (${serialize_1} ({ f_elements = v })) 8 in
+ (forall (i: nat {i < 16}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
#pop-options
"
@@ -38,21 +37,22 @@ let serialize_1_lemma inputs =
hax,
hax_lib::fstar::after(
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+#push-options \"--z3rlimit 300\"
-let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16))
- (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1))
- : squash (
- let inputs = bit_vec_of_int_t_array v 1 in
- let outputs = bit_vec_of_int_t_array (${serialize_1} ({ f_elements = v })) 8 in
- (forall (i: nat {i < 16}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+let serialize_1_lemma inputs =
+ serialize_1_bit_vec_lemma inputs.f_elements ();
+ BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_1} inputs) 8)
+ (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1))
#pop-options
"
)
)]
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+ (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1))
+ (ensures bit_vec_of_int_t_array (${serialize_1} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1)
+"))]
#[inline(always)]
pub(crate) fn serialize_1(v: PortableVector) -> [u8; 2] {
let result0 = (v.elements[0] as u8)
@@ -74,23 +74,22 @@ pub(crate) fn serialize_1(v: PortableVector) -> [u8; 2] {
[result0, result1]
}
-//deserialize_1_bounded_lemma
-#[cfg_attr(
- hax,
- hax_lib::fstar::after(
- interface,
- "
-val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma
- (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_1} inputs).f_elements i) 1)
-"
- )
-)]
+//deserialize_1_bit_vec_lemma
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-let deserialize_1_bounded_lemma inputs =
- admit()
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 8 in
+ let outputs = bit_vec_of_int_t_array (${deserialize_1} v).f_elements 1 in
+ (forall (i: nat {i < 16}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
"
)
)]
@@ -114,22 +113,23 @@ let deserialize_1_lemma inputs =
"
)
)]
-//deserialize_1_bit_vec_lemma
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-
-let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2))
- : squash (
- let inputs = bit_vec_of_int_t_array v 8 in
- let outputs = bit_vec_of_int_t_array (${deserialize_1} v).f_elements 1 in
- (forall (i: nat {i < 16}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
-
-#pop-options
+let deserialize_1_bounded_lemma inputs =
+ admit()
+"
+ )
+)]
+//deserialize_1_bounded_lemma
+#[cfg_attr(
+ hax,
+ hax_lib::fstar::after(
+ interface,
+ "
+val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_1} inputs).f_elements i) 1)
"
)
)]
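Review bot: `deserialize_1_bounded_lemma` is still discharged by `admit()` in the reordered block, and `deserialize_10_bounded_lemma` in the later hunk of this file is admitted the same way, while the neighbouring `deserialize_1_bit_vec_lemma`/`deserialize_10_bit_vec_lemma` are actually proved by `Tactics.GetBit.prove_bit_vector_equality'`. The admitted bound is not idle: the extracted `deserialize_10_` wrapper in `Libcrux_ml_kem.Vector.Portable.fst` calls `deserialize_10_bounded_lemma` before `deserialize_10_`, so the `deserialize_post` contract in the `.fsti` ultimately rests on it. The bound may be derivable from the bit-vector lemma, but that lemma only compares the low `d` bits of each lane, so a separate argument that the high bits are zero is probably still needed. A marker above the attribute would make the outstanding obligation explicit, e.g. `// deserialize_1_bounded_lemma is admitted — TODO prove each lane < 2^1 (high bits zero); same for deserialize_10_bounded_lemma`.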
@@ -174,21 +174,20 @@ pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) {
(result0, result1, result2, result3)
}
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
- (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4))
- (ensures bit_vec_of_int_t_array (${serialize_4} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4)
-"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--z3rlimit 300\"
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-let serialize_4_lemma inputs =
- serialize_4_bit_vec_lemma inputs.f_elements ();
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_4} inputs) 8)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4))
+let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16))
+ (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 4 in
+ let outputs = bit_vec_of_int_t_array (${serialize_4} ({ f_elements = v })) 8 in
+ (forall (i: nat {i < 64}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
#pop-options
"
@@ -198,21 +197,22 @@ let serialize_4_lemma inputs =
hax,
hax_lib::fstar::after(
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+#push-options \"--z3rlimit 300\"
-let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16))
- (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4))
- : squash (
- let inputs = bit_vec_of_int_t_array v 4 in
- let outputs = bit_vec_of_int_t_array (${serialize_4} ({ f_elements = v })) 8 in
- (forall (i: nat {i < 64}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+let serialize_4_lemma inputs =
+ serialize_4_bit_vec_lemma inputs.f_elements ();
+ BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_4} inputs) 8)
+ (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4))
#pop-options
"
)
)]
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+ (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4))
+ (ensures bit_vec_of_int_t_array (${serialize_4} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4)
+"))]
#[inline(always)]
pub(crate) fn serialize_4(v: PortableVector) -> [u8; 8] {
let result0_3 = serialize_4_int(&v.elements[0..8]);
@@ -265,40 +265,40 @@ let deserialize_4_bounded_lemma inputs =
"
)
)]
-//deserialize_4_lemma
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma
- (ensures bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8)
-"))]
+//deserialize_4_bit_vec_lemma
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--z3rlimit 300\"
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-let deserialize_4_lemma inputs =
- deserialize_4_bit_vec_lemma inputs;
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 8 in
+ let outputs = bit_vec_of_int_t_array (${deserialize_4} v).f_elements 4 in
+ (forall (i: nat {i < 64}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
#pop-options
"
)
)]
-//deserialize_4_bit_vec_lemma
+//deserialize_4_lemma
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma
+ (ensures bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8)
+"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+#push-options \"--z3rlimit 300\"
-let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8))
- : squash (
- let inputs = bit_vec_of_int_t_array v 8 in
- let outputs = bit_vec_of_int_t_array (${deserialize_4} v).f_elements 4 in
- (forall (i: nat {i < 64}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+let deserialize_4_lemma inputs =
+ deserialize_4_bit_vec_lemma inputs;
+ BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4)
+ (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
#pop-options
"
@@ -385,40 +385,40 @@ pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) {
(r0, r1, r2, r3, r4)
}
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
- (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10))
- (ensures bit_vec_of_int_t_array (${serialize_10} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10)
-"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--z3rlimit 300\"
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-let serialize_10_lemma inputs =
- serialize_10_bit_vec_lemma inputs.f_elements ();
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_10} inputs) 8)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10))
+let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16))
+ (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 10 in
+ let outputs = bit_vec_of_int_t_array (${serialize_10} ({ f_elements = v })) 8 in
+ (forall (i: nat {i < 160}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
#pop-options
"
)
)]
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+ (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10))
+ (ensures bit_vec_of_int_t_array (${serialize_10} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10)
+"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+#push-options \"--z3rlimit 300\"
-let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16))
- (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10))
- : squash (
- let inputs = bit_vec_of_int_t_array v 10 in
- let outputs = bit_vec_of_int_t_array (${serialize_10} ({ f_elements = v })) 8 in
- (forall (i: nat {i < 160}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+let serialize_10_lemma inputs =
+ serialize_10_bit_vec_lemma inputs.f_elements ();
+ BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_10} inputs) 8)
+ (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10))
#pop-options
"
@@ -452,14 +452,22 @@ pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16,
(r0, r1, r2, r3, r4, r5, r6, r7)
}
-//deserialize_10_bounded_lemma
+//deserialize_10_bit_vec_lemma
#[cfg_attr(
hax,
hax_lib::fstar::after(
- interface,
"
-val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
- (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_10} inputs).f_elements i) 10)
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+
+let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 8 in
+ let outputs = bit_vec_of_int_t_array (${deserialize_10} v).f_elements 10 in
+ (forall (i: nat {i < 160}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+
+#pop-options
"
)
)]
@@ -467,8 +475,14 @@ val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
hax,
hax_lib::fstar::after(
"
-let deserialize_10_bounded_lemma inputs =
- admit()
+#push-options \"--z3rlimit 300\"
+
+let deserialize_10_lemma inputs =
+ deserialize_10_bit_vec_lemma inputs;
+ BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10)
+ (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+
+#pop-options
"
)
)]
@@ -481,33 +495,19 @@ val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma
hax,
hax_lib::fstar::after(
"
-#push-options \"--z3rlimit 300\"
-
-let deserialize_10_lemma inputs =
- deserialize_10_bit_vec_lemma inputs;
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
-
-#pop-options
+let deserialize_10_bounded_lemma inputs =
+ admit()
"
)
)]
-//deserialize_10_bit_vec_lemma
+//deserialize_10_bounded_lemma
#[cfg_attr(
hax,
hax_lib::fstar::after(
+ interface,
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-
-let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20))
- : squash (
- let inputs = bit_vec_of_int_t_array v 8 in
- let outputs = bit_vec_of_int_t_array (${deserialize_10} v).f_elements 10 in
- (forall (i: nat {i < 160}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
-
-#pop-options
+val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma
+ (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_10} inputs).f_elements i) 10)
"
)
)]
@@ -598,40 +598,40 @@ pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) {
(r0, r1, r2)
}
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
- (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12))
- (ensures bit_vec_of_int_t_array (${serialize_12} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12)
-"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--z3rlimit 300\"
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-let serialize_12_lemma inputs =
- serialize_12_bit_vec_lemma inputs.f_elements ();
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_12} inputs) 8)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12))
+let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16))
+ (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 12 in
+ let outputs = bit_vec_of_int_t_array (${serialize_12} ({ f_elements = v })) 8 in
+ (forall (i: nat {i < 192}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
#pop-options
"
)
)]
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
+ (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12))
+ (ensures bit_vec_of_int_t_array (${serialize_12} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12)
+"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+#push-options \"--z3rlimit 300\"
-let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16))
- (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12))
- : squash (
- let inputs = bit_vec_of_int_t_array v 12 in
- let outputs = bit_vec_of_int_t_array (${serialize_12} ({ f_elements = v })) 8 in
- (forall (i: nat {i < 192}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+let serialize_12_lemma inputs =
+ serialize_12_bit_vec_lemma inputs.f_elements ();
+ BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_12} inputs) 8)
+ (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12))
#pop-options
"
@@ -687,40 +687,40 @@ let deserialize_12_bounded_lemma inputs =
"
)
)]
-//deserialize_12_lemma
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
- (ensures bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
-"))]
+//deserialize_12_bit_vec_lemma
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--z3rlimit 300\"
+#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-let deserialize_12_lemma inputs =
- deserialize_12_bit_vec_lemma inputs;
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
+let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24))
+ : squash (
+ let inputs = bit_vec_of_int_t_array v 8 in
+ let outputs = bit_vec_of_int_t_array (${deserialize_12} v).f_elements 12 in
+ (forall (i: nat {i < 192}). inputs i == outputs i)
+ ) =
+ _ by (Tactics.GetBit.prove_bit_vector_equality' ())
#pop-options
"
)
)]
-//deserialize_12_bit_vec_lemma
+//deserialize_12_lemma
+#[cfg_attr(hax, hax_lib::fstar::after(interface, "
+val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
+ (ensures bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
+"))]
#[cfg_attr(
hax,
hax_lib::fstar::after(
"
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
+#push-options \"--z3rlimit 300\"
-let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24))
- : squash (
- let inputs = bit_vec_of_int_t_array v 8 in
- let outputs = bit_vec_of_int_t_array (${deserialize_12} v).f_elements 12 in
- (forall (i: nat {i < 192}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
+let deserialize_12_lemma inputs =
+ deserialize_12_bit_vec_lemma inputs;
+ BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12)
+ (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
#pop-options
"
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst
index a740de583..ac9d05a93 100644
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fst
@@ -4,14 +4,19 @@ open Core
open FStar.Mul
assume
-val adv_simd_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val simd128_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-let adv_simd_support = adv_simd_support'
+let simd128_support = simd128_support'
assume
-val aes_ni_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val simd256_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-let aes_ni_support = aes_ni_support'
+let simd256_support = simd256_support'
+
+assume
+val x25519_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+let x25519_support = x25519_support'
assume
val bmi2_adx_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
@@ -24,21 +29,16 @@ val pmull_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l
let pmull_support = pmull_support'
assume
-val sha256_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
-let sha256_support = sha256_support'
-
-assume
-val simd128_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val adv_simd_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-let simd128_support = simd128_support'
+let adv_simd_support = adv_simd_support'
assume
-val simd256_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val aes_ni_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-let simd256_support = simd256_support'
+let aes_ni_support = aes_ni_support'
assume
-val x25519_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val sha256_support': Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-let x25519_support = x25519_support'
+let sha256_support = sha256_support'
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti
index 95dad6932..793f0b321 100644
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti
@@ -3,18 +3,18 @@ module Libcrux_platform.Platform
open Core
open FStar.Mul
-val adv_simd_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-val aes_ni_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val simd256_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+val x25519_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
val bmi2_adx_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
val pmull_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-val sha256_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-
-val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val adv_simd_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-val simd256_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val aes_ni_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-val x25519_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val sha256_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst
index fa4428704..934670659 100644
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst
@@ -50,11 +50,11 @@ val impl_1': Core.Marker.t_Copy t_Feature
let impl_1 = impl_1'
assume
-val init': Prims.unit -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True)
+val supported': feature: t_Feature -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
-let init = init'
+let supported = supported'
assume
-val supported': feature: t_Feature -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+val init': Prims.unit -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True)
-let supported = supported'
+let init = init'
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
index 0c9c90e71..122af158f 100644
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
@@ -44,8 +44,8 @@ val impl:Core.Clone.t_Clone t_Feature
[@@ FStar.Tactics.Typeclasses.tcinstance]
val impl_1:Core.Marker.t_Copy t_Feature
-/// Initialize CPU detection.
-val init: Prims.unit -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True)
-
/// Check hardware [`Feature`] support.
val supported (feature: t_Feature) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
+
+/// Initialize CPU detection.
+val init: Prims.unit -> Prims.Pure Prims.unit Prims.l_True (fun _ -> Prims.l_True)