diff --git a/proofs/fstar/extraction-edited.patch b/proofs/fstar/extraction-edited.patch
index 63564ca7..6b5843dc 100644
--- a/proofs/fstar/extraction-edited.patch
+++ b/proofs/fstar/extraction-edited.patch
@@ -1,6 +1,6 @@
 diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst
 --- extraction/BitVecEq.fst 1970-01-01 01:00:00.000000000 +0100
-+++ extraction-edited/BitVecEq.fst 2024-02-19 11:45:43.372553294 +0100
++++ extraction-edited/BitVecEq.fst 2024-02-19 11:53:07.122952261 +0100
 @@ -0,0 +1,12 @@
 +module BitVecEq
 +
@@ -16,7 +16,7 @@ diff -ruN extraction/BitVecEq.fst extraction-edited/BitVecEq.fst
 +
 diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti
 --- extraction/BitVecEq.fsti 1970-01-01 01:00:00.000000000 +0100
-+++ extraction-edited/BitVecEq.fsti 2024-02-19 11:45:43.404552582 +0100
++++ extraction-edited/BitVecEq.fsti 2024-02-19 11:53:07.157951700 +0100
 @@ -0,0 +1,294 @@
 +module BitVecEq
 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
@@ -312,9 +312,61 @@ diff -ruN extraction/BitVecEq.fsti extraction-edited/BitVecEq.fsti + (ensures int_arr_bitwise_eq_range arr1 d arr2 d (n_offset1 * d) (n_offset2 * d) bits) + = admit () +*) +diff -ruN extraction/Libcrux.Digest.fst extraction-edited/Libcrux.Digest.fst +--- extraction/Libcrux.Digest.fst 2024-02-19 11:53:07.092952742 +0100 ++++ extraction-edited/Libcrux.Digest.fst 1970-01-01 01:00:00.000000000 +0100 +@@ -1,48 +0,0 @@ +-module Libcrux.Digest +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +-open Core +-open FStar.Mul +- +-let sha3_256_ (payload: t_Slice u8) = Libcrux.Hacl.Sha3.sha256 payload +- +-let sha3_512_ (payload: t_Slice u8) = Libcrux.Hacl.Sha3.sha512 payload +- +-let shake128 (v_LEN: usize) (data: t_Slice u8) = Libcrux.Hacl.Sha3.shake128 v_LEN data +- +-let shake256 (v_LEN: usize) (data: t_Slice u8) = Libcrux.Hacl.Sha3.shake256 v_LEN data +- +-let shake128x4_portable (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = +- let input_len:usize = Core.Slice.impl__len data0 in +- let _:Prims.unit = +- if true +- then +- let _:Prims.unit = +- if +- ~.((input_len =. (Core.Slice.impl__len data1 <: usize) <: bool) && +- (input_len =. (Core.Slice.impl__len data2 <: usize) <: bool) && +- (input_len =. (Core.Slice.impl__len data3 <: usize) <: bool) && +- (input_len <=. (cast (Core.Num.impl__u32__MAX <: u32) <: usize) <: bool) && +- (v_LEN <=. 
(cast (Core.Num.impl__u32__MAX <: u32) <: usize) <: bool)) +- then +- Rust_primitives.Hax.never_to_any (Core.Panicking.panic "assertion failed: input_len == data1.len() && input_len == data2.len() &&\\n input_len == data3.len() && input_len <= u32::MAX as usize &&\\n LEN <= u32::MAX as usize" +- +- <: +- Rust_primitives.Hax.t_Never) +- in +- () +- in +- let digest0:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data0 in +- let digest1:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data1 in +- let digest2:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data2 in +- let digest3:t_Array u8 v_LEN = Libcrux.Hacl.Sha3.shake128 v_LEN data3 in +- digest0, digest1, digest2, digest3 +- <: +- (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) +- +-let shake128x4_256_ (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = +- shake128x4_portable v_LEN data0 data1 data2 data3 +- +-let shake128x4 (v_LEN: usize) (data0 data1 data2 data3: t_Slice u8) = +- if Libcrux_platform.Platform.simd256_support () +- then shake128x4_256_ v_LEN data0 data1 data2 data3 +- else shake128x4_portable v_LEN data0 data1 data2 data3 diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti ---- extraction/Libcrux.Digest.fsti 2024-02-19 11:45:43.343553939 +0100 -+++ extraction-edited/Libcrux.Digest.fsti 2024-02-19 11:45:43.400552671 +0100 +--- extraction/Libcrux.Digest.fsti 2024-02-19 11:53:07.080952935 +0100 ++++ extraction-edited/Libcrux.Digest.fsti 2024-02-19 11:53:07.152951780 +0100 @@ -3,6 +3,11 @@ open Core open FStar.Mul 
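Review bot: The edited extraction now deletes Libcrux.Digest.fst outright (`+@@ -1,48 +0,0 @@`, every line of the module removed) while Libcrux.Digest.fsti is kept and still patched in the lines that follow, so in the verified tree the SHA3/SHAKE entry points exist only as interface declarations with no checked implementation behind them. Nothing in the patch records why; the effect is that every `val` of Libcrux.Digest.fsti joins the trusted base alongside the `admit()` calls in Libcrux.Kem.Kyber.Hash_functions.fst further down. A comment at the top of the edited Libcrux.Digest.fsti, e.g. `(* The .fst is deliberately dropped from extraction-edited: these digests are trusted, not verified. *)`, would make that boundary visible where readers look for it.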
@@ -341,7 +393,7 @@ diff -ruN extraction/Libcrux.Digest.fsti extraction-edited/Libcrux.Digest.fsti : Prims.Pure (t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN & t_Array u8 v_LEN) diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst --- extraction/Libcrux.Kem.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.fst 2024-02-19 11:45:43.388552938 +0100 ++++ extraction-edited/Libcrux.Kem.fst 2024-02-19 11:53:07.139951988 +0100 @@ -0,0 +1,6 @@ +module Libcrux.Kem +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -350,14 +402,16 @@ diff -ruN extraction/Libcrux.Kem.fst extraction-edited/Libcrux.Kem.fst + + diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-19 11:45:43.384553027 +0100 -@@ -0,0 +1,356 @@ -+module Libcrux.Kem.Kyber.Arithmetic +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-19 11:53:07.095952694 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-19 11:53:07.134952068 +0100 +@@ -1,81 +1,356 @@ + module Libcrux.Kem.Kyber.Arithmetic +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -+open Core -+open FStar.Mul -+ + open Core + open FStar.Mul + +-let get_n_least_significant_bits (n: u8) (value: u32) = + +let lemma_mul_i32_range (n1 n2: i32) (b1 b2: nat) + : Lemma (requires (i32_range n1 b1 /\ i32_range n2 b2 /\ b1 * b2 < pow2 31)) 
@@ -441,7 +495,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + +#push-options "--fuel 0 --ifuel 1 --z3rlimit 100 --split_queries always" +let get_n_least_significant_bits n value = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- value &. ((1ul <>! 1l <: i64) -+ in + (v_BARRETT_R >>! 1l <: i64) + in + assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2*3329)); + assert (v t = v x * v v_BARRETT_MULTIPLIER + pow2 25); -+ let quotient:i32 = cast (t >>! v_BARRETT_SHIFT <: i64) <: i32 in + let quotient:i32 = cast (t >>! v_BARRETT_SHIFT <: i64) <: i32 in + assert (v quotient = v t / pow2 26); -+ let result:i32 = value -! (quotient *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) in + let result:i32 = value -! (quotient *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) in +- let _:Prims.unit = () <: Prims.unit in + calc (==) { + v result % 3329; + (==) { } 
@@ -484,23 +542,29 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + (==) {} + (v value) % 3329; + }; -+ result + result +#pop-options -+ + +-let montgomery_reduce (value: i32) = +#push-options "--ifuel 0 --z3rlimit 1600" +let montgomery_reduce #b value = -+ let _:i32 = v_MONTGOMERY_R in -+ let _:Prims.unit = () <: Prims.unit in + let _:i32 = v_MONTGOMERY_R in + let _:Prims.unit = () <: Prims.unit in + let v0 = (cast (value <: i32) <: u32) in + assert (v v0 == v value % pow2 32); + let t0 = (get_n_least_significant_bits v_MONTGOMERY_SHIFT v0 <: u32) in + assert (v t0 = (v value % pow2 32) % pow2 16); + Math.Lemmas.pow2_modulo_modulo_lemma_1 (v value) 16 32; + assert (v t0 = v value % pow2 16); -+ let t:u32 = + let t:u32 = +- (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i32) <: u32) <: u32) *! +- v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + t0 *! + v_INVERSE_OF_MODULUS_MOD_R -+ in + in +- let k:i16 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u32) <: i16 in +- let k_times_modulus:i32 = +- (cast (k <: i16) <: i32) *! Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS + assert (v t = (v value % pow2 16) * v v_INVERSE_OF_MODULUS_MOD_R); + let k0 = get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u32 in + let k:i32_b (pow2 15) = cast (cast k0 <: i16) <: i32 in @@ -537,7 +601,10 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + assert ((v value - v k * 3329) % v v_MONTGOMERY_R == 0); + let k_times_modulus:i32_b (pow2 15 * 3329) = + mul_i32_b k Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS -+ in + in +- let c:i32 = k_times_modulus >>! v_MONTGOMERY_SHIFT in +- let value_high:i32 = value >>! v_MONTGOMERY_SHIFT in +- value_high -! c + let c:i32_b 1665 = shr_i32_b k_times_modulus v_MONTGOMERY_SHIFT in + let value_high:i32_b (nat_div_ceil b (v v_MONTGOMERY_R)) = shr_i32_b value v_MONTGOMERY_SHIFT in + assert (v value_high = v value / v v_MONTGOMERY_R); 
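Review bot: `#push-options "--ifuel 0 --z3rlimit 1600"` on montgomery_reduce is a sixteen-fold increase over the module's own `--z3rlimit 100` and is likely the most expensive single query in this file; a newer F* or Z3 can push it past the limit with nothing but a timeout to debug from. The body already spells out its steps as separate asserts (`assert (v t0 = v value % pow2 16)`, `assert ((v value - v k * 3329) % v v_MONTGOMERY_R == 0)`), so `--split_queries always`, which the get_n_least_significant_bits options in the hunk above already use, is the natural way to lower the budget and to localise a failure to one step. A one-line comment naming the step that needs the budget would help whoever next touches this proof. The function body and its `#pop-options` continue past the end of this hunk.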
@@ -577,13 +644,20 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + +let montgomery_multiply_sfe_by_fer fe fer = + montgomery_reduce (mul_i32_b fe fer) -+ -+ + +-let montgomery_multiply_fe_by_fer (fe fer: i32) = montgomery_reduce (fe *! fer <: i32) + +-let to_standard_domain (mfe: i32) = +- montgomery_reduce (mfe *! v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32) +let to_standard_domain mfe = + montgomery_reduce (mul_i32_b mfe (v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32_b 1353)) -+ + +-let to_unsigned_representative (fe: i32) = +let to_unsigned_representative fe = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- cast (fe +! (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS &. (fe >>! 31l <: i32) <: i32) <: i32) +- <: +- u16 + logand_lemma Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS (fe >>! 31l <: i32); + let res = + cast (fe +! (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS &. (fe >>! 31l <: i32) <: i32) <: i32) <: u16 @@ -623,7 +697,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + eq_intro dx dr; + assert(Seq.equal dx dr); + res -+ + +-let add_to_ring_element (v_K: usize) (lhs rhs: t_PolynomialRingElement) = +let cast_vector_b #v_K #b1 #b2 x = + let r = createi v_K (fun i -> cast_poly_b #b1 #b2 x.[i]) in + let dx = derefine_vector_b x in @@ -666,8 +741,10 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + + +let add_to_ring_element #b1 #b2 v_K lhs rhs = -+ let _:Prims.unit = () <: Prims.unit in -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let lhs:t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + let orig_lhs = lhs in + [@ inline_let] + let inv = fun (acc:t_PolynomialRingElement_b (b1+b2)) (i:usize) -> 
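Review bot: The refinement `v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS <: i32_b 1353` in to_standard_domain uses a bare literal with no link to the constant it bounds. 1353 is 2^32 mod 3329, i.e. R² mod q for R = 2^16, which is the constant's own value, so the bound is tight by construction; a comment `(* 1353 = 2^32 mod 3329, the value of the constant itself *)` would let a reader confirm the bound without recomputing it.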
@@ -675,43 +752,57 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fst extraction-edited/Libcrux. + (forall j. j >=. i ==> acc.f_coefficients.[j] == orig_lhs.f_coefficients.[j]) in + let lhs:t_PolynomialRingElement_b (b1 + b2) = + Rust_primitives.Iterators.foldi_range #_ #(t_PolynomialRingElement_b (b1+b2)) #inv { -+ Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_start = sz 0; +- Core.Ops.Range.f_end +- = +- Core.Slice.impl__len (Rust_primitives.unsize lhs.f_coefficients <: t_Slice i32) +- <: +- usize + Core.Ops.Range.f_end = + Core.Slice.impl__len (Rust_primitives.unsize lhs.f_coefficients <: t_Slice (i32_b b1)) -+ } + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +- lhs + (cast_poly_b #b1 #(b1+b2) lhs) -+ (fun lhs i -> + (fun lhs i -> +- let lhs:t_PolynomialRingElement = lhs in + let lhs:t_PolynomialRingElement_b (b1+b2) = lhs in -+ let i:usize = i in + let i:usize = i in + assert (orig_lhs.f_coefficients.[i] == lhs.f_coefficients.[i]); + let lhsi: i32_b b1 = orig_lhs.f_coefficients.[i] in + let lhs = -+ { -+ lhs with -+ f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs.f_coefficients -+ i + { + lhs with + f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs.f_coefficients + i +- ((lhs.f_coefficients.[ i ] <: i32) +! (rhs.f_coefficients.[ i ] <: i32) <: i32) + (add_i32_b #b1 #b2 (lhsi) (rhs.f_coefficients.[ i ])) -+ <: + <: +- t_Array i32 (sz 256) + t_Array (i32_b (b1 + b2)) (sz 256) -+ } -+ <: + } + <: +- t_PolynomialRingElement) + t_PolynomialRingElement_b (b1 + b2) + in + assert (forall j. (j >. i /\ j <. sz 256) ==> lhs.f_coefficients.[j] == orig_lhs.f_coefficients.[j]); + lhs + ) -+ in -+ let _:Prims.unit = () <: Prims.unit in + in + let _:Prims.unit = () <: Prims.unit in + assert (forall j. j <. sz 256 ==> lhs.f_coefficients.[j] == orig_lhs.f_coefficients.[j] +! 
rhs.f_coefficients.[j]); -+ lhs + lhs + + + diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:45:43.337554072 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:45:43.375553227 +0100 +--- extraction/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:53:07.070953095 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:53:07.125952213 +0100 @@ -3,10 +3,32 @@ open Core open FStar.Mul 
@@ -1062,21 +1153,37 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-edited/Libcrux - <: - bool)) diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Kem.Kyber.Compress.fst ---- extraction/Libcrux.Kem.Kyber.Compress.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-19 11:45:43.366553427 +0100 -@@ -0,0 +1,79 @@ -+module Libcrux.Kem.Kyber.Compress +--- extraction/Libcrux.Kem.Kyber.Compress.fst 2024-02-19 11:53:07.075953015 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-19 11:53:07.115952373 +0100 +@@ -1,39 +1,79 @@ + module Libcrux.Kem.Kyber.Compress +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 0 --z3rlimit 200" -+open Core -+open FStar.Mul -+ + open Core + open FStar.Mul + +-let compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) = +- let _:Prims.unit = () <: Prims.unit in +- let _:Prims.unit = () <: Prims.unit in +- let compressed:u64 = (cast (fe <: u16) <: u64) <>! 35l in +- cast (Libcrux.Kem.Kyber.Arithmetic.get_n_least_significant_bits coefficient_bits +- (cast (compressed <: u64) <: u32) +- <: +- u32) +- <: +- i32 +- +-let compress_message_coefficient (fe: u16) = +let compress_message_coefficient fe = -+ let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in + let (shifted: i16):i16 = 1664s -! (cast (fe <: u16) <: i16) in + assert (v shifted == 1664 - v fe); -+ let mask:i16 = shifted >>! 15l in + let mask:i16 = shifted >>! 15l in + assert (v mask = v shifted / pow2 15); + assert (if v shifted < 0 then mask = ones else mask = zero); -+ let shifted_to_positive:i16 = mask ^. shifted in + let shifted_to_positive:i16 = mask ^. shifted in + logxor_lemma shifted mask; + assert (v shifted < 0 ==> v shifted_to_positive = v (lognot shifted)); + neg_equiv_lemma shifted; 
@@ -1086,7 +1193,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke + assert (v shifted >= 0 ==> mask ^. shifted = shifted); + assert (v shifted >= 0 ==> v shifted_to_positive = v shifted); + assert (shifted_to_positive >=. 0s); -+ let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in + let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in +- cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8 + assert (1664 - v fe >= 0 ==> v shifted_positive_in_range == 832 - v fe); + assert (1664 - v fe < 0 ==> v shifted_positive_in_range == -2497 + v fe); + let r0 = shifted_positive_in_range >>! 15l in @@ -1118,22 +1226,27 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke + i32 + in + res -+ + +-let decompress_ciphertext_coefficient (coefficient_bits: u8) (fe: i32) = +#push-options "--z3rlimit 300" +let decompress_ciphertext_coefficient coefficient_bits fe = -+ let _:Prims.unit = () <: Prims.unit in -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + assert (v (1ul <>! (coefficient_bits +! 1uy <: u8) in + let decompressed:u32 = + (cast (fe <: i32) <: u32) *! (cast (Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32) <: u32) + in + let decompressed:u32 = (decompressed <>! (coefficient_bits +! 1uy <: u8) in +- cast (decompressed <: u32) <: i32 + let res = cast (decompressed <: u32) <: i32 in + let res : Libcrux.Kem.Kyber.Arithmetic.i32_b 3328 = res in + res -+ + +-let decompress_message_coefficient (fe: i32) = +- (Core.Ops.Arith.Neg.neg fe <: i32) &. +- ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32) +let decompress_message_coefficient fe = + let res = (Core.Ops.Arith.Neg.neg fe <: i32) &. + ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32) in 
@@ -1145,8 +1258,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fst extraction-edited/Libcrux.Ke
 + res <: Libcrux.Kem.Kyber.Arithmetic.i32_b 3328
 +#pop-options
 diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.Kem.Kyber.Compress.fsti
---- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:45:43.325554338 +0100
-+++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:45:43.395552782 +0100
+--- extraction/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:53:07.059953272 +0100
++++ extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:53:07.147951860 +0100
 @@ -3,8 +3,19 @@
  open Core
  open FStar.Mul
@@ -1212,17 +1325,19 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Compress.fsti extraction-edited/Libcrux.K
 + (requires fe =. 0l || fe =. 1l)
 + (fun result -> v result >= 0 /\ v result < 3329)
 diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst
---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 1970-01-01 01:00:00.000000000 +0100
-+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-19 11:45:43.378553160 +0100
-@@ -0,0 +1,166 @@
-+module Libcrux.Kem.Kyber.Constant_time_ops
-+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
-+open Core
-+open FStar.Mul
-+
-+let is_non_zero (value: u8) =
+--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-19 11:53:07.096952678 +0100
++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-19 11:53:07.128952165 +0100
+@@ -4,56 +4,163 @@
+ open FStar.Mul
+ 
+ let is_non_zero (value: u8) =
 + let orig_value = value in
-+ let value:u16 = cast (value <: u8) <: u16 in
+ let value:u16 = cast (value <: u8) <: u16 in
+- let result:u16 =
+- ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &.
+- 1us
+- in
+- cast (result <: u16) <: u8
 + let result:u8 = cast ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l <: u16) in
 + let res:u8 = result &. 1uy in
 + if v orig_value = 0 then (
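Review bot: The edited body of is_non_zero drops the `value |.` term that the generated extraction has (removed lines `+- ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &.` / `+- 1us`), so the proof is about a model that computes `(~value + 1) >> 8 & 1` rather than the extracted `(value | (~value + 1)) >> 8 & 1`. The two agree for every input because `value` is a zero-extended u8: for value <> 0, `~value + 1` is 65536 - value, whose high byte is 0xFF with or without the or-term, and both are 0 for value = 0, but that equivalence is stated nowhere, and it is exactly the kind of gap between verified model and shipped code that a reader of these proofs needs to see. A comment at `let result:u8 = ...`, e.g. `(* differs from the extracted form by omitting value |.; equal for all u8 inputs since the high byte of (~value + 1) is already 0xFF whenever value <> 0 *)`, or better, keeping the generated expression and proving the postcondition on it, would close that gap.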
@@ -1253,11 +1368,12 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + assert (res = 1uy); + res + ) -+ + +-let compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) = +let compare_ciphertexts_in_constant_time v_CIPHERTEXT_SIZE lhs rhs = -+ let _:Prims.unit = () <: Prims.unit in -+ let _:Prims.unit = () <: Prims.unit in -+ let (r: u8):u8 = 0uy in + let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + let (r: u8):u8 = 0uy in + [@ inline_let] + let inv = fun (acc:u8) (i:usize) -> + v i <= v v_CIPHERTEXT_SIZE /\ @@ -1265,15 +1381,21 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + acc == 0uy + else ~ (acc == 0uy)) + in -+ let r:u8 = + let r:u8 = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Rust_primitives.Iterators.foldi_range #_ #u8 #inv { -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = v_CIPHERTEXT_SIZE -+ } -+ r -+ (fun r i -> -+ let r:u8 = r in -+ let i:usize = i in + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_CIPHERTEXT_SIZE + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) + r + (fun r i -> + let r:u8 = r in + let i:usize = i in +- r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <: u8) + let nr = r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <: u8 in + if r =. 0uy then ( + if (Seq.index lhs (v i) = Seq.index rhs (v i)) then ( 
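Review bot: The fold body of compare_ciphertexts_in_constant_time now branches on `r =. 0uy` and on `Seq.index lhs (v i) = Seq.index rhs (v i)`, that is on the secret-dependent comparison result, inside the one function whose purpose is to avoid such branches; the generated line it replaces (`+- r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <: u8)`) is branch-free. Presumably every arm yields the same `nr` and the split exists only to discharge the invariant `inv`, but nothing says so, and the select_shared_secret_in_constant_time hunks below do the same with `if (selector =. 0uy) then ( eq_intro out lhs; out`. A comment at `let nr = ...`, e.g. `(* proof-only case split: every arm returns nr; the extracted code has no branch here *)`, would stop a reader from taking the model's control flow as evidence about the implementation's timing. The inner `if` and its arms close outside this hunk.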
@@ -1307,33 +1429,39 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + else nr + ) + ) -+ in + in +- is_non_zero r + let res = is_non_zero r in + res -+ + +#push-options "--ifuel 0 --z3rlimit 50" -+let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = -+ let _:Prims.unit = () <: Prims.unit in -+ let _:Prims.unit = () <: Prims.unit in -+ let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in + let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = + let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in + assert (if selector = 0uy then mask = ones else mask = zero); + lognot_lemma mask; + assert (if selector = 0uy then ~.mask = zero else ~.mask = ones); -+ let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + [@ inline_let] + let inv = fun (acc:t_Array u8 (sz 32)) (i:usize) -> + v i <= 32 /\ + (forall j. j < v i ==> (if (selector =. 0uy) then Seq.index acc j == Seq.index lhs j else Seq.index acc j == Seq.index rhs j)) /\ + (forall j. 
j >= v i ==> Seq.index acc j == 0uy) + in -+ let out:t_Array u8 (sz 32) = + let out:t_Array u8 (sz 32) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Rust_primitives.Iterators.foldi_range #_ #(t_Array u8 (sz 32)) #inv { -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE -+ } -+ out -+ (fun out i -> -+ let out:t_Array u8 (sz 32) = out in + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) + out + (fun out i -> + let out:t_Array u8 (sz 32) = out in + assert ((out.[ i ] <: u8) = 0uy); + let outi = + ((out.[ i ] <: u8) |. @@ -1365,13 +1493,15 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + assert (((out.[ i ] <: u8) |. (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8) <: u8) == (rhs.[ i ] <: u8)); + assert (outi = (rhs.[ i ] <: u8)) + ); -+ let i:usize = i in -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ i + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i +- (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8) + outi -+ <: -+ t_Array u8 (sz 32)) -+ in + <: + t_Array u8 (sz 32)) + in +- out + if (selector =. 0uy) then ( + eq_intro out lhs; + out 
@@ -1382,8 +1512,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-edited/L + ) +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:45:43.351553761 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:45:43.385553005 +0100 +--- extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:53:07.093952726 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:53:07.135952052 +0100 @@ -20,7 +20,8 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1415,8 +1545,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-edited/ + Hax_lib.implies (selector =. 0uy <: bool) (fun _ -> result =. lhs <: bool) && + Hax_lib.implies (selector <>. 0uy <: bool) (fun _ -> result =. rhs <: bool)) diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.fst ---- extraction/Libcrux.Kem.Kyber.fst 2024-02-19 11:45:43.327554294 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-19 11:45:43.370553338 +0100 +--- extraction/Libcrux.Kem.Kyber.fst 2024-02-19 11:53:07.060953256 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-19 11:53:07.120952293 +0100 @@ -1,12 +1,29 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" 
@@ -1690,8 +1820,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fst extraction-edited/Libcrux.Kem.Kyber.f (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber.fsti ---- extraction/Libcrux.Kem.Kyber.fsti 2024-02-19 11:45:43.346553872 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-19 11:45:43.398552716 +0100 +--- extraction/Libcrux.Kem.Kyber.fsti 2024-02-19 11:53:07.086952839 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-19 11:53:07.150951812 +0100 @@ -10,36 +10,84 @@ Libcrux.Kem.Kyber.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE 
@@ -1792,128 +1922,62 @@ diff -ruN extraction/Libcrux.Kem.Kyber.fsti extraction-edited/Libcrux.Kem.Kyber. + (ensures (fun kp -> + (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.ind_cca_generate_keypair p randomness)) diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fst extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-19 11:45:43.376553205 +0100 -@@ -0,0 +1,116 @@ -+module Libcrux.Kem.Kyber.Hash_functions -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+open Core -+open FStar.Mul -+ +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-19 11:53:07.097952662 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-19 11:53:07.127952181 +0100 +@@ -3,13 +3,23 @@ + open Core + open FStar.Mul + +-let v_G (input: t_Slice u8) = Libcrux.Digest.sha3_512_ input +let v_G (input: t_Slice u8) = + let res = Libcrux.Digest.sha3_512_ input in + admit(); // We assume that sha3_512 correctly implements G + res -+ + +-let v_H (input: t_Slice u8) = Libcrux.Digest.sha3_256_ input +let v_H (input: t_Slice u8) = + let res = Libcrux.Digest.sha3_256_ input in + admit(); // We assume that sha3_512 correctly implements H + res -+ + +-let v_PRF (v_LEN: usize) (input: t_Slice u8) = Libcrux.Digest.shake256 v_LEN input +let v_PRF (v_LEN: usize) (input: t_Slice u8) = + let res = Libcrux.Digest.shake256 v_LEN input in + admit(); // We assume that sha3_512 correctly implements H + res -+ + +-let v_XOFx4 (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) = +let v_XOFx4 v_K (input: t_Array (t_Array u8 (sz 34)) v_K) = + assert (v v_K >= 2); -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ if ~.(Libcrux_platform.Platform.simd256_support () <: bool) -+ then 
-+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = v_K -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ <: -+ Core.Ops.Range.t_Range usize) -+ out -+ (fun out i -> -+ let out:t_Array (t_Array u8 (sz 840)) v_K = out in -+ let i:usize = i in -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ i -+ (Libcrux.Digest.shake128 (sz 840) -+ (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ <: -+ t_Array u8 (sz 840)) -+ <: -+ t_Array (t_Array u8 (sz 840)) v_K) -+ else -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ match cast (v_K <: usize) <: u8 with -+ | 2uy -> -+ let d0, d1, _, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & -+ t_Array u8 (sz 840)) = -+ Libcrux.Digest.shake128x4 (sz 840) -+ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 -+ in -+ out -+ | 3uy -> + let out:t_Array (t_Array u8 (sz 840)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0uy (sz 840) <: t_Array u8 (sz 840)) v_K + in +@@ -56,6 +66,7 @@ + in + out + | 3uy -> + assert (v (cast v_K <: u8) = 3); -+ let d0, d1, d2, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & -+ t_Array u8 (sz 840)) = -+ Libcrux.Digest.shake128x4 (sz 840) -+ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ 
(Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) d2 -+ in -+ out -+ | 4uy -> + let d0, d1, d2, _:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux.Digest.shake128x4 (sz 840) +@@ -75,6 +86,7 @@ + in + out + | 4uy -> + assert (v (cast v_K <: u8) = 4); -+ let d0, d1, d2, d3:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & -+ t_Array u8 (sz 840)) = -+ Libcrux.Digest.shake128x4 (sz 840) -+ (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ (Rust_primitives.unsize (input.[ sz 3 ] <: t_Array u8 (sz 34)) <: t_Slice u8) -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 0) d0 -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 1) d1 -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 2) d2 -+ in -+ let out:t_Array (t_Array u8 (sz 840)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out (sz 3) d3 -+ in -+ out -+ | _ -> out -+ in -+ out -+ in + let d0, d1, d2, d3:(t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux.Digest.shake128x4 (sz 840) +@@ 
-100,4 +112,5 @@ + in + out + in +- out + admit(); // We assume that shake128x4 correctly implements XOFx4 + out diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:45:43.324554361 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:45:43.403552604 +0100 +--- extraction/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:53:07.055953336 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:53:07.155951732 +0100 @@ -3,12 +3,17 @@ open Core open FStar.Mul @@ -1939,8 +2003,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-edited/Lib + (ensures (fun res -> + (forall i. i < v v_K ==> Seq.index res i == Spec.Kyber.v_XOF (sz 840) (Seq.index input i)))) diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:45:43.330554227 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:45:43.401552649 +0100 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:53:07.062953223 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:53:07.153951764 +0100 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2651,8 +2715,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-edited/Libcrux.Kem + res + diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:45:43.352553738 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:45:43.391552871 +0100 +--- extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:53:07.100952614 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:53:07.142951940 +0100 
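Review bot: The `admit()` comments in v_H and v_PRF are copy-paste errors: `// We assume that sha3_512 correctly implements H` sits on a function that calls `Libcrux.Digest.sha3_256_`, and the same sentence is repeated on v_PRF, which calls `Libcrux.Digest.shake256` and models PRF, not H. Since these four admits are the trusted base that ties the hash calls to Spec.Kyber, each should name the primitive it actually trusts: `// We assume that sha3_256 correctly implements H` and `// We assume that shake256 correctly implements PRF`. The v_XOFx4 admit in the last inner hunk is labelled correctly.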
@@ -1,80 +1,151 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" 
@@ -2854,149 +2918,113 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-edited/Libcrux.Ke + + diff -ruN extraction/Libcrux.Kem.Kyber.Kyber1024.fst extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-19 11:45:43.361553538 +0100 -@@ -0,0 +1,43 @@ -+module Libcrux.Kem.Kyber.Kyber1024 -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+open Core -+open FStar.Mul -+ -+let decapsulate -+ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) -+ (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) -+ = +--- extraction/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-19 11:53:07.087952823 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-19 11:53:07.110952454 +0100 +@@ -7,19 +7,19 @@ + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 3168)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1568)) + = +- Libcrux.Kem.Kyber.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) (sz 1408) + Libcrux.Kem.Kyber.decapsulate #Spec.Kyber.kyber1024_params (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) (sz 1536) (sz 1408) -+ (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) secret_key ciphertext -+ -+let encapsulate -+ (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) -+ (randomness: t_Array u8 (sz 32)) -+ = + (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) secret_key ciphertext + + let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) + (randomness: t_Array u8 (sz 32)) + = +- Libcrux.Kem.Kyber.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) + Libcrux.Kem.Kyber.encapsulate #Spec.Kyber.kyber1024_params (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) -+ (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness 
-+ -+let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) = -+ if + (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + + let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) = + if +- Libcrux.Kem.Kyber.validate_public_key (sz 4) + Libcrux.Kem.Kyber.validate_public_key #Spec.Kyber.kyber1024_params (sz 4) -+ (sz 1536) -+ (sz 1568) -+ public_key.Libcrux.Kem.Kyber.Types.f_value -+ then -+ Core.Option.Option_Some public_key -+ <: -+ Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) -+ else -+ Core.Option.Option_None -+ <: -+ Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) -+ -+let generate_key_pair (randomness: t_Array u8 (sz 64)) = + (sz 1536) + (sz 1568) + public_key.Libcrux.Kem.Kyber.Types.f_value +@@ -33,7 +33,7 @@ + Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1568)) + + let generate_key_pair (randomness: t_Array u8 (sz 64)) = +- Libcrux.Kem.Kyber.generate_keypair (sz 4) + Libcrux.Kem.Kyber.generate_keypair #Spec.Kyber.kyber1024_params (sz 4) -+ (sz 1536) -+ (sz 3168) -+ (sz 1568) -+ (sz 1536) -+ (sz 2) -+ (sz 128) -+ randomness + (sz 1536) + (sz 3168) + (sz 1568) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber512.fst extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction/Libcrux.Kem.Kyber.Kyber512.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-19 11:45:43.381553093 +0100 -@@ -0,0 +1,43 @@ -+module Libcrux.Kem.Kyber.Kyber512 -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+open Core -+open FStar.Mul -+ -+let decapsulate -+ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) -+ (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) -+ = +--- extraction/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-19 11:53:07.053953368 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-19 11:53:07.131952117 +0100 +@@ -7,19 
+7,19 @@ + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 1632)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 768)) + = +- Libcrux.Kem.Kyber.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) + Libcrux.Kem.Kyber.decapsulate #Spec.Kyber.kyber512_params (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) (sz 768) (sz 640) -+ (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) secret_key ciphertext -+ -+let encapsulate -+ (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) -+ (randomness: t_Array u8 (sz 32)) -+ = + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) secret_key ciphertext + + let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) + (randomness: t_Array u8 (sz 32)) + = +- Libcrux.Kem.Kyber.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) + Libcrux.Kem.Kyber.encapsulate #Spec.Kyber.kyber512_params (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) -+ (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness -+ -+let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) = -+ if + (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + + let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) = + if +- Libcrux.Kem.Kyber.validate_public_key (sz 2) + Libcrux.Kem.Kyber.validate_public_key #Spec.Kyber.kyber512_params (sz 2) -+ (sz 768) -+ (sz 800) -+ public_key.Libcrux.Kem.Kyber.Types.f_value -+ then -+ Core.Option.Option_Some public_key -+ <: -+ Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) -+ else -+ Core.Option.Option_None -+ <: -+ Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) -+ -+let generate_key_pair (randomness: t_Array u8 (sz 64)) = + (sz 768) + (sz 800) + public_key.Libcrux.Kem.Kyber.Types.f_value +@@ -33,7 +33,7 @@ + Core.Option.t_Option 
(Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 800)) + + let generate_key_pair (randomness: t_Array u8 (sz 64)) = +- Libcrux.Kem.Kyber.generate_keypair (sz 2) + Libcrux.Kem.Kyber.generate_keypair #Spec.Kyber.kyber512_params (sz 2) -+ (sz 768) -+ (sz 1632) -+ (sz 800) -+ (sz 768) -+ (sz 3) -+ (sz 192) -+ randomness + (sz 768) + (sz 1632) + (sz 800) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fst extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction/Libcrux.Kem.Kyber.Kyber768.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-19 11:45:43.379553138 +0100 -@@ -0,0 +1,43 @@ -+module Libcrux.Kem.Kyber.Kyber768 -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+open Core -+open FStar.Mul -+ -+let decapsulate -+ (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) -+ (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) -+ = +--- extraction/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-19 11:53:07.057953304 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-19 11:53:07.130952133 +0100 +@@ -7,19 +7,19 @@ + (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) + (ciphertext: Libcrux.Kem.Kyber.Types.t_MlKemCiphertext (sz 1088)) + = +- Libcrux.Kem.Kyber.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) (sz 960) + Libcrux.Kem.Kyber.decapsulate #Spec.Kyber.kyber768_params (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) (sz 1152) (sz 960) -+ (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) secret_key ciphertext -+ -+let encapsulate -+ (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) -+ (randomness: t_Array u8 (sz 32)) -+ = + (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) secret_key ciphertext + + let encapsulate + (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) + (randomness: t_Array u8 (sz 32)) + = +- Libcrux.Kem.Kyber.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 
1152) (sz 960) (sz 128) (sz 10) + Libcrux.Kem.Kyber.encapsulate #Spec.Kyber.kyber768_params (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) (sz 128) (sz 10) -+ (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness -+ -+let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) = -+ if + (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness + + let validate_public_key (public_key: Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) = + if +- Libcrux.Kem.Kyber.validate_public_key (sz 3) + Libcrux.Kem.Kyber.validate_public_key #Spec.Kyber.kyber768_params (sz 3) -+ (sz 1152) -+ (sz 1184) -+ public_key.Libcrux.Kem.Kyber.Types.f_value -+ then -+ Core.Option.Option_Some public_key -+ <: -+ Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) -+ else -+ Core.Option.Option_None -+ <: -+ Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) -+ -+let generate_key_pair (randomness: t_Array u8 (sz 64)) = + (sz 1152) + (sz 1184) + public_key.Libcrux.Kem.Kyber.Types.f_value +@@ -33,7 +33,7 @@ + Core.Option.t_Option (Libcrux.Kem.Kyber.Types.t_MlKemPublicKey (sz 1184)) + + let generate_key_pair (randomness: t_Array u8 (sz 64)) = +- Libcrux.Kem.Kyber.generate_keypair (sz 3) + Libcrux.Kem.Kyber.generate_keypair #Spec.Kyber.kyber768_params (sz 3) -+ (sz 1152) -+ (sz 2400) -+ (sz 1184) -+ (sz 1152) -+ (sz 2) -+ (sz 128) -+ randomness + (sz 1152) + (sz 2400) + (sz 1184) diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:45:43.342553960 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:45:43.369553360 +0100 +--- extraction/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:53:07.078952967 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:53:07.119952309 +0100 
@@ -74,14 +74,15 @@ val decapsulate (secret_key: Libcrux.Kem.Kyber.Types.t_MlKemPrivateKey (sz 2400)) 
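Review bot: The Kyber1024 wrappers now pass `#Spec.Kyber.kyber1024_params` while the same parameter set is still spelled out as literals on the same line (`(sz 4) (sz 3168) (sz 1536) (sz 1568) ...`), so each call carries two independent sources of truth for one parameter set and nothing in this hunk relates them. Presumably the callee's refinement ties the literals to the record, but that signature is outside the hunk; if it does not, a mismatch between record and literals would type-check and verify against the wrong spec instance. Suggest either deriving the literals from the record at the spec-level signature or adding one static check per literal, e.g. `let _ = assert_norm (Spec.Kyber.kyber1024_params.<field placeholder> == sz 4)`, next to the wrappers. The Kyber512 and Kyber768 sections in this hunk have the same shape.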
@@ -3022,14 +3050,35 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Kyber768.fsti extraction-edited/Libcrux.K - (fun _ -> Prims.l_True) + (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.Kyber.Matrix.fst ---- extraction/Libcrux.Kem.Kyber.Matrix.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-19 11:45:43.407552515 +0100 -@@ -0,0 +1,527 @@ -+module Libcrux.Kem.Kyber.Matrix -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+open Core -+open FStar.Mul -+ +--- extraction/Libcrux.Kem.Kyber.Matrix.fst 2024-02-19 11:53:07.065953175 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-19 11:53:07.160951652 +0100 +@@ -3,192 +3,188 @@ + open Core + open FStar.Mul + +-let compute_As_plus_e +- (v_K: usize) +- (matrix_A: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) +- (s_as_ntt error_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- = +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K +- in +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__iter (Rust_primitives.unsize matrix_A +- <: +- t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) +- <: +- Core.Slice.Iter.t_Iter +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter (t_Array 
Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))) +open Libcrux.Kem.Kyber.Arithmetic + +let op_Array_Access (x:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) (i:usize{v i < 256}): i32 = @@ -3051,13 +3100,29 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + let result:t_Array wfPolynomialRingElement v_K = + Rust_primitives.Iterators.foldi_slice #(t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) #(t_Array wfPolynomialRingElement v_K) #inv0 + matrix_A -+ result -+ (fun result temp_1_ -> + result + (fun result temp_1_ -> +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = result in +- let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = + let orig_result = result in + let orig_result_cast = (cast_vector_b #v_K #3328 #(v v_K * 3328) orig_result) in + let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) = -+ temp_1_ -+ in + temp_1_ + in +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__iter (Rust_primitives.unsize row +- <: +- t_Slice Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- <: +- Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)) +- result + [@ inline_let] + let inv1 = fun (acc:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) v_K) (inner:usize) -> + (v inner <= v v_K) /\ 
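Review bot: The Matrix.fst file header moves from the 1970 epoch placeholder (a file created wholesale by the patch) to a real extraction timestamp, and the inner hunk header becomes `@@ -3,192 +3,188 @@` with `-` lines that reproduce hax's generated `compute_As_plus_e` verbatim, so the edited patch now applies only when the extraction output matches those lines byte for byte. If the extraction is not regenerated and the patch re-applied on every change to the hax version or the Rust sources, drift would surface as a failed `patch` at best and as proofs run against stale code at worst. Suggest a CI step that re-extracts and checks `patch --dry-run` against the fresh output before verification, and a one-line comment at the top of the patch naming the hax revision the `-` lines were taken from (`<hax revision placeholder>`). The Kyber1024/512/768 file headers in the preceding hunk undergo the same shift.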
@@ -3071,28 +3136,50 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + Rust_primitives.Iterators.foldi_slice #Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement #(t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) v_K) #inv1 + row + orig_result_cast -+ (fun result temp_1_ -> -+ let j, matrix_element:(usize & + (fun result temp_1_ -> +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- result +- in + let j, matrix_element:(usize & +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) = -+ temp_1_ -+ in + temp_1_ + in +- let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let resulti = down_cast_poly_b #(v v_K * 3328) #(v j * 3328) result.[i] in + let product:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ Libcrux.Kem.Kyber.Ntt.ntt_multiply matrix_element + Libcrux.Kem.Kyber.Ntt.ntt_multiply matrix_element +- (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + (s_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ in + in +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + let product_sum:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b ((v j + 1) * 3328) = + (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element #(v j * 3328) #3328 v_K + resulti + product) in + let product_sum:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) = cast_poly_b #((v j+1)* 3328) #(v v_K * 3328) product_sum in + let result:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result -+ i + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i +- (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K +- (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- product +- <: +- 
Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + product_sum -+ in -+ result) -+ in + in + result) + in +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ +- Core.Ops.Range.f_start = sz 0; +- Core.Ops.Range.f_end +- = +- Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) + let result1 = result in + [@ inline_let] + let inv2 = fun (acc:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) v_K) (inner:usize) -> 
@@ -3108,15 +3195,26 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + } -+ result + result +- (fun result j -> +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- result +- in + (fun result j -> + let result: t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) v_K = result in -+ let j:usize = j in + let j:usize = j in +- let coefficient_normal_form:i32 = +- Libcrux.Kem.Kyber.Arithmetic.to_standard_domain ((result.[ i ] +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] +- <: +- i32) + let resulti:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) = result.[ i ] <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328)) in + let coefficient_normal_form: i32_b ((nat_div_ceil (v v_K * 3328 * 1353) (pow2 16)) + 1665) = + Libcrux.Kem.Kyber.Arithmetic.to_standard_domain #(v v_K * 3328) (resulti + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]) -+ in + in + assert ((nat_div_ceil (v v_K * 3328 * 1353) (pow2 16)) + 1665 <= 1940); + let coefficient_normal_form: i32_b 1940 = cast_i32_b #((nat_div_ceil (v v_K * 3328 * 1353) (pow2 16)) + 1665) #1940 coefficient_normal_form in + let x1: i32_b 3328 = (error_as_ntt.[ i ] 
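Review bot: The literal `1940` in `assert ((nat_div_ceil (v v_K * 3328 * 1353) (pow2 16)) + 1665 <= 1940)` and in the following `cast_i32_b #(...) #1940` is undocumented, and it is exactly tight for K = 4 (ceil(4*3328*1353 / 2^16) = 275, plus 1665 = 1940) while failing for K = 5, so the assert is what silently pins this proof to the ML-KEM parameter sets. These lines are outer-diff context rather than new in this commit, but they remain on the new side. Suggest a comment above the assert, `// 1940 = ceil(4 * 3328 * 1353 / 2^16) + 1665, tight for K = 4; this assert is what rejects larger K`, so a future parameter change fails loudly with a known reason. The enclosing compute_As_plus_e starts and ends outside this hunk.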
@@ -3133,14 +3231,37 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + (resulti.Libcrux.Kem.Kyber.Arithmetic.f_coefficients) + j resultij in + let result = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result -+ i -+ ({ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + ({ +- (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with + resulti with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ] +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- j +- (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +! +- ((error_as_ntt.[ i ] +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] +- <: +- i32) +- <: +- i32) +- <: +- i32) +- <: +- t_Array i32 (sz 256) + = resulti_coeffs -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement))) +- in +- result + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K*3328)) in + assert ((result.[i]).f_coefficients.[j] == resultij); + assert(inv2 result (j +! sz 1)); @@ -3156,7 +3277,14 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + admit(); //P-F + result +#pop-options -+ + +-let compute_message +- (v_K: usize) +- (v: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (secret_as_ntt u_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- = +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO +#push-options "--ifuel 0 --z3rlimit 100" +let compute_message #p v_K m_v secret_as_ntt u_as_ntt = + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = 
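Review bot: `admit(); //P-F` immediately before the final `result` of compute_As_plus_e leaves the function's postcondition admitted rather than proved, and the two-letter comment does not say which obligation is skipped or where it is tracked. The line is outer-diff context, so it is not introduced here, but it is still on the new side and is the trust gap a reader of the proof will want to find quickly. Suggest replacing the comment with one that names the admitted obligation and its tracking reference, e.g. `// ADMIT: postcondition of compute_As_plus_e not yet discharged (see <tracking issue placeholder>)`. The same `admit(); //P-F` recurs at the hunks closing compute_message (`@@ -3229`) and compute_ring_element_v (`@@ -3307`).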
@@ -3167,58 +3295,99 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + let inv = fun (acc:acc_t) (i:usize) -> + (v i <= v v_K) /\ + (poly_range #(v v_K * 3328) acc (v i * 3328)) -+ in + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = + Rust_primitives.Iterators.foldi_range #_ #acc_t #inv { -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = v_K -+ } + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +- result + result -+ (fun result i -> -+ let i:usize = i in + (fun result i -> +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in + let i:usize = i in +- let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let result:t_PolynomialRingElement_b (v i * 3328) = + down_cast_poly_b #(v v_K * 3328) #(v i * 3328) result in + let product:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ Libcrux.Kem.Kyber.Ntt.ntt_multiply (secret_as_ntt.[ i ] -+ <: + Libcrux.Kem.Kyber.Ntt.ntt_multiply (secret_as_ntt.[ i ] + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + (u_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ in + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b ((v i+1) * 3328) = -+ Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product -+ in + Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product + in + let result = cast_poly_b #((v i + 1) * 3328) #(v v_K * 3328) result in + assert(inv result (i +! 
sz 1)); -+ result) -+ in + result) + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result + let acc_t = t_PolynomialRingElement_b (64*v v_K*3328) in + let result:acc_t = Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result -+ in + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + [@ inline_let] + let inv = fun (acc:acc_t) (i:usize) -> + (v i <= 256) /\ + (forall (j:usize). (v j < v i) ==> i32_range ((acc <: t_PolynomialRingElement_b (64* v v_K * 3328)).f_coefficients.[j]) 3328) in + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K*3328) = + Rust_primitives.Iterators.foldi_range #_ #_ #inv { -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -+ } + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +- result + result -+ (fun result i -> -+ let i:usize = i in + (fun result i -> +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in + let i:usize = i in +- let coefficient_normal_form:i32 = +- Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] +- <: +- i32) *! 
+- 1441l +- <: +- i32) +- in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- { +- result with +- Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- i +- (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((v + let coefficient_normal_form: i32_b (nat_div_ceil (306921472*v v_K) 65536 + 1665) = + Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce + (Libcrux.Kem.Kyber.Arithmetic.mul_i32_b #(64 * v v_K * 3328) #1441 + result.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] + (1441l <: Libcrux.Kem.Kyber.Arithmetic.i32_b 1441)) in + let resulti : i32_b 3328 = (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((m_v -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] -+ <: -+ i32) -! -+ coefficient_normal_form -+ <: -+ i32) -+ <: + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] + <: + i32) -! +@@ -196,81 +192,77 @@ + <: + i32) + <: +- i32) + i32) in + let resulti = cast_i32_b #3328 #(64*v v_K*3328) resulti in + let result = 
@@ -3229,15 +3398,27 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + i resulti -+ } -+ in + } +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + in + assert (inv result (i +! sz 1)); -+ result) -+ in + result) + in + admit(); //P-F -+ result + result +#pop-options -+ + +-let compute_ring_element_v +- (v_K: usize) +- (tt_as_ntt r_as_ntt: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- (error_2_ message: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- = +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO +- in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ +#push-options "--ifuel 0 --z3rlimit 100" +let compute_ring_element_v v_K tt_as_ntt r_as_ntt error_2_ message = + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = 
@@ -3249,40 +3430,77 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + (poly_range acc (v i * 3328)) in + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (v v_K * 3328) = + Rust_primitives.Iterators.foldi_range #_ #_ #inv ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = v_K -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ result -+ (fun result i -> + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K + } +- <: +- Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) + result + (fun result i -> +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in +- let i:usize = i in +- let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let product:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ Libcrux.Kem.Kyber.Ntt.ntt_multiply (tt_as_ntt.[ i ] -+ <: + Libcrux.Kem.Kyber.Ntt.ntt_multiply (tt_as_ntt.[ i ] + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) + (r_as_ntt.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ in + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let result:t_PolynomialRingElement_b (v i * 3328) = + down_cast_poly_b #(v v_K * 3328) #(v i * 3328) result in + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b ((v i + 1) * 3328) = -+ Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product -+ in + Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K result product + in +- result) + cast_poly_b result) -+ in + in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328) = -+ Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result -+ in + Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K result + in +- let 
result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + [@ inline_let] + let inv = fun (acc:t_PolynomialRingElement_b (64 * v v_K * 3328)) (i:usize) -> + (v i <= 256) /\ + (forall (j:usize). (v j < v i) ==> i32_range ((acc <: t_PolynomialRingElement_b (64* v v_K * 3328)).f_coefficients.[j]) 3328) in + let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328) = + Rust_primitives.Iterators.foldi_range #_ #_ #inv { -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -+ } + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +- result + result -+ (fun result i -> + (fun result i -> +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = result in +- let i:usize = i in +- let coefficient_normal_form:i32 = +- Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((result +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] +- <: +- i32) *! +- 1441l +- <: +- i32) +- in +- let result:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- { +- result with +- Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- i +- (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((coefficient_normal_form +! + let coefficient_normal_form: i32_b (nat_div_ceil (306921472*v v_K) 65536 + 1665) = + Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce + (Libcrux.Kem.Kyber.Arithmetic.mul_i32_b #(64 * v v_K * 3328) #1441 
@@ -3290,13 +3508,14 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + (1441l <: Libcrux.Kem.Kyber.Arithmetic.i32_b 1441)) in + let resulti : i32_b 3328 = + (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce ((coefficient_normal_form +! -+ (error_2_.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32) -+ <: -+ i32) +! -+ (message.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32) -+ <: -+ i32) -+ <: + (error_2_.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] <: i32) + <: + i32) +! +@@ -278,157 +270,151 @@ + <: + i32) + <: +- i32) + i32) in + let resulti = cast_i32_b #3328 #(64*v v_K*3328) resulti in + let result = 
@@ -3307,17 +3526,40 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + i resulti -+ } -+ in -+ result) -+ in + } +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + in + result) + in + admit(); //P-F -+ result + result +#pop-options -+ + +#push-options "--ifuel 0 --z3rlimit 300" -+let compute_vector_u -+ (v_K: usize) + let compute_vector_u + (v_K: usize) +- (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K) +- (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- = +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO v_K +- in +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__iter (Rust_primitives.unsize a_as_ntt +- <: +- t_Slice (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) +- <: +- Core.Slice.Iter.t_Iter +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K))) + (a_as_ntt: t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K) + (r_as_ntt error_1_: t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) = + let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in 
@@ -3333,14 +3575,30 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + let result:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = + Rust_primitives.Iterators.foldi_slice #(t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) #acc_t #inv0 + a_as_ntt -+ result -+ (fun result temp_1_ -> + result + (fun result temp_1_ -> +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = result in +- let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) = + let result:t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K = result in + let orig_result = result in + let orig_result_cast = (cast_vector_b #v_K #3328 #(64 * v v_K * 3328) orig_result) in + let i, row:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) = -+ temp_1_ -+ in + temp_1_ + in +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__iter (Rust_primitives.unsize row +- <: +- t_Slice Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- <: +- Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate +- (Core.Slice.Iter.t_Iter Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)) +- result + [@ inline_let] + let inv1 = fun (acc:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328)) v_K) (inner:usize) -> + (v inner <= v v_K) /\ 
@@ -3354,33 +3612,61 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + Rust_primitives.Iterators.foldi_slice #Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement #(t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328)) v_K) #inv1 + row + orig_result_cast -+ (fun result temp_1_ -> + (fun result temp_1_ -> +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = +- result +- in +- let j, a_element:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let j, a_element:(usize & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) = -+ temp_1_ -+ in + temp_1_ + in +- let product:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let resulti = down_cast_poly_b #(64 * v v_K * 3328) #(v j * 3328) result.[i] in + let product:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ Libcrux.Kem.Kyber.Ntt.ntt_multiply a_element + Libcrux.Kem.Kyber.Ntt.ntt_multiply a_element +- (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + (r_as_ntt.[ j ] <: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ in + in +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + let product_sum:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b ((v j + 1) * 3328) = + (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element #(v j * 3328) #3328 v_K + resulti + product) in + let product_sum:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328)) = cast_poly_b #((v j+1)* 3328) #(64 * v v_K * 3328) product_sum in + let result:t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64 * v v_K * 3328)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result -+ i + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i +- (Libcrux.Kem.Kyber.Arithmetic.add_to_ring_element v_K +- (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- product +- <: +- 
Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + product_sum -+ in -+ result) -+ in + in + result) + in +- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K = + assert (forall (j:usize). (v j < v i /\ v j < v v_K) ==> result.[j] == orig_result_cast.[j]); + assert (forall (j:usize). (v j > v i /\ v j < v v_K) ==> result.[j] == orig_result_cast.[j]); + let resulti : t_PolynomialRingElement_b (v v_K * 3328) = down_cast_poly_b result.[i] in + let result = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result -+ i + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i +- (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K +- (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- in +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ +- Core.Ops.Range.f_start = sz 0; +- Core.Ops.Range.f_end +- = +- Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) + (Libcrux.Kem.Kyber.Ntt.invert_ntt_montgomery v_K resulti) + in + [@ inline_let] 
@@ -3399,8 +3685,24 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT
+ }
-+ result
-+ (fun result j ->
+ result
+ (fun result j ->
+- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+- result
+- in
+- let j:usize = j in
+- let coefficient_normal_form:i32 =
+- Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (((result.[ i ]
+- <:
+- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+- <:
+- i32) *!
+- 1441l
+- <:
+- i32)
+- in
+- let result:t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K =
+ let result: t_Array (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)) v_K = result in
+ let resulti:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)) = result.[ i ] <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*v v_K * 3328)) in
+ let coefficient_normal_form: i32_b (nat_div_ceil (306921472*v v_K) 65536 + 1665) =
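Review bot: The refinement `i32_b (nat_div_ceil (306921472*v v_K) 65536 + 1665)` on coefficient_normal_form is an unexplained literal that the next reader has to reverse-engineer; 306921472 = 64 * 3328 * 1441, i.e. the accumulator bound `64*v v_K * 3328` used two lines above multiplied by the `1441l` Montgomery factor that the replaced extraction lines multiply by, before the division by 2^16. A one-line comment on the binding would make the bound auditable: `(* 306921472 = 64 * 3328 * 1441: |coefficient| * 1441 before montgomery_reduce divides by 2^16; 1665 presumably the q/2 slack of montgomery_reduce — confirm *)`. The enclosing fold and compute_vector_u continue beyond this hunk.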
@@ -3413,15 +3715,38 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem.
+ Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement)
+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]))) in
+ let result =
-+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
-+ i
-+ ({
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result
+ i
+ ({
+- (result.[ i ] <: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) with
+ resulti with
-+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients
-+ =
+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+ =
+- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ]
+- <:
+- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (resulti
+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients)
-+ j
+ j
+- (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (coefficient_normal_form +!
+- ((error_1_.[ i ]
+- <:
+- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]
+- <:
+- i32)
+- <:
+- i32)
+- <:
+- i32)
+- <:
+- t_Array i32 (sz 256)
+- }
+- <:
+- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement)
+- in
+- result))
+ (cast_i32_b #3328 #(64 * v v_K * 3328) resultij)
+ }) in
+ result)
@@ -3431,130 +3756,94 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fst extraction-edited/Libcrux.Kem. + assert (forall (j:usize). (v j >= v i + 1 /\ v j < v v_K) ==> derefine_poly_b result.[j] == derefine_poly_b orig_result.[j]); + assume (inv0 result (i +! sz 1)); + result) -+ in + in + admit(); //P-F -+ result + result +#pop-options -+ -+let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) = + + let sample_matrix_A (v_K: usize) (seed: t_Array u8 (sz 34)) (transpose: bool) = +- let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = +- Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO +- v_K +- <: +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) +- v_K + let wfZero: wfPolynomialRingElement = (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b #1 #3328 Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) in + let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat wfZero v_K) v_K -+ in + in +- let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = + let v_A_transpose:t_Array (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K = -+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = v_K -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ <: -+ Core.Ops.Range.t_Range usize) -+ v_A_transpose -+ (fun v_A_transpose i -> -+ let v_A_transpose:t_Array + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_K +@@ -440,7 +426,7 @@ + v_A_transpose + (fun v_A_transpose i -> + let v_A_transpose:t_Array +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = + (t_Array 
Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K = -+ v_A_transpose -+ in -+ let i:usize = i in -+ let seeds:t_Array (t_Array u8 (sz 34)) v_K = Rust_primitives.Hax.repeat seed v_K in -+ let seeds:t_Array (t_Array u8 (sz 34)) v_K = -+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = v_K -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ <: -+ Core.Ops.Range.t_Range usize) -+ seeds -+ (fun seeds j -> -+ let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in -+ let j:usize = j in -+ let seeds:t_Array (t_Array u8 (sz 34)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds -+ j -+ (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] -+ <: -+ t_Array u8 (sz 34)) -+ (sz 32) -+ (cast (i <: usize) <: u8) -+ <: -+ t_Array u8 (sz 34)) -+ in -+ let seeds:t_Array (t_Array u8 (sz 34)) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds -+ j -+ (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] -+ <: -+ t_Array u8 (sz 34)) -+ (sz 33) -+ (cast (j <: usize) <: u8) -+ <: -+ t_Array u8 (sz 34)) -+ in -+ seeds) -+ in -+ let xof_bytes:t_Array (t_Array u8 (sz 840)) v_K = -+ Libcrux.Kem.Kyber.Hash_functions.v_XOFx4 v_K seeds -+ in -+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = v_K -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ <: -+ Core.Ops.Range.t_Range usize) -+ v_A_transpose -+ (fun v_A_transpose j -> -+ let v_A_transpose:t_Array + v_A_transpose + in + let i:usize = i in +@@ -496,11 +482,11 @@ + v_A_transpose + (fun v_A_transpose j -> + let v_A_transpose:t_Array +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = + (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K = -+ v_A_transpose -+ in -+ let j:usize = j in + v_A_transpose + in + let j:usize = j in +- let 
sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let sampled:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ Libcrux.Kem.Kyber.Sampling.sample_from_uniform_distribution (xof_bytes.[ j ] -+ <: -+ t_Array u8 (sz 840)) -+ in -+ if transpose -+ then -+ let v_A_transpose:t_Array + Libcrux.Kem.Kyber.Sampling.sample_from_uniform_distribution (xof_bytes.[ j ] + <: + t_Array u8 (sz 840)) +@@ -508,33 +494,34 @@ + if transpose + then + let v_A_transpose:t_Array +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = + (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose -+ j -+ (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j -+ ] -+ <: + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose + j + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j + ] + <: +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) -+ i -+ sampled -+ <: + i + sampled + <: +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) -+ in -+ v_A_transpose -+ else -+ let v_A_transpose:t_Array + in + v_A_transpose + else + let v_A_transpose:t_Array +- (t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) v_K = + (t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) v_K = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose -+ i -+ (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i -+ ] -+ <: + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i + ] + <: +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array 
Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) -+ j -+ sampled -+ <: + j + sampled + <: +- t_Array Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement v_K) + t_Array Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement v_K) -+ in -+ v_A_transpose)) -+ in + in + v_A_transpose)) + in + admit(); //P-F -+ v_A_transpose + v_A_transpose diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:45:43.339554027 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:45:43.390552893 +0100 +--- extraction/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:53:07.072953063 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:53:07.140951972 +0100 @@ -3,39 +3,71 @@ open Core open FStar.Mul 
@@ -3657,14 +3946,29 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Matrix.fsti extraction-edited/Libcrux.Kem + if transpose then Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == matrix_A + else Libcrux.Kem.Kyber.Arithmetic.to_spec_matrix_b #p res == Spec.Kyber.matrix_transpose matrix_A) diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyber.Ntt.fst ---- extraction/Libcrux.Kem.Kyber.Ntt.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-19 11:45:43.373553271 +0100 -@@ -0,0 +1,656 @@ -+module Libcrux.Kem.Kyber.Ntt +--- extraction/Libcrux.Kem.Kyber.Ntt.fst 2024-02-19 11:53:07.073953047 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-19 11:53:07.124952229 +0100 +@@ -1,56 +1,130 @@ + module Libcrux.Kem.Kyber.Ntt +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -+open Core -+open FStar.Mul -+ + open Core + open FStar.Mul + +-let ntt_multiply_binomials (a0, a1: (i32 & i32)) (b0, b1: (i32 & i32)) (zeta: i32) = +- Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((a0 *! b0 <: i32) +! +- ((Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a1 *! b1 <: i32) <: i32) *! zeta <: i32) +- <: +- i32), +- Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce ((a0 *! b1 <: i32) +! (a1 *! b0 <: i32) <: i32) +- <: +- (i32 & i32) +- +-let invert_ntt_at_layer +- (zeta_i: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (layer: usize) +- = + +let v_ZETAS_TIMES_MONTGOMERY_R = + let list : list (i32_b 1664) = @@ -3735,7 +4039,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + +#push-options "--ifuel 0 --z3rlimit 1200" +let invert_ntt_at_layer #v_K #b zeta_i re layer = -+ let step:usize = sz 1 < 0); + assert (v step == pow2 (v layer)); + let orig_re = re in 
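Review bot: The Ntt.fst module header now raises the module-wide default from `--z3rlimit 15` to `--z3rlimit 100`, and the invert_ntt_at_layer block pushes `--ifuel 0 --z3rlimit 1200` (ntt_binomially_sampled_ring_element later pushes `1500` with `#restart-solver`); a high module-wide default hides which definitions are actually slow, so proof regressions show up as CI timeouts rather than as a failing query. Keeping the header at the extraction's 15 and scoping the larger limits with `#push-options`/`#pop-options` only around the definitions that need them, as the `invert_ntt_at_layer` block already does, would keep the cost visible. A short comment on each push saying what the expensive query is (e.g. `(* bounds on the 2*b butterfly need the large rlimit *)`) would also help whoever tries to lower it later.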
@@ -3748,15 +4054,25 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb
+ in
+ let re, zeta_i: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b) & usize) =
+ Rust_primitives.Iterators.foldi_range #_ #(t_PolynomialRingElement_b (2*b) & usize) #inv {
-+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_start = sz 0;
+- Core.Ops.Range.f_end = sz 128 >>! layer <: usize
+ Core.Ops.Range.f_end = sz 128 /! step
-+ }
+ }
+- <:
+- Core.Ops.Range.t_Range usize)
+- <:
+- Core.Ops.Range.t_Range usize)
+- (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+ (cast_poly_b #b #(2*b) re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b) & usize))
-+ (fun temp_0_ round ->
+ (fun temp_0_ round ->
+- let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+ let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b) & usize) = temp_0_ in
-+ let round:usize = round in
+ let round:usize = round in
+ let orig_re_round = re in
-+ let zeta_i:usize = zeta_i -! sz 1 in
+ let zeta_i:usize = zeta_i -! sz 1 in
+- let offset:usize = (round *! step <: usize) *! sz 2 in
+- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+ assert(v round * v step < 128);
+ assert(v round * v step + v step <= 128);
+ assert(v round * v step * 2 <= 254);
@@ -3772,11 +4088,17 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb
+ in
+ let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2 * b) =
+ Rust_primitives.Iterators.foldi_range #_ #_ #inv {
-+ Core.Ops.Range.f_start = offset;
-+ Core.Ops.Range.f_end = offset +! step <: usize
+ Core.Ops.Range.f_start = offset;
+ Core.Ops.Range.f_end = offset +! step <: usize
+- }
+- <:
+- Core.Ops.Range.t_Range usize)
+- <:
+- Core.Ops.Range.t_Range usize)
+ }
-+ re
-+ (fun re j ->
+ re
+ (fun re j ->
+- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+ let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2 * b) = re in
+ assert (re.f_coefficients.[j] == orig_re_round.f_coefficients.[j]);
+ assert (re.f_coefficients.[j +! step] == orig_re_round.f_coefficients.[j +! step]);
@@ -3784,124 +4106,178 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + assert (re.f_coefficients.[j +! step] == orig_re.f_coefficients.[j +! step]); + let re_j:i32_b b = orig_re.f_coefficients.[j] in + let re_j_step:i32_b b = orig_re.f_coefficients.[j +! step] in -+ let j:usize = j in + let j:usize = j in +- let a_minus_b:i32 = +- (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] <: i32) -! +- (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +- in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let a_minus_b:i32_b (2*b) = sub_i32_b re_j_step re_j in + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2 * b) = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ j + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -58,17 +132,13 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + j +- ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! +- (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ] +- <: +- i32) +- <: +- i32) + (add_i32_b re_j re_j_step) -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2 * b) -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let red = mul_zeta_red #v_K #b orig_zeta_i layer a_minus_b round in + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b) = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (j +! 
step <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -76,74 +146,69 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (j +! step <: usize) +- (Libcrux.Kem.Kyber.Arithmetic.montgomery_reduce (a_minus_b *! +- (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) +- <: +- i32) +- <: +- i32) + red -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b) -+ in -+ re) -+ in + in + re) + in +- re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) + re, zeta_i <: t_PolynomialRingElement_b (2*b) & usize) -+ in + in +- let hax_temp_output:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in +- zeta_i, hax_temp_output <: (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + let hax_temp_output:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b) = re in + lemma_zeta_decr orig_zeta_i zeta_i layer; + zeta_i, hax_temp_output <: (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b)) +#pop-options -+ + +-let invert_ntt_montgomery (v_K: usize) (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +#push-options "--z3rlimit 500" +let invert_ntt_montgomery v_K re = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + let b = v v_K * 3328 in + assert (v v_K <= 4); + assert (b <= 4 * 3328); -+ let zeta_i:usize = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 2 in + let zeta_i:usize = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! 
sz 2 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- invert_ntt_at_layer zeta_i re (sz 1) + assert (v zeta_i == pow2 (8 - 1)); + let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (2*b)) = + invert_ntt_at_layer #v_K #b zeta_i re (sz 1) -+ in -+ let zeta_i:usize = tmp0 in + in + let zeta_i:usize = tmp0 in +- let hoist1:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist1 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- invert_ntt_at_layer zeta_i re (sz 2) + let hoist1 = out in + let re = hoist1 in + let tmp0, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (4*b)) = + invert_ntt_at_layer #v_K zeta_i re (sz 2) -+ in -+ let zeta_i:usize = tmp0 in + in + let zeta_i:usize = tmp0 in +- let hoist2:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist2 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- invert_ntt_at_layer zeta_i re (sz 3) + let tmp0, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (8*b)) = + invert_ntt_at_layer #v_K zeta_i re (sz 3) -+ in -+ let zeta_i:usize = tmp0 in + in + let zeta_i:usize = tmp0 in +- let hoist3:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist3 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- invert_ntt_at_layer zeta_i re (sz 4) + assert (8*b = v v_K * 3328 * pow2 (4 - 1)); + let tmp0, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (16*b)) = + invert_ntt_at_layer #v_K zeta_i re (sz 4) -+ in -+ let zeta_i:usize = tmp0 in + in + let zeta_i:usize = tmp0 in +- let hoist4:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let 
re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist4 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- invert_ntt_at_layer zeta_i re (sz 5) + assert (16*b == v v_K * 3328 * pow2 (5 - 1)); + let tmp0, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (32*b)) = + invert_ntt_at_layer #v_K zeta_i re (sz 5) -+ in -+ let zeta_i:usize = tmp0 in + in + let zeta_i:usize = tmp0 in +- let hoist5:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist5 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- invert_ntt_at_layer zeta_i re (sz 6) + assert (32*b = v v_K * 3328 * pow2 (6 - 1)); + let tmp0, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*b)) = + invert_ntt_at_layer #v_K zeta_i re (sz 6) -+ in -+ let zeta_i:usize = tmp0 in + in + let zeta_i:usize = tmp0 in +- let hoist6:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist6 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- invert_ntt_at_layer zeta_i re (sz 7) + assert (64*b = v v_K * 3328 * pow2 (7 - 1)); + let tmp0, re:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (128*b)) = + invert_ntt_at_layer #v_K zeta_i re (sz 7) -+ in -+ let zeta_i:usize = tmp0 in -+ let _:Prims.unit = () <: Prims.unit in -+ let _:Prims.unit = () <: Prims.unit in + in + let zeta_i:usize = tmp0 in +- let hoist7:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist7 in + let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + admit(); + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*b) = -+ Core.Iter.Traits.Iterator.f_fold 
(Core.Iter.Traits.Collect.f_into_iter ({ -+ Core.Ops.Range.f_start = sz 0; + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; +- Core.Ops.Range.f_end = sz 2 + Core.Ops.Range.f_end = sz 8 -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ <: -+ Core.Ops.Range.t_Range usize) -+ re -+ (fun re i -> + } + <: + Core.Ops.Range.t_Range usize) +@@ -151,7 +216,7 @@ + Core.Ops.Range.t_Range usize) + re + (fun re i -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (128*b) = re in -+ let i:usize = i in -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ i -+ (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] -+ <: -+ i32) -+ <: -+ i32) -+ <: -+ t_Array i32 (sz 256) -+ } -+ <: + let i:usize = i in + { + re with +@@ -170,52 +235,84 @@ + t_Array i32 (sz 256) + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*b)) -+ in + in +- re + re +#pop-options -+ + +-let ntt_at_layer +- (zeta_i: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (layer v__initial_coefficient_bound: usize) +- = +- let step:usize = sz 1 <= 0 /\ v zeta_i <= 63} ) 
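Review bot: In invert_ntt_montgomery the new side puts `admit();` immediately before the final Barrett-reduction fold, so the annotation mismatch that follows is never checked: the fold's result is declared `t_PolynomialRingElement_b (64*b)` and the body is ascribed `<: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (64*b)`, while the accumulator inside the lambda is rebound as `(128*b)`, which is the bound the layer-7 call just above returns. The inner diff also moves the loop end from `sz 2` to `sz 8`, so the edited model reduces a different coefficient range than the hax extraction it is supposed to mirror; if that is deliberate it needs a comment such as `(* edited: extraction reduces only 0..2; range widened for the bound proof — confirm against the Rust source *)`, otherwise the .fsti bound is being proved about a different function. Dropping the admit and making the declared bound agree with the accumulator (128*b, or whatever barrett_reduce's postcondition yields) would let the checker confirm this tail. Two smaller style points in the same hunk: `#b` is passed explicitly only for the layer-1 call and inferred for layers 2–7, and the asserts mix `=` and `==` (`8*b = ...` vs `16*b == ...`).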
@@ -3935,14 +4311,24 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb
+ in
+ let re, zeta_i: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) & usize) =
+ Rust_primitives.Iterators.foldi_range #_ #(t_PolynomialRingElement_b (3328+b) & usize) #inv {
-+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_start = sz 0;
+- Core.Ops.Range.f_end = sz 128 >>! layer <: usize
+ Core.Ops.Range.f_end = loop_end
-+ }
+ }
+- <:
+- Core.Ops.Range.t_Range usize)
+- <:
+- Core.Ops.Range.t_Range usize)
+- (re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize))
+ (cast_poly_b #b #(3328+b) re, zeta_i)
-+ (fun temp_0_ round ->
+ (fun temp_0_ round ->
+- let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) = temp_0_ in
+ let re, zeta_i:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) & usize) = temp_0_ in
-+ let round:usize = round in
-+ let zeta_i:usize = zeta_i +! sz 1 in
+ let round:usize = round in
+ let zeta_i:usize = zeta_i +! sz 1 in
+- let offset:usize = (round *! step <: usize) *! sz 2 in
+- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+ assert(v round * v step < 128);
+ assert(v round * v step + v step <= 128);
+ assert(v round * v step * 2 <= 254);
@@ -3961,13 +4347,27 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb
+ assert (inv re offset);
+ let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+ b) =
+ Rust_primitives.Iterators.foldi_range #usize_inttype #(t_PolynomialRingElement_b (3328+b)) #inv {
-+ Core.Ops.Range.f_start = offset;
-+ Core.Ops.Range.f_end = offset +! step <: usize
+ Core.Ops.Range.f_start = offset;
+ Core.Ops.Range.f_end = offset +! step <: usize
+- }
+- <:
+- Core.Ops.Range.t_Range usize)
+- <:
+- Core.Ops.Range.t_Range usize)
+ }
-+ re
-+ (fun re j ->
+ re
+ (fun re j ->
+- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in
+ let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) = re in
-+ let j:usize = j in
+ let j:usize = j in
+- let t:i32 =
+- Libcrux.Kem.Kyber.Arithmetic.montgomery_multiply_fe_by_fer (re
+- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! step <: usize ]
+- <:
+- i32)
+- (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32)
+- in
+- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement =
+ assert (re.f_coefficients.[j] == orig_re.f_coefficients.[j]);
+ assert (re.f_coefficients.[j +! step] == orig_re.f_coefficients.[j +! step]);
+ let re_j:i32_b b = orig_re.f_coefficients.[j] in
@@ -3975,64 +4375,93 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + let t:i32_b 3328 = mul_zeta_red2 #b orig_zeta_i layer + re_j_step round in + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (j +! step <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -223,12 +320,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (j +! step <: usize) +- ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! t <: i32) + (sub_i32_b #b #3328 re_j_step t) -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ j + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -236,64 +333,70 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + j +- ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! 
t <: i32) + (add_i32_b #b #3328 re_j t) -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) -+ in -+ re) -+ in + in + re) + in +- re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) + re, zeta_i <: (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) & usize)) -+ in -+ let _:Prims.unit = () <: Prims.unit in + in + let _:Prims.unit = () <: Prims.unit in +- let hax_temp_output:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in +- zeta_i, hax_temp_output <: (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + let hax_temp_output:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (3328+b) = re in + assert (v zeta_i = v orig_zeta_i + 128/v step); + assert (v zeta_i = v orig_zeta_i + pow2(7 - v layer)); + assert (v zeta_i = pow2(8 - v layer) - 1); + zeta_i, hax_temp_output +#pop-options -+ + +-let ntt_at_layer_3_ +- (zeta_i: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (layer: usize) +- = +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- ntt_at_layer zeta_i re layer (sz 3) +let ntt_at_layer_3_ #b zeta_i re layer = + let tmp0, out = + ntt_at_layer zeta_i re layer (sz 7879) -+ in -+ let zeta_i:usize = tmp0 in + in + let zeta_i:usize = tmp0 in +- let hax_temp_output:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- zeta_i, hax_temp_output <: (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- +-let ntt_at_layer_3328_ +- (zeta_i: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- (layer: usize) +- = +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let hax_temp_output = out in + zeta_i, hax_temp_output + +let ntt_at_layer_3328_ zeta_i re layer = + let tmp0, out = -+ ntt_at_layer zeta_i re layer (sz 3328) -+ in -+ let zeta_i:usize = tmp0 in + ntt_at_layer zeta_i re layer (sz 3328) 
+ in + let zeta_i:usize = tmp0 in +- let hax_temp_output:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- zeta_i, hax_temp_output <: (usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + let hax_temp_output = out in + zeta_i, hax_temp_output -+ + +-let ntt_binomially_sampled_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +#push-options "--ifuel 0 --z3rlimit 1500" +#restart-solver +let ntt_binomially_sampled_ring_element re = -+ let _:Prims.unit = () <: Prims.unit in -+ let zeta_i:usize = sz 1 in + let _:Prims.unit = () <: Prims.unit in + let zeta_i:usize = sz 1 in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + [@ inline_let] + let inv = fun (acc:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 11207)) (i:usize) -> + (v i <= 128) /\ 
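Review bot: `ntt_at_layer_3_ #b zeta_i re layer` binds an implicit bound `b` but its body passes the bare literal `sz 7879` where the extraction passed `sz 3`, and nothing in the hunk relates the literal to `b`. Since 11207 − 3328 = 7879 and 11207 is the bound this hunk uses for ntt_binomially_sampled_ring_element, 7879 is presumably the coefficient bound entering the first layer-6 call — confirm. Either express the argument in terms of `b` or record the derivation next to it: `(* 7879 = 11207 - 3328: bound entering layer 6 from ntt_binomially_sampled_ring_element *)`. The body of ntt_binomially_sampled_ring_element continues past the end of this hunk.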
@@ -4045,63 +4474,104 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + assert (inv re (sz 0)); + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 11207 = + Rust_primitives.Iterators.foldi_range #_ #(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 11207) #inv ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = sz 128 -+ } -+ <: -+ Core.Ops.Range.t_Range usize) + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 128 + } + <: + Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) +- re + (cast_poly_b re) -+ (fun re j -> + (fun re j -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 11207 = cast_poly_b re in -+ let j:usize = j in + let j:usize = j in +- let t:i32 = +- (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! sz 128 <: usize ] <: i32) *! +- (-1600l) + let t:i32_b (7*1600) = + mul_i32_b (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j +! sz 128 <: usize ]) + (-1600l <: i32_b 1600) -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (11207) = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (j +! sz 128 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -301,12 +404,10 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (j +! sz 128 <: usize) +- ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) -! 
t <: i32) + (sub_i32_b #7 #11200 (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32_b 7) t) -+ } -+ in + } +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (11207) = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ j + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -314,90 +415,76 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + j +- ((re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ] <: i32) +! t <: i32) + (add_i32_b (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ j ]) t) -+ } -+ in -+ re) -+ in -+ let _:Prims.unit = () <: Prims.unit in + } +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + in + re) + in + let _:Prims.unit = () <: Prims.unit in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + assert (v zeta_i = pow2 (7 - 6) - 1); + let zeta_i, re = -+ ntt_at_layer_3_ zeta_i re (sz 6) -+ in + ntt_at_layer_3_ zeta_i re (sz 6) + in +- let zeta_i:usize = tmp0 in +- let hoist8:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist8 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3_ zeta_i re (sz 5) -+ in + ntt_at_layer_3_ zeta_i re (sz 5) + in +- let zeta_i:usize = tmp0 in +- let hoist9:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist9 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3_ zeta_i re (sz 4) -+ in + ntt_at_layer_3_ zeta_i re (sz 4) + in 
+- let zeta_i:usize = tmp0 in +- let hoist10:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist10 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3_ zeta_i re (sz 3) -+ in + ntt_at_layer_3_ zeta_i re (sz 3) + in +- let zeta_i:usize = tmp0 in +- let hoist11:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist11 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3_ zeta_i re (sz 2) -+ in + ntt_at_layer_3_ zeta_i re (sz 2) + in +- let zeta_i:usize = tmp0 in +- let hoist12:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist12 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3_ zeta_i re (sz 1) -+ in + ntt_at_layer_3_ zeta_i re (sz 1) + in +- let zeta_i:usize = tmp0 in +- let hoist13:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist13 in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (6*3328+11207) = re in + [@ inline_let] + let inv = fun (acc:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (6*3328+11207))) (i:usize) -> 
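Review bot: The bound literals in ntt_binomially_sampled_ring_element — `i32_b (7*1600)`, `sub_i32_b #7 #11200`, `t_PolynomialRingElement_b 11207` and, at the end of the hunk, `(6*3328+11207)` — are tied together by arithmetic the reader has to reconstruct, and nothing in the hunk records it. The operands in view fix the derivation: the coefficient is ascribed `i32_b 7`, the multiplier `-1600l` is ascribed `i32_b 1600`, so `t` is bounded by 7*1600 = 11200 and the updated coefficient by 11200+7 = 11207; each `ntt_at_layer_3_` call then appears to widen the element bound by 3328 (its result type in the earlier hunk is `t_PolynomialRingElement_b (3328+b)`), giving 6*3328+11207 after the six layer calls. A comment beside the first annotation would keep that derivation with the code, e.g. `// 11207 = 7 + 7*1600: coefficients are bounded by 7 on entry and t = c * (-1600) by 11200; each NTT layer adds 3328`. The function starts in the previous hunk and its Barrett-reduction tail and final down-cast are in the next one.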
@@ -4112,177 +4582,258 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + assert (inv re (sz 0)); + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (6*3328+11207) = + Rust_primitives.Iterators.foldi_range #_ #(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (6*3328+11207)) #inv ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ re -+ (fun re i -> + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + } + <: + Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) + re + (fun re i -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (6*3328+11207) = re in + let rei:i32_b (v v_BARRETT_R) = cast_i32_b #(6*3328+11207) #(v v_BARRETT_R) (re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ]) in + let rei: i32_b (6*3328+11207) = cast_i32_b #3328 #(6*3328+11207) ( + Libcrux.Kem.Kyber.Arithmetic.barrett_reduce rei) in -+ let i:usize = i in + let i:usize = i in + let re_coeffs:t_Array (i32_b (6*3328+11207)) (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + i rei in -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- = +- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- i +- (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] +- <: +- i32) +- <: +- i32) +- <: +- t_Array i32 (sz 256) +- } +- <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + = re_coeffs + }) -+ in + in +- re + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = down_cast_poly_b #(6*3328+11207) 
#3328 re in + re +#pop-options + -+ + +-let ntt_multiply (lhs rhs: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +#push-options "--z3rlimit 100" +let ntt_multiply lhs rhs = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 1 = -+ Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + in +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 = -+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end -+ = -+ Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! sz 4 <: usize -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ <: -+ Core.Ops.Range.t_Range usize) + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end +@@ -408,34 +495,31 @@ + Core.Ops.Range.t_Range usize) + <: + Core.Ops.Range.t_Range usize) +- out + (cast_poly_b out) -+ (fun out i -> + (fun out i -> +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in + let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 = out in -+ let i:usize = i in + let i:usize = i in +- let product:(i32 & i32) = + assert (v i * 4 + 4 <= 256); + let product = -+ ntt_multiply_binomials ((lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i -+ <: -+ usize ] -+ <: + ntt_multiply_binomials ((lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i + <: + usize ] + <: +- i32), + i32_b 3328), -+ (lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1 -+ <: -+ usize ] -+ <: + (lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! 
sz 1 + <: + usize ] + <: +- i32) +- <: +- (i32 & i32)) +- ((rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i <: usize ] <: i32), + i32_b 3328)) + ((rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ sz 4 *! i <: usize ] <: i32_b 3328), -+ (rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1 -+ <: -+ usize ] -+ <: + (rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 1 + <: + usize ] + <: +- i32) +- <: +- (i32 & i32)) +- (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32) + i32_b 3328)) + (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32_b 1664) -+ in + in +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 = -+ { -+ out with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (sz 4 *! i <: usize) -+ product._1 -+ } -+ <: + { + out with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -446,9 +530,9 @@ + product._1 + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 -+ in + in +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 = -+ { -+ out with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 4 *! i <: usize) +! 
sz 1 <: usize) -+ product._2 -+ } -+ <: + { + out with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -459,41 +543,29 @@ + product._2 + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 -+ in + in +- let product:(i32 & i32) = + let product = -+ ntt_multiply_binomials ((lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i -+ <: -+ usize) +! -+ sz 2 -+ <: + ntt_multiply_binomials ((lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i + <: + usize) +! + sz 2 + <: +- usize ] +- <: +- i32), + usize ]), -+ (lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3 -+ <: + (lhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3 + <: +- usize ] +- <: +- i32) +- <: +- (i32 & i32)) + usize ])) + -+ ((rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 2 -+ <: + ((rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 2 + <: +- usize ] +- <: +- i32), + usize ]), -+ (rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3 -+ <: + (rhs.Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ (sz 4 *! i <: usize) +! sz 3 + <: +- usize ] +- <: +- i32) +- <: +- (i32 & i32)) +- (Core.Ops.Arith.Neg.neg (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ] <: i32) +- <: +- i32) + usize ])) + (Core.Ops.Arith.Neg.neg (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! i <: usize ]) <: i32_b 1664) + -+ in + in +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 = -+ { -+ out with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 4 *! i <: usize) +! 
sz 2 <: usize) -+ product._1 -+ } -+ <: + { + out with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -504,9 +576,9 @@ + product._1 + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 -+ in + in +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 = -+ { -+ out with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 4 *! i <: usize) +! sz 3 <: usize) -+ product._2 -+ } -+ <: + { + out with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -517,72 +589,55 @@ + product._2 + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3328 -+ in -+ out) -+ in -+ out + in + out) + in + out +#pop-options -+ + +-let ntt_vector_u +- (v_VECTOR_U_COMPRESSION_FACTOR: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- = +#push-options "--ifuel 0 --z3rlimit 200" +let ntt_vector_u v_VECTOR_U_COMPRESSION_FACTOR re = -+ let _:Prims.unit = () <: Prims.unit in -+ let zeta_i:usize = sz 0 in + let _:Prims.unit = () <: Prims.unit in + let zeta_i:usize = sz 0 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3328_ zeta_i re (sz 7) -+ in + ntt_at_layer_3328_ zeta_i re (sz 7) + in +- let zeta_i:usize = tmp0 in +- let hoist14:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist14 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3328_ zeta_i re (sz 6) -+ in + ntt_at_layer_3328_ zeta_i re (sz 6) + in +- let zeta_i:usize = tmp0 in +- let hoist15:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let 
re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist15 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3328_ zeta_i re (sz 5) -+ in + ntt_at_layer_3328_ zeta_i re (sz 5) + in +- let zeta_i:usize = tmp0 in +- let hoist16:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist16 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3328_ zeta_i re (sz 4) -+ in + ntt_at_layer_3328_ zeta_i re (sz 4) + in +- let zeta_i:usize = tmp0 in +- let hoist17:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist17 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3328_ zeta_i re (sz 3) -+ in + ntt_at_layer_3328_ zeta_i re (sz 3) + in +- let zeta_i:usize = tmp0 in +- let hoist18:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist18 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3328_ zeta_i re (sz 2) -+ in + ntt_at_layer_3328_ zeta_i re (sz 2) + in +- let zeta_i:usize = tmp0 in +- let hoist19:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist19 in +- let tmp0, out:(usize & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = + let zeta_i, re = -+ ntt_at_layer_3328_ zeta_i re (sz 1) -+ in + ntt_at_layer_3328_ zeta_i re (sz 1) + in +- let zeta_i:usize = tmp0 in +- let hoist20:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = out in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = hoist20 in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- 
Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ + [@ inline_let] + let inv = fun (acc:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (8*3328))) (i:usize) -> + (v i <= 256) /\ 
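Review bot: In ntt_multiply the two `ntt_multiply_binomials` calls are typed differently: the first call ascribes every coefficient read with `<: i32_b 3328`, while the second call (the `+! sz 2` / `+! sz 3` reads of `lhs` and `rhs`) passes the bare `usize ]` reads and leaves the bound to inference, even though both calls ascribe the zeta argument as `i32_b 1664`. Ascribing the four reads of the second call the same way, `usize ] <: i32_b 3328),`, makes the two calls read alike and keeps the intended bound visible at the call site rather than recovered from the signature of `ntt_multiply_binomials`. The second call's argument list also contains two stray blank lines (after the `lhs` pair and after the negated zeta) that the first call does not have; dropping them would match the surrounding formatting. The enclosing `ntt_vector_u` at the end of the hunk continues into the next one.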
@@ -4292,33 +4843,43 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fst extraction-edited/Libcrux.Kem.Kyb + assert (inv re (sz 0)); + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (8*3328) = + Rust_primitives.Iterators.foldi_range #_ #(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (8*3328)) #inv ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ re -+ (fun re i -> + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + } + <: + Core.Ops.Range.t_Range usize) +- <: +- Core.Ops.Range.t_Range usize) + re + (fun re i -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in + let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (8*3328) = re in -+ let i:usize = i in -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ i -+ (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re + let i:usize = i in + { + re with +@@ -592,15 +647,10 @@ + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + i + (Libcrux.Kem.Kyber.Arithmetic.barrett_reduce (re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ] +- <: +- i32) +- <: +- i32) +- <: +- t_Array i32 (sz 256) + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients.[ i ])) -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b (8*3328)) -+ in + in +- re + down_cast_poly_b #(8*3328) #3328 re +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 11:45:43.340554005 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 11:45:43.357553627 +0100 +--- extraction/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 
11:53:07.077952983 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 11:53:07.105952534 +0100 @@ -2,223 +2,80 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core 
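Review bot: The final `down_cast_poly_b #(8*3328) #3328 re` in ntt_vector_u narrows an element whose fold accumulator is typed `t_PolynomialRingElement_b (8*3328)`, so the per-coefficient bound of 3328 required by the down-cast has to come entirely from the `#inv` loop invariant applied to the `barrett_reduce` fold; the invariant's definition is in the previous hunk, so this cannot be confirmed from here, and nothing at the cast says it. A short comment above the cast would state the obligation, e.g. `// inv: coefficients below i are Barrett-reduced (|c| <= 3328); at i = 256 the whole element is, so the down-cast is justified`. The same fold-then-down-cast pattern in ntt_binomially_sampled_ring_element binds the result to `wfPolynomialRingElement` explicitly, which at least names the intent; doing the same here would make the two functions read consistently. ntt_vector_u starts outside this hunk.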
@@ -4611,25 +5172,34 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Ntt.fsti extraction-edited/Libcrux.Kem.Ky + (ensures fun _ -> True) + diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Kem.Kyber.Sampling.fst ---- extraction/Libcrux.Kem.Kyber.Sampling.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-19 11:45:43.397552738 +0100 -@@ -0,0 +1,350 @@ -+module Libcrux.Kem.Kyber.Sampling -+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -+open Core -+open FStar.Mul -+ +--- extraction/Libcrux.Kem.Kyber.Sampling.fst 2024-02-19 11:53:07.099952630 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-19 11:53:07.148951844 +0100 +@@ -3,27 +3,34 @@ + open Core + open FStar.Mul + +-let rejection_sampling_panic_with_diagnostic (_: Prims.unit) = +let rejection_sampling_panic_with_diagnostic () : Prims.unit = + admit(); // This should never be reachable -+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" -+ <: -+ Rust_primitives.Hax.t_Never) -+ + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" + <: + Rust_primitives.Hax.t_Never) + +#push-options "--ifuel 0 --z3rlimit 100" -+let sample_from_binomial_distribution_2_ (randomness: t_Slice u8) = + let sample_from_binomial_distribution_2_ (randomness: t_Slice u8) = +- let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +- = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let sampled: t_PolynomialRingElement_b 3 = + cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact randomness (sz 4) <: Core.Slice.Iter.t_ChunksExact u8) +- <: +- 
Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) + + let acc_t = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3 in + [@ inline_let] 
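Review bot: In sample_from_binomial_distribution_2_ the initial binding `let sampled: t_PolynomialRingElement_b 3 = cast_poly_b ...ZERO` refers to `t_PolynomialRingElement_b` and `cast_poly_b` unqualified, whereas the `_3_` variant in a later hunk writes `Libcrux.Kem.Kyber.Arithmetic.cast_poly_b` and every other occurrence of the type in this file is fully qualified; the only opens visible in the file header are `open Core` and `open FStar.Mul`, so resolution of the bare names depends on something outside the hunk. Writing `let sampled: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3 = Libcrux.Kem.Kyber.Arithmetic.cast_poly_b ...` removes that dependency and matches the rest of the file. Separately, `rejection_sampling_panic_with_diagnostic` uses `admit(); // This should never be reachable`, which assumes unreachability rather than asking the verifier to check it at call sites; if the interface permits, a `requires False` precondition on the declaration would move that obligation to the callers, and if not, the comment should say which caller guarantees it.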
@@ -4643,49 +5213,62 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + Rust_primitives.Iterators.foldi_chunks_exact #u8 #acc_t #inv + sl + chunk_len -+ sampled -+ (fun sampled temp_1_ -> + sampled + (fun sampled temp_1_ -> +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in +- let chunk_number, byte_chunk:(usize & t_Slice u8) = temp_1_ in + let chunk_number, byte_chunk:(usize & t_Array u8 chunk_len) = temp_1_ in + assert(chunk_number <. sz 32); -+ let (random_bits_as_u32: u32):u32 = -+ (((cast (byte_chunk.[ sz 0 ] <: u8) <: u32) |. -+ ((cast (byte_chunk.[ sz 1 ] <: u8) <: u32) <>! 1l <: u32) &. 1431655765ul in + let odd_bits:u32 = (random_bits_as_u32 >>! 1l <: u32) &. 1431655765ul in + logand_lemma (random_bits_as_u32 >>! 1l <: u32) 1431655765ul; + assert(odd_bits <=. 1431655765ul); -+ let coin_toss_outcomes:u32 = even_bits +! odd_bits in + let coin_toss_outcomes:u32 = even_bits +! odd_bits in +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_step_by +- ({ + let acc_t = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3 in + [@ inline_let] + let inv : acc_t -> u32 -> Type = fun acc i -> True in + Rust_primitives.Iterators.foldi_range_step_by #u32_inttype #(acc_t) #inv ({ -+ Core.Ops.Range.f_start = 0ul; -+ Core.Ops.Range.f_end = Core.Num.impl__u32__BITS + Core.Ops.Range.f_start = 0ul; + Core.Ops.Range.f_end = Core.Num.impl__u32__BITS +- } +- <: +- Core.Ops.Range.t_Range u32) +- (sz 4) +- <: +- Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range u32)) +- <: +- Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range u32)) + } + <: + Core.Ops.Range.t_Range u32) + (sz 4) -+ sampled -+ (fun sampled outcome_set -> -+ let outcome_set:u32 = outcome_set in + sampled + (fun sampled outcome_set -> +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in + let outcome_set:u32 = outcome_set in + assert (v outcome_set + 4 
<= 32); + let out_1 = ((coin_toss_outcomes >>! outcome_set <: u32) &. 3ul <: u32) in -+ let outcome_1_:i32 = + let outcome_1_:i32 = +- cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 3ul <: u32) <: i32 + cast out_1 <: i32 -+ in + in + let out_2 = ((coin_toss_outcomes >>! (outcome_set +! 2ul <: u32) <: u32) &. 3ul <: u32) in -+ let outcome_2_:i32 = + let outcome_2_:i32 = +- cast ((coin_toss_outcomes >>! (outcome_set +! 2ul <: u32) <: u32) &. 3ul <: u32) +- <: +- i32 + cast out_2 <: i32 -+ in + in + logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 3ul; + assert (v out_1 >= 0); + assert (v out_1 <= 3); @@ -4700,7 +5283,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + Math.Lemmas.small_modulo_lemma_1 (v out_2) (pow2 32); + assert (v outcome_2_ == v out_2); + assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 3); -+ let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in + let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + assert (outcome_set <. 32ul); + assert (v (outcome_set >>! 2l <: u32) = v outcome_set / 4); + assert (v (outcome_set >>! 2l <: u32) < 8); 
@@ -4710,30 +5294,41 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + assert (8 * v chunk_number + 8 <= 256); + assert (8 * v chunk_number + v offset < 256); + let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3 = -+ { -+ sampled with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! chunk_number <: usize) +! offset <: usize) -+ (outcome_1_ -! outcome_2_ <: i32) -+ } -+ <: + { + sampled with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -73,29 +104,36 @@ + (outcome_1_ -! outcome_2_ <: i32) + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 3 -+ in -+ sampled)) + in + sampled)) +- in +- let _:Prims.unit = () <: Prims.unit in +- sampled + in + let _:Prims.unit = () <: Prims.unit in + admit(); // P-F + sampled +#pop-options -+ + +#push-options "--ifuel 0 --z3rlimit 200" -+let sample_from_binomial_distribution_3_ (randomness: t_Slice u8) = + let sample_from_binomial_distribution_3_ (randomness: t_Slice u8) = +- let (sampled: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement +- = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let sampled:t_PolynomialRingElement_b 7 = + (Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO) -+ in + in +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact randomness (sz 3) <: Core.Slice.Iter.t_ChunksExact u8) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) + let acc_t = 
Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 in + [@ inline_let] + let inv = fun (acc:acc_t) (i:usize) -> True in @@ -4746,27 +5341,37 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + Rust_primitives.Iterators.foldi_chunks_exact #u8 #acc_t #inv + sl + chunk_len -+ sampled -+ (fun sampled temp_1_ -> + sampled + (fun sampled temp_1_ -> +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in +- let chunk_number, byte_chunk:(usize & t_Slice u8) = temp_1_ in + let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 = sampled in + let chunk_number, byte_chunk:(usize & t_Array u8 chunk_len) = temp_1_ in -+ let (random_bits_as_u24: u32):u32 = -+ ((cast (byte_chunk.[ sz 0 ] <: u8) <: u32) |. -+ ((cast (byte_chunk.[ sz 1 ] <: u8) <: u32) <>! 1l <: u32) &. 2396745ul in + let second_bits:u32 = (random_bits_as_u24 >>! 1l <: u32) &. 2396745ul in + logand_lemma (random_bits_as_u24 >>! 1l <: u32) 2396745ul; + assert (second_bits <=. 2396745ul); -+ let third_bits:u32 = (random_bits_as_u24 >>! 2l <: u32) &. 2396745ul in + let third_bits:u32 = (random_bits_as_u24 >>! 2l <: u32) &. 2396745ul in + logand_lemma (random_bits_as_u24 >>! 2l <: u32) 2396745ul; + assert (third_bits <=. 2396745ul); -+ let coin_toss_outcomes:u32 = (first_bits +! second_bits <: u32) +! third_bits in + let coin_toss_outcomes:u32 = (first_bits +! second_bits <: u32) +! third_bits in +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_step_by +- ({ Core.Ops.Range.f_start = 0l; Core.Ops.Range.f_end = 24l } +- <: +- Core.Ops.Range.t_Range i32) +- (sz 6) +- <: +- Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range i32)) +- <: +- Core.Iter.Adapters.Step_by.t_StepBy (Core.Ops.Range.t_Range i32)) + let acc_t = Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 in + [@ inline_let] + let inv : acc_t -> i32 -> Type = fun acc i -> True in 
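Review bot: The `admit(); // P-F` placed just before `sampled` is returned from sample_from_binomial_distribution_2_ discharges whatever the interface's postcondition states by assumption, and the two-letter comment does not say what is being admitted or why the fold's `True` invariant cannot establish it. A comment naming the pending obligation would let a later reader remove the admit when it is proven, e.g. `// admit(): the interface postcondition is not yet proven through foldi_chunks_exact — TODO discharge and drop`; the same bare `admit();` appears in sample_from_binomial_distribution_3_ in a later hunk and would benefit from the same note. The `#push-options "--ifuel 0 --z3rlimit 200"` opening `_3_` at the end of this hunk is paired with a `#pop-options` outside the hunk.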
@@ -4777,25 +5382,25 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + <: + Core.Ops.Range.t_Range i32) + (sz 6) -+ sampled -+ (fun sampled outcome_set -> + sampled + (fun sampled outcome_set -> +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = sampled in + let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 = sampled in -+ let outcome_set:i32 = outcome_set in -+ let outcome_1_:i32 = -+ cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 7ul <: u32) <: i32 -+ in -+ let outcome_2_:i32 = -+ cast ((coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) &. 7ul <: u32) -+ <: -+ i32 -+ in + let outcome_set:i32 = outcome_set in + let outcome_1_:i32 = + cast ((coin_toss_outcomes >>! outcome_set <: u32) &. 7ul <: u32) <: i32 +@@ -128,8 +173,22 @@ + <: + i32 + in + logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 7ul; + Math.Lemmas.small_modulo_lemma_1 (v ((coin_toss_outcomes >>! outcome_set <: u32) &. 7ul <: u32)) (pow2 32); + assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 7); + logand_lemma (coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) 7ul; + Math.Lemmas.small_modulo_lemma_1 (v ((coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) &. 7ul <: u32)) (pow2 32); + assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 7); -+ let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in + let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in +- let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + assert (outcome_set <. 24l); + assert (v (outcome_set /! 6l <: i32) = v outcome_set / 6); + assert (v (outcome_set /! 6l <: i32) < 4); 
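Review bot: The cast `let offset:usize = cast (outcome_set /! 6l <: i32) <: usize` in sample_from_binomial_distribution_3_ needs `outcome_set` to be non-negative (here it is an `i32`, unlike the `u32` used in the `_2_` variant), but the assertions that follow only pin the upper bound, `assert (outcome_set <. 24l)` and `v (outcome_set /! 6l) < 4`. The inner fold's invariant is `fun acc i -> True` (previous hunk), so the lower bound presumably comes from the range start via `foldi_range_step_by`'s index contract, which is not in view; if it does not, `assert (outcome_set >=. 0l);` before the cast would make the obligation explicit and fail early rather than at the cast. The enclosing fold and function continue into the next hunk.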
@@ -4805,74 +5410,83 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fst extraction-edited/Libcrux.Ke + assert (4 * v chunk_number + 4 <= 256); + assert (4 * v chunk_number + v offset < 256); + let sampled:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 = -+ { -+ sampled with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 4 *! chunk_number <: usize) +! offset <: usize) -+ (outcome_1_ -! outcome_2_ <: i32) -+ } -+ <: + { + sampled with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -140,15 +199,18 @@ + (outcome_1_ -! outcome_2_ <: i32) + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement_b 7 -+ in -+ sampled)) -+ in -+ let _:Prims.unit = () <: Prims.unit in + in + sampled)) + in + let _:Prims.unit = () <: Prims.unit in + admit(); -+ sampled + sampled +#pop-options -+ -+let sample_from_binomial_distribution (v_ETA: usize) (randomness: t_Slice u8) = -+ let _:Prims.unit = () <: Prims.unit in + + let sample_from_binomial_distribution (v_ETA: usize) (randomness: t_Slice u8) = + let _:Prims.unit = () <: Prims.unit in + Rust_primitives.Integers.mk_int_equiv_lemma #u32_inttype (v v_ETA); -+ match cast (v_ETA <: usize) <: u32 with -+ | 2ul -> sample_from_binomial_distribution_2_ randomness -+ | 3ul -> sample_from_binomial_distribution_3_ randomness -+ | _ -> -+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -+ -+ <: -+ Rust_primitives.Hax.t_Never) -+ + match cast (v_ETA <: usize) <: u32 with + | 2ul -> sample_from_binomial_distribution_2_ randomness + | 3ul -> sample_from_binomial_distribution_3_ randomness +@@ -158,46 +220,62 @@ + <: + Rust_primitives.Hax.t_Never) + +#push-options "--z3rlimit 50" -+let sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) = -+ let (sampled_coefficients: usize):usize = 
sz 0 in + let sample_from_uniform_distribution (randomness: t_Array u8 (sz 840)) = + let (sampled_coefficients: usize):usize = sz 0 in +- let (out: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + let (out: Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement):Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ = + = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in -+ let done:bool = false in + in + let done:bool = false in +- let done, out, sampled_coefficients:(bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & + let acc_t = (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) in + [@ inline_let] + let inv = fun (acc:acc_t) -> True in + let sl : t_Slice u8 = randomness in + let chunk_len = sz 3 in + let done, out, sampled_coefficients:(bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & -+ usize) = + usize) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Slice.impl__chunks ( +- Rust_primitives.unsize randomness <: t_Slice u8) +- (sz 3) +- <: +- Core.Slice.Iter.t_Chunks u8) +- <: +- Core.Slice.Iter.t_Chunks u8) + Rust_primitives.Iterators.fold_chunks_exact #u8 #acc_t #inv + sl + chunk_len -+ (done, out, sampled_coefficients -+ <: + (done, out, sampled_coefficients + <: +- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize)) -+ (fun temp_0_ bytes -> -+ let done, out, sampled_coefficients:(bool & + (fun temp_0_ bytes -> + let done, out, sampled_coefficients:(bool & +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & -+ usize) = -+ temp_0_ -+ in + usize) = + temp_0_ + in +- let bytes:t_Slice u8 = bytes in + let bytes:t_Array u8 chunk_len = bytes in -+ if 
~.done <: bool -+ then -+ let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in -+ let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in -+ let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + if ~.done <: bool + then + let b1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let b2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let b3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + assert(v b1 >= 0 /\ v b1 < pow2 8); + assert(v b2 >= 0 /\ v b2 < pow2 8); + assert(v b3 >= 0 /\ v b3 < pow2 8); -+ let d1:i32 = ((b2 &. 15l <: i32) <= v b1); + assert (v d1 >= 0); -+ let d2:i32 = (b3 <>! 4l <: i32) in + let d2:i32 = (b3 <>! 4l <: i32) in +- let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & + logor_lemma (b3 <>! 4l <: i32); + assert (v d2 >= v b3 * pow2 4); + assert (v d2 >= 0); + let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & -+ usize) = -+ if -+ d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && -+ sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -+ then + usize) = + if + d1 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && + sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ out with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ sampled_coefficients -+ d1 -+ } -+ <: + { + out with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -208,23 +286,23 @@ + d1 + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ out, sampled_coefficients +! sz 1 -+ <: + in + out, sampled_coefficients +! 
sz 1 + <: +- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) -+ else -+ out, sampled_coefficients -+ <: + else + out, sampled_coefficients + <: +- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) -+ in + in +- let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & + let out, sampled_coefficients:(Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & -+ usize) = -+ if -+ d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && -+ sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -+ then + usize) = + if + d2 <. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS && + sampled_coefficients <. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then +- let out:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let out:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ out with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ sampled_coefficients -+ d2 -+ } -+ <: + { + out with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -235,31 +313,31 @@ + d2 + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ let sampled_coefficients:usize = sampled_coefficients +! sz 1 in -+ out, sampled_coefficients -+ <: + in + let sampled_coefficients:usize = sampled_coefficients +! 
sz 1 in + out, sampled_coefficients + <: +- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) -+ else -+ out, sampled_coefficients -+ <: + else + out, sampled_coefficients + <: +- (Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) + (Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) -+ in -+ if sampled_coefficients =. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT -+ then -+ let done:bool = true in -+ done, out, sampled_coefficients -+ <: + in + if sampled_coefficients =. Libcrux.Kem.Kyber.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients + <: +- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) -+ else -+ done, out, sampled_coefficients -+ <: + else + done, out, sampled_coefficients + <: +- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize) + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize) -+ else -+ done, out, sampled_coefficients -+ <: + else + done, out, sampled_coefficients + <: +- (bool & Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement & usize)) + (bool & Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement & usize)) -+ in -+ let _:Prims.unit = -+ if ~.done -+ then -+ let _:Prims.unit = rejection_sampling_panic_with_diagnostic () in -+ () -+ in -+ let _:Prims.unit = () <: Prims.unit in + in + let _:Prims.unit = + if ~.done +@@ -268,4 +346,5 @@ + () + in + let _:Prims.unit = () <: Prims.unit in +- out + out +#pop-options diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 11:45:43.336554094 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 11:45:43.406552538 +0100 +--- extraction/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 
11:53:07.069953111 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 11:53:07.158951684 +0100 @@ -3,77 +3,37 @@ open Core open FStar.Mul @@ -5067,14 +5688,15 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Sampling.fsti extraction-edited/Libcrux.K +// (ensures fun result -> (forall i. v (result.f_coefficients.[i]) >= 0)) + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.Kem.Kyber.Serialize.fst ---- extraction/Libcrux.Kem.Kyber.Serialize.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-19 11:45:43.364553471 +0100 -@@ -0,0 +1,1474 @@ -+module Libcrux.Kem.Kyber.Serialize +--- extraction/Libcrux.Kem.Kyber.Serialize.fst 2024-02-19 11:53:07.084952871 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-19 11:53:07.114952389 +0100 +@@ -1,8 +1,15 @@ + module Libcrux.Kem.Kyber.Serialize +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 0 --z3rlimit 50 --retry 3" -+open Core -+open FStar.Mul -+ + open Core + open FStar.Mul + +open Libcrux.Kem.Kyber.Arithmetic + +open MkSeq 
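Review bot: The `admit();` just before the final `sampled` of the eta-3 binomial sampler (top of this hunk, ahead of `#pop-options`) is still in the edited extraction, so whatever Sampling.fsti promises for that function is assumed rather than proven, and the bound facts asserted in the two preceding hunks (`v outcome_1_ <= 7`, `4 * v chunk_number + v offset < 256`) are never checked against a postcondition. If those assertions suffice, the admit should go; if something remains open, a comment such as `(* admit: coefficient-bound postcondition still unproven; see bounds asserted above *)` would stop a reader mistaking the sampler for verified code. Further down, `sample_from_uniform_distribution` moves its accumulator to `wfPolynomialRingElement` with `inv = fun (acc:acc_t) -> True`, which looks adequate since the well-formedness is carried by the type and the `d1 <. v_FIELD_MODULUS` / `d2 <. v_FIELD_MODULUS` guards remain in place. The enclosing eta-3 function starts outside this hunk.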
@@ -5082,109 +5704,82 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + +#push-options "--z3rlimit 180" +[@@"opaque_to_smt"] -+let compress_coefficients_10_ (coefficient1 coefficient2 coefficient3 coefficient4: i32) = -+ let coef1:u8 = cast (coefficient1 &. 255l <: i32) <: u8 in -+ let coef2:u8 = -+ ((cast (coefficient2 &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) -+ in -+ let coef3:u8 = -+ ((cast (coefficient3 &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8) -+ in -+ let coef4:u8 = -+ ((cast (coefficient4 &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) -+ in -+ let coef5:u8 = cast ((coefficient4 >>! 2l <: i32) &. 255l <: i32) <: u8 in + let compress_coefficients_10_ (coefficient1 coefficient2 coefficient3 coefficient4: i32) = + let coef1:u8 = cast (coefficient1 &. 255l <: i32) <: u8 in + let coef2:u8 = +@@ -18,12 +25,14 @@ + (cast ((coefficient3 >>! 4l <: i32) &. 63l <: i32) <: u8) + in + let coef5:u8 = cast ((coefficient4 >>! 2l <: i32) &. 255l <: i32) <: u8 in + bit_vec_equal_intro_principle (); -+ coef1, coef2, coef3, coef4, coef5 <: (u8 & u8 & u8 & u8 & u8) + coef1, coef2, coef3, coef4, coef5 <: (u8 & u8 & u8 & u8 & u8) +#pop-options -+ + +#push-options "--ifuel 1 --z3rlimit 600 --split_queries always" +[@@"opaque_to_smt"] -+let compress_coefficients_11_ + let compress_coefficients_11_ +- (coefficient1 coefficient2 coefficient3 coefficient4 coefficient5 coefficient6 coefficient7 coefficient8: +- i32) +- = + coefficient1 coefficient2 coefficient3 coefficient4 coefficient5 coefficient6 coefficient7 coefficient8 = -+ let coef1:u8 = cast (coefficient1 <: i32) <: u8 in -+ let coef2:u8 = -+ ((cast (coefficient2 &. 31l <: i32) <: u8) <>! 8l <: i32) <: u8) -+ in -+ let coef3:u8 = -+ ((cast (coefficient3 &. 3l <: i32) <: u8) <>! 5l <: i32) <: u8) -+ in -+ let coef4:u8 = cast ((coefficient3 >>! 2l <: i32) &. 255l <: i32) <: u8 in -+ let coef5:u8 = -+ ((cast (coefficient4 &. 127l <: i32) <: u8) <>! 
10l <: i32) <: u8) -+ in -+ let coef6:u8 = -+ ((cast (coefficient5 &. 15l <: i32) <: u8) <>! 7l <: i32) <: u8) -+ in -+ let coef7:u8 = -+ ((cast (coefficient6 &. 1l <: i32) <: u8) <>! 4l <: i32) <: u8) -+ in -+ let coef8:u8 = cast ((coefficient6 >>! 1l <: i32) &. 255l <: i32) <: u8 in -+ let coef9:u8 = -+ ((cast (coefficient7 &. 63l <: i32) <: u8) <>! 9l <: i32) <: u8) -+ in -+ let coef10:u8 = -+ ((cast (coefficient8 &. 7l <: i32) <: u8) <>! 6l <: i32) <: u8) -+ in -+ let coef11:u8 = cast (coefficient8 >>! 3l <: i32) <: u8 in + let coef1:u8 = cast (coefficient1 <: i32) <: u8 in + let coef2:u8 = + ((cast (coefficient2 &. 31l <: i32) <: u8) <>! 6l <: i32) <: u8) + in + let coef11:u8 = cast (coefficient8 >>! 3l <: i32) <: u8 in + bit_vec_equal_intro_principle (); -+ coef1, coef2, coef3, coef4, coef5, coef6, coef7, coef8, coef9, coef10, coef11 -+ <: -+ (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) + coef1, coef2, coef3, coef4, coef5, coef6, coef7, coef8, coef9, coef10, coef11 + <: + (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) +#pop-options -+ + +-let compress_coefficients_3_ (coefficient1 coefficient2: u16) = +#push-options "--z3rlimit 20" +[@@"opaque_to_smt"] +let compress_coefficients_3_ coefficient1 coefficient2 = -+ let coef1:u8 = cast (coefficient1 &. 255us <: u16) <: u8 in + let coef1:u8 = cast (coefficient1 &. 255us <: u16) <: u8 in + get_bit_pow2_minus_one_u16 255 (sz 0); -+ let coef2:u8 = -+ cast ((coefficient1 >>! 8l <: u16) |. ((coefficient2 &. 15us <: u16) <>! 4l <: u16) &. 255us <: u16) <: u8 in + let coef2:u8 = + cast ((coefficient1 >>! 8l <: u16) |. ((coefficient2 &. 15us <: u16) <>! 4l <: u16) &. 
255us <: u16) <: u8 in +- coef1, coef2, coef3 <: (u8 & u8 & u8) + bit_vec_equal_intro_principle (); + coef1, coef2, coef3 <: (u8 & u8 & u8) +#pop-options -+ + +#push-options "--z3rlimit 60 --split_queries always" +[@@"opaque_to_smt"] -+let compress_coefficients_5_ + let compress_coefficients_5_ +- (coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8: +- u8) +- = + coefficient2 coefficient1 coefficient4 coefficient3 coefficient5 coefficient7 coefficient6 coefficient8 + = -+ let coef1:u8 = ((coefficient2 &. 7uy <: u8) <>! 3l <: u8) -+ in -+ let coef3:u8 = ((coefficient5 &. 15uy <: u8) <>! 1l <: u8) in -+ let coef4:u8 = -+ (((coefficient7 &. 3uy <: u8) <>! 4l <: u8) -+ in -+ let coef5:u8 = (coefficient8 <>! 2l <: u8) in + let coef1:u8 = ((coefficient2 &. 7uy <: u8) <>! 4l <: u8) + in + let coef5:u8 = (coefficient8 <>! 2l <: u8) in + bit_vec_equal_intro_principle (); -+ coef1, coef2, coef3, coef4, coef5 <: (u8 & u8 & u8 & u8 & u8) + coef1, coef2, coef3, coef4, coef5 <: (u8 & u8 & u8 & u8 & u8) +#pop-options -+ + +-let decompress_coefficients_10_ (byte2 byte1 byte3 byte4 byte5: i32) = +#push-options "--z3rlimit 500" +[@@"opaque_to_smt"] +let decompress_coefficients_10_ byte2 byte1 byte3 byte4 byte5 = -+ let coefficient1:i32 = ((byte2 &. 3l <: i32) <>! 2l <: i32) in -+ let coefficient3:i32 = ((byte4 &. 63l <: i32) <>! 4l <: i32) in -+ let coefficient4:i32 = (byte5 <>! 6l <: i32) in + let coefficient1:i32 = ((byte2 &. 3l <: i32) <>! 2l <: i32) in + let coefficient3:i32 = ((byte4 &. 63l <: i32) <>! 4l <: i32) in + let coefficient4:i32 = (byte5 <>! 6l <: i32) in +- coefficient1, coefficient2, coefficient3, coefficient4 <: (i32 & i32 & i32 & i32) + lemma_get_bit_bounded' coefficient1 10; + lemma_get_bit_bounded' coefficient2 10; + lemma_get_bit_bounded' coefficient3 10; 
@@ -5192,23 +5787,20 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + bit_vec_equal_intro_principle (); + coefficient1, coefficient2, coefficient3, coefficient4 +#pop-options -+ + +#push-options "--z3rlimit 300" +[@@"opaque_to_smt"] -+let decompress_coefficients_11_ + let decompress_coefficients_11_ +- (byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 byte11: i32) +- = + byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 byte11 = -+ let coefficient1:i32 = ((byte2 &. 7l <: i32) <>! 3l <: i32) in -+ let coefficient3:i32 = -+ (((byte5 &. 1l <: i32) <>! 6l <: i32) -+ in -+ let coefficient4:i32 = ((byte6 &. 15l <: i32) <>! 1l <: i32) in -+ let coefficient5:i32 = ((byte7 &. 127l <: i32) <>! 4l <: i32) in -+ let coefficient6:i32 = -+ (((byte9 &. 3l <: i32) <>! 7l <: i32) -+ in -+ let coefficient7:i32 = ((byte10 &. 31l <: i32) <>! 2l <: i32) in -+ let coefficient8:i32 = (byte11 <>! 5l <: i32) in + let coefficient1:i32 = ((byte2 &. 7l <: i32) <>! 3l <: i32) in + let coefficient3:i32 = +@@ -109,6 +137,15 @@ + in + let coefficient7:i32 = ((byte10 &. 31l <: i32) <>! 2l <: i32) in + let coefficient8:i32 = (byte11 <>! 5l <: i32) in + bit_vec_equal_intro_principle (); + lemma_get_bit_bounded' coefficient1 11; + lemma_get_bit_bounded' coefficient2 11; 
@@ -5218,21 +5810,26 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + lemma_get_bit_bounded' coefficient6 11; + lemma_get_bit_bounded' coefficient7 11; + lemma_get_bit_bounded' coefficient8 11; -+ coefficient1, -+ coefficient2, -+ coefficient3, -+ coefficient4, -+ coefficient5, -+ coefficient6, -+ coefficient7, -+ coefficient8 + coefficient1, + coefficient2, + coefficient3, +@@ -117,15 +154,22 @@ + coefficient6, + coefficient7, + coefficient8 +- <: +- (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) +#pop-options -+ + +-let decompress_coefficients_4_ (byte: u8) = +#push-options "--z3rlimit 50" +[@@"opaque_to_smt"] +let decompress_coefficients_4_ byte = -+ let coefficient1:i32 = cast (byte &. 15uy <: u8) <: i32 in -+ let coefficient2:i32 = cast ((byte >>! 4l <: u8) &. 15uy <: u8) <: i32 in + let coefficient1:i32 = cast (byte &. 15uy <: u8) <: i32 in + let coefficient2:i32 = cast ((byte >>! 4l <: u8) &. 15uy <: u8) <: i32 in +- coefficient1, coefficient2 <: (i32 & i32) +- +-let decompress_coefficients_5_ (byte1 byte2 byte3 byte4 byte5: i32) = + lemma_get_bit_bounded' coefficient1 4; + lemma_get_bit_bounded' coefficient2 4; + bit_vec_equal_intro_principle (); 
@@ -5242,14 +5839,13 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K +#push-options "--z3rlimit 400" +[@@"opaque_to_smt"] +let decompress_coefficients_5_ byte1 byte2 byte3 byte4 byte5 = -+ let coefficient1:i32 = byte1 &. 31l in -+ let coefficient2:i32 = ((byte2 &. 3l <: i32) <>! 5l <: i32) in -+ let coefficient3:i32 = (byte2 >>! 2l <: i32) &. 31l in -+ let coefficient4:i32 = ((byte3 &. 15l <: i32) <>! 7l <: i32) in -+ let coefficient5:i32 = ((byte4 &. 1l <: i32) <>! 4l <: i32) in -+ let coefficient6:i32 = (byte4 >>! 1l <: i32) &. 31l in -+ let coefficient7:i32 = ((byte5 &. 7l <: i32) <>! 6l <: i32) in -+ let coefficient8:i32 = byte5 >>! 3l in + let coefficient1:i32 = byte1 &. 31l in + let coefficient2:i32 = ((byte2 &. 3l <: i32) <>! 5l <: i32) in + let coefficient3:i32 = (byte2 >>! 2l <: i32) &. 31l in +@@ -134,6 +178,15 @@ + let coefficient6:i32 = (byte4 >>! 1l <: i32) &. 31l in + let coefficient7:i32 = ((byte5 &. 7l <: i32) <>! 6l <: i32) in + let coefficient8:i32 = byte5 >>! 3l in + bit_vec_equal_intro_principle (); + lemma_get_bit_bounded' coefficient1 5; + lemma_get_bit_bounded' coefficient2 5; @@ -5259,16 +5855,17 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + lemma_get_bit_bounded' coefficient6 5; + lemma_get_bit_bounded' coefficient7 5; + lemma_get_bit_bounded' coefficient8 5; -+ coefficient1, -+ coefficient2, -+ coefficient3, -+ coefficient4, -+ coefficient5, -+ coefficient6, -+ coefficient7, -+ coefficient8 + coefficient1, + coefficient2, + coefficient3, +@@ -142,31 +195,54 @@ + coefficient6, + coefficient7, + coefficient8 +- <: +- (i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) +#pop-options -+ + +let cast_bound_lemma + #t #u + (n: int_t t) 
@@ -5298,7 +5895,10 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + +#push-options "--fuel 0 --ifuel 1 --query_stats --z3rlimit 100" +[@@"opaque_to_smt"] -+let compress_then_serialize_10_ + let compress_then_serialize_10_ +- (v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- = + v_OUT_LEN + re + = 
@@ -5306,74 +5906,36 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + let inv = fun (acc: t_Array u8 v_OUT_LEN) (i: usize) -> + True + in -+ let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in -+ let serialized:t_Array u8 v_OUT_LEN = + let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let serialized:t_Array u8 v_OUT_LEN = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact (Rust_primitives.unsize re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- <: +- t_Slice i32) +- (sz 4) +- <: +- Core.Slice.Iter.t_ChunksExact i32) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) +- serialized + Rust_primitives.Iterators.foldi_chunks_exact #_ #accT #inv + (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients) + (sz 4) + (serialized) -+ (fun serialized temp_1_ -> -+ let serialized:t_Array u8 v_OUT_LEN = serialized in + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUT_LEN = serialized in +- let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let i, coefficients:(usize & _) = temp_1_ in -+ let coefficient1:i32 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] <: i32 -+ ) -+ <: -+ u16) -+ in -+ let coefficient2:i32 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] <: i32 -+ ) -+ <: -+ u16) -+ in -+ let coefficient3:i32 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 2 ] <: i32 -+ ) -+ <: -+ u16) -+ in -+ let coefficient4:i32 = -+ 
Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 3 ] <: i32 -+ ) -+ <: -+ u16) -+ in -+ let coef1, coef2, coef3, coef4, coef5:(u8 & u8 & u8 & u8 & u8) = -+ compress_coefficients_10_ coefficient1 coefficient2 coefficient3 coefficient4 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ (sz 5 *! i <: usize) -+ coef1 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 1 <: usize) -+ coef2 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 2 <: usize) -+ coef3 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 3 <: usize) -+ coef4 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 4 <: usize) -+ coef5 -+ in -+ serialized) -+ in -+ serialized + let coefficient1:i32 = + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 10uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] <: i32 +@@ -226,79 +302,96 @@ + serialized) + in + serialized +#pop-options + +#push-options "--fuel 0 --ifuel 0 --z3rlimit 30" 
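Review bot: The destructuring `let i, coefficients:(usize & _) = temp_1_ in` in compress_then_serialize_10_ leaves the chunk type to inference, whereas the sibling 11_ and 4_ folds below spell out `t_Array Libcrux.Kem.Kyber.Arithmetic.wfFieldElement (sz 8)` and `(sz 2)`; writing `let i, coefficients:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.wfFieldElement (sz 4)) = temp_1_ in` would keep the three folds consistent and make the per-coefficient well-formedness assumption visible where `to_unsigned_representative` consumes it. The 11_ variant also discharges its `11 * i` index arithmetic with `assert_spinoff`, while nothing comparable appears for `sz 5 *! i +! sz 4` here; presumably it passes under the `--z3rlimit 100` push-options, but the same treatment would make the proof less sensitive to solver changes. compress_then_serialize_10_'s header is in the previous hunk.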
@@ -5399,302 +5961,186 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + let s = update_at_usize s (offset +! sz 4) i4 in + s +#pop-options -+ + +#push-options "--fuel 0 --ifuel 1 --z3rlimit 100 --query_stats --split_queries no" -+let compress_then_serialize_11_ + let compress_then_serialize_11_ +- (v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- = + v_OUT_LEN re + = + let inv = fun (acc: t_Array u8 v_OUT_LEN) (i: usize) -> True in -+ let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in -+ let serialized:t_Array u8 v_OUT_LEN = + let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let serialized:t_Array u8 v_OUT_LEN = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact (Rust_primitives.unsize re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- <: +- t_Slice i32) +- (sz 8) +- <: +- Core.Slice.Iter.t_ChunksExact i32) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) + Rust_primitives.Iterators.foldi_chunks_exact #_ #_ #inv + (Rust_primitives.unsize re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients) + (sz 8) -+ serialized -+ (fun serialized temp_1_ -> -+ let serialized:t_Array u8 v_OUT_LEN = serialized in + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUT_LEN = serialized in +- let i, coefficients:(usize & t_Slice i32) = temp_1_ in +- let coefficient1:i32 = + let i, coefficients:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.wfFieldElement (sz 8)) = temp_1_ in + let coefficient1 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] <: i32 -+ ) -+ <: -+ u16) -+ in + 
Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] <: i32 + ) + <: + u16) + in +- let coefficient2:i32 = + let coefficient2 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] <: i32 -+ ) -+ <: -+ u16) -+ in + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] <: i32 + ) + <: + u16) + in +- let coefficient3:i32 = + let coefficient3 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 2 ] <: i32 -+ ) -+ <: -+ u16) -+ in + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 2 ] <: i32 + ) + <: + u16) + in +- let coefficient4:i32 = + let coefficient4 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 3 ] <: i32 -+ ) -+ <: -+ u16) -+ in + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 3 ] <: i32 + ) + <: + u16) + in +- let coefficient5:i32 = + let coefficient5 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 4 ] <: i32 -+ ) -+ <: -+ u16) -+ in + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 4 ] <: i32 + ) + <: + u16) + in +- let coefficient6:i32 = + let coefficient6 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 5 ] <: i32 
-+ ) -+ <: -+ u16) -+ in + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 5 ] <: i32 + ) + <: + u16) + in +- let coefficient7:i32 = + let coefficient7 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 6 ] <: i32 -+ ) -+ <: -+ u16) -+ in + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 6 ] <: i32 + ) + <: + u16) + in +- let coefficient8:i32 = + let coefficient8 = -+ Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 7 ] <: i32 -+ ) -+ <: -+ u16) -+ in -+ let coef1, coef2, coef3, coef4, coef5, coef6, coef7, coef8, coef9, coef10, coef11:(u8 & u8 & -+ u8 & -+ u8 & -+ u8 & -+ u8 & -+ u8 & -+ u8 & -+ u8 & -+ u8 & -+ u8) = -+ compress_coefficients_11_ coefficient1 -+ coefficient2 -+ coefficient3 -+ coefficient4 -+ coefficient5 -+ coefficient6 -+ coefficient7 -+ coefficient8 -+ in + Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 11uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 7 ] <: i32 + ) +@@ -324,6 +417,8 @@ + coefficient7 + coefficient8 + in + assert_spinoff (v i < 32 ==> 11 * v i + 11 <= 32 * 11); + assert_spinoff (v i < 32 ==> range (v (sz 11) * v i) usize_inttype); -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ (sz 11 *! i <: usize) -+ coef1 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 1 <: usize) -+ coef2 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! 
sz 2 <: usize) -+ coef3 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 3 <: usize) -+ coef4 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 4 <: usize) -+ coef5 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 5 <: usize) -+ coef6 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 6 <: usize) -+ coef7 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 7 <: usize) -+ coef8 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 8 <: usize) -+ coef9 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 9 <: usize) -+ coef10 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 11 *! i <: usize) +! sz 10 <: usize) -+ coef11 -+ in -+ serialized) -+ in -+ serialized + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11 *! 
i <: usize) +@@ -382,29 +477,20 @@ + serialized) + in + serialized +#pop-options -+ + +-let compress_then_serialize_4_ +- (v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- = +let compress_then_serialize_4_ v_OUT_LEN re = -+ let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let accT = t_Array u8 v_OUT_LEN in + let inv (acc: accT) (i: usize) = True in -+ let serialized:t_Array u8 v_OUT_LEN = + let serialized:t_Array u8 v_OUT_LEN = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact (Rust_primitives.unsize re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- <: +- t_Slice i32) +- (sz 2) +- <: +- Core.Slice.Iter.t_ChunksExact i32) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) + Rust_primitives.Iterators.foldi_chunks_exact #_ #_ #inv + (Rust_primitives.unsize re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients) + (sz 2) -+ serialized -+ (fun serialized temp_1_ -> -+ let serialized:t_Array u8 v_OUT_LEN = serialized in + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUT_LEN = serialized in +- let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let i, coefficients:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.wfFieldElement (sz 2)) = temp_1_ in -+ let coefficient1:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 4uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coefficient2:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 4uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] -+ <: -+ i32) -+ <: -+ 
u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ i -+ ((coefficient2 < -+ let serialized:t_Array u8 v_OUT_LEN = serialized in + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUT_LEN = serialized in +- let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let i, coefficients:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.wfFieldElement (sz 8)) = temp_1_ in -+ let coefficient1:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coefficient2:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coefficient3:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 2 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coefficient4:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 3 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coefficient5:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 4 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coefficient6:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 5 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coefficient7:u8 = -+ cast 
(Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 6 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in + let coefficient1:u8 = + cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] +@@ -544,6 +623,14 @@ + <: + u8 + in + let coefficient8' = Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 7 ] + <: 
@@ -5703,144 +6149,149 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + u16) + <: + i32 in -+ let coefficient8:u8 = -+ cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy -+ (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 7 ] -+ <: -+ i32) -+ <: -+ u16) -+ <: -+ i32) -+ <: -+ u8 -+ in -+ let coef1, coef2, coef3, coef4, coef5:(u8 & u8 & u8 & u8 & u8) = -+ compress_coefficients_5_ coefficient2 -+ coefficient1 -+ coefficient4 -+ coefficient3 -+ coefficient5 -+ coefficient7 -+ coefficient6 -+ coefficient8 -+ in + let coefficient8:u8 = + cast (Libcrux.Kem.Kyber.Compress.compress_ciphertext_coefficient 5uy + (Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 7 ] +@@ -566,6 +653,8 @@ + coefficient6 + coefficient8 + in + assert_spinoff (v i < 32 ==> 5 * v i + 5 <= 32 * 5); + assert_spinoff (v i < 32 ==> range (v (sz 5) * v i) usize_inttype); -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ (sz 5 *! i <: usize) -+ coef1 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 1 <: usize) -+ coef2 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 2 <: usize) -+ coef3 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 3 <: usize) -+ coef4 -+ in -+ let serialized:t_Array u8 v_OUT_LEN = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ ((sz 5 *! i <: usize) +! sz 4 <: usize) -+ coef5 -+ in -+ serialized) -+ in -+ serialized -+ + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! 
i <: usize) +@@ -595,35 +684,24 @@ + in + serialized + +-let compress_then_serialize_message (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +let compress_then_serialize_message re = -+ let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let accT = t_Array u8 (sz 32) in + let inv (acc: accT) (i: usize) = True in -+ let serialized:t_Array u8 (sz 32) = + let serialized:t_Array u8 (sz 32) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact (Rust_primitives.unsize re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- <: +- t_Slice i32) +- (sz 8) +- <: +- Core.Slice.Iter.t_ChunksExact i32) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) + Rust_primitives.Iterators.foldi_chunks_exact #_ #_ #inv + (re.Libcrux.Kem.Kyber.Arithmetic.f_coefficients) + (sz 8) -+ serialized -+ (fun serialized temp_1_ -> -+ let serialized:t_Array u8 (sz 32) = serialized in + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 32) = serialized in +- let i, coefficients:(usize & t_Slice i32) = temp_1_ in +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__iter coefficients <: Core.Slice.Iter.t_Iter i32) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Iter i32)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Iter i32)) + let i, coefficients:(usize & t_Array Libcrux.Kem.Kyber.Arithmetic.wfFieldElement _) = temp_1_ in + Rust_primitives.Iterators.foldi_slice #_ #_ #(fun _ _ -> True) + coefficients -+ serialized -+ (fun serialized temp_1_ -> -+ let serialized:t_Array u8 (sz 32) = serialized in + serialized + (fun 
serialized temp_1_ -> + let serialized:t_Array u8 (sz 32) = serialized in +- let j, coefficient:(usize & i32) = temp_1_ in + let j, coefficient:(usize & Libcrux.Kem.Kyber.Arithmetic.wfFieldElement) = temp_1_ in -+ let coefficient:u16 = -+ Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative coefficient -+ in -+ let coefficient_compressed:u8 = -+ Libcrux.Kem.Kyber.Compress.compress_message_coefficient coefficient -+ in -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized -+ i -+ ((serialized.[ i ] <: u8) |. (coefficient_compressed < compress_then_serialize_10_ v_OUT_LEN re -+ | 11ul -> compress_then_serialize_11_ v_OUT_LEN re -+ | _ -> -+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -+ <: -+ Rust_primitives.Hax.t_Never) -+ + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 10ul -> compress_then_serialize_10_ v_OUT_LEN re + | 11ul -> compress_then_serialize_11_ v_OUT_LEN re + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +- + <: + Rust_primitives.Hax.t_Never) + +-let compress_then_serialize_ring_element_v +- (v_COMPRESSION_FACTOR v_OUT_LEN: usize) +- (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) +- = +let compress_then_serialize_ring_element_v #p v_COMPRESSION_FACTOR v_OUT_LEN re = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR); + let res = + assert ( + (v (cast (v_COMPRESSION_FACTOR <: usize) <: u32) == 4) \/ + (v (cast (v_COMPRESSION_FACTOR <: usize) <: u32) == 5) + ); -+ match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with -+ | 4ul -> compress_then_serialize_4_ v_OUT_LEN re -+ | 5ul -> compress_then_serialize_5_ v_OUT_LEN re -+ | _ -> -+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -+ -+ <: -+ Rust_primitives.Hax.t_Never) + match 
cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 4ul -> compress_then_serialize_4_ v_OUT_LEN re + | 5ul -> compress_then_serialize_5_ v_OUT_LEN re +@@ -665,32 +751,49 @@ + + <: + Rust_primitives.Hax.t_Never) + in + admit (); // P-F + res -+ + +-let deserialize_then_decompress_10_ (serialized: t_Slice u8) = +#push-options "--z3rlimit 160" +let deserialize_then_decompress_10_ serialized = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact serialized (sz 5) <: Core.Slice.Iter.t_ChunksExact u8) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) + let accT = Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement in + let inv (acc: accT) (i: usize) = True in + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Rust_primitives.Iterators.foldi_chunks_exact #_ #_ #inv + serialized + (sz 5) -+ re -+ (fun re temp_1_ -> + re + (fun re temp_1_ -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in +- let i, bytes:(usize & t_Slice u8) = temp_1_ in +- let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in +- let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in +- let byte3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in +- let byte4:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in +- let byte5:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in +- let coefficient1, coefficient2, coefficient3, 
coefficient4:(i32 & i32 & i32 & i32) = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = re in + let i, bytes:(usize & t_Array u8 (sz 5)) = temp_1_ in + let byte1: int_t_d i32_inttype 8 = cast (bytes.[ sz 0 ] <: u8) <: i32 in @@ -5849,8 +6300,9 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + let byte4: int_t_d i32_inttype 8 = cast (bytes.[ sz 3 ] <: u8) <: i32 in + let byte5: int_t_d i32_inttype 8 = cast (bytes.[ sz 4 ] <: u8) <: i32 in + let coefficient1, coefficient2, coefficient3, coefficient4 = -+ decompress_coefficients_10_ byte2 byte1 byte3 byte4 byte5 -+ in + decompress_coefficients_10_ byte2 byte1 byte3 byte4 byte5 + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let coefficient1 = (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient1 + <: + i32) in 
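Review bot: The new body of `compress_then_serialize_ring_element_v` ends with `admit (); // P-F` just before returning `res`, so whatever postcondition this function is declared with (its signature is outside the hunk) is assumed rather than verified, whereas `compress_then_serialize_ring_element_u` directly above carries no admit. The `// P-F` tag does not say which obligation is being skipped or why the preceding `assert` on the `v_COMPRESSION_FACTOR` case split is not sufficient, so a reader of the proof cannot tell verified from assumed code without diffing the patch history. I would replace the tag with a comment naming the outstanding obligation and a tracking reference, e.g. `admit (); (* TODO(<tracking-id>): postcondition not yet proven; only the COMPRESSION_FACTOR = 4 or 5 case split is established above *)`, where `<tracking-id>` is the issue that owns the remaining proof work.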
@@ -5866,75 +6318,117 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + assert_spinoff (v i < 64 ==> 4 * v i + 4 <= 256); + assert_spinoff (v i < 64 ==> range (v (sz 4) * v i) usize_inttype); + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (sz 4 *! i <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -698,14 +801,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (sz 4 *! i <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient1 +- <: +- i32) + coefficient1 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 4 *! i <: usize) +! sz 1 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -713,14 +814,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 4 *! i <: usize) +! 
sz 1 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient2 +- <: +- i32) + coefficient2 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 4 *! i <: usize) +! sz 2 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -728,14 +827,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 4 *! i <: usize) +! sz 2 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient3 +- <: +- i32) + coefficient3 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 4 *! i <: usize) +! sz 3 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -743,44 +840,43 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 4 *! i <: usize) +! 
sz 3 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 10uy coefficient4 +- <: +- i32) + coefficient4 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ re) -+ in -+ re + in + re) + in + re +#pop-options -+ + +-let deserialize_then_decompress_11_ (serialized: t_Slice u8) = +#push-options "--z3rlimit 100 --ifuel 0" +let deserialize_then_decompress_11_ serialized + : Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact serialized (sz 11) <: Core.Slice.Iter.t_ChunksExact u8) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Rust_primitives.Iterators.foldi_chunks_exact #_ #_ #(fun _ _ -> True) + serialized + (sz 11) -+ re -+ (fun re temp_1_ -> + re + (fun re temp_1_ -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in +- let i, bytes:(usize & t_Slice u8) = temp_1_ in +- let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in +- let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in +- let byte3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in +- let byte4:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in +- let byte5:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in +- let 
byte6:i32 = cast (bytes.[ sz 5 ] <: u8) <: i32 in +- let byte7:i32 = cast (bytes.[ sz 6 ] <: u8) <: i32 in +- let byte8:i32 = cast (bytes.[ sz 7 ] <: u8) <: i32 in +- let byte9:i32 = cast (bytes.[ sz 8 ] <: u8) <: i32 in +- let byte10:i32 = cast (bytes.[ sz 9 ] <: u8) <: i32 in +- let byte11:i32 = cast (bytes.[ sz 10 ] <: u8) <: i32 in + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = re in + let i, bytes:(usize & t_Array u8 (sz 11)) = temp_1_ in + assert (v i < 32); @@ -5949,18 +6443,19 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + let byte9: int_t_d i32_inttype 8 = cast (bytes.[ sz 8 ] <: u8) <: i32 in + let byte10: int_t_d i32_inttype 8 = cast (bytes.[ sz 9 ] <: u8) <: i32 in + let byte11: int_t_d i32_inttype 8 = cast (bytes.[ sz 10 ] <: u8) <: i32 in -+ let -+ coefficient1, -+ coefficient2, -+ coefficient3, -+ coefficient4, -+ coefficient5, -+ coefficient6, -+ coefficient7, + let + coefficient1, + coefficient2, +@@ -789,11 +885,21 @@ + coefficient5, + coefficient6, + coefficient7, +- coefficient8:(i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) = + coefficient8 = -+ decompress_coefficients_11_ byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 -+ byte11 -+ in + decompress_coefficients_11_ byte2 byte1 byte3 byte5 byte4 byte6 byte7 byte9 byte8 byte10 + byte11 + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let coefficient1 = Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient1 in + let coefficient2 = Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient2 in + let coefficient3 = Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient3 in 
@@ -5972,176 +6467,238 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + assert_spinoff (8 * v i + 8 <= 256); + assert_spinoff (range (v (sz 8) * v i) usize_inttype); + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (sz 8 *! i <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -801,14 +907,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (sz 8 *! i <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient1 +- <: +- i32) + coefficient1 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 1 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -816,14 +920,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 1 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient2 +- <: +- i32) + coefficient2 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 2 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -831,14 +933,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! sz 2 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient3 +- <: +- i32) + coefficient3 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 3 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -846,14 +946,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 3 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient4 +- <: +- i32) + coefficient4 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 4 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -861,14 +959,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! sz 4 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient5 +- <: +- i32) + coefficient5 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 5 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -876,14 +972,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 5 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient6 +- <: +- i32) + coefficient6 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 6 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -891,14 +985,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! sz 6 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient7 +- <: +- i32) + coefficient7 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 7 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -906,35 +998,33 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 7 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 11uy coefficient8 +- <: +- i32) + coefficient8 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ re) -+ in -+ re + in + re) + in + re +#pop-options -+ + +-let deserialize_then_decompress_4_ (serialized: t_Slice u8) = +#push-options "--z3rlimit 100" +let deserialize_then_decompress_4_ serialized = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__iter serialized <: Core.Slice.Iter.t_Iter u8) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Iter u8)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Iter u8)) + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Rust_primitives.Iterators.foldi_slice #_ #_ #(fun _ _ -> True) + serialized -+ re -+ (fun re temp_1_ -> + re + (fun re temp_1_ -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = re in -+ let i, byte:(usize & u8) = temp_1_ in + let i, byte:(usize & u8) = temp_1_ in +- let coefficient1, coefficient2:(i32 & i32) = decompress_coefficients_4_ byte in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let coefficient1, coefficient2 = decompress_coefficients_4_ byte in + assert_spinoff (v i < 128 ==> 2 * v i + 1 < 256); + assert_spinoff (v i < 128 ==> range (v (sz 
2) * v i) usize_inttype); + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (sz 2 *! i <: usize) -+ (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 4uy coefficient1 -+ <: -+ i32) -+ } -+ <: + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -947,9 +1037,9 @@ + i32) + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 2 *! i <: usize) +! sz 1 <: usize) -+ (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 4uy coefficient2 -+ <: -+ i32) -+ } -+ <: + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -962,33 +1052,32 @@ + i32) + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ re) -+ in -+ re + in + re) + in + re +#pop-options -+ + +-let deserialize_then_decompress_5_ (serialized: t_Slice u8) = +#push-options "--z3rlimit 150" +let deserialize_then_decompress_5_ serialized = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- 
Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact serialized (sz 5) <: Core.Slice.Iter.t_ChunksExact u8) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Rust_primitives.Iterators.foldi_chunks_exact #_ #_ #(fun _ _ -> True) + serialized (sz 5) -+ re -+ (fun re temp_1_ -> + re + (fun re temp_1_ -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in +- let i, bytes:(usize & t_Slice u8) = temp_1_ in +- let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in +- let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in +- let byte3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in +- let byte4:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in +- let byte5:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = re in + let i, bytes:(usize & t_Array u8 (sz 5)) = temp_1_ in + assert (v i < 32); 
@@ -6150,17 +6707,18 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + let byte3 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let byte4 = cast (bytes.[ sz 3 ] <: u8) <: i32 in + let byte5 = cast (bytes.[ sz 4 ] <: u8) <: i32 in -+ let -+ coefficient1, -+ coefficient2, -+ coefficient3, -+ coefficient4, -+ coefficient5, -+ coefficient6, -+ coefficient7, + let + coefficient1, + coefficient2, +@@ -997,10 +1086,25 @@ + coefficient5, + coefficient6, + coefficient7, +- coefficient8:(i32 & i32 & i32 & i32 & i32 & i32 & i32 & i32) = + coefficient8 = -+ decompress_coefficients_5_ byte1 byte2 byte3 byte4 byte5 -+ in + decompress_coefficients_5_ byte1 byte2 byte3 byte4 byte5 + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let coefficient1 = Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient1 in + let coefficient2 = Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient2 in + let coefficient3 = Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient3 in 
@@ -6177,206 +6735,272 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + mul_in_range 8 (v i); + assert_spinoff (v i < 32 ==> range (v (sz 8) * v i) usize_inttype); + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (sz 8 *! i <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1008,14 +1112,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (sz 8 *! i <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient1 +- <: +- i32) + coefficient1 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 1 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1023,14 +1125,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 1 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient2 +- <: +- i32) + coefficient2 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 2 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1038,14 +1138,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! sz 2 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient3 +- <: +- i32) + coefficient3 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 3 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1053,14 +1151,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 3 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient4 +- <: +- i32) + coefficient4 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 4 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1068,14 +1164,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! sz 4 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient5 +- <: +- i32) + coefficient5 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 5 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1083,14 +1177,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 5 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient6 +- <: +- i32) + coefficient6 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 6 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1098,14 +1190,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! sz 6 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient7 +- <: +- i32) + coefficient7 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! sz 7 <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1113,33 +1203,27 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + ((sz 8 *! i <: usize) +! 
sz 7 <: usize) +- (Libcrux.Kem.Kyber.Compress.decompress_ciphertext_coefficient 5uy coefficient8 +- <: +- i32) + coefficient8 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ re) -+ in -+ re + in + re) + in + re +#pop-options -+ + +#push-options "--z3rlimit 60" -+let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) = + let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) = +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Iter.Traits.Collect.f_into_iter serialized +- <: +- Core.Array.Iter.t_IntoIter u8 (sz 32)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Array.Iter.t_IntoIter u8 (sz 32))) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Array.Iter.t_IntoIter u8 (sz 32))) + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Rust_primitives.Iterators.foldi_slice #_ #_ #(fun _ _ -> True) + serialized -+ re -+ (fun re temp_1_ -> + re + (fun re temp_1_ -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = re in -+ let i, byte:(usize & u8) = temp_1_ in -+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({ -+ Core.Ops.Range.f_start = sz 0; -+ Core.Ops.Range.f_end = sz 8 -+ } -+ <: -+ Core.Ops.Range.t_Range usize) -+ <: -+ Core.Ops.Range.t_Range usize) -+ re -+ (fun re j -> + let i, byte:(usize & u8) = temp_1_ in + Core.Iter.Traits.Iterator.f_fold 
(Core.Iter.Traits.Collect.f_into_iter ({ + Core.Ops.Range.f_start = sz 0; +@@ -1151,10 +1235,11 @@ + Core.Ops.Range.t_Range usize) + re + (fun re j -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = re in -+ let j:usize = j in -+ let coefficient_compressed:i32 = cast ((byte >>! j <: u8) &. 1uy <: u8) <: i32 in + let j:usize = j in + let coefficient_compressed:i32 = cast ((byte >>! j <: u8) &. 1uy <: u8) <: i32 in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + lemma_get_bit_bounded' coefficient_compressed 1; + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ ((sz 8 *! i <: usize) +! j <: usize) -+ (Libcrux.Kem.Kyber.Compress.decompress_message_coefficient coefficient_compressed -+ -+ <: -+ i32) -+ } -+ <: + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1168,19 +1253,20 @@ + i32) + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ re) -+ <: + in + re) + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement) -+ in + in + admit(); //P-F -+ re + re +#pop-options -+ + +-let deserialize_then_decompress_ring_element_u +- (v_COMPRESSION_FACTOR: usize) +- (serialized: t_Slice u8) +- = +let deserialize_then_decompress_ring_element_u v_COMPRESSION_FACTOR serialized = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR); + assert (v (cast (v_COMPRESSION_FACTOR <: usize) <: u32) == 10 \/ v (cast (v_COMPRESSION_FACTOR <: usize) <: u32) == 11); -+ match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with -+ | 10ul -> 
deserialize_then_decompress_10_ serialized -+ | 11ul -> deserialize_then_decompress_11_ serialized -+ | _ -> -+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -+ -+ <: -+ Rust_primitives.Hax.t_Never) -+ + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 10ul -> deserialize_then_decompress_10_ serialized + | 11ul -> deserialize_then_decompress_11_ serialized +@@ -1190,11 +1276,11 @@ + <: + Rust_primitives.Hax.t_Never) + +-let deserialize_then_decompress_ring_element_v +- (v_COMPRESSION_FACTOR: usize) +- (serialized: t_Slice u8) +- = +let deserialize_then_decompress_ring_element_v v_COMPRESSION_FACTOR serialized = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in + mk_int_equiv_lemma #u32_inttype (v v_COMPRESSION_FACTOR); + assert (v (cast (v_COMPRESSION_FACTOR <: usize) <: u32) == 4 \/ v (cast (v_COMPRESSION_FACTOR <: usize) <: u32) == 5); + let res = -+ match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with -+ | 4ul -> deserialize_then_decompress_4_ serialized -+ | 5ul -> deserialize_then_decompress_5_ serialized -+ | _ -> -+ Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -+ -+ <: -+ Rust_primitives.Hax.t_Never) + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 4ul -> deserialize_then_decompress_4_ serialized + | 5ul -> deserialize_then_decompress_5_ serialized +@@ -1203,27 +1289,32 @@ + + <: + Rust_primitives.Hax.t_Never) + in + admit(); //P-F + res -+ + +-let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8) = +#push-options "--z3rlimit 220" +let deserialize_to_uncompressed_ring_element (serialized: t_Slice u8) = -+ let _:Prims.unit = () <: Prims.unit in + let _:Prims.unit = () <: Prims.unit in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + 
Libcrux.Kem.Kyber.Arithmetic.cast_poly_b Libcrux.Kem.Kyber.Arithmetic.impl__PolynomialRingElement__ZERO -+ in + in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact serialized (sz 3) <: Core.Slice.Iter.t_ChunksExact u8) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact u8)) + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = + Rust_primitives.Iterators.foldi_chunks_exact #_ #_ #(fun _ _ -> True) + serialized + (sz 3) -+ re -+ (fun re temp_1_ -> + re + (fun re temp_1_ -> +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = re in +- let i, bytes:(usize & t_Slice u8) = temp_1_ in +- let byte1:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in +- let byte2:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in +- let byte3:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in +- let re:Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement = + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = re in + let i, bytes:(usize & t_Array u8 (sz 3)) = temp_1_ in + let byte1:int_t_d i32_inttype 8 = cast (bytes.[ sz 0 ] <: u8) <: i32 in 
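Review bot: On the new side both `deserialize_then_decompress_message` and `deserialize_then_decompress_ring_element_v` still terminate in `admit(); //P-F`, so their `wfPolynomialRingElement` result type is assumed rather than proved; this commit only moves those lines from added to context, but the patch is what the verification claim rests on, and the `_u` variant right next to them carries no admit. The message loop already calls `lemma_get_bit_bounded' coefficient_compressed 1`, which suggests the bound is within reach; until it is discharged I would make the gap explicit, e.g. `admit(); (* TODO(proof): panic-freedom / coefficient bound of the decompressed element not yet discharged *)`. Separately, `_u` invokes `mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR)` while `_v` invokes `mk_int_equiv_lemma #u32_inttype (v v_COMPRESSION_FACTOR)` for the same usize-to-u32 cast; if that implicit feeds the following `assert`, one of the two looks wrong. The hunk opens mid-way through the 5-bit decompression function, whose start is outside it.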
@@ -6387,36 +7011,56 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + lemma_get_bit_bounded' coef1 11; + lemma_get_bit_bounded' coef2 11; + let re:Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement = -+ { -+ re with -+ Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ = -+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re -+ .Libcrux.Kem.Kyber.Arithmetic.f_coefficients -+ (sz 2 *! i <: usize) + { + re with + Libcrux.Kem.Kyber.Arithmetic.f_coefficients +@@ -1231,12 +1322,12 @@ + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux.Kem.Kyber.Arithmetic.f_coefficients + (sz 2 *! i <: usize) +- (((byte2 &. 15l <: i32) <>! 4l <: i32) &. 15l <: i32) <: i32) + coef2 -+ } -+ <: + } + <: +- Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement + Libcrux.Kem.Kyber.Arithmetic.wfPolynomialRingElement -+ in -+ re) -+ in -+ re + in + re) + in + re +#pop-options -+ + +-let serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) = +- let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in +- let serialized:t_Array u8 (sz 384) = +- Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter (Core.Iter.Traits.Iterator.f_enumerate +- (Core.Slice.impl__chunks_exact (Rust_primitives.unsize re +- .Libcrux.Kem.Kyber.Arithmetic.f_coefficients +- <: +- t_Slice i32) +- (sz 2) +- <: +- Core.Slice.Iter.t_ChunksExact i32) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) +- <: +- Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_ChunksExact i32)) +module A = Libcrux.Kem.Kyber.Arithmetic + +#push-options "--z3rlimit 50 --fuel 0 --ifuel 0 --retry 0 --split_queries no" 
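Review bot: The hunk opens with `lemma_get_bit_bounded' coef1 11; lemma_get_bit_bounded' coef2 11;` for coefficients unpacked from 3-byte chunks two at a time (`sz 3`, index `sz 2 *! i`), i.e. 12-bit values; if `lemma_get_bit_bounded' x d` establishes `v x < pow2 d`, as the `... coefficient_compressed 1` call on a 0/1 value elsewhere in this file suggests, then `11` is one too small, since valid coefficients reach 3328 > 2047 and the call would either fail or depend on an admitted lemma. Unless the lemma's `d` means something else, I would expect `lemma_get_bit_bounded' coef1 12; lemma_get_bit_bounded' coef2 12;` — please confirm its definition. Note also that the line `+- (((byte2 &. 15l <: i32) <>! 4l <: i32) &. 15l <: i32) <: i32)` reads as extraction damage (a `<<! ... >>!` span appears to have been eaten) and should be compared with the repository copy before relying on this view. The enclosing function starts outside the hunk.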
@@ -6512,7 +7156,35 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K
+ )
+ (re.A.f_coefficients <: t_Array _ (sz 256))
+ (sz 2)
-+ serialized
+ serialized
+- (fun serialized temp_1_ ->
+- let serialized:t_Array u8 (sz 384) = serialized in
+- let i, coefficients:(usize & t_Slice i32) = temp_1_ in
+- let coefficient1:u16 =
+- Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 0 ] <: i32)
+- in
+- let coefficient2:u16 =
+- Libcrux.Kem.Kyber.Arithmetic.to_unsigned_representative (coefficients.[ sz 1 ] <: i32)
+- in
+- let coef1, coef2, coef3:(u8 & u8 & u8) =
+- compress_coefficients_3_ coefficient1 coefficient2
+- in
+- let serialized:t_Array u8 (sz 384) =
+- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+- (sz 3 *! i <: usize)
+- coef1
+- in
+- let serialized:t_Array u8 (sz 384) =
+- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+- ((sz 3 *! i <: usize) +! sz 1 <: usize)
+- coef2
+- in
+- let serialized:t_Array u8 (sz 384) =
+- Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized
+- ((sz 3 *! i <: usize) +! sz 2 <: usize)
+- coef3
+- in
+- serialized)
+ (fun serialized it -> let i, coefficients = it in
+
+ let coefficient1 = A.to_unsigned_representative (coefficients.[ sz 0 ] <: i32) in
@@ -6535,7 +7207,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K
+ (bit_vec_of_int_t_array full_coefficients 12)
+ 0 0 (v i * 2 * 12) (3 * 8);
+ serialized' <: t_Array u8 (sz 384))
-+ in
+ in
+- serialized
+ serialized
+#pop-options
+
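Review bot: The replacement closure in `serialize_uncompressed_ring_element` drops the `:u16` annotations that the removed lines carried on `coefficient1`/`coefficient2`, and folds the tuple destructuring onto the `fun` line (`(fun serialized it -> let i, coefficients = it in`), which makes the width of the values fed to `compress_coefficients_3_` harder to see in a proof file where the bit-vector reasoning that follows depends on it. I would keep the annotations, `let coefficient1:u16 = A.to_unsigned_representative (coefficients.[ sz 0 ] <: i32) in`, and put the destructuring on its own line as before. The closure body continues past the end of this hunk.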
@@ -6545,8 +7218,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fst extraction-edited/Libcrux.K + + diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:45:43.332554183 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:45:43.393552827 +0100 +--- extraction/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:53:07.064953191 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:53:07.144951908 +0100 @@ -2,118 +2,191 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -6808,8 +7481,8 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Serialize.fsti extraction-edited/Libcrux. + + // (ensures (fun res -> res == Spec.Kyber.byte_encode 12 (Libcrux.Kem.Kyber.Arithmetic.wf_poly_to_spec_poly re))) diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.Kyber.Types.fst ---- extraction/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:45:43.334554139 +0100 -+++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:45:43.387552960 +0100 +--- extraction/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:53:07.067953143 +0100 ++++ extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:53:07.137952020 +0100 @@ -50,7 +50,9 @@ let impl_6__len (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) : usize = v_SIZE @@ -6845,7 +7518,7 @@ diff -ruN extraction/Libcrux.Kem.Kyber.Types.fst extraction-edited/Libcrux.Kem.K type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_platform.Platform.fsti --- extraction/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Libcrux_platform.Platform.fsti 2024-02-19 11:45:43.382553071 +0100 ++++ extraction-edited/Libcrux_platform.Platform.fsti 2024-02-19 11:53:07.133952085 +0100 
@@ -0,0 +1,20 @@ +module Libcrux_platform.Platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -6869,7 +7542,7 @@ diff -ruN extraction/Libcrux_platform.Platform.fsti extraction-edited/Libcrux_pl +val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst --- extraction/MkSeq.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/MkSeq.fst 2024-02-19 11:45:43.360553561 +0100 ++++ extraction-edited/MkSeq.fst 2024-02-19 11:53:07.108952486 +0100 @@ -0,0 +1,91 @@ +module MkSeq +open Core @@ -6964,7 +7637,7 @@ diff -ruN extraction/MkSeq.fst extraction-edited/MkSeq.fst +%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction/Spec.Kyber.fst extraction-edited/Spec.Kyber.fst --- extraction/Spec.Kyber.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-edited/Spec.Kyber.fst 2024-02-19 11:45:43.394552805 +0100 ++++ extraction-edited/Spec.Kyber.fst 2024-02-19 11:53:07.146951876 +0100 @@ -0,0 +1,430 @@ +module Spec.Kyber +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" diff --git a/proofs/fstar/extraction-secret-independent.patch b/proofs/fstar/extraction-secret-independent.patch index 639281e8..960f2393 100644 --- a/proofs/fstar/extraction-secret-independent.patch +++ b/proofs/fstar/extraction-secret-independent.patch @@ -1,5 +1,5 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq.fst ---- extraction-edited/BitVecEq.fst 2024-02-19 11:45:43.372553294 +0100 +--- extraction-edited/BitVecEq.fst 2024-02-19 11:53:07.122952261 +0100 +++ extraction-secret-independent/BitVecEq.fst 1970-01-01 01:00:00.000000000 +0100 @@ -1,12 +0,0 @@ -module BitVecEq 
@@ -15,7 +15,7 @@ diff -ruN extraction-edited/BitVecEq.fst extraction-secret-independent/BitVecEq. - - diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq.fsti ---- extraction-edited/BitVecEq.fsti 2024-02-19 11:45:43.404552582 +0100 +--- extraction-edited/BitVecEq.fsti 2024-02-19 11:53:07.157951700 +0100 +++ extraction-secret-independent/BitVecEq.fsti 1970-01-01 01:00:00.000000000 +0100 @@ -1,294 +0,0 @@ -module BitVecEq @@ -313,8 +313,8 @@ diff -ruN extraction-edited/BitVecEq.fsti extraction-secret-independent/BitVecEq - = admit () -*) diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Libcrux.Digest.fsti ---- extraction-edited/Libcrux.Digest.fsti 2024-02-19 11:45:43.400552671 +0100 -+++ extraction-secret-independent/Libcrux.Digest.fsti 2024-02-19 11:45:43.425552115 +0100 +--- extraction-edited/Libcrux.Digest.fsti 2024-02-19 11:53:07.152951780 +0100 ++++ extraction-secret-independent/Libcrux.Digest.fsti 2024-02-19 11:53:07.179951347 +0100 @@ -1,31 +1,41 @@ module Libcrux.Digest #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -385,8 +385,8 @@ diff -ruN extraction-edited/Libcrux.Digest.fsti extraction-secret-independent/Li + +val shake256 (v_LEN: usize) (data: t_Slice u8) : t_Array u8 v_LEN diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-19 11:45:43.384553027 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-19 11:45:43.457551404 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-19 11:53:07.134952068 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fst 2024-02-19 11:53:07.208950881 +0100 @@ -1,356 +1,81 @@ module Libcrux.Kem.Kyber.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" 
@@ -783,8 +783,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fst extraction-secret-i - - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:45:43.375553227 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:45:43.448551603 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:53:07.125952213 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Arithmetic.fsti 2024-02-19 11:53:07.200951010 +0100 @@ -3,32 +3,10 @@ open Core open FStar.Mul @@ -1141,8 +1141,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Arithmetic.fsti extraction-secret- + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-19 11:45:43.366553427 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-02-19 11:45:43.436551870 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fst 2024-02-19 11:53:07.115952373 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fst 2024-02-19 11:53:07.188951202 +0100 @@ -1,79 +1,39 @@ module Libcrux.Kem.Kyber.Compress -#set-options "--fuel 0 --ifuel 0 --z3rlimit 200" 
@@ -1247,8 +1247,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fst extraction-secret-ind + (Core.Ops.Arith.Neg.neg fe <: i32) &. + ((Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS +! 1l <: i32) /! 2l <: i32) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:45:43.395552782 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:45:43.458551381 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:53:07.147951860 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Compress.fsti 2024-02-19 11:53:07.209950865 +0100 @@ -3,42 +3,44 @@ open Core open FStar.Mul @@ -1320,8 +1320,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Compress.fsti extraction-secret-in - (fun result -> v result >= 0 /\ v result < 3329) + : Prims.Pure i32 (requires fe =. 0l || fe =. 1l) (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-19 11:45:43.378553160 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-19 11:45:43.417552293 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-19 11:53:07.128952165 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fst 2024-02-19 11:53:07.172951459 +0100 @@ -4,163 +4,61 @@ open FStar.Mul 
@@ -1510,8 +1510,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fst extraction-s -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:45:43.385553005 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:45:43.451551537 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:53:07.135952052 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Constant_time_ops.fsti 2024-02-19 11:53:07.202950978 +0100 @@ -20,26 +20,30 @@ val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) @@ -1555,7 +1555,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Constant_time_ops.fsti extraction- + result = rhs <: bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst --- extraction-edited/Libcrux.Kem.Kyber.Conversions.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-02-19 11:45:43.416552315 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Conversions.fst 2024-02-19 11:53:07.169951507 +0100 @@ -0,0 +1,87 @@ +module Libcrux.Kem.Kyber.Conversions +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" 
@@ -1646,8 +1646,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Conversions.fst extraction-secret- + cast (fe +! ((fe >>! 15l <: i32) &. Libcrux.Kem.Kyber.Constants.v_FIELD_MODULUS <: i32)) <: u16 \ Pas de fin de ligne à la fin du fichier diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/Libcrux.Kem.Kyber.fst ---- extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-19 11:45:43.370553338 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-02-19 11:45:43.432551960 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.fst 2024-02-19 11:53:07.120952293 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fst 2024-02-19 11:53:07.185951250 +0100 @@ -1,29 +1,12 @@ module Libcrux.Kem.Kyber -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -1926,8 +1926,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fst extraction-secret-independent/ - + (Core.Convert.f_into public_key <: Libcrux.Kem.Kyber.Types.t_KyberPublicKey v_PUBLIC_KEY_SIZE) diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent/Libcrux.Kem.Kyber.fsti ---- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-19 11:45:43.398552716 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-02-19 11:45:43.442551737 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.fsti 2024-02-19 11:53:07.150951812 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.fsti 2024-02-19 11:53:07.194951106 +0100 @@ -4,90 +4,37 @@ open FStar.Mul 
@@ -2036,8 +2036,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.fsti extraction-secret-independent + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-19 11:45:43.376553205 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-19 11:45:43.441551759 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-19 11:53:07.127952181 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fst 2024-02-19 11:53:07.192951138 +0100 @@ -3,28 +3,18 @@ open Core open FStar.Mul @@ -2105,8 +2105,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fst extraction-secr - out + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:45:43.403552604 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:45:43.416552315 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:53:07.155951732 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Hash_functions.fsti 2024-02-19 11:53:07.171951475 +0100 @@ -3,17 +3,12 @@ open Core open FStar.Mul 
@@ -2133,7 +2133,7 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Hash_functions.fsti extraction-sec + : Prims.Pure (t_Array (t_Array u8 (sz 840)) v_K) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst --- extraction-edited/Libcrux.Kem.Kyber.Helper.fst 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-02-19 11:45:43.450551559 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Helper.fst 2024-02-19 11:53:07.201950994 +0100 @@ -0,0 +1,6 @@ +module Libcrux.Kem.Kyber.Helper +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" @@ -2142,8 +2142,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Helper.fst extraction-secret-indep + + diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:45:43.401552649 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:45:43.445551670 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:53:07.153951764 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fst 2024-02-19 11:53:07.197951058 +0100 @@ -1,5 +1,5 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" 
@@ -2858,8 +2858,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fst extraction-secret-inde - res - diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:45:43.391552871 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:45:43.413552382 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:53:07.142951940 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ind_cpa.fsti 2024-02-19 11:53:07.167951539 +0100 @@ -1,151 +1,80 @@ module Libcrux.Kem.Kyber.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -3061,8 +3061,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ind_cpa.fsti extraction-secret-ind + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-19 11:45:43.361553538 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-19 11:45:43.422552182 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-19 11:53:07.110952454 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fst 2024-02-19 11:53:07.176951395 +0100 @@ -3,37 +3,22 @@ open Core open FStar.Mul 
@@ -3111,8 +3111,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fst extraction-secret-in (sz 3168) (sz 1568) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-19 11:45:43.363553494 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-19 11:45:43.437551848 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-19 11:53:07.112952421 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber1024.fsti 2024-02-19 11:53:07.189951186 +0100 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ @@ -3158,8 +3158,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber1024.fsti extraction-secret-i Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-19 11:45:43.381553093 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-19 11:45:43.461551315 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-19 11:53:07.131952117 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fst 2024-02-19 11:53:07.212950817 +0100 @@ -3,37 +3,22 @@ open Core open FStar.Mul 
@@ -3208,8 +3208,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fst extraction-secret-ind (sz 1632) (sz 800) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-19 11:45:43.358553605 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-19 11:45:43.420552226 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-19 11:53:07.107952502 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber512.fsti 2024-02-19 11:53:07.175951411 +0100 @@ -63,32 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ @@ -3255,8 +3255,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber512.fsti extraction-secret-in Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-19 11:45:43.379553138 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-19 11:45:43.455551448 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-19 11:53:07.130952133 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fst 2024-02-19 11:53:07.207950897 +0100 @@ -3,37 +3,22 @@ open Core open FStar.Mul 
@@ -3305,8 +3305,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fst extraction-secret-ind (sz 2400) (sz 1184) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:45:43.369553360 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:45:43.426552093 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:53:07.119952309 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Kyber768.fsti 2024-02-19 11:53:07.181951315 +0100 @@ -63,33 +63,27 @@ Libcrux.Kem.Kyber.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ @@ -3355,8 +3355,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Kyber768.fsti extraction-secret-in - (ensures (fun kp -> (kp.f_sk.f_value,kp.f_pk.f_value) == Spec.Kyber.kyber768_generate_keypair randomness)) + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-19 11:45:43.407552515 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-02-19 11:45:43.430552004 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fst 2024-02-19 11:53:07.160951652 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fst 2024-02-19 11:53:07.184951266 +0100 @@ -3,418 +3,432 @@ open Core open FStar.Mul 
@@ -4165,8 +4165,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fst extraction-secret-indep - admit(); //P-F v_A_transpose diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:45:43.390552893 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:45:43.452551515 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:53:07.140951972 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Matrix.fsti 2024-02-19 11:53:07.204950946 +0100 @@ -3,71 +3,39 @@ open Core open FStar.Mul @@ -4269,8 +4269,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Matrix.fsti extraction-secret-inde + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-19 11:45:43.373553271 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-02-19 11:45:43.439551804 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fst 2024-02-19 11:53:07.124952229 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fst 2024-02-19 11:53:07.191951154 +0100 @@ -1,130 +1,56 @@ module Libcrux.Kem.Kyber.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" @@ -5201,8 +5201,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fst extraction-secret-independ -#pop-options + re diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 11:45:43.357553627 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 11:45:43.459551359 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 11:53:07.105952534 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Ntt.fsti 2024-02-19 11:53:07.211950833 +0100 
@@ -2,80 +2,224 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core @@ -5496,8 +5496,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Ntt.fsti extraction-secret-indepen + <: + bool)) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-19 11:45:43.397552738 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-02-19 11:45:43.412552404 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fst 2024-02-19 11:53:07.148951844 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fst 2024-02-19 11:53:07.165951571 +0100 @@ -3,34 +3,27 @@ open Core open FStar.Mul @@ -5934,8 +5934,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fst extraction-secret-ind -#pop-options + out diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 11:45:43.406552538 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 11:45:43.447551626 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 11:53:07.158951684 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Sampling.fsti 2024-02-19 11:53:07.198951042 +0100 @@ -3,37 +3,77 @@ open Core open FStar.Mul 
@@ -6036,8 +6036,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Sampling.fsti extraction-secret-in + Prims.l_True + (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-19 11:45:43.364553471 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-02-19 11:45:43.428552048 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fst 2024-02-19 11:53:07.114952389 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fst 2024-02-19 11:53:07.182951299 +0100 @@ -1,15 +1,8 @@ module Libcrux.Kem.Kyber.Serialize -#set-options "--fuel 0 --ifuel 0 --z3rlimit 50 --retry 3" @@ -7573,8 +7573,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fst extraction-secret-in - + serialized diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti ---- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:45:43.393552827 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:45:43.419552249 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:53:07.144951908 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Serialize.fsti 2024-02-19 11:53:07.174951427 +0100 @@ -2,191 +2,118 @@ #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core 
@@ -7836,8 +7836,8 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Serialize.fsti extraction-secret-i +val serialize_uncompressed_ring_element (re: Libcrux.Kem.Kyber.Arithmetic.t_PolynomialRingElement) + : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst ---- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:45:43.387552960 +0100 -+++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:45:43.423552160 +0100 +--- extraction-edited/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:53:07.137952020 +0100 ++++ extraction-secret-independent/Libcrux.Kem.Kyber.Types.fst 2024-02-19 11:53:07.178951363 +0100 @@ -3,31 +3,31 @@ open Core open FStar.Mul @@ -8106,14 +8106,14 @@ diff -ruN extraction-edited/Libcrux.Kem.Kyber.Types.fst extraction-secret-indepe : t_Array u8 v_PRIVATE_KEY_SIZE = impl_12__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff -ruN extraction-edited/Libcrux_platform.fsti extraction-secret-independent/Libcrux_platform.fsti --- extraction-edited/Libcrux_platform.fsti 1970-01-01 01:00:00.000000000 +0100 -+++ extraction-secret-independent/Libcrux_platform.fsti 2024-02-19 11:45:43.434551915 +0100 ++++ extraction-secret-independent/Libcrux_platform.fsti 2024-02-19 11:53:07.187951218 +0100 @@ -0,0 +1,4 @@ +module Libcrux_platform +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" + +val simd256_support : unit -> bool diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-independent/Libcrux_platform.Platform.fsti ---- extraction-edited/Libcrux_platform.Platform.fsti 2024-02-19 11:45:43.382553071 +0100 +--- extraction-edited/Libcrux_platform.Platform.fsti 2024-02-19 11:53:07.133952085 +0100 +++ extraction-secret-independent/Libcrux_platform.Platform.fsti 1970-01-01 01:00:00.000000000 +0100 @@ -1,20 +0,0 @@ -module Libcrux_platform.Platform 
@@ -8137,7 +8137,7 @@ diff -ruN extraction-edited/Libcrux_platform.Platform.fsti extraction-secret-ind - -val simd128_support: Prims.unit -> Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst ---- extraction-edited/MkSeq.fst 2024-02-19 11:45:43.360553561 +0100 +--- extraction-edited/MkSeq.fst 2024-02-19 11:53:07.108952486 +0100 +++ extraction-secret-independent/MkSeq.fst 1970-01-01 01:00:00.000000000 +0100 @@ -1,91 +0,0 @@ -module MkSeq @@ -8232,7 +8232,7 @@ diff -ruN extraction-edited/MkSeq.fst extraction-secret-independent/MkSeq.fst - -%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff -ruN extraction-edited/Spec.Kyber.fst extraction-secret-independent/Spec.Kyber.fst ---- extraction-edited/Spec.Kyber.fst 2024-02-19 11:45:43.394552805 +0100 +--- extraction-edited/Spec.Kyber.fst 2024-02-19 11:53:07.146951876 +0100 +++ extraction-secret-independent/Spec.Kyber.fst 1970-01-01 01:00:00.000000000 +0100 @@ -1,430 +0,0 @@ -module Spec.Kyber