diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml
index 1b0c6bd15..ca57fcc63 100644
--- a/.github/workflows/mlkem.yml
+++ b/.github/workflows/mlkem.yml
@@ -40,6 +40,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ - uses: taiki-e/install-action@cargo-hack
 - name: Update dependencies
 run: cargo update
@@ -47,6 +48,12 @@ jobs:
 - run: echo "RUST_TARGET_FLAG=" > $GITHUB_ENV
 if: ${{ matrix.bits == 64 }}
+ - run: echo 'EXCLUDE_FEATURES=--exclude-features simd256' > $GITHUB_ENV
+ if: ${{ matrix.os == 'macos-latest' }}
+
+ - run: echo 'EXCLUDE_FEATURES=--exclude-features simd128' > $GITHUB_ENV
+ if: ${{ matrix.os != 'macos-latest' }}
+
 - name: 🛠️ Setup Rust Nightly
 run: rustup toolchain install nightly
@@ -150,6 +157,17 @@ jobs:
 cargo clean
 cargo test --features kyber --verbose $RUST_TARGET_FLAG
+ - name: 🏃🏻‍♀️ Cargo Check Features
+ if: ${{ matrix.bits == 64 }}
+ run: |
+ cargo clean
+ cargo hack check --feature-powerset $EXCLUDE_FEATURES --verbose --no-dev-deps $RUST_TARGET_FLAG
+
+ - name: 🏃🏻‍♀️ Cargo Test Features
+ if: ${{ matrix.bits == 64 }}
+ run: |
+ cargo clean
+ cargo hack test --each-feature $EXCLUDE_FEATURES --verbose $RUST_TARGET_FLAG
 benchmarks:
 strategy:
diff --git a/Cargo.toml b/Cargo.toml
index 5c73a2917..01ccd1388 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -14,7 +14,8 @@ members = [
 "libcrux-kem",
 "libcrux-hmac",
 "libcrux-hkdf",
- "libcrux-ecdh", "libcrux-psq",
+ "libcrux-ecdh",
+ "libcrux-psq",
 ]
 [workspace.package]
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2.fsti
index 2a049de11..166c93c21 100644
--- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2.fsti
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2.fsti
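Review bot: The new `- uses: taiki-e/install-action@cargo-hack` in the first hunk selects the action by a mutable ref rather than a commit SHA, so the tool installed on the runner can change without any change to this repository; the pre-existing `actions/checkout@v4` follows the same convention, but for a crate whose CI feeds verified artifacts it is worth pinning third-party actions to a full commit, e.g. `- uses: taiki-e/install-action@<commit-sha> # cargo-hack`, and letting a bot bump the pin. The third hunk's `cargo hack check` passes `--no-dev-deps` while the `cargo hack test` step next to it necessarily does not; a one-line comment on the check step saying the asymmetry is intentional would stop someone "fixing" it. The `EXCLUDE_FEATURES` steps write `$GITHUB_ENV` with `>`, like the existing `RUST_TARGET_FLAG` step; whether that can clobber an entry written earlier in the same job depends on how the runner consumes the file, so I would only ask that it be confirmed, not changed here.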
@@ -3,12 +3,6 @@ module Libcrux_intrinsics.Avx2
 open Core
 open FStar.Mul
-unfold
-let t_Vec128 = Core.Core_arch.X86.t____m128i
-
-unfold
-let t_Vec256 = Core.Core_arch.X86.t____m256i
-
 val mm256_add_epi16 (lhs rhs: Core.Core_arch.X86.t____m256i) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-kem/Cargo.toml b/libcrux-kem/Cargo.toml
index e59c608a3..b04979223 100644
--- a/libcrux-kem/Cargo.toml
+++ b/libcrux-kem/Cargo.toml
@@ -17,10 +17,10 @@ libcrux-sha3 = { version = "0.0.2-pre.2", path = "../libcrux-sha3" }
 libcrux-ecdh = { version = "0.0.2-pre.2", path = "../libcrux-ecdh" }
 rand = { version = "0.8" }
-
 [features]
-tests = [] # Expose functions for testing.
+tests = [] # Expose functions for testing.
 kyber = ["libcrux-ml-kem/kyber"]
+pre-verification = ["libcrux-ml-kem/pre-verification"]
 [dev-dependencies]
 libcrux-kem = { version = "0.0.2-pre.2", path = "./", features = ["tests"] }
diff --git a/libcrux-kem/src/kem.rs b/libcrux-kem/src/kem.rs
index 578c7e86f..51265f62a 100644
--- a/libcrux-kem/src/kem.rs
+++ b/libcrux-kem/src/kem.rs
@@ -827,6 +827,26 @@ impl Ct {
 ct_x.try_into().map_err(|_| Error::InvalidCiphertext)?,
 ))
 }
+ #[cfg(feature = "kyber")]
+ Algorithm::X25519Kyber768Draft00 => {
+ let key: [u8; MlKem768Ciphertext::len() + 32] =
+ bytes.try_into().map_err(|_| Error::InvalidCiphertext)?;
+ let (xct, kct) = key.split_at(32);
+ Ok(Self::X25519Kyber768Draft00(
+ kct.try_into().map_err(|_| Error::InvalidCiphertext)?,
+ xct.try_into().map_err(|_| Error::InvalidCiphertext)?,
+ ))
+ }
+ #[cfg(feature = "kyber")]
+ Algorithm::XWingKyberDraft02 => {
+ let key: [u8; MlKem768Ciphertext::len() + 32] =
+ bytes.try_into().map_err(|_| Error::InvalidCiphertext)?;
+ let (ct_m, ct_x) = key.split_at(MlKem768Ciphertext::len());
+ Ok(Self::XWingKyberDraft02(
+ ct_m.try_into().map_err(|_| Error::InvalidCiphertext)?,
+ ct_x.try_into().map_err(|_| Error::InvalidCiphertext)?,
+ ))
+ }
 Algorithm::MlKem1024 => bytes
 .try_into()
 .map_err(|_| Error::InvalidCiphertext)
diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index 335565410..0e9cab467 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -7,13 +7,13 @@ pub(crate) fn H(input: &[u8]) -> [u8; OUTPUT_LENGTH]
 }
 pub(crate) mod H_128 {
- use libcrux_sha3::portable::{incremental, KeccakState1};
+ use libcrux_sha3::portable::{incremental, KeccakState};
 const BLOCK_SIZE: usize = 168;
 const FIVE_BLOCKS_SIZE: usize = BLOCK_SIZE * 5;
 #[inline(always)]
- pub(crate) fn new(seed: [u8; 34]) -> KeccakState1 {
+ pub(crate) fn new(seed: [u8; 34]) -> KeccakState {
 let mut state = incremental::shake128_init();
 incremental::shake128_absorb_final(&mut state, &seed);
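Review bot: Both new arms in the `kem.rs` hunk repeat the decode-split-convert shape of the ML-KEM hybrid arm just above them (its `ct_x.try_into()` tail is the first context line), differing only in the split point and the variant, so the four `map_err(|_| Error::InvalidCiphertext)` repeats could collapse into one small private helper that takes the slice and the split offset and returns the two fixed-size halves; that is a style point, not a correctness one, since `try_into` into `[u8; MlKem768Ciphertext::len() + 32]` already rejects every other length before the split. The local is named `key` in both arms although it holds a ciphertext; `ct` would match the neighbouring arms. The two arms also place the X25519 and ML-KEM/Kyber parts in opposite order (Draft00 splits the X25519 part off first, XWing the ML-KEM part), which reads like a wire-format fact from the respective drafts and deserves a one-line comment per arm, e.g. `// Draft00 ciphertext layout: X25519 part (32 bytes) first, then Kyber768 part`, so that nobody later "harmonises" them. The enclosing function starts and ends outside the hunk.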
@@ -21,7 +21,7 @@ pub(crate) mod H_128 {
 }
 #[inline(always)]
- pub(crate) fn squeeze_first_five_blocks(state: &mut KeccakState1) -> [u8; FIVE_BLOCKS_SIZE] {
+ pub(crate) fn squeeze_first_five_blocks(state: &mut KeccakState) -> [u8; FIVE_BLOCKS_SIZE] {
 let mut out = [0u8; FIVE_BLOCKS_SIZE];
 incremental::shake128_squeeze_first_five_blocks(state, &mut out);
@@ -29,7 +29,7 @@ pub(crate) mod H_128 {
 }
 #[inline(always)]
- pub(crate) fn squeeze_next_block(state: &mut KeccakState1) -> [u8; BLOCK_SIZE] {
+ pub(crate) fn squeeze_next_block(state: &mut KeccakState) -> [u8; BLOCK_SIZE] {
 let mut out = [0u8; BLOCK_SIZE];
 incremental::shake128_squeeze_next_block(state, &mut out);
diff --git a/libcrux-ml-kem/Cargo.toml b/libcrux-ml-kem/Cargo.toml
index aba4166bb..972207efc 100644
--- a/libcrux-ml-kem/Cargo.toml
+++ b/libcrux-ml-kem/Cargo.toml
@@ -29,15 +29,28 @@ libcrux-intrinsics = { version = "0.0.2-pre.2", path = "../libcrux-intrinsics" }
 hax-lib = { version = "0.1.0-pre.1", git = "https://github.com/hacspec/hax/" }
 [features]
+# By default all variants and std are enabled.
 default = ["std", "mlkem512", "mlkem768", "mlkem1024"]
+
+# Hardware features can be force enabled.
+# It is not recommended to use these. This crate performs CPU feature detection
+# and enables the features when they are available.
 simd128 = ["libcrux-sha3/simd128"]
 simd256 = ["libcrux-sha3/simd256"]
+
+# Features for the different key sizes of ML-KEM
 mlkem512 = []
 mlkem768 = []
 mlkem1024 = []
-std = []
+
+# Enable Round 3 Kyber in addition to ML-KEM
 kyber = []
+# Code that is not yet verified
+pre-verification = []
+
+std = []
+
 [dev-dependencies]
 rand = { version = "0.8" }
 serde_json = { version = "1.0" }
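Review bot: After the `libcrux-ml-kem/Cargo.toml` hunk, `std = []` is the only feature left without a comment while every other entry gains one, and it was moved out of the group it used to sit in, so a reader now cannot tell what it gates; a one-line comment above it naming what `std` enables (and that it is part of `default`) would finish the job this hunk starts. The new comment on `simd128`/`simd256` says forcing them on is "not recommended" but not why; stating the consequence of forcing a SIMD feature on hardware that lacks it, in one sentence, makes the warning actionable. `# Code that is not yet verified` on `pre-verification` could likewise say one word more about what "verified" refers to here, since this manifest is the first place a downstream user meets the term.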
@@ -48,3 +61,26 @@ criterion = "0.5"
 [[bench]]
 name = "ml-kem"
 harness = false
+
+[[example]]
+name = "encapsulate"
+required-features = ["mlkem768"]
+
+[[example]]
+name = "decapsulate"
+required-features = ["mlkem768"]
+
+[[example]]
+name = "keygen"
+required-features = ["mlkem768"]
+
+[package.metadata."docs.rs"]
+features = ["pre-verification", "kyber"]
+rustdoc-args = ["--cfg", "doc_cfg"]
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = [
+ 'cfg(hax)',
+ 'cfg(eurydice)',
+ 'cfg(doc_cfg)',
+] }
diff --git a/libcrux-ml-kem/c.sh b/libcrux-ml-kem/c.sh
index 73e296a44..1299cf49b 100755
--- a/libcrux-ml-kem/c.sh
+++ b/libcrux-ml-kem/c.sh
@@ -19,7 +19,9 @@ clean=0
 config=c.yaml
 out=c
 glue=$EURYDICE_HOME/include/eurydice_glue.h
-features=
+features="--cargo-arg=--features=pre-verification"
+eurydice_glue=1
+unrolling=16
 # Parse command line arguments.
 all_args=("$@")
@@ -32,7 +34,9 @@ while [ $# -gt 0 ]; do
 --config) config="$2"; shift ;;
 --out) out="$2"; shift ;;
 --glue) glue="$2"; shift ;;
- --mlkem768) features="--cargo-arg=--no-default-features --cargo-arg=--features=mlkem768" ;;
+ --mlkem768) features="${features} --cargo-arg=--no-default-features --cargo-arg=--features=mlkem768" ;;
+ --no-glue) eurydice_glue=0 ;;
+ --no-unrolling) unrolling=0 ;;
 esac
 shift
 done
@@ -70,8 +74,10 @@ if [[ "$clean" = 1 ]]; then
 fi
 echo "Running eurydice ..."
-$EURYDICE_HOME/eurydice --config ../$config ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc
-cp $EURYDICE_HOME/include/eurydice_glue.h .
+$EURYDICE_HOME/eurydice --config ../$config -funroll-loops $unrolling ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc
+if [[ "$eurydice_glue" = 1 ]]; then
+ cp $EURYDICE_HOME/include/eurydice_glue.h .
+fi
 clang-format --style=Google -i *.c *.h
 clang-format --style=Google -i internal/*.h
@@ -81,7 +87,11 @@ clang-format --style=Google -i intrinsics/*.h
 [[ -z "$CHARON_REV" && -d $CHARON_HOME/.git ]] && export CHARON_REV=$(git -C $CHARON_HOME rev-parse HEAD)
 [[ -z "$EURYDICE_REV" && -d $EURYDICE_HOME/.git ]] && export EURYDICE_REV=$(git -C $EURYDICE_HOME rev-parse HEAD)
 [[ -z "$KRML_REV" && -d $KRML_HOME/.git ]] && export KRML_REV=$(git -C $KRML_HOME rev-parse HEAD)
-[[ -z "$FSTAR_REV" && -d $FSTAR_HOME/.git ]] && export FSTAR_REV=$(git -C $FSTAR_HOME rev-parse HEAD)
+if [[ -z "$FSTAR_REV" && -d $FSTAR_HOME/.git ]]; then
+ export FSTAR_REV=$(git -C $FSTAR_HOME rev-parse HEAD)
+else
+ export FSTAR_REV=$(fstar.exe --version | grep commit | sed 's/commit=\(.*\)/\1/')
+fi
 rm -f code_gen.txt
 echo "This code was generated with the following tools:" >> code_gen.txt
 echo -n "Charon: " >> code_gen.txt
diff --git a/libcrux-ml-kem/c/benches/sha3.cc b/libcrux-ml-kem/c/benches/sha3.cc
index b2712feae..dc6a5d9e8 100644
--- a/libcrux-ml-kem/c/benches/sha3.cc
+++ b/libcrux-ml-kem/c/benches/sha3.cc
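Review bot: The rewritten `FSTAR_REV` block in this `c.sh` hunk overwrites a caller-supplied `FSTAR_REV`: when the variable is already set, the `if` condition is false and the `else` branch replaces it with whatever `fstar.exe --version` prints, whereas the removed one-liner and the three `*_REV` lines above it only fill in an empty value. Changing `else` to `elif [[ -z "$FSTAR_REV" ]]; then` restores that contract. The fallback also records an empty string without complaint if `fstar.exe` is not on `PATH` or its output has no `commit=` line, because only `sed`'s exit status is visible to the substitution; since this value ends up in `code_gen.txt` as the provenance of the generated C, a check such as `[[ -n "$FSTAR_REV" ]] || echo "warning: could not determine F* revision" >&2` after the block would keep the record honest. The script continues beyond the hunk.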
@@ -71,13 +71,13 @@ shake128_34_504(benchmark::State &state) Eurydice_slice last[4] = {EURYDICE_SLICE(input, 0, 34), EURYDICE_SLICE(input, 0, 34), EURYDICE_SLICE(input, 0, 34), EURYDICE_SLICE(input, 0, 34)}; Eurydice_slice out[4] = {EURYDICE_SLICE(digest0, 0, 504), EURYDICE_SLICE(digest1, 0, 504), EURYDICE_SLICE(digest2, 0, 504), EURYDICE_SLICE(digest3, 0, 504)}; - libcrux_sha3_avx2_x4_incremental_KeccakState4 st = libcrux_sha3_avx2_x4_incremental_shake128_init(); + libcrux_sha3_avx2_x4_incremental_KeccakState st = libcrux_sha3_avx2_x4_incremental_shake128_init(); libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_168size_t_31uint8_t(&st, last); libcrux_sha3_generic_keccak_squeeze_first_three_blocks__core_core_arch_x86___m256i_4size_t_168size_t(&st, out); for (auto _ : state) { - libcrux_sha3_avx2_x4_incremental_KeccakState4 st = libcrux_sha3_avx2_x4_incremental_shake128_init(); + libcrux_sha3_avx2_x4_incremental_KeccakState st = libcrux_sha3_avx2_x4_incremental_shake128_init(); libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_168size_t_31uint8_t(&st, last); libcrux_sha3_generic_keccak_squeeze_first_three_blocks__core_core_arch_x86___m256i_4size_t_168size_t(&st, out); } diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index 48604c8bf..6d88a77bf 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt @@ -1,5 +1,5 @@ This code was generated with the following tools: -Charon: ae55966c01a1a4b185a1a34da7861ba5db74c8ad -Eurydice: bbfd102bbfbc3e4c362953f093dbfd65e2fbc10c +Charon: 23f20c184e51015582b7918ea4f1eb063b28daba +Eurydice: 30fdb50add4dabaee90051878c166bac8c5ac26a Karamel: 42a431696cd32d41155d7e484720eb71fd5dc7b1 -F*: f09228ef9a64ac4ef383ee0e10656ccb612db2ee +F*: a32b316e521fa4f239b610ec8f1d15e78d62cbe8-dirty diff --git a/libcrux-ml-kem/c/eurydice_glue.h b/libcrux-ml-kem/c/eurydice_glue.h index 0e51e219d..ed8c1f0f9 100644 --- a/libcrux-ml-kem/c/eurydice_glue.h 
+++ b/libcrux-ml-kem/c/eurydice_glue.h @@ -85,7 +85,7 @@ typedef struct { #define Eurydice_array_eq(sz, a1, a2, t, _, _ret_t) \ (memcmp(a1, a2, sz * sizeof(t)) == 0) -#define core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq \ +#define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq \ Eurydice_array_eq #define core_slice___Slice_T___split_at(slice, mid, element_type, ret_t) \ @@ -135,6 +135,21 @@ core_convert_num___core__convert__From_i32__for_i64__59__from(int32_t x) { return x; } +static inline uint64_t +core_convert_num___core__convert__From_u8__for_u64__66__from(uint8_t x) { + return x; +} + +static inline uint64_t +core_convert_num___core__convert__From_u16__for_u64__70__from(uint16_t x) { + return x; +} + +static inline size_t +core_convert_num___core__convert__From_u16__for_usize__96__from(uint16_t x) { + return x; +} + static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { #ifdef _MSC_VER return __popcnt(x0); @@ -163,9 +178,14 @@ static inline uint8_t Eurydice_shr_pv_u8(uint8_t *p, int32_t v) { return (*p) >> v; } -// ITERATORS +#define core_num_nonzero_private_NonZeroUsizeInner size_t +static inline core_num_nonzero_private_NonZeroUsizeInner +core_num_nonzero_private___core__clone__Clone_for_core__num__nonzero__private__NonZeroUsizeInner__26__clone( + core_num_nonzero_private_NonZeroUsizeInner *x0) { + return *x0; +} -#define core_num_nonzero_NonZeroUsize size_t +// ITERATORS #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \ (((iter_ptr)->start == (iter_ptr)->end) \ ? (CLITERAL(ret_t){.tag = core_option_None}) \ 
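Review bot: `#define core_num_nonzero_private_NonZeroUsizeInner size_t` in the `@@ -163,9 +178,14 @@` hunk lowers Rust's non-zero integer type to a plain `size_t`, so the `!= 0` invariant is invisible on the C side and nothing in the glue can rely on it; a comment next to the define, e.g. `// NonZeroUsize is lowered to a plain size_t: the non-zero invariant holds only because the Rust source it was extracted from enforces it`, would keep that visible to readers and to anyone writing hand-written C against these headers. The same hunk pushes the `// ITERATORS` banner below the new clone helper, so the NonZero definitions now sit unlabeled between the shift helpers and the iterator section; a `// NONZERO` heading of their own would keep the file's grouping intact. The two `// This name changed on 20240627` aliases in the later hunks on line 9 keep the old and new mangled names side by side; recording which Charon/Eurydice revision introduced each rename would tell a maintainer when the old alias can be dropped.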
@@ -183,6 +203,9 @@ static inline uint8_t Eurydice_shr_pv_u8(uint8_t *p, int32_t v) { #define Eurydice_into_iter(x, t, _ret_t) (x) #define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter \ Eurydice_into_iter +// This name changed on 20240627 +#define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter \ + Eurydice_into_iter typedef struct { Eurydice_slice slice; @@ -214,11 +237,15 @@ static inline Eurydice_slice chunk_next(Eurydice_chunks *chunks, .chunk_size = sz_}) #define core_slice_iter_Chunks Eurydice_chunks #define core_slice_iter_ChunksExact Eurydice_chunks -#define core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next( \ - iter, t, ret_t) \ - (((iter)->slice.len == 0) ? ((ret_t){.tag = core_option_None}) \ - : ((ret_t){.tag = core_option_Some, \ +#define Eurydice_chunks_next(iter, t, ret_t) \ + (((iter)->slice.len == 0) ? ((ret_t){.tag = core_option_None}) \ + : ((ret_t){.tag = core_option_Some, \ .f0 = chunk_next(iter, sizeof(t))})) +#define core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next \ + Eurydice_chunks_next +// This name changed on 20240627 +#define core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___71__next \ + Eurydice_chunks_next #define core_slice_iter__core__slice__iter__ChunksExact__a__T__89__next( \ iter, t, _ret_t) \ core_slice_iter__core__slice__iter__Chunks__a__T__70__next(iter, t) diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h index 093f9f802..8ac7a4ebd 100644 --- a/libcrux-ml-kem/c/internal/libcrux_core.h +++ b/libcrux-ml-kem/c/internal/libcrux_core.h 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_core_H @@ -138,19 +138,6 @@ uint8_t * libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___800size_t( libcrux_ml_kem_types_MlKemPublicKey____800size_t *self); -typedef struct - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_s { - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags tag; - union { - uint8_t case_Ok[32U]; - core_array_TryFromSliceError case_Err; - } val; -} core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError; - -void core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError self, - uint8_t ret[32U]); - uint8_t libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___768size_t( Eurydice_slice lhs, Eurydice_slice rhs); @@ -173,7 +160,7 @@ void libcrux_ml_kem_utils_into_padded_array___64size_t(Eurydice_slice slice, typedef struct core_result_Result__uint8_t_24size_t__core_array_TryFromSliceError_s { - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags tag; + core_result_Result__uint8_t_24size_t__core_array_TryFromSliceError_tags tag; union { uint8_t case_Ok[24U]; core_array_TryFromSliceError case_Err; 
@@ -186,7 +173,7 @@ void core_result__core__result__Result_T__E___unwrap__uint8_t_24size_t__core_arr typedef struct core_result_Result__uint8_t_20size_t__core_array_TryFromSliceError_s { - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags tag; + core_result_Result__uint8_t_24size_t__core_array_TryFromSliceError_tags tag; union { uint8_t case_Ok[20U]; core_array_TryFromSliceError case_Err; @@ -199,7 +186,7 @@ void core_result__core__result__Result_T__E___unwrap__uint8_t_20size_t__core_arr typedef struct core_result_Result__uint8_t_10size_t__core_array_TryFromSliceError_s { - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags tag; + core_result_Result__uint8_t_24size_t__core_array_TryFromSliceError_tags tag; union { uint8_t case_Ok[10U]; core_array_TryFromSliceError case_Err; @@ -212,7 +199,7 @@ void core_result__core__result__Result_T__E___unwrap__uint8_t_10size_t__core_arr typedef struct core_result_Result__int16_t_16size_t__core_array_TryFromSliceError_s { - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags tag; + core_result_Result__uint8_t_24size_t__core_array_TryFromSliceError_tags tag; union { int16_t case_Ok[16U]; core_array_TryFromSliceError case_Err; diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index 24d4a429d..ac8d14aac 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_mlkem_avx2_H 
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h deleted file mode 100644 index 8915c212b..000000000 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h +++ /dev/null 
@@ -1,74 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#ifndef __internal_libcrux_mlkem_neon_H -#define __internal_libcrux_mlkem_neon_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include "../libcrux_mlkem_neon.h" -#include "eurydice_glue.h" -#include "internal/libcrux_core.h" -#include "internal/libcrux_mlkem_portable.h" - -bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t_1184size_t( - uint8_t *public_key); - -libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uint8_t randomness[64U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, - uint8_t randomness[32U]); - -void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); - -bool 
libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t_1568size_t( - uint8_t *public_key); - -libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( - uint8_t randomness[64U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____1568size_t *public_key, - uint8_t randomness[32U]); - -void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t *private_key, - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); - -bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_800size_t( - uint8_t *public_key); - -libcrux_ml_kem_types_MlKemKeyPair____1632size_t__800size_t -libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( - uint8_t randomness[64U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ 
-libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____800size_t *public_key, - uint8_t randomness[32U]); - -void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t *private_key, - libcrux_ml_kem_types_MlKemCiphertext____768size_t *ciphertext, - uint8_t ret[32U]); - -#if defined(__cplusplus) -} -#endif - -#define __internal_libcrux_mlkem_neon_H_DEFINED -#endif diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index 0662c723b..18964fd55 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 01c4ca99c..29a372894 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_sha3_avx2_H @@ -18,7 +18,7 @@ extern "C" { #include "intrinsics/libcrux_intrinsics_avx2.h" typedef libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - libcrux_sha3_avx2_x4_incremental_KeccakState4; + libcrux_sha3_avx2_x4_incremental_KeccakState; void libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_168size_t_31uint8_t( libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index 8e4e0d5a5..9a5805f02 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __internal_libcrux_sha3_internal_H @@ -16,7 +16,7 @@ extern "C" { #include "eurydice_glue.h" typedef libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t - libcrux_sha3_portable_KeccakState1; + libcrux_sha3_portable_KeccakState; static inline libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t libcrux_sha3_portable_incremental_shake128_init(void) { 
@@ -178,7 +178,7 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( } static inline libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t -libcrux_sha3_portable___core__clone__Clone_for_libcrux_sha3__portable__KeccakState1___clone( +libcrux_sha3_portable___core__clone__Clone_for_libcrux_sha3__portable__KeccakState___clone( libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *self) { return self[0U]; } diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 89b41da15..23efe21cf 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "internal/libcrux_core.h" @@ -242,20 +242,6 @@ libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice__ return self->value; } -void core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError self, - uint8_t ret[32U]) { - if (self.tag == core_result_Ok) { - uint8_t f0[32U]; - memcpy(f0, self.val.case_Ok, (size_t)32U * sizeof(uint8_t)); - memcpy(ret, f0, (size_t)32U * sizeof(uint8_t)); - } else { - KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, - "unwrap not Ok"); - KRML_HOST_EXIT(255U); - } -} - uint8_t libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___768size_t( Eurydice_slice lhs, Eurydice_slice rhs) { diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index 8479cc61a..f4c2f05d1 100644 --- a/libcrux-ml-kem/c/libcrux_core.h 
+++ b/libcrux-ml-kem/c/libcrux_core.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_core_H @@ -128,11 +128,11 @@ typedef struct #define core_result_Err 1 typedef uint8_t - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags; + core_result_Result__uint8_t_24size_t__core_array_TryFromSliceError_tags; typedef struct core_result_Result__uint8_t_8size_t__core_array_TryFromSliceError_s { - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError_tags tag; + core_result_Result__uint8_t_24size_t__core_array_TryFromSliceError_tags tag; union { uint8_t case_Ok[8U]; core_array_TryFromSliceError case_Err; diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h index aecc7ff99..922027378 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem1024_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c index 79a0ba4a3..ac85f2519 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "libcrux_mlkem1024_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h index 6e1f7cf1b..3452114a6 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem1024_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c deleted file mode 100644 index b7cd6975a..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c +++ /dev/null 
@@ -1,55 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#include "libcrux_mlkem1024_neon.h" - -void libcrux_ml_kem_mlkem1024_neon_decapsulate( - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t *private_key, - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, - uint8_t ret[32U]) { - uint8_t ret0[32U]; - libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( - private_key, ciphertext, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ -libcrux_ml_kem_mlkem1024_neon_encapsulate( - libcrux_ml_kem_types_MlKemPublicKey____1568size_t *public_key, - uint8_t randomness[32U]) { - libcrux_ml_kem_types_MlKemPublicKey____1568size_t *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - uu____0, uu____1); -} - -libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_mlkem1024_neon_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( - uu____0); -} - -core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1568size_t__ -libcrux_ml_kem_mlkem1024_neon_validate_public_key( - libcrux_ml_kem_types_MlKemPublicKey____1568size_t public_key) { - 
core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1568size_t__ - uu____0; - if (libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___4size_t_1536size_t_1568size_t( - public_key.value)) { - uu____0 = (CLITERAL( - core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1568size_t__){ - .tag = core_option_Some, .f0 = public_key}); - } else { - uu____0 = (CLITERAL( - core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1568size_t__){ - .tag = core_option_None}); - } - return uu____0; -} diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h deleted file mode 100644 index a4ee49a6d..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#ifndef __libcrux_mlkem1024_neon_H -#define __libcrux_mlkem1024_neon_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include "eurydice_glue.h" -#include "libcrux_core.h" -#include "libcrux_mlkem512_neon.h" - -void libcrux_ml_kem_mlkem1024_neon_decapsulate( - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t *private_key, - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ -libcrux_ml_kem_mlkem1024_neon_encapsulate( - libcrux_ml_kem_types_MlKemPublicKey____1568size_t *public_key, - uint8_t randomness[32U]); - -libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_mlkem1024_neon_generate_key_pair(uint8_t randomness[64U]); - -core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1568size_t__ -libcrux_ml_kem_mlkem1024_neon_validate_public_key( - libcrux_ml_kem_types_MlKemPublicKey____1568size_t public_key); - -#if defined(__cplusplus) -} -#endif - -#define __libcrux_mlkem1024_neon_H_DEFINED -#endif diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c index e251029d2..671517730 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "libcrux_mlkem1024_portable.h" 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h index 8f0c49a3c..6e842d3ff 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem1024_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h index e124f3c61..f15e2be11 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem512_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c index 30b6b8577..25e974408 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "libcrux_mlkem512_avx2.h" 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h index 9568c423b..6ff1c669d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem512_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_neon.c b/libcrux-ml-kem/c/libcrux_mlkem512_neon.c deleted file mode 100644 index 46ec1bb1b..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem512_neon.c +++ /dev/null 
@@ -1,163 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#include "libcrux_mlkem512_neon.h" - -#include "internal/libcrux_mlkem_neon.h" - -void libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t *private_key, - libcrux_ml_kem_types_MlKemCiphertext____768size_t *ciphertext, - uint8_t ret[32U]) { - uint8_t ret0[32U]; - libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( - private_key, ciphertext, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_mlkem512_neon_decapsulate( - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t *private_key, - libcrux_ml_kem_types_MlKemCiphertext____768size_t *ciphertext, - uint8_t ret[32U]) { - uint8_t ret0[32U]; - libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( - private_key, ciphertext, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____800size_t *public_key, - 
uint8_t randomness[32U]) { - libcrux_ml_kem_types_MlKemPublicKey____800size_t *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - uu____0, uu____1); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ -libcrux_ml_kem_mlkem512_neon_encapsulate( - libcrux_ml_kem_types_MlKemPublicKey____800size_t *public_key, - uint8_t randomness[32U]) { - libcrux_ml_kem_types_MlKemPublicKey____800size_t *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - uu____0, uu____1); -} - -libcrux_ml_kem_types_MlKemKeyPair____1632size_t__800size_t -libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( - uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( - uu____0); -} - -libcrux_ml_kem_types_MlKemKeyPair____1632size_t__800size_t -libcrux_ml_kem_mlkem512_neon_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( - 
uu____0); -} - -bool libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___2size_t_768size_t_800size_t( - uint8_t *public_key) { - return libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_800size_t( - public_key); -} - -core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___800size_t__ -libcrux_ml_kem_mlkem512_neon_validate_public_key( - libcrux_ml_kem_types_MlKemPublicKey____800size_t public_key) { - core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___800size_t__ uu____0; - if (libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___2size_t_768size_t_800size_t( - public_key.value)) { - uu____0 = (CLITERAL( - core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___800size_t__){ - .tag = core_option_Some, .f0 = public_key}); - } else { - uu____0 = (CLITERAL( - core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___800size_t__){ - .tag = core_option_None}); - } - return uu____0; -} - -bool libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___3size_t_1152size_t_1184size_t( - uint8_t *public_key) { - return libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t_1184size_t( - public_key); -} - -libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uu____0); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ 
-libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, - uint8_t randomness[32U]) { - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uu____0, uu____1); -} - -void libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - uint8_t ret0[32U]; - libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - private_key, ciphertext, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -bool libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___4size_t_1536size_t_1568size_t( - uint8_t *public_key) { - return libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t_1568size_t( - public_key); -} - -libcrux_ml_kem_mlkem1024_MlKem1024KeyPair 
-libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( - uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( - uu____0); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____1568size_t *public_key, - uint8_t randomness[32U]) { - libcrux_ml_kem_types_MlKemPublicKey____1568size_t *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - uu____0, uu____1); -} - -void libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t *private_key, - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, - uint8_t ret[32U]) { - uint8_t ret0[32U]; - 
libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( - private_key, ciphertext, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_neon.h b/libcrux-ml-kem/c/libcrux_mlkem512_neon.h deleted file mode 100644 index 869fc7a62..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem512_neon.h +++ /dev/null 
@@ -1,89 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#ifndef __libcrux_mlkem512_neon_H -#define __libcrux_mlkem512_neon_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include "eurydice_glue.h" -#include "libcrux_core.h" - -void libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t *private_key, - libcrux_ml_kem_types_MlKemCiphertext____768size_t *ciphertext, - uint8_t ret[32U]); - -void libcrux_ml_kem_mlkem512_neon_decapsulate( - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t *private_key, - libcrux_ml_kem_types_MlKemCiphertext____768size_t *ciphertext, - uint8_t ret[32U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____800size_t *public_key, - uint8_t randomness[32U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ -libcrux_ml_kem_mlkem512_neon_encapsulate( - libcrux_ml_kem_types_MlKemPublicKey____800size_t *public_key, - uint8_t randomness[32U]); - -libcrux_ml_kem_types_MlKemKeyPair____1632size_t__800size_t -libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( - uint8_t randomness[64U]); - -libcrux_ml_kem_types_MlKemKeyPair____1632size_t__800size_t -libcrux_ml_kem_mlkem512_neon_generate_key_pair(uint8_t randomness[64U]); - -bool 
libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___2size_t_768size_t_800size_t( - uint8_t *public_key); - -core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___800size_t__ -libcrux_ml_kem_mlkem512_neon_validate_public_key( - libcrux_ml_kem_types_MlKemPublicKey____800size_t public_key); - -bool libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___3size_t_1152size_t_1184size_t( - uint8_t *public_key); - -libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uint8_t randomness[64U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, - uint8_t randomness[32U]); - -void libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); - -bool libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___4size_t_1536size_t_1568size_t( - uint8_t *public_key); - -libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( - uint8_t randomness[64U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - 
libcrux_ml_kem_types_MlKemPublicKey____1568size_t *public_key, - uint8_t randomness[32U]); - -void libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t *private_key, - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); - -#if defined(__cplusplus) -} -#endif - -#define __libcrux_mlkem512_neon_H_DEFINED -#endif diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c index a1cd60442..90a3fa4e6 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "libcrux_mlkem512_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h index f2b28a543..1349dbf90 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem512_portable_H 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h index 628dcfd94..e65cbce2d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem768_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c index 8711236f3..45e781db4 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "libcrux_mlkem768_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h index 4cfb0e522..a0f3922ec 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem768_avx2_H 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_neon.c b/libcrux-ml-kem/c/libcrux_mlkem768_neon.c deleted file mode 100644 index eccf2c366..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem768_neon.c +++ /dev/null 
@@ -1,54 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#include "libcrux_mlkem768_neon.h" - -void libcrux_ml_kem_mlkem768_neon_decapsulate( - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - uint8_t ret0[32U]; - libcrux_ml_kem_ind_cca_instantiations_neon_decapsulate___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - private_key, ciphertext, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ -libcrux_ml_kem_mlkem768_neon_encapsulate( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, - uint8_t randomness[32U]) { - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_neon_encapsulate___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uu____0, uu____1); -} - -libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_mlkem768_neon_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_neon_generate_keypair___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uu____0); -} - -core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1184size_t__ -libcrux_ml_kem_mlkem768_neon_validate_public_key( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t public_key) { - 
core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1184size_t__ - uu____0; - if (libcrux_ml_kem_ind_cca_instantiations_neon_validate_public_key___3size_t_1152size_t_1184size_t( - public_key.value)) { - uu____0 = (CLITERAL( - core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1184size_t__){ - .tag = core_option_Some, .f0 = public_key}); - } else { - uu____0 = (CLITERAL( - core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1184size_t__){ - .tag = core_option_None}); - } - return uu____0; -} diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_neon.h b/libcrux-ml-kem/c/libcrux_mlkem768_neon.h deleted file mode 100644 index 1c5ff9ad4..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem768_neon.h +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#ifndef __libcrux_mlkem768_neon_H -#define __libcrux_mlkem768_neon_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include "eurydice_glue.h" -#include "libcrux_core.h" -#include "libcrux_mlkem512_neon.h" - -void libcrux_ml_kem_mlkem768_neon_decapsulate( - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); - -K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ -libcrux_ml_kem_mlkem768_neon_encapsulate( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, - uint8_t randomness[32U]); - -libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_mlkem768_neon_generate_key_pair(uint8_t randomness[64U]); - -core_option_Option__libcrux_ml_kem_types_MlKemPublicKey___1184size_t__ -libcrux_ml_kem_mlkem768_neon_validate_public_key( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t public_key); - -#if defined(__cplusplus) -} -#endif - -#define __libcrux_mlkem768_neon_H_DEFINED -#endif diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c index 06c10258e..e30258c83 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "libcrux_mlkem768_portable.h" 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h index 9b34ba945..4b45aaf57 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c index 6a91b8914..e95360259 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "internal/libcrux_mlkem_avx2.h" @@ -1761,7 +1761,7 @@ bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_avx2_SIMD Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } 
@@ -1788,52 +1788,41 @@ closure__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_ libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector)); } -static inline libcrux_sha3_avx2_x4_incremental_KeccakState4 +static inline libcrux_sha3_avx2_x4_incremental_KeccakState shake128_init_absorb___3size_t(uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t state = libcrux_sha3_avx2_x4_incremental_shake128_init(); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = &state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - uu____0, uu____1, uu____2, uu____3, + &state, + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice)); return state; } static inline void shake128_squeeze_three_blocks___3size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[3U][504U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][504U]) { uint8_t out[3U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; uint8_t out1[504U] = {0U}; uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, 
Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[504U]; - memcpy(uu____4, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____5[504U]; - memcpy(uu____5, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____6[504U]; - memcpy(uu____6, out2, (size_t)504U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____0[504U]; + memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____1[504U]; + memcpy(uu____1, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____2[504U]; + memcpy(uu____2, out2, (size_t)504U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)504U * sizeof(uint8_t)); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); } 
@@ -1879,33 +1868,27 @@ sample_from_uniform_distribution_next__libcrux_ml_kem_vector_avx2_SIMD256Vector_ } static inline void shake128_squeeze_block___3size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[3U][168U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; uint8_t out1[168U] = {0U}; uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[168U]; - memcpy(uu____4, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____5[168U]; - memcpy(uu____5, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____6[168U]; - memcpy(uu____6, out2, (size_t)168U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____0[168U]; + memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____1[168U]; + memcpy(uu____1, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____2[168U]; + 
memcpy(uu____2, out2, (size_t)168U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)168U * sizeof(uint8_t)); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); } @@ -1990,7 +1973,7 @@ sample_from_xof__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_fu int16_t out[3U][272U] = {{0U}}; uint8_t uu____0[3U][34U]; memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); - libcrux_sha3_avx2_x4_incremental_KeccakState4 xof_state = + libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = shake128_init_absorb___3size_t(uu____0); uint8_t randomness0[3U][504U]; shake128_squeeze_three_blocks___3size_t(&xof_state, randomness0); 
@@ -2096,32 +2079,24 @@ static inline void PRFxN___3size_t_128size_t(uint8_t (*input)[33U], uint8_t out1[128U] = {0U}; uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____6 = - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_shake256( - uu____0, uu____1, uu____2, uu____3, uu____4, uu____5, uu____6, + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____7[128U]; - memcpy(uu____7, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____7, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____8[128U]; - memcpy(uu____8, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____8, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____9[128U]; - memcpy(uu____9, out2, (size_t)128U * sizeof(uint8_t)); - memcpy(out[2U], uu____9, (size_t)128U * sizeof(uint8_t)); + 
uint8_t uu____0[128U]; + memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____1[128U]; + memcpy(uu____1, out1, (size_t)128U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____2[128U]; + memcpy(uu____2, out2, (size_t)128U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)128U * sizeof(uint8_t)); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); } 
@@ -2745,38 +2720,35 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_avx2_SIMD256Vecto memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); uint8_t public_key[1184U]; memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1152U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[2400U]; serialize_kem_secret_key__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_2400size_t( - uu____1, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[2400U]; - memcpy(uu____2, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + uint8_t uu____1[2400U]; + memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____2400size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___2400size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____3 = private_key; - uint8_t uu____4[1184U]; - memcpy(uu____4, public_key, (size_t)1184U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____2 = private_key; + uint8_t uu____3[1184U]; + memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___2400size_t_1184size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1184size_t( - uu____4)); + uu____3)); } static inline void entropy_preprocess__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t ret0[32U]; - 
core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static inline void @@ -3074,10 +3046,11 @@ compute_vector_u__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t( static core_core_arch_x86___m256i decompress_1__libcrux_ml_kem_vector_avx2_SIMD256Vector( core_core_arch_x86___m256i v) { + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ZERO(); return libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___bitwise_and_with_constant( libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___sub( - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ZERO(), - &v), + uu____0, &v), (int16_t)1665); } 
@@ -3636,13 +3609,11 @@ encrypt__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_ static inline void kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t( Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ @@ -4387,11 +4358,10 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vecto uint8_t shared_secret[32U]; kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t( shared_secret0, shared_secret); - Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); 
@@ -4525,7 +4495,7 @@ bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_avx2_SIMD Eurydice_array_to_subslice_from((size_t)1568U, public_key, (size_t)1536U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1568U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } 
@@ -4552,55 +4522,44 @@ closure__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_ libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector)); } -static inline libcrux_sha3_avx2_x4_incremental_KeccakState4 +static inline libcrux_sha3_avx2_x4_incremental_KeccakState shake128_init_absorb___4size_t(uint8_t input[4U][34U]) { libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t state = libcrux_sha3_avx2_x4_incremental_shake128_init(); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = &state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - uu____0, uu____1, uu____2, uu____3, + &state, + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)34U, input[3U], uint8_t, Eurydice_slice)); return state; } static inline void shake128_squeeze_three_blocks___4size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[4U][504U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[4U][504U]) { uint8_t out[4U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; uint8_t out1[504U] = {0U}; uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, 
Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[504U]; - memcpy(uu____4, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____5[504U]; - memcpy(uu____5, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____6[504U]; - memcpy(uu____6, out2, (size_t)504U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____7[504U]; - memcpy(uu____7, out3, (size_t)504U * sizeof(uint8_t)); - memcpy(out[3U], uu____7, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____0[504U]; + memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____1[504U]; + memcpy(uu____1, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____2[504U]; + memcpy(uu____2, out2, (size_t)504U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____3[504U]; + memcpy(uu____3, out3, (size_t)504U * sizeof(uint8_t)); + memcpy(out[3U], uu____3, (size_t)504U * sizeof(uint8_t)); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[504U])); } 
@@ -4646,36 +4605,30 @@ sample_from_uniform_distribution_next__libcrux_ml_kem_vector_avx2_SIMD256Vector_ } static inline void shake128_squeeze_block___4size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[4U][168U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[4U][168U]) { uint8_t out[4U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; uint8_t out1[168U] = {0U}; uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[168U]; - memcpy(uu____4, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____5[168U]; - memcpy(uu____5, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____6[168U]; - memcpy(uu____6, out2, (size_t)168U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____7[168U]; - memcpy(uu____7, out3, (size_t)168U * sizeof(uint8_t)); - memcpy(out[3U], uu____7, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____0[168U]; + memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____1[168U]; + 
memcpy(uu____1, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____2[168U]; + memcpy(uu____2, out2, (size_t)168U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____3[168U]; + memcpy(uu____3, out3, (size_t)168U * sizeof(uint8_t)); + memcpy(out[3U], uu____3, (size_t)168U * sizeof(uint8_t)); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[168U])); } @@ -4740,7 +4693,7 @@ sample_from_xof__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_fu int16_t out[4U][272U] = {{0U}}; uint8_t uu____0[4U][34U]; memcpy(uu____0, seeds, (size_t)4U * sizeof(uint8_t[34U])); - libcrux_sha3_avx2_x4_incremental_KeccakState4 xof_state = + libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = shake128_init_absorb___4size_t(uu____0); uint8_t randomness0[4U][504U]; shake128_squeeze_three_blocks___4size_t(&xof_state, randomness0); 
@@ -4846,35 +4799,27 @@ static inline void PRFxN___4size_t_128size_t(uint8_t (*input)[33U], uint8_t out1[128U] = {0U}; uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)33U, input[3U], uint8_t, Eurydice_slice); - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____6 = - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_shake256( - uu____0, uu____1, uu____2, uu____3, uu____4, uu____5, uu____6, + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[3U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____7[128U]; - memcpy(uu____7, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____7, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____8[128U]; - memcpy(uu____8, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____8, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____9[128U]; - memcpy(uu____9, out2, (size_t)128U * sizeof(uint8_t)); - memcpy(out[2U], uu____9, (size_t)128U * sizeof(uint8_t)); - 
uint8_t uu____10[128U]; - memcpy(uu____10, out3, (size_t)128U * sizeof(uint8_t)); - memcpy(out[3U], uu____10, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____0[128U]; + memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____1[128U]; + memcpy(uu____1, out1, (size_t)128U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____2[128U]; + memcpy(uu____2, out2, (size_t)128U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____3[128U]; + memcpy(uu____3, out3, (size_t)128U * sizeof(uint8_t)); + memcpy(out[3U], uu____3, (size_t)128U * sizeof(uint8_t)); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[128U])); } 
@@ -5176,38 +5121,35 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_avx2_SIMD256Vecto memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1536U * sizeof(uint8_t)); uint8_t public_key[1568U]; memcpy(public_key, uu____0.snd, (size_t)1568U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1536U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[3168U]; serialize_kem_secret_key__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_4size_t_3168size_t( - uu____1, + Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[3168U]; - memcpy(uu____2, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); + uint8_t uu____1[3168U]; + memcpy(uu____1, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____3168size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___3168size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t uu____3 = private_key; - uint8_t uu____4[1568U]; - memcpy(uu____4, public_key, (size_t)1568U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____3168size_t uu____2 = private_key; + uint8_t uu____3[1568U]; + memcpy(uu____3, public_key, (size_t)1568U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___3168size_t_1568size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1568size_t( - uu____4)); + uu____3)); } static inline void entropy_preprocess__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_4size_t( Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t ret0[32U]; - 
core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static inline void @@ -5587,13 +5529,11 @@ encrypt__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_ static inline void kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_4size_t_1568size_t( Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ 
@@ -5924,11 +5864,10 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vecto uint8_t shared_secret[32U]; kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_4size_t_1568size_t( shared_secret0, shared_secret); - Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); @@ -6062,7 +6001,7 @@ bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_avx2_SIMD Eurydice_array_to_subslice_from((size_t)800U, public_key, (size_t)768U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)800U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } 
@@ -6089,49 +6028,38 @@ closure__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_ libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector)); } -static inline libcrux_sha3_avx2_x4_incremental_KeccakState4 +static inline libcrux_sha3_avx2_x4_incremental_KeccakState shake128_init_absorb___2size_t(uint8_t input[2U][34U]) { libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t state = libcrux_sha3_avx2_x4_incremental_shake128_init(); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = &state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - uu____0, uu____1, uu____2, uu____3, + &state, + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice)); return state; } static inline void shake128_squeeze_three_blocks___2size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[2U][504U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[2U][504U]) { uint8_t out[2U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; uint8_t out1[504U] = {0U}; uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, 
Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[504U]; - memcpy(uu____4, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____5[504U]; - memcpy(uu____5, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____0[504U]; + memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____1[504U]; + memcpy(uu____1, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)504U * sizeof(uint8_t)); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[504U])); } 
@@ -6177,30 +6105,24 @@ sample_from_uniform_distribution_next__libcrux_ml_kem_vector_avx2_SIMD256Vector_ } static inline void shake128_squeeze_block___2size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[2U][168U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[2U][168U]) { uint8_t out[2U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; uint8_t out1[168U] = {0U}; uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[168U]; - memcpy(uu____4, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____5[168U]; - memcpy(uu____5, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____0[168U]; + memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____1[168U]; + memcpy(uu____1, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)168U * sizeof(uint8_t)); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[168U])); } 
@@ -6265,7 +6187,7 @@ sample_from_xof__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_fu
 int16_t out[2U][272U] = {{0U}};
 uint8_t uu____0[2U][34U];
 memcpy(uu____0, seeds, (size_t)2U * sizeof(uint8_t[34U]));
- libcrux_sha3_avx2_x4_incremental_KeccakState4 xof_state =
+ libcrux_sha3_avx2_x4_incremental_KeccakState xof_state =
 shake128_init_absorb___2size_t(uu____0);
 uint8_t randomness0[2U][504U];
 shake128_squeeze_three_blocks___2size_t(&xof_state, randomness0);
@@ -6371,29 +6293,21 @@ static inline void PRFxN___2size_t_192size_t(uint8_t (*input)[33U], uint8_t out1[192U] = {0U}; uint8_t out2[192U] = {0U}; uint8_t out3[192U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)192U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)192U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____6 = - Eurydice_array_to_slice((size_t)192U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_shake256( - uu____0, uu____1, uu____2, uu____3, uu____4, uu____5, uu____6, + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)192U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)192U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)192U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)192U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____7[192U]; - memcpy(uu____7, out0, (size_t)192U * sizeof(uint8_t)); - memcpy(out[0U], uu____7, (size_t)192U * sizeof(uint8_t)); - uint8_t uu____8[192U]; - memcpy(uu____8, out1, (size_t)192U * sizeof(uint8_t)); - memcpy(out[1U], uu____8, (size_t)192U * sizeof(uint8_t)); + uint8_t uu____0[192U]; + memcpy(uu____0, out0, (size_t)192U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)192U * sizeof(uint8_t)); + 
uint8_t uu____1[192U]; + memcpy(uu____1, out1, (size_t)192U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)192U * sizeof(uint8_t)); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[192U])); } 
@@ -6706,38 +6620,35 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_avx2_SIMD256Vecto memcpy(ind_cpa_private_key, uu____0.fst, (size_t)768U * sizeof(uint8_t)); uint8_t public_key[800U]; memcpy(public_key, uu____0.snd, (size_t)800U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)768U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[1632U]; serialize_kem_secret_key__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_2size_t_1632size_t( - uu____1, + Eurydice_array_to_slice((size_t)768U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)800U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[1632U]; - memcpy(uu____2, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); + uint8_t uu____1[1632U]; + memcpy(uu____1, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____1632size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___1632size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t uu____3 = private_key; - uint8_t uu____4[800U]; - memcpy(uu____4, public_key, (size_t)800U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____1632size_t uu____2 = private_key; + uint8_t uu____3[800U]; + memcpy(uu____3, public_key, (size_t)800U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___1632size_t_800size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___800size_t( - uu____4)); + uu____3)); } static inline void entropy_preprocess__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_2size_t( Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t ret0[32U]; - 
core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static inline void 
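Review bot: The new body of `entropy_preprocess__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_2size_t` replaces the checked `Eurydice_slice_to_array2` + unwrap with `core_slice___Slice_T___copy_from_slice` into a zero-initialised `uint8_t out[32U]`, so the 32-byte length guarantee on the caller-supplied `randomness` slice now rests entirely on how that runtime helper treats a length mismatch, which is not visible in this diff. The Rust `copy_from_slice` this was extracted from panics on unequal lengths; the C helper should be confirmed to abort on mismatch rather than copy a shorter input, since a short copy would leave the trailing zero bytes of `out` as the value handed back in `ret`. The same substitution is made for `shared_secret` in `kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_2size_t_768size_t` in the later hunk `@@ -7103,13 +7006,11 @@`. As this file is KaRaMeL output, any fix belongs in the Eurydice runtime definition of `core_slice___Slice_T___copy_from_slice` or the Rust source, not a hand edit here; the `generate_keypair` function at the top of this hunk starts outside it.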
@@ -6782,29 +6693,21 @@ static inline void PRFxN___2size_t_128size_t(uint8_t (*input)[33U], uint8_t out1[128U] = {0U}; uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____6 = - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_shake256( - uu____0, uu____1, uu____2, uu____3, uu____4, uu____5, uu____6, + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____7[128U]; - memcpy(uu____7, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____7, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____8[128U]; - memcpy(uu____8, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____8, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____0[128U]; + memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); + 
uint8_t uu____1[128U]; + memcpy(uu____1, out1, (size_t)128U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)128U * sizeof(uint8_t)); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[128U])); } @@ -7103,13 +7006,11 @@ encrypt__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_ static inline void kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_2size_t_768size_t( Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ @@ -7399,11 +7300,10 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vecto uint8_t shared_secret[32U]; kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_2size_t_768size_t( shared_secret0, shared_secret); - Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h index c5d6f33e3..653e4cb97 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_neon.c b/libcrux-ml-kem/c/libcrux_mlkem_neon.c deleted file mode 100644 index 3f1c6d45c..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem_neon.c +++ /dev/null 
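Review bot: The regenerated header of `libcrux_mlkem_avx2.h` now carries an empty `F* version:` field, whereas the old header recorded `f09228ef`, so the extracted C can no longer be traced to the exact F* toolchain that produced it; for verified-extraction artefacts that hash is part of the provenance and should be populated before merge (the `KaRaMeL version: 42a43169` field is retained, so only the F* side is lost). The invocation path also moved from one personal home directory to another, which suggests the extraction is run from a developer machine rather than a pinned toolchain; running it from a fixed path would make the header reproducible across regenerations. The same header form presumably appears in the other regenerated C files in this commit, which is worth checking.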
@@ -1,7571 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#include "internal/libcrux_mlkem_neon.h" - -#include "internal/libcrux_core.h" -#include "internal/libcrux_mlkem_portable.h" - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_vector_type_ZERO(void) { - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)0); - return (CLITERAL(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector){ - .low = uu____0, - .high = libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)0)}); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO( - void) { - return libcrux_ml_kem_vector_neon_vector_type_ZERO(); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_vector_type_from_i16_array(Eurydice_slice array) { - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vld1q_s16(Eurydice_slice_subslice( - array, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)8U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - return (CLITERAL(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector){ - .low = uu____0, - .high = libcrux_intrinsics_arm64__vld1q_s16(Eurydice_slice_subslice( - array, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)8U, - .end = (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice))}); -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___from_i16_array( - 
Eurydice_slice array) { - return libcrux_ml_kem_vector_neon_vector_type_from_i16_array(array); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_add( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs) { - lhs.low = libcrux_intrinsics_arm64__vaddq_s16(lhs.low, rhs->low); - lhs.high = libcrux_intrinsics_arm64__vaddq_s16(lhs.high, rhs->high); - return lhs; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs) { - return libcrux_ml_kem_vector_neon_arithmetic_add(lhs, rhs); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_sub( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs) { - lhs.low = libcrux_intrinsics_arm64__vsubq_s16(lhs.low, rhs->low); - lhs.high = libcrux_intrinsics_arm64__vsubq_s16(lhs.high, rhs->high); - return lhs; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___sub( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs) { - return libcrux_ml_kem_vector_neon_arithmetic_sub(lhs, rhs); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c) { - v.low = libcrux_intrinsics_arm64__vmulq_n_s16(v.low, c); - v.high = libcrux_intrinsics_arm64__vmulq_n_s16(v.high, c); - return v; -} - 
-libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c) { - return libcrux_ml_kem_vector_neon_arithmetic_multiply_by_constant(v, c); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c) { - core_core_arch_arm_shared_neon_int16x8_t c0 = - libcrux_intrinsics_arm64__vdupq_n_s16(c); - v.low = libcrux_intrinsics_arm64__vandq_s16(v.low, c0); - v.high = libcrux_intrinsics_arm64__vandq_s16(v.high, c0); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___bitwise_and_with_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c) { - return libcrux_ml_kem_vector_neon_arithmetic_bitwise_and_with_constant(v, c); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_int16x8_t c = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)3329); - core_core_arch_arm_shared_neon_uint16x8_t m0 = - libcrux_intrinsics_arm64__vcgeq_s16(v.low, c); - core_core_arch_arm_shared_neon_uint16x8_t m1 = - libcrux_intrinsics_arm64__vcgeq_s16(v.high, c); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = c; - core_core_arch_arm_shared_neon_int16x8_t c0 = - libcrux_intrinsics_arm64__vandq_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u16(m0)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = c; - core_core_arch_arm_shared_neon_int16x8_t c1 = - libcrux_intrinsics_arm64__vandq_s16( - 
uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u16(m1)); - v.low = libcrux_intrinsics_arm64__vsubq_s16(v.low, c0); - v.high = libcrux_intrinsics_arm64__vsubq_s16(v.high, c1); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___cond_subtract_3329( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return libcrux_ml_kem_vector_neon_arithmetic_cond_subtract_3329(v); -} - -inline core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t v) { - core_core_arch_arm_shared_neon_int16x8_t adder = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)1024); - core_core_arch_arm_shared_neon_int16x8_t vec = - libcrux_intrinsics_arm64__vqdmulhq_n_s16( - v, LIBCRUX_ML_KEM_VECTOR_NEON_ARITHMETIC_BARRETT_MULTIPLIER); - core_core_arch_arm_shared_neon_int16x8_t vec0 = - libcrux_intrinsics_arm64__vaddq_s16(vec, adder); - core_core_arch_arm_shared_neon_int16x8_t quotient = - libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)11, vec0, core_core_arch_arm_shared_neon_int16x8_t); - core_core_arch_arm_shared_neon_int16x8_t sub = - libcrux_intrinsics_arm64__vmulq_n_s16( - quotient, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_intrinsics_arm64__vsubq_s16(v, sub); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - v.low = libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce_int16x8_t(v.low); - v.high = - libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce_int16x8_t(v.high); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( 
- libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce(v); -} - -inline core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_montgomery_reduce_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t low, - core_core_arch_arm_shared_neon_int16x8_t high) { - core_core_arch_arm_shared_neon_int16x8_t k = - libcrux_intrinsics_arm64__vreinterpretq_s16_u16( - libcrux_intrinsics_arm64__vmulq_n_u16( - libcrux_intrinsics_arm64__vreinterpretq_u16_s16(low), - (uint16_t) - LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R)); - core_core_arch_arm_shared_neon_int16x8_t c = - libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)1, - libcrux_intrinsics_arm64__vqdmulhq_n_s16( - k, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS), - core_core_arch_arm_shared_neon_int16x8_t); - return libcrux_intrinsics_arm64__vsubq_s16(high, c); -} - -inline core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_by_constant_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t v, int16_t c) { - core_core_arch_arm_shared_neon_int16x8_t v_low = - libcrux_intrinsics_arm64__vmulq_n_s16(v, c); - core_core_arch_arm_shared_neon_int16x8_t v_high = - libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)1, libcrux_intrinsics_arm64__vqdmulhq_n_s16(v, c), - core_core_arch_arm_shared_neon_int16x8_t); - return libcrux_ml_kem_vector_neon_arithmetic_montgomery_reduce_int16x8_t( - v_low, v_high); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c) { - v.low = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_by_constant_int16x8_t( - v.low, c); - v.high = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_by_constant_int16x8_t( - v.high, c); - return v; -} - 
-libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___montgomery_multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c) { - return libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_by_constant( - v, c); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_compress_compress_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_int16x8_t half = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)1664); - core_core_arch_arm_shared_neon_int16x8_t quarter = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)832); - core_core_arch_arm_shared_neon_int16x8_t shifted = - libcrux_intrinsics_arm64__vsubq_s16(half, v.low); - core_core_arch_arm_shared_neon_int16x8_t mask0 = - libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)15, shifted, core_core_arch_arm_shared_neon_int16x8_t); - core_core_arch_arm_shared_neon_int16x8_t shifted_to_positive = - libcrux_intrinsics_arm64__veorq_s16(mask0, shifted); - core_core_arch_arm_shared_neon_int16x8_t shifted_positive_in_range = - libcrux_intrinsics_arm64__vsubq_s16(shifted_to_positive, quarter); - v.low = libcrux_intrinsics_arm64__vreinterpretq_s16_u16( - libcrux_intrinsics_arm64__vshrq_n_u16( - (int32_t)15, - libcrux_intrinsics_arm64__vreinterpretq_u16_s16( - shifted_positive_in_range), - core_core_arch_arm_shared_neon_uint16x8_t)); - core_core_arch_arm_shared_neon_int16x8_t shifted0 = - libcrux_intrinsics_arm64__vsubq_s16(half, v.high); - core_core_arch_arm_shared_neon_int16x8_t mask = - libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)15, shifted0, core_core_arch_arm_shared_neon_int16x8_t); - core_core_arch_arm_shared_neon_int16x8_t shifted_to_positive0 = - libcrux_intrinsics_arm64__veorq_s16(mask, shifted0); - core_core_arch_arm_shared_neon_int16x8_t shifted_positive_in_range0 = - 
libcrux_intrinsics_arm64__vsubq_s16(shifted_to_positive0, quarter); - v.high = libcrux_intrinsics_arm64__vreinterpretq_s16_u16( - libcrux_intrinsics_arm64__vshrq_n_u16( - (int32_t)15, - libcrux_intrinsics_arm64__vreinterpretq_u16_s16( - shifted_positive_in_range0), - core_core_arch_arm_shared_neon_uint16x8_t)); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___compress_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return libcrux_ml_kem_vector_neon_compress_compress_1(v); -} - -inline int16_t -libcrux_ml_kem_vector_neon_compress_mask_n_least_significant_bits( - int16_t coefficient_bits) { - int16_t uu____0; - switch (coefficient_bits) { - case 4: { - uu____0 = (int16_t)15; - break; - } - case 5: { - uu____0 = (int16_t)31; - break; - } - case 10: { - uu____0 = (int16_t)1023; - break; - } - case 11: { - uu____0 = (int16_t)2047; - break; - } - default: { - int16_t x = coefficient_bits; - uu____0 = ((int16_t)1 << (uint32_t)x) - (int16_t)1; - } - } - return uu____0; -} - -inline core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t v, - core_core_arch_arm_shared_neon_int16x8_t c) { - core_core_arch_arm_shared_neon_int16x8_t v_low = - libcrux_intrinsics_arm64__vmulq_s16(v, c); - core_core_arch_arm_shared_neon_int16x8_t v_high = - libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)1, libcrux_intrinsics_arm64__vqdmulhq_s16(v, c), - core_core_arch_arm_shared_neon_int16x8_t); - return libcrux_ml_kem_vector_neon_arithmetic_montgomery_reduce_int16x8_t( - v_low, v_high); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4) { - 
int16_t zetas[8U] = {zeta1, zeta1, zeta3, zeta3, zeta2, zeta2, zeta4, zeta4}; - core_core_arch_arm_shared_neon_int16x8_t zeta = - libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, zetas, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_int32x4_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t dup_a = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn1q_s32( - uu____0, - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.high))); - core_core_arch_arm_shared_neon_int32x4_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t dup_b = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn2q_s32( - uu____1, - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.high))); - core_core_arch_arm_shared_neon_int16x8_t t = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t(dup_b, - zeta); - core_core_arch_arm_shared_neon_int16x8_t b = - libcrux_intrinsics_arm64__vsubq_s16(dup_a, t); - core_core_arch_arm_shared_neon_int16x8_t a = - libcrux_intrinsics_arm64__vaddq_s16(dup_a, t); - core_core_arch_arm_shared_neon_int32x4_t uu____2 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(a); - v.low = libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn1q_s32( - uu____2, libcrux_intrinsics_arm64__vreinterpretq_s32_s16(b))); - core_core_arch_arm_shared_neon_int32x4_t uu____3 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(a); - v.high = libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn2q_s32( - uu____3, libcrux_intrinsics_arm64__vreinterpretq_s32_s16(b))); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_1_step( - 
libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4) { - return libcrux_ml_kem_vector_neon_ntt_ntt_layer_1_step(a, zeta1, zeta2, zeta3, - zeta4); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta1, - int16_t zeta2) { - int16_t zetas[8U] = {zeta1, zeta1, zeta1, zeta1, zeta2, zeta2, zeta2, zeta2}; - core_core_arch_arm_shared_neon_int16x8_t zeta = - libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, zetas, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_int64x2_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t dup_a = - libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn1q_s64( - uu____0, - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.high))); - core_core_arch_arm_shared_neon_int64x2_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t dup_b = - libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn2q_s64( - uu____1, - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.high))); - core_core_arch_arm_shared_neon_int16x8_t t = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t(dup_b, - zeta); - core_core_arch_arm_shared_neon_int16x8_t b = - libcrux_intrinsics_arm64__vsubq_s16(dup_a, t); - core_core_arch_arm_shared_neon_int16x8_t a = - libcrux_intrinsics_arm64__vaddq_s16(dup_a, t); - core_core_arch_arm_shared_neon_int64x2_t uu____2 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(a); - v.low = libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn1q_s64( - uu____2, libcrux_intrinsics_arm64__vreinterpretq_s64_s16(b))); - core_core_arch_arm_shared_neon_int64x2_t uu____3 = - 
libcrux_intrinsics_arm64__vreinterpretq_s64_s16(a); - v.high = libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn2q_s64( - uu____3, libcrux_intrinsics_arm64__vreinterpretq_s64_s16(b))); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2) { - return libcrux_ml_kem_vector_neon_ntt_ntt_layer_2_step(a, zeta1, zeta2); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta) { - core_core_arch_arm_shared_neon_int16x8_t zeta0 = - libcrux_intrinsics_arm64__vdupq_n_s16(zeta); - core_core_arch_arm_shared_neon_int16x8_t t = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t( - v.high, zeta0); - v.high = libcrux_intrinsics_arm64__vsubq_s16(v.low, t); - v.low = libcrux_intrinsics_arm64__vaddq_s16(v.low, t); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta) { - return libcrux_ml_kem_vector_neon_ntt_ntt_layer_3_step(a, zeta); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4) { - int16_t zetas[8U] = {zeta1, zeta1, zeta3, zeta3, zeta2, zeta2, zeta4, zeta4}; - core_core_arch_arm_shared_neon_int16x8_t zeta = - libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, zetas, int16_t, Eurydice_slice)); - 
core_core_arch_arm_shared_neon_int32x4_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t a0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn1q_s32( - uu____0, - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.high))); - core_core_arch_arm_shared_neon_int32x4_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t b0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn2q_s32( - uu____1, - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(v.high))); - core_core_arch_arm_shared_neon_int16x8_t b_minus_a = - libcrux_intrinsics_arm64__vsubq_s16(b0, a0); - core_core_arch_arm_shared_neon_int16x8_t a = - libcrux_intrinsics_arm64__vaddq_s16(a0, b0); - core_core_arch_arm_shared_neon_int16x8_t a1 = - libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce_int16x8_t(a); - core_core_arch_arm_shared_neon_int16x8_t b = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t( - b_minus_a, zeta); - core_core_arch_arm_shared_neon_int32x4_t uu____2 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(a1); - v.low = libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn1q_s32( - uu____2, libcrux_intrinsics_arm64__vreinterpretq_s32_s16(b))); - core_core_arch_arm_shared_neon_int32x4_t uu____3 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16(a1); - v.high = libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn2q_s32( - uu____3, libcrux_intrinsics_arm64__vreinterpretq_s32_s16(b))); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_1_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4) { - return 
libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_1_step(a, zeta1, zeta2, - zeta3, zeta4); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta1, - int16_t zeta2) { - int16_t zetas[8U] = {zeta1, zeta1, zeta1, zeta1, zeta2, zeta2, zeta2, zeta2}; - core_core_arch_arm_shared_neon_int16x8_t zeta = - libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, zetas, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_int64x2_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t a0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn1q_s64( - uu____0, - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.high))); - core_core_arch_arm_shared_neon_int64x2_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.low); - core_core_arch_arm_shared_neon_int16x8_t b0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn2q_s64( - uu____1, - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(v.high))); - core_core_arch_arm_shared_neon_int16x8_t b_minus_a = - libcrux_intrinsics_arm64__vsubq_s16(b0, a0); - core_core_arch_arm_shared_neon_int16x8_t a = - libcrux_intrinsics_arm64__vaddq_s16(a0, b0); - core_core_arch_arm_shared_neon_int16x8_t b = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t( - b_minus_a, zeta); - core_core_arch_arm_shared_neon_int64x2_t uu____2 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(a); - v.low = libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn1q_s64( - uu____2, libcrux_intrinsics_arm64__vreinterpretq_s64_s16(b))); - core_core_arch_arm_shared_neon_int64x2_t uu____3 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s16(a); - v.high = libcrux_intrinsics_arm64__vreinterpretq_s16_s64( - libcrux_intrinsics_arm64__vtrn2q_s64( - 
uu____3, libcrux_intrinsics_arm64__vreinterpretq_s64_s16(b))); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2) { - return libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_2_step(a, zeta1, zeta2); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta) { - core_core_arch_arm_shared_neon_int16x8_t zeta0 = - libcrux_intrinsics_arm64__vdupq_n_s16(zeta); - core_core_arch_arm_shared_neon_int16x8_t b_minus_a = - libcrux_intrinsics_arm64__vsubq_s16(v.high, v.low); - v.low = libcrux_intrinsics_arm64__vaddq_s16(v.low, v.high); - v.high = libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t( - b_minus_a, zeta0); - return v; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta) { - return libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_3_step(a, zeta); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_multiply( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4) { - int16_t zetas[8U] = {zeta1, zeta3, -zeta1, -zeta3, - zeta2, zeta4, -zeta2, -zeta4}; - core_core_arch_arm_shared_neon_int16x8_t zeta = - libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, zetas, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_int16x8_t a0 = - 
libcrux_intrinsics_arm64__vtrn1q_s16(lhs->low, lhs->high); - core_core_arch_arm_shared_neon_int16x8_t a1 = - libcrux_intrinsics_arm64__vtrn2q_s16(lhs->low, lhs->high); - core_core_arch_arm_shared_neon_int16x8_t b0 = - libcrux_intrinsics_arm64__vtrn1q_s16(rhs->low, rhs->high); - core_core_arch_arm_shared_neon_int16x8_t b1 = - libcrux_intrinsics_arm64__vtrn2q_s16(rhs->low, rhs->high); - core_core_arch_arm_shared_neon_int16x8_t a1b1 = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t(a1, - b1); - core_core_arch_arm_shared_neon_int16x4_t uu____0 = - libcrux_intrinsics_arm64__vget_low_s16(a1b1); - core_core_arch_arm_shared_neon_int32x4_t a1b1_low = - libcrux_intrinsics_arm64__vmull_s16( - uu____0, libcrux_intrinsics_arm64__vget_low_s16(zeta)); - core_core_arch_arm_shared_neon_int32x4_t a1b1_high = - libcrux_intrinsics_arm64__vmull_high_s16(a1b1, zeta); - core_core_arch_arm_shared_neon_int32x4_t uu____1 = a1b1_low; - core_core_arch_arm_shared_neon_int16x4_t uu____2 = - libcrux_intrinsics_arm64__vget_low_s16(a0); - core_core_arch_arm_shared_neon_int16x8_t fst_low = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vmlal_s16( - uu____1, uu____2, libcrux_intrinsics_arm64__vget_low_s16(b0))); - core_core_arch_arm_shared_neon_int16x8_t fst_high = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vmlal_high_s16(a1b1_high, a0, b0)); - core_core_arch_arm_shared_neon_int16x4_t uu____3 = - libcrux_intrinsics_arm64__vget_low_s16(a0); - core_core_arch_arm_shared_neon_int32x4_t a0b1_low = - libcrux_intrinsics_arm64__vmull_s16( - uu____3, libcrux_intrinsics_arm64__vget_low_s16(b1)); - core_core_arch_arm_shared_neon_int32x4_t a0b1_high = - libcrux_intrinsics_arm64__vmull_high_s16(a0, b1); - core_core_arch_arm_shared_neon_int32x4_t uu____4 = a0b1_low; - core_core_arch_arm_shared_neon_int16x4_t uu____5 = - libcrux_intrinsics_arm64__vget_low_s16(a1); - core_core_arch_arm_shared_neon_int16x8_t snd_low = - 
libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vmlal_s16( - uu____4, uu____5, libcrux_intrinsics_arm64__vget_low_s16(b0))); - core_core_arch_arm_shared_neon_int16x8_t snd_high = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vmlal_high_s16(a0b1_high, a1, b0)); - core_core_arch_arm_shared_neon_int16x8_t fst_low16 = - libcrux_intrinsics_arm64__vtrn1q_s16(fst_low, fst_high); - core_core_arch_arm_shared_neon_int16x8_t fst_high16 = - libcrux_intrinsics_arm64__vtrn2q_s16(fst_low, fst_high); - core_core_arch_arm_shared_neon_int16x8_t snd_low16 = - libcrux_intrinsics_arm64__vtrn1q_s16(snd_low, snd_high); - core_core_arch_arm_shared_neon_int16x8_t snd_high16 = - libcrux_intrinsics_arm64__vtrn2q_s16(snd_low, snd_high); - core_core_arch_arm_shared_neon_int16x8_t fst = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_reduce_int16x8_t( - fst_low16, fst_high16); - core_core_arch_arm_shared_neon_int16x8_t snd = - libcrux_ml_kem_vector_neon_arithmetic_montgomery_reduce_int16x8_t( - snd_low16, snd_high16); - core_core_arch_arm_shared_neon_int32x4_t low0 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn1q_s16(fst, snd)); - core_core_arch_arm_shared_neon_int32x4_t high0 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn2q_s16(fst, snd)); - core_core_arch_arm_shared_neon_int16x8_t low1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn1q_s32(low0, high0)); - core_core_arch_arm_shared_neon_int16x8_t high1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_s32( - libcrux_intrinsics_arm64__vtrn2q_s32(low0, high0)); - uint8_t indexes[16U] = {0U, 1U, 2U, 3U, 8U, 9U, 10U, 11U, - 4U, 5U, 6U, 7U, 12U, 13U, 14U, 15U}; - core_core_arch_arm_shared_neon_uint8x16_t index = - libcrux_intrinsics_arm64__vld1q_u8(Eurydice_array_to_slice( - (size_t)16U, indexes, uint8_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_int16x8_t low2 = 
- libcrux_intrinsics_arm64__vreinterpretq_s16_u8( - libcrux_intrinsics_arm64__vqtbl1q_u8( - libcrux_intrinsics_arm64__vreinterpretq_u8_s16(low1), index)); - core_core_arch_arm_shared_neon_int16x8_t high2 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u8( - libcrux_intrinsics_arm64__vqtbl1q_u8( - libcrux_intrinsics_arm64__vreinterpretq_u8_s16(high1), index)); - return (CLITERAL(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector){ - .low = low2, .high = high2}); -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_multiply( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4) { - return libcrux_ml_kem_vector_neon_ntt_ntt_multiply(lhs, rhs, zeta1, zeta2, - zeta3, zeta4); -} - -inline void libcrux_ml_kem_vector_neon_serialize_serialize_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[2U]) { - int16_t shifter[8U] = {(int16_t)0, (int16_t)1, (int16_t)2, (int16_t)3, - (int16_t)4, (int16_t)5, (int16_t)6, (int16_t)7}; - core_core_arch_arm_shared_neon_int16x8_t shift = - libcrux_intrinsics_arm64__vld1q_s16(Eurydice_array_to_slice( - (size_t)8U, shifter, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_int16x8_t low0 = - libcrux_intrinsics_arm64__vshlq_s16(v.low, shift); - core_core_arch_arm_shared_neon_int16x8_t high0 = - libcrux_intrinsics_arm64__vshlq_s16(v.high, shift); - int16_t low = libcrux_intrinsics_arm64__vaddvq_s16(low0); - int16_t high = libcrux_intrinsics_arm64__vaddvq_s16(high0); - ret[0U] = (uint8_t)low; - ret[1U] = (uint8_t)high; -} - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t 
ret[2U]) { - uint8_t ret0[2U]; - libcrux_ml_kem_vector_neon_serialize_serialize_1(a, ret0); - memcpy(ret, ret0, (size_t)2U * sizeof(uint8_t)); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_1(Eurydice_slice a) { - core_core_arch_arm_shared_neon_int16x8_t one = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)1); - core_core_arch_arm_shared_neon_int16x8_t low0 = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)Eurydice_slice_index( - a, (size_t)0U, uint8_t, uint8_t *, uint8_t)); - core_core_arch_arm_shared_neon_int16x8_t high0 = - libcrux_intrinsics_arm64__vdupq_n_s16((int16_t)Eurydice_slice_index( - a, (size_t)1U, uint8_t, uint8_t *, uint8_t)); - int16_t shifter[8U] = {(int16_t)0, (int16_t)255, (int16_t)-2, (int16_t)-3, - (int16_t)-4, (int16_t)-5, (int16_t)-6, (int16_t)-7}; - core_core_arch_arm_shared_neon_int16x8_t shift = - libcrux_intrinsics_arm64__vld1q_s16(Eurydice_array_to_slice( - (size_t)8U, shifter, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_int16x8_t low = - libcrux_intrinsics_arm64__vshlq_s16(low0, shift); - core_core_arch_arm_shared_neon_int16x8_t high = - libcrux_intrinsics_arm64__vshlq_s16(high0, shift); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vandq_s16(low, one); - return (CLITERAL(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector){ - .low = uu____0, .high = libcrux_intrinsics_arm64__vandq_s16(high, one)}); -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_1( - Eurydice_slice a) { - return libcrux_ml_kem_vector_neon_serialize_deserialize_1(a); -} - -inline void libcrux_ml_kem_vector_neon_serialize_serialize_4( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[8U]) { - int16_t shifter[8U] = {(int16_t)0, (int16_t)4, (int16_t)8, (int16_t)12, - 
(int16_t)0, (int16_t)4, (int16_t)8, (int16_t)12}; - core_core_arch_arm_shared_neon_int16x8_t shift = - libcrux_intrinsics_arm64__vld1q_s16(Eurydice_array_to_slice( - (size_t)8U, shifter, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_uint16x8_t lowt = - libcrux_intrinsics_arm64__vshlq_u16( - libcrux_intrinsics_arm64__vreinterpretq_u16_s16(v.low), shift); - core_core_arch_arm_shared_neon_uint16x8_t hight = - libcrux_intrinsics_arm64__vshlq_u16( - libcrux_intrinsics_arm64__vreinterpretq_u16_s16(v.high), shift); - uint64_t sum0 = (uint64_t)libcrux_intrinsics_arm64__vaddv_u16( - libcrux_intrinsics_arm64__vget_low_u16(lowt)); - uint64_t sum1 = (uint64_t)libcrux_intrinsics_arm64__vaddv_u16( - libcrux_intrinsics_arm64__vget_high_u16(lowt)); - uint64_t sum2 = (uint64_t)libcrux_intrinsics_arm64__vaddv_u16( - libcrux_intrinsics_arm64__vget_low_u16(hight)); - uint64_t sum3 = (uint64_t)libcrux_intrinsics_arm64__vaddv_u16( - libcrux_intrinsics_arm64__vget_high_u16(hight)); - uint64_t sum = ((sum0 | sum1 << 16U) | sum2 << 32U) | sum3 << 48U; - uint8_t ret0[8U]; - core_num__u64_9__to_le_bytes(sum, ret0); - memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_4( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[8U]) { - uint8_t ret0[8U]; - libcrux_ml_kem_vector_neon_serialize_serialize_4(a, ret0); - memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t)); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_4(Eurydice_slice v) { - uint8_t ret[8U]; - core_result_Result__uint8_t_8size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, v, Eurydice_slice, uint8_t[8U], void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_8size_t__core_array_TryFromSliceError( - dst, ret); - uint64_t input = 
core_num__u64_9__from_le_bytes(ret); - int16_t low[8U] = {0U}; - int16_t high[8U] = {0U}; - low[0U] = (int16_t)(input & 15ULL); - low[1U] = (int16_t)(input >> 4U & 15ULL); - low[2U] = (int16_t)(input >> 8U & 15ULL); - low[3U] = (int16_t)(input >> 12U & 15ULL); - low[4U] = (int16_t)(input >> 16U & 15ULL); - low[5U] = (int16_t)(input >> 20U & 15ULL); - low[6U] = (int16_t)(input >> 24U & 15ULL); - low[7U] = (int16_t)(input >> 28U & 15ULL); - high[0U] = (int16_t)(input >> 32U & 15ULL); - high[1U] = (int16_t)(input >> 36U & 15ULL); - high[2U] = (int16_t)(input >> 40U & 15ULL); - high[3U] = (int16_t)(input >> 44U & 15ULL); - high[4U] = (int16_t)(input >> 48U & 15ULL); - high[5U] = (int16_t)(input >> 52U & 15ULL); - high[6U] = (int16_t)(input >> 56U & 15ULL); - high[7U] = (int16_t)(input >> 60U & 15ULL); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lit; - lit.low = libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, low, int16_t, Eurydice_slice)); - lit.high = libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, high, int16_t, Eurydice_slice)); - return lit; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_4( - Eurydice_slice a) { - return libcrux_ml_kem_vector_neon_serialize_deserialize_4(a); -} - -inline void libcrux_ml_kem_vector_neon_vector_type_to_i16_array( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t ret[16U]) { - int16_t out[16U] = {0U}; - libcrux_intrinsics_arm64__vst1q_s16( - Eurydice_array_to_subslice((size_t)16U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)8U}), - int16_t, core_ops_range_Range__size_t, - Eurydice_slice), - v.low); - libcrux_intrinsics_arm64__vst1q_s16( - Eurydice_array_to_subslice((size_t)16U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)8U, .end = 
(size_t)16U}), - int16_t, core_ops_range_Range__size_t, - Eurydice_slice), - v.high); - memcpy(ret, out, (size_t)16U * sizeof(int16_t)); -} - -inline void libcrux_ml_kem_vector_neon_serialize_serialize_5( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[10U]) { - uint8_t res[10U] = {0U}; - int16_t out[16U]; - libcrux_ml_kem_vector_neon_vector_type_to_i16_array(v, out); - res[0U] = (uint8_t)(out[0U] | out[1U] << 5U); - res[1U] = (uint8_t)((out[1U] >> 3U | out[2U] << 2U) | out[3U] << 7U); - res[2U] = (uint8_t)(out[3U] >> 1U | out[4U] << 4U); - res[3U] = (uint8_t)((out[4U] >> 4U | out[5U] << 1U) | out[6U] << 6U); - res[4U] = (uint8_t)(out[6U] >> 2U | out[7U] << 3U); - res[5U] = (uint8_t)(out[(size_t)8U + (size_t)0U] | - out[(size_t)8U + (size_t)1U] << 5U); - res[6U] = (uint8_t)((out[(size_t)8U + (size_t)1U] >> 3U | - out[(size_t)8U + (size_t)2U] << 2U) | - out[(size_t)8U + (size_t)3U] << 7U); - res[7U] = (uint8_t)(out[(size_t)8U + (size_t)3U] >> 1U | - out[(size_t)8U + (size_t)4U] << 4U); - res[8U] = (uint8_t)((out[(size_t)8U + (size_t)4U] >> 4U | - out[(size_t)8U + (size_t)5U] << 1U) | - out[(size_t)8U + (size_t)6U] << 6U); - res[9U] = (uint8_t)(out[(size_t)8U + (size_t)6U] >> 2U | - out[(size_t)8U + (size_t)7U] << 3U); - memcpy(ret, res, (size_t)10U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_5( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[10U]) { - uint8_t ret0[10U]; - libcrux_ml_kem_vector_neon_serialize_serialize_5(a, ret0); - memcpy(ret, ret0, (size_t)10U * sizeof(uint8_t)); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_5(Eurydice_slice v) { - uint8_t input0[8U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)8U, input0, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = 
(size_t)5U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)5U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - uint8_t uu____1[8U]; - memcpy(uu____1, input0, (size_t)8U * sizeof(uint8_t)); - uint64_t low64 = core_num__u64_9__from_le_bytes(uu____1); - uint8_t input1[8U] = {0U}; - Eurydice_slice uu____2 = Eurydice_array_to_subslice( - (size_t)8U, input1, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)5U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)5U, .end = (size_t)10U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - uint8_t uu____3[8U]; - memcpy(uu____3, input1, (size_t)8U * sizeof(uint8_t)); - uint64_t high64 = core_num__u64_9__from_le_bytes(uu____3); - int16_t low[8U] = {0U}; - int16_t high[8U] = {0U}; - low[0U] = (int16_t)(low64 & 31ULL); - low[1U] = (int16_t)(low64 >> 5U & 31ULL); - low[2U] = (int16_t)(low64 >> 10U & 31ULL); - low[3U] = (int16_t)(low64 >> 15U & 31ULL); - low[4U] = (int16_t)(low64 >> 20U & 31ULL); - low[5U] = (int16_t)(low64 >> 25U & 31ULL); - low[6U] = (int16_t)(low64 >> 30U & 31ULL); - low[7U] = (int16_t)(low64 >> 35U & 31ULL); - high[0U] = (int16_t)(high64 & 31ULL); - high[1U] = (int16_t)(high64 >> 5U & 31ULL); - high[2U] = (int16_t)(high64 >> 10U & 31ULL); - high[3U] = (int16_t)(high64 >> 15U & 31ULL); - high[4U] = (int16_t)(high64 >> 20U & 31ULL); - high[5U] = (int16_t)(high64 >> 25U & 31ULL); - high[6U] = (int16_t)(high64 >> 30U & 31ULL); - high[7U] = (int16_t)(high64 >> 35U & 31ULL); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lit; - lit.low = libcrux_intrinsics_arm64__vld1q_s16( - 
Eurydice_array_to_slice((size_t)8U, low, int16_t, Eurydice_slice)); - lit.high = libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, high, int16_t, Eurydice_slice)); - return lit; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_5( - Eurydice_slice a) { - return libcrux_ml_kem_vector_neon_serialize_deserialize_5(a); -} - -inline void libcrux_ml_kem_vector_neon_serialize_serialize_10( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[20U]) { - core_core_arch_arm_shared_neon_int32x4_t low00 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn1q_s16(v.low, v.low)); - core_core_arch_arm_shared_neon_int32x4_t low10 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn2q_s16(v.low, v.low)); - core_core_arch_arm_shared_neon_int32x4_t mixt = - libcrux_intrinsics_arm64__vsliq_n_s32( - (int32_t)10, low00, low10, core_core_arch_arm_shared_neon_int32x4_t); - core_core_arch_arm_shared_neon_int64x2_t low0 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn1q_s32(mixt, mixt)); - core_core_arch_arm_shared_neon_int64x2_t low1 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn2q_s32(mixt, mixt)); - core_core_arch_arm_shared_neon_int64x2_t low_mix = - libcrux_intrinsics_arm64__vsliq_n_s64( - (int32_t)20, low0, low1, core_core_arch_arm_shared_neon_int64x2_t); - core_core_arch_arm_shared_neon_int32x4_t high00 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn1q_s16(v.high, v.high)); - core_core_arch_arm_shared_neon_int32x4_t high10 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn2q_s16(v.high, v.high)); - core_core_arch_arm_shared_neon_int32x4_t mixt0 = - 
libcrux_intrinsics_arm64__vsliq_n_s32( - (int32_t)10, high00, high10, - core_core_arch_arm_shared_neon_int32x4_t); - core_core_arch_arm_shared_neon_int64x2_t high0 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn1q_s32(mixt0, mixt0)); - core_core_arch_arm_shared_neon_int64x2_t high1 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn2q_s32(mixt0, mixt0)); - core_core_arch_arm_shared_neon_int64x2_t high_mix = - libcrux_intrinsics_arm64__vsliq_n_s64( - (int32_t)20, high0, high1, core_core_arch_arm_shared_neon_int64x2_t); - uint8_t result32[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)16U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_intrinsics_arm64__vst1q_u8( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_u8_s64(low_mix)); - Eurydice_slice uu____1 = Eurydice_array_to_subslice( - (size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)16U, - .end = (size_t)32U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_intrinsics_arm64__vst1q_u8( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_u8_s64(high_mix)); - uint8_t result[20U] = {0U}; - Eurydice_slice uu____2 = Eurydice_array_to_subslice( - (size_t)20U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)5U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)5U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_array_to_subslice( - (size_t)20U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)5U, - .end = (size_t)10U}), - uint8_t, 
core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____3, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)8U, .end = (size_t)13U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____4 = Eurydice_array_to_subslice( - (size_t)20U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)10U, - .end = (size_t)15U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)16U, .end = (size_t)21U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = Eurydice_array_to_subslice( - (size_t)20U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)15U, - .end = (size_t)20U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____5, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)24U, .end = (size_t)29U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - memcpy(ret, result, (size_t)20U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_10( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[20U]) { - uint8_t ret0[20U]; - libcrux_ml_kem_vector_neon_serialize_serialize_10(a, ret0); - memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t)); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_10(Eurydice_slice v) { - uint8_t input0[8U] = {0U}; - uint8_t input1[8U] = {0U}; - uint8_t input2[4U] = {0U}; - Eurydice_slice uu____0 = - 
Eurydice_array_to_slice((size_t)8U, input0, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)8U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)8U, input1, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____1, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)8U, .end = (size_t)16U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)4U, input2, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)16U, .end = (size_t)20U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - uint8_t uu____3[8U]; - memcpy(uu____3, input0, (size_t)8U * sizeof(uint8_t)); - uint64_t input00 = core_num__u64_9__from_le_bytes(uu____3); - uint8_t uu____4[8U]; - memcpy(uu____4, input1, (size_t)8U * sizeof(uint8_t)); - uint64_t input10 = core_num__u64_9__from_le_bytes(uu____4); - uint8_t uu____5[4U]; - memcpy(uu____5, input2, (size_t)4U * sizeof(uint8_t)); - uint32_t input20 = core_num__u32_8__from_le_bytes(uu____5); - int16_t low[8U] = {0U}; - int16_t high[8U] = {0U}; - low[0U] = (int16_t)(input00 & 1023ULL); - low[1U] = (int16_t)(input00 >> 10U & 1023ULL); - low[2U] = (int16_t)(input00 >> 20U & 1023ULL); - low[3U] = (int16_t)(input00 >> 30U & 1023ULL); - low[4U] = (int16_t)(input00 >> 40U & 1023ULL); - low[5U] = (int16_t)(input00 >> 50U & 1023ULL); - low[6U] = (int16_t)((input00 >> 60U | input10 << 4U) & 1023ULL); - low[7U] = (int16_t)(input10 >> 6U & 1023ULL); - high[0U] = (int16_t)(input10 >> 16U & 1023ULL); - high[1U] = (int16_t)(input10 >> 26U & 1023ULL); 
- high[2U] = (int16_t)(input10 >> 36U & 1023ULL); - high[3U] = (int16_t)(input10 >> 46U & 1023ULL); - high[4U] = (int16_t)(((uint32_t)(input10 >> 56U) | input20 << 8U) & 1023U); - high[5U] = (int16_t)(input20 >> 2U & 1023U); - high[6U] = (int16_t)(input20 >> 12U & 1023U); - high[7U] = (int16_t)(input20 >> 22U & 1023U); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lit; - lit.low = libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, low, int16_t, Eurydice_slice)); - lit.high = libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, high, int16_t, Eurydice_slice)); - return lit; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_10( - Eurydice_slice a) { - return libcrux_ml_kem_vector_neon_serialize_deserialize_10(a); -} - -inline void libcrux_ml_kem_vector_neon_serialize_serialize_11( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[22U]) { - int16_t input[16U]; - libcrux_ml_kem_vector_neon_vector_type_to_i16_array(v, input); - uint8_t result[22U] = {0U}; - result[0U] = (uint8_t)input[0U]; - result[1U] = (uint8_t)(input[0U] >> 8U | input[1U] << 3U); - result[2U] = (uint8_t)(input[1U] >> 5U | input[2U] << 6U); - result[3U] = (uint8_t)(input[2U] >> 2U); - result[4U] = (uint8_t)(input[2U] >> 10U | input[3U] << 1U); - result[5U] = (uint8_t)(input[3U] >> 7U | input[4U] << 4U); - result[6U] = (uint8_t)(input[4U] >> 4U | input[5U] << 7U); - result[7U] = (uint8_t)(input[5U] >> 1U); - result[8U] = (uint8_t)(input[5U] >> 9U | input[6U] << 2U); - result[9U] = (uint8_t)(input[6U] >> 6U | input[7U] << 5U); - result[10U] = (uint8_t)(input[7U] >> 3U); - result[(size_t)11U + (size_t)0U] = (uint8_t)input[(size_t)8U + (size_t)0U]; - result[(size_t)11U + (size_t)1U] = - (uint8_t)(input[(size_t)8U + (size_t)0U] >> 8U | - input[(size_t)8U + (size_t)1U] << 3U); - 
result[(size_t)11U + (size_t)2U] = - (uint8_t)(input[(size_t)8U + (size_t)1U] >> 5U | - input[(size_t)8U + (size_t)2U] << 6U); - result[(size_t)11U + (size_t)3U] = - (uint8_t)(input[(size_t)8U + (size_t)2U] >> 2U); - result[(size_t)11U + (size_t)4U] = - (uint8_t)(input[(size_t)8U + (size_t)2U] >> 10U | - input[(size_t)8U + (size_t)3U] << 1U); - result[(size_t)11U + (size_t)5U] = - (uint8_t)(input[(size_t)8U + (size_t)3U] >> 7U | - input[(size_t)8U + (size_t)4U] << 4U); - result[(size_t)11U + (size_t)6U] = - (uint8_t)(input[(size_t)8U + (size_t)4U] >> 4U | - input[(size_t)8U + (size_t)5U] << 7U); - result[(size_t)11U + (size_t)7U] = - (uint8_t)(input[(size_t)8U + (size_t)5U] >> 1U); - result[(size_t)11U + (size_t)8U] = - (uint8_t)(input[(size_t)8U + (size_t)5U] >> 9U | - input[(size_t)8U + (size_t)6U] << 2U); - result[(size_t)11U + (size_t)9U] = - (uint8_t)(input[(size_t)8U + (size_t)6U] >> 6U | - input[(size_t)8U + (size_t)7U] << 5U); - result[(size_t)11U + (size_t)10U] = - (uint8_t)(input[(size_t)8U + (size_t)7U] >> 3U); - memcpy(ret, result, (size_t)22U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_11( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[22U]) { - uint8_t ret0[22U]; - libcrux_ml_kem_vector_neon_serialize_serialize_11(a, ret0); - memcpy(ret, ret0, (size_t)22U * sizeof(uint8_t)); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_11(Eurydice_slice v) { - uint8_t input0[8U] = {0U}; - uint8_t input1[8U] = {0U}; - uint8_t input2[8U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)8U, input0, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)8U}), - uint8_t, core_ops_range_Range__size_t, 
- Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)8U, input1, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____1, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)8U, .end = (size_t)16U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_array_to_subslice( - (size_t)8U, input2, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)6U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)16U, .end = (size_t)22U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - uint8_t uu____3[8U]; - memcpy(uu____3, input0, (size_t)8U * sizeof(uint8_t)); - uint64_t input00 = core_num__u64_9__from_le_bytes(uu____3); - uint8_t uu____4[8U]; - memcpy(uu____4, input1, (size_t)8U * sizeof(uint8_t)); - uint64_t input10 = core_num__u64_9__from_le_bytes(uu____4); - uint8_t uu____5[8U]; - memcpy(uu____5, input2, (size_t)8U * sizeof(uint8_t)); - uint64_t input20 = core_num__u64_9__from_le_bytes(uu____5); - int16_t low[8U] = {0U}; - int16_t high[8U] = {0U}; - low[0U] = (int16_t)(input00 & 2047ULL); - low[1U] = (int16_t)(input00 >> 11U & 2047ULL); - low[2U] = (int16_t)(input00 >> 22U & 2047ULL); - low[3U] = (int16_t)(input00 >> 33U & 2047ULL); - low[4U] = (int16_t)(input00 >> 44U & 2047ULL); - low[5U] = (int16_t)((input00 >> 55U | input10 << 9U) & 2047ULL); - low[6U] = (int16_t)(input10 >> 2U & 2047ULL); - low[7U] = (int16_t)(input10 >> 13U & 2047ULL); - high[0U] = (int16_t)(input10 >> 24U & 2047ULL); - high[1U] = (int16_t)(input10 >> 35U & 2047ULL); - high[2U] = (int16_t)(input10 >> 46U & 2047ULL); - high[3U] = (int16_t)((input10 >> 57U | input20 << 7U) & 2047ULL); - high[4U] = (int16_t)(input20 >> 4U & 
2047ULL); - high[5U] = (int16_t)(input20 >> 15U & 2047ULL); - high[6U] = (int16_t)(input20 >> 26U & 2047ULL); - high[7U] = (int16_t)(input20 >> 37U & 2047ULL); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lit; - lit.low = libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, low, int16_t, Eurydice_slice)); - lit.high = libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, high, int16_t, Eurydice_slice)); - return lit; -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_11( - Eurydice_slice a) { - return libcrux_ml_kem_vector_neon_serialize_deserialize_11(a); -} - -inline void libcrux_ml_kem_vector_neon_serialize_serialize_12( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[24U]) { - core_core_arch_arm_shared_neon_int32x4_t low00 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn1q_s16(v.low, v.low)); - core_core_arch_arm_shared_neon_int32x4_t low10 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn2q_s16(v.low, v.low)); - core_core_arch_arm_shared_neon_int32x4_t mixt = - libcrux_intrinsics_arm64__vsliq_n_s32( - (int32_t)12, low00, low10, core_core_arch_arm_shared_neon_int32x4_t); - core_core_arch_arm_shared_neon_int64x2_t low0 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn1q_s32(mixt, mixt)); - core_core_arch_arm_shared_neon_int64x2_t low1 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn2q_s32(mixt, mixt)); - core_core_arch_arm_shared_neon_int64x2_t low_mix = - libcrux_intrinsics_arm64__vsliq_n_s64( - (int32_t)24, low0, low1, core_core_arch_arm_shared_neon_int64x2_t); - core_core_arch_arm_shared_neon_int32x4_t high00 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - 
libcrux_intrinsics_arm64__vtrn1q_s16(v.high, v.high)); - core_core_arch_arm_shared_neon_int32x4_t high10 = - libcrux_intrinsics_arm64__vreinterpretq_s32_s16( - libcrux_intrinsics_arm64__vtrn2q_s16(v.high, v.high)); - core_core_arch_arm_shared_neon_int32x4_t mixt0 = - libcrux_intrinsics_arm64__vsliq_n_s32( - (int32_t)12, high00, high10, - core_core_arch_arm_shared_neon_int32x4_t); - core_core_arch_arm_shared_neon_int64x2_t high0 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn1q_s32(mixt0, mixt0)); - core_core_arch_arm_shared_neon_int64x2_t high1 = - libcrux_intrinsics_arm64__vreinterpretq_s64_s32( - libcrux_intrinsics_arm64__vtrn2q_s32(mixt0, mixt0)); - core_core_arch_arm_shared_neon_int64x2_t high_mix = - libcrux_intrinsics_arm64__vsliq_n_s64( - (int32_t)24, high0, high1, core_core_arch_arm_shared_neon_int64x2_t); - uint8_t result32[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)16U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_intrinsics_arm64__vst1q_u8( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_u8_s64(low_mix)); - Eurydice_slice uu____1 = Eurydice_array_to_subslice( - (size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)16U, - .end = (size_t)32U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_intrinsics_arm64__vst1q_u8( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_u8_s64(high_mix)); - uint8_t result[24U] = {0U}; - Eurydice_slice uu____2 = Eurydice_array_to_subslice( - (size_t)24U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)6U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = 
(size_t)6U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_array_to_subslice( - (size_t)24U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)6U, - .end = (size_t)12U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____3, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)8U, .end = (size_t)14U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____4 = Eurydice_array_to_subslice( - (size_t)24U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)12U, - .end = (size_t)18U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)16U, .end = (size_t)22U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = Eurydice_array_to_subslice( - (size_t)24U, result, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)18U, - .end = (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____5, - Eurydice_array_to_subslice((size_t)32U, result32, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)24U, .end = (size_t)30U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - memcpy(ret, result, (size_t)24U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_12( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[24U]) { - uint8_t ret0[24U]; - libcrux_ml_kem_vector_neon_serialize_serialize_12(a, ret0); - memcpy(ret, ret0, (size_t)24U * 
sizeof(uint8_t)); -} - -inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_12(Eurydice_slice v) { - uint8_t indexes[16U] = {0U, 1U, 1U, 2U, 3U, 4U, 4U, 5U, - 6U, 7U, 7U, 8U, 9U, 10U, 10U, 11U}; - core_core_arch_arm_shared_neon_uint8x16_t index_vec = - libcrux_intrinsics_arm64__vld1q_u8(Eurydice_array_to_slice( - (size_t)16U, indexes, uint8_t, Eurydice_slice)); - int16_t shifts[8U] = {(int16_t)0, (int16_t)-4, (int16_t)0, (int16_t)-4, - (int16_t)0, (int16_t)-4, (int16_t)0, (int16_t)-4}; - core_core_arch_arm_shared_neon_int16x8_t shift_vec = - libcrux_intrinsics_arm64__vld1q_s16( - Eurydice_array_to_slice((size_t)8U, shifts, int16_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_uint16x8_t mask12 = - libcrux_intrinsics_arm64__vdupq_n_u16(4095U); - uint8_t input0[16U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)16U, input0, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)12U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)12U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - core_core_arch_arm_shared_neon_uint8x16_t input_vec0 = - libcrux_intrinsics_arm64__vld1q_u8(Eurydice_array_to_slice( - (size_t)16U, input0, uint8_t, Eurydice_slice)); - uint8_t input1[16U] = {0U}; - Eurydice_slice uu____1 = Eurydice_array_to_subslice( - (size_t)16U, input1, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)12U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____1, - Eurydice_slice_subslice(v, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)12U, .end = (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *); - 
core_core_arch_arm_shared_neon_uint8x16_t input_vec1 = - libcrux_intrinsics_arm64__vld1q_u8(Eurydice_array_to_slice( - (size_t)16U, input1, uint8_t, Eurydice_slice)); - core_core_arch_arm_shared_neon_uint16x8_t moved0 = - libcrux_intrinsics_arm64__vreinterpretq_u16_u8( - libcrux_intrinsics_arm64__vqtbl1q_u8(input_vec0, index_vec)); - core_core_arch_arm_shared_neon_uint16x8_t shifted0 = - libcrux_intrinsics_arm64__vshlq_u16(moved0, shift_vec); - core_core_arch_arm_shared_neon_int16x8_t low = - libcrux_intrinsics_arm64__vreinterpretq_s16_u16( - libcrux_intrinsics_arm64__vandq_u16(shifted0, mask12)); - core_core_arch_arm_shared_neon_uint16x8_t moved1 = - libcrux_intrinsics_arm64__vreinterpretq_u16_u8( - libcrux_intrinsics_arm64__vqtbl1q_u8(input_vec1, index_vec)); - core_core_arch_arm_shared_neon_uint16x8_t shifted1 = - libcrux_intrinsics_arm64__vshlq_u16(moved1, shift_vec); - core_core_arch_arm_shared_neon_int16x8_t high = - libcrux_intrinsics_arm64__vreinterpretq_s16_u16( - libcrux_intrinsics_arm64__vandq_u16(shifted1, mask12)); - return (CLITERAL(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector){ - .low = low, .high = high}); -} - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_12( - Eurydice_slice a) { - return libcrux_ml_kem_vector_neon_serialize_deserialize_12(a); -} - -inline size_t libcrux_ml_kem_vector_neon_rej_sample(Eurydice_slice a, - Eurydice_slice result) { - size_t sampled = (size_t)0U; - core_slice_iter_Chunks iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( - core_slice___Slice_T___chunks(a, (size_t)3U, uint8_t, - core_slice_iter_Chunks), - core_slice_iter_Chunks, core_slice_iter_Chunks); - while (true) { - core_option_Option__Eurydice_slice_uint8_t uu____0 = - 
core_slice_iter___core__iter__traits__iterator__Iterator_for_core__slice__iter__Chunks__a__T___70__next( - &iter, uint8_t, core_option_Option__Eurydice_slice_uint8_t); - if (uu____0.tag == core_option_None) { - break; - } else { - Eurydice_slice bytes = uu____0.f0; - int16_t b1 = (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, - uint8_t *, uint8_t); - int16_t b2 = (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t); - int16_t b3 = (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t); - int16_t d1 = (b2 & (int16_t)15) << 8U | b1; - int16_t d2 = b3 << 4U | b2 >> 4U; - bool uu____1; - int16_t uu____2; - bool uu____3; - size_t uu____4; - int16_t uu____5; - size_t uu____6; - int16_t uu____7; - if (d1 < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS) { - if (sampled < (size_t)16U) { - int16_t uu____8 = d1; - Eurydice_slice_index(result, sampled, int16_t, int16_t *, int16_t) = - uu____8; - sampled++; - uu____2 = d2; - uu____7 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; - uu____1 = uu____2 < uu____7; - if (uu____1) { - uu____4 = sampled; - uu____3 = uu____4 < (size_t)16U; - if (uu____3) { - uu____5 = d2; - uu____6 = sampled; - Eurydice_slice_index(result, uu____6, int16_t, int16_t *, - int16_t) = uu____5; - sampled++; - continue; - } - } - continue; - } - } - uu____2 = d2; - uu____7 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; - uu____1 = uu____2 < uu____7; - if (uu____1) { - uu____4 = sampled; - uu____3 = uu____4 < (size_t)16U; - if (uu____3) { - uu____5 = d2; - uu____6 = sampled; - Eurydice_slice_index(result, uu____6, int16_t, int16_t *, int16_t) = - uu____5; - sampled++; - continue; - } - } - } - } - return sampled; -} - -size_t -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - Eurydice_slice a, Eurydice_slice out) { - return libcrux_ml_kem_vector_neon_rej_sample(a, out); -} - -inline 
libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_vector_type___core__clone__Clone_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___clone( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *self) { - return self[0U]; -} - -static libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(void) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - lit; - lit.coefficients[0U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[1U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[2U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[3U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[4U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[5U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[6U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[7U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[8U] = - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[9U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[10U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[11U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[12U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[13U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[14U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - lit.coefficients[15U] = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(); - return lit; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - 
(CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * (size_t)24U, .end = i0 * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_12( - bytes); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___cond_subtract_3329( - coefficient); - re.coefficients[i0] = uu____0; - } - return re; -} - -static inline void -deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1184size_t_3size_t( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice ring_element = Eurydice_slice_subslice( - public_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - ring_element); - 
deserialized_pk[i0] = uu____0; - } - memcpy( - ret, deserialized_pk, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -shift_right___15int32_t( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - v.low = libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)15, v.low, core_core_arch_arm_shared_neon_int16x8_t); - v.high = libcrux_intrinsics_arm64__vshrq_n_s16( - (int32_t)15, v.high, core_core_arch_arm_shared_neon_int16x8_t); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -shift_right___15int32_t0( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return shift_right___15int32_t(v); -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -to_unsigned_representative__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a) { - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector t = - shift_right___15int32_t0(a); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector fm = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___bitwise_and_with_constant( - t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - a, &fm); -} - -static inline void -serialize_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re, - uint8_t ret[384U]) { - uint8_t serialized[384U] = {0U}; - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - 
to_unsigned_representative__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re->coefficients[i0]); - uint8_t bytes[24U]; - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_12( - coefficient, bytes); - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)384U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)24U * i0, .end = (size_t)24U * i0 + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); - } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); -} - -static inline void -serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - key[3U], - uint8_t ret[1152U]) { - uint8_t out[1152U] = {0U}; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = key[i0]; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)1152U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = (i0 + (size_t)1U) * - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret0[384U]; - serialize_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - 
&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - } - memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); -} - -static inline void -serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t_1184size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[3U], - Eurydice_slice seed_for_a, uint8_t ret[1184U]) { - uint8_t public_key_serialized[1184U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)1184U, public_key_serialized, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)1152U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1[3U]; - memcpy( - uu____1, t_as_ntt, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t ret0[1152U]; - serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t( - uu____1, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from((size_t)1184U, public_key_serialized, - (size_t)1152U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); - memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); -} - -bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t_1184size_t( - uint8_t *public_key) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[3U]; - 
deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1184size_t_3size_t( - Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0[3U]; - memcpy( - uu____0, deserialized_pk, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t public_key_serialized[1184U]; - serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t_1184size_t( - uu____0, - Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), - public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( - (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); -} - -static inline void G___3size_t(Eurydice_slice input, uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_neon_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); -} - -static void -closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret0[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - memcpy( - ret, ret0, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -typedef struct Simd128Hash_s { - 
libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - shake128_state[2U]; -} Simd128Hash; - -static inline Simd128Hash shake128_init_absorb___3size_t( - uint8_t input[3U][34U]) { - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - uu____0 = libcrux_sha3_neon_x2_incremental_shake128_init(); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - state[2U] = {uu____0, libcrux_sha3_neon_x2_incremental_shake128_init()}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____1 = state; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - uu____1, uu____2, - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice)); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____3 = &state[1U]; - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - uu____3, uu____4, - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice)); - Simd128Hash lit; - memcpy( - lit.shake128_state, state, - (size_t)2U * - sizeof( - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t)); - return lit; -} - -static inline void shake128_squeeze_three_blocks___3size_t( - Simd128Hash *self, uint8_t ret[3U][504U]) { - uint8_t out[3U][504U] = {{0U}}; - uint8_t out0[504U] = {0U}; - uint8_t out1[504U] = {0U}; - uint8_t out2[504U] = {0U}; - uint8_t out3[504U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____0 = self->shake128_state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice); - 
libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - uu____0, uu____1, - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice)); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____2 = &self->shake128_state[1U]; - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - uu____2, uu____3, - Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[504U]; - memcpy(uu____4, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____5[504U]; - memcpy(uu____5, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____6[504U]; - memcpy(uu____6, out2, (size_t)504U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)504U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); -} - -static inline bool -sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_504size_t( - uint8_t randomness[3U][504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)504U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - 
(size_t)272U, out[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); - return done; -} - -static inline void shake128_squeeze_block___3size_t(Simd128Hash *self, - uint8_t ret[3U][168U]) { - uint8_t out[3U][168U] = {{0U}}; - uint8_t out0[168U] = {0U}; - uint8_t out1[168U] = {0U}; - uint8_t out2[168U] = {0U}; - uint8_t out3[168U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____0 = self->shake128_state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - uu____0, uu____1, - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice)); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____2 = &self->shake128_state[1U]; - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - uu____2, uu____3, - Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[168U]; - memcpy(uu____4, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____5[168U]; - memcpy(uu____5, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____6[168U]; - memcpy(uu____6, 
out2, (size_t)168U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)168U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); -} - -static inline bool -sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_168size_t( - uint8_t randomness[3U][168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)168U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); - return done; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -from_i16_array__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice a) { - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___from_i16_array( - Eurydice_slice_subslice( - a, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * (size_t)16U, - .end = (i0 + (size_t)1U) * (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - result.coefficients[i0] = uu____0; - } - return result; -} - -static libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t0( - int16_t s[272U]) { - return from_i16_array__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_array_to_subslice((size_t)272U, s, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)256U}), - int16_t, core_ops_range_Range__size_t, - Eurydice_slice)); -} - -static inline void -sample_from_xof__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - uint8_t seeds[3U][34U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - size_t sampled_coefficients[3U] = {0U}; - int16_t out[3U][272U] = {{0U}}; - uint8_t uu____0[3U][34U]; - memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); - Simd128Hash xof_state = shake128_init_absorb___3size_t(uu____0); - uint8_t randomness0[3U][504U]; - shake128_squeeze_three_blocks___3size_t(&xof_state, randomness0); - uint8_t uu____1[3U][504U]; - memcpy(uu____1, randomness0, (size_t)3U 
* sizeof(uint8_t[504U])); - bool done = - sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_504size_t( - uu____1, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[3U][168U]; - shake128_squeeze_block___3size_t(&xof_state, randomness); - uint8_t uu____2[3U][168U]; - memcpy(uu____2, randomness, (size_t)3U * sizeof(uint8_t[168U])); - done = - sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_168size_t( - uu____2, sampled_coefficients, out); - } - } - int16_t uu____3[3U][272U]; - memcpy(uu____3, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret0[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = - closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t0( - uu____3[i]);); - memcpy( - ret, ret0, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline void -sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - uint8_t seed[34U], bool transpose, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U][3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[3U][3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - A_transpose[i]);); - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t seeds[3U][34U]; 
KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; - seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[3U][34U]; - memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - sampled[3U]; - sample_from_xof__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - uu____1, sampled); - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - sample = sampled[j]; - if (transpose) { - A_transpose[j][i1] = sample; - } else { - A_transpose[i1][j] = sample; - } - }); - memcpy( - ret, A_transpose, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [3U])); -} - -typedef struct - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t_s { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - fst[3U]; - uint8_t snd; -} __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t; - -static inline void PRFxN___3size_t_128size_t(uint8_t (*input)[33U], - uint8_t ret[3U][128U]) { - uint8_t out[3U][128U] = {{0U}}; - uint8_t out0[128U] = {0U}; - uint8_t out1[128U] = {0U}; - uint8_t 
out2[128U] = {0U}; - uint8_t out3[128U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice)); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice); - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice); - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____3, uu____4, uu____5, - Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____6[128U]; - memcpy(uu____6, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____6, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____7[128U]; - memcpy(uu____7, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____7, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____8[128U]; - memcpy(uu____8, out2, (size_t)128U * sizeof(uint8_t)); - memcpy(out[2U], uu____8, (size_t)128U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -sample_from_binomial_distribution_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice randomness) { - int16_t sampled_i16s[256U] = {0U}; - for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)4U; - i0++) { - size_t chunk_number = i0; - Eurydice_slice byte_chunk = Eurydice_slice_subslice( - randomness, - (CLITERAL(core_ops_range_Range__size_t){ - .start = chunk_number * (size_t)4U, - .end = 
chunk_number * (size_t)4U + (size_t)4U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint32_t uu____0 = (uint32_t)Eurydice_slice_index( - byte_chunk, (size_t)0U, uint8_t, uint8_t *, uint8_t); - uint32_t uu____1 = - uu____0 | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, - uint8_t, uint8_t *, uint8_t) - << 8U; - uint32_t uu____2 = - uu____1 | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, - uint8_t, uint8_t *, uint8_t) - << 16U; - uint32_t random_bits_as_u32 = - uu____2 | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, - uint8_t, uint8_t *, uint8_t) - << 24U; - uint32_t even_bits = random_bits_as_u32 & 1431655765U; - uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U; - uint32_t coin_toss_outcomes = even_bits + odd_bits; - for (uint32_t i = 0U; i < CORE_NUM__U32_8__BITS / 4U; i++) { - uint32_t outcome_set = i; - uint32_t outcome_set0 = outcome_set * 4U; - int16_t outcome_1 = - (int16_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 3U); - int16_t outcome_2 = - (int16_t)(coin_toss_outcomes >> (uint32_t)(outcome_set0 + 2U) & 3U); - size_t offset = (size_t)(outcome_set0 >> 2U); - sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; - } - } - return from_i16_array__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t, - Eurydice_slice)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -sample_from_binomial_distribution_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice randomness) { - int16_t sampled_i16s[256U] = {0U}; - for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)3U; - i0++) { - size_t chunk_number = i0; - Eurydice_slice byte_chunk = Eurydice_slice_subslice( - randomness, - (CLITERAL(core_ops_range_Range__size_t){ - .start = chunk_number * (size_t)3U, - .end = chunk_number * 
(size_t)3U + (size_t)3U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint32_t uu____0 = (uint32_t)Eurydice_slice_index( - byte_chunk, (size_t)0U, uint8_t, uint8_t *, uint8_t); - uint32_t uu____1 = - uu____0 | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, - uint8_t, uint8_t *, uint8_t) - << 8U; - uint32_t random_bits_as_u24 = - uu____1 | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, - uint8_t, uint8_t *, uint8_t) - << 16U; - uint32_t first_bits = random_bits_as_u24 & 2396745U; - uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U; - uint32_t third_bits = random_bits_as_u24 >> 2U & 2396745U; - uint32_t coin_toss_outcomes = first_bits + second_bits + third_bits; - for (int32_t i = (int32_t)0; i < (int32_t)24 / (int32_t)6; i++) { - int32_t outcome_set = i; - int32_t outcome_set0 = outcome_set * (int32_t)6; - int16_t outcome_1 = - (int16_t)(coin_toss_outcomes >> (uint32_t)outcome_set0 & 7U); - int16_t outcome_2 = (int16_t)(coin_toss_outcomes >> - (uint32_t)(outcome_set0 + (int32_t)3) & - 7U); - size_t offset = (size_t)(outcome_set0 / (int32_t)6); - sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; - } - } - return from_i16_array__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t, - Eurydice_slice)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_slice randomness) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0; - uu____0 = - sample_from_binomial_distribution_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - randomness); - return uu____0; -} - -static inline void -ntt_at_layer_7__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U; - for (size_t i = (size_t)0U; i < step; i++) { - size_t j = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector t = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___multiply_by_constant( - re->coefficients[j + step], (int16_t)-1600); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___sub( - re->coefficients[j], &t); - re->coefficients[j + step] = uu____0; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____1 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - re->coefficients[j], &t); - re->coefficients[j] = uu____1; - } -} - -typedef struct - __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_s { - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector fst; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector snd; -} __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector; - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -montgomery_multiply_fe__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t fer) { - return libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___montgomery_multiply_by_constant( - v, fer); -} - -static inline __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector 
-ntt_layer_int_vec_step__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector b, int16_t zeta_r) { - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector t = - montgomery_multiply_fe__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - b, zeta_r); - b = libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___sub( - a, &t); - a = libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - a, &t); - return (CLITERAL( - __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector){ - .fst = a, .snd = b}); -} - -static inline void -ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re, - size_t layer) { - size_t step = (size_t)1U << (uint32_t)layer; - for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { - size_t round = i0; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = offset / (size_t)16U; - size_t step_vec = step / (size_t)16U; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { - size_t j = i; - __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - ntt_layer_int_vec_step__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R - [zeta_i[0U]]); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector x = uu____0.fst; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + 
step_vec] = y; - } - } -} - -static inline void -ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_3_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re->coefficients[round] = uu____0;); -} - -static inline void -ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_2_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)1U;); -} - -static inline void -ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_1_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)1U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)2U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)3U;); -} - -static inline void -poly_barrett_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( - self->coefficients[i0]); - self->coefficients[i0] = uu____0; - } -} - -static inline void -ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - ntt_at_layer_7__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(re); - size_t zeta_i = (size_t)1U; - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)4U); - ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - 
re); - ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - poly_barrett_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(re); -} - -static inline __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t -sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_2size_t_128size_t( - uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - re_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); - uint8_t prf_outputs[3U][128U]; - PRFxN___3size_t_128size_t(prf_inputs, prf_outputs); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; - ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____2[3U]; - memcpy( - uu____2, re_as_ntt, - (size_t)3U * - sizeof( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t - lit; - memcpy( - lit.fst, uu____2, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - lit.snd = domain_separator; - return lit; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *rhs) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - out = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_multiply( - &self->coefficients[i0], &rhs->coefficients[i0], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + - (size_t)4U * i0], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + - (size_t)4U * i0 + - (size_t)1U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + - (size_t)4U * i0 + - (size_t)2U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + - (size_t)4U * i0 + - (size_t)3U]); - out.coefficients[i0] = uu____0; - } - return out; -} - -static inline void -add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *rhs) { - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - self->coefficients[i0], &rhs->coefficients[i0]); - self->coefficients[i0] = uu____0; - } -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -to_standard_domain__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___montgomery_multiply_by_constant( - v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); -} - -static inline void -add_standard_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t j = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient_normal_form = - to_standard_domain__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - self->coefficients[j]); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - coefficient_normal_form, &error->coefficients[j])); - self->coefficients[j] = uu____0; - } -} - -static inline void -compute_As_plus_e__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector ( - *matrix_A)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for ( - size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [3U], - size_t); - i0++) { - size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *row = matrix_A[i1]; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), 
- libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *matrix_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - matrix_element, &s_as_ntt[j]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &result[i1], &product); - } - add_standard_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &result[i1], &error_as_ntt[i1]); - } - memcpy( - ret, result, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static libcrux_ml_kem_utils_extraction_helper_Keypair768 -generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( - Eurydice_slice key_generation_seed) { - uint8_t hashed[64U]; - G___3size_t(key_generation_seed, hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[3U][3U]; - uint8_t ret[34U]; - libcrux_ml_kem_utils_into_padded_array___34size_t(seed_for_A, ret); - sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - ret, true, A_transpose); - uint8_t prf_input[33U]; - 
libcrux_ml_kem_utils_into_padded_array___33size_t(seed_for_secret_and_error, - prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t - uu____2 = - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_2size_t_128size_t( - uu____1, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[3U]; - memcpy( - secret_as_ntt, uu____2.fst, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_as_ntt[3U]; - memcpy( - error_as_ntt, - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_2size_t_128size_t( - uu____3, domain_separator) - .fst, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[3U]; - compute_As_plus_e__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____4[3U]; - memcpy( - uu____4, t_as_ntt, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t public_key_serialized[1184U]; - 
serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t_1184size_t( - uu____4, seed_for_A, public_key_serialized); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____5[3U]; - memcpy( - uu____5, secret_as_ntt, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t secret_key_serialized[1152U]; - serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1152size_t( - uu____5, secret_key_serialized); - uint8_t uu____6[1152U]; - memcpy(uu____6, secret_key_serialized, (size_t)1152U * sizeof(uint8_t)); - uint8_t uu____7[1184U]; - memcpy(uu____7, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, uu____6, (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, uu____7, (size_t)1184U * sizeof(uint8_t)); - return lit; -} - -static inline void H___3size_t(Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_neon_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); -} - -static inline void -serialize_kem_secret_key__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_2400size_t( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[2400U]) { - uint8_t out[2400U] = {0U}; - size_t pointer = (size_t)0U; - uint8_t *uu____0 = out; - size_t uu____1 = pointer; - size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)2400U, uu____0, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____1, - .end = uu____2 + - core_slice___Slice_T___len(private_key, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - private_key, uint8_t, void *); - 
pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); - uint8_t *uu____3 = out; - size_t uu____4 = pointer; - size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)2400U, uu____3, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____4, - .end = uu____5 + - core_slice___Slice_T___len(public_key, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice( - (size_t)2400U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = pointer, - .end = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret0[32U]; - H___3size_t(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = out; - size_t uu____8 = pointer; - size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)2400U, uu____7, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____8, - .end = uu____9 + core_slice___Slice_T___len( - implicit_rejection_value, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); - memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); -} - -libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( - uint8_t randomness[64U]) { - Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice( - (size_t)64U, randomness, - 
(CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( - (size_t)64U, randomness, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); - libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( - ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1152U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); - uint8_t public_key[1184U]; - memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1152U, ind_cpa_private_key, uint8_t, Eurydice_slice); - uint8_t secret_key_serialized[2400U]; - serialize_kem_secret_key__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_2400size_t( - uu____1, - Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, - Eurydice_slice), - implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[2400U]; - memcpy(uu____2, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t private_key = - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___2400size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____3 = private_key; - uint8_t uu____4[1184U]; - memcpy(uu____4, public_key, (size_t)1184U * sizeof(uint8_t)); - return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___2400size_t_1184size_t( - uu____3, - 
libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1184size_t( - uu____4)); -} - -static inline void -entropy_preprocess__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline void -deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1152size_t_3size_t( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice ring_element = Eurydice_slice_subslice( - public_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - ring_element); - deserialized_pk[i0] = uu____0; - } - memcpy( - 
ret, deserialized_pk, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t -sample_ring_element_cbd__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_128size_t_2size_t( - uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_1[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - error_1[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); - uint8_t prf_outputs[3U][128U]; - PRFxN___3size_t_128size_t(prf_inputs, prf_outputs); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____2[3U]; - memcpy( - uu____2, error_1, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - 
__libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t - lit; - memcpy( - lit.fst, uu____2, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - lit.snd = domain_separator; - return lit; -} - -static inline void PRF___3size_t_128size_t(Eurydice_slice input, - uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - uint8_t dummy[128U] = {0U}; - Eurydice_slice uu____0 = input; - Eurydice_slice uu____1 = input; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)128U, digest, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)128U, dummy, uint8_t, Eurydice_slice)); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); -} - -static inline void -invert_ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_1_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)1U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)2U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)3U;); -} - -static inline void -invert_ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_2_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)1U;); -} - -static inline void -invert_ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_3_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re->coefficients[round] = uu____0;); -} - -static inline __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -inv_ntt_layer_int_vec_step_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector b, int16_t zeta_r) { - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a_minus_b = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___sub( - b, &a); - a = 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - a, &b)); - b = montgomery_multiply_fe__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - a_minus_b, zeta_r); - return (CLITERAL( - __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector){ - .fst = a, .snd = b}); -} - -static inline void -invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re, - size_t layer) { - size_t step = (size_t)1U << (uint32_t)layer; - for (size_t i0 = (size_t)0U; i0 < (size_t)128U >> (uint32_t)layer; i0++) { - size_t round = i0; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - size_t offset = round * step * (size_t)2U; - size_t offset_vec = - offset / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - size_t step_vec = - step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { - size_t j = i; - __libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - inv_ntt_layer_int_vec_step_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re->coefficients[j], re->coefficients[j + step_vec], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R - [zeta_i[0U]]); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector x = uu____0.fst; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector y = uu____0.snd; - re->coefficients[j] = x; - re->coefficients[j + step_vec] = y; - } - } -} - -static inline void -invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - size_t zeta_i = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)5U); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)7U); - poly_barrett_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(re); -} - -static inline void -add_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t j = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient_normal_form = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___montgomery_multiply_by_constant( - self->coefficients[j], (int16_t)1441); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - coefficient_normal_form, &error->coefficients[j])); - self->coefficients[j] = uu____0; - } -} - -static inline void -compute_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector ( - *a_as_ntt)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for ( - size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [3U], - size_t); - i0++) { - size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *row = a_as_ntt[i1]; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - a_element, &r_as_ntt[j]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &result[i1], &product); - } - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &result[i1]); - add_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &result[i1], &error_1[i1]); - } - memcpy( - ret, result, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___bitwise_and_with_constant( - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___sub( - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO(), - &v), - (int16_t)1665); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - uint8_t serialized[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - 
libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient_compressed = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_1( - Eurydice_array_to_subslice( - (size_t)32U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)2U * i0, - .end = (size_t)2U * i0 + (size_t)2U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - decompress_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - coefficient_compressed); - re.coefficients[i0] = uu____0;); - return re; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -add_message_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *message, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient_normal_form = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___montgomery_multiply_by_constant( - result.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector tmp = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - self->coefficients[i0], &message->coefficients[i0]); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector tmp0 = - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - coefficient_normal_form, &tmp); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( - tmp0); - result.coefficients[i0] = uu____0; - } - return result; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compute_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &result, &product);); - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &result); - result = - add_message_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - error_2, message, result); - return result; -} - -static inline 
core_core_arch_arm_shared_neon_uint32x4_t -compress_int32x4_t___10int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - core_core_arch_arm_shared_neon_uint32x4_t half = - libcrux_intrinsics_arm64__vdupq_n_u32(1664U); - core_core_arch_arm_shared_neon_uint32x4_t compressed = - libcrux_intrinsics_arm64__vshlq_n_u32( - (int32_t)10, v, core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t compressed0 = - libcrux_intrinsics_arm64__vaddq_u32(compressed, half); - core_core_arch_arm_shared_neon_uint32x4_t compressed1 = - libcrux_intrinsics_arm64__vreinterpretq_u32_s32( - libcrux_intrinsics_arm64__vqdmulhq_n_s32( - libcrux_intrinsics_arm64__vreinterpretq_s32_u32(compressed0), - (int32_t)10321340)); - core_core_arch_arm_shared_neon_uint32x4_t compressed2 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)4, compressed1, core_core_arch_arm_shared_neon_uint32x4_t); - return compressed2; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___10int32_t(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_int16x8_t mask = - libcrux_intrinsics_arm64__vdupq_n_s16( - libcrux_ml_kem_vector_neon_compress_mask_n_least_significant_bits( - (int16_t)(int32_t)10)); - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - 
(int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t low0 = - compress_int32x4_t___10int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t low1 = - compress_int32x4_t___10int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - compress_int32x4_t___10int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - compress_int32x4_t___10int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - core_core_arch_arm_shared_neon_int16x8_t low = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - core_core_arch_arm_shared_neon_int16x8_t high = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - v.low = libcrux_intrinsics_arm64__vandq_s16(low, mask); - v.high = libcrux_intrinsics_arm64__vandq_s16(high, mask); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___10int32_t0(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return compress___10int32_t(v); -} - -static inline void -compress_then_serialize_10__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re, - uint8_t ret[320U]) { - uint8_t serialized[320U] = {0U}; - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - compress___10int32_t0( - to_unsigned_representative__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re->coefficients[i0])); - uint8_t bytes[20U]; - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_10( - coefficient, bytes); - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)320U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)20U * i0, .end = (size_t)20U * i0 + (size_t)20U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); - } - memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); -} - -static inline core_core_arch_arm_shared_neon_uint32x4_t -compress_int32x4_t___11int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - core_core_arch_arm_shared_neon_uint32x4_t half = - libcrux_intrinsics_arm64__vdupq_n_u32(1664U); - core_core_arch_arm_shared_neon_uint32x4_t compressed = - libcrux_intrinsics_arm64__vshlq_n_u32( - (int32_t)11, v, core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t compressed0 = - libcrux_intrinsics_arm64__vaddq_u32(compressed, half); - core_core_arch_arm_shared_neon_uint32x4_t compressed1 = - libcrux_intrinsics_arm64__vreinterpretq_u32_s32( - libcrux_intrinsics_arm64__vqdmulhq_n_s32( - libcrux_intrinsics_arm64__vreinterpretq_s32_u32(compressed0), - (int32_t)10321340)); - core_core_arch_arm_shared_neon_uint32x4_t compressed2 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)4, compressed1, core_core_arch_arm_shared_neon_uint32x4_t); - return compressed2; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___11int32_t(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_int16x8_t mask = - libcrux_intrinsics_arm64__vdupq_n_s16( - libcrux_ml_kem_vector_neon_compress_mask_n_least_significant_bits( - (int16_t)(int32_t)11)); - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - 
libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t low0 = - compress_int32x4_t___11int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t low1 = - compress_int32x4_t___11int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - compress_int32x4_t___11int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - compress_int32x4_t___11int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - core_core_arch_arm_shared_neon_int16x8_t low = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - core_core_arch_arm_shared_neon_int16x8_t high = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - v.low = libcrux_intrinsics_arm64__vandq_s16(low, mask); - v.high = libcrux_intrinsics_arm64__vandq_s16(high, mask); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___11int32_t0(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return 
compress___11int32_t(v); -} - -static inline void -compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re, - uint8_t ret[320U]) { - uint8_t uu____0[320U]; - compress_then_serialize_10__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_320size_t( - re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_960size_t_10size_t_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - input[3U], - Eurydice_slice out) { - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice( - out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * ((size_t)960U / (size_t)3U), - .end = (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret[320U]; - compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t_320size_t( - &re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); - } -} - -static inline core_core_arch_arm_shared_neon_uint32x4_t -compress_int32x4_t___4int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - 
core_core_arch_arm_shared_neon_uint32x4_t half = - libcrux_intrinsics_arm64__vdupq_n_u32(1664U); - core_core_arch_arm_shared_neon_uint32x4_t compressed = - libcrux_intrinsics_arm64__vshlq_n_u32( - (int32_t)4, v, core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t compressed0 = - libcrux_intrinsics_arm64__vaddq_u32(compressed, half); - core_core_arch_arm_shared_neon_uint32x4_t compressed1 = - libcrux_intrinsics_arm64__vreinterpretq_u32_s32( - libcrux_intrinsics_arm64__vqdmulhq_n_s32( - libcrux_intrinsics_arm64__vreinterpretq_s32_u32(compressed0), - (int32_t)10321340)); - core_core_arch_arm_shared_neon_uint32x4_t compressed2 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)4, compressed1, core_core_arch_arm_shared_neon_uint32x4_t); - return compressed2; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___4int32_t(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_int16x8_t mask = - libcrux_intrinsics_arm64__vdupq_n_s16( - libcrux_ml_kem_vector_neon_compress_mask_n_least_significant_bits( - (int16_t)(int32_t)4)); - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - 
core_core_arch_arm_shared_neon_uint32x4_t low0 = - compress_int32x4_t___4int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t low1 = - compress_int32x4_t___4int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - compress_int32x4_t___4int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - compress_int32x4_t___4int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - core_core_arch_arm_shared_neon_int16x8_t low = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - core_core_arch_arm_shared_neon_int16x8_t high = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - v.low = libcrux_intrinsics_arm64__vandq_s16(low, mask); - v.high = libcrux_intrinsics_arm64__vandq_s16(high, mask); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___4int32_t0(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return compress___4int32_t(v); -} - -static inline void -compress_then_serialize_4__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re, - Eurydice_slice serialized) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - compress___4int32_t0( - to_unsigned_representative__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re.coefficients[i0])); - uint8_t bytes[8U]; - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_4( - coefficient, bytes); - Eurydice_slice uu____0 = 
Eurydice_slice_subslice( - serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)8U * i0, .end = (size_t)8U * i0 + (size_t)8U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); - } -} - -static inline core_core_arch_arm_shared_neon_uint32x4_t -compress_int32x4_t___5int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - core_core_arch_arm_shared_neon_uint32x4_t half = - libcrux_intrinsics_arm64__vdupq_n_u32(1664U); - core_core_arch_arm_shared_neon_uint32x4_t compressed = - libcrux_intrinsics_arm64__vshlq_n_u32( - (int32_t)5, v, core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t compressed0 = - libcrux_intrinsics_arm64__vaddq_u32(compressed, half); - core_core_arch_arm_shared_neon_uint32x4_t compressed1 = - libcrux_intrinsics_arm64__vreinterpretq_u32_s32( - libcrux_intrinsics_arm64__vqdmulhq_n_s32( - libcrux_intrinsics_arm64__vreinterpretq_s32_u32(compressed0), - (int32_t)10321340)); - core_core_arch_arm_shared_neon_uint32x4_t compressed2 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)4, compressed1, core_core_arch_arm_shared_neon_uint32x4_t); - return compressed2; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___5int32_t(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_int16x8_t mask = - libcrux_intrinsics_arm64__vdupq_n_s16( - libcrux_ml_kem_vector_neon_compress_mask_n_least_significant_bits( - (int16_t)(int32_t)5)); - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - 
(int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t low0 = - compress_int32x4_t___5int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t low1 = - compress_int32x4_t___5int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - compress_int32x4_t___5int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - compress_int32x4_t___5int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - core_core_arch_arm_shared_neon_int16x8_t low = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - core_core_arch_arm_shared_neon_int16x8_t high = - libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - v.low = libcrux_intrinsics_arm64__vandq_s16(low, mask); - v.high = libcrux_intrinsics_arm64__vandq_s16(high, mask); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compress___5int32_t0(libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return compress___5int32_t(v); -} - -static inline void -compress_then_serialize_5__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re, - Eurydice_slice serialized) { - for (size_t i = (size_t)0U; - i < 
LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficients = - compress___5int32_t0( - to_unsigned_representative__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re.coefficients[i0])); - uint8_t bytes[10U]; - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_5( - coefficients, bytes); - Eurydice_slice uu____0 = Eurydice_slice_subslice( - serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)10U * i0, .end = (size_t)10U * i0 + (size_t)10U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)10U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); - } -} - -static inline void -compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_128size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re, - Eurydice_slice out) { - compress_then_serialize_4__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re, out); -} - -static void -encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, - uint8_t ret[1088U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[3U]; - deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1152size_t_3size_t( - Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t, - Eurydice_slice), - t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1152U, uint8_t, 
size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[3U][3U]; - uint8_t ret0[34U]; - libcrux_ml_kem_utils_into_padded_array___34size_t(seed, ret0); - sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - ret0, false, A_transpose); - uint8_t prf_input[33U]; - libcrux_ml_kem_utils_into_padded_array___33size_t(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t - uu____1 = - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_2size_t_128size_t( - uu____0, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - r_as_ntt[3U]; - memcpy( - r_as_ntt, uu____1.fst, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t__uint8_t - uu____3 = - sample_ring_element_cbd__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_128size_t_2size_t( - uu____2, domain_separator0); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_1[3U]; - memcpy( - error_1, uu____3.fst, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator = uu____3.snd; - prf_input[32U] = domain_separator; - uint8_t 
prf_output[128U]; - PRF___3size_t_128size_t( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_2 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t, - Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u[3U]; - compute_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - A_transpose, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - message_as_ring_element = - deserialize_then_decompress_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - uu____4); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - v = compute_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); - uint8_t ciphertext[1088U] = {0U}; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____5[3U]; - memcpy( - uu____5, u, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - compress_then_serialize_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_960size_t_10size_t_320size_t( - uu____5, Eurydice_array_to_subslice( - (size_t)1088U, ciphertext, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)960U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - 
uu____6 = v; - compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_128size_t( - uu____6, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, Eurydice_slice)); - memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); -} - -static inline void -kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1088size_t( - Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, - uint8_t randomness[32U]) { - uint8_t randomness0[32U]; - entropy_preprocess__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); - uint8_t to_hash[64U]; - libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - uint8_t ret[32U]; - H___3size_t( - Eurydice_array_to_slice( - (size_t)1184U, - libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___1184size_t( - public_key), - 
uint8_t, Eurydice_slice), - ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); - uint8_t hashed[64U]; - G___3size_t( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret = uu____1.fst; - Eurydice_slice pseudorandomness = uu____1.snd; - Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, - libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___1184size_t( - public_key), - uint8_t, Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); - uint8_t ciphertext[1088U]; - encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); - libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___2__from___1088size_t( - uu____4); - uint8_t shared_secret_array[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1088size_t( - shared_secret, shared_secret_array); - libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ lit; - lit.fst = uu____5; - 
memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; -} - -static inline core_core_arch_arm_shared_neon_uint32x4_t -decompress_uint32x4_t___10int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - core_core_arch_arm_shared_neon_uint32x4_t coeff = - libcrux_intrinsics_arm64__vdupq_n_u32( - 1U << (uint32_t)((int32_t)10 - (int32_t)1)); - core_core_arch_arm_shared_neon_uint32x4_t decompressed = - libcrux_intrinsics_arm64__vmulq_n_u32( - v, (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - core_core_arch_arm_shared_neon_uint32x4_t decompressed0 = - libcrux_intrinsics_arm64__vaddq_u32(decompressed, coeff); - core_core_arch_arm_shared_neon_uint32x4_t decompressed1 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)10, decompressed0, - core_core_arch_arm_shared_neon_uint32x4_t); - return decompressed1; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___10int32_t( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t low0 = - decompress_uint32x4_t___10int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t 
low1 = - decompress_uint32x4_t___10int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - decompress_uint32x4_t___10int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - decompress_uint32x4_t___10int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - v.low = libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - v.high = libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___10int32_t0( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return decompress_ciphertext_coefficient___10int32_t(v); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_10__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)20U; - i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * (size_t)20U, .end = i0 * (size_t)20U + (size_t)20U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_10( - bytes); - 
libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - decompress_ciphertext_coefficient___10int32_t0(coefficient); - re.coefficients[i0] = uu____0; - } - return re; -} - -static inline core_core_arch_arm_shared_neon_uint32x4_t -decompress_uint32x4_t___11int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - core_core_arch_arm_shared_neon_uint32x4_t coeff = - libcrux_intrinsics_arm64__vdupq_n_u32( - 1U << (uint32_t)((int32_t)11 - (int32_t)1)); - core_core_arch_arm_shared_neon_uint32x4_t decompressed = - libcrux_intrinsics_arm64__vmulq_n_u32( - v, (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - core_core_arch_arm_shared_neon_uint32x4_t decompressed0 = - libcrux_intrinsics_arm64__vaddq_u32(decompressed, coeff); - core_core_arch_arm_shared_neon_uint32x4_t decompressed1 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)11, decompressed0, - core_core_arch_arm_shared_neon_uint32x4_t); - return decompressed1; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___11int32_t( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - 
core_core_arch_arm_shared_neon_uint32x4_t low0 = - decompress_uint32x4_t___11int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t low1 = - decompress_uint32x4_t___11int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - decompress_uint32x4_t___11int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - decompress_uint32x4_t___11int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - v.low = libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - v.high = libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___11int32_t0( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return decompress_ciphertext_coefficient___11int32_t(v); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_11__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)22U; - i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * (size_t)22U, .end = i0 * (size_t)22U + (size_t)22U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_11( - bytes); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - decompress_ciphertext_coefficient___11int32_t0(coefficient); - re.coefficients[i0] = uu____0; - } - return re; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0; - uu____0 = - deserialize_then_decompress_10__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - serialized); - return uu____0; -} - -static inline void -ntt_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - size_t zeta_i = (size_t)0U; - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)7U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)4U); - ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - poly_barrett_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(re); -} - -static inline void -deserialize_then_decompress_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1088size_t_10size_t( - 
uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - u_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / - (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U); - i++) { - size_t i0 = i; - Eurydice_slice u_bytes = Eurydice_array_to_subslice( - (size_t)1088U, ciphertext, - (CLITERAL(core_ops_range_Range__size_t){ - .start = - i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U), - .end = i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U) + - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t( - u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t( - &u_as_ntt[i0]); - } - memcpy( - ret, u_as_ntt, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline core_core_arch_arm_shared_neon_uint32x4_t -decompress_uint32x4_t___4int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - core_core_arch_arm_shared_neon_uint32x4_t coeff = - libcrux_intrinsics_arm64__vdupq_n_u32( - 1U << (uint32_t)((int32_t)4 - (int32_t)1)); - 
core_core_arch_arm_shared_neon_uint32x4_t decompressed = - libcrux_intrinsics_arm64__vmulq_n_u32( - v, (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - core_core_arch_arm_shared_neon_uint32x4_t decompressed0 = - libcrux_intrinsics_arm64__vaddq_u32(decompressed, coeff); - core_core_arch_arm_shared_neon_uint32x4_t decompressed1 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)4, decompressed0, core_core_arch_arm_shared_neon_uint32x4_t); - return decompressed1; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___4int32_t( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t low0 = - decompress_uint32x4_t___4int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t low1 = - decompress_uint32x4_t___4int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - decompress_uint32x4_t___4int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - decompress_uint32x4_t___4int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - v.low = 
libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - v.high = libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___4int32_t0( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return decompress_ciphertext_coefficient___4int32_t(v); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_4__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)8U; - i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * (size_t)8U, .end = i0 * (size_t)8U + (size_t)8U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_4( - bytes); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - decompress_ciphertext_coefficient___4int32_t0(coefficient); - re.coefficients[i0] = uu____0; - } - return re; -} - -static inline core_core_arch_arm_shared_neon_uint32x4_t -decompress_uint32x4_t___5int32_t(core_core_arch_arm_shared_neon_uint32x4_t v) { - core_core_arch_arm_shared_neon_uint32x4_t coeff = - libcrux_intrinsics_arm64__vdupq_n_u32( - 
1U << (uint32_t)((int32_t)5 - (int32_t)1)); - core_core_arch_arm_shared_neon_uint32x4_t decompressed = - libcrux_intrinsics_arm64__vmulq_n_u32( - v, (uint32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - core_core_arch_arm_shared_neon_uint32x4_t decompressed0 = - libcrux_intrinsics_arm64__vaddq_u32(decompressed, coeff); - core_core_arch_arm_shared_neon_uint32x4_t decompressed1 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)5, decompressed0, core_core_arch_arm_shared_neon_uint32x4_t); - return decompressed1; -} - -static inline libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___5int32_t( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - core_core_arch_arm_shared_neon_uint32x4_t mask16 = - libcrux_intrinsics_arm64__vdupq_n_u32(65535U); - core_core_arch_arm_shared_neon_uint32x4_t low00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), mask16); - core_core_arch_arm_shared_neon_uint32x4_t low10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.low), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t high00 = - libcrux_intrinsics_arm64__vandq_u32( - libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), mask16); - core_core_arch_arm_shared_neon_uint32x4_t high10 = - libcrux_intrinsics_arm64__vshrq_n_u32( - (int32_t)16, libcrux_intrinsics_arm64__vreinterpretq_u32_s16(v.high), - core_core_arch_arm_shared_neon_uint32x4_t); - core_core_arch_arm_shared_neon_uint32x4_t low0 = - decompress_uint32x4_t___5int32_t(low00); - core_core_arch_arm_shared_neon_uint32x4_t low1 = - decompress_uint32x4_t___5int32_t(low10); - core_core_arch_arm_shared_neon_uint32x4_t high0 = - decompress_uint32x4_t___5int32_t(high00); - core_core_arch_arm_shared_neon_uint32x4_t high1 = - decompress_uint32x4_t___5int32_t(high10); - core_core_arch_arm_shared_neon_int16x8_t uu____0 = - 
libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low0); - v.low = libcrux_intrinsics_arm64__vtrn1q_s16( - uu____0, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(low1)); - core_core_arch_arm_shared_neon_int16x8_t uu____1 = - libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high0); - v.high = libcrux_intrinsics_arm64__vtrn1q_s16( - uu____1, libcrux_intrinsics_arm64__vreinterpretq_s16_u32(high1)); - return v; -} - -static libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -decompress_ciphertext_coefficient___5int32_t0( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v) { - return decompress_ciphertext_coefficient___5int32_t(v); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_5__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)10U; - i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * (size_t)10U, .end = i0 * (size_t)10U + (size_t)10U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_5( - bytes); - re.coefficients[i0] = uu____0; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____1 = - decompress_ciphertext_coefficient___5int32_t0(re.coefficients[i0]); - re.coefficients[i0] = uu____1; - } - return re; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector 
-deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0; - uu____0 = - deserialize_then_decompress_4__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - serialized); - return uu____0; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { - size_t i0 = i; - Eurydice_slice bytes = Eurydice_slice_subslice( - serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * (size_t)24U, .end = i0 * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_12( - bytes); - re.coefficients[i0] = uu____0; - } - return re; -} - -static inline void -deserialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - secret_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t 
i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice secret_bytes = Eurydice_slice_subslice( - secret_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - secret_bytes); - secret_as_ntt[i0] = uu____0; - } - memcpy( - ret, secret_as_ntt, - (size_t)3U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -subtract_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - b) { - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient_normal_form = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___montgomery_multiply_by_constant( - b.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___sub( - self->coefficients[i0], &coefficient_normal_form)); - b.coefficients[i0] = uu____0; - } - return b; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compute_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *v, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &result, &product);); - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &result); - result = - subtract_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - v, result); - return result; -} - -static inline void -compress_then_serialize_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re, - uint8_t ret[32U]) { - uint8_t serialized[32U] = {0U}; - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - 
libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - to_unsigned_representative__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re.coefficients[i0]); - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient_compressed = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___compress_1( - coefficient); - uint8_t bytes[2U]; - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_1( - coefficient_compressed, bytes); - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)32U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)2U * i0, .end = (size_t)2U * i0 + (size_t)2U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *);); - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); -} - -static void -decrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1088size_t_960size_t_10size_t_4size_t( - Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u_as_ntt[3U]; - deserialize_then_decompress_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1088size_t_10size_t( - ciphertext, u_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - v = deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[3U]; - 
deserialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - message = - compute_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - &v, secret_as_ntt, u_as_ntt); - uint8_t ret0[32U]; - compress_then_serialize_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline void PRF___3size_t_32size_t(Eurydice_slice input, - uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - uint8_t dummy[32U] = {0U}; - Eurydice_slice uu____0 = input; - Eurydice_slice uu____1 = input; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)32U, dummy, uint8_t, Eurydice_slice)); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, - libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t, - Eurydice_slice), - (size_t)1152U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_secret_key = uu____0.fst; - Eurydice_slice secret_key0 = uu____0.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - secret_key0, (size_t)1184U, 
uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_public_key = uu____1.fst; - Eurydice_slice secret_key = uu____1.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____2 = - core_slice___Slice_T___split_at( - secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; - Eurydice_slice implicit_rejection_value = uu____2.snd; - uint8_t decrypted[32U]; - decrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t_1088size_t_960size_t_10size_t_4size_t( - ind_cpa_secret_key, ciphertext->value, decrypted); - uint8_t to_hash0[64U]; - libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from( - (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); - uint8_t hashed[64U]; - G___3size_t( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____3 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret0 = uu____3.fst; - Eurydice_slice pseudorandomness = uu____3.snd; - uint8_t to_hash[1120U]; - libcrux_ml_kem_utils_into_padded_array___1120size_t(implicit_rejection_value, - to_hash); - Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( - (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - 
libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( - ciphertext), - uint8_t, void *); - uint8_t implicit_rejection_shared_secret0[32U]; - PRF___3size_t_32size_t( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); - Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); - uint8_t expected_ciphertext[1088U]; - encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( - uu____5, uu____6, pseudorandomness, expected_ciphertext); - Eurydice_slice uu____7 = - libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( - ciphertext); - uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( - uu____7, Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, - uint8_t, Eurydice_slice)); - uint8_t implicit_rejection_shared_secret[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1088size_t( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_3size_t_1088size_t( - shared_secret0, shared_secret); - Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); - uint8_t ret0[32U]; - libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), - selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline 
void -deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1568size_t_4size_t( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - deserialized_pk[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice ring_element = Eurydice_slice_subslice( - public_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - ring_element); - deserialized_pk[i0] = uu____0; - } - memcpy( - ret, deserialized_pk, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline void -serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - key[4U], - uint8_t ret[1536U]) { - uint8_t out[1536U] = {0U}; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)4U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, 
- Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = key[i0]; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)1536U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = (i0 + (size_t)1U) * - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret0[384U]; - serialize_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - } - memcpy(ret, out, (size_t)1536U * sizeof(uint8_t)); -} - -static inline void -serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t_1568size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[4U], - Eurydice_slice seed_for_a, uint8_t ret[1568U]) { - uint8_t public_key_serialized[1568U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)1568U, public_key_serialized, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)1536U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1[4U]; - memcpy( - uu____1, t_as_ntt, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t ret0[1536U]; - serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t( - uu____1, ret0); - core_slice___Slice_T___copy_from_slice( - 
uu____0, - Eurydice_array_to_slice((size_t)1536U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from((size_t)1568U, public_key_serialized, - (size_t)1536U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); - memcpy(ret, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); -} - -bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t_1568size_t( - uint8_t *public_key) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[4U]; - deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1568size_t_4size_t( - Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U, - uint8_t, size_t, Eurydice_slice), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0[4U]; - memcpy( - uu____0, deserialized_pk, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t public_key_serialized[1568U]; - serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t_1568size_t( - uu____0, - Eurydice_array_to_subslice_from((size_t)1568U, public_key, (size_t)1536U, - uint8_t, size_t, Eurydice_slice), - public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( - (size_t)1568U, public_key, public_key_serialized, uint8_t, uint8_t, bool); -} - -static inline void G___4size_t(Eurydice_slice input, uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_neon_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); -} - -static void 
-closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret0[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - ret0[i] = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - memcpy( - ret, ret0, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline Simd128Hash shake128_init_absorb___4size_t( - uint8_t input[4U][34U]) { - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - uu____0 = libcrux_sha3_neon_x2_incremental_shake128_init(); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - state[2U] = {uu____0, libcrux_sha3_neon_x2_incremental_shake128_init()}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____1 = state; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - uu____1, uu____2, - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice)); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____3 = &state[1U]; - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - uu____3, uu____4, - Eurydice_array_to_slice((size_t)34U, input[3U], uint8_t, Eurydice_slice)); - Simd128Hash lit; - memcpy( - lit.shake128_state, state, - (size_t)2U * - sizeof( - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t)); - return 
lit; -} - -static inline void shake128_squeeze_three_blocks___4size_t( - Simd128Hash *self, uint8_t ret[4U][504U]) { - uint8_t out[4U][504U] = {{0U}}; - uint8_t out0[504U] = {0U}; - uint8_t out1[504U] = {0U}; - uint8_t out2[504U] = {0U}; - uint8_t out3[504U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____0 = self->shake128_state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - uu____0, uu____1, - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice)); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____2 = &self->shake128_state[1U]; - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - uu____2, uu____3, - Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[504U]; - memcpy(uu____4, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____5[504U]; - memcpy(uu____5, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____6[504U]; - memcpy(uu____6, out2, (size_t)504U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____7[504U]; - memcpy(uu____7, out3, (size_t)504U * sizeof(uint8_t)); - memcpy(out[3U], uu____7, (size_t)504U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)4U * sizeof(uint8_t[504U])); -} - -static inline bool -sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_504size_t( - uint8_t randomness[4U][504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { - KRML_MAYBE_FOR4( - i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; - for (size_t i 
= (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)504U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); - return done; -} - -static inline void shake128_squeeze_block___4size_t(Simd128Hash *self, - uint8_t ret[4U][168U]) { - uint8_t out[4U][168U] = {{0U}}; - uint8_t out0[168U] = {0U}; - uint8_t out1[168U] = {0U}; - uint8_t out2[168U] = {0U}; - uint8_t out3[168U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____0 = self->shake128_state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - uu____0, uu____1, - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice)); - 
libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____2 = &self->shake128_state[1U]; - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - uu____2, uu____3, - Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[168U]; - memcpy(uu____4, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____5[168U]; - memcpy(uu____5, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____6[168U]; - memcpy(uu____6, out2, (size_t)168U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____7[168U]; - memcpy(uu____7, out3, (size_t)168U * sizeof(uint8_t)); - memcpy(out[3U], uu____7, (size_t)168U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)4U * sizeof(uint8_t[168U])); -} - -static inline bool -sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_168size_t( - uint8_t randomness[4U][168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { - KRML_MAYBE_FOR4( - i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)168U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - 
(CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); - return done; -} - -static libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t0( - int16_t s[272U]) { - return from_i16_array__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_array_to_subslice((size_t)272U, s, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)256U}), - int16_t, core_ops_range_Range__size_t, - Eurydice_slice)); -} - -static inline void -sample_from_xof__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - uint8_t seeds[4U][34U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - size_t sampled_coefficients[4U] = {0U}; - int16_t out[4U][272U] = {{0U}}; - uint8_t uu____0[4U][34U]; - memcpy(uu____0, seeds, (size_t)4U * sizeof(uint8_t[34U])); - Simd128Hash xof_state = shake128_init_absorb___4size_t(uu____0); - uint8_t randomness0[4U][504U]; - shake128_squeeze_three_blocks___4size_t(&xof_state, randomness0); - uint8_t uu____1[4U][504U]; - memcpy(uu____1, randomness0, (size_t)4U * sizeof(uint8_t[504U])); - bool done = - sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_504size_t( 
- uu____1, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[4U][168U]; - shake128_squeeze_block___4size_t(&xof_state, randomness); - uint8_t uu____2[4U][168U]; - memcpy(uu____2, randomness, (size_t)4U * sizeof(uint8_t[168U])); - done = - sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_168size_t( - uu____2, sampled_coefficients, out); - } - } - int16_t uu____3[4U][272U]; - memcpy(uu____3, out, (size_t)4U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret0[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - ret0[i] = - closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t0( - uu____3[i]);); - memcpy( - ret, ret0, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline void -sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - uint8_t seed[34U], bool transpose, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U][4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[4U][4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - A_transpose[i]);); - KRML_MAYBE_FOR4( - i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t seeds[4U][34U]; KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); - KRML_MAYBE_FOR4(i, (size_t)0U, 
(size_t)4U, (size_t)1U, size_t j = i; - seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[4U][34U]; - memcpy(uu____1, seeds, (size_t)4U * sizeof(uint8_t[34U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - sampled[4U]; - sample_from_xof__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - uu____1, sampled); - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)4U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - sample = sampled[j]; - if (transpose) { - A_transpose[j][i1] = sample; - } else { - A_transpose[i1][j] = sample; - } - }); - memcpy( - ret, A_transpose, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [4U])); -} - -typedef struct - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t_s { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - fst[4U]; - uint8_t snd; -} __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t; - -static inline void PRFxN___4size_t_128size_t(uint8_t (*input)[33U], - uint8_t ret[4U][128U]) { - uint8_t out[4U][128U] = {{0U}}; - uint8_t out0[128U] = {0U}; - uint8_t out1[128U] = {0U}; - uint8_t out2[128U] = {0U}; - uint8_t out3[128U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - 
Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice)); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice); - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)33U, input[3U], uint8_t, Eurydice_slice); - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____3, uu____4, uu____5, - Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____6[128U]; - memcpy(uu____6, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____6, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____7[128U]; - memcpy(uu____7, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____7, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____8[128U]; - memcpy(uu____8, out2, (size_t)128U * sizeof(uint8_t)); - memcpy(out[2U], uu____8, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____9[128U]; - memcpy(uu____9, out3, (size_t)128U * sizeof(uint8_t)); - memcpy(out[3U], uu____9, (size_t)128U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)4U * sizeof(uint8_t[128U])); -} - -static inline __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t -sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_2size_t_128size_t( - uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re_as_ntt[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - re_as_ntt[i] = - 
ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - uint8_t prf_inputs[4U][33U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); - uint8_t prf_outputs[4U][128U]; - PRFxN___4size_t_128size_t(prf_inputs, prf_outputs); - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; - ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____2[4U]; - memcpy( - uu____2, re_as_ntt, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t - lit; - memcpy( - lit.fst, uu____2, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - lit.snd = domain_separator; - return lit; -} - -static inline void -add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *rhs) { - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - self->coefficients[i0], &rhs->coefficients[i0]); - self->coefficients[i0] = uu____0; - } -} - -static inline void -compute_As_plus_e__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector ( - *matrix_A)[4U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - result[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for ( - size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)4U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [4U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [4U], - size_t); - i0++) { - size_t i1 = i0; - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *row = matrix_A[i1]; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *matrix_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - matrix_element, &s_as_ntt[j]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &result[i1], &product); - } - add_standard_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &result[i1], &error_as_ntt[i1]); - } - memcpy( - ret, result, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static libcrux_ml_kem_utils_extraction_helper_Keypair1024 -generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1536size_t_1568size_t_1536size_t_2size_t_128size_t( - Eurydice_slice key_generation_seed) { - uint8_t hashed[64U]; - G___4size_t(key_generation_seed, hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice seed_for_secret_and_error = uu____0.snd; - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[4U][4U]; - uint8_t ret[34U]; - libcrux_ml_kem_utils_into_padded_array___34size_t(seed_for_A, ret); - sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - ret, true, A_transpose); - uint8_t prf_input[33U]; - libcrux_ml_kem_utils_into_padded_array___33size_t(seed_for_secret_and_error, - prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t - uu____2 = - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_2size_t_128size_t( - uu____1, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[4U]; - memcpy( - secret_as_ntt, uu____2.fst, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_as_ntt[4U]; - memcpy( - error_as_ntt, - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_2size_t_128size_t( - uu____3, domain_separator) - .fst, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[4U]; - compute_As_plus_e__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - A_transpose, 
secret_as_ntt, error_as_ntt, t_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____4[4U]; - memcpy( - uu____4, t_as_ntt, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t public_key_serialized[1568U]; - serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t_1568size_t( - uu____4, seed_for_A, public_key_serialized); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____5[4U]; - memcpy( - uu____5, secret_as_ntt, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t secret_key_serialized[1536U]; - serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1536size_t( - uu____5, secret_key_serialized); - uint8_t uu____6[1536U]; - memcpy(uu____6, secret_key_serialized, (size_t)1536U * sizeof(uint8_t)); - uint8_t uu____7[1568U]; - memcpy(uu____7, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); - libcrux_ml_kem_utils_extraction_helper_Keypair1024 lit; - memcpy(lit.fst, uu____6, (size_t)1536U * sizeof(uint8_t)); - memcpy(lit.snd, uu____7, (size_t)1568U * sizeof(uint8_t)); - return lit; -} - -static inline void H___4size_t(Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_neon_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); -} - -static inline void -serialize_kem_secret_key__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_3168size_t( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[3168U]) { - uint8_t out[3168U] = {0U}; - size_t pointer = (size_t)0U; - uint8_t *uu____0 = out; - size_t uu____1 = 
pointer; - size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)3168U, uu____0, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____1, - .end = uu____2 + - core_slice___Slice_T___len(private_key, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); - uint8_t *uu____3 = out; - size_t uu____4 = pointer; - size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)3168U, uu____3, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____4, - .end = uu____5 + - core_slice___Slice_T___len(public_key, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice( - (size_t)3168U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = pointer, - .end = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret0[32U]; - H___4size_t(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = out; - size_t uu____8 = pointer; - size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)3168U, uu____7, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____8, - .end = uu____9 + core_slice___Slice_T___len( - implicit_rejection_value, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); - memcpy(ret, out, (size_t)3168U * sizeof(uint8_t)); -} - 
-libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1536size_t_3168size_t_1568size_t_1536size_t_2size_t_128size_t( - uint8_t randomness[64U]) { - Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice( - (size_t)64U, randomness, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( - (size_t)64U, randomness, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); - libcrux_ml_kem_utils_extraction_helper_Keypair1024 uu____0 = - generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1536size_t_1568size_t_1536size_t_2size_t_128size_t( - ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[1536U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1536U * sizeof(uint8_t)); - uint8_t public_key[1568U]; - memcpy(public_key, uu____0.snd, (size_t)1568U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1536U, ind_cpa_private_key, uint8_t, Eurydice_slice); - uint8_t secret_key_serialized[3168U]; - serialize_kem_secret_key__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_3168size_t( - uu____1, - Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t, - Eurydice_slice), - implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[3168U]; - memcpy(uu____2, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t private_key = - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___3168size_t( - uu____2); - 
libcrux_ml_kem_types_MlKemPrivateKey____3168size_t uu____3 = private_key; - uint8_t uu____4[1568U]; - memcpy(uu____4, public_key, (size_t)1568U * sizeof(uint8_t)); - return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___3168size_t_1568size_t( - uu____3, - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1568size_t( - uu____4)); -} - -static inline void -entropy_preprocess__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline void -deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1536size_t_4size_t( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - deserialized_pk[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice ring_element = Eurydice_slice_subslice( - public_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, 
core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - ring_element); - deserialized_pk[i0] = uu____0; - } - memcpy( - ret, deserialized_pk, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t -sample_ring_element_cbd__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_128size_t_2size_t( - uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_1[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - error_1[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - uint8_t prf_inputs[4U][33U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); - uint8_t prf_outputs[4U][128U]; - PRFxN___4size_t_128size_t(prf_inputs, prf_outputs); - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - error_1[i0] = uu____1;); - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____2[4U]; - memcpy( - uu____2, error_1, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t - lit; - memcpy( - lit.fst, uu____2, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - lit.snd = domain_separator; - return lit; -} - -static inline void PRF___4size_t_128size_t(Eurydice_slice input, - uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - uint8_t dummy[128U] = {0U}; - Eurydice_slice uu____0 = input; - Eurydice_slice uu____1 = input; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)128U, digest, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)128U, dummy, uint8_t, Eurydice_slice)); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); -} - -static inline void -invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - size_t zeta_i = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)5U); - 
invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)7U); - poly_barrett_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(re); -} - -static inline void -compute_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector ( - *a_as_ntt)[4U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - result[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for ( - size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)4U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [4U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [4U], - size_t); - i0++) { - size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *row = a_as_ntt[i1]; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - a_element, &r_as_ntt[j]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &result[i1], &product); - } - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &result[i1]); - add_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &result[i1], &error_1[i1]); - } - memcpy( - ret, result, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compute_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - 
product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &result, &product);); - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &result); - result = - add_message_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - error_2, message, result); - return result; -} - -static inline void -compress_then_serialize_11__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_352size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re, - uint8_t ret[352U]) { - uint8_t serialized[352U] = {0U}; - for (size_t i = (size_t)0U; - i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficient = - compress___11int32_t0( - to_unsigned_representative__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re->coefficients[i0])); - uint8_t bytes[22U]; - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_11( - coefficient, bytes); - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)352U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)22U * i0, .end = (size_t)22U * i0 + (size_t)22U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)22U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); - } - memcpy(ret, serialized, (size_t)352U * sizeof(uint8_t)); -} - -static inline void -compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_11size_t_352size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re, - uint8_t ret[352U]) { - 
uint8_t uu____0[352U]; - compress_then_serialize_11__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_352size_t( - re, uu____0); - memcpy(ret, uu____0, (size_t)352U * sizeof(uint8_t)); -} - -static void -compress_then_serialize_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1408size_t_11size_t_352size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - input[4U], - Eurydice_slice out) { - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)4U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice( - out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * ((size_t)1408U / (size_t)4U), - .end = (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret[352U]; - compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_11size_t_352size_t( - &re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)352U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); - } -} - -static inline void -compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_5size_t_160size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re, - Eurydice_slice out) { - compress_then_serialize_5__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - re, out); -} - -static void 
-encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, - uint8_t ret[1568U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[4U]; - deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_1536size_t_4size_t( - Eurydice_slice_subslice_to(public_key, (size_t)1536U, uint8_t, size_t, - Eurydice_slice), - t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1536U, uint8_t, size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[4U][4U]; - uint8_t ret0[34U]; - libcrux_ml_kem_utils_into_padded_array___34size_t(seed, ret0); - sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - ret0, false, A_transpose); - uint8_t prf_input[33U]; - libcrux_ml_kem_utils_into_padded_array___33size_t(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t - uu____1 = - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_2size_t_128size_t( - uu____0, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - r_as_ntt[4U]; - memcpy( - r_as_ntt, uu____1.fst, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - 
memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t__uint8_t - uu____3 = - sample_ring_element_cbd__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_128size_t_2size_t( - uu____2, domain_separator0); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_1[4U]; - memcpy( - error_1, uu____3.fst, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator = uu____3.snd; - prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - PRF___4size_t_128size_t( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_2 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t, - Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u[4U]; - compute_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - A_transpose, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - message_as_ring_element = - deserialize_then_decompress_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - uu____4); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - v = compute_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); - 
uint8_t ciphertext[1568U] = {0U}; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____5[4U]; - memcpy( - uu____5, u, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - compress_then_serialize_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1408size_t_11size_t_352size_t( - uu____5, Eurydice_array_to_subslice( - (size_t)1568U, ciphertext, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)1408U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____6 = v; - compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_5size_t_160size_t( - uu____6, - Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, (size_t)1408U, - uint8_t, size_t, Eurydice_slice)); - memcpy(ret, ciphertext, (size_t)1568U * sizeof(uint8_t)); -} - -static inline void -kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1568size_t( - Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_4size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____1568size_t *public_key, 
- uint8_t randomness[32U]) { - uint8_t randomness0[32U]; - entropy_preprocess__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); - uint8_t to_hash[64U]; - libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - uint8_t ret[32U]; - H___4size_t( - Eurydice_array_to_slice( - (size_t)1568U, - libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___1568size_t( - public_key), - uint8_t, Eurydice_slice), - ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); - uint8_t hashed[64U]; - G___4size_t( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret = uu____1.fst; - Eurydice_slice pseudorandomness = uu____1.snd; - Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1568U, - libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___1568size_t( - public_key), - uint8_t, Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); - uint8_t ciphertext[1568U]; - encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - uu____2, uu____3, 
pseudorandomness, ciphertext); - uint8_t uu____4[1568U]; - memcpy(uu____4, ciphertext, (size_t)1568U * sizeof(uint8_t)); - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext ciphertext0 = - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___2__from___1568size_t( - uu____4); - uint8_t shared_secret_array[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1568size_t( - shared_secret, shared_secret_array); - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_11size_t( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0; - uu____0 = - deserialize_then_decompress_11__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - serialized); - return uu____0; -} - -static inline void -ntt_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_11size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - size_t zeta_i = (size_t)0U; - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)7U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)4U); - 
ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(&zeta_i, - re); - poly_barrett_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(re); -} - -static inline void -deserialize_then_decompress_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1568size_t_11size_t( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u_as_ntt[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - u_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / - (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)11U / (size_t)8U); - i++) { - size_t i0 = i; - Eurydice_slice u_bytes = Eurydice_array_to_subslice( - (size_t)1568U, ciphertext, - (CLITERAL(core_ops_range_Range__size_t){ - .start = - i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)11U / (size_t)8U), - .end = i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)11U / (size_t)8U) + - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)11U / (size_t)8U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_11size_t( - u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_11size_t( - &u_as_ntt[i0]); 
- } - memcpy( - ret, u_as_ntt, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_5size_t( - Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0; - uu____0 = - deserialize_then_decompress_5__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - serialized); - return uu____0; -} - -static inline void -deserialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[4U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[4U]; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, - secret_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice secret_bytes = Eurydice_slice_subslice( - secret_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - secret_bytes); - secret_as_ntt[i0] = uu____0; - } - 
memcpy( - ret, secret_as_ntt, - (size_t)4U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compute_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *v, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &result, &product);); - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &result); - result = - subtract_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - v, result); - return result; -} - -static void -decrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1568size_t_1408size_t_11size_t_5size_t( - Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u_as_ntt[4U]; - deserialize_then_decompress_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1568size_t_11size_t( - ciphertext, u_as_ntt); - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - v = deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_5size_t( - Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, - (size_t)1408U, uint8_t, size_t, - Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[4U]; - deserialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - message = - compute_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - &v, secret_as_ntt, u_as_ntt); - uint8_t ret0[32U]; - compress_then_serialize_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline void PRF___4size_t_32size_t(Eurydice_slice input, - uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - uint8_t dummy[32U] = {0U}; - Eurydice_slice uu____0 = input; - Eurydice_slice uu____1 = input; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)32U, dummy, uint8_t, Eurydice_slice)); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_4size_t_3168size_t_1536size_t_1568size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t_1600size_t( - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t *private_key, - libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, - uint8_t ret[32U]) { - 
K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)3168U, private_key->value, uint8_t, - Eurydice_slice), - (size_t)1536U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_secret_key = uu____0.fst; - Eurydice_slice secret_key0 = uu____0.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - secret_key0, (size_t)1568U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_public_key = uu____1.fst; - Eurydice_slice secret_key = uu____1.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____2 = - core_slice___Slice_T___split_at( - secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; - Eurydice_slice implicit_rejection_value = uu____2.snd; - uint8_t decrypted[32U]; - decrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_1568size_t_1408size_t_11size_t_5size_t( - ind_cpa_secret_key, ciphertext->value, decrypted); - uint8_t to_hash0[64U]; - libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from( - (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); - uint8_t hashed[64U]; - G___4size_t( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____3 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret0 = 
uu____3.fst; - Eurydice_slice pseudorandomness = uu____3.snd; - uint8_t to_hash[1600U]; - libcrux_ml_kem_utils_into_padded_array___1600size_t(implicit_rejection_value, - to_hash); - Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( - (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1568size_t( - ciphertext), - uint8_t, void *); - uint8_t implicit_rejection_shared_secret0[32U]; - PRF___4size_t_32size_t( - Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); - Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); - uint8_t expected_ciphertext[1568U]; - encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1568size_t_1536size_t_1408size_t_160size_t_11size_t_5size_t_352size_t_2size_t_128size_t_2size_t_128size_t( - uu____5, uu____6, pseudorandomness, expected_ciphertext); - Eurydice_slice uu____7 = - libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1568size_t( - ciphertext); - uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1568size_t( - uu____7, Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, - uint8_t, Eurydice_slice)); - uint8_t implicit_rejection_shared_secret[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1568size_t( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_4size_t_1568size_t( - shared_secret0, shared_secret); - 
Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); - uint8_t ret0[32U]; - libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), - selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline void -deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_800size_t_2size_t( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - deserialized_pk[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice ring_element = Eurydice_slice_subslice( - public_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - ring_element); - deserialized_pk[i0] = uu____0; - } - memcpy( - ret, deserialized_pk, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline void 
-serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - key[2U], - uint8_t ret[768U]) { - uint8_t out[768U] = {0U}; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)2U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = key[i0]; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)768U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = (i0 + (size_t)1U) * - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret0[384U]; - serialize_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - } - memcpy(ret, out, (size_t)768U * sizeof(uint8_t)); -} - -static inline void -serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_800size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[2U], - Eurydice_slice seed_for_a, uint8_t ret[800U]) { - uint8_t public_key_serialized[800U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)800U, public_key_serialized, - (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, - .end = (size_t)768U}), - uint8_t, core_ops_range_Range__size_t, 
Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1[2U]; - memcpy( - uu____1, t_as_ntt, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t ret0[768U]; - serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t( - uu____1, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)768U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from((size_t)800U, public_key_serialized, - (size_t)768U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); - memcpy(ret, public_key_serialized, (size_t)800U * sizeof(uint8_t)); -} - -bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_800size_t( - uint8_t *public_key) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[2U]; - deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_800size_t_2size_t( - Eurydice_array_to_subslice_to((size_t)800U, public_key, (size_t)768U, - uint8_t, size_t, Eurydice_slice), - deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0[2U]; - memcpy( - uu____0, deserialized_pk, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t public_key_serialized[800U]; - serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_800size_t( - uu____0, - Eurydice_array_to_subslice_from((size_t)800U, public_key, (size_t)768U, - uint8_t, size_t, Eurydice_slice), - public_key_serialized); - return 
core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( - (size_t)800U, public_key, public_key_serialized, uint8_t, uint8_t, bool); -} - -static inline void G___2size_t(Eurydice_slice input, uint8_t ret[64U]) { - uint8_t digest[64U] = {0U}; - libcrux_sha3_neon_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); - memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); -} - -static void -closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret0[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - ret0[i] = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - memcpy( - ret, ret0, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline Simd128Hash shake128_init_absorb___2size_t( - uint8_t input[2U][34U]) { - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - uu____0 = libcrux_sha3_neon_x2_incremental_shake128_init(); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - state[2U] = {uu____0, libcrux_sha3_neon_x2_incremental_shake128_init()}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____1 = state; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - uu____1, uu____2, - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice)); - Simd128Hash lit; - memcpy( - lit.shake128_state, state, - (size_t)2U * - sizeof( - 
libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t)); - return lit; -} - -static inline void shake128_squeeze_three_blocks___2size_t( - Simd128Hash *self, uint8_t ret[2U][504U]) { - uint8_t out[2U][504U] = {{0U}}; - uint8_t out0[504U] = {0U}; - uint8_t out1[504U] = {0U}; - uint8_t out2[504U] = {0U}; - LowStar_Ignore_ignore(out2, uint8_t[504U], void *); - uint8_t out3[504U] = {0U}; - LowStar_Ignore_ignore(out3, uint8_t[504U], void *); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____0 = self->shake128_state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - uu____0, uu____1, - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice)); - uint8_t uu____2[504U]; - memcpy(uu____2, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____2, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____3[504U]; - memcpy(uu____3, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____3, (size_t)504U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)2U * sizeof(uint8_t[504U])); -} - -static inline bool -sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_504size_t( - uint8_t randomness[2U][504U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { - KRML_MAYBE_FOR2( - i0, (size_t)0U, (size_t)2U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)504U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); - return done; -} - -static inline void shake128_squeeze_block___2size_t(Simd128Hash *self, - uint8_t ret[2U][168U]) { - uint8_t out[2U][168U] = {{0U}}; - uint8_t out0[168U] = {0U}; - uint8_t out1[168U] = {0U}; - uint8_t out2[168U] = {0U}; - LowStar_Ignore_ignore(out2, uint8_t[168U], void *); - uint8_t out3[168U] = {0U}; - LowStar_Ignore_ignore(out3, uint8_t[168U], void *); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_arm_shared_neon_uint64x2_t__2size_t - *uu____0 = self->shake128_state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - uu____0, uu____1, - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice)); - uint8_t uu____2[168U]; - memcpy(uu____2, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____2, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____3[168U]; - memcpy(uu____3, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____3, (size_t)168U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)2U * sizeof(uint8_t[168U])); -} - -static inline bool 
-sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_168size_t( - uint8_t randomness[2U][168U], size_t *sampled_coefficients, - int16_t (*out)[272U]) { - KRML_MAYBE_FOR2( - i0, (size_t)0U, (size_t)2U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)168U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); - return done; -} - -static libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t0( - int16_t s[272U]) { - return from_i16_array__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - Eurydice_array_to_subslice((size_t)272U, s, - (CLITERAL(core_ops_range_Range__size_t){ - .start = 
(size_t)0U, .end = (size_t)256U}), - int16_t, core_ops_range_Range__size_t, - Eurydice_slice)); -} - -static inline void -sample_from_xof__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - uint8_t seeds[2U][34U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U]) { - size_t sampled_coefficients[2U] = {0U}; - int16_t out[2U][272U] = {{0U}}; - uint8_t uu____0[2U][34U]; - memcpy(uu____0, seeds, (size_t)2U * sizeof(uint8_t[34U])); - Simd128Hash xof_state = shake128_init_absorb___2size_t(uu____0); - uint8_t randomness0[2U][504U]; - shake128_squeeze_three_blocks___2size_t(&xof_state, randomness0); - uint8_t uu____1[2U][504U]; - memcpy(uu____1, randomness0, (size_t)2U * sizeof(uint8_t[504U])); - bool done = - sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_504size_t( - uu____1, sampled_coefficients, out); - while (true) { - if (done) { - break; - } else { - uint8_t randomness[2U][168U]; - shake128_squeeze_block___2size_t(&xof_state, randomness); - uint8_t uu____2[2U][168U]; - memcpy(uu____2, randomness, (size_t)2U * sizeof(uint8_t[168U])); - done = - sample_from_uniform_distribution_next__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_168size_t( - uu____2, sampled_coefficients, out); - } - } - int16_t uu____3[2U][272U]; - memcpy(uu____3, out, (size_t)2U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret0[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - ret0[i] = - closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t0( - uu____3[i]);); - memcpy( - ret, ret0, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline void 
-sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - uint8_t seed[34U], bool transpose, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U][2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[2U][2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - closure__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - A_transpose[i]);); - KRML_MAYBE_FOR2( - i0, (size_t)0U, (size_t)2U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t seeds[2U][34U]; KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t j = i; - seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[2U][34U]; - memcpy(uu____1, seeds, (size_t)2U * sizeof(uint8_t[34U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - sampled[2U]; - sample_from_xof__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - uu____1, sampled); - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)2U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - sample = sampled[j]; - if (transpose) { - A_transpose[j][i1] = sample; - } else { - A_transpose[i1][j] = 
sample; - } - }); - memcpy( - ret, A_transpose, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [2U])); -} - -typedef struct - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t_s { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - fst[2U]; - uint8_t snd; -} __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t; - -static inline void PRFxN___2size_t_192size_t(uint8_t (*input)[33U], - uint8_t ret[2U][192U]) { - uint8_t out[2U][192U] = {{0U}}; - uint8_t out0[192U] = {0U}; - uint8_t out1[192U] = {0U}; - uint8_t out2[192U] = {0U}; - LowStar_Ignore_ignore(out2, uint8_t[192U], void *); - uint8_t out3[192U] = {0U}; - LowStar_Ignore_ignore(out3, uint8_t[192U], void *); - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)192U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)192U, out1, uint8_t, Eurydice_slice)); - uint8_t uu____3[192U]; - memcpy(uu____3, out0, (size_t)192U * sizeof(uint8_t)); - memcpy(out[0U], uu____3, (size_t)192U * sizeof(uint8_t)); - uint8_t uu____4[192U]; - memcpy(uu____4, out1, (size_t)192U * sizeof(uint8_t)); - memcpy(out[1U], uu____4, (size_t)192U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)2U * sizeof(uint8_t[192U])); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - Eurydice_slice randomness) { - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0; - uu____0 = - sample_from_binomial_distribution_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - randomness); - return uu____0; -} - -static inline __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t -sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_3size_t_192size_t( - uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re_as_ntt[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - re_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - uint8_t prf_inputs[2U][33U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); - uint8_t prf_outputs[2U][192U]; - PRFxN___2size_t_192size_t(prf_inputs, prf_outputs); - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_3size_t( - Eurydice_array_to_slice((size_t)192U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; - ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - 
uu____2[2U]; - memcpy( - uu____2, re_as_ntt, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t - lit; - memcpy( - lit.fst, uu____2, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - lit.snd = domain_separator; - return lit; -} - -static inline void -add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *rhs) { - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector uu____0 = - libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - self->coefficients[i0], &rhs->coefficients[i0]); - self->coefficients[i0] = uu____0; - } -} - -static inline void -compute_As_plus_e__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector ( - *matrix_A)[2U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_as_ntt, - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - result[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for ( - size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)2U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [2U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [2U], - size_t); - i0++) { - size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *row = matrix_A[i1]; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)2U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *matrix_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - matrix_element, &s_as_ntt[j]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &result[i1], &product); - } - add_standard_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &result[i1], &error_as_ntt[i1]); - } - memcpy( - ret, result, - (size_t)2U * - sizeof( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static libcrux_ml_kem_utils_extraction_helper_Keypair512 -generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_800size_t_768size_t_3size_t_192size_t( - Eurydice_slice key_generation_seed) { - uint8_t hashed[64U]; - G___2size_t(key_generation_seed, hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice seed_for_A = uu____0.fst; - Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[2U][2U]; - uint8_t ret[34U]; - libcrux_ml_kem_utils_into_padded_array___34size_t(seed_for_A, ret); - sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - ret, true, A_transpose); - uint8_t prf_input[33U]; - libcrux_ml_kem_utils_into_padded_array___33size_t(seed_for_secret_and_error, - prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t - uu____2 = - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_3size_t_192size_t( - uu____1, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[2U]; - memcpy( - secret_as_ntt, uu____2.fst, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t 
domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_as_ntt[2U]; - memcpy( - error_as_ntt, - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_3size_t_192size_t( - uu____3, domain_separator) - .fst, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[2U]; - compute_As_plus_e__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____4[2U]; - memcpy( - uu____4, t_as_ntt, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t public_key_serialized[800U]; - serialize_public_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_800size_t( - uu____4, seed_for_A, public_key_serialized); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____5[2U]; - memcpy( - uu____5, secret_as_ntt, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t secret_key_serialized[768U]; - serialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t( - uu____5, secret_key_serialized); - uint8_t uu____6[768U]; - memcpy(uu____6, secret_key_serialized, (size_t)768U * sizeof(uint8_t)); - uint8_t uu____7[800U]; - memcpy(uu____7, public_key_serialized, (size_t)800U * sizeof(uint8_t)); - 
libcrux_ml_kem_utils_extraction_helper_Keypair512 lit; - memcpy(lit.fst, uu____6, (size_t)768U * sizeof(uint8_t)); - memcpy(lit.snd, uu____7, (size_t)800U * sizeof(uint8_t)); - return lit; -} - -static inline void H___2size_t(Eurydice_slice input, uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - libcrux_sha3_neon_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); -} - -static inline void -serialize_kem_secret_key__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_1632size_t( - Eurydice_slice private_key, Eurydice_slice public_key, - Eurydice_slice implicit_rejection_value, uint8_t ret[1632U]) { - uint8_t out[1632U] = {0U}; - size_t pointer = (size_t)0U; - uint8_t *uu____0 = out; - size_t uu____1 = pointer; - size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)1632U, uu____0, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____1, - .end = uu____2 + - core_slice___Slice_T___len(private_key, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); - uint8_t *uu____3 = out; - size_t uu____4 = pointer; - size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)1632U, uu____3, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____4, - .end = uu____5 + - core_slice___Slice_T___len(public_key, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); - Eurydice_slice uu____6 = Eurydice_array_to_subslice( - (size_t)1632U, out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = pointer, - .end = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE}), - uint8_t, core_ops_range_Range__size_t, 
Eurydice_slice); - uint8_t ret0[32U]; - H___2size_t(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; - uint8_t *uu____7 = out; - size_t uu____8 = pointer; - size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice( - (size_t)1632U, uu____7, - (CLITERAL(core_ops_range_Range__size_t){ - .start = uu____8, - .end = uu____9 + core_slice___Slice_T___len( - implicit_rejection_value, uint8_t, size_t)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); - memcpy(ret, out, (size_t)1632U * sizeof(uint8_t)); -} - -libcrux_ml_kem_types_MlKemKeyPair____1632size_t__800size_t -libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_1632size_t_800size_t_768size_t_3size_t_192size_t( - uint8_t randomness[64U]) { - Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice( - (size_t)64U, randomness, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, - .end = LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( - (size_t)64U, randomness, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); - libcrux_ml_kem_utils_extraction_helper_Keypair512 uu____0 = - generate_keypair__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_800size_t_768size_t_3size_t_192size_t( - ind_cpa_keypair_randomness); - uint8_t ind_cpa_private_key[768U]; - memcpy(ind_cpa_private_key, uu____0.fst, (size_t)768U * sizeof(uint8_t)); - uint8_t public_key[800U]; - 
memcpy(public_key, uu____0.snd, (size_t)800U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)768U, ind_cpa_private_key, uint8_t, Eurydice_slice); - uint8_t secret_key_serialized[1632U]; - serialize_kem_secret_key__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_1632size_t( - uu____1, - Eurydice_array_to_slice((size_t)800U, public_key, uint8_t, - Eurydice_slice), - implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[1632U]; - memcpy(uu____2, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t private_key = - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___1632size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t uu____3 = private_key; - uint8_t uu____4[800U]; - memcpy(uu____4, public_key, (size_t)800U * sizeof(uint8_t)); - return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___1632size_t_800size_t( - uu____3, - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___800size_t( - uu____4)); -} - -static inline void -entropy_preprocess__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline void -deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_768size_t_2size_t( - Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - 
ret[2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - deserialized_pk[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - deserialized_pk[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice ring_element = Eurydice_slice_subslice( - public_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - ring_element); - deserialized_pk[i0] = uu____0; - } - memcpy( - ret, deserialized_pk, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline void PRFxN___2size_t_128size_t(uint8_t (*input)[33U], - uint8_t ret[2U][128U]) { - uint8_t out[2U][128U] = {{0U}}; - uint8_t out0[128U] = {0U}; - uint8_t out1[128U] = {0U}; - uint8_t out2[128U] = {0U}; - LowStar_Ignore_ignore(out2, uint8_t[128U], void *); - uint8_t out3[128U] = {0U}; - LowStar_Ignore_ignore(out3, uint8_t[128U], void *); - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - 
Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice)); - uint8_t uu____3[128U]; - memcpy(uu____3, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____3, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____4[128U]; - memcpy(uu____4, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____4, (size_t)128U * sizeof(uint8_t)); - memcpy(ret, out, (size_t)2U * sizeof(uint8_t[128U])); -} - -static inline __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t -sample_ring_element_cbd__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_128size_t_2size_t( - uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_1[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - error_1[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - uint8_t prf_inputs[2U][33U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); - uint8_t prf_outputs[2U][128U]; - PRFxN___2size_t_128size_t(prf_inputs, prf_outputs); - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____1 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - error_1[i0] = uu____1;); - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____2[2U]; - memcpy( - uu____2, error_1, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t - lit; - memcpy( - lit.fst, uu____2, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - lit.snd = domain_separator; - return lit; -} - -static inline void PRF___2size_t_128size_t(Eurydice_slice input, - uint8_t ret[128U]) { - uint8_t digest[128U] = {0U}; - uint8_t dummy[128U] = {0U}; - Eurydice_slice uu____0 = input; - Eurydice_slice uu____1 = input; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)128U, digest, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)128U, dummy, uint8_t, Eurydice_slice)); - memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); -} - -static inline void -invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *re) { - size_t zeta_i = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_2__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_3__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)5U); - 
invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &zeta_i, re, (size_t)7U); - poly_barrett_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(re); -} - -static inline void -compute_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector ( - *a_as_ntt)[2U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - result[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for ( - size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)2U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [2U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - [2U], - size_t); - i0++) { - size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *row = a_as_ntt[i1]; - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)2U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - a_element, &r_as_ntt[j]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &result[i1], &product); - } - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &result[i1]); - add_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &result[i1], &error_1[i1]); - } - memcpy( - ret, result, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compute_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - 
product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &t_as_ntt[i0], &r_as_ntt[i0]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &result, &product);); - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &result); - result = - add_message_error_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - error_2, message, result); - return result; -} - -static void -compress_then_serialize_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_640size_t_10size_t_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - input[2U], - Eurydice_slice out) { - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)2U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, - size_t); - i++) { - size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - re = input[i0]; - Eurydice_slice uu____0 = Eurydice_slice_subslice( - out, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * ((size_t)640U / (size_t)2U), - .end = (i0 + (size_t)1U) * ((size_t)640U / (size_t)2U)}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - uint8_t ret[320U]; - compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t_320size_t( - &re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); - } -} - -static void 
-encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, - uint8_t ret[768U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - t_as_ntt[2U]; - deserialize_ring_elements_reduced__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_768size_t_2size_t( - Eurydice_slice_subslice_to(public_key, (size_t)768U, uint8_t, size_t, - Eurydice_slice), - t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)768U, uint8_t, size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - A_transpose[2U][2U]; - uint8_t ret0[34U]; - libcrux_ml_kem_utils_into_padded_array___34size_t(seed, ret0); - sample_matrix_A__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - ret0, false, A_transpose); - uint8_t prf_input[33U]; - libcrux_ml_kem_utils_into_padded_array___33size_t(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t - uu____1 = - sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_3size_t_192size_t( - uu____0, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - r_as_ntt[2U]; - memcpy( - r_as_ntt, uu____1.fst, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - 
memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - __libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t__uint8_t - uu____3 = - sample_ring_element_cbd__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_128size_t_2size_t( - uu____2, domain_separator0); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_1[2U]; - memcpy( - error_1, uu____3.fst, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - uint8_t domain_separator = uu____3.snd; - prf_input[32U] = domain_separator; - uint8_t prf_output[128U]; - PRF___2size_t_128size_t( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - error_2 = - sample_from_binomial_distribution__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t, - Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u[2U]; - compute_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - A_transpose, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - message_as_ring_element = - deserialize_then_decompress_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - uu____4); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - v = compute_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); - 
uint8_t ciphertext[768U] = {0U}; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____5[2U]; - memcpy( - uu____5, u, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); - compress_then_serialize_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_640size_t_10size_t_320size_t( - uu____5, Eurydice_array_to_subslice( - (size_t)768U, ciphertext, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = (size_t)640U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____6 = v; - compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t_128size_t( - uu____6, - Eurydice_array_to_subslice_from((size_t)768U, ciphertext, (size_t)640U, - uint8_t, size_t, Eurydice_slice)); - memcpy(ret, ciphertext, (size_t)768U * sizeof(uint8_t)); -} - -static inline void -kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t( - Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_2size_t_768size_t_800size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - libcrux_ml_kem_types_MlKemPublicKey____800size_t *public_key, - uint8_t 
randomness[32U]) { - uint8_t randomness0[32U]; - entropy_preprocess__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); - uint8_t to_hash[64U]; - libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); - Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( - (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - uint8_t ret[32U]; - H___2size_t( - Eurydice_array_to_slice( - (size_t)800U, - libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___800size_t( - public_key), - uint8_t, Eurydice_slice), - ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); - uint8_t hashed[64U]; - G___2size_t( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret = uu____1.fst; - Eurydice_slice pseudorandomness = uu____1.snd; - Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)800U, - libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemPublicKey_SIZE__18__as_slice___800size_t( - public_key), - uint8_t, Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); - uint8_t ciphertext[768U]; - encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - uu____2, uu____3, pseudorandomness, 
ciphertext); - uint8_t uu____4[768U]; - memcpy(uu____4, ciphertext, (size_t)768U * sizeof(uint8_t)); - libcrux_ml_kem_types_MlKemCiphertext____768size_t ciphertext0 = - libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___2__from___768size_t( - uu____4); - uint8_t shared_secret_array[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t( - shared_secret, shared_secret_array); - libcrux_ml_kem_types_MlKemCiphertext____768size_t uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; -} - -static inline void -deserialize_then_decompress_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_10size_t( - uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u_as_ntt[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - u_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / - (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U); - i++) { - size_t i0 = i; - Eurydice_slice u_bytes = Eurydice_array_to_subslice( - (size_t)768U, ciphertext, - (CLITERAL(core_ops_range_Range__size_t){ - .start = - i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U), - .end = i0 * (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U) + - 
LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * - (size_t)10U / (size_t)8U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t( - u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_10size_t( - &u_as_ntt[i0]); - } - memcpy( - ret, u_as_ntt, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline void -deserialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - ret[2U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[2U]; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, - secret_as_ntt[i] = - ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector();); - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; - i++) { - size_t i0 = i; - Eurydice_slice secret_bytes = Eurydice_slice_subslice( - secret_key, - (CLITERAL(core_ops_range_Range__size_t){ - .start = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + - LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - uu____0 = - deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - secret_bytes); - secret_as_ntt[i0] = uu____0; - } - memcpy( - 
ret, secret_as_ntt, - (size_t)2U * - sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector)); -} - -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -compute_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *v, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - result = ZERO__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector(); - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - product = - ntt_multiply__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - &secret_as_ntt[i0], &u_as_ntt[i0]); - add_to_ring_element__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &result, &product);); - invert_ntt_montgomery__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &result); - result = - subtract_reduce__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - v, result); - return result; -} - -static void -decrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_640size_t_10size_t_4size_t( - Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - u_as_ntt[2U]; - deserialize_then_decompress_u__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_10size_t( - ciphertext, u_as_ntt); - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - v = deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_4size_t( - Eurydice_array_to_subslice_from((size_t)768U, ciphertext, - (size_t)640U, uint8_t, size_t, - Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - secret_as_ntt[2U]; - deserialize_secret_key__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector - message = - compute_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t( - &v, secret_as_ntt, u_as_ntt); - uint8_t ret0[32U]; - compress_then_serialize_message__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector( - message, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} - -static inline void PRF___2size_t_32size_t(Eurydice_slice input, - uint8_t ret[32U]) { - uint8_t digest[32U] = {0U}; - uint8_t dummy[32U] = {0U}; - Eurydice_slice uu____0 = input; - Eurydice_slice uu____1 = input; - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice); - libcrux_sha3_neon_x2_shake256( - uu____0, uu____1, uu____2, - Eurydice_array_to_slice((size_t)32U, dummy, uint8_t, Eurydice_slice)); - memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); -} - -void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_libcrux_ml_kem_ind_cca_MlKem_2size_t_1632size_t_768size_t_800size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t_800size_t( - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t *private_key, - libcrux_ml_kem_types_MlKemCiphertext____768size_t *ciphertext, - uint8_t ret[32U]) { - 
K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)1632U, private_key->value, uint8_t, - Eurydice_slice), - (size_t)768U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_secret_key = uu____0.fst; - Eurydice_slice secret_key0 = uu____0.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____1 = - core_slice___Slice_T___split_at( - secret_key0, (size_t)800U, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_public_key = uu____1.fst; - Eurydice_slice secret_key = uu____1.snd; - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____2 = - core_slice___Slice_T___split_at( - secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; - Eurydice_slice implicit_rejection_value = uu____2.snd; - uint8_t decrypted[32U]; - decrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_2size_t_768size_t_640size_t_10size_t_4size_t( - ind_cpa_secret_key, ciphertext->value, decrypted); - uint8_t to_hash0[64U]; - libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice_from( - (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); - uint8_t hashed[64U]; - G___2size_t( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____3 = - core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, - K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret0 = 
uu____3.fst; - Eurydice_slice pseudorandomness = uu____3.snd; - uint8_t to_hash[800U]; - libcrux_ml_kem_utils_into_padded_array___800size_t(implicit_rejection_value, - to_hash); - Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( - (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___768size_t( - ciphertext), - uint8_t, void *); - uint8_t implicit_rejection_shared_secret0[32U]; - PRF___2size_t_32size_t( - Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); - Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); - uint8_t expected_ciphertext[768U]; - encrypt__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t_768size_t_640size_t_128size_t_10size_t_4size_t_320size_t_3size_t_192size_t_2size_t_128size_t( - uu____5, uu____6, pseudorandomness, expected_ciphertext); - Eurydice_slice uu____7 = - libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___768size_t( - ciphertext); - uint8_t selector = - libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___768size_t( - uu____7, Eurydice_array_to_slice((size_t)768U, expected_ciphertext, - uint8_t, Eurydice_slice)); - uint8_t implicit_rejection_shared_secret[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); - uint8_t shared_secret[32U]; - kdf__libcrux_ml_kem_hash_functions_neon_Simd128Hash_2size_t_768size_t( - shared_secret0, shared_secret); - Eurydice_slice 
uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); - uint8_t ret0[32U]; - libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), - selector, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); -} diff --git a/libcrux-ml-kem/c/libcrux_mlkem_neon.h b/libcrux-ml-kem/c/libcrux_mlkem_neon.h deleted file mode 100644 index 0d427dbd8..000000000 --- a/libcrux-ml-kem/c/libcrux_mlkem_neon.h +++ /dev/null 
@@ -1,301 +0,0 @@ -/* - This file was generated by KaRaMeL - KaRaMeL invocation: /Users/bhargava/Desktop/repositories/eurydice/eurydice - --config ../c.yaml ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* - version: 0e2a116d KaRaMeL version: 018dcd1d - */ - -#ifndef __libcrux_mlkem_neon_H -#define __libcrux_mlkem_neon_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include "eurydice_glue.h" -#include "libcrux_core.h" -#include "libcrux_mlkem_portable.h" -#include "libcrux_sha3_neon.h" - -typedef struct libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_s { - core_core_arch_arm_shared_neon_int16x8_t low; - core_core_arch_arm_shared_neon_int16x8_t high; -} libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector; - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_vector_type_ZERO(void); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ZERO( - void); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_vector_type_from_i16_array(Eurydice_slice array); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___from_i16_array( - Eurydice_slice array); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_add( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___add( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs); - 
-libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_sub( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___sub( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_bitwise_and_with_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___bitwise_and_with_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_cond_subtract_3329( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___cond_subtract_3329( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v); - -#define 
LIBCRUX_ML_KEM_VECTOR_NEON_ARITHMETIC_BARRETT_MULTIPLIER \ - ((int16_t)20159) - -core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_barrett_reduce( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___barrett_reduce( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v); - -core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_montgomery_reduce_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t low, - core_core_arch_arm_shared_neon_int16x8_t high); - -core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_by_constant_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t v, int16_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___montgomery_multiply_by_constant( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_compress_compress_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___compress_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v); - -int16_t 
libcrux_ml_kem_vector_neon_compress_mask_n_least_significant_bits( - int16_t coefficient_bits); - -core_core_arch_arm_shared_neon_int16x8_t -libcrux_ml_kem_vector_neon_arithmetic_montgomery_multiply_int16x8_t( - core_core_arch_arm_shared_neon_int16x8_t v, - core_core_arch_arm_shared_neon_int16x8_t c); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_layer_1_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_1_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta1, - int16_t zeta2); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t 
zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_1_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta1, - int16_t zeta2); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_2_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta1, - int16_t zeta2); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t zeta); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___inv_ntt_layer_3_step( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, int16_t zeta); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_ntt_ntt_multiply( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs, int16_t zeta1, - int16_t zeta2, int16_t zeta3, int16_t zeta4); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___ntt_multiply( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *lhs, - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *rhs, int16_t zeta1, - 
int16_t zeta2, int16_t zeta3, int16_t zeta4); - -void libcrux_ml_kem_vector_neon_serialize_serialize_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[2U]); - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_1( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[2U]); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_1(Eurydice_slice a); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_1( - Eurydice_slice a); - -void libcrux_ml_kem_vector_neon_serialize_serialize_4( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[8U]); - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_4( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[8U]); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_4(Eurydice_slice v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_4( - Eurydice_slice a); - -void libcrux_ml_kem_vector_neon_vector_type_to_i16_array( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, int16_t ret[16U]); - -void libcrux_ml_kem_vector_neon_serialize_serialize_5( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[10U]); - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_5( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[10U]); - 
-libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_5(Eurydice_slice v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_5( - Eurydice_slice a); - -void libcrux_ml_kem_vector_neon_serialize_serialize_10( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[20U]); - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_10( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[20U]); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_10(Eurydice_slice v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_10( - Eurydice_slice a); - -void libcrux_ml_kem_vector_neon_serialize_serialize_11( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[22U]); - -void libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_11( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[22U]); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_11(Eurydice_slice v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_11( - Eurydice_slice a); - -void libcrux_ml_kem_vector_neon_serialize_serialize_12( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector v, uint8_t ret[24U]); - -void 
libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___serialize_12( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector a, uint8_t ret[24U]); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_serialize_deserialize_12(Eurydice_slice v); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___deserialize_12( - Eurydice_slice a); - -size_t libcrux_ml_kem_vector_neon_rej_sample(Eurydice_slice a, - Eurydice_slice result); - -size_t -libcrux_ml_kem_vector_neon___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___rej_sample( - Eurydice_slice a, Eurydice_slice out); - -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector -libcrux_ml_kem_vector_neon_vector_type___core__clone__Clone_for_libcrux_ml_kem__vector__neon__vector_type__SIMD128Vector___clone( - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector *self); - -typedef struct - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector_s { - libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector coefficients[16U]; -} libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector; - -#if defined(__cplusplus) -} -#endif - -#define __libcrux_mlkem_neon_H_DEFINED -#endif diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index 48acd7696..0b24895b8 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "internal/libcrux_mlkem_portable.h" @@ -694,7 +694,7 @@ inline libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR}), @@ -2529,7 +2529,7 @@ bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_portable_ Eurydice_array_to_subslice_from((size_t)1568U, public_key, (size_t)1536U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1568U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } 
@@ -2570,19 +2570,17 @@ static inline PortableHash____4size_t shake128_init_absorb___4size_t( state[i] = libcrux_sha3_portable_incremental_shake128_init();); KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &state[i0]; libcrux_sha3_portable_incremental_shake128_absorb_final( - uu____0, Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, - Eurydice_slice));); - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____1[4U]; + &state[i0], Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, + Eurydice_slice));); + libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____0[4U]; memcpy( - uu____1, state, + uu____0, state, (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); PortableHash____4size_t lit; memcpy( - lit.shake128_state, uu____1, + lit.shake128_state, uu____0, (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); return lit; @@ -2593,11 +2591,10 @@ static inline void shake128_squeeze_three_blocks___4size_t( uint8_t out[4U][504U] = {{0U}}; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - uu____0, Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice));); + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[504U])); } 
@@ -2645,13 +2642,11 @@ sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_vector_typ static inline void shake128_squeeze_block___4size_t( PortableHash____4size_t *self, uint8_t ret[4U][168U]) { uint8_t out[4U][168U] = {{0U}}; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - uu____0, Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[168U])); } @@ -2839,13 +2834,12 @@ typedef struct static inline void PRFxN___4size_t_128size_t(uint8_t (*input)[33U], uint8_t ret[4U][128U]) { uint8_t out[4U][128U] = {{0U}}; - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_slice((size_t)128U, out[i0], - uint8_t, Eurydice_slice); - libcrux_sha3_portable_shake256( - uu____0, Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, + Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[128U])); } 
@@ -3484,38 +3478,35 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_vector_t memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1536U * sizeof(uint8_t)); uint8_t public_key[1568U]; memcpy(public_key, uu____0.snd, (size_t)1568U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1536U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[3168U]; serialize_kem_secret_key__libcrux_ml_kem_hash_functions_portable_PortableHash___4size_t___4size_t_3168size_t( - uu____1, + Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[3168U]; - memcpy(uu____2, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); + uint8_t uu____1[3168U]; + memcpy(uu____1, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____3168size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___3168size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____3168size_t uu____3 = private_key; - uint8_t uu____4[1568U]; - memcpy(uu____4, public_key, (size_t)1568U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____3168size_t uu____2 = private_key; + uint8_t uu____3[1568U]; + memcpy(uu____3, public_key, (size_t)1568U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___3168size_t_1568size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1568size_t( - uu____4)); + uu____3)); } static inline void entropy_preprocess__libcrux_ml_kem_hash_functions_portable_PortableHash___4size_t___4size_t( Eurydice_slice randomness, uint8_t ret[32U]) { - 
uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static inline void @@ -3824,10 +3815,11 @@ compute_vector_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_4siz static libcrux_ml_kem_vector_portable_vector_type_PortableVector decompress_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); return libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___bitwise_and_with_constant( libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___sub( - libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(), - &v), + uu____0, &v), (int16_t)1665); } 
@@ -4227,13 +4219,11 @@ encrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_ke static inline void kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___4size_t___4size_t_1568size_t( Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } K___libcrux_ml_kem_types_MlKemCiphertext___1568size_t___uint8_t_32size_t_ @@ -4833,11 +4823,10 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_t uint8_t shared_secret[32U]; kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___4size_t___4size_t_1568size_t( shared_secret0, shared_secret); - Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); 
@@ -4972,7 +4961,7 @@ bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_portable_ Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } @@ -5013,19 +5002,17 @@ static inline PortableHash____3size_t shake128_init_absorb___3size_t( state[i] = libcrux_sha3_portable_incremental_shake128_init();); KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &state[i0]; libcrux_sha3_portable_incremental_shake128_absorb_final( - uu____0, Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, - Eurydice_slice));); - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____1[3U]; + &state[i0], Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, + Eurydice_slice));); + libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____0[3U]; memcpy( - uu____1, state, + uu____0, state, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); PortableHash____3size_t lit; memcpy( - lit.shake128_state, uu____1, + lit.shake128_state, uu____0, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); return lit; 
@@ -5036,11 +5023,10 @@ static inline void shake128_squeeze_three_blocks___3size_t( uint8_t out[3U][504U] = {{0U}}; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - uu____0, Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice));); + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); } @@ -5088,13 +5074,11 @@ sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_vector_typ static inline void shake128_squeeze_block___3size_t( PortableHash____3size_t *self, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - uu____0, Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); } 
@@ -5260,13 +5244,12 @@ typedef struct static inline void PRFxN___3size_t_128size_t(uint8_t (*input)[33U], uint8_t ret[3U][128U]) { uint8_t out[3U][128U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_slice((size_t)128U, out[i0], - uint8_t, Eurydice_slice); - libcrux_sha3_portable_shake256( - uu____0, Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, + Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); } 
@@ -5573,38 +5556,35 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_vector_t memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); uint8_t public_key[1184U]; memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1152U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[2400U]; serialize_kem_secret_key__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2400size_t( - uu____1, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[2400U]; - memcpy(uu____2, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + uint8_t uu____1[2400U]; + memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____2400size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___2400size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____3 = private_key; - uint8_t uu____4[1184U]; - memcpy(uu____4, public_key, (size_t)1184U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____2 = private_key; + uint8_t uu____3[1184U]; + memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___2400size_t_1184size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1184size_t( - uu____4)); + uu____3)); } static inline void entropy_preprocess__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( Eurydice_slice randomness, uint8_t ret[32U]) { - 
uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static inline void @@ -5997,13 +5977,11 @@ encrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_ke static inline void kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t( Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ 
@@ -6343,11 +6321,10 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_t uint8_t shared_secret[32U]; kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t( shared_secret0, shared_secret); - Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); @@ -6482,7 +6459,7 @@ bool libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_portable_ Eurydice_array_to_subslice_from((size_t)800U, public_key, (size_t)768U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)800U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } 
@@ -6523,19 +6500,17 @@ static inline PortableHash____2size_t shake128_init_absorb___2size_t( state[i] = libcrux_sha3_portable_incremental_shake128_init();); KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &state[i0]; libcrux_sha3_portable_incremental_shake128_absorb_final( - uu____0, Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, - Eurydice_slice));); - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____1[2U]; + &state[i0], Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, + Eurydice_slice));); + libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____0[2U]; memcpy( - uu____1, state, + uu____0, state, (size_t)2U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); PortableHash____2size_t lit; memcpy( - lit.shake128_state, uu____1, + lit.shake128_state, uu____0, (size_t)2U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); return lit; @@ -6546,11 +6521,10 @@ static inline void shake128_squeeze_three_blocks___2size_t( uint8_t out[2U][504U] = {{0U}}; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - uu____0, Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice));); + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[504U])); } 
@@ -6598,13 +6572,11 @@ sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_vector_typ static inline void shake128_squeeze_block___2size_t( PortableHash____2size_t *self, uint8_t ret[2U][168U]) { uint8_t out[2U][168U] = {{0U}}; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - uu____0, Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[168U])); } @@ -6770,13 +6742,12 @@ typedef struct static inline void PRFxN___2size_t_192size_t(uint8_t (*input)[33U], uint8_t ret[2U][192U]) { uint8_t out[2U][192U] = {{0U}}; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_slice((size_t)192U, out[i0], - uint8_t, Eurydice_slice); - libcrux_sha3_portable_shake256( - uu____0, Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)192U, out[i0], uint8_t, + Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[192U])); } 
@@ -7094,38 +7065,35 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_vector_t memcpy(ind_cpa_private_key, uu____0.fst, (size_t)768U * sizeof(uint8_t)); uint8_t public_key[800U]; memcpy(public_key, uu____0.snd, (size_t)800U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)768U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[1632U]; serialize_kem_secret_key__libcrux_ml_kem_hash_functions_portable_PortableHash___2size_t___2size_t_1632size_t( - uu____1, + Eurydice_array_to_slice((size_t)768U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)800U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[1632U]; - memcpy(uu____2, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); + uint8_t uu____1[1632U]; + memcpy(uu____1, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____1632size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___1632size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____1632size_t uu____3 = private_key; - uint8_t uu____4[800U]; - memcpy(uu____4, public_key, (size_t)800U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____1632size_t uu____2 = private_key; + uint8_t uu____3[800U]; + memcpy(uu____3, public_key, (size_t)800U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___1632size_t_800size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___800size_t( - uu____4)); + uu____3)); } static inline void entropy_preprocess__libcrux_ml_kem_hash_functions_portable_PortableHash___2size_t___2size_t( Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t 
ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } static inline void @@ -7167,13 +7135,12 @@ deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_vector_type_Po static inline void PRFxN___2size_t_128size_t(uint8_t (*input)[33U], uint8_t ret[2U][128U]) { uint8_t out[2U][128U] = {{0U}}; - KRML_MAYBE_FOR2( - i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_slice((size_t)128U, out[i0], - uint8_t, Eurydice_slice); - libcrux_sha3_portable_shake256( - uu____0, Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, + Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, + Eurydice_slice));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[128U])); } 
@@ -7482,13 +7449,11 @@ encrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_ke static inline void kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___2size_t___2size_t_768size_t( Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t ret0[32U]; - core_result_Result__uint8_t_32size_t__core_array_TryFromSliceError dst; - Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U], - void *); - core_result__core__result__Result_T__E___unwrap__uint8_t_32size_t__core_array_TryFromSliceError( - dst, ret0); - memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } K___libcrux_ml_kem_types_MlKemCiphertext___768size_t___uint8_t_32size_t_ @@ -7784,11 +7749,10 @@ void libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_t uint8_t shared_secret[32U]; kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___2size_t___2size_t_768size_t( shared_secret0, shared_secret); - Eurydice_slice uu____9 = Eurydice_array_to_slice((size_t)32U, shared_secret, - uint8_t, Eurydice_slice); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____9, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index 6d65ad32f..68b2d4d50 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h 
@@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index 06eaedd42..7559883ef 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h +++ b/libcrux-ml-kem/c/libcrux_sha3.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_sha3_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c index 10b22fbaa..bcbd6859d 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "internal/libcrux_sha3_avx2.h" 
@@ -1002,8 +1002,7 @@ static inline void pi__core_core_arch_x86___m256i_4size_t( libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t *s) { core_core_arch_x86___m256i old[5U][5U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)5U, s->st, old, core_core_arch_x86___m256i[5U], void *); + memcpy(old, s->st, (size_t)5U * sizeof(core_core_arch_x86___m256i[5U])); s->st[0U][1U] = old[1U][1U]; s->st[0U][2U] = old[2U][2U]; s->st[0U][3U] = old[3U][3U]; @@ -1078,17 +1077,15 @@ static inline void absorb_block__core_core_arch_x86___m256i_4size_t_136size_t( static inline void load_block_full___136size_t( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - core_core_arch_x86___m256i(*uu____0)[5U] = s; - Eurydice_slice uu____1 = Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice); - Eurydice_slice buf[4U] = {uu____1, uu____2, uu____3, + Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[1U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[2U], + uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t, Eurydice_slice)}; - load_block___136size_t(uu____0, buf); + load_block___136size_t(s, buf); } static inline void load_block_full___136size_t0( 
@@ -1106,21 +1103,22 @@ absorb_final__core_core_arch_x86___m256i_4size_t_136size_t_31uint8_t( Eurydice_slice last[4U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[4U][200U] = {{0U}}; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i0], - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = last_len}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], - uint8_t, void *); - blocks[i0][last_len] = 31U; - blocks[i0][(size_t)136U - (size_t)1U] = - (uint32_t)blocks[i0][(size_t)136U - (size_t)1U] | 128U;); - core_core_arch_x86___m256i(*uu____1)[5U] = s->st; - uint8_t uu____2[4U][200U]; - memcpy(uu____2, blocks, (size_t)4U * sizeof(uint8_t[200U])); - load_block_full___136size_t0(uu____1, uu____2); + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)200U, blocks[i0], + (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, + .end = last_len}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, + void *); + blocks[i0][last_len] = 31U; size_t uu____1 = i0; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;); + core_core_arch_x86___m256i(*uu____3)[5U] = s->st; + uint8_t uu____4[4U][200U]; + memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U])); + load_block_full___136size_t0(uu____3, uu____4); keccakf1600__core_core_arch_x86___m256i_4size_t(s); } 
@@ -1204,55 +1202,55 @@ static inline void store_block___136size_t(core_core_arch_x86___m256i (*s)[5U], uint8_t u8s[32U] = {0U}; size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____0, s[i0][j0]); - Eurydice_slice uu____1 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), + s[i0][j0]); + Eurydice_slice uu____0 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____1, + uu____0, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice( + Eurydice_slice uu____1 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____2, + uu____1, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice( + Eurydice_slice uu____2 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____3, + uu____2, Eurydice_array_to_subslice((size_t)32U, u8s, 
(CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____4 = Eurydice_slice_subslice( + Eurydice_slice uu____3 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____4, + uu____3, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)24U, .end = (size_t)32U}), 
@@ -1265,55 +1263,55 @@ static inline void store_block___136size_t(core_core_arch_x86___m256i (*s)[5U], ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) / (size_t)5U; size_t j = ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U; - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____5, s[i][j]); - Eurydice_slice uu____6 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), + s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____6, + uu____4, Eurydice_array_to_subslice((size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_slice_subslice( + Eurydice_slice uu____5 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____7, + uu____5, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____8 = Eurydice_slice_subslice( + Eurydice_slice uu____6 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____8, + uu____6, Eurydice_array_to_subslice( (size_t)32U, u8s0, 
(CLITERAL(core_ops_range_Range__size_t){.start = (size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____9 = Eurydice_slice_subslice( + Eurydice_slice uu____7 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____9, + uu____7, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)24U, 
@@ -1329,29 +1327,24 @@ static inline void store_block_full___136size_t( uint8_t out1[200U] = {0U}; uint8_t out2[200U] = {0U}; uint8_t out3[200U] = {0U}; - core_core_arch_x86___m256i(*uu____0)[5U] = s; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)200U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)200U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)200U, out2, uint8_t, Eurydice_slice); Eurydice_slice buf[4U] = { - uu____1, uu____2, uu____3, + Eurydice_array_to_slice((size_t)200U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)200U, out3, uint8_t, Eurydice_slice)}; - store_block___136size_t(uu____0, buf); - uint8_t uu____4[200U]; - memcpy(uu____4, out0, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____5[200U]; - memcpy(uu____5, out1, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____6[200U]; - memcpy(uu____6, out2, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____7[200U]; - memcpy(uu____7, out3, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____4, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[1U], uu____5, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[2U], uu____6, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[3U], uu____7, (size_t)200U * sizeof(uint8_t)); + store_block___136size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out0, (size_t)200U * sizeof(uint8_t)); + uint8_t uu____1[200U]; + memcpy(uu____1, out1, (size_t)200U * sizeof(uint8_t)); + uint8_t uu____2[200U]; + memcpy(uu____2, out2, (size_t)200U * sizeof(uint8_t)); + uint8_t uu____3[200U]; + memcpy(uu____3, out3, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[1U], uu____1, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[2U], uu____2, (size_t)200U * sizeof(uint8_t)); + 
memcpy(ret[3U], uu____3, (size_t)200U * sizeof(uint8_t)); } static inline void store_block_full___136size_t0( @@ -1466,7 +1459,7 @@ keccak__core_core_arch_x86___m256i_4size_t_136size_t_31uint8_t( memcpy(o1, uu____4.snd, (size_t)4U * sizeof(Eurydice_slice)); squeeze_first_block__core_core_arch_x86___m256i_4size_t_136size_t(&s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -1717,17 +1710,15 @@ static inline void load_block___168size_t(core_core_arch_x86___m256i (*s)[5U], static inline void load_block_full___168size_t( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - core_core_arch_x86___m256i(*uu____0)[5U] = s; - Eurydice_slice uu____1 = Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice); - Eurydice_slice buf[4U] = {uu____1, uu____2, uu____3, + Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[1U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[2U], + uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t, Eurydice_slice)}; - load_block___168size_t(uu____0, buf); + load_block___168size_t(s, buf); } static inline void load_block_full___168size_t0( 
@@ -1745,21 +1736,22 @@ libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_168 Eurydice_slice last[4U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[4U][200U] = {{0U}}; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i0], - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = last_len}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], - uint8_t, void *); - blocks[i0][last_len] = 31U; - blocks[i0][(size_t)168U - (size_t)1U] = - (uint32_t)blocks[i0][(size_t)168U - (size_t)1U] | 128U;); - core_core_arch_x86___m256i(*uu____1)[5U] = s->st; - uint8_t uu____2[4U][200U]; - memcpy(uu____2, blocks, (size_t)4U * sizeof(uint8_t[200U])); - load_block_full___168size_t0(uu____1, uu____2); + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)200U, blocks[i0], + (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, + .end = last_len}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, + void *); + blocks[i0][last_len] = 31U; size_t uu____1 = i0; + size_t uu____2 = (size_t)168U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;); + core_core_arch_x86___m256i(*uu____3)[5U] = s->st; + uint8_t uu____4[4U][200U]; + memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U])); + load_block_full___168size_t0(uu____3, uu____4); keccakf1600__core_core_arch_x86___m256i_4size_t(s); } 
@@ -1853,55 +1845,55 @@ static inline void store_block___168size_t(core_core_arch_x86___m256i (*s)[5U], uint8_t u8s[32U] = {0U}; size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____0, s[i0][j0]); - Eurydice_slice uu____1 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), + s[i0][j0]); + Eurydice_slice uu____0 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____1, + uu____0, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice( + Eurydice_slice uu____1 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____2, + uu____1, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice( + Eurydice_slice uu____2 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____3, + uu____2, Eurydice_array_to_subslice((size_t)32U, u8s, 
(CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____4 = Eurydice_slice_subslice( + Eurydice_slice uu____3 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____4, + uu____3, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)24U, .end = (size_t)32U}), 
@@ -1914,55 +1906,55 @@ static inline void store_block___168size_t(core_core_arch_x86___m256i (*s)[5U], ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) / (size_t)5U; size_t j = ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U; - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____5, s[i][j]); - Eurydice_slice uu____6 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), + s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____6, + uu____4, Eurydice_array_to_subslice((size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_slice_subslice( + Eurydice_slice uu____5 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____7, + uu____5, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____8 = Eurydice_slice_subslice( + Eurydice_slice uu____6 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____8, + uu____6, Eurydice_array_to_subslice( (size_t)32U, u8s0, 
(CLITERAL(core_ops_range_Range__size_t){.start = (size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____9 = Eurydice_slice_subslice( + Eurydice_slice uu____7 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____9, + uu____7, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)24U, diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h index b6697bbc7..0280b1762 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h index a32d29910..0a2911da7 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_sha3_internal_H 
@@ -234,10 +234,9 @@ static inline void libcrux_sha3_portable_keccak_load_block___168size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___168size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___168size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___168size_t(s, buf); } static inline void @@ -825,8 +824,7 @@ static inline void libcrux_sha3_generic_keccak_theta_rho__uint64_t_1size_t( static inline void libcrux_sha3_generic_keccak_pi__uint64_t_1size_t( libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *s) { uint64_t old[5U][5U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)5U, s->st, old, uint64_t[5U], void *); + memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U])); s->st[0U][1U] = old[1U][1U]; s->st[0U][2U] = old[2U][2U]; s->st[0U][3U] = old[3U][3U]; @@ -901,14 +899,15 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_168size_t_31uint8_t( uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); blocks[i][last_len] = 31U; - blocks[i][(size_t)168U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)168U - (size_t)1U] | 128U; + size_t uu____1 = i; + size_t uu____2 = (size_t)168U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___168size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -977,13 +976,12 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_168size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___168size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___168size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___168size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void @@ -1087,7 +1085,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_168size_t_31uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_168size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -1170,10 +1168,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_104size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___104size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___104size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___104size_t(s, buf); } static inline void 
@@ -1200,14 +1197,15 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_104size_t_6uint8_t( uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); blocks[i][last_len] = 6U; - blocks[i][(size_t)104U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)104U - (size_t)1U] | 128U; + size_t uu____1 = i; + size_t uu____2 = (size_t)104U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___104size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } @@ -1232,13 +1230,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___104size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___104size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___104size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___104size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void 
@@ -1365,7 +1362,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_104size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_104size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -1448,10 +1445,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_144size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___144size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___144size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___144size_t(s, buf); } static inline void 
@@ -1478,14 +1474,15 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_144size_t_6uint8_t( uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); blocks[i][last_len] = 6U; - blocks[i][(size_t)144U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)144U - (size_t)1U] | 128U; + size_t uu____1 = i; + size_t uu____2 = (size_t)144U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___144size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } @@ -1510,13 +1507,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___144size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___144size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___144size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___144size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void 
@@ -1643,7 +1639,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_144size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_144size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -1726,10 +1722,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_136size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___136size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___136size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___136size_t(s, buf); } static inline void 
@@ -1756,14 +1751,15 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_136size_t_31uint8_t( uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); blocks[i][last_len] = 31U; - blocks[i][(size_t)136U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)136U - (size_t)1U] | 128U; + size_t uu____1 = i; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___136size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } @@ -1788,13 +1784,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___136size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___136size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___136size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___136size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void 
@@ -1921,7 +1916,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_136size_t_31uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_136size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -1973,14 +1968,15 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_136size_t_6uint8_t( uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); blocks[i][last_len] = 6U; - blocks[i][(size_t)136U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)136U - (size_t)1U] | 128U; + size_t uu____1 = i; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___136size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -2030,7 +2026,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_136size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_136size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -2113,10 +2109,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_72size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___72size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___72size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___72size_t(s, buf); } static inline void 
@@ -2143,14 +2138,15 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_72size_t_6uint8_t( uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); blocks[i][last_len] = 6U; - blocks[i][(size_t)72U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)72U - (size_t)1U] | 128U; + size_t uu____1 = i; + size_t uu____2 = (size_t)72U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___72size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } @@ -2175,13 +2171,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___72size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___72size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___72size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___72size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void 
@@ -2308,7 +2303,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_72size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_72size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c index f36816787..2fbb85911 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.c +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #include "libcrux_sha3_neon.h" @@ -30,7 +30,7 @@ inline void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, KRML_HOST_EXIT(255U); } -inline libcrux_sha3_neon_x2_incremental_KeccakState2 +inline libcrux_sha3_neon_x2_incremental_KeccakState libcrux_sha3_neon_x2_incremental_shake128_init(void) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); @@ -38,7 +38,7 @@ libcrux_sha3_neon_x2_incremental_shake128_init(void) { } inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice data0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); 
@@ -46,7 +46,7 @@ inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( } inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice out0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); @@ -55,7 +55,7 @@ inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice out0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h index 281c9682e..9a803b376 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.h +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL - KaRaMeL invocation: /home/karthik/eurydice/eurydice --config ../c.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: f09228ef KaRaMeL - version: 42a43169 + KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../c.yaml + ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_sha3_neon_H 
@@ -23,23 +23,23 @@ void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data); void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice out0, Eurydice_slice out1); -typedef struct libcrux_sha3_neon_x2_incremental_KeccakState2_s { +typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s { libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t state[2U]; -} libcrux_sha3_neon_x2_incremental_KeccakState2; +} libcrux_sha3_neon_x2_incremental_KeccakState; -libcrux_sha3_neon_x2_incremental_KeccakState2 +libcrux_sha3_neon_x2_incremental_KeccakState libcrux_sha3_neon_x2_incremental_shake128_init(void); void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice data0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1); void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice out0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1); void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice out0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1); void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data); diff --git a/libcrux-ml-kem/cg.yaml b/libcrux-ml-kem/cg.yaml index d4b5be5a8..f7833c76c 100644 --- a/libcrux-ml-kem/cg.yaml +++ b/libcrux-ml-kem/cg.yaml 
@@ -48,50 +48,6 @@ files: monomorphizations_using: - [libcrux_sha3, "*"] - # Common parts of SHA3 (this catches stuff that hasn't matched above). Must - # # come after the (more precise) patterns above concerning platform-specific hash_functions - # - name: libcrux_sha3_internal - # api: - # patterns: - # - [libcrux_sha3, "*"] - # monomorphizations_of: - # - [libcrux_sha3, "*"] - # monomorphizations_using: - # - [libcrux_sha3, "*"] - # inline_static: true - - # MLKEM: HASH FUNCTIONS (as used by mlkem) - - # - name: libcrux_mlkem_avx2 - # api: - # - [libcrux_ml_kem, vector, avx2, "*"] - # - [libcrux_ml_kem, hash_functions, avx2, "*"] - # private: - # monomorphizations_using: - # - [libcrux_ml_kem, vector, avx2, "*"] - # - [libcrux_ml_kem, hash_functions, avx2, "*"] - # monomorphizations_of: - # - [libcrux_ml_kem, vector, avx2, "*"] - # - [libcrux_ml_kem, hash_functions, avx2, "*"] - - # # This covers slightly more than the two bundles above, but this greatly - # # simplifies our lives. - # - name: libcrux_mlkem_portable - # inline_static: true - # api: - # patterns: - # - [libcrux_ml_kem, vector, "*"] - # - [libcrux_ml_kem, hash_functions, portable, "*"] - # - [ libcrux_ml_kem, polynomial, "*" ] - # monomorphizations_using: - # - [ libcrux_ml_kem, polynomial, "*" ] - # - [libcrux_ml_kem, vector, "*"] - # - [libcrux_ml_kem, hash_functions, portable, "*"] - # monomorphizations_of: - # - [ libcrux_ml_kem, polynomial, "*" ] - # - [libcrux_ml_kem, vector, "*"] - # - [libcrux_ml_kem, hash_functions, portable, "*"] - # MLKEM: MISC NON-ARCHITECTURE SPECIFIC HEADERS - name: libcrux_core inline_static: true @@ -139,7 +95,6 @@ files: - [libcrux_ml_kem, "*"] - [libcrux_ml_kem, vector, "*"] - [libcrux_ml_kem, hash_functions, portable, "*"] - # - [libcrux_ml_kem, polynomial, "*" ] - [libcrux_ml_kem, mlkem768, portable, "*"] - [libcrux_ml_kem, ind_cca, instantiations, portable, "*"] monomorphizations_of: 
diff --git a/libcrux-ml-kem/cg/README.md b/libcrux-ml-kem/cg/README.md index 3e2297c0d..b18d42280 100644 --- a/libcrux-ml-kem/cg/README.md +++ b/libcrux-ml-kem/cg/README.md @@ -5,11 +5,15 @@ This folder contains the extracted ML-KEM C code. ## Generating C code The C code is generated from Rust using [Charon], [Eurydice] and [Karamel]. -The [c.sh](../c.sh) bash script drives the extraction, using the [c.yaml](../c.yaml) +The [c.sh](../c.sh) bash script drives the extraction, using the [cg.yaml](../cg.yaml) configuration file. While running the commands separately is possible, it is not recommended because the script sets all necessary configuration flags. +```bash +./c.sh --config cg.yaml --out cg --mlkem768 --no-glue --no-unrolling +``` + ## Build Make sure to use `CC=clang CXX=clang++` when benchmarking on Linux to get full performance. diff --git a/libcrux-ml-kem/cg/benches/sha3.cc b/libcrux-ml-kem/cg/benches/sha3.cc index b7c9d7777..734b245c4 100644 --- a/libcrux-ml-kem/cg/benches/sha3.cc +++ b/libcrux-ml-kem/cg/benches/sha3.cc 
@@ -68,13 +68,13 @@ shake128_34_504(benchmark::State &state) Eurydice_slice last[4] = {EURYDICE_SLICE(input, 0, 34), EURYDICE_SLICE(input, 0, 34), EURYDICE_SLICE(input, 0, 34), EURYDICE_SLICE(input, 0, 34)}; Eurydice_slice out[4] = {EURYDICE_SLICE(digest0, 0, 504), EURYDICE_SLICE(digest1, 0, 504), EURYDICE_SLICE(digest2, 0, 504), EURYDICE_SLICE(digest3, 0, 504)}; - libcrux_sha3_avx2_x4_incremental_KeccakState4 st = libcrux_sha3_avx2_x4_incremental_shake128_init(); + libcrux_sha3_avx2_x4_incremental_KeccakState st = libcrux_sha3_avx2_x4_incremental_shake128_init(); libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_168size_t_31uint8_t(&st, last); libcrux_sha3_generic_keccak_squeeze_first_three_blocks__core_core_arch_x86___m256i_4size_t_168size_t(&st, out); for (auto _ : state) { - libcrux_sha3_avx2_x4_incremental_KeccakState4 st = libcrux_sha3_avx2_x4_incremental_shake128_init(); + libcrux_sha3_avx2_x4_incremental_KeccakState st = libcrux_sha3_avx2_x4_incremental_shake128_init(); libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_168size_t_31uint8_t(&st, last); libcrux_sha3_generic_keccak_squeeze_first_three_blocks__core_core_arch_x86___m256i_4size_t_168size_t(&st, out); } diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h index bad6ff16d..ec6d47b7f 100644 --- a/libcrux-ml-kem/cg/eurydice_glue.h +++ b/libcrux-ml-kem/cg/eurydice_glue.h @@ -10,7 +10,6 @@ extern "C" { #include #include -#include "karamel/lowstar_endianness.h" #include "karamel/target.h" // SLICES, ARRAYS, ETC. @@ -77,7 +76,7 @@ typedef struct { #define Eurydice_array_eq(sz, a1, a2, t, _, _ret_t) \ (memcmp(a1, a2, sz * sizeof(t)) == 0) -#define core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq \ +#define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq \ Eurydice_array_eq #define core_slice___Slice_T___split_at(slice, mid, element_type, ret_t) \ 
@@ -106,10 +105,12 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok, // CORE STUFF (conversions, endianness, ...) static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) { - store64_le(buf, v); + memcpy(buf, &v, sizeof(v)); } static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) { - return load64_le(buf); + uint64_t v; + memcpy(&v, buf, sizeof(v)); + return v; } static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { @@ -128,14 +129,6 @@ static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) { return x - y; } - -// static inline uint8_t Eurydice_bitand_pv_u8(uint8_t *p, uint8_t v) { -// return (*p) & v; -// } -// static inline uint8_t Eurydice_shr_pv_u8(uint8_t *p, int32_t v) { -// return (*p) >> v; -// } - // ITERATORS #define Eurydice_range_iter_next(iter_ptr, t, ret_t) \ @@ -149,7 +142,7 @@ static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x, uint8_t y) { // See note in karamel/lib/Inlining.ml if you change this #define Eurydice_into_iter(x, t, _ret_t) (x) -#define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter \ +#define core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter \ Eurydice_into_iter #if defined(__cplusplus) diff --git a/libcrux-ml-kem/cg/karamel/lowstar_endianness.h b/libcrux-ml-kem/cg/karamel/lowstar_endianness.h deleted file mode 100644 index 1aa2ccd64..000000000 --- a/libcrux-ml-kem/cg/karamel/lowstar_endianness.h +++ /dev/null 
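Review bot: The new bodies of `core_num__u64_9__to_le_bytes` and `core_num__u64_9__from_le_bytes` copy the raw in-memory representation with `memcpy`, which only yields little-endian bytes on a little-endian host; the `store64_le`/`load64_le` helpers they replace (from the `karamel/lowstar_endianness.h` include dropped earlier in this file) did the host byte-order handling. On a big-endian target these conversions would now silently produce wrong bytes (presumably feeding the Keccak block load/store in the generated SHA3 code) instead of failing at build time. If the glue is intended to be little-endian-only, say so with a guard such as `#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__` / `# error "eurydice_glue.h assumes a little-endian host"` / `#endif`; otherwise the two functions can be written as byte shifts, which are endian-independent and still compile to a single load/store on little-endian hosts.
```c
static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
  for (size_t i = 0; i < 8; i++) {
    buf[i] = (uint8_t)(v >> (8 * i));
  }
}

static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
  uint64_t v = 0;
  for (size_t i = 0; i < 8; i++) {
    v |= (uint64_t)buf[i] << (8 * i);
  }
  return v;
}
// … unchanged: core_num__u8_6__count_ones and the rest of the header …
```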
@@ -1,231 +0,0 @@ -/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - -#ifndef __LOWSTAR_ENDIANNESS_H -#define __LOWSTAR_ENDIANNESS_H - -#include -#include - -/******************************************************************************/ -/* Implementing C.fst (part 2: endian-ness macros) */ -/******************************************************************************/ - -/* ... for Linux */ -#if defined(__linux__) || defined(__CYGWIN__) || defined (__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) -# include - -/* ... for OSX */ -#elif defined(__APPLE__) -# include -# define htole64(x) OSSwapHostToLittleInt64(x) -# define le64toh(x) OSSwapLittleToHostInt64(x) -# define htobe64(x) OSSwapHostToBigInt64(x) -# define be64toh(x) OSSwapBigToHostInt64(x) - -# define htole16(x) OSSwapHostToLittleInt16(x) -# define le16toh(x) OSSwapLittleToHostInt16(x) -# define htobe16(x) OSSwapHostToBigInt16(x) -# define be16toh(x) OSSwapBigToHostInt16(x) - -# define htole32(x) OSSwapHostToLittleInt32(x) -# define le32toh(x) OSSwapLittleToHostInt32(x) -# define htobe32(x) OSSwapHostToBigInt32(x) -# define be32toh(x) OSSwapBigToHostInt32(x) - -/* ... for Solaris */ -#elif defined(__sun__) -# include -# define htole64(x) LE_64(x) -# define le64toh(x) LE_64(x) -# define htobe64(x) BE_64(x) -# define be64toh(x) BE_64(x) - -# define htole16(x) LE_16(x) -# define le16toh(x) LE_16(x) -# define htobe16(x) BE_16(x) -# define be16toh(x) BE_16(x) - -# define htole32(x) LE_32(x) -# define le32toh(x) LE_32(x) -# define htobe32(x) BE_32(x) -# define be32toh(x) BE_32(x) - -/* ... for the BSDs */ -#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) -# include -#elif defined(__OpenBSD__) -# include - -/* ... for Windows (MSVC)... not targeting XBOX 360! 
*/ -#elif defined(_MSC_VER) - -# include -# define htobe16(x) _byteswap_ushort(x) -# define htole16(x) (x) -# define be16toh(x) _byteswap_ushort(x) -# define le16toh(x) (x) - -# define htobe32(x) _byteswap_ulong(x) -# define htole32(x) (x) -# define be32toh(x) _byteswap_ulong(x) -# define le32toh(x) (x) - -# define htobe64(x) _byteswap_uint64(x) -# define htole64(x) (x) -# define be64toh(x) _byteswap_uint64(x) -# define le64toh(x) (x) - -/* ... for Windows (GCC-like, e.g. mingw or clang) */ -#elif (defined(_WIN32) || defined(_WIN64) || defined(__EMSCRIPTEN__)) && \ - (defined(__GNUC__) || defined(__clang__)) - -# define htobe16(x) __builtin_bswap16(x) -# define htole16(x) (x) -# define be16toh(x) __builtin_bswap16(x) -# define le16toh(x) (x) - -# define htobe32(x) __builtin_bswap32(x) -# define htole32(x) (x) -# define be32toh(x) __builtin_bswap32(x) -# define le32toh(x) (x) - -# define htobe64(x) __builtin_bswap64(x) -# define htole64(x) (x) -# define be64toh(x) __builtin_bswap64(x) -# define le64toh(x) (x) - -/* ... generic big-endian fallback code */ -/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always big-endian */ -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || defined(_AIX) - -/* byte swapping code inspired by: - * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h - * */ - -# define htobe32(x) (x) -# define be32toh(x) (x) -# define htole32(x) \ - (__extension__({ \ - uint32_t _temp = (x); \ - ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ - ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ - })) -# define le32toh(x) (htole32((x))) - -# define htobe64(x) (x) -# define be64toh(x) (x) -# define htole64(x) \ - (__extension__({ \ - uint64_t __temp = (x); \ - uint32_t __low = htobe32((uint32_t)__temp); \ - uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ - (((uint64_t)__low) << 32) | __high; \ - })) -# define le64toh(x) (htole64((x))) - -/* ... 
generic little-endian fallback code */ -#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ - -# define htole32(x) (x) -# define le32toh(x) (x) -# define htobe32(x) \ - (__extension__({ \ - uint32_t _temp = (x); \ - ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ - ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ - })) -# define be32toh(x) (htobe32((x))) - -# define htole64(x) (x) -# define le64toh(x) (x) -# define htobe64(x) \ - (__extension__({ \ - uint64_t __temp = (x); \ - uint32_t __low = htobe32((uint32_t)__temp); \ - uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ - (((uint64_t)__low) << 32) | __high; \ - })) -# define be64toh(x) (htobe64((x))) - -/* ... couldn't determine endian-ness of the target platform */ -#else -# error "Please define __BYTE_ORDER__!" - -#endif /* defined(__linux__) || ... */ - -/* Loads and stores. These avoid undefined behavior due to unaligned memory - * accesses, via memcpy. */ - -inline static uint16_t load16(uint8_t *b) { - uint16_t x; - memcpy(&x, b, 2); - return x; -} - -inline static uint32_t load32(uint8_t *b) { - uint32_t x; - memcpy(&x, b, 4); - return x; -} - -inline static uint64_t load64(uint8_t *b) { - uint64_t x; - memcpy(&x, b, 8); - return x; -} - -inline static void store16(uint8_t *b, uint16_t i) { - memcpy(b, &i, 2); -} - -inline static void store32(uint8_t *b, uint32_t i) { - memcpy(b, &i, 4); -} - -inline static void store64(uint8_t *b, uint64_t i) { - memcpy(b, &i, 8); -} - -/* Legacy accessors so that this header can serve as an implementation of - * C.Endianness */ -#define load16_le(b) (le16toh(load16(b))) -#define store16_le(b, i) (store16(b, htole16(i))) -#define load16_be(b) (be16toh(load16(b))) -#define store16_be(b, i) (store16(b, htobe16(i))) - -#define load32_le(b) (le32toh(load32(b))) -#define store32_le(b, i) (store32(b, htole32(i))) -#define load32_be(b) (be32toh(load32(b))) -#define store32_be(b, i) (store32(b, htobe32(i))) - -#define 
load64_le(b) (le64toh(load64(b))) -#define store64_le(b, i) (store64(b, htole64(i))) -#define load64_be(b) (be64toh(load64(b))) -#define store64_be(b, i) (store64(b, htobe64(i))) - -/* Co-existence of LowStar.Endianness and FStar.Endianness generates name - * conflicts, because of course both insist on having no prefixes. Until a - * prefix is added, or until we truly retire FStar.Endianness, solve this issue - * in an elegant way. */ -#define load16_le0 load16_le -#define store16_le0 store16_le -#define load16_be0 load16_be -#define store16_be0 store16_be - -#define load32_le0 load32_le -#define store32_le0 store32_le -#define load32_be0 load32_be -#define store32_be0 store32_be - -#define load64_le0 load64_le -#define store64_le0 store64_le -#define load64_be0 load64_be -#define store64_be0 store64_be - -#define load128_le0 load128_le -#define store128_le0 store128_le -#define load128_be0 load128_be -#define store128_be0 store128_be - -#endif diff --git a/libcrux-ml-kem/cg/karamel/target.h b/libcrux-ml-kem/cg/karamel/target.h index d53314766..804507b80 100644 --- a/libcrux-ml-kem/cg/karamel/target.h +++ b/libcrux-ml-kem/cg/karamel/target.h @@ -4,27 +4,6 @@ #ifndef __KRML_TARGET_H #define __KRML_TARGET_H -#include -#include -#include -#include -#include -#include -#include - -/* Since KaRaMeL emits the inline keyword unconditionally, we follow the - * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this - * __inline__ to ensure the code compiles with -std=c90 and earlier. */ -#ifdef __GNUC__ -# define inline __inline__ -#endif - -/******************************************************************************/ -/* Macros that KaRaMeL will generate. */ -/******************************************************************************/ - -/* For "bare" targets that do not have a C stdlib, the user might want to use - * [-add-early-include '"mydefinitions.h"'] and override these. */ #ifndef KRML_HOST_PRINTF # define KRML_HOST_PRINTF printf #endif 
@@ -42,344 +21,4 @@ # define KRML_HOST_EXIT exit #endif -#ifndef KRML_HOST_MALLOC -# define KRML_HOST_MALLOC malloc -#endif - -#ifndef KRML_HOST_CALLOC -# define KRML_HOST_CALLOC calloc -#endif - -#ifndef KRML_HOST_FREE -# define KRML_HOST_FREE free -#endif - -#ifndef KRML_HOST_IGNORE -# define KRML_HOST_IGNORE(x) (void)(x) -#endif - -#ifndef KRML_MAYBE_UNUSED_VAR -# define KRML_MAYBE_UNUSED_VAR(x) KRML_HOST_IGNORE(x) -#endif - -#ifndef KRML_MAYBE_UNUSED -# if defined(__GNUC__) -# define KRML_MAYBE_UNUSED __attribute__((unused)) -# else -# define KRML_MAYBE_UNUSED -# endif -#endif - -#ifndef KRML_NOINLINE -# if defined(_MSC_VER) -# define KRML_NOINLINE __declspec(noinline) -# elif defined (__GNUC__) -# define KRML_NOINLINE __attribute__((noinline,unused)) -# else -# define KRML_NOINLINE -# warning "The KRML_NOINLINE macro is not defined for this toolchain!" -# warning "The compiler may defeat side-channel resistance with optimizations." -# warning "Please locate target.h and try to fill it out with a suitable definition for this compiler." -# endif -#endif - -#ifndef KRML_PRE_ALIGN -# ifdef _MSC_VER -# define KRML_PRE_ALIGN(X) __declspec(align(X)) -# else -# define KRML_PRE_ALIGN(X) -# endif -#endif - -#ifndef KRML_POST_ALIGN -# ifdef _MSC_VER -# define KRML_POST_ALIGN(X) -# else -# define KRML_POST_ALIGN(X) __attribute__((aligned(X))) -# endif -#endif - -/* MinGW-W64 does not support C11 aligned_alloc, but it supports - * MSVC's _aligned_malloc. - */ -#ifndef KRML_ALIGNED_MALLOC -# ifdef __MINGW32__ -# include <_mingw.h> -# endif -# if ( \ - defined(_MSC_VER) || \ - (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) -# define KRML_ALIGNED_MALLOC(X, Y) _aligned_malloc(Y, X) -# else -# define KRML_ALIGNED_MALLOC(X, Y) aligned_alloc(X, Y) -# endif -#endif - -/* Since aligned allocations with MinGW-W64 are done with - * _aligned_malloc (see above), such pointers must be freed with - * _aligned_free. 
- */ -#ifndef KRML_ALIGNED_FREE -# ifdef __MINGW32__ -# include <_mingw.h> -# endif -# if ( \ - defined(_MSC_VER) || \ - (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) -# define KRML_ALIGNED_FREE(X) _aligned_free(X) -# else -# define KRML_ALIGNED_FREE(X) free(X) -# endif -#endif - -#ifndef KRML_HOST_TIME - -# include - -/* Prims_nat not yet in scope */ -inline static int32_t krml_time(void) { - return (int32_t)time(NULL); -} - -# define KRML_HOST_TIME krml_time -#endif - -/* In statement position, exiting is easy. */ -#define KRML_EXIT \ - do { \ - KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \ - KRML_HOST_EXIT(254); \ - } while (0) - -/* In expression position, use the comma-operator and a malloc to return an - * expression of the right size. KaRaMeL passes t as the parameter to the macro. - */ -#define KRML_EABORT(t, msg) \ - (KRML_HOST_PRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \ - KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t)))) - -/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of - * *elements*. Do an ugly, run-time check (some of which KaRaMeL can eliminate). 
- */ -#if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 4)) -# define _KRML_CHECK_SIZE_PRAGMA \ - _Pragma("GCC diagnostic ignored \"-Wtype-limits\"") -#else -# define _KRML_CHECK_SIZE_PRAGMA -#endif - -#define KRML_CHECK_SIZE(size_elt, sz) \ - do { \ - _KRML_CHECK_SIZE_PRAGMA \ - if (((size_t)(sz)) > ((size_t)(SIZE_MAX / (size_elt)))) { \ - KRML_HOST_PRINTF( \ - "Maximum allocatable size exceeded, aborting before overflow at " \ - "%s:%d\n", \ - __FILE__, __LINE__); \ - KRML_HOST_EXIT(253); \ - } \ - } while (0) - -#if defined(_MSC_VER) && _MSC_VER < 1900 -# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) \ - _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) -#else -# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) -#endif - -#if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 4)) -# define KRML_DEPRECATED(x) __attribute__((deprecated(x))) -#elif defined(__GNUC__) -/* deprecated attribute is not defined in GCC < 4.5. */ -# define KRML_DEPRECATED(x) -#elif defined(_MSC_VER) -# define KRML_DEPRECATED(x) __declspec(deprecated(x)) -#endif - -/* Macros for prettier unrolling of loops */ -#define KRML_LOOP1(i, n, x) { \ - x \ - i += n; \ - (void) i; \ -} - -#define KRML_LOOP2(i, n, x) \ - KRML_LOOP1(i, n, x) \ - KRML_LOOP1(i, n, x) - -#define KRML_LOOP3(i, n, x) \ - KRML_LOOP2(i, n, x) \ - KRML_LOOP1(i, n, x) - -#define KRML_LOOP4(i, n, x) \ - KRML_LOOP2(i, n, x) \ - KRML_LOOP2(i, n, x) - -#define KRML_LOOP5(i, n, x) \ - KRML_LOOP4(i, n, x) \ - KRML_LOOP1(i, n, x) - -#define KRML_LOOP6(i, n, x) \ - KRML_LOOP4(i, n, x) \ - KRML_LOOP2(i, n, x) - -#define KRML_LOOP7(i, n, x) \ - KRML_LOOP4(i, n, x) \ - KRML_LOOP3(i, n, x) - -#define KRML_LOOP8(i, n, x) \ - KRML_LOOP4(i, n, x) \ - KRML_LOOP4(i, n, x) - -#define KRML_LOOP9(i, n, x) \ - KRML_LOOP8(i, n, x) \ - KRML_LOOP1(i, n, x) - -#define KRML_LOOP10(i, n, x) \ - KRML_LOOP8(i, n, x) \ - KRML_LOOP2(i, n, x) - -#define KRML_LOOP11(i, n, x) \ - KRML_LOOP8(i, n, 
x) \ - KRML_LOOP3(i, n, x) - -#define KRML_LOOP12(i, n, x) \ - KRML_LOOP8(i, n, x) \ - KRML_LOOP4(i, n, x) - -#define KRML_LOOP13(i, n, x) \ - KRML_LOOP8(i, n, x) \ - KRML_LOOP5(i, n, x) - -#define KRML_LOOP14(i, n, x) \ - KRML_LOOP8(i, n, x) \ - KRML_LOOP6(i, n, x) - -#define KRML_LOOP15(i, n, x) \ - KRML_LOOP8(i, n, x) \ - KRML_LOOP7(i, n, x) - -#define KRML_LOOP16(i, n, x) \ - KRML_LOOP8(i, n, x) \ - KRML_LOOP8(i, n, x) - -#define KRML_UNROLL_FOR(i, z, n, k, x) \ - do { \ - uint32_t i = z; \ - KRML_LOOP##n(i, k, x) \ - } while (0) - -#define KRML_ACTUAL_FOR(i, z, n, k, x) \ - do { \ - for (uint32_t i = z; i < n; i += k) { \ - x \ - } \ - } while (0) - -#ifndef KRML_UNROLL_MAX -# define KRML_UNROLL_MAX 16 -#endif - -/* 1 is the number of loop iterations, i.e. (n - z)/k as evaluated by krml */ -#if 0 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR0(i, z, n, k, x) -#else -# define KRML_MAYBE_FOR0(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 1 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR1(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 1, k, x) -#else -# define KRML_MAYBE_FOR1(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 2 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR2(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 2, k, x) -#else -# define KRML_MAYBE_FOR2(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 3 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR3(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 3, k, x) -#else -# define KRML_MAYBE_FOR3(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 4 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR4(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 4, k, x) -#else -# define KRML_MAYBE_FOR4(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 5 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR5(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 5, k, x) -#else -# define KRML_MAYBE_FOR5(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 6 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR6(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 6, k, x) 
-#else -# define KRML_MAYBE_FOR6(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 7 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR7(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 7, k, x) -#else -# define KRML_MAYBE_FOR7(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 8 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR8(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 8, k, x) -#else -# define KRML_MAYBE_FOR8(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 9 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR9(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 9, k, x) -#else -# define KRML_MAYBE_FOR9(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 10 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR10(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 10, k, x) -#else -# define KRML_MAYBE_FOR10(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 11 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR11(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 11, k, x) -#else -# define KRML_MAYBE_FOR11(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 12 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR12(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 12, k, x) -#else -# define KRML_MAYBE_FOR12(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 13 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR13(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 13, k, x) -#else -# define KRML_MAYBE_FOR13(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 14 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR14(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 14, k, x) -#else -# define KRML_MAYBE_FOR14(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 15 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR15(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 15, k, x) -#else -# define KRML_MAYBE_FOR15(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif - -#if 16 <= KRML_UNROLL_MAX -# define KRML_MAYBE_FOR16(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 16, k, x) -#else -# define KRML_MAYBE_FOR16(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) -#endif #endif 
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h index 3722fd4b3..d822e5644 100644 --- a/libcrux-ml-kem/cg/libcrux_core.h +++ b/libcrux-ml-kem/cg/libcrux_core.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../cg.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 409fe455 + -funroll-loops 0 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index e65c8602b..26dd84eab 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../cg.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 409fe455 + -funroll-loops 0 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem768_avx2_H @@ -676,10 +676,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, (int16_t)1 << 12U, (int16_t)1 << 13U, - (int16_t)1 << 14U, (int16_t)1 << 15U, (int16_t)1 << 8U, + (int16_t)1 << 14U, (int16_t)-32768, (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, (int16_t)1 << 11U, (int16_t)1 << 12U, (int16_t)1 << 13U, (int16_t)1 << 14U, - (int16_t)1 << 15U); + (int16_t)-32768); core_core_arch_x86___m256i coefficients_in_msb = libcrux_intrinsics_avx2_mm256_mullo_epi16(coefficients, shift_lsb_to_msb); return libcrux_intrinsics_avx2_mm256_srli_epi16( 
@@ -1920,14 +1920,15 @@ libcrux_ml_kem_ntt_ntt_at_layer_3__libcrux_ml_kem_vector_avx2_SIMD256Vector( libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector *re, size_t _layer, size_t _initial_coefficient_bound) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - core_core_arch_x86___m256i uu____0 = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ntt_layer_3_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re->coefficients[round] = uu____0;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ntt_layer_3_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); + re->coefficients[round] = uu____0; + } } __attribute__((target("avx2"))) 
@@ -1937,16 +1938,18 @@ libcrux_ml_kem_ntt_ntt_at_layer_2__libcrux_ml_kem_vector_avx2_SIMD256Vector( libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector *re, size_t _layer, size_t _initial_coefficient_bound) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - core_core_arch_x86___m256i uu____0 = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ntt_layer_2_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)1U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ntt_layer_2_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + } } __attribute__((target("avx2"))) 
@@ -1956,20 +1959,22 @@ libcrux_ml_kem_ntt_ntt_at_layer_1__libcrux_ml_kem_vector_avx2_SIMD256Vector( libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector *re, size_t _layer, size_t _initial_coefficient_bound) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - core_core_arch_x86___m256i uu____0 = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ntt_layer_1_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)1U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)2U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)3U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ntt_layer_1_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)3U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] + (size_t)3U; + } } __attribute__((target("avx2"))) 
@@ -2019,10 +2024,10 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u__libcrux_ml_kem_vector_avx2 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector u_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - u_as_ntt[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + u_as_ntt[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t, @@ -2294,10 +2299,10 @@ libcrux_ml_kem_ind_cpa_deserialize_secret_key__libcrux_ml_kem_vector_avx2_SIMD25 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector secret_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - secret_as_ntt[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + secret_as_ntt[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -2384,20 +2389,22 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1__libcrux_ml_kem_vector_avx2_SIMD libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector *re, size_t _layer) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - core_core_arch_x86___m256i uu____0 = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___inv_ntt_layer_1_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)1U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)2U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)3U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___inv_ntt_layer_1_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)3U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] - (size_t)3U; + } } __attribute__((target("avx2"))) 
@@ -2407,16 +2414,18 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2__libcrux_ml_kem_vector_avx2_SIMD libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector *re, size_t _layer) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - core_core_arch_x86___m256i uu____0 = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___inv_ntt_layer_2_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)1U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___inv_ntt_layer_2_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + } } __attribute__((target("avx2"))) 
@@ -2426,14 +2435,15 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3__libcrux_ml_kem_vector_avx2_SIMD libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector *re, size_t _layer) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - core_core_arch_x86___m256i uu____0 = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___inv_ntt_layer_3_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re->coefficients[round] = uu____0;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___inv_ntt_layer_3_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); + re->coefficients[round] = uu____0; + } } __attribute__((target("avx2"))) 
@@ -2545,14 +2555,15 @@ libcrux_ml_kem_matrix_compute_message__libcrux_ml_kem_vector_avx2_SIMD256Vector_ libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector result = libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector - product = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_avx2_SIMD256Vector( - &secret_as_ntt[i0], &u_as_ntt[i0]); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t( - &result, &product);); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector + product = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_avx2_SIMD256Vector( + &secret_as_ntt[i0], &u_as_ntt[i0]); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t( + &result, &product); + } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t( &result); result = 
@@ -2597,26 +2608,27 @@ libcrux_ml_kem_serialize_compress_then_serialize_message__libcrux_ml_kem_vector_ re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - core_core_arch_x86___m256i coefficient = - libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_avx2_SIMD256Vector( - re.coefficients[i0]); - core_core_arch_x86___m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___compress_1( - coefficient); - uint8_t bytes[2U]; - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___serialize_1( - coefficient_compressed, bytes); - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)32U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)2U * i0, .end = (size_t)2U * i0 + (size_t)2U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *);); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t i0 = i; + core_core_arch_x86___m256i coefficient = + libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_avx2_SIMD256Vector( + re.coefficients[i0]); + core_core_arch_x86___m256i coefficient_compressed = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___compress_1( + coefficient); + uint8_t bytes[2U]; + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___serialize_1( + coefficient_compressed, bytes); + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)32U, serialized, + (CLITERAL(core_ops_range_Range__size_t){ + .start = (size_t)2U * i0, .end = 
(size_t)2U * i0 + (size_t)2U}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + core_slice___Slice_T___copy_from_slice( + uu____0, + Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), + uint8_t, void *); + } memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } @@ -2712,10 +2724,10 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vecto ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector deserialized_pk[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + deserialized_pk[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -2756,10 +2768,10 @@ libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_avx2_SIMD25 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector ret0[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + ret0[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } memcpy( ret, ret0, (size_t)3U * 
@@ -2767,25 +2779,20 @@ libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_avx2_SIMD25 libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector)); } -typedef libcrux_sha3_avx2_x4_incremental_KeccakState4 +typedef libcrux_sha3_avx2_x4_incremental_KeccakState libcrux_ml_kem_hash_functions_avx2_Simd256Hash; __attribute__((target("avx2"))) -static inline libcrux_sha3_avx2_x4_incremental_KeccakState4 +static inline libcrux_sha3_avx2_x4_incremental_KeccakState libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___shake128_init_absorb___3size_t( uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t state = libcrux_sha3_avx2_x4_incremental_shake128_init(); - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = &state; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - uu____0, uu____1, uu____2, uu____3, + &state, + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice)); return state; } 
@@ -2793,33 +2800,27 @@ libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for __attribute__((target("avx2"))) static inline void libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___shake128_squeeze_three_blocks___3size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[3U][504U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][504U]) { uint8_t out[3U][504U] = {{0U}}; uint8_t out0[504U] = {0U}; uint8_t out1[504U] = {0U}; uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[504U]; - memcpy(uu____4, out0, (size_t)504U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____5[504U]; - memcpy(uu____5, out1, (size_t)504U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)504U * sizeof(uint8_t)); - uint8_t uu____6[504U]; - memcpy(uu____6, out2, (size_t)504U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____0[504U]; + memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); + 
uint8_t uu____1[504U]; + memcpy(uu____1, out1, (size_t)504U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)504U * sizeof(uint8_t)); + uint8_t uu____2[504U]; + memcpy(uu____2, out2, (size_t)504U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)504U * sizeof(uint8_t)); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); } 
@@ -2828,73 +2829,70 @@ static inline bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t_504size_t( uint8_t randomness[3U][504U], size_t *sampled_coefficients, int16_t (*out)[272U]) { - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)504U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { + size_t r = i; + if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)504U, randomness[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = r * (size_t)24U, + .end = r * (size_t)24U + (size_t)24U}), + uint8_t, 
core_ops_range_Range__size_t, Eurydice_slice); + size_t sampled = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___rej_sample( + uu____0, + Eurydice_array_to_subslice( + (size_t)272U, out[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = sampled_coefficients[i1], + .end = sampled_coefficients[i1] + (size_t)16U}), + int16_t, core_ops_range_Range__size_t, Eurydice_slice)); + size_t uu____1 = i1; + sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; + } + } + } + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + if (sampled_coefficients[i0] >= + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + sampled_coefficients[i0] = + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } else { + done = false; + } + } return done; } __attribute__((target("avx2"))) static inline void libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___shake128_squeeze_block___3size_t( - libcrux_sha3_avx2_x4_incremental_KeccakState4 *self, - uint8_t ret[3U][168U]) { + libcrux_sha3_avx2_x4_incremental_KeccakState *self, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; uint8_t out0[168U] = {0U}; uint8_t out1[168U] = {0U}; uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; - libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - *uu____0 = self; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - uu____0, uu____1, uu____2, uu____3, + self, + Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), + 
Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____4[168U]; - memcpy(uu____4, out0, (size_t)168U * sizeof(uint8_t)); - memcpy(out[0U], uu____4, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____5[168U]; - memcpy(uu____5, out1, (size_t)168U * sizeof(uint8_t)); - memcpy(out[1U], uu____5, (size_t)168U * sizeof(uint8_t)); - uint8_t uu____6[168U]; - memcpy(uu____6, out2, (size_t)168U * sizeof(uint8_t)); - memcpy(out[2U], uu____6, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____0[168U]; + memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____1[168U]; + memcpy(uu____1, out1, (size_t)168U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)168U * sizeof(uint8_t)); + uint8_t uu____2[168U]; + memcpy(uu____2, out2, (size_t)168U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)168U * sizeof(uint8_t)); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); } 
@@ -2903,40 +2901,43 @@ static inline bool libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t_168size_t( uint8_t randomness[3U][168U], size_t *sampled_coefficients, int16_t (*out)[272U]) { - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)168U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { + size_t r = i; + if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)168U, randomness[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = r * (size_t)24U, + .end = r * (size_t)24U + (size_t)24U}), + uint8_t, 
core_ops_range_Range__size_t, Eurydice_slice); + size_t sampled = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___rej_sample( + uu____0, + Eurydice_array_to_subslice( + (size_t)272U, out[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = sampled_coefficients[i1], + .end = sampled_coefficients[i1] + (size_t)16U}), + int16_t, core_ops_range_Range__size_t, Eurydice_slice)); + size_t uu____1 = i1; + sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; + } + } + } + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + if (sampled_coefficients[i0] >= + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + sampled_coefficients[i0] = + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } else { + done = false; + } + } return done; } @@ -2985,7 +2986,7 @@ libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_avx2_SIMD256Vecto int16_t out[3U][272U] = {{0U}}; uint8_t uu____0[3U][34U]; memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); - libcrux_sha3_avx2_x4_incremental_KeccakState4 xof_state = + libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___shake128_init_absorb___3size_t( uu____0); uint8_t randomness0[3U][504U]; 
@@ -3014,11 +3015,11 @@ libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_avx2_SIMD256Vecto memcpy(uu____3, out, (size_t)3U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector ret0[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = - libcrux_ml_kem_sampling_sample_from_xof_closure__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( - uu____3[i]);); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + ret0[i] = + libcrux_ml_kem_sampling_sample_from_xof_closure__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( + uu____3[i]); + } memcpy( ret, ret0, (size_t)3U * 
@@ -3034,45 +3035,50 @@ libcrux_ml_kem_matrix_sample_matrix_A__libcrux_ml_kem_vector_avx2_SIMD256Vector_ ret[3U][3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector A_transpose[3U][3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( - i, A_transpose[i]);); - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t seeds[3U][34U]; KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; - seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[3U][34U]; - memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( + i, A_transpose[i]); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + uint8_t uu____0[34U]; + memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + uint8_t seeds[3U][34U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t j = i; + seeds[j][32U] = (uint8_t)i1; + seeds[j][33U] = (uint8_t)j; + } + uint8_t uu____1[3U][34U]; + memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector + sampled[3U]; + libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( + uu____1, sampled); + 
for ( + size_t i = (size_t)0U; + i < + core_slice___Slice_T___len( + Eurydice_array_to_slice( + (size_t)3U, sampled, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector, + Eurydice_slice), + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector, + size_t); + i++) { + size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector - sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( - uu____1, sampled); - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector - sample = sampled[j]; - if (transpose) { - A_transpose[j][i1] = sample; - } else { - A_transpose[i1][j] = sample; - } - }); + sample = sampled[j]; + if (transpose) { + A_transpose[j][i1] = sample; + } else { + A_transpose[i1][j] = sample; + } + } + } memcpy( ret, A_transpose, (size_t)3U * 
@@ -3104,32 +3110,24 @@ libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for uint8_t out1[128U] = {0U}; uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice); - Eurydice_slice uu____4 = - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____6 = - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice); libcrux_sha3_avx2_x4_shake256( - uu____0, uu____1, uu____2, uu____3, uu____4, uu____5, uu____6, + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); - uint8_t uu____7[128U]; - memcpy(uu____7, out0, (size_t)128U * sizeof(uint8_t)); - memcpy(out[0U], uu____7, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____8[128U]; - memcpy(uu____8, out1, (size_t)128U * sizeof(uint8_t)); - memcpy(out[1U], uu____8, (size_t)128U * sizeof(uint8_t)); - uint8_t uu____9[128U]; - memcpy(uu____9, out2, (size_t)128U * sizeof(uint8_t)); - memcpy(out[2U], uu____9, (size_t)128U * 
sizeof(uint8_t)); + uint8_t uu____0[128U]; + memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); + memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____1[128U]; + memcpy(uu____1, out1, (size_t)128U * sizeof(uint8_t)); + memcpy(out[1U], uu____1, (size_t)128U * sizeof(uint8_t)); + uint8_t uu____2[128U]; + memcpy(uu____2, out2, (size_t)128U * sizeof(uint8_t)); + memcpy(out[2U], uu____2, (size_t)128U * sizeof(uint8_t)); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); } 
@@ -3293,32 +3291,35 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_avx2_SI uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector re_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - re_as_ntt[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + re_as_ntt[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } uint8_t uu____0[33U]; memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + prf_inputs[i0][32U] = domain_separator; + domain_separator = (uint32_t)domain_separator + 1U; + } uint8_t prf_outputs[3U][128U]; libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___PRFxN___3size_t_128size_t( prf_inputs, prf_outputs); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector - uu____1 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_avx2_SIMD256Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, 
Eurydice_slice)); - re_as_ntt[i0] = uu____1; - libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_avx2_SIMD256Vector( - &re_as_ntt[i0]);); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector + uu____1 = + libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_avx2_SIMD256Vector_2size_t( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, + Eurydice_slice)); + re_as_ntt[i0] = uu____1; + libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_avx2_SIMD256Vector( + &re_as_ntt[i0]); + } libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector uu____2[3U]; memcpy( 
@@ -3350,30 +3351,33 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd__libcrux_ml_kem_vector_avx2_SIMD2 uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector error_1[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - error_1[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + error_1[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } uint8_t uu____0[33U]; memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + prf_inputs[i0][32U] = domain_separator; + domain_separator = (uint32_t)domain_separator + 1U; + } uint8_t prf_outputs[3U][128U]; libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___PRFxN___3size_t_128size_t( prf_inputs, prf_outputs); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector - uu____1 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_avx2_SIMD256Vector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, 
Eurydice_slice)); - error_1[i0] = uu____1;); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector + uu____1 = + libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_avx2_SIMD256Vector_2size_t( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, + Eurydice_slice)); + error_1[i0] = uu____1; + } libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector uu____2[3U]; memcpy( @@ -3444,10 +3448,10 @@ libcrux_ml_kem_matrix_compute_vector_u__libcrux_ml_kem_vector_avx2_SIMD256Vector ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector result[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + result[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } for ( size_t i0 = (size_t)0U; i0 < 
@@ -3501,10 +3505,11 @@ __attribute__((target("avx2"))) static inline core_core_arch_x86___m256i libcrux_ml_kem_vector_traits_decompress_1__libcrux_ml_kem_vector_avx2_SIMD256Vector( core_core_arch_x86___m256i v) { + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ZERO(); return libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___bitwise_and_with_constant( libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___sub( - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___ZERO(), - &v), + uu____0, &v), (int16_t)1665); } 
@@ -3515,20 +3520,21 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message__libcrux_ml_kem_vec libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector re = libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - core_core_arch_x86___m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___deserialize_1( - Eurydice_array_to_subslice( - (size_t)32U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)2U * i0, - .end = (size_t)2U * i0 + (size_t)2U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); - core_core_arch_x86___m256i uu____0 = - libcrux_ml_kem_vector_traits_decompress_1__libcrux_ml_kem_vector_avx2_SIMD256Vector( - coefficient_compressed); - re.coefficients[i0] = uu____0;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t i0 = i; + core_core_arch_x86___m256i coefficient_compressed = + libcrux_ml_kem_vector_avx2___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__avx2__SIMD256Vector___deserialize_1( + Eurydice_array_to_subslice( + (size_t)32U, serialized, + (CLITERAL(core_ops_range_Range__size_t){ + .start = (size_t)2U * i0, + .end = (size_t)2U * i0 + (size_t)2U}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); + core_core_arch_x86___m256i uu____0 = + libcrux_ml_kem_vector_traits_decompress_1__libcrux_ml_kem_vector_avx2_SIMD256Vector( + coefficient_compressed); + re.coefficients[i0] = uu____0; + } return re; } 
@@ -3575,14 +3581,15 @@ libcrux_ml_kem_matrix_compute_ring_element_v__libcrux_ml_kem_vector_avx2_SIMD256 libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector result = libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector - product = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_avx2_SIMD256Vector( - &t_as_ntt[i0], &r_as_ntt[i0]); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t( - &result, &product);); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector + product = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_avx2_SIMD256Vector( + &t_as_ntt[i0], &r_as_ntt[i0]); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t( + &result, &product); + } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_avx2_SIMD256Vector_3size_t( &result); result = 
@@ -4130,7 +4137,19 @@ libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux __attribute__((target("avx2"))) static inline void -libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( +libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t( + Eurydice_slice shared_secret, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_, + uint8_t ret[32U]) { + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +} + +__attribute__((target("avx2"))) +static inline void +libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = 
@@ -4174,7 +4193,7 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_lib Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret = uu____3.fst; + Eurydice_slice shared_secret0 = uu____3.fst; Eurydice_slice pseudorandomness = uu____3.snd; uint8_t to_hash[1120U]; libcrux_ml_kem_utils_into_padded_array___1120size_t(implicit_rejection_value, @@ -4187,10 +4206,10 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_lib libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( ciphertext), uint8_t, void *); - uint8_t implicit_rejection_shared_secret[32U]; + uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___PRF___3size_t_32size_t( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; uint8_t uu____6[32U]; memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); 
@@ -4204,10 +4223,18 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_lib libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( uu____7, Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); - Eurydice_slice uu____8 = shared_secret; + uint8_t implicit_rejection_shared_secret[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, + uint8_t, Eurydice_slice), + ciphertext, implicit_rejection_shared_secret); + uint8_t shared_secret[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t( + shared_secret0, ciphertext, shared_secret); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____8, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); 
@@ -4220,7 +4247,7 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate___3size_t_2400size_t_1152 libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t ret0[32U]; - libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( + libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( private_key, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -4235,6 +4262,17 @@ static inline void libcrux_ml_kem_mlkem768_avx2_decapsulate( memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } +__attribute__((target("avx2"))) +static inline void +libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___entropy_preprocess__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( + Eurydice_slice randomness, uint8_t ret[32U]) { + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +} + __attribute__((target("avx2"))) static inline void libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__avx2__Simd256Hash___H___3size_t( 
@@ -4248,12 +4286,17 @@ libcrux_ml_kem_hash_functions_avx2___libcrux_ml_kem__hash_functions__Hash_K__for __attribute__((target("avx2"))) static inline K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( +libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, uint8_t randomness[32U]) { + uint8_t randomness0[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___entropy_preprocess__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), + randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, + Eurydice_slice), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, 
@@ -4287,20 +4330,19 @@ libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_lib public_key), uint8_t, Eurydice_slice); uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); uint8_t uu____4[1088U]; memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); - libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = + libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___2__from___1088size_t( uu____4); + uint8_t shared_secret_array[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t( + shared_secret, &ciphertext0, shared_secret_array); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; uint8_t uu____6[32U]; memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ lit; 
@@ -4317,7 +4359,7 @@ libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate___3size_t_1088size_t_1184 libcrux_ml_kem_types_MlKemPublicKey____1184size_t *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( + return libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_avx2_SIMD256Vector_libcrux_ml_kem_hash_functions_avx2_Simd256Hash_libcrux_ml_kem_ind_cca_MlKem_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( uu____0, uu____1); } @@ -4382,10 +4424,10 @@ libcrux_ml_kem_matrix_compute_As_plus_e__libcrux_ml_kem_vector_avx2_SIMD256Vecto ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector result[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + result[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } for ( size_t i0 = (size_t)0U; i0 < 
@@ -4701,26 +4743,25 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_avx2_SIMD256Vecto memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); uint8_t public_key[1184U]; memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1152U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[2400U]; libcrux_ml_kem_ind_cca_serialize_kem_secret_key__libcrux_ml_kem_hash_functions_avx2_Simd256Hash_3size_t_2400size_t( - uu____1, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[2400U]; - memcpy(uu____2, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + uint8_t uu____1[2400U]; + memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____2400size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___2400size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____3 = private_key; - uint8_t uu____4[1184U]; - memcpy(uu____4, public_key, (size_t)1184U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____2 = private_key; + uint8_t uu____3[1184U]; + memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___2400size_t_1184size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1184size_t( - uu____4)); + uu____3)); } __attribute__((target("avx2"))) 
@@ -4757,10 +4798,10 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vecto ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_avx2_SIMD256Vector deserialized_pk[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + deserialized_pk[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_avx2_SIMD256Vector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -4809,7 +4850,7 @@ libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_avx2_SIMD256Ve Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index ba79f1774..f8ee1b1c3 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../cg.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 409fe455 + -funroll-loops 0 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_mlkem768_portable_H 
@@ -22,7 +22,7 @@ extern "C" { (LIBCRUX_ML_KEM_HASH_FUNCTIONS_BLOCK_SIZE * (size_t)3U) typedef struct libcrux_ml_kem_hash_functions_neon_Simd128Hash_s { - libcrux_sha3_neon_x2_incremental_KeccakState2 shake128_state[2U]; + libcrux_sha3_neon_x2_incremental_KeccakState shake128_state[2U]; } libcrux_ml_kem_hash_functions_neon_Simd128Hash; #define LIBCRUX_ML_KEM_IND_CCA_ENCAPS_SEED_SIZE \ @@ -597,13 +597,13 @@ static const uint8_t {0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U, 9U, 10U, 11U, 12U, 13U, 14U, 15U}}; -typedef struct libcrux_ml_kem_vector_portable_PortableVector_s { +typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_s { int16_t elements[16U]; -} libcrux_ml_kem_vector_portable_PortableVector; +} libcrux_ml_kem_vector_portable_vector_type_PortableVector; -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_zero(void) { - libcrux_ml_kem_vector_portable_PortableVector lit; +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type_zero(void) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; lit.elements[0U] = (int16_t)0; lit.elements[1U] = (int16_t)0; lit.elements[2U] = (int16_t)0; 
@@ -623,15 +623,16 @@ libcrux_ml_kem_vector_zero(void) { return lit; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO( void) { - return libcrux_ml_kem_vector_zero(); + return libcrux_ml_kem_vector_portable_vector_type_zero(); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_from_i16_array(Eurydice_slice array) { - libcrux_ml_kem_vector_portable_PortableVector lit; +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type_from_i16_array( + Eurydice_slice array) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; int16_t ret[16U]; core_result_Result__int16_t_16size_t__core_array_TryFromSliceError dst; Eurydice_slice_to_array2( 
@@ -648,15 +649,16 @@ libcrux_ml_kem_vector_from_i16_array(Eurydice_slice array) { return lit; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___from_i16_array( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___from_i16_array( Eurydice_slice array) { - return libcrux_ml_kem_vector_from_i16_array(array); + return libcrux_ml_kem_vector_portable_vector_type_from_i16_array(array); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_add(libcrux_ml_kem_vector_portable_PortableVector lhs, - libcrux_ml_kem_vector_portable_PortableVector *rhs) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -666,16 +668,17 @@ libcrux_ml_kem_vector_add(libcrux_ml_kem_vector_portable_PortableVector lhs, return lhs; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( - libcrux_ml_kem_vector_portable_PortableVector lhs, - libcrux_ml_kem_vector_portable_PortableVector *rhs) { - return libcrux_ml_kem_vector_add(lhs, rhs); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { + return libcrux_ml_kem_vector_portable_arithmetic_add(lhs, rhs); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_sub(libcrux_ml_kem_vector_portable_PortableVector lhs, - libcrux_ml_kem_vector_portable_PortableVector *rhs) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -685,16 +688,16 @@ libcrux_ml_kem_vector_sub(libcrux_ml_kem_vector_portable_PortableVector lhs, return lhs; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___sub( - libcrux_ml_kem_vector_portable_PortableVector lhs, - libcrux_ml_kem_vector_portable_PortableVector *rhs) { - return libcrux_ml_kem_vector_sub(lhs, rhs); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { + return libcrux_ml_kem_vector_portable_arithmetic_sub(lhs, rhs); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_multiply_by_constant( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t c) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -704,15 +707,15 @@ libcrux_ml_kem_vector_multiply_by_constant( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___multiply_by_constant( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t c) { - return libcrux_ml_kem_vector_multiply_by_constant(v, c); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___multiply_by_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { + return libcrux_ml_kem_vector_portable_arithmetic_multiply_by_constant(v, c); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t c) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -722,17 +725,18 @@ libcrux_ml_kem_vector_bitwise_and_with_constant( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___bitwise_and_with_constant( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t c) { - return libcrux_ml_kem_vector_bitwise_and_with_constant(v, c); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___bitwise_and_with_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { + return libcrux_ml_kem_vector_portable_arithmetic_bitwise_and_with_constant(v, + c); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_cond_subtract_3329( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR}), 
@@ -753,92 +757,109 @@ libcrux_ml_kem_vector_cond_subtract_3329( } } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___cond_subtract_3329( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_cond_subtract_3329(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___cond_subtract_3329( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v); } -#define LIBCRUX_ML_KEM_VECTOR_BARRETT_MULTIPLIER ((int32_t)20159) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER \ + ((int32_t)20159) -#define LIBCRUX_ML_KEM_VECTOR_BARRETT_SHIFT ((int32_t)26) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT ((int32_t)26) -#define LIBCRUX_ML_KEM_VECTOR_BARRETT_R \ - ((int32_t)1 << (uint32_t)LIBCRUX_ML_KEM_VECTOR_BARRETT_SHIFT) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R \ + ((int32_t)1 << (uint32_t) \ + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT) -static inline int16_t libcrux_ml_kem_vector_barrett_reduce_element( +static inline int16_t +libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value) { - int32_t t = (int32_t)value * LIBCRUX_ML_KEM_VECTOR_BARRETT_MULTIPLIER + - (LIBCRUX_ML_KEM_VECTOR_BARRETT_R >> 1U); + int32_t t = (int32_t)value * + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_MULTIPLIER + + (LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_R >> 1U); int16_t quotient = - (int16_t)(t >> (uint32_t)LIBCRUX_ML_KEM_VECTOR_BARRETT_SHIFT); + (int16_t)(t >> + (uint32_t) + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT); return value - quotient * 
LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_barrett_reduce( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = - libcrux_ml_kem_vector_barrett_reduce_element(v.elements[i0]); + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[i0]); v.elements[i0] = uu____0; } return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___barrett_reduce( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_barrett_reduce(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___barrett_reduce( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(v); } -#define LIBCRUX_ML_KEM_VECTOR_MONTGOMERY_SHIFT (16U) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT (16U) -#define LIBCRUX_ML_KEM_VECTOR_MONTGOMERY_R \ - ((int32_t)1 << (uint32_t)LIBCRUX_ML_KEM_VECTOR_MONTGOMERY_SHIFT) +#define LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_R \ + ((int32_t)1 << (uint32_t) \ + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT) -static inline int16_t libcrux_ml_kem_vector_montgomery_reduce_element( +static inline int16_t +libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int32_t value) { int32_t k = 
(int32_t)(int16_t)value * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; int32_t k_times_modulus = (int32_t)(int16_t)k * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; - int16_t c = (int16_t)(k_times_modulus >> - (uint32_t)LIBCRUX_ML_KEM_VECTOR_MONTGOMERY_SHIFT); + int16_t c = + (int16_t)(k_times_modulus >> + (uint32_t) + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); int16_t value_high = - (int16_t)(value >> (uint32_t)LIBCRUX_ML_KEM_VECTOR_MONTGOMERY_SHIFT); + (int16_t)(value >> + (uint32_t) + LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT); return value_high - c; } -static inline int16_t libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( +static inline int16_t +libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( int16_t fe, int16_t fer) { - return libcrux_ml_kem_vector_montgomery_reduce_element((int32_t)fe * - (int32_t)fer); + return libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + (int32_t)fe * (int32_t)fer); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_montgomery_multiply_by_constant( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t c) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t c) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(v.elements[i0], c); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[i0], c); v.elements[i0] = uu____0; } return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___montgomery_multiply_by_constant( - 
libcrux_ml_kem_vector_portable_PortableVector v, int16_t r) { - return libcrux_ml_kem_vector_montgomery_multiply_by_constant(v, r); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___montgomery_multiply_by_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t r) { + return libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_by_constant( + v, r); } -static inline uint8_t libcrux_ml_kem_vector_compress_message_coefficient( +static inline uint8_t +libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( uint16_t fe) { int16_t shifted = (int16_t)1664 - (int16_t)fe; int16_t mask = shifted >> 15U; 
@@ -847,80 +868,92 @@ static inline uint8_t libcrux_ml_kem_vector_compress_message_coefficient( return (uint8_t)(shifted_positive_in_range >> 15U & (int16_t)1); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_compress_1( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_compress_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - uint8_t uu____0 = libcrux_ml_kem_vector_compress_message_coefficient( - (uint16_t)v.elements[i0]); + uint8_t uu____0 = + libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( + (uint16_t)v.elements[i0]); v.elements[i0] = (int16_t)uu____0; } return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress_1( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_compress_1(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress_1(v); } -static inline uint32_t libcrux_ml_kem_vector_get_n_least_significant_bits( +static inline uint32_t +libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits( uint8_t n, uint32_t value) { return value & ((1U << (uint32_t)n) - 1U); } -static inline int16_t libcrux_ml_kem_vector_compress_ciphertext_coefficient( +static inline int16_t +libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( uint8_t coefficient_bits, uint16_t fe) 
{ uint64_t compressed = (uint64_t)fe << (uint32_t)coefficient_bits; compressed = compressed + 1664ULL; compressed = compressed * 10321340ULL; compressed = compressed >> 35U; - return (int16_t)libcrux_ml_kem_vector_get_n_least_significant_bits( - coefficient_bits, (uint32_t)compressed); + return (int16_t) + libcrux_ml_kem_vector_portable_arithmetic_get_n_least_significant_bits( + coefficient_bits, (uint32_t)compressed); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t zeta0, +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - int16_t t = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[2U], zeta0); + int16_t t = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[2U], zeta0); v.elements[2U] = v.elements[0U] - t; v.elements[0U] = v.elements[0U] + t; - int16_t t0 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[3U], zeta0); + int16_t t0 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[3U], zeta0); v.elements[3U] = v.elements[1U] - t0; v.elements[1U] = v.elements[1U] + t0; - int16_t t1 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[6U], zeta1); + int16_t t1 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[6U], zeta1); v.elements[6U] = v.elements[4U] - t1; v.elements[4U] = v.elements[4U] + t1; - int16_t t2 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[7U], zeta1); + int16_t t2 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[7U], zeta1); v.elements[7U] = v.elements[5U] - t2; v.elements[5U] = v.elements[5U] + t2; - int16_t t3 = 
libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)2U], zeta2); + int16_t t3 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)2U], zeta2); v.elements[(size_t)8U + (size_t)2U] = v.elements[(size_t)8U + (size_t)0U] - t3; v.elements[(size_t)8U + (size_t)0U] = v.elements[(size_t)8U + (size_t)0U] + t3; - int16_t t4 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)3U], zeta2); + int16_t t4 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)3U], zeta2); v.elements[(size_t)8U + (size_t)3U] = v.elements[(size_t)8U + (size_t)1U] - t4; v.elements[(size_t)8U + (size_t)1U] = v.elements[(size_t)8U + (size_t)1U] + t4; - int16_t t5 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)6U], zeta3); + int16_t t5 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)6U], zeta3); v.elements[(size_t)8U + (size_t)6U] = v.elements[(size_t)8U + (size_t)4U] - t5; v.elements[(size_t)8U + (size_t)4U] = v.elements[(size_t)8U + (size_t)4U] + t5; - int16_t t6 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)7U], zeta3); + int16_t t6 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)7U], zeta3); v.elements[(size_t)8U + (size_t)7U] = v.elements[(size_t)8U + (size_t)5U] - t6; v.elements[(size_t)8U + (size_t)5U] = 
@@ -928,53 +961,62 @@ libcrux_ml_kem_vector_ntt_layer_1_step( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_layer_1_step( - libcrux_ml_kem_vector_portable_PortableVector a, int16_t zeta0, +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3); + return libcrux_ml_kem_vector_portable_ntt_ntt_layer_1_step(a, zeta0, zeta1, + zeta2, zeta3); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t zeta0, +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, int16_t zeta1) { - int16_t t = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[4U], zeta0); + int16_t t = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[4U], zeta0); v.elements[4U] = v.elements[0U] - t; v.elements[0U] = v.elements[0U] + t; - int16_t t0 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[5U], zeta0); + int16_t t0 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[5U], zeta0); v.elements[5U] = v.elements[1U] - t0; v.elements[1U] = v.elements[1U] + t0; - int16_t t1 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[6U], zeta0); + int16_t t1 = + 
libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[6U], zeta0); v.elements[6U] = v.elements[2U] - t1; v.elements[2U] = v.elements[2U] + t1; - int16_t t2 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[7U], zeta0); + int16_t t2 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[7U], zeta0); v.elements[7U] = v.elements[3U] - t2; v.elements[3U] = v.elements[3U] + t2; - int16_t t3 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)4U], zeta1); + int16_t t3 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)4U], zeta1); v.elements[(size_t)8U + (size_t)4U] = v.elements[(size_t)8U + (size_t)0U] - t3; v.elements[(size_t)8U + (size_t)0U] = v.elements[(size_t)8U + (size_t)0U] + t3; - int16_t t4 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)5U], zeta1); + int16_t t4 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)5U], zeta1); v.elements[(size_t)8U + (size_t)5U] = v.elements[(size_t)8U + (size_t)1U] - t4; v.elements[(size_t)8U + (size_t)1U] = v.elements[(size_t)8U + (size_t)1U] + t4; - int16_t t5 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)6U], zeta1); + int16_t t5 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)6U], zeta1); v.elements[(size_t)8U + (size_t)6U] = v.elements[(size_t)8U + (size_t)2U] - t5; v.elements[(size_t)8U + (size_t)2U] = v.elements[(size_t)8U + (size_t)2U] + t5; - int16_t t6 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[(size_t)8U + (size_t)7U], zeta1); + int16_t t6 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[(size_t)8U + (size_t)7U], zeta1); v.elements[(size_t)8U + (size_t)7U] = 
v.elements[(size_t)8U + (size_t)3U] - t6; v.elements[(size_t)8U + (size_t)3U] = 
@@ -982,248 +1024,289 @@ libcrux_ml_kem_vector_ntt_layer_2_step( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_layer_2_step( - libcrux_ml_kem_vector_portable_PortableVector a, int16_t zeta0, +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_ntt_layer_2_step(a, zeta0, zeta1); + return libcrux_ml_kem_vector_portable_ntt_ntt_layer_2_step(a, zeta0, zeta1); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t zeta) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) { int16_t t = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(v.elements[8U], zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[8U], zeta); v.elements[8U] = v.elements[0U] - t; v.elements[0U] = v.elements[0U] + t; int16_t t0 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(v.elements[9U], zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[9U], zeta); v.elements[9U] = v.elements[1U] - t0; v.elements[1U] = v.elements[1U] + t0; - int16_t t1 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[10U], zeta); + int16_t t1 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[10U], zeta); v.elements[10U] = v.elements[2U] - t1; v.elements[2U] = 
v.elements[2U] + t1; - int16_t t2 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[11U], zeta); + int16_t t2 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[11U], zeta); v.elements[11U] = v.elements[3U] - t2; v.elements[3U] = v.elements[3U] + t2; - int16_t t3 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[12U], zeta); + int16_t t3 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[12U], zeta); v.elements[12U] = v.elements[4U] - t3; v.elements[4U] = v.elements[4U] + t3; - int16_t t4 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[13U], zeta); + int16_t t4 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[13U], zeta); v.elements[13U] = v.elements[5U] - t4; v.elements[5U] = v.elements[5U] + t4; - int16_t t5 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[14U], zeta); + int16_t t5 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[14U], zeta); v.elements[14U] = v.elements[6U] - t5; v.elements[6U] = v.elements[6U] + t5; - int16_t t6 = libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer( - v.elements[15U], zeta); + int16_t t6 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + v.elements[15U], zeta); v.elements[15U] = v.elements[7U] - t6; v.elements[7U] = v.elements[7U] + t6; return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_layer_3_step( - libcrux_ml_kem_vector_portable_PortableVector a, int16_t zeta) { - return libcrux_ml_kem_vector_ntt_layer_3_step(a, zeta); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector 
+libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { + return libcrux_ml_kem_vector_portable_ntt_ntt_layer_3_step(a, zeta); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t zeta0, +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { int16_t a_minus_b = v.elements[2U] - v.elements[0U]; - int16_t uu____0 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[0U] + v.elements[2U]); + int16_t uu____0 = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[0U] + v.elements[2U]); v.elements[0U] = uu____0; int16_t uu____1 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b, zeta0); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta0); v.elements[2U] = uu____1; int16_t a_minus_b0 = v.elements[3U] - v.elements[1U]; - int16_t uu____2 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[1U] + v.elements[3U]); + int16_t uu____2 = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[1U] + v.elements[3U]); v.elements[1U] = uu____2; int16_t uu____3 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b0, zeta0); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta0); v.elements[3U] = uu____3; int16_t a_minus_b1 = v.elements[6U] - v.elements[4U]; - int16_t uu____4 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[4U] + v.elements[6U]); + int16_t uu____4 = + 
libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[4U] + v.elements[6U]); v.elements[4U] = uu____4; int16_t uu____5 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b1, zeta1); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta1); v.elements[6U] = uu____5; int16_t a_minus_b2 = v.elements[7U] - v.elements[5U]; - int16_t uu____6 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[5U] + v.elements[7U]); + int16_t uu____6 = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[5U] + v.elements[7U]); v.elements[5U] = uu____6; int16_t uu____7 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b2, zeta1); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta1); v.elements[7U] = uu____7; int16_t a_minus_b3 = v.elements[(size_t)8U + (size_t)2U] - v.elements[(size_t)8U + (size_t)0U]; - int16_t uu____8 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[(size_t)8U + (size_t)0U] + - v.elements[(size_t)8U + (size_t)2U]); + int16_t uu____8 = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[(size_t)8U + (size_t)0U] + + v.elements[(size_t)8U + (size_t)2U]); v.elements[(size_t)8U + (size_t)0U] = uu____8; int16_t uu____9 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b3, zeta2); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b3, zeta2); v.elements[(size_t)8U + (size_t)2U] = uu____9; int16_t a_minus_b4 = v.elements[(size_t)8U + (size_t)3U] - v.elements[(size_t)8U + (size_t)1U]; - int16_t uu____10 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[(size_t)8U + (size_t)1U] + - v.elements[(size_t)8U + (size_t)3U]); + int16_t uu____10 = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[(size_t)8U + (size_t)1U] + + v.elements[(size_t)8U + (size_t)3U]); v.elements[(size_t)8U + 
(size_t)1U] = uu____10; int16_t uu____11 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b4, zeta2); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b4, zeta2); v.elements[(size_t)8U + (size_t)3U] = uu____11; int16_t a_minus_b5 = v.elements[(size_t)8U + (size_t)6U] - v.elements[(size_t)8U + (size_t)4U]; - int16_t uu____12 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[(size_t)8U + (size_t)4U] + - v.elements[(size_t)8U + (size_t)6U]); + int16_t uu____12 = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[(size_t)8U + (size_t)4U] + + v.elements[(size_t)8U + (size_t)6U]); v.elements[(size_t)8U + (size_t)4U] = uu____12; int16_t uu____13 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b5, zeta3); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b5, zeta3); v.elements[(size_t)8U + (size_t)6U] = uu____13; int16_t a_minus_b6 = v.elements[(size_t)8U + (size_t)7U] - v.elements[(size_t)8U + (size_t)5U]; - int16_t uu____14 = libcrux_ml_kem_vector_barrett_reduce_element( - v.elements[(size_t)8U + (size_t)5U] + - v.elements[(size_t)8U + (size_t)7U]); + int16_t uu____14 = + libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( + v.elements[(size_t)8U + (size_t)5U] + + v.elements[(size_t)8U + (size_t)7U]); v.elements[(size_t)8U + (size_t)5U] = uu____14; int16_t uu____15 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b6, zeta3); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b6, zeta3); v.elements[(size_t)8U + (size_t)7U] = uu____15; return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___inv_ntt_layer_1_step( - libcrux_ml_kem_vector_portable_PortableVector a, int16_t zeta0, +static inline 
libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___inv_ntt_layer_1_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_inv_ntt_layer_1_step(a, zeta0, zeta1, zeta2, - zeta3); + return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_1_step( + a, zeta0, zeta1, zeta2, zeta3); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t zeta0, +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta0, int16_t zeta1) { int16_t a_minus_b = v.elements[4U] - v.elements[0U]; v.elements[0U] = v.elements[0U] + v.elements[4U]; int16_t uu____0 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b, zeta0); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta0); v.elements[4U] = uu____0; int16_t a_minus_b0 = v.elements[5U] - v.elements[1U]; v.elements[1U] = v.elements[1U] + v.elements[5U]; int16_t uu____1 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b0, zeta0); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta0); v.elements[5U] = uu____1; int16_t a_minus_b1 = v.elements[6U] - v.elements[2U]; v.elements[2U] = v.elements[2U] + v.elements[6U]; int16_t uu____2 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b1, zeta0); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta0); v.elements[6U] = uu____2; int16_t a_minus_b2 = v.elements[7U] - v.elements[3U]; v.elements[3U] = v.elements[3U] + v.elements[7U]; 
int16_t uu____3 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b2, zeta0); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta0); v.elements[7U] = uu____3; int16_t a_minus_b3 = v.elements[(size_t)8U + (size_t)4U] - v.elements[(size_t)8U + (size_t)0U]; v.elements[(size_t)8U + (size_t)0U] = v.elements[(size_t)8U + (size_t)0U] + v.elements[(size_t)8U + (size_t)4U]; int16_t uu____4 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b3, zeta1); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b3, zeta1); v.elements[(size_t)8U + (size_t)4U] = uu____4; int16_t a_minus_b4 = v.elements[(size_t)8U + (size_t)5U] - v.elements[(size_t)8U + (size_t)1U]; v.elements[(size_t)8U + (size_t)1U] = v.elements[(size_t)8U + (size_t)1U] + v.elements[(size_t)8U + (size_t)5U]; int16_t uu____5 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b4, zeta1); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b4, zeta1); v.elements[(size_t)8U + (size_t)5U] = uu____5; int16_t a_minus_b5 = v.elements[(size_t)8U + (size_t)6U] - v.elements[(size_t)8U + (size_t)2U]; v.elements[(size_t)8U + (size_t)2U] = v.elements[(size_t)8U + (size_t)2U] + v.elements[(size_t)8U + (size_t)6U]; int16_t uu____6 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b5, zeta1); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b5, zeta1); v.elements[(size_t)8U + (size_t)6U] = uu____6; int16_t a_minus_b6 = v.elements[(size_t)8U + (size_t)7U] - v.elements[(size_t)8U + (size_t)3U]; v.elements[(size_t)8U + (size_t)3U] = v.elements[(size_t)8U + (size_t)3U] + v.elements[(size_t)8U + (size_t)7U]; int16_t uu____7 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b6, zeta1); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b6, zeta1); v.elements[(size_t)8U + (size_t)7U] = uu____7; 
return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___inv_ntt_layer_2_step( - libcrux_ml_kem_vector_portable_PortableVector a, int16_t zeta0, +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___inv_ntt_layer_2_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta0, int16_t zeta1) { - return libcrux_ml_kem_vector_inv_ntt_layer_2_step(a, zeta0, zeta1); + return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_2_step(a, zeta0, + zeta1); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t zeta) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t zeta) { int16_t a_minus_b = v.elements[8U] - v.elements[0U]; v.elements[0U] = v.elements[0U] + v.elements[8U]; int16_t uu____0 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b, zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b, zeta); v.elements[8U] = uu____0; int16_t a_minus_b0 = v.elements[9U] - v.elements[1U]; v.elements[1U] = v.elements[1U] + v.elements[9U]; int16_t uu____1 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b0, zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b0, zeta); v.elements[9U] = uu____1; int16_t a_minus_b1 = v.elements[10U] - v.elements[2U]; v.elements[2U] = v.elements[2U] + v.elements[10U]; int16_t uu____2 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b1, zeta); + 
libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b1, zeta); v.elements[10U] = uu____2; int16_t a_minus_b2 = v.elements[11U] - v.elements[3U]; v.elements[3U] = v.elements[3U] + v.elements[11U]; int16_t uu____3 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b2, zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b2, zeta); v.elements[11U] = uu____3; int16_t a_minus_b3 = v.elements[12U] - v.elements[4U]; v.elements[4U] = v.elements[4U] + v.elements[12U]; int16_t uu____4 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b3, zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b3, zeta); v.elements[12U] = uu____4; int16_t a_minus_b4 = v.elements[13U] - v.elements[5U]; v.elements[5U] = v.elements[5U] + v.elements[13U]; int16_t uu____5 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b4, zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b4, zeta); v.elements[13U] = uu____5; int16_t a_minus_b5 = v.elements[14U] - v.elements[6U]; v.elements[6U] = v.elements[6U] + v.elements[14U]; int16_t uu____6 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b5, zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b5, zeta); v.elements[14U] = uu____6; int16_t a_minus_b6 = v.elements[15U] - v.elements[7U]; v.elements[7U] = v.elements[7U] + v.elements[15U]; int16_t uu____7 = - libcrux_ml_kem_vector_montgomery_multiply_fe_by_fer(a_minus_b6, zeta); + libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( + a_minus_b6, zeta); v.elements[15U] = uu____7; return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___inv_ntt_layer_3_step( - libcrux_ml_kem_vector_portable_PortableVector a, int16_t 
zeta) { - return libcrux_ml_kem_vector_inv_ntt_layer_3_step(a, zeta); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___inv_ntt_layer_3_step( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta) { + return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } typedef struct K___int16_t_int16_t_s { 
@@ -1231,30 +1314,35 @@ typedef struct K___int16_t_int16_t_s { int16_t snd; } K___int16_t_int16_t; -static inline K___int16_t_int16_t libcrux_ml_kem_vector_ntt_multiply_binomials( +static inline K___int16_t_int16_t +libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( K___int16_t_int16_t _, K___int16_t_int16_t _0, int16_t zeta) { int16_t a0 = _.fst; int16_t a1 = _.snd; int16_t b0 = _0.fst; int16_t b1 = _0.snd; int32_t uu____0 = (int32_t)a0 * (int32_t)b0; - int16_t uu____1 = libcrux_ml_kem_vector_montgomery_reduce_element( - uu____0 + (int32_t)libcrux_ml_kem_vector_montgomery_reduce_element( - (int32_t)a1 * (int32_t)b1) * - (int32_t)zeta); + int16_t uu____1 = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + uu____0 + + (int32_t) + libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + (int32_t)a1 * (int32_t)b1) * + (int32_t)zeta); return (CLITERAL(K___int16_t_int16_t){ .fst = uu____1, - .snd = libcrux_ml_kem_vector_montgomery_reduce_element( - (int32_t)a0 * (int32_t)b1 + (int32_t)a1 * (int32_t)b0)}); -} - -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_ntt_multiply( - libcrux_ml_kem_vector_portable_PortableVector *lhs, - libcrux_ml_kem_vector_portable_PortableVector *rhs, int16_t zeta0, - int16_t zeta1, int16_t zeta2, int16_t zeta3) { - libcrux_ml_kem_vector_portable_PortableVector out = - libcrux_ml_kem_vector_zero(); + .snd = + libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( + (int32_t)a0 * (int32_t)b1 + (int32_t)a1 * (int32_t)b0)}); +} + +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_ntt_ntt_multiply( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector out = + 
libcrux_ml_kem_vector_portable_vector_type_zero(); K___int16_t_int16_t lit0; lit0.fst = lhs->elements[0U]; lit0.snd = lhs->elements[1U]; @@ -1262,7 +1350,8 @@ libcrux_ml_kem_vector_ntt_multiply( lit1.fst = rhs->elements[0U]; lit1.snd = rhs->elements[1U]; K___int16_t_int16_t product = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit0, lit1, zeta0); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit0, lit1, + zeta0); out.elements[0U] = product.fst; out.elements[1U] = product.snd; K___int16_t_int16_t lit2; @@ -1272,7 +1361,8 @@ libcrux_ml_kem_vector_ntt_multiply( lit3.fst = rhs->elements[2U]; lit3.snd = rhs->elements[3U]; K___int16_t_int16_t product0 = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit2, lit3, -zeta0); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit2, lit3, + -zeta0); out.elements[2U] = product0.fst; out.elements[3U] = product0.snd; K___int16_t_int16_t lit4; @@ -1282,7 +1372,8 @@ libcrux_ml_kem_vector_ntt_multiply( lit5.fst = rhs->elements[4U]; lit5.snd = rhs->elements[5U]; K___int16_t_int16_t product1 = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit4, lit5, zeta1); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit4, lit5, + zeta1); out.elements[4U] = product1.fst; out.elements[5U] = product1.snd; K___int16_t_int16_t lit6; @@ -1292,7 +1383,8 @@ libcrux_ml_kem_vector_ntt_multiply( lit7.fst = rhs->elements[6U]; lit7.snd = rhs->elements[7U]; K___int16_t_int16_t product2 = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit6, lit7, -zeta1); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit6, lit7, + -zeta1); out.elements[6U] = product2.fst; out.elements[7U] = product2.snd; K___int16_t_int16_t lit8; 
@@ -1302,7 +1394,8 @@ libcrux_ml_kem_vector_ntt_multiply( lit9.fst = rhs->elements[(size_t)8U + (size_t)0U]; lit9.snd = rhs->elements[(size_t)8U + (size_t)1U]; K___int16_t_int16_t product3 = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit8, lit9, zeta2); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit8, lit9, + zeta2); out.elements[(size_t)8U + (size_t)0U] = product3.fst; out.elements[(size_t)8U + (size_t)1U] = product3.snd; K___int16_t_int16_t lit10; @@ -1312,7 +1405,8 @@ libcrux_ml_kem_vector_ntt_multiply( lit11.fst = rhs->elements[(size_t)8U + (size_t)2U]; lit11.snd = rhs->elements[(size_t)8U + (size_t)3U]; K___int16_t_int16_t product4 = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit10, lit11, -zeta2); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit10, lit11, + -zeta2); out.elements[(size_t)8U + (size_t)2U] = product4.fst; out.elements[(size_t)8U + (size_t)3U] = product4.snd; K___int16_t_int16_t lit12; @@ -1322,7 +1416,8 @@ libcrux_ml_kem_vector_ntt_multiply( lit13.fst = rhs->elements[(size_t)8U + (size_t)4U]; lit13.snd = rhs->elements[(size_t)8U + (size_t)5U]; K___int16_t_int16_t product5 = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit12, lit13, zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit12, lit13, + zeta3); out.elements[(size_t)8U + (size_t)4U] = product5.fst; out.elements[(size_t)8U + (size_t)5U] = product5.snd; K___int16_t_int16_t lit14; 
@@ -1332,54 +1427,61 @@ libcrux_ml_kem_vector_ntt_multiply( lit.fst = rhs->elements[(size_t)8U + (size_t)6U]; lit.snd = rhs->elements[(size_t)8U + (size_t)7U]; K___int16_t_int16_t product6 = - libcrux_ml_kem_vector_ntt_multiply_binomials(lit14, lit, -zeta3); + libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials(lit14, lit, + -zeta3); out.elements[(size_t)8U + (size_t)6U] = product6.fst; out.elements[(size_t)8U + (size_t)7U] = product6.snd; return out; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_multiply( - libcrux_ml_kem_vector_portable_PortableVector *lhs, - libcrux_ml_kem_vector_portable_PortableVector *rhs, int16_t zeta0, - int16_t zeta1, int16_t zeta2, int16_t zeta3) { - return libcrux_ml_kem_vector_ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, - zeta3); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_multiply( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *lhs, + libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs, + int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { + return libcrux_ml_kem_vector_portable_ntt_ntt_multiply(lhs, rhs, zeta0, zeta1, + zeta2, zeta3); } -static inline void libcrux_ml_kem_vector_serialize_1( - libcrux_ml_kem_vector_portable_PortableVector v, uint8_t ret[2U]) { +static inline void libcrux_ml_kem_vector_portable_serialize_serialize_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, + uint8_t ret[2U]) { uint8_t result[2U] = {0U}; - KRML_MAYBE_FOR8( - i, (size_t)0U, (size_t)8U, (size_t)1U, size_t i0 = i; - size_t uu____0 = (size_t)0U; - result[uu____0] = (uint32_t)result[uu____0] | - (uint32_t)(uint8_t)v.elements[i0] << (uint32_t)i0;); - KRML_MAYBE_FOR8(i, (size_t)8U, 
(size_t)16U, (size_t)1U, size_t i0 = i; - size_t uu____1 = (size_t)1U; - result[uu____1] = (uint32_t)result[uu____1] | - (uint32_t)(uint8_t)v.elements[i0] - << (uint32_t)(i0 - (size_t)8U);); + for (size_t i = (size_t)0U; i < (size_t)8U; i++) { + size_t i0 = i; + size_t uu____0 = (size_t)0U; + result[uu____0] = (uint32_t)result[uu____0] | + (uint32_t)(uint8_t)v.elements[i0] << (uint32_t)i0; + } + for (size_t i = (size_t)8U; i < (size_t)16U; i++) { + size_t i0 = i; + size_t uu____1 = (size_t)1U; + result[uu____1] = + (uint32_t)result[uu____1] | (uint32_t)(uint8_t)v.elements[i0] + << (uint32_t)(i0 - (size_t)8U); + } memcpy(ret, result, (size_t)2U * sizeof(uint8_t)); } static inline void -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_1( - libcrux_ml_kem_vector_portable_PortableVector a, uint8_t ret[2U]) { +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_1( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + uint8_t ret[2U]) { uint8_t ret0[2U]; - libcrux_ml_kem_vector_serialize_1(a, ret0); + libcrux_ml_kem_vector_portable_serialize_serialize_1(a, ret0); memcpy(ret, ret0, (size_t)2U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_deserialize_1(Eurydice_slice v) { - libcrux_ml_kem_vector_portable_PortableVector result = - libcrux_ml_kem_vector_zero(); - KRML_MAYBE_FOR8(i, (size_t)0U, (size_t)8U, (size_t)1U, size_t i0 = i; - uint8_t *uu____0 = &Eurydice_slice_index( - v, (size_t)0U, uint8_t, uint8_t *, uint8_t); - result.elements[i0] = - (int16_t)((uint32_t)uu____0[0U] >> (uint32_t)i0 & 1U);); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector result = + 
libcrux_ml_kem_vector_portable_vector_type_zero(); + for (size_t i = (size_t)0U; i < (size_t)8U; i++) { + size_t i0 = i; + uint8_t *uu____0 = + &Eurydice_slice_index(v, (size_t)0U, uint8_t, uint8_t *, uint8_t); + result.elements[i0] = (int16_t)((uint32_t)uu____0[0U] >> (uint32_t)i0 & 1U); + } for (size_t i = (size_t)8U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; @@ -1391,14 +1493,15 @@ libcrux_ml_kem_vector_deserialize_1(Eurydice_slice v) { return result; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_1( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_1( Eurydice_slice a) { - return libcrux_ml_kem_vector_deserialize_1(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_1(a); } -static inline void libcrux_ml_kem_vector_serialize_4( - libcrux_ml_kem_vector_portable_PortableVector v, uint8_t ret[8U]) { +static inline void libcrux_ml_kem_vector_portable_serialize_serialize_4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, + uint8_t ret[8U]) { uint8_t result[8U] = {0U}; result[0U] = (uint32_t)(uint8_t)v.elements[1U] << 4U | (uint32_t)(uint8_t)v.elements[0U]; 
@@ -1420,17 +1523,18 @@ static inline void libcrux_ml_kem_vector_serialize_4( } static inline void -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_4( - libcrux_ml_kem_vector_portable_PortableVector a, uint8_t ret[8U]) { +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + uint8_t ret[8U]) { uint8_t ret0[8U]; - libcrux_ml_kem_vector_serialize_4(a, ret0); + libcrux_ml_kem_vector_portable_serialize_serialize_4(a, ret0); memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_deserialize_4(Eurydice_slice bytes) { - libcrux_ml_kem_vector_portable_PortableVector v = - libcrux_ml_kem_vector_zero(); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); uint8_t *uu____0 = &Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t); v.elements[0U] = (int16_t)((uint32_t)uu____0[0U] & 15U); 
@@ -1482,14 +1586,15 @@ libcrux_ml_kem_vector_deserialize_4(Eurydice_slice bytes) { return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_4( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_4( Eurydice_slice a) { - return libcrux_ml_kem_vector_deserialize_4(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_4(a); } -static inline void libcrux_ml_kem_vector_serialize_5( - libcrux_ml_kem_vector_portable_PortableVector v, uint8_t ret[10U]) { +static inline void libcrux_ml_kem_vector_portable_serialize_serialize_5( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, + uint8_t ret[10U]) { uint8_t result[10U] = {0U}; result[0U] = (uint8_t)((v.elements[1U] & (int16_t)7) << 5U | v.elements[0U]); result[1U] = 
@@ -1521,17 +1626,18 @@ static inline void libcrux_ml_kem_vector_serialize_5( } static inline void -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_5( - libcrux_ml_kem_vector_portable_PortableVector a, uint8_t ret[10U]) { +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_5( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + uint8_t ret[10U]) { uint8_t ret0[10U]; - libcrux_ml_kem_vector_serialize_5(a, ret0); + libcrux_ml_kem_vector_portable_serialize_serialize_5(a, ret0); memcpy(ret, ret0, (size_t)10U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_deserialize_5(Eurydice_slice bytes) { - libcrux_ml_kem_vector_portable_PortableVector v = - libcrux_ml_kem_vector_zero(); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector v = + libcrux_ml_kem_vector_portable_vector_type_zero(); uint8_t *uu____0 = &Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t); v.elements[0U] = (int16_t)((uint32_t)uu____0[0U] & 31U); 
@@ -1622,14 +1728,15 @@ libcrux_ml_kem_vector_deserialize_5(Eurydice_slice bytes) { return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_5( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_5( Eurydice_slice a) { - return libcrux_ml_kem_vector_deserialize_5(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_5(a); } -static inline void libcrux_ml_kem_vector_serialize_10( - libcrux_ml_kem_vector_portable_PortableVector v, uint8_t ret[20U]) { +static inline void libcrux_ml_kem_vector_portable_serialize_serialize_10( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, + uint8_t ret[20U]) { uint8_t result[20U] = {0U}; result[0U] = (uint8_t)(v.elements[0U] & (int16_t)255); result[1U] = (uint32_t)(uint8_t)(v.elements[1U] & (int16_t)63) << 2U | 
@@ -1687,17 +1794,18 @@ static inline void libcrux_ml_kem_vector_serialize_10( } static inline void -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_10( - libcrux_ml_kem_vector_portable_PortableVector a, uint8_t ret[20U]) { +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_10( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + uint8_t ret[20U]) { uint8_t ret0[20U]; - libcrux_ml_kem_vector_serialize_10(a, ret0); + libcrux_ml_kem_vector_portable_serialize_serialize_10(a, ret0); memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_deserialize_10(Eurydice_slice bytes) { - libcrux_ml_kem_vector_portable_PortableVector result = - libcrux_ml_kem_vector_zero(); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector result = + libcrux_ml_kem_vector_portable_vector_type_zero(); int16_t uu____0 = ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) & (int16_t)3) 
@@ -1817,14 +1925,15 @@ libcrux_ml_kem_vector_deserialize_10(Eurydice_slice bytes) { return result; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_10( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_10( Eurydice_slice a) { - return libcrux_ml_kem_vector_deserialize_10(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_10(a); } -static inline void libcrux_ml_kem_vector_serialize_11( - libcrux_ml_kem_vector_portable_PortableVector v, uint8_t ret[22U]) { +static inline void libcrux_ml_kem_vector_portable_serialize_serialize_11( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, + uint8_t ret[22U]) { uint8_t result[22U] = {0U}; result[0U] = (uint8_t)v.elements[0U]; result[1U] = (uint32_t)(uint8_t)(v.elements[1U] & (int16_t)31) << 3U | 
@@ -1882,17 +1991,18 @@ static inline void libcrux_ml_kem_vector_serialize_11( } static inline void -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_11( - libcrux_ml_kem_vector_portable_PortableVector a, uint8_t ret[22U]) { +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_11( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + uint8_t ret[22U]) { uint8_t ret0[22U]; - libcrux_ml_kem_vector_serialize_11(a, ret0); + libcrux_ml_kem_vector_portable_serialize_serialize_11(a, ret0); memcpy(ret, ret0, (size_t)22U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_deserialize_11(Eurydice_slice bytes) { - libcrux_ml_kem_vector_portable_PortableVector result = - libcrux_ml_kem_vector_zero(); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector result = + libcrux_ml_kem_vector_portable_vector_type_zero(); int16_t uu____0 = ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) & (int16_t)7) 
@@ -2030,14 +2140,15 @@ libcrux_ml_kem_vector_deserialize_11(Eurydice_slice bytes) { return result; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_11( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_11( Eurydice_slice a) { - return libcrux_ml_kem_vector_deserialize_11(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_11(a); } -static inline void libcrux_ml_kem_vector_serialize_12( - libcrux_ml_kem_vector_portable_PortableVector v, uint8_t ret[24U]) { +static inline void libcrux_ml_kem_vector_portable_serialize_serialize_12( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, + uint8_t ret[24U]) { uint8_t result[24U] = {0U}; result[0U] = (uint8_t)(v.elements[0U] & (int16_t)255); result[1U] = 
@@ -2083,17 +2194,18 @@ static inline void libcrux_ml_kem_vector_serialize_12( } static inline void -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_12( - libcrux_ml_kem_vector_portable_PortableVector a, uint8_t ret[24U]) { +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_12( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + uint8_t ret[24U]) { uint8_t ret0[24U]; - libcrux_ml_kem_vector_serialize_12(a, ret0); + libcrux_ml_kem_vector_portable_serialize_serialize_12(a, ret0); memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_deserialize_12(Eurydice_slice bytes) { - libcrux_ml_kem_vector_portable_PortableVector re = - libcrux_ml_kem_vector_zero(); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector re = + libcrux_ml_kem_vector_portable_vector_type_zero(); int16_t byte0 = (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t); int16_t byte1 = (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, 
@@ -2161,14 +2273,14 @@ libcrux_ml_kem_vector_deserialize_12(Eurydice_slice bytes) { return re; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_12( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_12( Eurydice_slice a) { - return libcrux_ml_kem_vector_deserialize_12(a); + return libcrux_ml_kem_vector_portable_serialize_deserialize_12(a); } -static inline size_t libcrux_ml_kem_vector_rej_sample(Eurydice_slice a, - Eurydice_slice result) { +static inline size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( + Eurydice_slice a, Eurydice_slice result) { size_t sampled = (size_t)0U; for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(a, uint8_t, size_t) / (size_t)3U; i++) { @@ -2232,9 +2344,9 @@ static inline size_t libcrux_ml_kem_vector_rej_sample(Eurydice_slice a, } static inline size_t -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___rej_sample( +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___rej_sample( Eurydice_slice a, Eurydice_slice out) { - return libcrux_ml_kem_vector_rej_sample(a, out); + return libcrux_ml_kem_vector_portable_sampling_rej_sample(a, out); } #define LIBCRUX_ML_KEM_MLKEM768_VECTOR_U_COMPRESSION_FACTOR_768 ((size_t)10U) 
@@ -2301,59 +2413,59 @@ typedef libcrux_ml_kem_types_MlKemPublicKey____1184size_t LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE) typedef struct - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_s { - libcrux_ml_kem_vector_portable_PortableVector coefficients[16U]; -} libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_s { + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients[16U]; +} libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector; -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector( void) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector lit; lit.coefficients[0U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[1U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + 
libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[2U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[3U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[4U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[5U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[6U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[7U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + 
libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[8U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[9U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[10U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[11U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[12U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[13U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + 
libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[14U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); lit.coefficients[15U] = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(); + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); return lit; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1088size_t_10size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1088size_t_10size_t( size_t _) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_decompress_ciphertext_coefficient___10int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector 
+libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___10int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -2366,18 +2478,19 @@ libcrux_ml_kem_vector_decompress_ciphertext_coefficient___10int32_t( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___10int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_decompress_ciphertext_coefficient___10int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___10int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___10int32_t( + v); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_then_decompress_10__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_then_decompress_10__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(serialized, 
uint8_t, size_t) / (size_t)20U; @@ -2388,20 +2501,20 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_10__libcrux_ml_kem_vector_p (CLITERAL(core_ops_range_Range__size_t){ .start = i0 * (size_t)20U, .end = i0 * (size_t)20U + (size_t)20U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_10( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_10( bytes); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___10int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___10int32_t( coefficient); re.coefficients[i0] = uu____0; } return re; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_decompress_ciphertext_coefficient___11int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___11int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -2414,18 +2527,19 @@ libcrux_ml_kem_vector_decompress_ciphertext_coefficient___11int32_t( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___11int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_decompress_ciphertext_coefficient___11int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___11int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___11int32_t( + v); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_then_decompress_11__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_then_decompress_11__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(serialized, 
uint8_t, size_t) / (size_t)22U; 
@@ -2436,61 +2550,62 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_11__libcrux_ml_kem_vector_p (CLITERAL(core_ops_range_Range__size_t){ .start = i0 * (size_t)22U, .end = i0 * (size_t)22U + (size_t)22U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_11( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_11( bytes); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___11int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___11int32_t( coefficient); re.coefficients[i0] = uu____0; } return re; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_portable_PortableVector_10size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_10size_t( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector 
uu____0; uu____0 = - libcrux_ml_kem_serialize_deserialize_then_decompress_10__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_deserialize_then_decompress_10__libcrux_ml_kem_vector_portable_vector_type_PortableVector( serialized); return uu____0; } typedef struct - K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector_s { - libcrux_ml_kem_vector_portable_PortableVector fst; - libcrux_ml_kem_vector_portable_PortableVector snd; -} K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector; - -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_traits_montgomery_multiply_fe__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_vector_portable_PortableVector v, int16_t fer) { - return libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___montgomery_multiply_by_constant( + K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector_s { + libcrux_ml_kem_vector_portable_vector_type_PortableVector fst; + libcrux_ml_kem_vector_portable_vector_type_PortableVector snd; +} K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector; + +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_traits_montgomery_multiply_fe__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t fer) { + return libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___montgomery_multiply_by_constant( v, fer); } -static inline K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector 
-libcrux_ml_kem_ntt_ntt_layer_int_vec_step__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_vector_portable_PortableVector a, - libcrux_ml_kem_vector_portable_PortableVector b, int16_t zeta_r) { - libcrux_ml_kem_vector_portable_PortableVector t = - libcrux_ml_kem_vector_traits_montgomery_multiply_fe__libcrux_ml_kem_vector_portable_PortableVector( +static inline K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_ntt_ntt_layer_int_vec_step__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector b, + int16_t zeta_r) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector t = + libcrux_ml_kem_vector_traits_montgomery_multiply_fe__libcrux_ml_kem_vector_portable_vector_type_PortableVector( b, zeta_r); - b = libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___sub( + b = libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___sub( a, &t); - a = libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + a = libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( a, &t); return (CLITERAL( - K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector){ + K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector){ .fst = a, .snd = b}); } static inline void -libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( 
+libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t layer, size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; @@ -2502,14 +2617,14 @@ libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableV size_t step_vec = step / (size_t)16U; for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { size_t j = i; - K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector + K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_ntt_ntt_layer_int_vec_step__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_layer_int_vec_step__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re->coefficients[j], re->coefficients[j + step_vec], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R [zeta_i[0U]]); - libcrux_ml_kem_vector_portable_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_PortableVector y = uu____0.snd; + libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; + libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; re->coefficients[j] = x; re->coefficients[j + step_vec] = y; } 
@@ -2517,109 +2632,114 @@ libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableV } static inline void -libcrux_ml_kem_ntt_ntt_at_layer_3__libcrux_ml_kem_vector_portable_PortableVector( +libcrux_ml_kem_ntt_ntt_at_layer_3__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t _layer, size_t _initial_coefficient_bound) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_layer_3_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re->coefficients[round] = uu____0;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_layer_3_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); + re->coefficients[round] = uu____0; + } } static inline void -libcrux_ml_kem_ntt_ntt_at_layer_2__libcrux_ml_kem_vector_portable_PortableVector( +libcrux_ml_kem_ntt_ntt_at_layer_2__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t _layer, size_t _initial_coefficient_bound) { 
- KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_layer_2_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)1U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_layer_2_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + } } static inline void -libcrux_ml_kem_ntt_ntt_at_layer_1__libcrux_ml_kem_vector_portable_PortableVector( +libcrux_ml_kem_ntt_ntt_at_layer_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t _layer, size_t _initial_coefficient_bound) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_layer_1_step( - 
re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)1U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)2U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)3U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] + (size_t)1U; + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_layer_1_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + + (size_t)3U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] + (size_t)3U; + } } static inline void -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *self) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - 
libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___barrett_reduce( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___barrett_reduce( self->coefficients[i0]); self->coefficients[i0] = uu____0; } } static inline void -libcrux_ml_kem_ntt_ntt_vector_u__libcrux_ml_kem_vector_portable_PortableVector_10size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_ntt_ntt_vector_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_10size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re) { size_t zeta_i = (size_t)0U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)7U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)6U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)5U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)4U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_3__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, 
re, (size_t)3U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_2__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)2U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)1U, (size_t)3328U); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re); } static inline void -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1088size_t_10size_t( +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1088size_t_10size_t( uint8_t *ciphertext, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector u_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - u_as_ntt[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + u_as_ntt[i] = + 
libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t, 
@@ -2640,24 +2760,24 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u__libcrux_ml_kem_vector_port LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_portable_PortableVector_10size_t( + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_10size_t( u_bytes); u_as_ntt[i0] = uu____0; - libcrux_ml_kem_ntt_ntt_vector_u__libcrux_ml_kem_vector_portable_PortableVector_10size_t( + libcrux_ml_kem_ntt_ntt_vector_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_10size_t( &u_as_ntt[i0]); } memcpy( ret, u_as_ntt, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_decompress_ciphertext_coefficient___4int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___4int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -2670,18 +2790,19 @@ libcrux_ml_kem_vector_decompress_ciphertext_coefficient___4int32_t( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___4int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_decompress_ciphertext_coefficient___4int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___4int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___4int32_t( + v); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_then_decompress_4__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_then_decompress_4__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(serialized, uint8_t, 
size_t) / (size_t)8U; i++) { @@ -2691,20 +2812,20 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_4__libcrux_ml_kem_vector_po (CLITERAL(core_ops_range_Range__size_t){ .start = i0 * (size_t)8U, .end = i0 * (size_t)8U + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_4( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_4( bytes); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___4int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___4int32_t( coefficient); re.coefficients[i0] = uu____0; } return re; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_decompress_ciphertext_coefficient___5int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___5int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -2717,18 +2838,19 @@ libcrux_ml_kem_vector_decompress_ciphertext_coefficient___5int32_t( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___5int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_decompress_ciphertext_coefficient___5int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___5int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient___5int32_t( + v); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_then_decompress_5__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_then_decompress_5__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(serialized, uint8_t, 
size_t) / (size_t)10U; 
@@ -2739,41 +2861,41 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_5__libcrux_ml_kem_vector_po (CLITERAL(core_ops_range_Range__size_t){ .start = i0 * (size_t)10U, .end = i0 * (size_t)10U + (size_t)10U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_5( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_5( bytes); re.coefficients[i0] = uu____0; - libcrux_ml_kem_vector_portable_PortableVector uu____1 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___decompress_ciphertext_coefficient___5int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___decompress_ciphertext_coefficient___5int32_t( re.coefficients[i0]); re.coefficients[i0] = uu____1; } return re; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_portable_PortableVector_4size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_portable_vector_type_PortableVector_4size_t( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0; uu____0 = - libcrux_ml_kem_serialize_deserialize_then_decompress_4__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_deserialize_then_decompress_4__libcrux_ml_kem_vector_portable_vector_type_PortableVector( serialized); return uu____0; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure__libcrux_ml_kem_vector_portable_PortableVector_3size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( size_t _) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = - 
libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; @@ -2784,8 +2906,8 @@ libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element__libcrux_ml_ke (CLITERAL(core_ops_range_Range__size_t){ .start = i0 * (size_t)24U, .end = i0 * (size_t)24U + (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_12( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_12( bytes); re.coefficients[i0] = uu____0; } 
@@ -2793,16 +2915,16 @@ libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element__libcrux_ml_ke } static inline void -libcrux_ml_kem_ind_cpa_deserialize_secret_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t( +libcrux_ml_kem_ind_cpa_deserialize_secret_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( Eurydice_slice secret_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector secret_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - secret_as_ntt[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + secret_as_ntt[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -2815,9 +2937,9 @@ libcrux_ml_kem_ind_cpa_deserialize_secret_key__libcrux_ml_kem_vector_portable_Po .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( secret_bytes); secret_as_ntt[i0] = uu____0; } 
@@ -2825,23 +2947,23 @@ libcrux_ml_kem_ind_cpa_deserialize_secret_key__libcrux_ml_kem_vector_portable_Po ret, secret_as_ntt, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector out = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = 
i; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ntt_multiply( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ntt_multiply( &self->coefficients[i0], &rhs->coefficients[i0], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + (size_t)4U * i0], 
@@ -2860,104 +2982,111 @@ libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vec } static inline void -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *rhs) { for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_portable_PortableVector, Eurydice_slice), - libcrux_ml_kem_vector_portable_PortableVector, size_t); + i < core_slice___Slice_T___len( + Eurydice_array_to_slice( + (size_t)16U, self->coefficients, + libcrux_ml_kem_vector_portable_vector_type_PortableVector, + Eurydice_slice), + libcrux_ml_kem_vector_portable_vector_type_PortableVector, + size_t); i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( self->coefficients[i0], &rhs->coefficients[i0]); self->coefficients[i0] = uu____0; } } static inline void 
-libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1__libcrux_ml_kem_vector_portable_PortableVector( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t _layer) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___inv_ntt_layer_1_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)1U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)2U], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)3U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___inv_ntt_layer_1_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)2U], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)3U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] - (size_t)3U; + } } static inline void 
-libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2__libcrux_ml_kem_vector_portable_PortableVector( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t _layer) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___inv_ntt_layer_2_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)1U;); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___inv_ntt_layer_2_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - + (size_t)1U]); + re->coefficients[round] = uu____0; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + } } static inline void -libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3__libcrux_ml_kem_vector_portable_PortableVector( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t _layer) { - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; - zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___inv_ntt_layer_3_step( - re->coefficients[round], - libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); - re->coefficients[round] = uu____0;); -} - -static inline K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_vector_portable_PortableVector a, - libcrux_ml_kem_vector_portable_PortableVector b, int16_t zeta_r) { - libcrux_ml_kem_vector_portable_PortableVector a_minus_b = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___sub( + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t round = i; + zeta_i[0U] = zeta_i[0U] - (size_t)1U; + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___inv_ntt_layer_3_step( + re->coefficients[round], + libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); + re->coefficients[round] = uu____0; + } +} + +static inline K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a, + libcrux_ml_kem_vector_portable_vector_type_PortableVector b, + 
int16_t zeta_r) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a_minus_b = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___sub( b, &a); - a = libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___barrett_reduce( - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + a = libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___barrett_reduce( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( a, &b)); - b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe__libcrux_ml_kem_vector_portable_PortableVector( + b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe__libcrux_ml_kem_vector_portable_vector_type_PortableVector( a_minus_b, zeta_r); return (CLITERAL( - K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector){ + K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector){ .fst = a, .snd = b}); } static inline void -libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( size_t *zeta_i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, size_t layer) { size_t step = (size_t)1U << (uint32_t)layer; 
@@ -2971,14 +3100,14 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_port step / LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { size_t j = i; - K___libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_vector_portable_PortableVector + K___libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re->coefficients[j], re->coefficients[j + step_vec], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R [zeta_i[0U]]); - libcrux_ml_kem_vector_portable_PortableVector x = uu____0.fst; - libcrux_ml_kem_vector_portable_PortableVector y = uu____0.snd; + libcrux_ml_kem_vector_portable_vector_type_PortableVector x = uu____0.fst; + libcrux_ml_kem_vector_portable_vector_type_PortableVector y = uu____0.snd; re->coefficients[j] = x; re->coefficients[j + step_vec] = y; } 
@@ -2986,80 +3115,82 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_port } static inline void -libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re) { size_t zeta_i = LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)1U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)2U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)3U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)4U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)5U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + 
libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)6U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)7U); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___subtract_reduce__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___subtract_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient_normal_form = - 
libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___montgomery_multiply_by_constant( - b.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___barrett_reduce( - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector + coefficient_normal_form = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___montgomery_multiply_by_constant( + b.coefficients[i0], (int16_t)1441); + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___barrett_reduce( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___sub( self->coefficients[i0], &coefficient_normal_form)); b.coefficients[i0] = uu____0; } return b; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_matrix_compute_message__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_matrix_compute_message__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *v, - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *secret_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector result = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - product = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_PortableVector( - &secret_as_ntt[i0], &u_as_ntt[i0]); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - &result, &product);); - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + product = + 
libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + &secret_as_ntt[i0], &u_as_ntt[i0]); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + &result, &product); + } + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( &result); result = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___subtract_reduce__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___subtract_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( v, result); return result; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_shift_right___15int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_arithmetic_shift_right___15int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; 
@@ -3068,76 +3199,78 @@ libcrux_ml_kem_vector_shift_right___15int32_t( return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___shift_right___15int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_shift_right___15int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___shift_right___15int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_arithmetic_shift_right___15int32_t(v); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_vector_portable_PortableVector a) { - libcrux_ml_kem_vector_portable_PortableVector t = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___shift_right___15int32_t( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector t = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___shift_right___15int32_t( a); - libcrux_ml_kem_vector_portable_PortableVector fm = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___bitwise_and_with_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector fm = + 
libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___bitwise_and_with_constant( t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + return libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( a, &fm); } static inline void -libcrux_ml_kem_serialize_compress_then_serialize_message__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_compress_then_serialize_message__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_PortableVector( - re.coefficients[i0]); - libcrux_ml_kem_vector_portable_PortableVector coefficient_compressed = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress_1( - coefficient); - uint8_t bytes[2U]; - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_1( - coefficient_compressed, bytes); - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)32U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)2U * i0, .end = (size_t)2U * i0 + (size_t)2U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - 
core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *);); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t i0 = i; + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + re.coefficients[i0]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector + coefficient_compressed = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress_1( + coefficient); + uint8_t bytes[2U]; + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_1( + coefficient_compressed, bytes); + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)32U, serialized, + (CLITERAL(core_ops_range_Range__size_t){ + .start = (size_t)2U * i0, .end = (size_t)2U * i0 + (size_t)2U}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + core_slice___Slice_T___copy_from_slice( + uu____0, + Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), + uint8_t, void *); + } memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } static inline void -libcrux_ml_kem_ind_cpa_decrypt__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1088size_t_960size_t_10size_t_4size_t( +libcrux_ml_kem_ind_cpa_decrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1088size_t_960size_t_10size_t_4size_t( Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector u_as_ntt[3U]; - 
libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1088size_t_10size_t( + libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1088size_t_10size_t( ciphertext, u_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - v = libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_portable_PortableVector_4size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + v = libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v__libcrux_ml_kem_vector_portable_vector_type_PortableVector_4size_t( Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, uint8_t, size_t, Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector secret_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_secret_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_ind_cpa_deserialize_secret_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector message = - libcrux_ml_kem_matrix_compute_message__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_matrix_compute_message__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( &v, secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message__libcrux_ml_kem_vector_portable_PortableVector( + 
libcrux_ml_kem_serialize_compress_then_serialize_message__libcrux_ml_kem_vector_portable_vector_type_PortableVector( message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -3162,18 +3295,18 @@ libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K_ memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure__libcrux_ml_kem_vector_portable_PortableVector_1152size_t_3size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_1152size_t_3size_t( size_t _i) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + 
libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; @@ -3184,11 +3317,11 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vec (CLITERAL(core_ops_range_Range__size_t){ .start = i0 * (size_t)24U, .end = i0 * (size_t)24U + (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_12( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_12( bytes); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___cond_subtract_3329( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___cond_subtract_3329( coefficient); re.coefficients[i0] = uu____0; } 
@@ -3196,16 +3329,16 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vec } static inline void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_PortableVector_1152size_t_3size_t( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_vector_type_PortableVector_1152size_t_3size_t( Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector deserialized_pk[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + deserialized_pk[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; 
@@ -3218,9 +3351,9 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vecto .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( ring_element); deserialized_pk[i0] = uu____0; } 
@@ -3228,31 +3361,31 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vecto ret, deserialized_pk, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_matrix_sample_matrix_A_closure_closure__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_matrix_sample_matrix_A_closure_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( size_t _j) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } static inline void -libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( +libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( size_t _i, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret0[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + ret0[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } memcpy( ret, ret0, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } typedef struct 
@@ -3264,24 +3397,23 @@ static inline libcrux_ml_kem_hash_functions_portable_PortableHash____3size_t libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____shake128_init_absorb___3size_t( uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t state[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - state[i] = libcrux_sha3_portable_incremental_shake128_init();); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &state[i0]; - libcrux_sha3_portable_incremental_shake128_absorb_final( - uu____0, Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, - Eurydice_slice));); - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____1[3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + state[i] = libcrux_sha3_portable_incremental_shake128_init(); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_absorb_final( + &state[i0], Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, + Eurydice_slice)); + } + libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t uu____0[3U]; memcpy( - uu____1, state, + uu____0, state, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); libcrux_ml_kem_hash_functions_portable_PortableHash____3size_t lit; memcpy( - lit.shake128_state, uu____1, + lit.shake128_state, uu____0, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t)); return lit; 
@@ -3292,54 +3424,57 @@ libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K_ libcrux_ml_kem_hash_functions_portable_PortableHash____3size_t *self, uint8_t ret[3U][504U]) { uint8_t out[3U][504U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; - libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( - uu____0, Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice));); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, + Eurydice_slice)); + } memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); } static inline bool -libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_PortableVector_3size_t_504size_t( +libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_504size_t( uint8_t randomness[3U][504U], size_t *sampled_coefficients, int16_t (*out)[272U]) { - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)504U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - 
(CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)504U / (size_t)24U; i++) { + size_t r = i; + if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)504U, randomness[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = r * (size_t)24U, + .end = r * (size_t)24U + (size_t)24U}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + size_t sampled = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___rej_sample( + uu____0, + Eurydice_array_to_subslice( + (size_t)272U, out[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = sampled_coefficients[i1], + .end = sampled_coefficients[i1] + (size_t)16U}), + int16_t, core_ops_range_Range__size_t, Eurydice_slice)); + size_t uu____1 = i1; + sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; + } + } + } + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + if (sampled_coefficients[i0] >= + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + sampled_coefficients[i0] = + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } else { + done = false; + } + } return done; } 
@@ -3348,68 +3483,71 @@ libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K_ libcrux_ml_kem_hash_functions_portable_PortableHash____3size_t *self, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *uu____0 = - &self->shake128_state[i0]; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - uu____0, Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice));); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &self->shake128_state[i0], + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, + Eurydice_slice)); + } memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); } static inline bool -libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_PortableVector_3size_t_168size_t( +libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_168size_t( uint8_t randomness[3U][168U], size_t *sampled_coefficients, int16_t (*out)[272U]) { - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { - size_t r = i; - if (sampled_coefficients[i1] < - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)168U, randomness[i1], - (CLITERAL(core_ops_range_Range__size_t){ - .start = r * (size_t)24U, - .end = r * (size_t)24U + (size_t)24U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - size_t sampled = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___rej_sample( - uu____0, - Eurydice_array_to_subslice( - (size_t)272U, out[i1], - 
(CLITERAL(core_ops_range_Range__size_t){ - .start = sampled_coefficients[i1], - .end = sampled_coefficients[i1] + (size_t)16U}), - int16_t, core_ops_range_Range__size_t, Eurydice_slice)); - size_t uu____1 = i1; - sampled_coefficients[uu____1] = - sampled_coefficients[uu____1] + sampled; - } - }); - bool done = true; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - if (sampled_coefficients[i0] >= + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)24U; i++) { + size_t r = i; + if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - sampled_coefficients[i0] = - LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; - } else { done = false; }); + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)168U, randomness[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = r * (size_t)24U, + .end = r * (size_t)24U + (size_t)24U}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + size_t sampled = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___rej_sample( + uu____0, + Eurydice_array_to_subslice( + (size_t)272U, out[i1], + (CLITERAL(core_ops_range_Range__size_t){ + .start = sampled_coefficients[i1], + .end = sampled_coefficients[i1] + (size_t)16U}), + int16_t, core_ops_range_Range__size_t, Eurydice_slice)); + size_t uu____1 = i1; + sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; + } + } + } + bool done = true; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + if (sampled_coefficients[i0] >= + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { + sampled_coefficients[i0] = + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT; + } else { + done = false; + } + } return done; } -static inline 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector result = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___from_i16_array( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___from_i16_array( Eurydice_slice_subslice( a, (CLITERAL(core_ops_range_Range__size_t){ 
@@ -3421,10 +3559,10 @@ libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vec return result; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_sampling_sample_from_xof_closure__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_sampling_sample_from_xof_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( int16_t s[272U]) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_PortableVector( + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_array_to_subslice((size_t)272U, s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)256U}), @@ -3433,9 +3571,9 @@ libcrux_ml_kem_sampling_sample_from_xof_closure__libcrux_ml_kem_vector_portable_ } static inline void -libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( +libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( uint8_t seeds[3U][34U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { size_t sampled_coefficients[3U] = {0U}; int16_t out[3U][272U] = {{0U}}; 
@@ -3450,7 +3588,7 @@ libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_portable_Portable uint8_t uu____1[3U][504U]; memcpy(uu____1, randomness0, (size_t)3U * sizeof(uint8_t[504U])); bool done = - libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_PortableVector_3size_t_504size_t( + libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_504size_t( uu____1, sampled_coefficients, out); while (true) { if (done) { 
@@ -3462,109 +3600,114 @@ libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_portable_Portable uint8_t uu____2[3U][168U]; memcpy(uu____2, randomness, (size_t)3U * sizeof(uint8_t[168U])); done = - libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_PortableVector_3size_t_168size_t( + libcrux_ml_kem_sampling_sample_from_uniform_distribution_next__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_168size_t( uu____2, sampled_coefficients, out); } } int16_t uu____3[3U][272U]; memcpy(uu____3, out, (size_t)3U * sizeof(int16_t[272U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret0[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = - libcrux_ml_kem_sampling_sample_from_xof_closure__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( - uu____3[i]);); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + ret0[i] = + libcrux_ml_kem_sampling_sample_from_xof_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( + uu____3[i]); + } memcpy( ret, ret0, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } static inline void -libcrux_ml_kem_matrix_sample_matrix_A__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( +libcrux_ml_kem_matrix_sample_matrix_A__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( uint8_t seed[34U], bool transpose, - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U][3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector A_transpose[3U][3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( - i, A_transpose[i]);); - KRML_MAYBE_FOR3( - i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); - uint8_t seeds[3U][34U]; KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; - seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[3U][34U]; - memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( - uu____1, sampled); - for ( - size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice( - (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, - size_t); - i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - sample = 
sampled[j]; - if (transpose) { - A_transpose[j][i1] = sample; - } else { - A_transpose[i1][j] = sample; - } - }); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + libcrux_ml_kem_matrix_sample_matrix_A_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( + i, A_transpose[i]); + } + for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { + size_t i1 = i0; + uint8_t uu____0[34U]; + memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + uint8_t seeds[3U][34U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t j = i; + seeds[j][32U] = (uint8_t)i1; + seeds[j][33U] = (uint8_t)j; + } + uint8_t uu____1[3U][34U]; + memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + sampled[3U]; + libcrux_ml_kem_sampling_sample_from_xof__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( + uu____1, sampled); + for ( + size_t i = (size_t)0U; + i < + core_slice___Slice_T___len( + Eurydice_array_to_slice( + (size_t)3U, sampled, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, + Eurydice_slice), + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, + size_t); + i++) { + size_t j = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + sample = sampled[j]; + if (transpose) { + A_transpose[j][i1] = sample; + } else { + A_transpose[i1][j] = sample; + } + } + } memcpy( ret, A_transpose, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector [3U])); } typedef struct - K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t_s { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t_s { + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector fst[3U]; uint8_t snd; -} K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t; +} K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t; -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_closure__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( size_t _i) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } static inline void 
libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____PRFxN___3size_t_128size_t( uint8_t (*input)[33U], uint8_t ret[3U][128U]) { uint8_t out[3U][128U] = {{0U}}; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_slice((size_t)128U, out[i0], - uint8_t, Eurydice_slice); - libcrux_sha3_portable_shake256( - uu____0, Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, + Eurydice_slice)); + } memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_sampling_sample_from_binomial_distribution_2__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_sampling_sample_from_binomial_distribution_2__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; 
@@ -3606,13 +3749,13 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2__libcrux_ml_kem_vect sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_PortableVector( + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_sampling_sample_from_binomial_distribution_3__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_sampling_sample_from_binomial_distribution_3__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; 
@@ -3652,164 +3795,170 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3__libcrux_ml_kem_vect sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_PortableVector( + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___from_i16_array__libcrux_ml_kem_vector_portable_vector_type_PortableVector( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_PortableVector_2size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_vector_type_PortableVector_2size_t( Eurydice_slice randomness) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0; uu____0 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution_2__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_sampling_sample_from_binomial_distribution_2__libcrux_ml_kem_vector_portable_vector_type_PortableVector( randomness); return uu____0; } static inline void -libcrux_ml_kem_ntt_ntt_at_layer_7__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_ntt_ntt_at_layer_7__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re) { size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U; for (size_t i = (size_t)0U; i < step; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_PortableVector t = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___multiply_by_constant( + libcrux_ml_kem_vector_portable_vector_type_PortableVector t = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___multiply_by_constant( re->coefficients[j + step], (int16_t)-1600); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___sub( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___sub( re->coefficients[j], &t); re->coefficients[j + step] = uu____0; - libcrux_ml_kem_vector_portable_PortableVector uu____1 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( re->coefficients[j], &t); re->coefficients[j] = uu____1; } } static inline void -libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector 
+libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re) { - libcrux_ml_kem_ntt_ntt_at_layer_7__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_7__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re); size_t zeta_i = (size_t)1U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)6U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)5U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_4_plus__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)4U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_3__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_3__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)3U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_2__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_2__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)2U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_1__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_ntt_ntt_at_layer_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &zeta_i, re, (size_t)1U, (size_t)3U); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_PortableVector( + 
libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___poly_barrett_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re); } -static inline K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t -libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( +static inline K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t +libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re_as_ntt[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - re_as_ntt[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + re_as_ntt[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } uint8_t uu____0[33U]; memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = 
(uint32_t)domain_separator + 1U;); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + prf_inputs[i0][32U] = domain_separator; + domain_separator = (uint32_t)domain_separator + 1U; + } uint8_t prf_outputs[3U][128U]; libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____PRFxN___3size_t_128size_t( prf_inputs, prf_outputs); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - uu____1 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_PortableVector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; - libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_portable_PortableVector( - &re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + uu____1 = + libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_vector_type_PortableVector_2size_t( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, + Eurydice_slice)); + re_as_ntt[i0] = uu____1; + libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + &re_as_ntt[i0]); + } + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____2[3U]; memcpy( uu____2, re_as_ntt, (size_t)3U * sizeof( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); - K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); + K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t lit; memcpy( lit.fst, uu____2, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); lit.snd = domain_separator; return lit; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_128size_t_2size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_128size_t_2size_t( size_t _i) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } -static inline K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t 
-libcrux_ml_kem_ind_cpa_sample_ring_element_cbd__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_128size_t_2size_t( +static inline K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t +libcrux_ml_kem_ind_cpa_sample_ring_element_cbd__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_128size_t_2size_t( uint8_t prf_input[33U], uint8_t domain_separator) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector error_1[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - error_1[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + error_1[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } uint8_t uu____0[33U]; memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - prf_inputs[i0][32U] = domain_separator; - domain_separator = (uint32_t)domain_separator + 1U;); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + prf_inputs[i0][32U] = domain_separator; + domain_separator = (uint32_t)domain_separator + 1U; + } uint8_t 
prf_outputs[3U][128U]; libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____PRFxN___3size_t_128size_t( prf_inputs, prf_outputs); - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - uu____1 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_PortableVector_2size_t( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], - uint8_t, Eurydice_slice)); - error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + uu____1 = + libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_vector_type_PortableVector_2size_t( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, + Eurydice_slice)); + error_1[i0] = uu____1; + } + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____2[3U]; memcpy( uu____2, error_1, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); - K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); + K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t lit; memcpy( lit.fst, uu____2, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); lit.snd = domain_separator; return lit; } 
@@ -3824,63 +3973,64 @@ libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K_ memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_matrix_compute_vector_u_closure__libcrux_ml_kem_vector_portable_PortableVector_3size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_matrix_compute_vector_u_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( size_t _i) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } static inline void -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_error_reduce__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_error_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient_normal_form = - 
libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___montgomery_multiply_by_constant( - self->coefficients[j], (int16_t)1441); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___barrett_reduce( - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector + coefficient_normal_form = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___montgomery_multiply_by_constant( + self->coefficients[j], (int16_t)1441); + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___barrett_reduce( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( coefficient_normal_form, &error->coefficients[j])); self->coefficients[j] = uu____0; } } static inline void -libcrux_ml_kem_matrix_compute_vector_u__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector ( +libcrux_ml_kem_matrix_compute_vector_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ( *a_as_ntt)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *r_as_ntt, - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *error_1, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector result[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + result[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } for ( size_t i0 = (size_t)0U; i0 < core_slice___Slice_T___len( Eurydice_array_to_slice( (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector [3U], Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector [3U], size_t); i0++) { size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *row = a_as_ntt[i1]; for ( size_t i = (size_t)0U; 
@@ -3888,157 +4038,163 @@ libcrux_ml_kem_matrix_compute_vector_u__libcrux_ml_kem_vector_portable_PortableV core_slice___Slice_T___len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, size_t); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *a_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector product = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_vector_type_PortableVector( a_element, &r_as_ntt[j]); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( &result[i1], &product); } - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + 
libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( &result[i1]); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_error_reduce__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_error_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &result[i1], &error_1[i1]); } memcpy( ret, result, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_traits_decompress_1__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___bitwise_and_with_constant( - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___sub( - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___ZERO(), - &v), +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_traits_decompress_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___ZERO(); + return 
libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___bitwise_and_with_constant( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___sub( + uu____0, &v), (int16_t)1665); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_then_decompress_message__libcrux_ml_kem_vector_portable_PortableVector( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_then_decompress_message__libcrux_ml_kem_vector_portable_vector_type_PortableVector( uint8_t serialized[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); - KRML_MAYBE_FOR16( - i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient_compressed = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___deserialize_1( - Eurydice_array_to_subslice( - (size_t)32U, serialized, - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)2U * i0, - .end = (size_t)2U * i0 + (size_t)2U}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector_traits_decompress_1__libcrux_ml_kem_vector_portable_PortableVector( - coefficient_compressed); - re.coefficients[i0] = uu____0;); + 
libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + for (size_t i = (size_t)0U; i < (size_t)16U; i++) { + size_t i0 = i; + libcrux_ml_kem_vector_portable_vector_type_PortableVector + coefficient_compressed = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___deserialize_1( + Eurydice_array_to_subslice( + (size_t)32U, serialized, + (CLITERAL(core_ops_range_Range__size_t){ + .start = (size_t)2U * i0, + .end = (size_t)2U * i0 + (size_t)2U}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_traits_decompress_1__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + coefficient_compressed); + re.coefficients[i0] = uu____0; + } return re; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_message_error_reduce__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_message_error_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *message, - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector result) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient_normal_form = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___montgomery_multiply_by_constant( - result.coefficients[i0], (int16_t)1441); - libcrux_ml_kem_vector_portable_PortableVector tmp = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector + coefficient_normal_form = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___montgomery_multiply_by_constant( + result.coefficients[i0], (int16_t)1441); + libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( self->coefficients[i0], &message->coefficients[i0]); - libcrux_ml_kem_vector_portable_PortableVector tmp0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector tmp0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( coefficient_normal_form, &tmp); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___barrett_reduce( + 
libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___barrett_reduce( tmp0); result.coefficients[i0] = uu____0; } return result; } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_matrix_compute_ring_element_v__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_matrix_compute_ring_element_v__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *t_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *r_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *error_2, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector result = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); - KRML_MAYBE_FOR3( 
- i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - product = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_PortableVector( - &t_as_ntt[i0], &r_as_ntt[i0]); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - &result, &product);); - libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + product = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + &t_as_ntt[i0], &r_as_ntt[i0]); + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + &result, &product); + } + libcrux_ml_kem_invert_ntt_invert_ntt_montgomery__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( &result); result = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_message_error_reduce__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_message_error_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( error_2, message, result); return 
result; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_compress___10int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_compress___10int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int16_t uu____0 = libcrux_ml_kem_vector_compress_ciphertext_coefficient( - (uint8_t)(int32_t)10, (uint16_t)v.elements[i0]); + int16_t uu____0 = + libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( + (uint8_t)(int32_t)10, (uint16_t)v.elements[i0]); v.elements[i0] = uu____0; } return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___10int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_compress___10int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___10int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress___10int32_t(v); } static inline void -libcrux_ml_kem_serialize_compress_then_serialize_10__libcrux_ml_kem_vector_portable_PortableVector_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_compress_then_serialize_10__libcrux_ml_kem_vector_portable_vector_type_PortableVector_320size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, uint8_t ret[320U]) { uint8_t serialized[320U] = 
{0U}; for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___10int32_t( - libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___10int32_t( + libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re->coefficients[i0])); uint8_t bytes[20U]; - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_10( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_10( coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice( (size_t)320U, serialized, 
@@ -4053,40 +4209,41 @@ libcrux_ml_kem_serialize_compress_then_serialize_10__libcrux_ml_kem_vector_porta memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_compress___11int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_compress___11int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int16_t uu____0 = libcrux_ml_kem_vector_compress_ciphertext_coefficient( - (uint8_t)(int32_t)11, (uint16_t)v.elements[i0]); + int16_t uu____0 = + libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( + (uint8_t)(int32_t)11, (uint16_t)v.elements[i0]); v.elements[i0] = uu____0; } return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___11int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_compress___11int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___11int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress___11int32_t(v); } static inline void -libcrux_ml_kem_serialize_compress_then_serialize_11__libcrux_ml_kem_vector_portable_PortableVector_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_compress_then_serialize_11__libcrux_ml_kem_vector_portable_vector_type_PortableVector_320size_t( + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, uint8_t ret[320U]) { uint8_t serialized[320U] = {0U}; for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___11int32_t( - libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___11int32_t( + libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re->coefficients[i0])); uint8_t bytes[22U]; - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_11( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_11( coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice( (size_t)320U, serialized, 
@@ -4102,19 +4259,19 @@ libcrux_ml_kem_serialize_compress_then_serialize_11__libcrux_ml_kem_vector_porta } static inline void -libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_portable_PortableVector_10size_t_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_10size_t_320size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, uint8_t ret[320U]) { uint8_t uu____0[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_10__libcrux_ml_kem_vector_portable_PortableVector_320size_t( + libcrux_ml_kem_serialize_compress_then_serialize_10__libcrux_ml_kem_vector_portable_vector_type_PortableVector_320size_t( re, uu____0); memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); } static inline void -libcrux_ml_kem_ind_cpa_compress_then_serialize_u__libcrux_ml_kem_vector_portable_PortableVector_3size_t_960size_t_10size_t_320size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_ind_cpa_compress_then_serialize_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_960size_t_10size_t_320size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector input[3U], Eurydice_slice out) { for ( 
@@ -4123,13 +4280,13 @@ libcrux_ml_kem_ind_cpa_compress_then_serialize_u__libcrux_ml_kem_vector_portable core_slice___Slice_T___len( Eurydice_array_to_slice( (size_t)3U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, size_t); i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice( out, @@ -4138,7 +4295,7 @@ libcrux_ml_kem_ind_cpa_compress_then_serialize_u__libcrux_ml_kem_vector_portable .end = (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U)}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); uint8_t ret[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_portable_PortableVector_10size_t_320size_t( + libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_10size_t_320size_t( &re, ret); core_slice___Slice_T___copy_from_slice( uu____0, 
@@ -4147,39 +4304,40 @@ libcrux_ml_kem_ind_cpa_compress_then_serialize_u__libcrux_ml_kem_vector_portable } } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_compress___4int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_compress___4int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int16_t uu____0 = libcrux_ml_kem_vector_compress_ciphertext_coefficient( - (uint8_t)(int32_t)4, (uint16_t)v.elements[i0]); + int16_t uu____0 = + libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( + (uint8_t)(int32_t)4, (uint16_t)v.elements[i0]); v.elements[i0] = uu____0; } return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___4int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_compress___4int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___4int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress___4int32_t(v); } static inline void -libcrux_ml_kem_serialize_compress_then_serialize_4__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_compress_then_serialize_4__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re, Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___4int32_t( - libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___4int32_t( + libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re.coefficients[i0])); uint8_t bytes[8U]; - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_4( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_4( coefficient, bytes); Eurydice_slice uu____0 = Eurydice_slice_subslice( serialized, 
@@ -4193,39 +4351,40 @@ libcrux_ml_kem_serialize_compress_then_serialize_4__libcrux_ml_kem_vector_portab } } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_compress___5int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_compress_compress___5int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int16_t uu____0 = libcrux_ml_kem_vector_compress_ciphertext_coefficient( - (uint8_t)(int32_t)5, (uint16_t)v.elements[i0]); + int16_t uu____0 = + libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( + (uint8_t)(int32_t)5, (uint16_t)v.elements[i0]); v.elements[i0] = uu____0; } return v; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___5int32_t( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector_compress___5int32_t(v); +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___5int32_t( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable_compress_compress___5int32_t(v); } static inline void -libcrux_ml_kem_serialize_compress_then_serialize_5__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_compress_then_serialize_5__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re, Eurydice_slice serialized) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficients = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___compress___5int32_t( - libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___compress___5int32_t( + libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re.coefficients[i0])); uint8_t bytes[10U]; - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_5( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_5( coefficients, bytes); Eurydice_slice uu____0 = Eurydice_slice_subslice( serialized, 
@@ -4240,102 +4399,102 @@ libcrux_ml_kem_serialize_compress_then_serialize_5__libcrux_ml_kem_vector_portab } static inline void -libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_portable_PortableVector_4size_t_128size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_portable_vector_type_PortableVector_4size_t_128size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re, Eurydice_slice out) { - libcrux_ml_kem_serialize_compress_then_serialize_4__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_compress_then_serialize_4__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re, out); } static inline void -libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( +libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1088U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector t_as_ntt[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_PortableVector_1152size_t_3size_t( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_vector_type_PortableVector_1152size_t_3size_t( 
Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice), t_as_ntt); Eurydice_slice seed = Eurydice_slice_subslice_from( public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector A_transpose[3U][3U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array___34size_t(seed, ret0); - libcrux_ml_kem_matrix_sample_matrix_A__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( + libcrux_ml_kem_matrix_sample_matrix_A__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( ret0, false, A_transpose); uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array___33size_t(randomness, prf_input); uint8_t uu____0[33U]; memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t + K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t uu____1 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( uu____0, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector r_as_ntt[3U]; memcpy( r_as_ntt, uu____1.fst, (size_t)3U * sizeof( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); uint8_t domain_separator0 = uu____1.snd; uint8_t uu____2[33U]; memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t + K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t uu____3 = - libcrux_ml_kem_ind_cpa_sample_ring_element_cbd__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_128size_t_2size_t( + libcrux_ml_kem_ind_cpa_sample_ring_element_cbd__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_128size_t_2size_t( uu____2, domain_separator0); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector error_1[3U]; memcpy( error_1, uu____3.fst, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); uint8_t domain_separator = uu____3.snd; prf_input[32U] = domain_separator; uint8_t prf_output[128U]; libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____PRF___3size_t_128size_t( Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), prf_output); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector error_2 = - libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_PortableVector_2size_t( + libcrux_ml_kem_sampling_sample_from_binomial_distribution__libcrux_ml_kem_vector_portable_vector_type_PortableVector_2size_t( Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t, Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector u[3U]; - libcrux_ml_kem_matrix_compute_vector_u__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_matrix_compute_vector_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( A_transpose, r_as_ntt, error_1, u); uint8_t uu____4[32U]; memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_deserialize_then_decompress_message__libcrux_ml_kem_vector_portable_vector_type_PortableVector( uu____4); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector - v = libcrux_ml_kem_matrix_compute_ring_element_v__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector + v = libcrux_ml_kem_matrix_compute_ring_element_v__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); uint8_t ciphertext[1088U] = {0U}; - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____5[3U]; memcpy( uu____5, u, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); - libcrux_ml_kem_ind_cpa_compress_then_serialize_u__libcrux_ml_kem_vector_portable_PortableVector_3size_t_960size_t_10size_t_320size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); + libcrux_ml_kem_ind_cpa_compress_then_serialize_u__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_960size_t_10size_t_320size_t( uu____5, Eurydice_array_to_subslice( (size_t)1088U, ciphertext, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)960U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____6 = v; - libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_portable_PortableVector_4size_t_128size_t( + libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v__libcrux_ml_kem_vector_portable_vector_type_PortableVector_4size_t_128size_t( uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, uint8_t, size_t, Eurydice_slice)); 
@@ -4343,7 +4502,18 @@ libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_portable_PortableVector_li } static inline void -libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( +libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t( + Eurydice_slice shared_secret, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_, + uint8_t ret[32U]) { + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + shared_secret, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +} + +static inline void +libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___libcrux_ml_kem_ind_cca_MlKem_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t uu____0 = 
@@ -4367,7 +4537,7 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_PortableVecto Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1088size_t_960size_t_10size_t_4size_t( + libcrux_ml_kem_ind_cpa_decrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1088size_t_960size_t_10size_t_4size_t( ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array___64size_t( @@ -4387,7 +4557,7 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_PortableVecto Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); - Eurydice_slice shared_secret = uu____3.fst; + Eurydice_slice shared_secret0 = uu____3.fst; Eurydice_slice pseudorandomness = uu____3.snd; uint8_t to_hash[1120U]; libcrux_ml_kem_utils_into_padded_array___1120size_t(implicit_rejection_value, 
@@ -4400,15 +4570,15 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_PortableVecto libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( ciphertext), uint8_t, void *); - uint8_t implicit_rejection_shared_secret[32U]; + uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____PRF___3size_t_32size_t( Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; uint8_t uu____6[32U]; memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( + libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( uu____5, uu____6, pseudorandomness, expected_ciphertext); Eurydice_slice uu____7 = libcrux_ml_kem_types___core__convert__AsRef__Slice_u8___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___1__as_ref___1088size_t( 
@@ -4417,10 +4587,18 @@ libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_PortableVecto libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time___1088size_t( uu____7, Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, Eurydice_slice)); - Eurydice_slice uu____8 = shared_secret; + uint8_t implicit_rejection_shared_secret[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t( + Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, + uint8_t, Eurydice_slice), + ciphertext, implicit_rejection_shared_secret); + uint8_t shared_secret[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t( + shared_secret0, ciphertext, shared_secret); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( - uu____8, + Eurydice_array_to_slice((size_t)32U, shared_secret, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, uint8_t, Eurydice_slice), selector, ret0); 
@@ -4432,7 +4610,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate___3size_t_2400size_t_ libcrux_ml_kem_types_MlKemPrivateKey____2400size_t *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t ret0[32U]; - libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( + libcrux_ml_kem_ind_cca_decapsulate__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___libcrux_ml_kem_ind_cca_MlKem_3size_t_2400size_t_1152size_t_1184size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t_1120size_t( private_key, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -4446,6 +4624,16 @@ static inline void libcrux_ml_kem_mlkem768_portable_decapsulate( memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } +static inline void +libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___entropy_preprocess__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( + Eurydice_slice randomness, uint8_t ret[32U]) { + uint8_t out[32U] = {0U}; + core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), + randomness, uint8_t, void *); + memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); +} + static inline void libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____H___3size_t( Eurydice_slice input, uint8_t ret[32U]) { 
@@ -4457,12 +4645,17 @@ libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K_ } static inline K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ -libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( +libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___libcrux_ml_kem_ind_cca_MlKem_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( libcrux_ml_kem_types_MlKemPublicKey____1184size_t *public_key, uint8_t randomness[32U]) { + uint8_t randomness0[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___entropy_preprocess__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), + randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array___64size_t( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, + Eurydice_slice), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, 
@@ -4496,20 +4689,19 @@ libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_portable_PortableVecto public_key), uint8_t, Eurydice_slice); uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( + libcrux_ml_kem_ind_cpa_encrypt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); uint8_t uu____4[1088U]; memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); - libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = + libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemCiphertext_SIZE___2__from___1088size_t( uu____4); + uint8_t shared_secret_array[32U]; + libcrux_ml_kem_ind_cca___libcrux_ml_kem__ind_cca__Variant_for_libcrux_ml_kem__ind_cca__MlKem___kdf__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t( + shared_secret, &ciphertext0, shared_secret_array); + libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; uint8_t uu____6[32U]; memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); K___libcrux_ml_kem_types_MlKemCiphertext___1088size_t___uint8_t_32size_t_ lit; 
@@ -4525,7 +4717,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate___3size_t_1088size_t_ libcrux_ml_kem_types_MlKemPublicKey____1184size_t *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( + return libcrux_ml_kem_ind_cca_encapsulate__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___libcrux_ml_kem_ind_cca_MlKem_3size_t_1088size_t_1184size_t_1152size_t_960size_t_128size_t_10size_t_4size_t_320size_t_2size_t_128size_t_2size_t_128size_t( uu____0, uu____1); } 
@@ -4540,70 +4732,71 @@ libcrux_ml_kem_mlkem768_portable_encapsulate( uu____0, uu____1); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_matrix_compute_As_plus_e_closure__libcrux_ml_kem_vector_portable_PortableVector_3size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_matrix_compute_As_plus_e_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( size_t _i) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_traits_to_standard_domain__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_vector_portable_PortableVector v) { - return libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___montgomery_multiply_by_constant( +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_traits_to_standard_domain__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + return libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___montgomery_multiply_by_constant( v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } static inline void -libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_standard_error_reduce__libcrux_ml_kem_vector_portable_PortableVector( - 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_standard_error_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *self, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *error) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient_normal_form = - libcrux_ml_kem_vector_traits_to_standard_domain__libcrux_ml_kem_vector_portable_PortableVector( - self->coefficients[j]); - libcrux_ml_kem_vector_portable_PortableVector uu____0 = - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___barrett_reduce( - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___add( + libcrux_ml_kem_vector_portable_vector_type_PortableVector + coefficient_normal_form = + libcrux_ml_kem_vector_traits_to_standard_domain__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + self->coefficients[j]); + libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___barrett_reduce( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___add( coefficient_normal_form, &error->coefficients[j])); self->coefficients[j] = uu____0; } } static inline void 
-libcrux_ml_kem_matrix_compute_As_plus_e__libcrux_ml_kem_vector_portable_PortableVector_3size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector ( +libcrux_ml_kem_matrix_compute_As_plus_e__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ( *matrix_A)[3U], - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *s_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *error_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector result[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + result[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } for ( size_t i0 = (size_t)0U; i0 < core_slice___Slice_T___len( Eurydice_array_to_slice( (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + 
libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector [3U], Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector [3U], size_t); i0++) { size_t i1 = i0; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *row = matrix_A[i1]; for ( size_t i = (size_t)0U; 
@@ -4611,45 +4804,45 @@ libcrux_ml_kem_matrix_compute_As_plus_e__libcrux_ml_kem_vector_portable_Portable core_slice___Slice_T___len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, size_t); i++) { size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *matrix_element = &row[j]; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector product = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ntt_multiply__libcrux_ml_kem_vector_portable_vector_type_PortableVector( matrix_element, &s_as_ntt[j]); - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_to_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( &result[i1], &product); } - 
libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_standard_error_reduce__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___add_standard_error_reduce__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &result[i1], &error_as_ntt[i1]); } memcpy( ret, result, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } static inline void -libcrux_ml_kem_serialize_serialize_uncompressed_ring_element__libcrux_ml_kem_vector_portable_PortableVector( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_serialize_serialize_uncompressed_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector *re, uint8_t ret[384U]) { uint8_t serialized[384U] = {0U}; for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - libcrux_ml_kem_vector_portable_PortableVector coefficient = - libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = + libcrux_ml_kem_vector_traits_to_unsigned_representative__libcrux_ml_kem_vector_portable_vector_type_PortableVector( re->coefficients[i0]); uint8_t bytes[24U]; - libcrux_ml_kem_vector___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__PortableVector___serialize_12( + libcrux_ml_kem_vector_portable___libcrux_ml_kem__vector__traits__Operations_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___serialize_12( coefficient, bytes); 
Eurydice_slice uu____0 = Eurydice_array_to_subslice( (size_t)384U, serialized, @@ -4665,8 +4858,8 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element__libcrux_ml_kem_vec } static inline void -libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector key[3U], uint8_t ret[1152U]) { uint8_t out[1152U] = {0U}; @@ -4676,13 +4869,13 @@ libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_Port core_slice___Slice_T___len( Eurydice_array_to_slice( (size_t)3U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector, + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector, size_t); i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice( (size_t)1152U, out, 
@@ -4692,7 +4885,7 @@ libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_Port LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); uint8_t ret0[384U]; - libcrux_ml_kem_serialize_serialize_uncompressed_ring_element__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_serialize_uncompressed_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( &re, ret0); core_slice___Slice_T___copy_from_slice( uu____0, @@ -4703,8 +4896,8 @@ libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_Port } static inline void -libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t_1184size_t( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector +libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t_1184size_t( + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector t_as_ntt[3U], Eurydice_slice seed_for_a, uint8_t ret[1184U]) { uint8_t public_key_serialized[1184U] = {0U}; 
@@ -4713,15 +4906,15 @@ libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_Port (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, .end = (size_t)1152U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1[3U]; memcpy( uu____1, t_as_ntt, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); uint8_t ret0[1152U]; - libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t( + libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t( uu____1, ret0); core_slice___Slice_T___copy_from_slice( uu____0, @@ -4736,7 +4929,7 @@ libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_Port } static inline libcrux_ml_kem_utils_extraction_helper_Keypair768 -libcrux_ml_kem_ind_cpa_generate_keypair__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( +libcrux_ml_kem_ind_cpa_generate_keypair__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable___libcrux_ml_kem__hash_functions__Hash_K__for_libcrux_ml_kem__hash_functions__portable__PortableHash_K____G___3size_t( 
@@ -4748,64 +4941,64 @@ libcrux_ml_kem_ind_cpa_generate_keypair__libcrux_ml_kem_vector_portable_Portable K___Eurydice_slice_uint8_t_Eurydice_slice_uint8_t); Eurydice_slice seed_for_A = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector A_transpose[3U][3U]; uint8_t ret[34U]; libcrux_ml_kem_utils_into_padded_array___34size_t(seed_for_A, ret); - libcrux_ml_kem_matrix_sample_matrix_A__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( + libcrux_ml_kem_matrix_sample_matrix_A__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t( ret, true, A_transpose); uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array___33size_t(seed_for_secret_and_error, prf_input); uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector_3size_t__uint8_t + K___libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t__uint8_t uu____2 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( uu____1, 0U); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector 
secret_as_ntt[3U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); uint8_t domain_separator = uu____2.snd; uint8_t uu____3[33U]; memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector error_as_ntt[3U]; memcpy( error_as_ntt, - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2size_t_128size_t( uu____3, domain_separator) .fst, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector t_as_ntt[3U]; - libcrux_ml_kem_matrix_compute_As_plus_e__libcrux_ml_kem_vector_portable_PortableVector_3size_t( + libcrux_ml_kem_matrix_compute_As_plus_e__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t( A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector 
uu____4[3U]; memcpy( uu____4, t_as_ntt, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t_1184size_t( + libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t_1184size_t( uu____4, seed_for_A, public_key_serialized); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____5[3U]; memcpy( uu____5, secret_as_ntt, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); uint8_t secret_key_serialized[1152U]; - libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t( + libcrux_ml_kem_ind_cpa_serialize_secret_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t( uu____5, secret_key_serialized); uint8_t uu____6[1152U]; memcpy(uu____6, secret_key_serialized, (size_t)1152U * sizeof(uint8_t)); 
@@ -4879,7 +5072,7 @@ libcrux_ml_kem_ind_cca_serialize_kem_secret_key__libcrux_ml_kem_hash_functions_p } static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( +libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice( (size_t)64U, randomness, 
@@ -4892,32 +5085,31 @@ libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_Portable LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, size_t, Eurydice_slice); libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = - libcrux_ml_kem_ind_cpa_generate_keypair__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( + libcrux_ml_kem_ind_cpa_generate_keypair__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_1184size_t_1152size_t_2size_t_128size_t( ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[1152U]; memcpy(ind_cpa_private_key, uu____0.fst, (size_t)1152U * sizeof(uint8_t)); uint8_t public_key[1184U]; memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); - Eurydice_slice uu____1 = Eurydice_array_to_slice( - (size_t)1152U, ind_cpa_private_key, uint8_t, Eurydice_slice); uint8_t secret_key_serialized[2400U]; libcrux_ml_kem_ind_cca_serialize_kem_secret_key__libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_2400size_t( - uu____1, + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, + Eurydice_slice), Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, Eurydice_slice), implicit_rejection_value, secret_key_serialized); - uint8_t uu____2[2400U]; - memcpy(uu____2, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + uint8_t uu____1[2400U]; + memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey____2400size_t private_key = libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPrivateKey_SIZE___8__from___2400size_t( - uu____2); - libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____3 = private_key; - uint8_t uu____4[1184U]; - memcpy(uu____4, public_key, 
(size_t)1184U * sizeof(uint8_t)); + uu____1); + libcrux_ml_kem_types_MlKemPrivateKey____2400size_t uu____2 = private_key; + uint8_t uu____3[1184U]; + memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types__libcrux_ml_kem__types__MlKemKeyPair_PRIVATE_KEY_SIZE__PUBLIC_KEY_SIZE___from___2400size_t_1184size_t( - uu____3, + uu____2, libcrux_ml_kem_types___core__convert__From__Array_u8__SIZE___for_libcrux_ml_kem__types__MlKemPublicKey_SIZE___14__from___1184size_t( - uu____4)); + uu____3)); } static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair @@ -4925,7 +5117,7 @@ libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair___3size_t_1152si uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( + return libcrux_ml_kem_ind_cca_generate_keypair__libcrux_ml_kem_vector_portable_vector_type_PortableVector_libcrux_ml_kem_hash_functions_portable_PortableHash___3size_t___3size_t_1152size_t_2400size_t_1184size_t_1152size_t_2size_t_128size_t( uu____0); } 
@@ -4937,23 +5129,23 @@ libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { uu____0); } -static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure__libcrux_ml_kem_vector_portable_PortableVector_1184size_t_3size_t( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure__libcrux_ml_kem_vector_portable_vector_type_PortableVector_1184size_t_3size_t( size_t _i) { - return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector(); + return libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); } static inline void -libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_PortableVector_1184size_t_3size_t( +libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_vector_type_PortableVector_1184size_t_3size_t( Eurydice_slice public_key, - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[3U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector deserialized_pk[3U]; - KRML_MAYBE_FOR3( - i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = - libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_PortableVector();); + for (size_t i 
= (size_t)0U; i < (size_t)3U; i++) { + deserialized_pk[i] = + libcrux_ml_kem_polynomial__libcrux_ml_kem__polynomial__PolynomialRingElement_Vector__TraitClause_0___ZERO__libcrux_ml_kem_vector_portable_vector_type_PortableVector(); + } for (size_t i = (size_t)0U; i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -4966,9 +5158,9 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vecto .end = i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_portable_PortableVector( + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element__libcrux_ml_kem_vector_portable_vector_type_PortableVector( ring_element); deserialized_pk[i0] = uu____0; } 
@@ -4976,39 +5168,39 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vecto ret, deserialized_pk, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); } static inline bool -libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t_1184size_t( +libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t_1184size_t( uint8_t *public_key) { - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector deserialized_pk[3U]; - libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_PortableVector_1184size_t_3size_t( + libcrux_ml_kem_serialize_deserialize_ring_elements_reduced__libcrux_ml_kem_vector_portable_vector_type_PortableVector_1184size_t_3size_t( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice), deserialized_pk); - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0[3U]; memcpy( uu____0, deserialized_pk, (size_t)3U * sizeof( - libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_PortableVector)); + libcrux_ml_kem_polynomial_PolynomialRingElement__libcrux_ml_kem_vector_portable_vector_type_PortableVector)); uint8_t public_key_serialized[1184U]; - libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t_1184size_t( + 
libcrux_ml_kem_ind_cpa_serialize_public_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t_1184size_t( uu____0, Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice), public_key_serialized); - return core_array_equality___core__cmp__PartialEq__Array_B__N___for__Array_A__N____eq( + return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } static inline bool libcrux_ml_kem_ind_cca_instantiations_portable_validate_public_key___3size_t_1152size_t_1184size_t( uint8_t *public_key) { - return libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_portable_PortableVector_3size_t_1152size_t_1184size_t( + return libcrux_ml_kem_ind_cca_validate_public_key__libcrux_ml_kem_vector_portable_vector_type_PortableVector_3size_t_1152size_t_1184size_t( public_key); } 
@@ -5030,17 +5222,19 @@ libcrux_ml_kem_mlkem768_portable_validate_public_key( return uu____0; } -static inline libcrux_ml_kem_vector_portable_PortableVector -libcrux_ml_kem_vector_portable___core__clone__Clone_for_libcrux_ml_kem__vector__portable__PortableVector___clone( - libcrux_ml_kem_vector_portable_PortableVector *self) { +static inline libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_vector_portable_vector_type___core__clone__Clone_for_libcrux_ml_kem__vector__portable__vector_type__PortableVector___clone( + libcrux_ml_kem_vector_portable_vector_type_PortableVector *self) { return self[0U]; } -typedef int16_t libcrux_ml_kem_vector_MontgomeryFieldElement; +typedef int16_t libcrux_ml_kem_vector_portable_vector_type_FieldElement; -typedef int16_t libcrux_ml_kem_vector_FieldElementTimesMontgomeryR; +typedef int16_t + libcrux_ml_kem_vector_portable_arithmetic_MontgomeryFieldElement; -typedef int16_t libcrux_ml_kem_vector_FieldElement; +typedef int16_t + libcrux_ml_kem_vector_portable_arithmetic_FieldElementTimesMontgomeryR; #if defined(__cplusplus) } diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h index 51717b013..1e8f134ed 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../cg.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 409fe455 + -funroll-loops 0 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_sha3_avx2_H 
@@ -1252,8 +1252,7 @@ libcrux_sha3_generic_keccak_pi__core_core_arch_x86___m256i_4size_t( libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t *s) { core_core_arch_x86___m256i old[5U][5U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)5U, s->st, old, core_core_arch_x86___m256i[5U], void *); + memcpy(old, s->st, (size_t)5U * sizeof(core_core_arch_x86___m256i[5U])); s->st[0U][1U] = old[1U][1U]; s->st[0U][2U] = old[2U][2U]; s->st[0U][3U] = old[3U][3U]; @@ -1287,14 +1286,17 @@ libcrux_sha3_generic_keccak_chi__core_core_arch_x86___m256i_4size_t( *s) { core_core_arch_x86___m256i old[5U][5U]; memcpy(old, s->st, (size_t)5U * sizeof(core_core_arch_x86___m256i[5U])); - KRML_MAYBE_FOR5( - i0, (size_t)0U, (size_t)5U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR5( - i, (size_t)0U, (size_t)5U, (size_t)1U, size_t j = i; - core_core_arch_x86___m256i uu____0 = - libcrux_sha3_simd_avx2___libcrux_sha3__traits__internal__KeccakItem_4__usize__for_core__core_arch__x86____m256i___and_not_xor( - s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U], - old[i1][(j + (size_t)1U) % (size_t)5U]); - s->st[i1][j] = uu____0;);); + for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t j = i; + core_core_arch_x86___m256i uu____0 = + libcrux_sha3_simd_avx2___libcrux_sha3__traits__internal__KeccakItem_4__usize__for_core__core_arch__x86____m256i___and_not_xor( + s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U], + old[i1][(j + (size_t)1U) % (size_t)5U]); + s->st[i1][j] = uu____0; + } + } } __attribute__((target("avx2"))) 
@@ -1342,17 +1344,15 @@ libcrux_sha3_generic_keccak_absorb_block__core_core_arch_x86___m256i_4size_t_136 __attribute__((target("avx2"))) static inline void libcrux_sha3_simd_avx2_load_block_full___136size_t( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - core_core_arch_x86___m256i(*uu____0)[5U] = s; - Eurydice_slice uu____1 = Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice); - Eurydice_slice buf[4U] = {uu____1, uu____2, uu____3, + Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[1U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[2U], + uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t, Eurydice_slice)}; - libcrux_sha3_simd_avx2_load_block___136size_t(uu____0, buf); + libcrux_sha3_simd_avx2_load_block___136size_t(s, buf); } __attribute__((target("avx2"))) 
@@ -1373,22 +1373,24 @@ libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_136 Eurydice_slice last[4U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[4U][200U] = {{0U}}; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i0], - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = last_len}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], - uint8_t, void *); - blocks[i0][last_len] = 31U; - blocks[i0][(size_t)136U - (size_t)1U] = - (uint32_t)blocks[i0][(size_t)136U - (size_t)1U] | 128U;); - core_core_arch_x86___m256i(*uu____1)[5U] = s->st; - uint8_t uu____2[4U][200U]; - memcpy(uu____2, blocks, (size_t)4U * sizeof(uint8_t[200U])); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)200U, blocks[i0], + (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, + .end = last_len}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + core_core_arch_x86___m256i(*uu____3)[5U] = s->st; + uint8_t uu____4[4U][200U]; + memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U])); libcrux_sha3_simd_avx2___libcrux_sha3__traits__internal__KeccakItem_4__usize__for_core__core_arch__x86____m256i___load_block_full___136size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__core_core_arch_x86___m256i_4size_t( s); } 
@@ -1474,55 +1476,55 @@ static inline void libcrux_sha3_simd_avx2_store_block___136size_t( uint8_t u8s[32U] = {0U}; size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____0, s[i0][j0]); - Eurydice_slice uu____1 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), + s[i0][j0]); + Eurydice_slice uu____0 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____1, + uu____0, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice( + Eurydice_slice uu____1 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____2, + uu____1, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice( + Eurydice_slice uu____2 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____3, + uu____2, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = 
(size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____4 = Eurydice_slice_subslice( + Eurydice_slice uu____3 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____4, + uu____3, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)24U, .end = (size_t)32U}), 
@@ -1535,55 +1537,55 @@ static inline void libcrux_sha3_simd_avx2_store_block___136size_t( ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) / (size_t)5U; size_t j = ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U; - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____5, s[i][j]); - Eurydice_slice uu____6 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), + s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____6, + uu____4, Eurydice_array_to_subslice((size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_slice_subslice( + Eurydice_slice uu____5 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____7, + uu____5, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____8 = Eurydice_slice_subslice( + Eurydice_slice uu____6 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____8, + uu____6, Eurydice_array_to_subslice( (size_t)32U, u8s0, 
(CLITERAL(core_ops_range_Range__size_t){.start = (size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____9 = Eurydice_slice_subslice( + Eurydice_slice uu____7 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____9, + uu____7, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)24U, 
@@ -1600,29 +1602,24 @@ static inline void libcrux_sha3_simd_avx2_store_block_full___136size_t( uint8_t out1[200U] = {0U}; uint8_t out2[200U] = {0U}; uint8_t out3[200U] = {0U}; - core_core_arch_x86___m256i(*uu____0)[5U] = s; - Eurydice_slice uu____1 = - Eurydice_array_to_slice((size_t)200U, out0, uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = - Eurydice_array_to_slice((size_t)200U, out1, uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = - Eurydice_array_to_slice((size_t)200U, out2, uint8_t, Eurydice_slice); Eurydice_slice buf[4U] = { - uu____1, uu____2, uu____3, + Eurydice_array_to_slice((size_t)200U, out0, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, out1, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, out2, uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)200U, out3, uint8_t, Eurydice_slice)}; - libcrux_sha3_simd_avx2_store_block___136size_t(uu____0, buf); - uint8_t uu____4[200U]; - memcpy(uu____4, out0, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____5[200U]; - memcpy(uu____5, out1, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____6[200U]; - memcpy(uu____6, out2, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____7[200U]; - memcpy(uu____7, out3, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____4, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[1U], uu____5, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[2U], uu____6, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[3U], uu____7, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_simd_avx2_store_block___136size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out0, (size_t)200U * sizeof(uint8_t)); + uint8_t uu____1[200U]; + memcpy(uu____1, out1, (size_t)200U * sizeof(uint8_t)); + uint8_t uu____2[200U]; + memcpy(uu____2, out2, (size_t)200U * sizeof(uint8_t)); + uint8_t uu____3[200U]; + memcpy(uu____3, out3, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[1U], uu____1, (size_t)200U * 
sizeof(uint8_t)); + memcpy(ret[2U], uu____2, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[3U], uu____3, (size_t)200U * sizeof(uint8_t)); } __attribute__((target("avx2"))) @@ -1643,17 +1640,20 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last__core_core_arch_x86___m256i_4 uint8_t b[4U][200U]; libcrux_sha3_simd_avx2___libcrux_sha3__traits__internal__KeccakItem_4__usize__for_core__core_arch__x86____m256i___store_block_full___136size_t( s->st, b); - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = out[i0]; uint8_t *uu____1 = b[i0]; - core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *);); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range__size_t lit; + lit.start = (size_t)0U; + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); + core_slice___Slice_T___copy_from_slice( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + uint8_t, void *); + } } __attribute__((target("avx2"))) 
@@ -1696,17 +1696,20 @@ libcrux_sha3_generic_keccak_squeeze_last__core_core_arch_x86___m256i_4size_t_136 uint8_t b[4U][200U]; libcrux_sha3_simd_avx2___libcrux_sha3__traits__internal__KeccakItem_4__usize__for_core__core_arch__x86____m256i___store_block_full___136size_t( s.st, b); - KRML_MAYBE_FOR4( - i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = out[i0]; uint8_t *uu____1 = b[i0]; - core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range__size_t, - Eurydice_slice), - uint8_t, void *);); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; + core_ops_range_Range__size_t lit; + lit.start = (size_t)0U; + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); + core_slice___Slice_T___copy_from_slice( + uu____0, + Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, + core_ops_range_Range__size_t, + Eurydice_slice), + uint8_t, void *); + } } __attribute__((target("avx2"))) @@ -1758,7 +1761,7 @@ libcrux_sha3_generic_keccak_keccak__core_core_arch_x86___m256i_4size_t_136size_t libcrux_sha3_generic_keccak_squeeze_first_block__core_core_arch_x86___m256i_4size_t_136size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); 
@@ -1799,7 +1802,7 @@ static inline void libcrux_sha3_avx2_x4_shake256( } typedef libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t - libcrux_sha3_avx2_x4_incremental_KeccakState4; + libcrux_sha3_avx2_x4_incremental_KeccakState; __attribute__((target("avx2"))) static inline libcrux_sha3_generic_keccak_KeccakState__core_core_arch_x86___m256i__4size_t @@ -2020,17 +2023,15 @@ static inline void libcrux_sha3_simd_avx2_load_block___168size_t( __attribute__((target("avx2"))) static inline void libcrux_sha3_simd_avx2_load_block_full___168size_t( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - core_core_arch_x86___m256i(*uu____0)[5U] = s; - Eurydice_slice uu____1 = Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____2 = Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice); - Eurydice_slice uu____3 = Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice); - Eurydice_slice buf[4U] = {uu____1, uu____2, uu____3, + Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[1U], + uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)200U, blocks[2U], + uint8_t, Eurydice_slice), Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t, Eurydice_slice)}; - libcrux_sha3_simd_avx2_load_block___168size_t(uu____0, buf); + libcrux_sha3_simd_avx2_load_block___168size_t(s, buf); } __attribute__((target("avx2"))) 
@@ -2051,22 +2052,24 @@ libcrux_sha3_generic_keccak_absorb_final__core_core_arch_x86___m256i_4size_t_168 Eurydice_slice last[4U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[4U][200U] = {{0U}}; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i0], - (CLITERAL(core_ops_range_Range__size_t){ - .start = (size_t)0U, .end = last_len}), - uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], - uint8_t, void *); - blocks[i0][last_len] = 31U; - blocks[i0][(size_t)168U - (size_t)1U] = - (uint32_t)blocks[i0][(size_t)168U - (size_t)1U] | 128U;); - core_core_arch_x86___m256i(*uu____1)[5U] = s->st; - uint8_t uu____2[4U][200U]; - memcpy(uu____2, blocks, (size_t)4U * sizeof(uint8_t[200U])); + for (size_t i = (size_t)0U; i < (size_t)4U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = Eurydice_array_to_subslice( + (size_t)200U, blocks[i0], + (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, + .end = last_len}), + uint8_t, core_ops_range_Range__size_t, Eurydice_slice); + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)168U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; + } + core_core_arch_x86___m256i(*uu____3)[5U] = s->st; + uint8_t uu____4[4U][200U]; + memcpy(uu____4, blocks, (size_t)4U * sizeof(uint8_t[200U])); libcrux_sha3_simd_avx2___libcrux_sha3__traits__internal__KeccakItem_4__usize__for_core__core_arch__x86____m256i___load_block_full___168size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__core_core_arch_x86___m256i_4size_t( s); } 
@@ -2163,55 +2166,55 @@ static inline void libcrux_sha3_simd_avx2_store_block___168size_t( uint8_t u8s[32U] = {0U}; size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U; - Eurydice_slice uu____0 = - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____0, s[i0][j0]); - Eurydice_slice uu____1 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), + s[i0][j0]); + Eurydice_slice uu____0 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____1, + uu____0, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice( + Eurydice_slice uu____1 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____2, + uu____1, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice( + Eurydice_slice uu____2 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____3, + uu____2, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = 
(size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____4 = Eurydice_slice_subslice( + Eurydice_slice uu____3 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start, .end = start + (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____4, + uu____3, Eurydice_array_to_subslice((size_t)32U, u8s, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)24U, .end = (size_t)32U}), 
@@ -2224,55 +2227,55 @@ static inline void libcrux_sha3_simd_avx2_store_block___168size_t( ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) / (size_t)5U; size_t j = ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U; - Eurydice_slice uu____5 = - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice); - libcrux_intrinsics_avx2_mm256_storeu_si256_u8(uu____5, s[i][j]); - Eurydice_slice uu____6 = Eurydice_slice_subslice( + libcrux_intrinsics_avx2_mm256_storeu_si256_u8( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), + s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice( out[0U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____6, + uu____4, Eurydice_array_to_subslice((size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){ .start = (size_t)0U, .end = (size_t)8U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_slice_subslice( + Eurydice_slice uu____5 = Eurydice_slice_subslice( out[1U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____7, + uu____5, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)8U, .end = (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____8 = Eurydice_slice_subslice( + Eurydice_slice uu____6 = Eurydice_slice_subslice( out[2U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____8, + uu____6, Eurydice_array_to_subslice( (size_t)32U, u8s0, 
(CLITERAL(core_ops_range_Range__size_t){.start = (size_t)16U, .end = (size_t)24U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice), uint8_t, void *); - Eurydice_slice uu____9 = Eurydice_slice_subslice( + Eurydice_slice uu____7 = Eurydice_slice_subslice( out[3U], (CLITERAL(core_ops_range_Range__size_t){.start = start + (size_t)8U, .end = start + (size_t)16U}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); core_slice___Slice_T___copy_from_slice( - uu____9, + uu____7, Eurydice_array_to_subslice( (size_t)32U, u8s0, (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)24U, diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index dc6234dd4..53df0e9b0 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h @@ -1,8 +1,8 @@ /* This file was generated by KaRaMeL KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../cg.yaml - ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: - KaRaMeL version: 409fe455 + -funroll-loops 0 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version: + KaRaMeL version: 42a43169 */ #ifndef __libcrux_sha3_portable_H @@ -817,8 +817,7 @@ static inline void libcrux_sha3_generic_keccak_theta_rho__uint64_t_1size_t( static inline void libcrux_sha3_generic_keccak_pi__uint64_t_1size_t( libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *s) { uint64_t old[5U][5U]; - core_array___core__clone__Clone_for__Array_T__N___20__clone( - (size_t)5U, s->st, old, uint64_t[5U], void *); + memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U])); s->st[0U][1U] = old[1U][1U]; s->st[0U][2U] = old[2U][2U]; s->st[0U][3U] = old[3U][3U]; 
@@ -849,14 +848,17 @@ static inline void libcrux_sha3_generic_keccak_chi__uint64_t_1size_t( libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *s) { uint64_t old[5U][5U]; memcpy(old, s->st, (size_t)5U * sizeof(uint64_t[5U])); - KRML_MAYBE_FOR5( - i0, (size_t)0U, (size_t)5U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR5( - i, (size_t)0U, (size_t)5U, (size_t)1U, size_t j = i; - uint64_t uu____0 = - libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___and_not_xor( - s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U], - old[i1][(j + (size_t)1U) % (size_t)5U]); - s->st[i1][j] = uu____0;);); + for (size_t i0 = (size_t)0U; i0 < (size_t)5U; i0++) { + size_t i1 = i0; + for (size_t i = (size_t)0U; i < (size_t)5U; i++) { + size_t j = i; + uint64_t uu____0 = + libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___and_not_xor( + s->st[i1][j], old[i1][(j + (size_t)2U) % (size_t)5U], + old[i1][(j + (size_t)1U) % (size_t)5U]); + s->st[i1][j] = uu____0; + } + } } static inline void libcrux_sha3_generic_keccak_iota__uint64_t_1size_t( @@ -892,10 +894,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_72size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___72size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___72size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___72size_t(s, buf); } static inline void 
@@ -913,23 +914,24 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_72size_t_6uint8_t( Eurydice_slice last[1U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[1U][200U] = {{0U}}; - { - size_t i = (size_t)0U; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i], + (size_t)200U, blocks[i0], (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, .end = last_len}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); - blocks[i][last_len] = 6U; - blocks[i][(size_t)72U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)72U - (size_t)1U] | 128U; + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)72U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___72size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -954,13 +956,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___72size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___72size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___72size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___72size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void @@ -978,13 +979,13 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last__uint64_t_1size_t_72size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___72size_t( s->st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, 
@@ -1025,13 +1026,13 @@ libcrux_sha3_generic_keccak_squeeze_last__uint64_t_1size_t_72size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___72size_t( s.st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, @@ -1087,7 +1088,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_72size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_72size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -1177,10 +1178,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_136size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___136size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___136size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___136size_t(s, buf); } static inline void 
@@ -1198,23 +1198,24 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_136size_t_6uint8_t( Eurydice_slice last[1U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[1U][200U] = {{0U}}; - { - size_t i = (size_t)0U; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i], + (size_t)200U, blocks[i0], (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, .end = last_len}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); - blocks[i][last_len] = 6U; - blocks[i][(size_t)136U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)136U - (size_t)1U] | 128U; + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___136size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -1239,13 +1240,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___136size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___136size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___136size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___136size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void @@ -1263,13 +1263,13 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last__uint64_t_1size_t_136size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___136size_t( s->st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, 
@@ -1310,13 +1310,13 @@ libcrux_sha3_generic_keccak_squeeze_last__uint64_t_1size_t_136size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___136size_t( s.st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, @@ -1372,7 +1372,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_136size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_136size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); 
@@ -1422,23 +1422,24 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_136size_t_31uint8_t( Eurydice_slice last[1U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[1U][200U] = {{0U}}; - { - size_t i = (size_t)0U; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i], + (size_t)200U, blocks[i0], (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, .end = last_len}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); - blocks[i][last_len] = 31U; - blocks[i][(size_t)136U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)136U - (size_t)1U] | 128U; + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)136U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___136size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -1488,7 +1489,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_136size_t_31uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_136size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -1556,13 +1557,13 @@ static inline void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, } typedef libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t - libcrux_sha3_portable_KeccakState1; + libcrux_sha3_portable_KeccakState; -typedef struct libcrux_sha3_neon_x2_incremental_KeccakState2_s { +typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s { libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t state[2U]; -} libcrux_sha3_neon_x2_incremental_KeccakState2; +} libcrux_sha3_neon_x2_incremental_KeccakState; -static inline libcrux_sha3_neon_x2_incremental_KeccakState2 +static inline libcrux_sha3_neon_x2_incremental_KeccakState libcrux_sha3_neon_x2_incremental_shake128_init(void) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); @@ -1570,7 +1571,7 @@ libcrux_sha3_neon_x2_incremental_shake128_init(void) { } static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice data0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); 
@@ -1578,7 +1579,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( } static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice out0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); @@ -1587,7 +1588,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( - libcrux_sha3_neon_x2_incremental_KeccakState2 *s, Eurydice_slice out0, + libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); @@ -1624,10 +1625,9 @@ static inline void libcrux_sha3_portable_keccak_load_block___168size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___168size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___168size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___168size_t(s, buf); } static inline void 
@@ -1645,23 +1645,24 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_168size_t_31uint8_t( Eurydice_slice last[1U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[1U][200U] = {{0U}}; - { - size_t i = (size_t)0U; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i], + (size_t)200U, blocks[i0], (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, .end = last_len}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); - blocks[i][last_len] = 31U; - blocks[i][(size_t)168U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)168U - (size_t)1U] | 128U; + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 31U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)168U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___168size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -1839,10 +1840,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_144size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___144size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___144size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___144size_t(s, buf); } static inline void 
@@ -1860,23 +1860,24 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_144size_t_6uint8_t( Eurydice_slice last[1U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[1U][200U] = {{0U}}; - { - size_t i = (size_t)0U; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i], + (size_t)200U, blocks[i0], (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, .end = last_len}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); - blocks[i][last_len] = 6U; - blocks[i][(size_t)144U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)144U - (size_t)1U] | 128U; + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)144U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___144size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -1901,13 +1902,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___144size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___144size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___144size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___144size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void @@ -1925,13 +1925,13 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last__uint64_t_1size_t_144size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___144size_t( s->st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, 
@@ -1972,13 +1972,13 @@ libcrux_sha3_generic_keccak_squeeze_last__uint64_t_1size_t_144size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___144size_t( s.st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, @@ -2034,7 +2034,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_144size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_144size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -2124,10 +2124,9 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_104size_t( static inline void libcrux_sha3_portable_keccak_load_block_full___104size_t( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_load_block___104size_t(uu____0, buf); + libcrux_sha3_portable_keccak_load_block___104size_t(s, buf); } static inline void 
@@ -2145,23 +2144,24 @@ libcrux_sha3_generic_keccak_absorb_final__uint64_t_1size_t_104size_t_6uint8_t( Eurydice_slice last[1U]) { size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); uint8_t blocks[1U][200U] = {{0U}}; - { - size_t i = (size_t)0U; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; Eurydice_slice uu____0 = Eurydice_array_to_subslice( - (size_t)200U, blocks[i], + (size_t)200U, blocks[i0], (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)0U, .end = last_len}), uint8_t, core_ops_range_Range__size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); - blocks[i][last_len] = 6U; - blocks[i][(size_t)104U - (size_t)1U] = - (uint32_t)blocks[i][(size_t)104U - (size_t)1U] | 128U; + core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, void *); + blocks[i0][last_len] = 6U; + size_t uu____1 = i0; + size_t uu____2 = (size_t)104U - (size_t)1U; + blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U; } - uint64_t(*uu____1)[5U] = s->st; - uint8_t uu____2[1U][200U]; - memcpy(uu____2, blocks, (size_t)1U * sizeof(uint8_t[200U])); + uint64_t(*uu____3)[5U] = s->st; + uint8_t uu____4[1U][200U]; + memcpy(uu____4, blocks, (size_t)1U * sizeof(uint8_t[200U])); libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___load_block_full___104size_t( - uu____1, uu____2); + uu____3, uu____4); libcrux_sha3_generic_keccak_keccakf1600__uint64_t_1size_t(s); } 
@@ -2186,13 +2186,12 @@ static inline void libcrux_sha3_portable_keccak_store_block___104size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___104size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___104size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___104size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void @@ -2210,13 +2209,13 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last__uint64_t_1size_t_104size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___104size_t( s->st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, 
@@ -2257,13 +2256,13 @@ libcrux_sha3_generic_keccak_squeeze_last__uint64_t_1size_t_104size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___104size_t( s.st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, @@ -2319,7 +2318,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_104size_t_6uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_104size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); 
@@ -2435,13 +2434,12 @@ libcrux_sha3_generic_keccak_absorb_block__uint64_t_1size_t_168size_t( static inline void libcrux_sha3_portable_keccak_store_block_full___168size_t( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; - uint64_t(*uu____0)[5U] = s; Eurydice_slice buf[1U] = { Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; - libcrux_sha3_portable_keccak_store_block___168size_t(uu____0, buf); - uint8_t uu____1[200U]; - memcpy(uu____1, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____1, (size_t)200U * sizeof(uint8_t)); + libcrux_sha3_portable_keccak_store_block___168size_t(s, buf); + uint8_t uu____0[200U]; + memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); } static inline void @@ -2459,13 +2457,13 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last__uint64_t_1size_t_168size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___168size_t( s->st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, 
@@ -2483,13 +2481,13 @@ libcrux_sha3_generic_keccak_squeeze_last__uint64_t_1size_t_168size_t( uint8_t b[1U][200U]; libcrux_sha3_portable_keccak___libcrux_sha3__traits__internal__KeccakItem_1__usize__for_u64___store_block_full___168size_t( s.st, b); - { - size_t i = (size_t)0U; - Eurydice_slice uu____0 = out[i]; - uint8_t *uu____1 = b[i]; + for (size_t i = (size_t)0U; i < (size_t)1U; i++) { + size_t i0 = i; + Eurydice_slice uu____0 = out[i0]; + uint8_t *uu____1 = b[i0]; core_ops_range_Range__size_t lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); + lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); core_slice___Slice_T___copy_from_slice( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, @@ -2545,7 +2543,7 @@ libcrux_sha3_generic_keccak_keccak__uint64_t_1size_t_168size_t_31uint8_t( libcrux_sha3_generic_keccak_squeeze_first_block__uint64_t_1size_t_168size_t( &s, o0); core_ops_range_Range__size_t iter = - core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I___into_iter( + core_iter_traits_collect___core__iter__traits__collect__IntoIterator_for_I__1__into_iter( (CLITERAL(core_ops_range_Range__size_t){.start = (size_t)1U, .end = blocks}), core_ops_range_Range__size_t, core_ops_range_Range__size_t); @@ -2671,7 +2669,7 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( } static inline libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t -libcrux_sha3_portable___core__clone__Clone_for_libcrux_sha3__portable__KeccakState1___clone( +libcrux_sha3_portable___core__clone__Clone_for_libcrux_sha3__portable__KeccakState___clone( libcrux_sha3_generic_keccak_KeccakState__uint64_t__1size_t *self) { return self[0U]; } diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py index 037f0ae47..67c3c26ea 100755 --- a/libcrux-ml-kem/hax.py +++ b/libcrux-ml-kem/hax.py 
@@ -101,11 +101,17 @@ def __call__(self, parser, args, values, option_string=None) -> None:
 )
 # Extract ml-kem
- include_str = "+** -libcrux_ml_kem::types::index_impls::**"
+ include_str = (
+ "+** -libcrux_ml_kem::types::index_impls::** -libcrux_ml_kem::kem::**"
+ )
 interface_include = "+**"
 cargo_hax_into = [
 "cargo",
 "hax",
+ "-C",
+ "--features",
+ "pre-verification",
+ ";",
 "into",
 "-i",
 include_str,
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
index 560d2964d..fa256358d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti
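Review bot: The new `-libcrux_ml_kem::kem::**` term in `include_str` drops the whole `kem` module from the F* extraction, and nothing in the hunk records why, so a reader of the proofs directory may assume those entry points are still covered; a comment next to it such as `# kem::** is excluded from extraction: <REASON — fill in>; re-include once it extracts cleanly` would make the reduced proof scope explicit. The added `"-C", "--features", "pre-verification", ";"` arguments appear to be cargo-hax's pass-through syntax for cargo flags, which is not obvious from the list itself; a comment like `# -C ... ; forwards flags to cargo: extract with the pre-verification feature enabled` would help. The feature name is a bare string literal that must match the crate's declared feature exactly, so hoisting it into a module-level constant would keep the two from drifting silently. The enclosing `__call__` starts before this hunk and the `cargo_hax_into` list continues past its last line.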
@@ -3,35 +3,35 @@ module Libcrux_ml_kem.Constant_time_ops open Core open FStar.Mul -/// Return 1 if the bytes of `lhs` and `rhs` do not exactly -/// match and 0 otherwise. -val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) +/// Return 1 if `value` is not zero and 0 otherwise. +val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (ensures fun result -> let result:u8 = result in - Hax_lib.implies (lhs =. rhs <: bool) + Hax_lib.implies (value =. 0uy <: bool) (fun temp_0_ -> let _:Prims.unit = temp_0_ in result =. 0uy <: bool) && - Hax_lib.implies (lhs <>. rhs <: bool) + Hax_lib.implies (value <>. 0uy <: bool) (fun temp_0_ -> let _:Prims.unit = temp_0_ in result =. 1uy <: bool)) -/// Return 1 if `value` is not zero and 0 otherwise. -val is_non_zero (value: u8) +/// Return 1 if the bytes of `lhs` and `rhs` do not exactly +/// match and 0 otherwise. +val compare_ciphertexts_in_constant_time (v_CIPHERTEXT_SIZE: usize) (lhs rhs: t_Slice u8) : Prims.Pure u8 Prims.l_True (ensures fun result -> let result:u8 = result in - Hax_lib.implies (value =. 0uy <: bool) + Hax_lib.implies (lhs =. rhs <: bool) (fun temp_0_ -> let _:Prims.unit = temp_0_ in result =. 0uy <: bool) && - Hax_lib.implies (value <>. 0uy <: bool) + Hax_lib.implies (lhs <>. rhs <: bool) (fun temp_0_ -> let _:Prims.unit = temp_0_ in result =. 1uy <: bool)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti index 210ffc329..76d143aad 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti 
@@ -4,24 +4,24 @@ open Core open FStar.Mul /// Each field element needs floor(log_2(FIELD_MODULUS)) + 1 = 12 bits to represent -let v_BITS_PER_COEFFICIENT: usize = Rust_primitives.Hax.dropped_body +let v_BITS_PER_COEFFICIENT: usize = sz 12 + +/// Coefficients per ring element +let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 /// Bits required per (uncompressed) ring element -let v_BITS_PER_RING_ELEMENT: usize = Rust_primitives.Hax.dropped_body +let v_BITS_PER_RING_ELEMENT: usize = v_COEFFICIENTS_IN_RING_ELEMENT *! sz 12 /// Bytes required per (uncompressed) ring element -let v_BYTES_PER_RING_ELEMENT: usize = Rust_primitives.Hax.dropped_body - -/// Coefficients per ring element -let v_COEFFICIENTS_IN_RING_ELEMENT: usize = Rust_primitives.Hax.dropped_body +let v_BYTES_PER_RING_ELEMENT: usize = v_BITS_PER_RING_ELEMENT /! sz 8 -let v_CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = sz 32 /// SHA3 512 digest size -let v_G_DIGEST_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_G_DIGEST_SIZE: usize = sz 64 /// SHA3 256 digest size -let v_H_DIGEST_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_H_DIGEST_SIZE: usize = sz 32 /// The size of an ML-KEM shared secret. -let v_SHARED_SECRET_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_SHARED_SECRET_SIZE: usize = sz 32 diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti index 2a80b014d..d0edb5a66 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti 
@@ -6,10 +6,10 @@ open FStar.Mul /// The state. /// It's only used for SHAKE128. /// All other functions don't actually use any members. -type t_Simd256Hash = { f_shake128_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 } +type t_Simd256Hash = { f_shake128_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = +let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash #t_Simd256Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); @@ -201,13 +201,13 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = in () in - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 = + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = Libcrux_sha3.Avx2.X4.Incremental.shake128_init () in - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 = + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = match cast (v_K <: usize) <: u8 with | 2uy -> - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 = + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = Libcrux_sha3.Avx2.X4.Incremental.shake128_absorb_final state (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) @@ -216,7 +216,7 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = in state | 3uy -> - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 = + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = Libcrux_sha3.Avx2.X4.Incremental.shake128_absorb_final state (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) 
@@ -225,7 +225,7 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = in state | 4uy -> - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 = + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = Libcrux_sha3.Avx2.X4.Incremental.shake128_absorb_final state (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) @@ -265,7 +265,7 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = let out1:t_Array u8 (sz 504) = Rust_primitives.Hax.repeat 0uy (sz 504) in let out2:t_Array u8 (sz 504) = Rust_primitives.Hax.repeat 0uy (sz 504) in let out3:t_Array u8 (sz 504) = Rust_primitives.Hax.repeat 0uy (sz 504) in - let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 & + let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & t_Array u8 (sz 504) & t_Array u8 (sz 504) & t_Array u8 (sz 504) & @@ -349,7 +349,7 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState4 & + let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti index 6fda7a42c..45f0d5928 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti 
@@ -7,11 +7,11 @@ open FStar.Mul /// It's only used for SHAKE128. /// All other functions don't actually use any members. type t_Simd128Hash = { - f_shake128_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) + f_shake128_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = +let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash #t_Simd128Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); @@ -214,7 +214,7 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = in () in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = let list = [ Libcrux_sha3.Neon.X2.Incremental.shake128_init (); 
@@ -224,67 +224,67 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); Rust_primitives.Hax.array_of_list 2 list in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = match cast (v_K <: usize) <: u8 with | 2uy -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state (sz 0) (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in state | 3uy -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state (sz 0) (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state (sz 1) 
(Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 1 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in state | 4uy -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state (sz 0) (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) (Rust_primitives.unsize (input.[ sz 0 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 1 ] <: t_Array u8 (sz 34)) <: t_Slice u8) <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state (sz 1) (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 1 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) (Rust_primitives.unsize (input.[ sz 2 ] <: t_Array u8 (sz 34)) <: t_Slice u8) (Rust_primitives.unsize (input.[ sz 3 ] <: t_Array u8 (sz 34)) <: t_Slice u8) <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in state | _ -> state 
@@ -327,13 +327,13 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = t_Simd128Hash) = match cast (v_K <: usize) <: u8 with | 2uy -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 504) & t_Array u8 (sz 504)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_three_blocks (self .f_shake128_state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 out1 in @@ -365,13 +365,13 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = t_Array u8 (sz 504) & t_Simd128Hash) | 3uy -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 504) & t_Array u8 (sz 504)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_three_blocks (self .f_shake128_state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 out1 in @@ -390,13 +390,13 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = let out0:t_Array u8 (sz 504) = tmp1 in let out1:t_Array u8 (sz 504) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 504) & t_Array u8 (sz 504)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_three_blocks (self .f_shake128_state.[ sz 1 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 out3 in 
@@ -431,13 +431,13 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = t_Array u8 (sz 504) & t_Simd128Hash) | 4uy -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 504) & t_Array u8 (sz 504)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_three_blocks (self .f_shake128_state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 out1 in @@ -456,13 +456,13 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = let out0:t_Array u8 (sz 504) = tmp1 in let out1:t_Array u8 (sz 504) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 504) & t_Array u8 (sz 504)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_three_blocks (self .f_shake128_state.[ sz 1 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 out3 in @@ -544,13 +544,12 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = t_Simd128Hash) = match cast (v_K <: usize) <: u8 with | 2uy -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & - t_Array u8 (sz 168) & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_shake128_state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 out1 in 
@@ -582,13 +581,12 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = t_Array u8 (sz 168) & t_Simd128Hash) | 3uy -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & - t_Array u8 (sz 168) & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_shake128_state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 out1 in @@ -607,13 +605,12 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = let out0:t_Array u8 (sz 168) = tmp1 in let out1:t_Array u8 (sz 168) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & - t_Array u8 (sz 168) & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_shake128_state.[ sz 1 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 out3 in @@ -648,13 +645,12 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = t_Array u8 (sz 168) & t_Simd128Hash) | 4uy -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & - t_Array u8 (sz 168) & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_shake128_state.[ sz 0 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 out1 in 
@@ -673,13 +669,12 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = let out0:t_Array u8 (sz 168) = tmp1 in let out1:t_Array u8 (sz 168) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 & - t_Array u8 (sz 168) & + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_shake128_state.[ sz 1 ] <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2) + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 out3 in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti index d76d909e8..3ea14e98e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti @@ -7,11 +7,11 @@ open FStar.Mul /// It's only used for SHAKE128. /// All other functions don't actually use any members. type t_PortableHash (v_K: usize) = { - f_shake128_state:t_Array Libcrux_sha3.Portable.t_KeccakState1 v_K + f_shake128_state:t_Array Libcrux_sha3.Portable.t_KeccakState v_K } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K = +let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash #(t_PortableHash v_K) v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); 
@@ -107,13 +107,13 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K in () in - let state:t_Array Libcrux_sha3.Portable.t_KeccakState1 v_K = + let state:t_Array Libcrux_sha3.Portable.t_KeccakState v_K = Rust_primitives.Hax.repeat (Libcrux_sha3.Portable.Incremental.shake128_init () <: - Libcrux_sha3.Portable.t_KeccakState1) + Libcrux_sha3.Portable.t_KeccakState) v_K in - let state:t_Array Libcrux_sha3.Portable.t_KeccakState1 v_K = + let state:t_Array Libcrux_sha3.Portable.t_KeccakState v_K = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range usize) ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_K } @@ -123,18 +123,18 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K Core.Ops.Range.t_Range usize) state (fun state i -> - let state:t_Array Libcrux_sha3.Portable.t_KeccakState1 v_K = state in + let state:t_Array Libcrux_sha3.Portable.t_KeccakState v_K = state in let i:usize = i in Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state i (Libcrux_sha3.Portable.Incremental.shake128_absorb_final (state.[ i ] <: - Libcrux_sha3.Portable.t_KeccakState1) + Libcrux_sha3.Portable.t_KeccakState) (Rust_primitives.unsize (input.[ i ] <: t_Array u8 (sz 34)) <: t_Slice u8) <: - Libcrux_sha3.Portable.t_KeccakState1) + Libcrux_sha3.Portable.t_KeccakState) <: - t_Array Libcrux_sha3.Portable.t_KeccakState1 v_K) + t_Array Libcrux_sha3.Portable.t_KeccakState v_K) in { f_shake128_state = state } <: t_PortableHash v_K); f_shake128_squeeze_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); 
@@ -178,11 +178,11 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K (fun temp_0_ i -> let out, self:(t_Array (t_Array u8 (sz 504)) v_K & t_PortableHash v_K) = temp_0_ in let i:usize = i in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState1 & t_Array u8 (sz 504)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 504)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_three_blocks (self .f_shake128_state.[ i ] <: - Libcrux_sha3.Portable.t_KeccakState1) + Libcrux_sha3.Portable.t_KeccakState) (out.[ i ] <: t_Array u8 (sz 504)) in let self:t_PortableHash v_K = @@ -245,11 +245,11 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K (fun temp_0_ i -> let out, self:(t_Array (t_Array u8 (sz 168)) v_K & t_PortableHash v_K) = temp_0_ in let i:usize = i in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState1 & t_Array u8 (sz 168)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block (self.f_shake128_state.[ i ] <: - Libcrux_sha3.Portable.t_KeccakState1) + Libcrux_sha3.Portable.t_KeccakState) (out.[ i ] <: t_Array u8 (sz 168)) in let self:t_PortableHash v_K = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti index 9c5c2c468..f4fd2612e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti @@ -9,7 +9,7 @@ open FStar.Mul /// - AVX2 /// - NEON /// - Portable -class t_Hash (v_Self: Type0) (v_K: usize) = { +class t_Hash (#v_Self: Type0) (v_K: usize) = { f_G_pre:t_Slice u8 -> bool; f_G_post:t_Slice u8 -> t_Array u8 (sz 64) -> bool; f_G:x0: t_Slice u8 
@@ -51,7 +51,7 @@ class t_Hash (v_Self: Type0) (v_K: usize) = { } /// The SHA3 block size. -let v_BLOCK_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_BLOCK_SIZE: usize = sz 168 /// The size of 3 SHA3 blocks. -let v_THREE_BLOCKS: usize = Rust_primitives.Hax.dropped_body +let v_THREE_BLOCKS: usize = v_BLOCK_SIZE *! sz 3 diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index 1b7adcd0d..f82013fbd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -7,6 +7,7 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector.Avx2 in () @@ -21,7 +22,7 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - private_key ciphertext + #Libcrux_ml_kem.Ind_cca.t_MlKem private_key ciphertext let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -33,7 +34,7 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - public_key randomness + #Libcrux_ml_kem.Ind_cca.t_MlKem public_key randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index 5c35e7373..50e6fd92f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti @@ -3,11 +3,13 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2 open Core open FStar.Mul -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Vector.Avx2 in + () /// Portable decapsulate val decapsulate @@ -17,7 +19,6 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -/// Portable encapsualte val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) 
@@ -27,6 +28,12 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Portable generate key pair. val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index e94abdbc5..1179aa8f4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -7,6 +7,7 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Ind_cca in let open Libcrux_ml_kem.Vector in () @@ -21,7 +22,8 @@ let decapsulate v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE #Libcrux_ml_kem.Vector.Portable.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) private_key ciphertext + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem + private_key ciphertext let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -33,7 +35,8 @@ let encapsulate v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Ind_cca.t_MlKem + public_key randomness let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index 417351f41..999e59e04 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -3,11 +3,13 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Portable open Core open FStar.Mul -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Ind_cca in + let open Libcrux_ml_kem.Vector in + () /// Portable decapsulate val decapsulate 
@@ -17,7 +19,6 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -/// Portable encapsualte val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) @@ -27,6 +28,12 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Portable generate key pair. val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index f94109b2d..15f4b79b7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti @@ -3,11 +3,6 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing open Core open FStar.Mul -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) 
@@ -24,6 +19,11 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 0b2ab9311..375453be9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst @@ -157,13 +157,14 @@ let validate_public_key let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: t_Variant v_Scheme) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = 
@@ -259,23 +260,41 @@ let decapsulate t_Slice u8) (Rust_primitives.unsize expected_ciphertext <: t_Slice u8) in - Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time shared_secret + let implicit_rejection_shared_secret:t_Array u8 (sz 32) = + f_kdf #v_Scheme + v_K + v_CIPHERTEXT_SIZE + #v_Hasher + (Rust_primitives.unsize implicit_rejection_shared_secret <: t_Slice u8) + ciphertext + in + let shared_secret:t_Array u8 (sz 32) = + f_kdf #v_Scheme v_K v_CIPHERTEXT_SIZE #v_Hasher shared_secret ciphertext + in + Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time (Rust_primitives.unsize shared_secret + + <: + t_Slice u8) (Rust_primitives.unsize implicit_rejection_shared_secret <: t_Slice u8) selector let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: t_Variant v_Scheme) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = + let randomness:t_Array u8 (sz 32) = + f_entropy_preprocess #v_Scheme v_K #v_Hasher (Rust_primitives.unsize randomness <: t_Slice u8) + in let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (Rust_primitives.unsize randomness <: t_Slice u8) in 
@@ -323,14 +342,15 @@ let encapsulate <: t_Slice u8) randomness pseudorandomness in - let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Array u8 v_CIPHERTEXT_SIZE) + ciphertext + in let shared_secret_array:t_Array u8 (sz 32) = - Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret + f_kdf #v_Scheme v_K v_CIPHERTEXT_SIZE #v_Hasher shared_secret ciphertext in - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Array u8 v_CIPHERTEXT_SIZE) - ciphertext, - shared_secret_array + ciphertext, shared_secret_array <: (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 2731071c5..5842b2921 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti 
@@ -7,19 +7,17 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Hash_functions in + let open Libcrux_ml_kem.Types in let open Libcrux_ml_kem.Vector.Traits in () -/// An ML-KEM shared secret. -/// A byte array of size [`SHARED_SECRET_SIZE`]. -unfold -let t_MlKemSharedSecret = t_Array u8 (sz 32) - /// Seed size for encapsulation -let v_ENCAPS_SEED_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_ENCAPS_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /// Seed size for key generation -let v_KEY_GENERATION_SEED_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_KEY_GENERATION_SEED_SIZE: usize = + Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /// Serialize the secret key. val serialize_kem_secret_key @@ -29,6 +27,13 @@ val serialize_kem_secret_key (private_key public_key implicit_rejection_value: t_Slice u8) : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) +/// Implements [`Variant`], to perform the ML-KEM-specific actions +/// during encapsulation and decapsulation. +/// Specifically, +/// * during encapsulation, the initial randomness is used without prior hashing, +/// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext. +type t_MlKem = | MlKem : t_MlKem + val validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#v_Vector: Type0) 
@@ -36,12 +41,155 @@ val validate_public_key (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// This trait collects differences in specification between ML-KEM +/// (Draft FIPS 203) and the Round 3 CRYSTALS-Kyber submission in the +/// NIST PQ competition. +/// cf. FIPS 203 (Draft), section 1.3 +class t_Variant (#v_Self: Type0) = { + f_kdf_pre: + v_K: usize -> + v_CIPHERTEXT_SIZE: usize -> + #v_Hasher: Type0 -> + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE + -> bool; + f_kdf_post: + v_K: usize -> + v_CIPHERTEXT_SIZE: usize -> + #v_Hasher: Type0 -> + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> + t_Array u8 (sz 32) + -> bool; + f_kdf: + v_K: usize -> + v_CIPHERTEXT_SIZE: usize -> + #v_Hasher: Type0 -> + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> + x0: t_Slice u8 -> + x1: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE + -> Prims.Pure (t_Array u8 (sz 32)) + (f_kdf_pre v_K v_CIPHERTEXT_SIZE v_Hasher i1 x0 x1) + (fun result -> f_kdf_post v_K v_CIPHERTEXT_SIZE v_Hasher i1 x0 x1 result); + f_entropy_preprocess_pre: + v_K: usize -> + #v_Hasher: Type0 -> + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> + t_Slice u8 + -> bool; + f_entropy_preprocess_post: + v_K: usize -> + #v_Hasher: Type0 -> + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> + t_Slice u8 -> + t_Array u8 (sz 32) + -> bool; + f_entropy_preprocess: + v_K: usize -> + #v_Hasher: Type0 -> + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> + x0: t_Slice u8 + -> Prims.Pure (t_Array u8 (sz 32)) + (f_entropy_preprocess_pre v_K v_Hasher i3 x0) + (fun result -> f_entropy_preprocess_post v_K v_Hasher i3 x0 result) +} + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: t_Variant #t_MlKem = + { + f_kdf_pre + 
= + (fun + (v_K: usize) + (v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (shared_secret: t_Slice u8) + (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + -> + true); + f_kdf_post + = + (fun + (v_K: usize) + (v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (shared_secret: t_Slice u8) + (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + (out: t_Array u8 (sz 32)) + -> + true); + f_kdf + = + (fun + (v_K: usize) + (v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (shared_secret: t_Slice u8) + (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + -> + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) #(t_Array u8 (sz 32)) shared_secret + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)); + f_entropy_preprocess_pre + = + (fun + (v_K: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (randomness: t_Slice u8) + -> + true); + f_entropy_preprocess_post + = + (fun + (v_K: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (randomness: t_Slice u8) + (out: t_Array u8 (sz 32)) + -> + true); + f_entropy_preprocess + = + fun + (v_K: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (randomness: t_Slice u8) + -> + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) #(t_Array u8 (sz 32)) randomness + <: + 
Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + } + val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: t_Variant v_Scheme |} (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) @@ -49,9 +197,10 @@ val decapsulate val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: t_Variant v_Scheme |} (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index 7b73f0062..9a3df2743 100644 
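Review bot: In the `t_Variant` instance for `t_MlKem`, both `f_kdf` and `f_entropy_preprocess` end in `Core.Result.impl__unwrap` over a `try_into` to `t_Array u8 (sz 32)`, while their preconditions `f_kdf_pre` and `f_entropy_preprocess_pre` are the constant `true`, so the extracted contract admits a slice of the wrong length and the unwrap becomes an unproven panic path. Since this file is a hax extraction, the fix belongs in the Rust trait definition: give the `kdf` and `entropy_preprocess` methods a precondition that the input slice has length 32 (the shared-secret size), so that the extracted `f_kdf_pre` reads along the lines of `Seq.length shared_secret = 32` instead of `true` and the `try_into` can be discharged. The callers in `decapsulate` and `encapsulate` always pass 32-byte arrays unsized to slices, so the stronger precondition should verify at each call site. The same remark applies to the `f_entropy_preprocess` body and its `_pre`.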
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti 
@@ -10,32 +10,50 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// This function implements Algorithm 14 of the -/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. -/// Algorithm 14 is reproduced below: -/// ```plaintext -/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. -/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. -/// Output: message m ∈ 𝔹^{32}. -/// c₁ ← c[0 : 32dᵤk] -/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] -/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) -/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) -/// ŝ ← ByteDecode₁₂(dkₚₖₑ) -/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) -/// m ← ByteEncode₁(Compress₁(w)) -/// return m -/// ``` -/// The NIST FIPS 203 standard can be found at -/// . -val decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) +/// Sample a vector of ring elements from a centered binomial distribution. +val sample_ring_element_cbd + (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sample a vector of ring elements from a centered binomial distribution and +/// convert them into their NTT representations. +val sample_vector_cbd_then_ntt + (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (prf_input: t_Array u8 (sz 33)) + (domain_separator: u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Call [`compress_then_serialize_ring_element_u`] on each ring element. 
+val compress_then_serialize_u + (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element +/// in the `ciphertext`. +val deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + Prims.l_True + (fun _ -> Prims.l_True) /// This function implements Algorithm 13 of the /// NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. 
@@ -83,6 +101,60 @@ val encrypt (randomness: t_Slice u8) : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +val deserialize_secret_key + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + Prims.l_True + (fun _ -> Prims.l_True) + +/// This function implements Algorithm 14 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. +/// Algorithm 14 is reproduced below: +/// ```plaintext +/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. +/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. +/// Output: message m ∈ 𝔹^{32}. +/// c₁ ← c[0 : 32dᵤk] +/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] +/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) +/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) +/// ŝ ← ByteDecode₁₂(dkₚₖₑ) +/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) +/// m ← ByteEncode₁(Compress₁(w)) +/// return m +/// ``` +/// The NIST FIPS 203 standard can be found at +/// . +val decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Call [`serialize_uncompressed_ring_element`] for each ring element. +val serialize_secret_key + (v_K v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +/// Concatenate `t` and `ρ` into the public key. 
+val serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + /// This function implements most of Algorithm 12 of the /// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. /// We say "most of" since Algorithm 12 samples the required randomness within 
@@ -126,75 +198,3 @@ val generate_keypair : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Call [`compress_then_serialize_ring_element_u`] on each ring element. -val compress_then_serialize_u - (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (out: t_Slice u8) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -val deserialize_secret_key - (v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element -/// in the `ciphertext`. -val deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Sample a vector of ring elements from a centered binomial distribution. 
-val sample_ring_element_cbd - (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (prf_input: t_Array u8 (sz 33)) - (domain_separator: u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Sample a vector of ring elements from a centered binomial distribution and -/// convert them into their NTT representations. -val sample_vector_cbd_then_ntt - (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (prf_input: t_Array u8 (sz 33)) - (domain_separator: u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Concatenate `t` and `ρ` into the public key. -val serialize_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Call [`serialize_uncompressed_ring_element`] for each ring element. -val serialize_secret_key - (v_K v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index 9b53942d2..dce9ae911 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -23,21 +23,6 @@ val compute_As_plus_e Prims.l_True (fun _ -> Prims.l_True) -/// The following functions compute various expressions involving -/// vectors and matrices. The computation of these expressions has been -/// abstracted away into these functions in order to save on loop iterations. -/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) -val compute_message - (v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (secret_as_ntt u_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message val compute_ring_element_v (v_K: usize) @@ -61,6 +46,21 @@ val compute_vector_u Prims.l_True (fun _ -> Prims.l_True) +/// The following functions compute various expressions involving +/// vectors and matrices. The computation of these expressions has been +/// abstracted away into these functions in order to save on loop iterations. +/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) +val compute_message + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (secret_as_ntt u_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + val sample_matrix_A (v_K: usize) (#v_Vector #v_Hasher: Type0) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index f8c25b6fe..cbeae42d0 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti 
@@ -3,47 +3,64 @@ module Libcrux_ml_kem.Mlkem1024 open Core open FStar.Mul -let v_C1_BLOCK_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_ETA1: usize = sz 2 -let v_C1_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 -let v_C2_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_ETA2: usize = sz 2 -let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 -let v_CPA_PKE_PUBLIC_KEY_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_RANK_1024_: usize = sz 4 -let v_CPA_PKE_SECRET_KEY_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_SECRET_KEY_SIZE_1024_: usize = + ((v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA1: usize = Rust_primitives.Hax.dropped_body +let v_RANKED_BYTES_PER_RING_ELEMENT_1024_: usize = + (v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 -let v_ETA1_RANDOMNESS_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_T_AS_NTT_ENCODED_SIZE_1024_: usize = + ((v_RANK_1024_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA2: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_PUBLIC_KEY_SIZE_1024_: usize = v_T_AS_NTT_ENCODED_SIZE_1024_ +! sz 32 -let v_ETA2_RANDOMNESS_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_SECRET_KEY_SIZE_1024_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_1024_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_1024_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! 
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_VECTOR_U_COMPRESSION_FACTOR_1024_: usize = sz 11 -let v_RANKED_BYTES_PER_RING_ELEMENT_1024_: usize = Rust_primitives.Hax.dropped_body +let v_C1_BLOCK_SIZE_1024_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_U_COMPRESSION_FACTOR_1024_ + <: + usize) /! + sz 8 -let v_RANK_1024_: usize = Rust_primitives.Hax.dropped_body +let v_C1_SIZE_1024_: usize = v_C1_BLOCK_SIZE_1024_ *! v_RANK_1024_ -let v_SECRET_KEY_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_VECTOR_V_COMPRESSION_FACTOR_1024_: usize = sz 5 -let v_T_AS_NTT_ENCODED_SIZE_1024_: usize = Rust_primitives.Hax.dropped_body +let v_C2_SIZE_1024_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_V_COMPRESSION_FACTOR_1024_ + <: + usize) /! + sz 8 -let v_VECTOR_U_COMPRESSION_FACTOR_1024_: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_CIPHERTEXT_SIZE_1024_: usize = v_C1_SIZE_1024_ +! v_C2_SIZE_1024_ -let v_VECTOR_V_COMPRESSION_FACTOR_1024_: usize = Rust_primitives.Hax.dropped_body - -/// An ML-KEM 1024 Ciphertext -unfold -let t_MlKem1024Ciphertext = Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) - -/// An ML-KEM 1024 Private key -unfold -let t_MlKem1024PrivateKey = Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168) +let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_1024_ /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. 
@@ -53,10 +70,6 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -/// An ML-KEM 1024 Public key -unfold -let t_MlKem1024PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) - /// Encapsulate ML-KEM 1024 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. /// The input is a reference to an [`MlKem1024PublicKey`] and [`SHARED_SECRET_SIZE`] @@ -75,10 +88,6 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 Prims.l_True (fun _ -> Prims.l_True) -/// Am ML-KEM 1024 Key pair -unfold -let t_MlKem1024KeyPair = Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) - /// Generate ML-KEM 1024 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size /// [`KEY_GENERATION_SEED_SIZE`]. diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index 155d70c2a..eda388fe6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti 
@@ -3,47 +3,64 @@ module Libcrux_ml_kem.Mlkem512 open Core open FStar.Mul -let v_C1_BLOCK_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_ETA1: usize = sz 3 -let v_C1_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 -let v_C2_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_ETA2: usize = sz 2 -let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 -let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_RANK_512_: usize = sz 2 -let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA1: usize = Rust_primitives.Hax.dropped_body +let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = + (v_RANK_512_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 -let v_ETA1_RANDOMNESS_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_T_AS_NTT_ENCODED_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA2: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32 -let v_ETA2_RANDOMNESS_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_SECRET_KEY_SIZE_512_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! 
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 -let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = Rust_primitives.Hax.dropped_body +let v_C1_BLOCK_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_U_COMPRESSION_FACTOR_512_ + <: + usize) /! + sz 8 -let v_RANK_512_: usize = Rust_primitives.Hax.dropped_body +let v_C1_SIZE_512_: usize = v_C1_BLOCK_SIZE_512_ *! v_RANK_512_ -let v_SECRET_KEY_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 -let v_T_AS_NTT_ENCODED_SIZE_512_: usize = Rust_primitives.Hax.dropped_body +let v_C2_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_V_COMPRESSION_FACTOR_512_ + <: + usize) /! + sz 8 -let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = v_C1_SIZE_512_ +! v_C2_SIZE_512_ -let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = Rust_primitives.Hax.dropped_body - -/// An ML-KEM 512 Ciphertext -unfold -let t_MlKem512Ciphertext = Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) - -/// An ML-KEM 512 Private key -unfold -let t_MlKem512PrivateKey = Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632) +let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. 
@@ -53,10 +70,6 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -/// An ML-KEM 512 Public key -unfold -let t_MlKem512PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800) - /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. /// The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] @@ -75,10 +88,6 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 8 Prims.l_True (fun _ -> Prims.l_True) -/// Am ML-KEM 512 Key pair -unfold -let t_MlKem512KeyPair = Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) - /// Generate ML-KEM 512 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size /// [`KEY_GENERATION_SEED_SIZE`]. diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index 6260bb2fe..733e47524 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti 
@@ -3,47 +3,64 @@ module Libcrux_ml_kem.Mlkem768 open Core open FStar.Mul -let v_C1_BLOCK_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_ETA1: usize = sz 2 -let v_C1_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 -let v_C2_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_ETA2: usize = sz 2 -let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 -let v_CPA_PKE_PUBLIC_KEY_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_RANK_768_: usize = sz 3 -let v_CPA_PKE_SECRET_KEY_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_SECRET_KEY_SIZE_768_: usize = + ((v_RANK_768_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA1: usize = Rust_primitives.Hax.dropped_body +let v_RANKED_BYTES_PER_RING_ELEMENT_768_: usize = + (v_RANK_768_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 -let v_ETA1_RANDOMNESS_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_T_AS_NTT_ENCODED_SIZE_768_: usize = + ((v_RANK_768_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA2: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_PUBLIC_KEY_SIZE_768_: usize = v_T_AS_NTT_ENCODED_SIZE_768_ +! sz 32 -let v_ETA2_RANDOMNESS_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_SECRET_KEY_SIZE_768_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_768_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_768_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! 
+ Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_VECTOR_U_COMPRESSION_FACTOR_768_: usize = sz 10 -let v_RANKED_BYTES_PER_RING_ELEMENT_768_: usize = Rust_primitives.Hax.dropped_body +let v_C1_BLOCK_SIZE_768_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_U_COMPRESSION_FACTOR_768_ + <: + usize) /! + sz 8 -let v_RANK_768_: usize = Rust_primitives.Hax.dropped_body +let v_C1_SIZE_768_: usize = v_C1_BLOCK_SIZE_768_ *! v_RANK_768_ -let v_SECRET_KEY_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_VECTOR_V_COMPRESSION_FACTOR_768_: usize = sz 4 -let v_T_AS_NTT_ENCODED_SIZE_768_: usize = Rust_primitives.Hax.dropped_body +let v_C2_SIZE_768_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_V_COMPRESSION_FACTOR_768_ + <: + usize) /! + sz 8 -let v_VECTOR_U_COMPRESSION_FACTOR_768_: usize = Rust_primitives.Hax.dropped_body +let v_CPA_PKE_CIPHERTEXT_SIZE_768_: usize = v_C1_SIZE_768_ +! v_C2_SIZE_768_ -let v_VECTOR_V_COMPRESSION_FACTOR_768_: usize = Rust_primitives.Hax.dropped_body - -/// An ML-KEM 768 Ciphertext -unfold -let t_MlKem768Ciphertext = Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) - -/// An ML-KEM 768 Private key -unfold -let t_MlKem768PrivateKey = Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400) +let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_768_ /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. 
@@ -53,10 +70,6 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -/// An ML-KEM 768 Public key -unfold -let t_MlKem768PublicKey = Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) - /// Encapsulate ML-KEM 768 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. /// The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] @@ -75,19 +88,15 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 Prims.l_True (fun _ -> Prims.l_True) -/// Am ML-KEM 768 Key pair -unfold -let t_MlKem768KeyPair = Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) - /// Generate ML-KEM 768 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size /// [`KEY_GENERATION_SEED_SIZE`]. /// This function uses CPU feature detection to pick the most efficient version /// on each platform. To use a specific version with your own feature detection /// use one of the following -/// - [`generate_key_pair_avx2`] -/// - [`generate_key_pair_neon`] -/// - [`generate_key_pair_portable`] +/// - `generate_key_pair_avx2` +/// - `generate_key_pair_neon` +/// - `generate_key_pair_portable` /// This function returns an [`MlKem768KeyPair`]. val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index 80bc1336c..51dae0e12 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti 
@@ -9,9 +9,28 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let v_VECTORS_IN_RING_ELEMENT: usize = Rust_primitives.Hax.dropped_body +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = + let list = + [ + (-1044s); (-758s); (-359s); (-1517s); 1493s; 1422s; 287s; 202s; (-171s); 622s; 1577s; 182s; + 962s; (-1202s); (-1474s); 1468s; 573s; (-1325s); 264s; 383s; (-829s); 1458s; (-1602s); (-130s); + (-681s); 1017s; 732s; 608s; (-1542s); 411s; (-205s); (-1571s); 1223s; 652s; (-552s); 1015s; + (-1293s); 1491s; (-282s); (-1544s); 516s; (-8s); (-320s); (-666s); (-1618s); (-1162s); 126s; + 1469s; (-853s); (-90s); (-271s); 830s; 107s; (-1421s); (-247s); (-951s); (-398s); 961s; + (-1508s); (-725s); 448s; (-1065s); 677s; (-1275s); (-1103s); 430s; 555s; 843s; (-1251s); 871s; + 1550s; 105s; 422s; 587s; 177s; (-235s); (-291s); (-460s); 1574s; 1653s; (-246s); 778s; 1159s; + (-147s); (-777s); 1483s; (-602s); 1119s; (-1590s); 644s; (-872s); 349s; 418s; 329s; (-156s); + (-75s); 817s; 1097s; 603s; 610s; 1322s; (-1285s); (-1465s); 384s; (-1215s); (-136s); 1218s; + (-1335s); (-874s); 220s; (-1187s); (-1659s); (-1185s); (-1530s); (-1278s); 794s; (-1510s); + (-854s); (-870s); 478s; (-108s); (-308s); 996s; 991s; 958s; (-1460s); 1522s; 1628s + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 128); + Rust_primitives.Hax.array_of_list 128 list -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = Rust_primitives.Hax.dropped_body +let v_VECTORS_IN_RING_ELEMENT: usize = + Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! + Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR type t_PolynomialRingElement (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti index 2f9d5a51d..5f5ac19d3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti @@ -54,15 +54,6 @@ val sample_from_uniform_distribution_next Prims.l_True (fun _ -> Prims.l_True) -val sample_from_binomial_distribution - (v_ETA: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (randomness: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, /// the `sample_from_binomial_distribution_{eta}` functions sample /// a ring element from a binomial distribution centered at 0 that uses two sets @@ -117,6 +108,15 @@ val sample_from_binomial_distribution_3_ (requires (Core.Slice.impl__len #u8 randomness <: usize) =. (sz 3 *! sz 64 <: usize)) (fun _ -> Prims.l_True) +val sample_from_binomial_distribution + (v_ETA: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (randomness: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + val sample_from_xof (v_K: usize) (#v_Vector #v_Hasher: Type0) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index b7aa994d8..f4e2ef812 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti 
@@ -58,18 +58,6 @@ val compress_then_serialize_ring_element_v (out: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -/// This function deserializes ring elements and reduces the result by the field -/// modulus. -/// This function MUST NOT be used on secret inputs. -val deserialize_ring_elements_reduced - (v_PUBLIC_KEY_SIZE v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: t_Slice u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - Prims.l_True - (fun _ -> Prims.l_True) - val deserialize_then_decompress_10_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} @@ -138,6 +126,18 @@ val deserialize_to_reduced_ring_element Prims.l_True (fun _ -> Prims.l_True) +/// This function deserializes ring elements and reduces the result by the field +/// modulus. +/// This function MUST NOT be used on secret inputs. +val deserialize_ring_elements_reduced + (v_PUBLIC_KEY_SIZE v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: t_Slice u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + Prims.l_True + (fun _ -> Prims.l_True) + val deserialize_to_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 8ef0918fa..b329bf404 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst 
@@ -3,6 +3,12 @@ module Libcrux_ml_kem.Types open Core open FStar.Mul +let impl_6__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let impl_12__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let impl_18__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value let impl_12__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value @@ -15,6 +21,14 @@ let impl__from (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE +let impl__into_parts + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + = + self.f_sk, self.f_pk + <: + (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + let impl__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti index 9cdbe7435..dc15da28f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti 
@@ -3,11 +3,23 @@ module Libcrux_ml_kem.Types open Core open FStar.Mul +/// The number of bytes +val impl_6__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +/// The number of bytes +val impl_12__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +/// The number of bytes +val impl_18__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + ///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef #(t_MlKemCiphertext v_SIZE) #(t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); @@ -15,7 +27,7 @@ let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_2 (v_SIZE: usize) : Core.Convert.t_From #(t_MlKemCiphertext v_SIZE) #(t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -23,7 +35,7 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_3 (v_SIZE: usize) : Core.Convert.t_From #(t_MlKemCiphertext v_SIZE) #(t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); 
@@ -34,7 +46,7 @@ let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = +let impl_4 (v_SIZE: usize) : Core.Convert.t_From #(t_Array u8 v_SIZE) #(t_MlKemCiphertext v_SIZE) = { f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true); f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -49,7 +61,7 @@ val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_7 (v_SIZE: usize) : Core.Convert.t_AsRef #(t_MlKemPrivateKey v_SIZE) #(t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); @@ -57,7 +69,7 @@ let impl_7 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_8 (v_SIZE: usize) : Core.Convert.t_From #(t_MlKemPrivateKey v_SIZE) #(t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); 
@@ -65,7 +77,7 @@ let impl_8 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_9 (v_SIZE: usize) : Core.Convert.t_From #(t_MlKemPrivateKey v_SIZE) #(t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -76,7 +88,7 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = +let impl_10 (v_SIZE: usize) : Core.Convert.t_From #(t_Array u8 v_SIZE) #(t_MlKemPrivateKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -91,7 +103,7 @@ val impl_12__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_13 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_13 (v_SIZE: usize) : Core.Convert.t_AsRef #(t_MlKemPublicKey v_SIZE) #(t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); 
@@ -99,7 +111,7 @@ let impl_13 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_14 (v_SIZE: usize) : Core.Convert.t_From #(t_MlKemPublicKey v_SIZE) #(t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -107,7 +119,7 @@ let impl_14 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_15 (v_SIZE: usize) : Core.Convert.t_From #(t_MlKemPublicKey v_SIZE) #(t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -118,7 +130,7 @@ let impl_15 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = +let impl_16 (v_SIZE: usize) : Core.Convert.t_From #(t_Array u8 v_SIZE) #(t_MlKemPublicKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -130,7 +142,7 @@ val impl_18__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom #(t_MlKemCiphertext v_SIZE) #(t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); 
@@ -156,7 +168,7 @@ let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) ( } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_11 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_11 (v_SIZE: usize) : Core.Convert.t_TryFrom #(t_MlKemPrivateKey v_SIZE) #(t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -182,7 +194,7 @@ let impl_11 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_17 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_17 (v_SIZE: usize) : Core.Convert.t_TryFrom #(t_MlKemPublicKey v_SIZE) #(t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -222,6 +234,14 @@ val impl__from Prims.l_True (fun _ -> Prims.l_True) +/// Separate this key into the public and private key. +val impl__into_parts + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + /// Creates a new [`MlKemKeyPair`]. val impl__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti index b808a037f..d7e59b4b2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti 
@@ -3,19 +3,28 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic open Core open FStar.Mul -let v_BARRETT_MULTIPLIER: i16 = Rust_primitives.Hax.dropped_body +let v_BARRETT_MULTIPLIER: i16 = 20159s val add (lhs rhs: Core.Core_arch.X86.t____m256i) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) +val bitwise_and_with_constant (vector: Core.Core_arch.X86.t____m256i) (constant: i16) + : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) + +val multiply_by_constant (vector: Core.Core_arch.X86.t____m256i) (constant: i16) + : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) + +val shift_right (v_SHIFT_BY: i32) (vector: Core.Core_arch.X86.t____m256i) + : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) + +val sub (lhs rhs: Core.Core_arch.X86.t____m256i) + : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) + /// See Section 3.2 of the implementation notes document for an explanation /// of this code. val barrett_reduce (vector: Core.Core_arch.X86.t____m256i) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) -val bitwise_and_with_constant (vector: Core.Core_arch.X86.t____m256i) (constant: i16) - : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) - val cond_subtract_3329_ (vector: Core.Core_arch.X86.t____m256i) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) 
@@ -30,12 +39,3 @@ val montgomery_multiply_m128i_by_constants (v c: Core.Core_arch.X86.t____m128i) val montgomery_reduce_i32s (v: Core.Core_arch.X86.t____m256i) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) - -val multiply_by_constant (vector: Core.Core_arch.X86.t____m256i) (constant: i16) - : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) - -val shift_right (v_SHIFT_BY: i32) (vector: Core.Core_arch.X86.t____m256i) - : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) - -val sub (lhs rhs: Core.Core_arch.X86.t____m256i) - : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti index efc3482e9..cf82ca72e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fsti @@ -3,6 +3,9 @@ module Libcrux_ml_kem.Vector.Avx2.Compress open Core open FStar.Mul +val mulhi_mm256_epi32 (lhs rhs: Core.Core_arch.X86.t____m256i) + : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) + val compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: Core.Core_arch.X86.t____m256i) @@ -15,6 +18,3 @@ val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: Core.Core_arch.X86.t____m256i) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) - -val mulhi_mm256_epi32 (lhs rhs: Core.Core_arch.X86.t____m256i) - : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti index 75b8e11b7..5b5d55f76 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti @@ -3,6 +3,8 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt open Core open FStar.Mul +let ntt_multiply__PERMUTE_WITH: i32 = 216l + val inv_ntt_layer_1_step (vector: Core.Core_arch.X86.t____m256i) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) @@ -23,5 +25,3 @@ val ntt_layer_3_step (vector: Core.Core_arch.X86.t____m256i) (zeta: i16) val ntt_multiply (lhs rhs: Core.Core_arch.X86.t____m256i) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) - -let ntt_multiply__PERMUTE_WITH: i32 = Rust_primitives.Hax.dropped_body diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti index ec0c98177..2304c3b28 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti @@ -3,14 +3,8 @@ module Libcrux_ml_kem.Vector.Avx2.Portable open Core open FStar.Mul -unfold -let t_FieldElement = i16 - type t_PortableVector = { f_elements:t_Array i16 (sz 16) } -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) - val from_i16_array (array: t_Array i16 (sz 16)) : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) @@ -21,3 +15,6 @@ val to_i16_array (v: t_PortableVector) : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti index 2d6f3898e..40b7a961d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fsti @@ -9,9 +9,6 @@ val deserialize_1_ (bytes: t_Slice u8) val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) - val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) @@ -27,14 +24,17 @@ val serialize_1_ (vector: Core.Core_arch.X86.t____m256i) val serialize_10_ (vector: Core.Core_arch.X86.t____m256i) : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_11_ (vector: Core.Core_arch.X86.t____m256i) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - val serialize_12_ (vector: Core.Core_arch.X86.t____m256i) : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_5_ (vector: Core.Core_arch.X86.t____m256i) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_4_ (vector: Core.Core_arch.X86.t____m256i) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_5_ (vector: Core.Core_arch.X86.t____m256i) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Core.Core_arch.X86.t____m256i Prims.l_True (fun _ -> Prims.l_True) + +val serialize_11_ (vector: Core.Core_arch.X86.t____m256i) + : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index 7d65a411a..cc388fd66 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti @@ -14,7 +14,7 @@ val to_i16_array (v: t_SIMD256Vector) val zero: Prims.unit -> Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations #t_SIMD256Vector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti index fbf536a4b..ce3906fea 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti 
@@ -4,4 +4,2021 @@ open Core open FStar.Mul let v_REJECTION_SAMPLE_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 256) = - Rust_primitives.Hax.dropped_body + let list = + [ + (let list = + [ + 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 
255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 
255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 255uy; 255uy; 
255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] 
+ in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] 
+ in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + 
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm 
(Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 
11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 
12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 
255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + 
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 
16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 14uy; 15uy; 
255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 
255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 
255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm 
(Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + 
Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + 
(let list = + [ + 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 
13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in 
+ FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 
(List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 
list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 2uy; 3uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 
13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [0uy; 1uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); + Rust_primitives.Hax.array_of_list 256 list diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti index 5c09d7209..679937d54 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti @@ -3,7 +3,7 @@ module Libcrux_ml_kem.Vector.Traits open Core open FStar.Mul -class t_Operations (v_Self: Type0) = { +class t_Operations (#v_Self: Type0) = { [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; f_ZERO_pre:Prims.unit -> bool; 
@@ -181,13 +181,13 @@ class t_Operations (v_Self: Type0) = { (fun result -> f_rej_sample_post x0 x1 result) } -let v_FIELD_ELEMENTS_IN_VECTOR: usize = Rust_primitives.Hax.dropped_body +let v_FIELD_ELEMENTS_IN_VECTOR: usize = sz 16 -let v_FIELD_MODULUS: i16 = Rust_primitives.Hax.dropped_body +let v_FIELD_MODULUS: i16 = 3329s -let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = Rust_primitives.Hax.dropped_body +let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209ul -let v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = Rust_primitives.Hax.dropped_body +let v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353s val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T) : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fst index c80c01c5c..aa2871040 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fst 
@@ -76,18 +76,23 @@ let ntt_multiply_binomials (a0, a1: (i16 & i16)) (b0, b1: (i16 & i16)) (zeta: i1 let rej_sample (a: t_Slice u8) (result: t_Slice i16) = let sampled:usize = sz 0 in let result, sampled:(t_Slice i16 & usize) = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks - u8) - (Core.Slice.impl__chunks #u8 a (sz 3) <: Core.Slice.Iter.t_Chunks u8) + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Ops.Range.t_Range + usize) + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = (Core.Slice.impl__len #u8 a <: usize) /! sz 3 <: usize + } + <: + Core.Ops.Range.t_Range usize) <: - Core.Slice.Iter.t_Chunks u8) + Core.Ops.Range.t_Range usize) (result, sampled <: (t_Slice i16 & usize)) - (fun temp_0_ bytes -> + (fun temp_0_ i -> let result, sampled:(t_Slice i16 & usize) = temp_0_ in - let bytes:t_Slice u8 = bytes in - let b1:i16 = cast (bytes.[ sz 0 ] <: u8) <: i16 in - let b2:i16 = cast (bytes.[ sz 1 ] <: u8) <: i16 in - let b3:i16 = cast (bytes.[ sz 2 ] <: u8) <: i16 in + let i:usize = i in + let b1:i16 = cast (a.[ (i *! sz 3 <: usize) +! sz 0 <: usize ] <: u8) <: i16 in + let b2:i16 = cast (a.[ (i *! sz 3 <: usize) +! sz 1 <: usize ] <: u8) <: i16 in + let b3:i16 = cast (a.[ (i *! sz 3 <: usize) +! sz 2 <: usize ] <: u8) <: i16 in let d1:i16 = ((b2 &. 15s <: i16) <>! 4l <: i16) in let result, sampled:(t_Slice i16 & usize) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fsti index 39f142807..df37aa96e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.fsti 
@@ -9,33 +9,16 @@ let _ = let open Libcrux_ml_kem.Vector.Portable in () -/// Values having this type hold a representative 'x' of the Kyber field. -/// We use 'fe' as a shorthand for this type. -unfold -let t_FieldElement = i16 - -/// If 'x' denotes a value of type `fe`, values having this type hold a -/// representative y ≡ x·MONTGOMERY_R (mod FIELD_MODULUS). -/// We use 'fer' as a shorthand for this type. -unfold -let t_FieldElementTimesMontgomeryR = i16 - -/// If 'x' denotes a value of type `fe`, values having this type hold a -/// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). -/// We use 'mfe' as a shorthand for this type -unfold -let t_MontgomeryFieldElement = i16 - /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ -let v_BARRETT_MULTIPLIER: i32 = Rust_primitives.Hax.dropped_body +let v_BARRETT_MULTIPLIER: i32 = 20159l -let v_BARRETT_R: i32 = Rust_primitives.Hax.dropped_body +let v_BARRETT_SHIFT: i32 = 26l -let v_BARRETT_SHIFT: i32 = Rust_primitives.Hax.dropped_body +let v_BARRETT_R: i32 = 1l <. (Core.Ops.Arith.Neg.neg Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) && result <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) -val compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) - : Prims.Pure i16 - (requires - (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy || - coefficient_bits =. 11uy) && - fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16)) - (ensures - fun result -> - let result:i16 = result in - result >=. 0s && - result <. (Core.Num.impl__i16__pow 2s (cast (coefficient_bits <: u8) <: u32) <: i16)) - /// The `compress_*` functions implement the `Compress` function specified in the NIST FIPS /// 203 standard (Page 18, Expression 4.5), which is defined as: /// ```plaintext 
@@ -105,14 +76,17 @@ val get_n_least_significant_bits (n: u8) (value: u32) let result:u32 = result in result <. (Core.Num.impl__u32__pow 2ul (Core.Convert.f_into #u8 #u32 n <: u32) <: u32)) -/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to -/// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to -/// `x · y`, as follows: -/// `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` -/// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative -/// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. -val montgomery_multiply_fe_by_fer (fe fer: i16) - : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True) +val compress_ciphertext_coefficient (coefficient_bits: u8) (fe: u16) + : Prims.Pure i16 + (requires + (coefficient_bits =. 4uy || coefficient_bits =. 5uy || coefficient_bits =. 10uy || + coefficient_bits =. 11uy) && + fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: u16)) + (ensures + fun result -> + let result:i16 = result in + result >=. 0s && + result <. (Core.Num.impl__i16__pow 2s (cast (coefficient_bits <: u8) <: u32) <: i16)) /// Signed Montgomery Reduction /// Given an input `value`, `montgomery_reduce` outputs a representative `o` 
@@ -147,6 +121,15 @@ val montgomery_reduce_element (value: i32) i16) && result <=. ((3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) /! 2s <: i16)) +/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to +/// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to +/// `x · y`, as follows: +/// `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` +/// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative +/// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. +val montgomery_multiply_fe_by_fer (fe fer: i16) + : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True) + /// Compute the product of two Kyber binomials with respect to the /// modulus `X² - zeta`. /// This function almost implements Algorithm 11 of the @@ -206,36 +189,6 @@ val decompress_ciphertext_coefficient Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_ (v: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_10_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_12_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_4_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) - val from_i16_array (array: t_Slice i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector Prims.l_True 
@@ -285,13 +238,6 @@ val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.t_PortableVector) (zeta: Prims.l_True (fun _ -> Prims.l_True) -val ntt_multiply - (lhs rhs: Libcrux_ml_kem.Vector.Portable.t_PortableVector) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector - Prims.l_True - (fun _ -> Prims.l_True) - val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.t_PortableVector) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) 
@@ -323,8 +269,45 @@ val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.t_PortableVector) val zero: Prims.unit -> Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector Prims.l_True (fun _ -> Prims.l_True) +val deserialize_1_ (v: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_10_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_12_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_4_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_multiply + (lhs rhs: Libcrux_ml_kem.Vector.Portable.t_PortableVector) + (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Portable.t_PortableVector = +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations #Libcrux_ml_kem.Vector.Portable.t_PortableVector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; diff --git a/libcrux-ml-kem/src/cfg.rs b/libcrux-ml-kem/src/cfg.rs new file mode 100644 index 000000000..af6c980df --- /dev/null +++ b/libcrux-ml-kem/src/cfg.rs 
@@ -0,0 +1,32 @@ +/// Macro to simplify feature gating of verified code that should only be enabled +/// when unverified code is disabled. +macro_rules! cfg_verified { + ($($item:item)*) => { + $( + #[cfg(not(feature = "pre-verification"))] + #[allow(missing_docs)] + $item + )* + } +} + +/// Macro to simplify `pre-verification` feature gating +macro_rules! cfg_pre_verification { + ($($item:item)*) => { + $( + #[cfg(feature = "pre-verification")] + $item + )* + } +} + +/// Macro to simplify `kyber` feature gating +#[cfg(feature = "pre-verification")] +macro_rules! cfg_kyber { + ($($item:item)*) => { + $( + #[cfg(feature = "kyber")] + $item + )* + } +} diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs index d22029642..7ab7b6ece 100644 --- a/libcrux-ml-kem/src/hash_functions.rs +++ b/libcrux-ml-kem/src/hash_functions.rs @@ -47,7 +47,7 @@ pub(crate) mod portable { shake128_absorb_final, shake128_init, shake128_squeeze_first_three_blocks, shake128_squeeze_next_block, }, - KeccakState1, + KeccakState, }; /// The state. @@ -55,7 +55,7 @@ pub(crate) mod portable { /// It's only used for SHAKE128. /// All other functions don't actually use any members. pub(crate) struct PortableHash { - shake128_state: [KeccakState1; K], + shake128_state: [KeccakState; K], } impl Hash for PortableHash { @@ -132,7 +132,7 @@ pub(crate) mod portable { pub(crate) mod avx2 { use super::*; use libcrux_sha3::{ - avx2::x4::{self, incremental::KeccakState4}, + avx2::x4::{self, incremental::KeccakState}, portable, }; @@ -141,7 +141,7 @@ pub(crate) mod avx2 { /// It's only used for SHAKE128. /// All other functions don't actually use any members. pub(crate) struct Simd256Hash { - shake128_state: KeccakState4, + shake128_state: KeccakState, } impl Hash for Simd256Hash { 
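Review bot: `cfg_verified` attaches `#[allow(missing_docs)]` to every item it emits, and neither the macro's doc comment nor the body says why, so a reader of the verified API surface will not know that documentation lints are being suppressed there. The symmetric `cfg_pre_verification` carries no such allow, so `missing_docs` will only ever fire on the unverified code, which looks backwards for a crate whose verified surface is the one users are expected to rely on. Suggest a comment directly above the attribute, e.g. `// TODO(docs): verified items are not yet documented; drop this allow once they are.`, or, if the suppression is intentional, the reason for it in the macro's doc comment.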
@@ -314,14 +314,14 @@ pub(crate) mod avx2 { /// A SIMD128 implementation of [`Hash`] for NEON pub(crate) mod neon { use super::*; - use libcrux_sha3::neon::x2::{self, incremental::KeccakState2}; + use libcrux_sha3::neon::x2::{self, incremental::KeccakState}; /// The state. /// /// It's only used for SHAKE128. /// All other functions don't actually use any members. pub(crate) struct Simd128Hash { - shake128_state: [KeccakState2; 2], + shake128_state: [KeccakState; 2], } impl Hash for Simd128Hash { diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs index 34fcd5bc7..f5d5883dc 100644 --- a/libcrux-ml-kem/src/ind_cca.rs +++ b/libcrux-ml-kem/src/ind_cca.rs @@ -301,11 +301,15 @@ impl Variant for MlKem { shared_secret: &[u8], _: &MlKemCiphertext, ) -> [u8; 32] { - shared_secret.try_into().unwrap() + let mut out = [0u8; 32]; + out.copy_from_slice(shared_secret); + out } #[inline(always)] fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32] { - randomness.try_into().unwrap() + let mut out = [0u8; 32]; + out.copy_from_slice(randomness); + out } } diff --git a/libcrux-ml-kem/src/kem.rs b/libcrux-ml-kem/src/kem.rs new file mode 100644 index 000000000..e99d4d1ee --- /dev/null +++ b/libcrux-ml-kem/src/kem.rs 
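Review bot: In the `ind_cca.rs` hunk the replacement for `try_into().unwrap()` still panics on a length mismatch: `copy_from_slice` panics when `shared_secret.len()` (or `randomness.len()`) is not 32, so the change removes the `unwrap` but not the panic path, in both the first function (whose signature starts outside the hunk) and `entropy_preprocess`. If the motivation is extraction (hax) or avoiding `TryInto`, that belongs in a comment; otherwise a one-line invariant note documents why the panic is unreachable, e.g. `// Callers always pass exactly 32 bytes; copy_from_slice panics on any other length.`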
@@ -0,0 +1,28 @@ +// hacspec code: don't let clippy touch it. +#[allow(clippy::all)] +pub mod kyber; + +// // TODO: These functions are currently exposed simply in order to make NIST KAT +// // testing possible without an implementation of the NIST AES-CTR DRBG. Remove them +// // (and change the visibility of the exported functions to pub(crate)) the +// // moment we have an implementation of one. This is tracked by: +// // https://github.com/cryspen/libcrux/issues/36 +// #[cfg(feature = "tests")] +// pub mod deterministic { +// pub use super::kyber::kyber1024::decapsulate as kyber1024_decapsulate_derand; +// pub use super::kyber::kyber1024::encapsulate as kyber1024_encapsulate_derand; +// pub use super::kyber::kyber1024::generate_key_pair as kyber1024_generate_keypair_derand; +// pub use super::kyber::kyber512::decapsulate as kyber512_decapsulate_derand; +// pub use super::kyber::kyber512::encapsulate as kyber512_encapsulate_derand; +// pub use super::kyber::kyber512::generate_key_pair as kyber512_generate_keypair_derand; +// pub use super::kyber::kyber768::decapsulate as kyber768_decapsulate_derand; +// pub use super::kyber::kyber768::encapsulate as kyber768_encapsulate_derand; +// pub use super::kyber::kyber768::generate_key_pair as kyber768_generate_keypair_derand; +// } + +// #[cfg(feature = "tests")] +// pub use kyber::{ +// kyber1024::validate_public_key as ml_kem1024_validate_public_key, +// kyber512::validate_public_key as ml_kem512_validate_public_key, +// kyber768::validate_public_key as ml_kem768_validate_public_key, +// }; diff --git a/libcrux-ml-kem/src/kem/kyber.rs b/libcrux-ml-kem/src/kem/kyber.rs new file mode 100644 index 000000000..e63fb7f92 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber.rs 
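Review bot: The new `kem.rs` is mostly a commented-out `deterministic` module and a commented-out `pub use` block, with the TODO still pointing at issue 36; commented-out code in a freshly added file is dead weight that rots silently and cannot be checked by the compiler. Either delete it (version control keeps it) or keep it live under `#[cfg(feature = "tests")]` as the comment says it was. If a marker must stay, reduce it to one line, e.g. `// TODO(#36): re-expose the derandomised kyber{512,768,1024} APIs under the tests feature.`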
@@ -0,0 +1,358 @@ +// This module is declared here since otherwise, hax reports the following error: +// +// The THIR body of item +// DefId(0:986 ~ libcrux[92b3]::kem::kyber768::parameters::COEFFICIENTS_IN_RING_ELEMENT) +// was stolen. +// +// This is being tracked in https://github.com/hacspec/hacspec-v2/issues/27 +pub(crate) mod constants; + +/// Helpers for verification and extraction +mod helper; + +mod arithmetic; +mod compress; +mod constant_time_ops; +mod hash_functions; +mod ind_cpa; +mod matrix; +mod ntt; +mod sampling; +mod serialize; +mod types; + +// Variants +#[cfg(feature = "mlkem1024")] +pub mod kyber1024; +#[cfg(feature = "mlkem512")] +pub mod kyber512; +#[cfg(feature = "mlkem768")] +pub mod kyber768; + +pub use types::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey}; + +// TODO: We should make this an actual type as opposed to alias so we can enforce +// some checks at the type level. This is being tracked in: +// https://github.com/cryspen/libcrux/issues/123 +pub type MlKemSharedSecret = [u8; SHARED_SECRET_SIZE]; + +use self::{ + arithmetic::PolynomialRingElement, + constant_time_ops::{ + compare_ciphertexts_in_constant_time, select_shared_secret_in_constant_time, + }, + constants::{CPA_PKE_KEY_GENERATION_SEED_SIZE, H_DIGEST_SIZE, SHARED_SECRET_SIZE}, + hash_functions::{G, H, PRF}, + ind_cpa::{into_padded_array, serialize_public_key}, + serialize::deserialize_ring_elements_reduced, +}; + +/// Seed size for key generation +pub(crate) const KEY_GENERATION_SEED_SIZE: usize = + CPA_PKE_KEY_GENERATION_SEED_SIZE + SHARED_SECRET_SIZE; + +/// Serialize the secret key. 
+#[inline(always)] +fn serialize_kem_secret_key( + private_key: &[u8], + public_key: &[u8], + implicit_rejection_value: &[u8], +) -> [u8; SERIALIZED_KEY_LEN] { + let mut out = [0u8; SERIALIZED_KEY_LEN]; + let mut pointer = 0; + out[pointer..pointer + private_key.len()].copy_from_slice(private_key); + pointer += private_key.len(); + out[pointer..pointer + public_key.len()].copy_from_slice(public_key); + pointer += public_key.len(); + out[pointer..pointer + H_DIGEST_SIZE].copy_from_slice(&H(public_key)); + pointer += H_DIGEST_SIZE; + out[pointer..pointer + implicit_rejection_value.len()] + .copy_from_slice(implicit_rejection_value); + out +} + +pub(super) fn validate_public_key< + const K: usize, + const RANKED_BYTES_PER_RING_ELEMENT: usize, + const PUBLIC_KEY_SIZE: usize, +>( + public_key: &[u8; PUBLIC_KEY_SIZE], +) -> bool { + let deserialized_pk = deserialize_ring_elements_reduced::( + &public_key[..RANKED_BYTES_PER_RING_ELEMENT], + ); + + let public_key_serialized = + serialize_public_key::( + deserialized_pk, + &public_key[RANKED_BYTES_PER_RING_ELEMENT..], + ); + + *public_key == public_key_serialized +} + +pub struct MlKemState { + secret_as_ntt: [PolynomialRingElement; K], + t_as_ntt: [PolynomialRingElement; K], + a_transpose: [[PolynomialRingElement; K]; K], + rej: [u8; 32], + ind_cpa_public_key_hash: [u8; 32], +} + +pub(super) fn generate_keypair_unpacked< + const K: usize, + const CPA_PRIVATE_KEY_SIZE: usize, + const PRIVATE_KEY_SIZE: usize, + const PUBLIC_KEY_SIZE: usize, + const BYTES_PER_RING_ELEMENT: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, +>( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> (MlKemState, MlKemPublicKey) { + let ind_cpa_keypair_randomness = &randomness[0..CPA_PKE_KEY_GENERATION_SEED_SIZE]; + let implicit_rejection_value = &randomness[CPA_PKE_KEY_GENERATION_SEED_SIZE..]; + + let ((secret_as_ntt, t_as_ntt, a_transpose), ind_cpa_public_key) = + ind_cpa::generate_keypair_unpacked::< + K, + PUBLIC_KEY_SIZE, + 
BYTES_PER_RING_ELEMENT, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(ind_cpa_keypair_randomness); + + let ind_cpa_public_key_hash = H(&ind_cpa_public_key); + + let rej: [u8; 32] = implicit_rejection_value.try_into().unwrap(); + let pubkey: MlKemPublicKey = MlKemPublicKey::from(ind_cpa_public_key); + ( + MlKemState { + secret_as_ntt, + t_as_ntt, + a_transpose, + rej, + ind_cpa_public_key_hash, + }, + pubkey, + ) +} + +pub(super) fn generate_keypair< + const K: usize, + const CPA_PRIVATE_KEY_SIZE: usize, + const PRIVATE_KEY_SIZE: usize, + const PUBLIC_KEY_SIZE: usize, + const BYTES_PER_RING_ELEMENT: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, +>( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> MlKemKeyPair { + let ind_cpa_keypair_randomness = &randomness[0..CPA_PKE_KEY_GENERATION_SEED_SIZE]; + let implicit_rejection_value = &randomness[CPA_PKE_KEY_GENERATION_SEED_SIZE..]; + + let (ind_cpa_private_key, public_key) = ind_cpa::generate_keypair::< + K, + CPA_PRIVATE_KEY_SIZE, + PUBLIC_KEY_SIZE, + BYTES_PER_RING_ELEMENT, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(ind_cpa_keypair_randomness); + + let secret_key_serialized = + serialize_kem_secret_key(&ind_cpa_private_key, &public_key, implicit_rejection_value); + let private_key: MlKemPrivateKey = + MlKemPrivateKey::from(secret_key_serialized); + + MlKemKeyPair::from(private_key, public_key.into()) +} + +pub(super) fn encapsulate< + const K: usize, + const CIPHERTEXT_SIZE: usize, + const PUBLIC_KEY_SIZE: usize, + const T_AS_NTT_ENCODED_SIZE: usize, + const C1_SIZE: usize, + const C2_SIZE: usize, + const VECTOR_U_COMPRESSION_FACTOR: usize, + const VECTOR_V_COMPRESSION_FACTOR: usize, + const VECTOR_U_BLOCK_LEN: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, + const ETA2: usize, + const ETA2_RANDOMNESS_SIZE: usize, +>( + public_key: &MlKemPublicKey, + randomness: [u8; SHARED_SECRET_SIZE], +) -> (MlKemCiphertext, MlKemSharedSecret) { + let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = 
into_padded_array(&randomness); + to_hash[H_DIGEST_SIZE..].copy_from_slice(&H(public_key.as_slice())); + + let hashed = G(&to_hash); + let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); + + let ciphertext = ind_cpa::encrypt::< + K, + CIPHERTEXT_SIZE, + T_AS_NTT_ENCODED_SIZE, + C1_SIZE, + C2_SIZE, + VECTOR_U_COMPRESSION_FACTOR, + VECTOR_V_COMPRESSION_FACTOR, + VECTOR_U_BLOCK_LEN, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + >(public_key.as_slice(), randomness, pseudorandomness); + + let mut shared_secret_array = [0u8; SHARED_SECRET_SIZE]; + shared_secret_array.copy_from_slice(shared_secret); + (ciphertext.into(), shared_secret_array) +} + +pub(super) fn decapsulate_unpacked< + const K: usize, + const SECRET_KEY_SIZE: usize, + const CPA_SECRET_KEY_SIZE: usize, + const PUBLIC_KEY_SIZE: usize, + const CIPHERTEXT_SIZE: usize, + const T_AS_NTT_ENCODED_SIZE: usize, + const C1_SIZE: usize, + const C2_SIZE: usize, + const VECTOR_U_COMPRESSION_FACTOR: usize, + const VECTOR_V_COMPRESSION_FACTOR: usize, + const C1_BLOCK_SIZE: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, + const ETA2: usize, + const ETA2_RANDOMNESS_SIZE: usize, + const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, +>( + state: &MlKemState, + ciphertext: &MlKemCiphertext, +) -> MlKemSharedSecret { + let secret_as_ntt: &[PolynomialRingElement; K] = &state.secret_as_ntt; + let t_as_ntt: &[PolynomialRingElement; K] = &state.t_as_ntt; + let a_transpose: &[[PolynomialRingElement; K]; K] = &state.a_transpose; + let implicit_rejection_value: &[u8] = &state.rej; + let ind_cpa_public_key_hash: &[u8] = &state.ind_cpa_public_key_hash; + + let decrypted = ind_cpa::decrypt_unpacked::< + K, + CIPHERTEXT_SIZE, + C1_SIZE, + VECTOR_U_COMPRESSION_FACTOR, + VECTOR_V_COMPRESSION_FACTOR, + >(secret_as_ntt, &ciphertext.value); + + let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted); + 
to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash); + + let hashed = G(&to_hash); + let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); + + let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] = + into_padded_array(&implicit_rejection_value); + to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref()); + let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = PRF(&to_hash); + + let expected_ciphertext = ind_cpa::encrypt_unpacked::< + K, + CIPHERTEXT_SIZE, + T_AS_NTT_ENCODED_SIZE, + C1_SIZE, + C2_SIZE, + VECTOR_U_COMPRESSION_FACTOR, + VECTOR_V_COMPRESSION_FACTOR, + C1_BLOCK_SIZE, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + >(t_as_ntt, a_transpose, decrypted, pseudorandomness); + + let selector = compare_ciphertexts_in_constant_time::( + ciphertext.as_ref(), + &expected_ciphertext, + ); + + select_shared_secret_in_constant_time( + shared_secret, + &implicit_rejection_shared_secret, + selector, + ) +} + +pub(super) fn decapsulate< + const K: usize, + const SECRET_KEY_SIZE: usize, + const CPA_SECRET_KEY_SIZE: usize, + const PUBLIC_KEY_SIZE: usize, + const CIPHERTEXT_SIZE: usize, + const T_AS_NTT_ENCODED_SIZE: usize, + const C1_SIZE: usize, + const C2_SIZE: usize, + const VECTOR_U_COMPRESSION_FACTOR: usize, + const VECTOR_V_COMPRESSION_FACTOR: usize, + const C1_BLOCK_SIZE: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, + const ETA2: usize, + const ETA2_RANDOMNESS_SIZE: usize, + const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize, +>( + secret_key: &MlKemPrivateKey, + ciphertext: &MlKemCiphertext, +) -> MlKemSharedSecret { + let (ind_cpa_secret_key, secret_key) = secret_key.split_at(CPA_SECRET_KEY_SIZE); + let (ind_cpa_public_key, secret_key) = secret_key.split_at(PUBLIC_KEY_SIZE); + let (ind_cpa_public_key_hash, implicit_rejection_value) = secret_key.split_at(H_DIGEST_SIZE); + + let decrypted = ind_cpa::decrypt::< + K, + CIPHERTEXT_SIZE, + C1_SIZE, + 
VECTOR_U_COMPRESSION_FACTOR, + VECTOR_V_COMPRESSION_FACTOR, + >(ind_cpa_secret_key, &ciphertext.value); + + let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted); + to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash); + + let hashed = G(&to_hash); + let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); + + let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] = + into_padded_array(&implicit_rejection_value); + to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref()); + let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = PRF(&to_hash); + + let expected_ciphertext = ind_cpa::encrypt::< + K, + CIPHERTEXT_SIZE, + T_AS_NTT_ENCODED_SIZE, + C1_SIZE, + C2_SIZE, + VECTOR_U_COMPRESSION_FACTOR, + VECTOR_V_COMPRESSION_FACTOR, + C1_BLOCK_SIZE, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + >(ind_cpa_public_key, decrypted, pseudorandomness); + + let selector = compare_ciphertexts_in_constant_time::( + ciphertext.as_ref(), + &expected_ciphertext, + ); + + select_shared_secret_in_constant_time( + shared_secret, + &implicit_rejection_shared_secret, + selector, + ) +} diff --git a/libcrux-ml-kem/src/kem/kyber/PERFORMANCE.md b/libcrux-ml-kem/src/kem/kyber/PERFORMANCE.md new file mode 100644 index 000000000..93bf98dd9 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/PERFORMANCE.md @@ -0,0 +1,8 @@ +N.B.: All measurements were taken on an M1 MacBook Air with 16 GB of memory. + +| | Key Generation (µs) | Encapsulation (µs) | Decapsulation (µs) | +|:----------|----------------------:|---------------------:|---------------------:| +| libcrux | 30.671 | 36.31 | 36.3 | +| BoringSSL | 33.8152 | 28.7323 | 35.2664 | +| CIRCL | 39.785 | 44.517 | 49.626 | +| PQClean | 30.671 | 38.511 | 43.458 | \ No newline at end of file diff --git a/libcrux-ml-kem/src/kem/kyber/arithmetic.rs b/libcrux-ml-kem/src/kem/kyber/arithmetic.rs new file mode 100644 index 000000000..de38ff72d 
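Review bot: `MlKemState` in the new `kyber.rs` is a `pub` struct with no doc comment and hard-codes `32` for `rej` and `ind_cpa_public_key_hash`, while the rest of the file sizes the same values with `SHARED_SECRET_SIZE` and `H_DIGEST_SIZE` (`decapsulate_unpacked` copies `state.rej` into the first `SHARED_SECRET_SIZE` bytes of `to_hash`, and `ind_cpa_public_key_hash` is assigned from `H(...)`). Declaring the fields as `rej: [u8; SHARED_SECRET_SIZE]` and `ind_cpa_public_key_hash: [u8; H_DIGEST_SIZE]` makes the length assumption behind `implicit_rejection_value.try_into().unwrap()` in `generate_keypair_unpacked` a compile-time fact rather than a runtime one, and that unwrap could also take the `copy_from_slice` form this commit adopts in `ind_cca.rs`. A doc comment is warranted because the struct holds secret key material: `/// Unpacked decapsulation state: the secret key and \`t\` in the NTT domain, the matrix \`A^T\`, the implicit-rejection value and the hash of the IND-CPA public key.`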
--- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/arithmetic.rs 
@@ -0,0 +1,201 @@ +use crate::hax_utils::hax_debug_assert; + +use super::constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS}; + +/// Values having this type hold a representative 'x' of the Kyber field. +/// We use 'fe' as a shorthand for this type. +pub(crate) type FieldElement = i32; + +const MONTGOMERY_SHIFT: u8 = 16; +const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT; + +/// If 'x' denotes a value of type `fe`, values having this type hold a +/// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). +/// We use 'mfe' as a shorthand for this type +pub(crate) type MontgomeryFieldElement = i32; + +/// If 'x' denotes a value of type `fe`, values having this type hold a +/// representative y ≡ x·MONTGOMERY_R (mod FIELD_MODULUS). +/// We use 'fer' as a shorthand for this type. +pub(crate) type FieldElementTimesMontgomeryR = i32; + +#[cfg_attr(hax, hax_lib::requires(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT))] +#[cfg_attr(hax, hax_lib::ensures(|result| result < 2u32.pow(n.into())))] +#[inline(always)] +pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 { + hax_debug_assert!(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT); + + value & ((1 << n) - 1) +} + +const BARRETT_SHIFT: i64 = 26; +const BARRETT_R: i64 = 1 << BARRETT_SHIFT; + +/// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ +const BARRETT_MULTIPLIER: i64 = 20159; + +/// Signed Barrett Reduction +/// +/// Given an input `value`, `barrett_reduce` outputs a representative `result` +/// such that: +/// +/// - result ≡ value (mod FIELD_MODULUS) +/// - the absolute value of `result` is bound as follows: +/// +/// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) +/// +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. 
+ +#[cfg_attr(hax, hax_lib::requires((i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R)))] +#[cfg_attr(hax, hax_lib::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))] +pub(crate) fn barrett_reduce(value: FieldElement) -> FieldElement { + hax_debug_assert!( + i64::from(value) > -BARRETT_R && i64::from(value) < BARRETT_R, + "value is {value}" + ); + + let t = (i64::from(value) * BARRETT_MULTIPLIER) + (BARRETT_R >> 1); + let quotient = (t >> BARRETT_SHIFT) as i32; + + let result = value - (quotient * FIELD_MODULUS); + + hax_debug_assert!( + result > -FIELD_MODULUS && result < FIELD_MODULUS, + "value is {value}" + ); + + result +} + +const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMERY_R + +/// Signed Montgomery Reduction +/// +/// Given an input `value`, `montgomery_reduce` outputs a representative `o` +/// such that: +/// +/// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) +/// - the absolute value of `o` is bound as follows: +/// +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) +/// +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. +#[cfg_attr(hax, hax_lib::requires(value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R))] +#[cfg_attr(hax, hax_lib::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))] +pub(crate) fn montgomery_reduce(value: FieldElement) -> MontgomeryFieldElement { + // This forces hax to extract code for MONTGOMERY_R before it extracts code + // for this function. 
The removal of this line is being tracked in: + // https://github.com/cryspen/libcrux/issues/134 + let _ = MONTGOMERY_R; + + hax_debug_assert!( + value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R, + "value is {value}" + ); + + let t = get_n_least_significant_bits(MONTGOMERY_SHIFT, value as u32) + * INVERSE_OF_MODULUS_MOD_MONTGOMERY_R; + let k = get_n_least_significant_bits(MONTGOMERY_SHIFT, t) as i16; + + let k_times_modulus = (k as i32) * FIELD_MODULUS; + + let c = k_times_modulus >> MONTGOMERY_SHIFT; + let value_high = value >> MONTGOMERY_SHIFT; + + value_high - c +} + +/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to +/// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to +/// `x · y`, as follows: +/// +/// `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` +/// +/// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative +/// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. 
+#[inline(always)] +pub(crate) fn montgomery_multiply_fe_by_fer( + fe: FieldElement, + fer: FieldElementTimesMontgomeryR, +) -> FieldElement { + montgomery_reduce(fe * fer) +} + +/// This is calculated as (MONTGOMERY_R)^2 mod FIELD_MODULUS +const MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i32 = 1353; + +/// If x is some field element of the Kyber field and `mfe` is congruent to +/// x · MONTGOMERY_R^{-1}, this procedure outputs a value that is congruent to +/// `x`, as follows: +/// +/// mfe · MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS ≡ x · MONTGOMERY_R^{-1} * (MONTGOMERY_R)^2 (mod FIELD_MODULUS) +/// => mfe · MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS ≡ x · MONTGOMERY_R (mod FIELD_MODULUS) +/// +/// `montgomery_reduce` takes the value `x · MONTGOMERY_R` and outputs a representative +/// `x · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x (mod FIELD_MODULUS)` +#[inline(always)] +pub(crate) fn to_standard_domain(mfe: MontgomeryFieldElement) -> FieldElement { + montgomery_reduce(mfe * MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS) +} + +/// Given a field element `fe` such that -FIELD_MODULUS ≤ fe < FIELD_MODULUS, +/// output `o` such that: +/// - `o` is congruent to `fe` +/// - 0 ≤ `o` FIELD_MODULUS +#[cfg_attr(hax, hax_lib::requires(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS))] +#[cfg_attr(hax, hax_lib::ensures(|result| result >= 0 && result < (FIELD_MODULUS as u16)))] +#[inline(always)] +pub(crate) fn to_unsigned_representative(fe: FieldElement) -> u16 { + hax_debug_assert!(fe >= -FIELD_MODULUS && fe < FIELD_MODULUS); + (fe + (FIELD_MODULUS & (fe >> 31))) as u16 +} + +#[derive(Clone, Copy)] +pub struct PolynomialRingElement { + pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_RING_ELEMENT], +} + +impl PolynomialRingElement { + pub const ZERO: Self = Self { + coefficients: [0i32; 256], // FIXME: hax issue, this is COEFFICIENTS_IN_RING_ELEMENT + }; +} + +/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise +/// sum of their constituent coefficients. 
+#[cfg_attr(hax, hax_lib::requires( + hax_lib::forall(|i:usize| + hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, || + (lhs.coefficients[i].abs() <= ((K as i32) - 1) * FIELD_MODULUS) && + (rhs.coefficients[i].abs() <= FIELD_MODULUS) + +))))] +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::forall(|i:usize| + hax_lib::implies(i < result.coefficients.len(), || + result.coefficients[i].abs() <= (K as i32) * FIELD_MODULUS +))))] +pub(crate) fn add_to_ring_element( + mut lhs: PolynomialRingElement, + rhs: &PolynomialRingElement, +) -> PolynomialRingElement { + hax_debug_assert!(lhs + .coefficients + .into_iter() + .all(|coefficient| coefficient.abs() <= ((K as i32) - 1) * FIELD_MODULUS)); + hax_debug_assert!(rhs + .coefficients + .into_iter() + .all(|coefficient| coefficient.abs() < FIELD_MODULUS)); + + for i in 0..lhs.coefficients.len() { + lhs.coefficients[i] += rhs.coefficients[i]; + } + + hax_debug_assert!(lhs + .coefficients + .into_iter() + .all(|coefficient| coefficient.abs() <= (K as i32) * FIELD_MODULUS)); + + lhs +} diff --git a/libcrux-ml-kem/src/kem/kyber/compress.rs b/libcrux-ml-kem/src/kem/kyber/compress.rs new file mode 100644 index 000000000..dd1ebd4d3 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/compress.rs 
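Review bot: The precondition on `rhs` in `add_to_ring_element` is stated two different ways: the `hax_lib::requires` clause allows `rhs.coefficients[i].abs() <= FIELD_MODULUS`, while the `hax_debug_assert!` on the same input checks `coefficient.abs() < FIELD_MODULUS`, so the proved contract and the runtime check disagree at exactly `±FIELD_MODULUS`. Pick one bound and use it in both places; the `ensures` bound of `K · FIELD_MODULUS` holds either way, so `.all(|coefficient| coefficient.abs() <= FIELD_MODULUS)` in the assert is the minimal fix. The doc comment on `to_unsigned_representative` has also dropped an operator and should read `/// - 0 ≤ `o` < FIELD_MODULUS`. Finally, `montgomery_reduce`'s doc names its output `o` on one line and `result` on the next; using one name makes the bound easier to check against the `ensures` clause.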
@@ -0,0 +1,135 @@ +use crate::hax_utils::hax_debug_assert; + +use super::{ + arithmetic::{get_n_least_significant_bits, FieldElement}, + constants::FIELD_MODULUS, +}; + +/// The `compress_*` functions implement the `Compress` function specified in the NIST FIPS +/// 203 standard (Page 18, Expression 4.5), which is defined as: +/// +/// ```plaintext +/// Compress_d: ℤq -> ℤ_{2ᵈ} +/// Compress_d(x) = ⌈(2ᵈ/q)·x⌋ +/// ``` +/// +/// Since `⌈x⌋ = ⌊x + 1/2⌋` we have: +/// +/// ```plaintext +/// Compress_d(x) = ⌊(2ᵈ/q)·x + 1/2⌋ +/// = ⌊(2^{d+1}·x + q) / 2q⌋ +/// ``` +/// +/// For further information about the function implementations, consult the +/// `implementation_notes.pdf` document in this directory. +/// +/// The NIST FIPS 203 standard can be found at +/// . + +#[cfg_attr(hax, hax_lib::requires(fe < (FIELD_MODULUS as u16)))] +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::implies(833 <= fe && fe <= 2596, || result == 1) && + hax_lib::implies(!(833 <= fe && fe <= 2596), || result == 0) +))] +pub(super) fn compress_message_coefficient(fe: u16) -> u8 { + // The approach used here is inspired by: + // https://github.com/cloudflare/circl/blob/main/pke/kyber/internal/common/poly.go#L150 + + // If 833 <= fe <= 2496, + // then -832 <= shifted <= 831 + let shifted: i16 = 1664 - (fe as i16); + + // If shifted < 0, then + // (shifted >> 15) ^ shifted = flip_bits(shifted) = -shifted - 1, and so + // if -832 <= shifted < 0 then 0 < shifted_positive <= 831 + // + // If shifted >= 0 then + // (shifted >> 15) ^ shifted = shifted, and so + // if 0 <= shifted <= 831 then 0 <= shifted_positive <= 831 + let mask = shifted >> 15; + let shifted_to_positive = mask ^ shifted; + + let shifted_positive_in_range = shifted_to_positive - 832; + + // If x <= 831, then x - 832 <= -1, and so x - 832 < 0, which means + // the most significant bit of shifted_positive_in_range will be 1. 
+ ((shifted_positive_in_range >> 15) & 1) as u8 +} + +#[cfg_attr(hax, + hax_lib::requires( + (coefficient_bits == 4 || + coefficient_bits == 5 || + coefficient_bits == 10 || + coefficient_bits == 11) && + fe < (FIELD_MODULUS as u16)))] +#[cfg_attr(hax, + hax_lib::ensures( + |result| result >= 0 && result < 2i32.pow(coefficient_bits as u32)))] +pub(super) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) -> FieldElement { + hax_debug_assert!( + coefficient_bits == 4 + || coefficient_bits == 5 + || coefficient_bits == 10 + || coefficient_bits == 11 + ); + hax_debug_assert!(fe <= (FIELD_MODULUS as u16)); + + // This has to be constant time due to: + // https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/ovODsdY7AwAJ + let mut compressed = (fe as u64) << coefficient_bits; + compressed += 1664 as u64; + + compressed *= 10_321_340; + compressed >>= 35; + + get_n_least_significant_bits(coefficient_bits, compressed as u32) as FieldElement +} + +/// The `decompress_*` functions implement the `Decompress` function specified in the NIST FIPS +/// 203 standard (Page 18, Expression 4.6), which is defined as: +/// +/// ```plaintext +/// Decompress_d: ℤ_{2ᵈ} -> ℤq +/// Decompress_d(y) = ⌈(q/2ᵈ)·y⌋ +/// ``` +/// +/// Since `⌈x⌋ = ⌊x + 1/2⌋` we have: +/// +/// ```plaintext +/// Decompress_d(y) = ⌊(q/2ᵈ)·y + 1/2⌋ +/// = ⌊(2·y·q + 2ᵈ) / 2^{d+1})⌋ +/// ``` +/// +/// For further information about the function implementations, consult the +/// `implementation_notes.pdf` document in this directory. +/// +/// The NIST FIPS 203 standard can be found at +/// . 
+ +#[cfg_attr(hax, hax_lib::requires((fe == 0) || (fe == 1)))] +#[inline(always)] +pub(super) fn decompress_message_coefficient(fe: FieldElement) -> FieldElement { + -fe & ((FIELD_MODULUS + 1) / 2) +} + +#[cfg_attr(hax, hax_lib::requires((coefficient_bits == 4 || coefficient_bits == 5 || coefficient_bits == 10 || coefficient_bits == 11) && (fe >= 0) && (fe < 2i32.pow(coefficient_bits as u32))))] +#[cfg_attr(hax, hax_lib::ensures(|result| result < FIELD_MODULUS))] +pub(super) fn decompress_ciphertext_coefficient( + coefficient_bits: u8, + fe: FieldElement, +) -> FieldElement { + hax_debug_assert!( + coefficient_bits == 4 + || coefficient_bits == 5 + || coefficient_bits == 10 + || coefficient_bits == 11 + ); + hax_debug_assert!(fe >= 0 && fe <= 2i32.pow(coefficient_bits as u32)); + + let mut decompressed = (fe as u32) * (FIELD_MODULUS as u32); + decompressed = (decompressed << 1) + (1 << coefficient_bits); + decompressed >>= coefficient_bits + 1; + + decompressed as FieldElement +} diff --git a/libcrux-ml-kem/src/kem/kyber/constant_time_ops.rs b/libcrux-ml-kem/src/kem/kyber/constant_time_ops.rs new file mode 100644 index 000000000..66b667dad --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/constant_time_ops.rs 
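Review bot: The runtime checks in `compress_ciphertext_coefficient` and `decompress_ciphertext_coefficient` are looser than their hax contracts by one: the `requires` clauses demand `fe < FIELD_MODULUS` and `fe < 2i32.pow(coefficient_bits)`, but the `hax_debug_assert!`s accept `fe <= (FIELD_MODULUS as u16)` and `fe <= 2i32.pow(coefficient_bits as u32)`. A boundary value would pass a debug build unnoticed while lying outside the verified domain, so the asserts should read `hax_debug_assert!(fe < (FIELD_MODULUS as u16));` and `hax_debug_assert!(fe >= 0 && fe < 2i32.pow(coefficient_bits as u32));`. Separately, the comment in `compress_message_coefficient` says `// If 833 <= fe <= 2496,` while the `ensures` clause and the `- 832` arithmetic use 2596; the comment should match. The leading `/// The compress_* functions ...` block is attached by rustc only to `compress_message_coefficient`; if it is meant to cover both functions, make it a plain `//` comment.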
@@ -0,0 +1,64 @@ +use super::constants::SHARED_SECRET_SIZE; +use crate::hax_utils::hax_debug_assert; + +// Examine the output that LLVM produces for this code from time to time to ensure +// operations are not being optimized away/constant-timedness is not being broken. + +/// Return 1 if `value` is not zero and 0 otherwise. +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::implies(value == 0, || result == 0) && + hax_lib::implies(value != 0, || result == 1) +))] +#[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. +fn is_non_zero(value: u8) -> u8 { + let value = value as u16; + + let result = ((value | (!value).wrapping_add(1)) >> 8) & 1; + + result as u8 +} + +/// Return 1 if the bytes of `lhs` and `rhs` do not exactly +/// match and 0 otherwise. +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::implies(lhs == rhs, || result == 0) && + hax_lib::implies(lhs != rhs, || result == 1) +))] +pub(crate) fn compare_ciphertexts_in_constant_time( + lhs: &[u8], + rhs: &[u8], +) -> u8 { + hax_debug_assert!(lhs.len() == rhs.len()); + hax_debug_assert!(lhs.len() == CIPHERTEXT_SIZE); + + let mut r: u8 = 0; + for i in 0..CIPHERTEXT_SIZE { + r |= lhs[i] ^ rhs[i]; + } + + is_non_zero(r) +} + +/// If `selector` is not zero, return the bytes in `rhs`; return the bytes in +/// `lhs` otherwise. +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::implies(selector == 0, || result == lhs) && + hax_lib::implies(selector != 0, || result == rhs) +))] +pub(crate) fn select_shared_secret_in_constant_time( + lhs: &[u8], + rhs: &[u8], + selector: u8, +) -> [u8; SHARED_SECRET_SIZE] { + hax_debug_assert!(lhs.len() == rhs.len()); + hax_debug_assert!(lhs.len() == SHARED_SECRET_SIZE); + + let mask = is_non_zero(selector).wrapping_sub(1); + let mut out = [0u8; SHARED_SECRET_SIZE]; + + for i in 0..SHARED_SECRET_SIZE { + out[i] = (lhs[i] & mask) | (rhs[i] & !mask); + } + + out +} 
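Review bot: `#[inline(never)]` on `is_non_zero` prevents inlining but not the optimisation the header comment worries about: LLVM can still recognise the `(value | -value) >> 8` idiom inside the function and lower it to a compare-and-set, and nothing stops it from turning the mask select in `select_shared_secret_in_constant_time` into a branch once `is_non_zero`'s result is known. The usual mitigation is an optimisation barrier on the secret-dependent input, e.g. `let value = core::hint::black_box(value as u16);`, and ideally the same on `mask` before the select loop, so that the "examine LLVM output from time to time" comment is backed by something concrete. Note also that the length equality in `compare_ciphertexts_in_constant_time` is only a `hax_debug_assert!`; in release a longer `rhs` is silently compared on its first `CIPHERTEXT_SIZE` bytes, which is fine if callers always pass fixed-size arrays (as the decapsulation code appears to) but worth stating in the doc comment.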
diff --git a/libcrux-ml-kem/src/kem/kyber/constants.rs b/libcrux-ml-kem/src/kem/kyber/constants.rs new file mode 100644 index 000000000..a48705a2f --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/constants.rs @@ -0,0 +1,35 @@ +/// Field modulus: 3329 +pub(crate) const FIELD_MODULUS: i32 = 3329; + +/// Each field element needs floor(log_2(FIELD_MODULUS)) + 1 = 12 bits to represent +pub(crate) const BITS_PER_COEFFICIENT: usize = 12; + +/// Coefficients per ring element +pub(crate) const COEFFICIENTS_IN_RING_ELEMENT: usize = 256; + +/// Bits required per (uncompressed) ring element +pub(crate) const BITS_PER_RING_ELEMENT: usize = COEFFICIENTS_IN_RING_ELEMENT * 12; + +/// Bytes required per (uncompressed) ring element +pub(crate) const BYTES_PER_RING_ELEMENT: usize = BITS_PER_RING_ELEMENT / 8; + +/// PKE message size +pub(crate) const SHARED_SECRET_SIZE: usize = 32; + +pub(crate) const CPA_PKE_KEY_GENERATION_SEED_SIZE: usize = 32; + +// [hax]: hacspec/hacspec-v2#27 stealing error +// Using these functions causes stealing errors in hax. +// /// Compute serialized length for output size of ByteEncode +// pub(in crate::kem::kyber) const fn serialized_len() -> usize { +// OUT_LEN * K +// } + +// /// Compute block length for output block size of ByteEncode u (c1) +// pub(in crate::kem::kyber) const fn block_len() -> usize { +// (COEFFICIENTS_IN_RING_ELEMENT * FACTOR) / 8 +// } + +// XXX: Eurydice can't handle this. +// digest_size(Algorithm::Sha3_256); +pub(crate) const H_DIGEST_SIZE: usize = 32; diff --git a/libcrux-ml-kem/src/kem/kyber/hash_functions.rs b/libcrux-ml-kem/src/kem/kyber/hash_functions.rs new file mode 100644 index 000000000..57e930c87 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/hash_functions.rs 
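Review bot: `BITS_PER_RING_ELEMENT` hardcodes `* 12` two lines after `BITS_PER_COEFFICIENT` is defined as 12, so the two constants can drift apart silently; it should read `pub(crate) const BITS_PER_RING_ELEMENT: usize = COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT;`. The doc comment `/// PKE message size` sits on `SHARED_SECRET_SIZE`, which the decapsulation code also uses as the shared-secret length; a comment covering both, e.g. `/// Shared secret size; also the PKE message size, since both are 32 bytes in ML-KEM.`, stops a reader from assuming the name is wrong. `H_DIGEST_SIZE` is hardcoded with an `// XXX: Eurydice can't handle this.` note, which is fine, but one sentence stating that it must equal the output size of `H` in hash_functions.rs would make the invariant explicit.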
@@ -0,0 +1,116 @@ +#![allow(non_snake_case)] + +use super::constants::H_DIGEST_SIZE; +const G_DIGEST_SIZE: usize = 64; + +use libcrux_sha3::portable::{ + self, + incremental::{ + shake128_absorb_final, shake128_init, shake128_squeeze_first_three_blocks, + shake128_squeeze_next_block, + }, + KeccakState, +}; +pub(crate) fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { + let mut digest = [0u8; G_DIGEST_SIZE]; + portable::sha512(&mut digest, input); + digest +} + +pub(crate) fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { + let mut digest = [0u8; H_DIGEST_SIZE]; + portable::sha256(&mut digest, input); + digest +} + +pub(crate) fn PRF(input: &[u8]) -> [u8; LEN] { + let mut digest = [0u8; LEN]; + portable::shake256(&mut digest, input); + digest +} + +// #[inline(always)] +// pub(crate) fn absorb(input: [[u8; 34]; K]) -> Shake128StateX4 { +// debug_assert!(K == 2 || K == 3 || K == 4); + +// let mut state = Shake128StateX4::new(); +// // XXX: We need to do this dance to get it through hax and eurydice for now. 
+// let mut data: [&[u8]; K] = [&[0u8]; K]; +// for i in 0..K { +// data[i] = &input[i] as &[u8]; +// } +// state.absorb_final(data); +// state +// } + +#[inline(always)] +pub(crate) fn absorb(input: [[u8; 34]; K]) -> [KeccakState; K] { + debug_assert!(K == 2 || K == 3 || K == 4); + + let mut state = [shake128_init(); K]; + for i in 0..K { + shake128_absorb_final(&mut state[i], &input[i]); + } + state +} + +const BLOCK_SIZE: usize = 168; +const THREE_BLOCKS: usize = BLOCK_SIZE * 3; + +// #[inline(always)] +// pub(crate) fn squeeze_three_blocks( +// xof_state: &mut Shake128StateX4, +// ) -> [[u8; THREE_BLOCKS]; K] { +// let output: [[u8; THREE_BLOCKS]; K] = xof_state.squeeze_blocks(); +// let mut out = [[0u8; THREE_BLOCKS]; K]; +// for i in 0..K { +// out[i] = output[i]; +// } +// out +// } + +#[inline(always)] +pub(crate) fn squeeze_three_blocks( + xof_state: &mut [KeccakState; K], +) -> [[u8; THREE_BLOCKS]; K] { + debug_assert!(K == 2 || K == 3 || K == 4); + + let mut out = [[0u8; THREE_BLOCKS]; K]; + for i in 0..K { + shake128_squeeze_first_three_blocks(&mut xof_state[i], &mut out[i]); + } + out +} + +// #[inline(always)] +// pub(crate) fn squeeze_block( +// xof_state: &mut Shake128StateX4, +// ) -> [[u8; BLOCK_SIZE]; K] { +// let output: [[u8; BLOCK_SIZE]; K] = xof_state.squeeze_blocks(); +// let mut out = [[0u8; BLOCK_SIZE]; K]; +// for i in 0..K { +// out[i] = output[i]; +// } +// out +// } + +#[inline(always)] +pub(crate) fn squeeze_block( + xof_state: &mut [KeccakState; K], +) -> [[u8; BLOCK_SIZE]; K] { + debug_assert!(K == 2 || K == 3 || K == 4); + + let mut out = [[0u8; BLOCK_SIZE]; K]; + for i in 0..K { + shake128_squeeze_next_block(&mut xof_state[i], &mut out[i]); + } + out +} + +/// Free the memory of the state. +/// +/// **NOTE:** That this needs to be done manually for now. +#[inline(always)] +pub(crate) fn free_state(_xof_state: [KeccakState; K]) { + // xof_state.free_memory(); +} 
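Review bot: `free_state` is documented as "Free the memory of the state" with a note that it must be called manually, but its only statement is commented out, so the doc describes a side effect that does not happen and a caller relying on it gets nothing. Either drop the function or change the doc to say it is a no-op kept for API compatibility, e.g. `/// No-op: the portable `KeccakState` appears to own no heap memory, so there is nothing to free; kept so callers need no change if a state with explicit freeing returns.`, adjusting the ownership claim if the `libcrux_sha3` type does allocate. `G`, `H` and `PRF` carry no doc comments although they are the FIPS 203 symbols; since they come from `libcrux_sha3`, lines such as `/// G = SHA3-512 (FIPS 203)` and `/// H = SHA3-256 (FIPS 203)` would stop a reader from confusing `portable::sha256` with SHA-2. The commented-out `Shake128StateX4` versions of `absorb`, `squeeze_three_blocks` and `squeeze_block` should be deleted; git history keeps them.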
diff --git a/libcrux-ml-kem/src/kem/kyber/helper.rs b/libcrux-ml-kem/src/kem/kyber/helper.rs new file mode 100644 index 000000000..47fa920aa --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/helper.rs 
@@ -0,0 +1,59 @@ +/// The following macros are defined so that the extraction from Rust to C code +/// can go through. + +#[cfg(not(hax))] +#[doc(hidden)] +macro_rules! cloop { + (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { + for $i in 0..$val.$values.len() / ($($chunk_size)*) { + let $chunk = &$val.$values[$i*($($chunk_size)*) .. $i*($($chunk_size)*)+($($chunk_size)*)]; + $body + } + }; + (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { + for $i in 0..$val.len() / ($($chunk_size)*) { + let $chunk = &$val[$i*($($chunk_size)*) .. $i*($($chunk_size)*)+($($chunk_size)*)]; + $body + } + }; + (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => { + for $i in 0..$val.len() { + let $item = &$val[$i]; + $body + } + }; + (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => { + for $i in 0..$val.len() { + let $item = $val[$i]; + $body + } + }; + (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { + for $i in $start..$end / $step { + let $i = $i * $step; + $body + } + }; +} + +#[cfg(hax)] +#[doc(hidden)] +macro_rules! 
cloop { + (for ($i:ident, $chunk:ident) in $val:ident.$values:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { + for ($i, $chunk) in $val.$values.chunks_exact($($chunk_size),*).enumerate() $body + }; + (for ($i:ident, $chunk:ident) in $val:ident.chunks_exact($($chunk_size:expr),*).enumerate() $body:block) => { + for ($i, $chunk) in $val.chunks_exact($($chunk_size),*).enumerate() $body + }; + (for ($i:ident, $item:ident) in $val:ident.iter().enumerate() $body:block) => { + for ($i, $item) in $val.iter().enumerate() $body + }; + (for ($i:ident, $item:ident) in $val:ident.into_iter().enumerate() $body:block) => { + for ($i, $item) in $val.into_iter().enumerate() $body + }; + (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => { + for $i in ($start..$end).step_by($step) $body + }; +} + +pub(super) use cloop; diff --git a/libcrux-ml-kem/src/kem/kyber/implementation_notes.pdf b/libcrux-ml-kem/src/kem/kyber/implementation_notes.pdf new file mode 100644 index 000000000..adc843026 Binary files /dev/null and b/libcrux-ml-kem/src/kem/kyber/implementation_notes.pdf differ diff --git a/libcrux-ml-kem/src/kem/kyber/ind_cpa.rs b/libcrux-ml-kem/src/kem/kyber/ind_cpa.rs new file mode 100644 index 000000000..88605b8b1 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/ind_cpa.rs 
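Review bot: The `step_by` arm of the non-hax `cloop!` does not match its hax counterpart: `for $i in $start..$end / $step { let $i = $i * $step; ... }` only reproduces `($start..$end).step_by($step)` when `$start` is 0 and `$end` is a multiple of `$step` — `(1..10).step_by(2)` yields 1,3,5,7,9 in the hax build but 2,4,6,8 in the non-hax build, and `(0..10).step_by(4)` yields 0,4,8 versus 0,4. Since the hax build is what gets verified and the non-hax build is what ships, the two arms must agree for every call site or the verified code is not the shipped code. If every current caller uses a zero start and an exact multiple, a comment stating that restriction is the minimum; the arm below keeps the extraction-friendly index loop while matching `step_by` for any start and any end not below it.
```rust
    (for $i:ident in ($start:literal..$end:expr).step_by($step:literal) $body:block) => {
        // Iterates the same values as `($start..$end).step_by($step)` (assumes $end >= $start),
        // written as a plain index loop so the C extraction can handle it.
        for k in 0..((($end) - $start) + $step - 1) / $step {
            let $i = $start + k * $step;
            $body
        }
    };
```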
@@ -0,0 +1,508 @@ +use super::{ + arithmetic::{to_unsigned_representative, PolynomialRingElement}, + constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE}, + hash_functions::{G, PRF}, + helper::cloop, + matrix::*, + ntt::*, + sampling::sample_from_binomial_distribution, + serialize::{ + compress_then_serialize_message, compress_then_serialize_ring_element_u, + compress_then_serialize_ring_element_v, deserialize_ring_elements_reduced, + deserialize_then_decompress_message, deserialize_then_decompress_ring_element_u, + deserialize_then_decompress_ring_element_v, deserialize_to_uncompressed_ring_element, + serialize_uncompressed_ring_element, + }, +}; + +/// Pad the `slice` with `0`s at the end. +#[inline(always)] +pub(super) fn into_padded_array(slice: &[u8]) -> [u8; LEN] { + debug_assert!(slice.len() <= LEN); + let mut out = [0u8; LEN]; + out[0..slice.len()].copy_from_slice(slice); + out +} + +/// Concatenate `t` and `ρ` into the public key. +#[inline(always)] +pub(super) fn serialize_public_key< + const K: usize, + const RANKED_BYTES_PER_RING_ELEMENT: usize, + const PUBLIC_KEY_SIZE: usize, +>( + t_as_ntt: [PolynomialRingElement; K], + seed_for_a: &[u8], +) -> [u8; PUBLIC_KEY_SIZE] { + let mut public_key_serialized = [0u8; PUBLIC_KEY_SIZE]; + public_key_serialized[0..RANKED_BYTES_PER_RING_ELEMENT].copy_from_slice( + &serialize_secret_key::(t_as_ntt), + ); + public_key_serialized[RANKED_BYTES_PER_RING_ELEMENT..].copy_from_slice(seed_for_a); + public_key_serialized +} + +/// Call [`serialize_uncompressed_ring_element`] for each ring element. +#[inline(always)] +fn serialize_secret_key( + key: [PolynomialRingElement; K], +) -> [u8; OUT_LEN] { + let mut out = [0u8; OUT_LEN]; + + cloop! 
{ + for (i, re) in key.into_iter().enumerate() { + out[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT] + .copy_from_slice(&serialize_uncompressed_ring_element(re)); + } + } + + out +} + +/// Sample a vector of ring elements from a centered binomial distribution. +#[inline(always)] +fn sample_ring_element_cbd( + prf_input: &mut [u8; 33], + domain_separator: &mut u8, +) -> [PolynomialRingElement; K] { + let mut error_1 = [PolynomialRingElement::ZERO; K]; + for i in 0..K { + prf_input[32] = *domain_separator; + *domain_separator += 1; + + let prf_output: [u8; ETA2_RANDOMNESS_SIZE] = PRF(prf_input); + error_1[i] = sample_from_binomial_distribution::(&prf_output); + } + error_1 +} + +/// Sample a vector of ring elements from a centered binomial distribution and +/// convert them into their NTT representations. +#[inline(always)] +fn sample_vector_cbd_then_ntt< + const K: usize, + const ETA: usize, + const ETA_RANDOMNESS_SIZE: usize, +>( + mut prf_input: [u8; 33], + mut domain_separator: u8, +) -> ([PolynomialRingElement; K], u8) { + let mut re_as_ntt = [PolynomialRingElement::ZERO; K]; + for i in 0..K { + prf_input[32] = domain_separator; + domain_separator += 1; + + let prf_output: [u8; ETA_RANDOMNESS_SIZE] = PRF(&prf_input); + + let r = sample_from_binomial_distribution::(&prf_output); + re_as_ntt[i] = ntt_binomially_sampled_ring_element(r); + } + (re_as_ntt, domain_separator) +} + +/// This function implements most of Algorithm 12 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. +/// +/// We say "most of" since Algorithm 12 samples the required randomness within +/// the function itself, whereas this implementation expects it to be provided +/// through the `key_generation_seed` parameter. +/// +/// Algorithm 12 is reproduced below: +/// +/// ```plaintext +/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. +/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. 
+/// +/// d ←$ B +/// (ρ,σ) ← G(d) +/// N ← 0 +/// for (i ← 0; i < k; i++) +/// for(j ← 0; j < k; j++) +/// Â[i,j] ← SampleNTT(XOF(ρ, i, j)) +/// end for +/// end for +/// for(i ← 0; i < k; i++) +/// s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) +/// N ← N + 1 +/// end for +/// for(i ← 0; i < k; i++) +/// e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) +/// N ← N + 1 +/// end for +/// ŝ ← NTT(s) +/// ê ← NTT(e) +/// t̂ ← Â◦ŝ + ê +/// ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ +/// dkₚₖₑ ← ByteEncode₁₂(ŝ) +/// ``` +/// +/// The NIST FIPS 203 standard can be found at +/// . +#[allow(non_snake_case)] +pub(super) fn generate_keypair_unpacked< + const K: usize, + const PUBLIC_KEY_SIZE: usize, + const RANKED_BYTES_PER_RING_ELEMENT: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, +>( + key_generation_seed: &[u8], +) -> ( + ( + [PolynomialRingElement; K], + [PolynomialRingElement; K], + [[PolynomialRingElement; K]; K], + ), + [u8; PUBLIC_KEY_SIZE], +) { + // (ρ,σ) := G(d) + let hashed = G(key_generation_seed); + let (seed_for_A, seed_for_secret_and_error) = hashed.split_at(32); + + let a_transpose = sample_matrix_A(into_padded_array(seed_for_A), true); + + let prf_input: [u8; 33] = into_padded_array(seed_for_secret_and_error); + let (mut secret_as_ntt, domain_separator) = + sample_vector_cbd_then_ntt::(prf_input, 0); + let (error_as_ntt, _) = + sample_vector_cbd_then_ntt::(prf_input, domain_separator); + + // tˆ := Aˆ ◦ sˆ + eˆ + let mut t_as_ntt = compute_As_plus_e(&a_transpose, &secret_as_ntt, &error_as_ntt); + + // pk := (Encode_12(tˆ mod^{+}q) || ρ) + let public_key_serialized = serialize_public_key::< + K, + RANKED_BYTES_PER_RING_ELEMENT, + PUBLIC_KEY_SIZE, + >(t_as_ntt, &seed_for_A); + + // Need to do the following otherwise it violates invariants in NTT (the values are expected to be >=0 and <4096). 
+ // Maybe we can remove these reductions later if we make those constraints looser + for i in 0..K { + for j in 0..COEFFICIENTS_IN_RING_ELEMENT { + secret_as_ntt[i].coefficients[j] = + to_unsigned_representative(secret_as_ntt[i].coefficients[j]) as i32; + t_as_ntt[i].coefficients[j] = + to_unsigned_representative(t_as_ntt[i].coefficients[j]) as i32; + } + } + + // We also need to transpose the A array. + let mut a_matrix = a_transpose; + for i in 0..K { + for j in 0..K { + a_matrix[i][j] = a_transpose[j][i]; + } + } + + ((secret_as_ntt, t_as_ntt, a_matrix), public_key_serialized) +} + +#[allow(non_snake_case)] +pub(super) fn generate_keypair< + const K: usize, + const PRIVATE_KEY_SIZE: usize, + const PUBLIC_KEY_SIZE: usize, + const RANKED_BYTES_PER_RING_ELEMENT: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, +>( + key_generation_seed: &[u8], +) -> ([u8; PRIVATE_KEY_SIZE], [u8; PUBLIC_KEY_SIZE]) { + let ((secret_as_ntt, _t_as_ntt, _a_transpose), public_key_serialized) = + generate_keypair_unpacked::< + K, + PUBLIC_KEY_SIZE, + RANKED_BYTES_PER_RING_ELEMENT, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(key_generation_seed); + + // sk := Encode_12(sˆ mod^{+}q) + let secret_key_serialized = serialize_secret_key(secret_as_ntt); + + (secret_key_serialized, public_key_serialized) +} + +/// Call [`compress_then_serialize_ring_element_u`] on each ring element. +fn compress_then_serialize_u< + const K: usize, + const OUT_LEN: usize, + const COMPRESSION_FACTOR: usize, + const BLOCK_LEN: usize, +>( + input: [PolynomialRingElement; K], +) -> [u8; OUT_LEN] { + let mut out = [0u8; OUT_LEN]; + cloop! { + for (i, re) in input.into_iter().enumerate() { + out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)].copy_from_slice( + &compress_then_serialize_ring_element_u::(re), + ); + } + } + + out +} + +/// This function implements Algorithm 13 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. 
+/// +/// Algorithm 13 is reproduced below: +/// +/// ```plaintext +/// Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. +/// Input: message m ∈ 𝔹^{32}. +/// Input: encryption randomness r ∈ 𝔹^{32}. +/// Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. +/// +/// N ← 0 +/// t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) +/// ρ ← ekₚₖₑ[384k: 384k + 32] +/// for (i ← 0; i < k; i++) +/// for(j ← 0; j < k; j++) +/// Â[i,j] ← SampleNTT(XOF(ρ, i, j)) +/// end for +/// end for +/// for(i ← 0; i < k; i++) +/// r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) +/// N ← N + 1 +/// end for +/// for(i ← 0; i < k; i++) +/// e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) +/// N ← N + 1 +/// end for +/// e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) +/// r̂ ← NTT(r) +/// u ← NTT-¹(Âᵀ ◦ r̂) + e₁ +/// μ ← Decompress₁(ByteDecode₁(m))) +/// v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ +/// c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) +/// c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) +/// return c ← (c₁ ‖ c₂) +/// ``` +/// +/// The NIST FIPS 203 standard can be found at +/// . +#[allow(non_snake_case)] +pub(crate) fn encrypt_unpacked< + const K: usize, + const CIPHERTEXT_SIZE: usize, + const T_AS_NTT_ENCODED_SIZE: usize, + const C1_LEN: usize, + const C2_LEN: usize, + const U_COMPRESSION_FACTOR: usize, + const V_COMPRESSION_FACTOR: usize, + const BLOCK_LEN: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, + const ETA2: usize, + const ETA2_RANDOMNESS_SIZE: usize, +>( + t_as_ntt: &[PolynomialRingElement; K], + a_transpose: &[[PolynomialRingElement; K]; K], + message: [u8; SHARED_SECRET_SIZE], + randomness: &[u8], +) -> [u8; CIPHERTEXT_SIZE] { + // for i from 0 to k−1 do + // r[i] := CBD{η1}(PRF(r, N)) + // N := N + 1 + // end for + // rˆ := NTT(r) + let mut prf_input: [u8; 33] = into_padded_array(randomness); + let (r_as_ntt, mut domain_separator) = + sample_vector_cbd_then_ntt::(prf_input, 0); + + // for i from 0 to k−1 do + // e1[i] := CBD_{η2}(PRF(r,N)) + // N := N + 1 + // end for + let error_1 = sample_ring_element_cbd::( + &mut prf_input, + 
&mut domain_separator, + ); + + // e_2 := CBD{η2}(PRF(r, N)) + prf_input[32] = domain_separator; + let prf_output: [u8; ETA2_RANDOMNESS_SIZE] = PRF(&prf_input); + let error_2 = sample_from_binomial_distribution::(&prf_output); + + // u := NTT^{-1}(AˆT ◦ rˆ) + e_1 + let u = compute_vector_u(&a_transpose, &r_as_ntt, &error_1); + + // v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1) + let message_as_ring_element = deserialize_then_decompress_message(message); + let v = compute_ring_element_v(&t_as_ntt, &r_as_ntt, &error_2, &message_as_ring_element); + + // c_1 := Encode_{du}(Compress_q(u,d_u)) + let c1 = compress_then_serialize_u::(u); + + // c_2 := Encode_{dv}(Compress_q(v,d_v)) + let c2 = compress_then_serialize_ring_element_v::(v); + + let mut ciphertext: [u8; CIPHERTEXT_SIZE] = into_padded_array(&c1); + ciphertext[C1_LEN..].copy_from_slice(c2.as_slice()); + + ciphertext +} + +#[allow(non_snake_case)] +pub(crate) fn encrypt< + const K: usize, + const CIPHERTEXT_SIZE: usize, + const T_AS_NTT_ENCODED_SIZE: usize, + const C1_LEN: usize, + const C2_LEN: usize, + const U_COMPRESSION_FACTOR: usize, + const V_COMPRESSION_FACTOR: usize, + const BLOCK_LEN: usize, + const ETA1: usize, + const ETA1_RANDOMNESS_SIZE: usize, + const ETA2: usize, + const ETA2_RANDOMNESS_SIZE: usize, +>( + public_key: &[u8], + message: [u8; SHARED_SECRET_SIZE], + randomness: &[u8], +) -> [u8; CIPHERTEXT_SIZE] { + // tˆ := Decode_12(pk) + let t_as_ntt = deserialize_ring_elements_reduced::( + &public_key[..T_AS_NTT_ENCODED_SIZE], + ); + + // ρ := pk + 12·k·n / 8 + // for i from 0 to k−1 do + // for j from 0 to k − 1 do + // AˆT[i][j] := Parse(XOF(ρ, i, j)) + // end for + // end for + let seed = &public_key[T_AS_NTT_ENCODED_SIZE..]; + // ρ := pk + 12·k·n / 8 + // for i from 0 to k−1 do + // for j from 0 to k − 1 do + // AˆT[i][j] := Parse(XOF(ρ, i, j)) + // end for + // end for + let a_transpose = sample_matrix_A(into_padded_array(seed), false); + + encrypt_unpacked::< + K, + 
CIPHERTEXT_SIZE, + T_AS_NTT_ENCODED_SIZE, + C1_LEN, + C2_LEN, + U_COMPRESSION_FACTOR, + V_COMPRESSION_FACTOR, + BLOCK_LEN, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + >(&t_as_ntt, &a_transpose, message, randomness) +} + +/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element +/// in the `ciphertext`. +#[inline(always)] +fn deserialize_then_decompress_u< + const K: usize, + const CIPHERTEXT_SIZE: usize, + const U_COMPRESSION_FACTOR: usize, +>( + ciphertext: &[u8; CIPHERTEXT_SIZE], +) -> [PolynomialRingElement; K] { + let mut u_as_ntt = [PolynomialRingElement::ZERO; K]; + cloop! { + for (i, u_bytes) in ciphertext + .chunks_exact((COEFFICIENTS_IN_RING_ELEMENT * U_COMPRESSION_FACTOR) / 8) + .enumerate() + { + let u = deserialize_then_decompress_ring_element_u::(u_bytes); + u_as_ntt[i] = ntt_vector_u::(u); + } + } + u_as_ntt +} + +/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +#[inline(always)] +fn deserialize_secret_key(secret_key: &[u8]) -> [PolynomialRingElement; K] { + let mut secret_as_ntt = [PolynomialRingElement::ZERO; K]; + cloop! { + for (i, secret_bytes) in secret_key.chunks_exact(BYTES_PER_RING_ELEMENT).enumerate() { + secret_as_ntt[i] = deserialize_to_uncompressed_ring_element(secret_bytes); + } + } + secret_as_ntt +} + +/// This function implements Algorithm 14 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. +/// +/// Algorithm 14 is reproduced below: +/// +/// ```plaintext +/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. +/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. +/// Output: message m ∈ 𝔹^{32}. +/// +/// c₁ ← c[0 : 32dᵤk] +/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] +/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) +/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) +/// ŝ ← ByteDecode₁₂(dkₚₖₑ) +/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) +/// m ← ByteEncode₁(Compress₁(w)) +/// return m +/// ``` +/// +/// The NIST FIPS 203 standard can be found at +/// . 
+#[allow(non_snake_case)] +pub(super) fn decrypt_unpacked< + const K: usize, + const CIPHERTEXT_SIZE: usize, + const VECTOR_U_ENCODED_SIZE: usize, + const U_COMPRESSION_FACTOR: usize, + const V_COMPRESSION_FACTOR: usize, +>( + secret_as_ntt: &[PolynomialRingElement; K], + ciphertext: &[u8; CIPHERTEXT_SIZE], +) -> [u8; SHARED_SECRET_SIZE] { + // u := Decompress_q(Decode_{d_u}(c), d_u) + let u_as_ntt = + deserialize_then_decompress_u::(ciphertext); + + // v := Decompress_q(Decode_{d_v}(c + d_u·k·n / 8), d_v) + let v = deserialize_then_decompress_ring_element_v::( + &ciphertext[VECTOR_U_ENCODED_SIZE..], + ); + + // m := Encode_1(Compress_q(v − NTT^{−1}(sˆT ◦ NTT(u)) , 1)) + let message = compute_message(&v, &secret_as_ntt, &u_as_ntt); + compress_then_serialize_message(message) +} + +#[allow(non_snake_case)] +pub(super) fn decrypt< + const K: usize, + const CIPHERTEXT_SIZE: usize, + const VECTOR_U_ENCODED_SIZE: usize, + const U_COMPRESSION_FACTOR: usize, + const V_COMPRESSION_FACTOR: usize, +>( + secret_key: &[u8], + ciphertext: &[u8; CIPHERTEXT_SIZE], +) -> [u8; SHARED_SECRET_SIZE] { + // sˆ := Decode_12(sk) + let secret_as_ntt = deserialize_secret_key::(secret_key); + + decrypt_unpacked::< + K, + CIPHERTEXT_SIZE, + VECTOR_U_ENCODED_SIZE, + U_COMPRESSION_FACTOR, + V_COMPRESSION_FACTOR, + >(&secret_as_ntt, ciphertext) +} diff --git a/libcrux-ml-kem/src/kem/kyber/kyber1024.rs b/libcrux-ml-kem/src/kem/kyber/kyber1024.rs new file mode 100644 index 000000000..f67682fe5 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/kyber1024.rs 
@@ -0,0 +1,160 @@ +use super::{constants::*, *}; + +// Kyber 1024 parameters +const RANK_1024: usize = 4; +const RANKED_BYTES_PER_RING_ELEMENT_1024: usize = RANK_1024 * BITS_PER_RING_ELEMENT / 8; +const T_AS_NTT_ENCODED_SIZE_1024: usize = + (RANK_1024 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +const VECTOR_U_COMPRESSION_FACTOR_1024: usize = 11; +// [hax]: hacspec/hacspec-v2#27 stealing error +// block_len::(); +const C1_BLOCK_SIZE_1024: usize = + (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_1024) / 8; +// [hax]: hacspec/hacspec-v2#27 stealing error +// serialized_len::(); +const C1_SIZE_1024: usize = C1_BLOCK_SIZE_1024 * RANK_1024; +const VECTOR_V_COMPRESSION_FACTOR_1024: usize = 5; +// [hax]: hacspec/hacspec-v2#27 stealing error +// block_len::() +const C2_SIZE_1024: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_1024) / 8; +const CPA_PKE_SECRET_KEY_SIZE_1024: usize = + (RANK_1024 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +const CPA_PKE_PUBLIC_KEY_SIZE_1024: usize = T_AS_NTT_ENCODED_SIZE_1024 + 32; +const CPA_PKE_CIPHERTEXT_SIZE_1024: usize = C1_SIZE_1024 + C2_SIZE_1024; +const SECRET_KEY_SIZE_1024: usize = CPA_PKE_SECRET_KEY_SIZE_1024 + + CPA_PKE_PUBLIC_KEY_SIZE_1024 + + H_DIGEST_SIZE + + SHARED_SECRET_SIZE; + +const ETA1: usize = 2; +const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; +const ETA2: usize = 2; +const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; + +const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_1024; + +// Kyber 1024 types +pub type MlKem1024Ciphertext = MlKemCiphertext; +pub type MlKem1024PrivateKey = MlKemPrivateKey; +pub type MlKem1024PublicKey = MlKemPublicKey; + +/// Validate a public key. +/// +/// Returns `Some(public_key)` if valid, and `None` otherwise. 
+pub fn validate_public_key(public_key: MlKem1024PublicKey) -> Option { + if super::validate_public_key::< + RANK_1024, + RANKED_BYTES_PER_RING_ELEMENT_1024, + CPA_PKE_PUBLIC_KEY_SIZE_1024, + >(&public_key.value) + { + Some(public_key) + } else { + None + } +} + +/// Generate ML-KEM 1024 Key Pair +pub fn generate_key_pair( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> MlKemKeyPair { + generate_keypair::< + RANK_1024, + CPA_PKE_SECRET_KEY_SIZE_1024, + SECRET_KEY_SIZE_1024, + CPA_PKE_PUBLIC_KEY_SIZE_1024, + RANKED_BYTES_PER_RING_ELEMENT_1024, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(randomness) +} + +pub type MlKem1024State = MlKemState; + +pub fn generate_key_pair_unpacked( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> (MlKem1024State, MlKem1024PublicKey) { + generate_keypair_unpacked::< + RANK_1024, + CPA_PKE_SECRET_KEY_SIZE_1024, + SECRET_KEY_SIZE_1024, + CPA_PKE_PUBLIC_KEY_SIZE_1024, + RANKED_BYTES_PER_RING_ELEMENT_1024, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(randomness) +} + +/// Encapsulate ML-KEM 1024 +pub fn encapsulate( + public_key: &MlKemPublicKey, + randomness: [u8; SHARED_SECRET_SIZE], +) -> ( + MlKemCiphertext, + MlKemSharedSecret, +) { + super::encapsulate::< + RANK_1024, + CPA_PKE_CIPHERTEXT_SIZE_1024, + CPA_PKE_PUBLIC_KEY_SIZE_1024, + T_AS_NTT_ENCODED_SIZE_1024, + C1_SIZE_1024, + C2_SIZE_1024, + VECTOR_U_COMPRESSION_FACTOR_1024, + VECTOR_V_COMPRESSION_FACTOR_1024, + C1_BLOCK_SIZE_1024, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + >(public_key, randomness) +} + +/// Decapsulate ML-KEM 1024 +pub fn decapsulate( + secret_key: &MlKemPrivateKey, + ciphertext: &MlKemCiphertext, +) -> [u8; SHARED_SECRET_SIZE] { + super::decapsulate::< + RANK_1024, + SECRET_KEY_SIZE_1024, + CPA_PKE_SECRET_KEY_SIZE_1024, + CPA_PKE_PUBLIC_KEY_SIZE_1024, + CPA_PKE_CIPHERTEXT_SIZE_1024, + T_AS_NTT_ENCODED_SIZE_1024, + C1_SIZE_1024, + C2_SIZE_1024, + VECTOR_U_COMPRESSION_FACTOR_1024, + VECTOR_V_COMPRESSION_FACTOR_1024, + C1_BLOCK_SIZE_1024, + ETA1, + 
ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + IMPLICIT_REJECTION_HASH_INPUT_SIZE, + >(secret_key, ciphertext) +} + +pub fn decapsulate_unpacked( + state: &MlKem1024State, + ciphertext: &MlKemCiphertext, +) -> [u8; SHARED_SECRET_SIZE] { + super::decapsulate_unpacked::< + RANK_1024, + SECRET_KEY_SIZE_1024, + CPA_PKE_SECRET_KEY_SIZE_1024, + CPA_PKE_PUBLIC_KEY_SIZE_1024, + CPA_PKE_CIPHERTEXT_SIZE_1024, + T_AS_NTT_ENCODED_SIZE_1024, + C1_SIZE_1024, + C2_SIZE_1024, + VECTOR_U_COMPRESSION_FACTOR_1024, + VECTOR_V_COMPRESSION_FACTOR_1024, + C1_BLOCK_SIZE_1024, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + IMPLICIT_REJECTION_HASH_INPUT_SIZE, + >(state, ciphertext) +} diff --git a/libcrux-ml-kem/src/kem/kyber/kyber512.rs b/libcrux-ml-kem/src/kem/kyber/kyber512.rs new file mode 100644 index 000000000..8edce7f47 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/kyber512.rs 
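Review bot: `generate_key_pair_unpacked`, `MlKem1024State` and `decapsulate_unpacked` carry no doc comment, unlike the packed `generate_key_pair`/`decapsulate` next to them, and none of the `randomness` parameters in this file says what the caller has to supply; kyber512.rs and kyber768.rs have the same gap. I would add `/// Generate an ML-KEM 1024 key pair in unpacked form (see MlKem1024State).` and `/// Decapsulate with an unpacked ML-KEM 1024 private key.` on the two functions, and on `generate_key_pair` and `encapsulate` a line such as `/// randomness: fresh, uniformly random bytes from a cryptographically secure RNG; the resulting key pair (resp. shared secret) is only as secret as this input.` The file sits under `kem/kyber/` but exposes `MlKem*` names and documents itself as ML-KEM; a one-line module comment stating which variant these parameter sets implement would spare the next reader a trip through `super`.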
@@ -0,0 +1,158 @@ +use super::{constants::*, *}; + +// Kyber 512 parameters +const RANK_512: usize = 2; +const RANKED_BYTES_PER_RING_ELEMENT_512: usize = RANK_512 * BITS_PER_RING_ELEMENT / 8; +const T_AS_NTT_ENCODED_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +const VECTOR_U_COMPRESSION_FACTOR_512: usize = 10; +// [hax]: hacspec/hacspec-v2#27 stealing error +// block_len::() +const C1_BLOCK_SIZE_512: usize = + (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_512) / 8; +// [hax]: hacspec/hacspec-v2#27 stealing error +// serialized_len::() +const C1_SIZE_512: usize = C1_BLOCK_SIZE_512 * RANK_512; +const VECTOR_V_COMPRESSION_FACTOR_512: usize = 4; +// [hax]: hacspec/hacspec-v2#27 stealing error +// block_len::() +const C2_SIZE_512: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_512) / 8; +const CPA_PKE_SECRET_KEY_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = T_AS_NTT_ENCODED_SIZE_512 + 32; +const CPA_PKE_CIPHERTEXT_SIZE_512: usize = C1_SIZE_512 + C2_SIZE_512; +const SECRET_KEY_SIZE_512: usize = + CPA_PKE_SECRET_KEY_SIZE_512 + CPA_PKE_PUBLIC_KEY_SIZE_512 + H_DIGEST_SIZE + SHARED_SECRET_SIZE; + +const ETA1: usize = 3; +const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; +const ETA2: usize = 2; +const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; + +const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_512; + +// Kyber 512 types +pub type MlKem512Ciphertext = MlKemCiphertext; +pub type MlKem512PrivateKey = MlKemPrivateKey; +pub type MlKem512PublicKey = MlKemPublicKey; + +/// Validate a public key. +/// +/// Returns `Some(public_key)` if valid, and `None` otherwise. 
+pub fn validate_public_key(public_key: MlKem512PublicKey) -> Option { + if super::validate_public_key::< + RANK_512, + RANKED_BYTES_PER_RING_ELEMENT_512, + CPA_PKE_PUBLIC_KEY_SIZE_512, + >(&public_key.value) + { + Some(public_key) + } else { + None + } +} + +/// Generate ML-KEM 512 Key Pair +pub fn generate_key_pair( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> MlKemKeyPair { + generate_keypair::< + RANK_512, + CPA_PKE_SECRET_KEY_SIZE_512, + SECRET_KEY_SIZE_512, + CPA_PKE_PUBLIC_KEY_SIZE_512, + RANKED_BYTES_PER_RING_ELEMENT_512, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(randomness) +} + +pub type MlKem512State = MlKemState; + +pub fn generate_key_pair_unpacked( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> (MlKem512State, MlKem512PublicKey) { + generate_keypair_unpacked::< + RANK_512, + CPA_PKE_SECRET_KEY_SIZE_512, + SECRET_KEY_SIZE_512, + CPA_PKE_PUBLIC_KEY_SIZE_512, + RANKED_BYTES_PER_RING_ELEMENT_512, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(randomness) +} + +/// Encapsulate ML-KEM 512 +pub fn encapsulate( + public_key: &MlKemPublicKey, + randomness: [u8; SHARED_SECRET_SIZE], +) -> ( + MlKemCiphertext, + MlKemSharedSecret, +) { + super::encapsulate::< + RANK_512, + CPA_PKE_CIPHERTEXT_SIZE_512, + CPA_PKE_PUBLIC_KEY_SIZE_512, + T_AS_NTT_ENCODED_SIZE_512, + C1_SIZE_512, + C2_SIZE_512, + VECTOR_U_COMPRESSION_FACTOR_512, + VECTOR_V_COMPRESSION_FACTOR_512, + C1_BLOCK_SIZE_512, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + >(public_key, randomness) +} + +/// Decapsulate ML-KEM 512 +pub fn decapsulate( + secret_key: &MlKemPrivateKey, + ciphertext: &MlKemCiphertext, +) -> [u8; SHARED_SECRET_SIZE] { + super::decapsulate::< + RANK_512, + SECRET_KEY_SIZE_512, + CPA_PKE_SECRET_KEY_SIZE_512, + CPA_PKE_PUBLIC_KEY_SIZE_512, + CPA_PKE_CIPHERTEXT_SIZE_512, + T_AS_NTT_ENCODED_SIZE_512, + C1_SIZE_512, + C2_SIZE_512, + VECTOR_U_COMPRESSION_FACTOR_512, + VECTOR_V_COMPRESSION_FACTOR_512, + C1_BLOCK_SIZE_512, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + 
ETA2_RANDOMNESS_SIZE, + IMPLICIT_REJECTION_HASH_INPUT_SIZE, + >(secret_key, ciphertext) +} + +pub fn decapsulate_unpacked( + state: &MlKem512State, + ciphertext: &MlKemCiphertext, +) -> [u8; SHARED_SECRET_SIZE] { + super::decapsulate_unpacked::< + RANK_512, + SECRET_KEY_SIZE_512, + CPA_PKE_SECRET_KEY_SIZE_512, + CPA_PKE_PUBLIC_KEY_SIZE_512, + CPA_PKE_CIPHERTEXT_SIZE_512, + T_AS_NTT_ENCODED_SIZE_512, + C1_SIZE_512, + C2_SIZE_512, + VECTOR_U_COMPRESSION_FACTOR_512, + VECTOR_V_COMPRESSION_FACTOR_512, + C1_BLOCK_SIZE_512, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + IMPLICIT_REJECTION_HASH_INPUT_SIZE, + >(state, ciphertext) +} diff --git a/libcrux-ml-kem/src/kem/kyber/kyber768.rs b/libcrux-ml-kem/src/kem/kyber/kyber768.rs new file mode 100644 index 000000000..7d9f5b131 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/kyber768.rs 
@@ -0,0 +1,178 @@ +use super::{constants::*, *}; + +// Kyber 768 parameters +const RANK_768: usize = 3; +const RANKED_BYTES_PER_RING_ELEMENT_768: usize = RANK_768 * BITS_PER_RING_ELEMENT / 8; +const T_AS_NTT_ENCODED_SIZE_768: usize = + (RANK_768 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +const VECTOR_U_COMPRESSION_FACTOR_768: usize = 10; +// [hax]: hacspec/hacspec-v2#27 stealing error +// block_len::() +const C1_BLOCK_SIZE_768: usize = + (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_768) / 8; +// [hax]: hacspec/hacspec-v2#27 stealing error +// serialized_len::(); +const C1_SIZE_768: usize = C1_BLOCK_SIZE_768 * RANK_768; +const VECTOR_V_COMPRESSION_FACTOR_768: usize = 4; +// [hax]: hacspec/hacspec-v2#27 stealing error +// block_len::() +const C2_SIZE_768: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_768) / 8; +const CPA_PKE_SECRET_KEY_SIZE_768: usize = + (RANK_768 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +const CPA_PKE_PUBLIC_KEY_SIZE_768: usize = T_AS_NTT_ENCODED_SIZE_768 + 32; +// These two are used in the hybrid kem. This could probably be improved. +pub(crate) const CPA_PKE_CIPHERTEXT_SIZE_768: usize = C1_SIZE_768 + C2_SIZE_768; +pub(crate) const SECRET_KEY_SIZE_768: usize = + CPA_PKE_SECRET_KEY_SIZE_768 + CPA_PKE_PUBLIC_KEY_SIZE_768 + H_DIGEST_SIZE + SHARED_SECRET_SIZE; + +const ETA1: usize = 2; +const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; +const ETA2: usize = 2; +const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; + +const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_768; + +// Kyber 768 types +pub type MlKem768Ciphertext = MlKemCiphertext; +pub type MlKem768PrivateKey = MlKemPrivateKey; +pub type MlKem768PublicKey = MlKemPublicKey; + +/// Validate a public key. +/// +/// Returns `Some(public_key)` if valid, and `None` otherwise. 
+pub fn validate_public_key(public_key: MlKem768PublicKey) -> Option { + if super::validate_public_key::< + RANK_768, + RANKED_BYTES_PER_RING_ELEMENT_768, + CPA_PKE_PUBLIC_KEY_SIZE_768, + >(&public_key.value) + { + Some(public_key) + } else { + None + } +} + +/// Generate ML-KEM 768 Key Pair +pub fn generate_key_pair( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> MlKemKeyPair { + generate_keypair::< + RANK_768, + CPA_PKE_SECRET_KEY_SIZE_768, + SECRET_KEY_SIZE_768, + CPA_PKE_PUBLIC_KEY_SIZE_768, + RANKED_BYTES_PER_RING_ELEMENT_768, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(randomness) +} + +pub type MlKem768State = MlKemState; + +pub fn generate_key_pair_unpacked( + randomness: [u8; KEY_GENERATION_SEED_SIZE], +) -> (MlKem768State, MlKem768PublicKey) { + generate_keypair_unpacked::< + RANK_768, + CPA_PKE_SECRET_KEY_SIZE_768, + SECRET_KEY_SIZE_768, + CPA_PKE_PUBLIC_KEY_SIZE_768, + RANKED_BYTES_PER_RING_ELEMENT_768, + ETA1, + ETA1_RANDOMNESS_SIZE, + >(randomness) +} + +/// Encapsulate ML-KEM 768 +pub fn encapsulate( + public_key: &MlKemPublicKey, + randomness: [u8; SHARED_SECRET_SIZE], +) -> ( + MlKemCiphertext, + MlKemSharedSecret, +) { + super::encapsulate::< + RANK_768, + CPA_PKE_CIPHERTEXT_SIZE_768, + CPA_PKE_PUBLIC_KEY_SIZE_768, + T_AS_NTT_ENCODED_SIZE_768, + C1_SIZE_768, + C2_SIZE_768, + VECTOR_U_COMPRESSION_FACTOR_768, + VECTOR_V_COMPRESSION_FACTOR_768, + C1_BLOCK_SIZE_768, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + >(public_key, randomness) +} + +/// Decapsulate ML-KEM 768 +pub fn decapsulate( + secret_key: &MlKemPrivateKey, + ciphertext: &MlKemCiphertext, +) -> [u8; SHARED_SECRET_SIZE] { + super::decapsulate::< + RANK_768, + SECRET_KEY_SIZE_768, + CPA_PKE_SECRET_KEY_SIZE_768, + CPA_PKE_PUBLIC_KEY_SIZE_768, + CPA_PKE_CIPHERTEXT_SIZE_768, + T_AS_NTT_ENCODED_SIZE_768, + C1_SIZE_768, + C2_SIZE_768, + VECTOR_U_COMPRESSION_FACTOR_768, + VECTOR_V_COMPRESSION_FACTOR_768, + C1_BLOCK_SIZE_768, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + 
ETA2_RANDOMNESS_SIZE, + IMPLICIT_REJECTION_HASH_INPUT_SIZE, + >(secret_key, ciphertext) +} + +pub fn decapsulate_unpacked( + state: &MlKem768State, + ciphertext: &MlKemCiphertext, +) -> [u8; SHARED_SECRET_SIZE] { + super::decapsulate_unpacked::< + RANK_768, + SECRET_KEY_SIZE_768, + CPA_PKE_SECRET_KEY_SIZE_768, + CPA_PKE_PUBLIC_KEY_SIZE_768, + CPA_PKE_CIPHERTEXT_SIZE_768, + T_AS_NTT_ENCODED_SIZE_768, + C1_SIZE_768, + C2_SIZE_768, + VECTOR_U_COMPRESSION_FACTOR_768, + VECTOR_V_COMPRESSION_FACTOR_768, + C1_BLOCK_SIZE_768, + ETA1, + ETA1_RANDOMNESS_SIZE, + ETA2, + ETA2_RANDOMNESS_SIZE, + IMPLICIT_REJECTION_HASH_INPUT_SIZE, + >(state, ciphertext) +} + +#[cfg(test)] +mod tests { + use rand_core::{OsRng, RngCore}; + + use super::{ + kyber768::{generate_key_pair, validate_public_key}, + KEY_GENERATION_SEED_SIZE, + }; + + #[test] + fn pk_validation() { + let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE]; + OsRng.fill_bytes(&mut randomness); + + let key_pair = generate_key_pair(randomness); + assert!(validate_public_key(key_pair.pk).is_some()); + } +} diff --git a/libcrux-ml-kem/src/kem/kyber/matrix.rs b/libcrux-ml-kem/src/kem/kyber/matrix.rs new file mode 100644 index 000000000..15f624e6d --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/matrix.rs 
@@ -0,0 +1,158 @@ +use super::{ + arithmetic::{ + add_to_ring_element, barrett_reduce, montgomery_reduce, to_standard_domain, + PolynomialRingElement, + }, + constants::COEFFICIENTS_IN_RING_ELEMENT, + helper::cloop, + ntt::{invert_ntt_montgomery, ntt_multiply}, + sampling::sample_from_xof, +}; + +#[inline(always)] +#[allow(non_snake_case)] +pub(in crate::kem::kyber) fn sample_matrix_A( + seed: [u8; 34], + transpose: bool, +) -> [[PolynomialRingElement; K]; K] { + let mut A_transpose = [[PolynomialRingElement::ZERO; K]; K]; + + for i in 0..K { + let mut seeds = [seed; K]; + for j in 0..K { + seeds[j][32] = i as u8; + seeds[j][33] = j as u8; + } + let sampled = sample_from_xof(seeds); + for j in 0..K { + // A[i][j] = A_transpose[j][i] + if transpose { + A_transpose[j][i] = sampled[j]; + } else { + A_transpose[i][j] = sampled[j]; + } + } + } + + A_transpose +} + +/// The following functions compute various expressions involving +/// vectors and matrices. The computation of these expressions has been +/// abstracted away into these functions in order to save on loop iterations. 
+ +/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) +#[inline(always)] +pub(in crate::kem::kyber) fn compute_message( + v: &PolynomialRingElement, + secret_as_ntt: &[PolynomialRingElement; K], + u_as_ntt: &[PolynomialRingElement; K], +) -> PolynomialRingElement { + let mut result = PolynomialRingElement::ZERO; + + for i in 0..K { + let product = ntt_multiply(&secret_as_ntt[i], &u_as_ntt[i]); + result = add_to_ring_element::(result, &product); + } + + result = invert_ntt_montgomery::(result); + + for i in 0..COEFFICIENTS_IN_RING_ELEMENT { + let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441); + result.coefficients[i] = barrett_reduce(v.coefficients[i] - coefficient_normal_form); + } + + result +} + +/// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +#[inline(always)] +pub(in crate::kem::kyber) fn compute_ring_element_v( + t_as_ntt: &[PolynomialRingElement; K], + r_as_ntt: &[PolynomialRingElement; K], + error_2: &PolynomialRingElement, + message: &PolynomialRingElement, +) -> PolynomialRingElement { + let mut result = PolynomialRingElement::ZERO; + + for i in 0..K { + let product = ntt_multiply(&t_as_ntt[i], &r_as_ntt[i]); + result = add_to_ring_element::(result, &product); + } + + result = invert_ntt_montgomery::(result); + + for i in 0..COEFFICIENTS_IN_RING_ELEMENT { + let coefficient_normal_form = montgomery_reduce(result.coefficients[i] * 1441); + result.coefficients[i] = barrett_reduce( + coefficient_normal_form + error_2.coefficients[i] + message.coefficients[i], + ); + } + + result +} + +/// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +#[inline(always)] +pub(in crate::kem::kyber) fn compute_vector_u( + a_as_ntt: &[[PolynomialRingElement; K]; K], + r_as_ntt: &[PolynomialRingElement; K], + error_1: &[PolynomialRingElement; K], +) -> [PolynomialRingElement; K] { + let mut result = [PolynomialRingElement::ZERO; K]; + + cloop! { + for (i, row) in a_as_ntt.iter().enumerate() { + cloop! 
{ + for (j, a_element) in row.iter().enumerate() { + let product = ntt_multiply(a_element, &r_as_ntt[j]); + result[i] = add_to_ring_element::(result[i], &product); + } + } + + result[i] = invert_ntt_montgomery::(result[i]); + + for j in 0..COEFFICIENTS_IN_RING_ELEMENT { + let coefficient_normal_form = montgomery_reduce(result[i].coefficients[j] * 1441); + + result[i].coefficients[j] = + barrett_reduce(coefficient_normal_form + error_1[i].coefficients[j]); + } + } + } + + result +} + +/// Compute  ◦ ŝ + ê +#[inline(always)] +#[allow(non_snake_case)] +pub(in crate::kem::kyber) fn compute_As_plus_e( + matrix_A: &[[PolynomialRingElement; K]; K], + s_as_ntt: &[PolynomialRingElement; K], + error_as_ntt: &[PolynomialRingElement; K], +) -> [PolynomialRingElement; K] { + let mut result = [PolynomialRingElement::ZERO; K]; + + cloop! { + for (i, row) in matrix_A.iter().enumerate() { + cloop! { + for (j, matrix_element) in row.iter().enumerate() { + let product = ntt_multiply(matrix_element, &s_as_ntt[j]); + result[i] = add_to_ring_element::(result[i], &product); + } + } + + for j in 0..COEFFICIENTS_IN_RING_ELEMENT { + // The coefficients are of the form aR^{-1} mod q, which means + // calling to_montgomery_domain() on them should return a mod q. + let coefficient_normal_form = to_standard_domain(result[i].coefficients[j]); + + result[i].coefficients[j] = + barrett_reduce(coefficient_normal_form + error_as_ntt[i].coefficients[j]) + } + } + } + + result +} diff --git a/libcrux-ml-kem/src/kem/kyber/ntt.rs b/libcrux-ml-kem/src/kem/kyber/ntt.rs new file mode 100644 index 000000000..6d154211e --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/ntt.rs 
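Review bot: The literal `1441` is repeated in `compute_message`, `compute_ring_element_v` and `compute_vector_u` with no explanation, whereas `compute_As_plus_e` explains its `to_standard_domain` step; presumably this factor folds the 1/2⁷ that `invert_ntt_at_layer` (ntt.rs hunk) says it defers together with the Montgomery conversion, but a reader cannot confirm that from this file. Hoist it once as `const INVERSE_NTT_MONTGOMERY_FACTOR: i32 = 1441;` with a doc comment stating what it undoes (and a TODO to confirm against the reference derivation), and use it in all three places. The `///` paragraph "The following functions compute various expressions…" is separated only by a blank line from `compute_message`'s own `///` block, so rustdoc attaches it to `compute_message` alone rather than to the group; it should be a plain `//` comment. `sample_matrix_A`'s `transpose: bool` is a bare flag at the call sites (`sample_matrix_A(…, false)` in the earlier hunk); a two-variant enum would read better, though that is a style preference.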
@@ -0,0 +1,341 @@ +use crate::hax_utils::hax_debug_assert; + +use super::{ + arithmetic::{ + barrett_reduce, montgomery_multiply_fe_by_fer, montgomery_reduce, FieldElement, + FieldElementTimesMontgomeryR, MontgomeryFieldElement, PolynomialRingElement, + }, + constants::COEFFICIENTS_IN_RING_ELEMENT, +}; +#[cfg(hax)] +use crate::kem::kyber::constants::FIELD_MODULUS; + +const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 128] = [ + -1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468, + 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, + 1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469, + -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725, 448, -1065, 677, -1275, + -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, -460, 1574, 1653, -246, + 778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097, + 603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, -1187, -1659, -1185, + -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628, +]; + +/// Represents an intermediate polynomial splitting step in the NTT. All +/// resulting coefficients are in the normal domain since the zetas have been +/// multiplied by MONTGOMERY_R. 
+#[inline(always)] +fn ntt_at_layer( + zeta_i: &mut usize, + mut re: PolynomialRingElement, + layer: usize, + _initial_coefficient_bound: usize, +) -> PolynomialRingElement { + let step = 1 << layer; + + for round in 0..(128 >> layer) { + *zeta_i += 1; + + let offset = round * step * 2; + + for j in offset..offset + step { + let t = montgomery_multiply_fe_by_fer( + re.coefficients[j + step], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ); + re.coefficients[j + step] = re.coefficients[j] - t; + re.coefficients[j] = re.coefficients[j] + t; + } + } + + hax_debug_assert!(re.coefficients.into_iter().all(|coefficient| { + coefficient.abs() + < _initial_coefficient_bound as i32 + ((8 - layer as i32) * ((3 * FIELD_MODULUS) / 2)) + })); + + re +} + +/// See [`ntt_at_layer`]. +#[inline(always)] +fn ntt_at_layer_3( + zeta_i: &mut usize, + re: PolynomialRingElement, + layer: usize, +) -> PolynomialRingElement { + ntt_at_layer(zeta_i, re, layer, 3) +} + +/// See [`ntt_at_layer`]. +#[inline(always)] +fn ntt_at_layer_3328( + zeta_i: &mut usize, + re: PolynomialRingElement, + layer: usize, +) -> PolynomialRingElement { + ntt_at_layer(zeta_i, re, layer, 3328) +} + +/// Use the Cooley–Tukey butterfly to compute an in-place NTT representation +/// of a `KyberPolynomialRingElement`. +/// +/// This function operates only on those which were produced by binomial +/// sampling, and thus those which have small coefficients. The small +/// coefficients let us skip the first round of Montgomery reductions. 
+#[cfg_attr(hax, hax_lib::requires( + hax_lib::forall(|i:usize| + hax_lib::implies(i < re.coefficients.len(), || re.coefficients[i].abs() <= 3 +))))] +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::forall(|i:usize| + hax_lib::implies(i < result.coefficients.len(), || + result.coefficients[i].abs() < FIELD_MODULUS +))))] +#[inline(always)] +pub(in crate::kem::kyber) fn ntt_binomially_sampled_ring_element( + mut re: PolynomialRingElement, +) -> PolynomialRingElement { + hax_debug_assert!(re + .coefficients + .into_iter() + .all(|coefficient| coefficient.abs() <= 3)); + + // Due to the small coefficient bound, we can skip the first round of + // Montgomery reductions. + let mut zeta_i = 1; + + for j in 0..128 { + // Multiply by the appropriate zeta in the normal domain. + let t = re.coefficients[j + 128] * -1600; + + re.coefficients[j + 128] = re.coefficients[j] - t; + re.coefficients[j] = re.coefficients[j] + t; + } + + hax_debug_assert!(re + .coefficients + .into_iter() + .all(|coefficient| { coefficient.abs() < 3 + ((3 * FIELD_MODULUS) / 2) })); + + re = ntt_at_layer_3(&mut zeta_i, re, 6); + re = ntt_at_layer_3(&mut zeta_i, re, 5); + re = ntt_at_layer_3(&mut zeta_i, re, 4); + re = ntt_at_layer_3(&mut zeta_i, re, 3); + re = ntt_at_layer_3(&mut zeta_i, re, 2); + re = ntt_at_layer_3(&mut zeta_i, re, 1); + + for i in 0..COEFFICIENTS_IN_RING_ELEMENT { + re.coefficients[i] = barrett_reduce(re.coefficients[i]); + } + + re +} + +/// Use the Cooley–Tukey butterfly to compute an in-place NTT representation +/// of a `KyberPolynomialRingElement`. +/// +/// This function operates on the ring element that partly constitutes +/// the ciphertext. 
+#[cfg_attr(hax, hax_lib::requires( + hax_lib::forall(|i:usize| + hax_lib::implies(i < re.coefficients.len(), || re.coefficients[i].abs() <= 3328 +))))] +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::forall(|i:usize| + hax_lib::implies(i < result.coefficients.len(), || + result.coefficients[i].abs() < FIELD_MODULUS +))))] +#[inline(always)] +pub(in crate::kem::kyber) fn ntt_vector_u( + mut re: PolynomialRingElement, +) -> PolynomialRingElement { + hax_debug_assert!(re + .coefficients + .into_iter() + .all(|coefficient| coefficient.abs() <= 3328)); + + let mut zeta_i = 0; + + re = ntt_at_layer_3328(&mut zeta_i, re, 7); + re = ntt_at_layer_3328(&mut zeta_i, re, 6); + re = ntt_at_layer_3328(&mut zeta_i, re, 5); + re = ntt_at_layer_3328(&mut zeta_i, re, 4); + re = ntt_at_layer_3328(&mut zeta_i, re, 3); + re = ntt_at_layer_3328(&mut zeta_i, re, 2); + re = ntt_at_layer_3328(&mut zeta_i, re, 1); + + for i in 0..COEFFICIENTS_IN_RING_ELEMENT { + re.coefficients[i] = barrett_reduce(re.coefficients[i]); + } + + re +} + +#[inline(always)] +fn invert_ntt_at_layer( + zeta_i: &mut usize, + mut re: PolynomialRingElement, + layer: usize, +) -> PolynomialRingElement { + let step = 1 << layer; + + for round in 0..(128 >> layer) { + *zeta_i -= 1; + + let offset = round * step * 2; + + for j in offset..offset + step { + let a_minus_b = re.coefficients[j + step] - re.coefficients[j]; + + // Instead of dividing by 2 here, we just divide by + // 2^7 in one go in the end. + re.coefficients[j] = re.coefficients[j] + re.coefficients[j + step]; + re.coefficients[j + step] = + montgomery_reduce(a_minus_b * ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); + } + } + + re +} + +/// Use the Gentleman-Sande butterfly to invert, in-place, the NTT representation +/// of a `KyberPolynomialRingElement`. The coefficients of the output +/// ring element are in the Montgomery domain. 
+#[inline(always)] +pub(crate) fn invert_ntt_montgomery( + mut re: PolynomialRingElement, +) -> PolynomialRingElement { + // We only ever call this function after matrix/vector multiplication + hax_debug_assert!(re + .coefficients + .into_iter() + .all(|coefficient| coefficient.abs() < (K as i32) * FIELD_MODULUS)); + + let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT / 2; + + re = invert_ntt_at_layer(&mut zeta_i, re, 1); + re = invert_ntt_at_layer(&mut zeta_i, re, 2); + re = invert_ntt_at_layer(&mut zeta_i, re, 3); + re = invert_ntt_at_layer(&mut zeta_i, re, 4); + re = invert_ntt_at_layer(&mut zeta_i, re, 5); + re = invert_ntt_at_layer(&mut zeta_i, re, 6); + re = invert_ntt_at_layer(&mut zeta_i, re, 7); + + hax_debug_assert!( + re.coefficients[0].abs() < 128 * (K as i32) * FIELD_MODULUS + && re.coefficients[1].abs() < 128 * (K as i32) * FIELD_MODULUS + ); + hax_debug_assert!(re + .coefficients + .into_iter() + .enumerate() + .skip(2) + .all(|(i, coefficient)| coefficient.abs() < (128 / (1 << i.ilog2())) * FIELD_MODULUS)); + + for i in 0..2 { + re.coefficients[i] = barrett_reduce(re.coefficients[i]); + } + re +} + +/// Compute the product of two Kyber binomials with respect to the +/// modulus `X² - zeta`. +/// +/// This function almost implements Algorithm 11 of the +/// NIST FIPS 203 standard, which is reproduced below: +/// +/// ```plaintext +/// Input: a₀, a₁, b₀, b₁ ∈ ℤq. +/// Input: γ ∈ ℤq. +/// Output: c₀, c₁ ∈ ℤq. +/// +/// c₀ ← a₀·b₀ + a₁·b₁·γ +/// c₁ ← a₀·b₁ + a₁·b₀ +/// return c₀, c₁ +/// ``` +/// We say "almost" because the coefficients output by this function are in +/// the Montgomery domain (unlike in the specification). +/// +/// The NIST FIPS 203 standard can be found at +/// . 
+#[inline(always)] +fn ntt_multiply_binomials( + (a0, a1): (FieldElement, FieldElement), + (b0, b1): (FieldElement, FieldElement), + zeta: FieldElementTimesMontgomeryR, +) -> (MontgomeryFieldElement, MontgomeryFieldElement) { + ( + montgomery_reduce(a0 * b0 + montgomery_reduce(a1 * b1) * zeta), + montgomery_reduce(a0 * b1 + a1 * b0), + ) +} + +/// Given two `KyberPolynomialRingElement`s in their NTT representations, +/// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, +/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: +/// +/// ```plaintext +/// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1)) +/// ``` +/// +/// This function almost implements Algorithm 10 of the +/// NIST FIPS 203 standard, which is reproduced below: +/// +/// ```plaintext +/// Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. +/// Output: An array ĥ ∈ ℤq. +/// +/// for(i ← 0; i < 128; i++) +/// (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], ζ^(2·BitRev₇(i) + 1)) +/// end for +/// return ĥ +/// ``` +/// We say "almost" because the coefficients of the ring element output by +/// this function are in the Montgomery domain. +/// +/// The NIST FIPS 203 standard can be found at +/// . 
+#[cfg_attr(hax, hax_lib::requires( + hax_lib::forall(|i:usize| + hax_lib::implies(i < COEFFICIENTS_IN_RING_ELEMENT, || + (lhs.coefficients[i] >= 0 && lhs.coefficients[i] < 4096) && + (rhs.coefficients[i].abs() <= FIELD_MODULUS) + +))))] +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::forall(|i:usize| + hax_lib::implies(i < result.coefficients.len(), || + result.coefficients[i].abs() <= FIELD_MODULUS +))))] +#[inline(always)] +pub(crate) fn ntt_multiply( + lhs: &PolynomialRingElement, + rhs: &PolynomialRingElement, +) -> PolynomialRingElement { + hax_debug_assert!(lhs + .coefficients + .into_iter() + .all(|coefficient| coefficient >= 0 && coefficient < 4096)); + + let mut out = PolynomialRingElement::ZERO; + + for i in 0..(COEFFICIENTS_IN_RING_ELEMENT / 4) { + let product = ntt_multiply_binomials( + (lhs.coefficients[4 * i], lhs.coefficients[4 * i + 1]), + (rhs.coefficients[4 * i], rhs.coefficients[4 * i + 1]), + ZETAS_TIMES_MONTGOMERY_R[64 + i], + ); + out.coefficients[4 * i] = product.0; + out.coefficients[4 * i + 1] = product.1; + + let product = ntt_multiply_binomials( + (lhs.coefficients[4 * i + 2], lhs.coefficients[4 * i + 3]), + (rhs.coefficients[4 * i + 2], rhs.coefficients[4 * i + 3]), + -ZETAS_TIMES_MONTGOMERY_R[64 + i], + ); + out.coefficients[4 * i + 2] = product.0; + out.coefficients[4 * i + 3] = product.1; + } + + out +} diff --git a/libcrux-ml-kem/src/kem/kyber/sampling.rs b/libcrux-ml-kem/src/kem/kyber/sampling.rs new file mode 100644 index 000000000..64e74d517 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/sampling.rs 
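Review bot: In `ntt_multiply` the runtime `hax_debug_assert!` checks only `lhs` (`0 <= c < 4096`), while the `hax_lib::requires` contract directly above also bounds `rhs` by `|c| <= FIELD_MODULUS`; the debug build should enforce the same precondition, `hax_debug_assert!(rhs.coefficients.into_iter().all(|coefficient| coefficient.abs() <= FIELD_MODULUS));`, so a caller violating it is caught by tests and not only by the proof. The layer-7 multiplier `-1600` in `ntt_binomially_sampled_ring_element` is a bare literal described only as "the appropriate zeta in the normal domain"; naming it, e.g. `const ZETA_LAYER_7: FieldElement = -1600;` with a one-line doc saying which power of ζ it is and why it is not taken from the table, would make its relation to `ZETAS_TIMES_MONTGOMERY_R` checkable. `ZETAS_TIMES_MONTGOMERY_R[0]` is never read on any path (`ntt_vector_u` starts `zeta_i` at 0 and `ntt_at_layer` pre-increments, the binomial path starts at 1, `invert_ntt_at_layer` pre-decrements from 128, and `ntt_multiply` reads `64 + i`), which is presumably intentional but deserves a comment on the table.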
@@ -0,0 +1,240 @@ +use super::{ + arithmetic::{FieldElement, PolynomialRingElement}, + constants::{COEFFICIENTS_IN_RING_ELEMENT, FIELD_MODULUS}, + hash_functions::*, + helper::cloop, +}; +use crate::hax_utils::hax_debug_assert; + +/// If `bytes` contains a set of uniformly random bytes, this function +/// uniformly samples a ring element `â` that is treated as being the NTT representation +/// of the corresponding polynomial `a`. +/// +/// Since rejection sampling is used, it is possible the supplied bytes are +/// not enough to sample the element, in which case an `Err` is returned and the +/// caller must try again with a fresh set of bytes. +/// +/// This function partially implements Algorithm 6 of the NIST FIPS 203 standard, +/// We say "partially" because this implementation only accepts a finite set of +/// bytes as input and returns an error if the set is not enough; Algorithm 6 of +/// the FIPS 203 standard on the other hand samples from an infinite stream of bytes +/// until the ring element is filled. Algorithm 6 is reproduced below: +/// +/// ```plaintext +/// Input: byte stream B ∈ 𝔹*. +/// Output: array â ∈ ℤ₂₅₆. +/// +/// i ← 0 +/// j ← 0 +/// while j < 256 do +/// d₁ ← B[i] + 256·(B[i+1] mod 16) +/// d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] +/// if d₁ < q then +/// â[j] ← d₁ +/// j ← j + 1 +/// end if +/// if d₂ < q and j < 256 then +/// â[j] ← d₂ +/// j ← j + 1 +/// end if +/// i ← i + 3 +/// end while +/// return â +/// ``` +/// +/// The NIST FIPS 203 standard can be found at +/// . 
+fn sample_from_uniform_distribution_next( + randomness: [[u8; N]; K], + sampled_coefficients: &mut [usize; K], + out: &mut [PolynomialRingElement; K], +) -> bool { + let mut done = true; + for i in 0..K { + for bytes in randomness[i].chunks(3) { + let b1 = bytes[0] as i32; + let b2 = bytes[1] as i32; + let b3 = bytes[2] as i32; + + let d1 = ((b2 & 0xF) << 8) | b1; + let d2 = (b3 << 4) | (b2 >> 4); + + if d1 < FIELD_MODULUS && sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT { + out[i].coefficients[sampled_coefficients[i]] = d1; + sampled_coefficients[i] += 1 + } + if d2 < FIELD_MODULUS && sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT { + out[i].coefficients[sampled_coefficients[i]] = d2; + sampled_coefficients[i] += 1; + } + } + if sampled_coefficients[i] < COEFFICIENTS_IN_RING_ELEMENT { + done = false + } + } + done +} + +pub(super) fn sample_from_xof(seeds: [[u8; 34]; K]) -> [PolynomialRingElement; K] { + let mut sampled_coefficients: [usize; K] = [0; K]; + let mut out: [PolynomialRingElement; K] = [PolynomialRingElement::ZERO; K]; + + let mut xof_state = absorb(seeds); + let randomness = squeeze_three_blocks(&mut xof_state); + + let mut done = + sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); + + // Requiring more than 5 blocks to sample a ring element should be very + // unlikely according to: + // https://eprint.iacr.org/2023/708.pdf + // To avoid failing here, we squeeze more blocks out of the state until + // we have enough. + while !done { + let randomness = squeeze_block(&mut xof_state); + done = + sample_from_uniform_distribution_next(randomness, &mut sampled_coefficients, &mut out); + } + // XXX: We have to manually free the state here due to a Eurydice issue. 
+ free_state(xof_state); + + out +} + +/// Given a series of uniformly random bytes in `randomness`, for some number `eta`, +/// the `sample_from_binomial_distribution_{eta}` functions sample +/// a ring element from a binomial distribution centered at 0 that uses two sets +/// of `eta` coin flips. If, for example, +/// `eta = ETA`, each ring coefficient is a value `v` such +/// such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: +/// +/// ```plaintext +/// - If v < 0, Pr[v] = Pr[-v] +/// - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) +/// ``` +/// +/// The values `v < 0` are mapped to the appropriate `KyberFieldElement`. +/// +/// The expected value is: +/// +/// ```plaintext +/// E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + (ETA)Pr[ETA] +/// = 0 since Pr[-v] = Pr[v] when v < 0. +/// ``` +/// +/// And the variance is: +/// +/// ```plaintext +/// Var(X) = E[(X - E[X])^2] +/// = E[X^2] +/// = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2^(2 * ETA)) +/// = ETA / 2 +/// ``` +/// +/// This function implements Algorithm 7 of the NIST FIPS 203 standard, which is +/// reproduced below: +/// +/// ```plaintext +/// Input: byte array B ∈ 𝔹^{64η}. +/// Output: array f ∈ ℤ₂₅₆. +/// +/// b ← BytesToBits(B) +/// for (i ← 0; i < 256; i++) +/// x ← ∑(j=0 to η - 1) b[2iη + j] +/// y ← ∑(j=0 to η - 1) b[2iη + η + j] +/// f[i] ← x−y mod q +/// end for +/// return f +/// ``` +/// +/// The NIST FIPS 203 standard can be found at +/// . +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 2 * 64))] +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::forall(|i:usize| + hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 2 +))))] +fn sample_from_binomial_distribution_2(randomness: &[u8]) -> PolynomialRingElement { + let mut sampled: PolynomialRingElement = PolynomialRingElement::ZERO; + + cloop! 
{ + for (chunk_number, byte_chunk) in randomness.chunks_exact(4).enumerate() { + let random_bits_as_u32: u32 = (byte_chunk[0] as u32) + | (byte_chunk[1] as u32) << 8 + | (byte_chunk[2] as u32) << 16 + | (byte_chunk[3] as u32) << 24; + + let even_bits = random_bits_as_u32 & 0x55555555; + let odd_bits = (random_bits_as_u32 >> 1) & 0x55555555; + + let coin_toss_outcomes = even_bits + odd_bits; + + cloop! { + for outcome_set in (0..u32::BITS).step_by(4) { + let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as FieldElement; + let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as FieldElement; + + let offset = (outcome_set >> 2) as usize; + sampled.coefficients[8 * chunk_number + offset] = outcome_1 - outcome_2; + } + } + } + } + + hax_debug_assert!(sampled + .coefficients + .into_iter() + .all(|coefficient| coefficient >= -2 && coefficient <= 2)); + sampled +} + +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 3 * 64))] +#[cfg_attr(hax, hax_lib::ensures(|result| + hax_lib::forall(|i:usize| + hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 3 +))))] +fn sample_from_binomial_distribution_3(randomness: &[u8]) -> PolynomialRingElement { + let mut sampled: PolynomialRingElement = PolynomialRingElement::ZERO; + + cloop! { + for (chunk_number, byte_chunk) in randomness.chunks_exact(3).enumerate() { + let random_bits_as_u24: u32 = + (byte_chunk[0] as u32) | (byte_chunk[1] as u32) << 8 | (byte_chunk[2] as u32) << 16; + + let first_bits = random_bits_as_u24 & 0x00249249; + let second_bits = (random_bits_as_u24 >> 1) & 0x00249249; + let third_bits = (random_bits_as_u24 >> 2) & 0x00249249; + + let coin_toss_outcomes = first_bits + second_bits + third_bits; + + cloop! 
{ + for outcome_set in (0..24).step_by(6) { + let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as FieldElement; + let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as FieldElement; + + let offset = (outcome_set / 6) as usize; + sampled.coefficients[4 * chunk_number + offset] = outcome_1 - outcome_2; + } + } + } + } + + hax_debug_assert!(sampled + .coefficients + .into_iter() + .all(|coefficient| coefficient >= -3 && coefficient <= 3)); + sampled +} + +#[inline(always)] +pub(super) fn sample_from_binomial_distribution( + randomness: &[u8], +) -> PolynomialRingElement { + hax_debug_assert!(randomness.len() == ETA * 64); + + match ETA as u32 { + 2 => sample_from_binomial_distribution_2(randomness), + 3 => sample_from_binomial_distribution_3(randomness), + _ => unreachable!(), + } +} diff --git a/libcrux-ml-kem/src/kem/kyber/serialize.rs b/libcrux-ml-kem/src/kem/kyber/serialize.rs new file mode 100644 index 000000000..6943b8164 --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/serialize.rs 
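Review bot: The doc comment on `sample_from_uniform_distribution_next` says an `Err` is returned when the supplied bytes are not enough, but the function returns a `bool` (`done`) and the retry loop lives in `sample_from_xof`; the sentence should read "in which case `false` is returned and the caller must squeeze more bytes and call again". Separately, the inner loop iterates `randomness[i].chunks(3)` and then reads `bytes[1]` and `bytes[2]` unconditionally, so any `N` that is not a multiple of 3 would panic on the trailing partial chunk; `for bytes in randomness[i].chunks_exact(3) {` states that invariant in the code and lets the compiler hoist the bounds checks. The callers visible here pass whole XOF blocks, so this is a robustness and verification point rather than a live bug. The rejection-sampling loop in `sample_from_xof` is data-dependent in timing, which is acceptable only because the matrix seed is public; a one-line comment saying so (`// Timing depends on the sampled values; only safe because seeds are public.`) would stop it being reused on secret input.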
@@ -0,0 +1,623 @@ +use super::{ + arithmetic::{to_unsigned_representative, FieldElement, PolynomialRingElement}, + compress::{ + compress_ciphertext_coefficient, compress_message_coefficient, + decompress_ciphertext_coefficient, decompress_message_coefficient, + }, + constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, + helper::cloop, +}; +use crate::hax_utils::hax_debug_assert; + +#[inline(always)] +pub(super) fn compress_then_serialize_message( + re: PolynomialRingElement, +) -> [u8; SHARED_SECRET_SIZE] { + let mut serialized = [0u8; SHARED_SECRET_SIZE]; + + cloop! { + for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() { + cloop! { + for (j, coefficient) in coefficients.iter().enumerate() { + let coefficient = to_unsigned_representative(*coefficient); + + let coefficient_compressed = compress_message_coefficient(coefficient); + + serialized[i] |= coefficient_compressed << j + } + } + } + } + + serialized +} +#[inline(always)] +pub(super) fn deserialize_then_decompress_message( + serialized: [u8; SHARED_SECRET_SIZE], +) -> PolynomialRingElement { + let mut re = PolynomialRingElement::ZERO; + + cloop! { + for (i, byte) in serialized.into_iter().enumerate() { + for j in 0..8 { + let coefficient_compressed = ((byte >> j) & 0x1) as FieldElement; + re.coefficients[8 * i + j] = decompress_message_coefficient(coefficient_compressed); + } + } + } + + re +} + +#[inline(always)] +pub(super) fn serialize_uncompressed_ring_element( + re: PolynomialRingElement, +) -> [u8; BYTES_PER_RING_ELEMENT] { + let mut serialized = [0u8; BYTES_PER_RING_ELEMENT]; + + cloop! 
{ + for (i, coefficients) in re.coefficients.chunks_exact(2).enumerate() { + let coefficient1 = to_unsigned_representative(coefficients[0]); + let coefficient2 = to_unsigned_representative(coefficients[1]); + + let (coef1, coef2, coef3) = compress_coefficients_3(coefficient1, coefficient2); + serialized[3 * i] = coef1; + serialized[3 * i + 1] = coef2; + serialized[3 * i + 2] = coef3; + } + } + + serialized +} + +#[inline(always)] +fn compress_coefficients_3(coefficient1: u16, coefficient2: u16) -> (u8, u8, u8) { + let coef1 = (coefficient1 & 0xFF) as u8; + let coef2 = ((coefficient1 >> 8) | ((coefficient2 & 0x0F) << 4)) as u8; + let coef3 = ((coefficient2 >> 4) & 0xFF) as u8; + (coef1, coef2, coef3) +} + +#[inline(always)] +pub(super) fn deserialize_to_uncompressed_ring_element(serialized: &[u8]) -> PolynomialRingElement { + hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); + + let mut re = PolynomialRingElement::ZERO; + + cloop! { + for (i, bytes) in serialized.chunks_exact(3).enumerate() { + let byte1 = bytes[0] as FieldElement; + let byte2 = bytes[1] as FieldElement; + let byte3 = bytes[2] as FieldElement; + + re.coefficients[2 * i] = (byte2 & 0x0F) << 8 | (byte1 & 0xFF); + re.coefficients[2 * i + 1] = (byte3 << 4) | ((byte2 >> 4) & 0x0F); + } + } + + re +} + +/// Only use with public values. +/// +/// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`. +#[inline(always)] +fn deserialize_to_reduced_ring_element(ring_element: &[u8]) -> PolynomialRingElement { + hax_debug_assert!(ring_element.len() == BYTES_PER_RING_ELEMENT); + + let mut re = PolynomialRingElement::ZERO; + + cloop! { + for (i, bytes) in ring_element.chunks_exact(3).enumerate() { + let byte1 = bytes[0] as FieldElement; + let byte2 = bytes[1] as FieldElement; + let byte3 = bytes[2] as FieldElement; + + // The modulus here is ok because the input must be public. + // XXX: The awkward code here is necessary to work around Charon shortcomings. 
+ re.coefficients[2 * i] = (byte2 & 0x0F) << 8 | (byte1 & 0xFF); + let tmp = re.coefficients[2 * i] % 3329; // FIELD_MODULUS + re.coefficients[2 * i] = tmp; + + re.coefficients[2 * i + 1] = (byte3 << 4) | ((byte2 >> 4) & 0x0F); + let tmp = re.coefficients[2 * i + 1] % 3329; // FIELD_MODULUS + re.coefficients[2 * i + 1] = tmp; + } + } + + re +} + +/// This function deserializes ring elements and reduces the result by the field +/// modulus. +/// +/// This function MUST NOT be used on secret inputs. +#[inline(always)] +pub(super) fn deserialize_ring_elements_reduced( + public_key: &[u8], +) -> [PolynomialRingElement; K] { + let mut deserialized_pk = [PolynomialRingElement::ZERO; K]; + cloop! { + for (i, ring_element) in public_key + .chunks_exact(BYTES_PER_RING_ELEMENT) + .enumerate() + { + deserialized_pk[i] =deserialize_to_reduced_ring_element(ring_element); + } + } + deserialized_pk +} + +#[inline(always)] +fn compress_then_serialize_10(re: PolynomialRingElement) -> [u8; OUT_LEN] { + let mut serialized = [0u8; OUT_LEN]; + + cloop! 
{ + for (i, coefficients) in re.coefficients.chunks_exact(4).enumerate() { + let coefficient1 = + compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[0])); + let coefficient2 = + compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[1])); + let coefficient3 = + compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[2])); + let coefficient4 = + compress_ciphertext_coefficient(10, to_unsigned_representative(coefficients[3])); + + let (coef1, coef2, coef3, coef4, coef5) = + compress_coefficients_10(coefficient1, coefficient2, coefficient3, coefficient4); + serialized[5 * i] = coef1; + serialized[5 * i + 1] = coef2; + serialized[5 * i + 2] = coef3; + serialized[5 * i + 3] = coef4; + serialized[5 * i + 4] = coef5; + } + } + + serialized +} + +#[inline(always)] +fn compress_coefficients_10( + coefficient1: i32, + coefficient2: i32, + coefficient3: i32, + coefficient4: i32, +) -> (u8, u8, u8, u8, u8) { + let coef1 = (coefficient1 & 0xFF) as u8; + let coef2 = ((coefficient2 & 0x3F) as u8) << 2 | ((coefficient1 >> 8) & 0x03) as u8; + let coef3 = ((coefficient3 & 0x0F) as u8) << 4 | ((coefficient2 >> 6) & 0x0F) as u8; + let coef4 = ((coefficient4 & 0x03) as u8) << 6 | ((coefficient3 >> 4) & 0x3F) as u8; + let coef5 = ((coefficient4 >> 2) & 0xFF) as u8; + (coef1, coef2, coef3, coef4, coef5) +} + +#[inline(always)] +fn compress_then_serialize_11(re: PolynomialRingElement) -> [u8; OUT_LEN] { + let mut serialized = [0u8; OUT_LEN]; + + cloop! 
{ + for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() { + let coefficient1 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[0])); + let coefficient2 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[1])); + let coefficient3 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[2])); + let coefficient4 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[3])); + let coefficient5 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[4])); + let coefficient6 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[5])); + let coefficient7 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[6])); + let coefficient8 = + compress_ciphertext_coefficient(11, to_unsigned_representative(coefficients[7])); + + let (coef1, coef2, coef3, coef4, coef5, coef6, coef7, coef8, coef9, coef10, coef11) = + compress_coefficients_11( + coefficient1, + coefficient2, + coefficient3, + coefficient4, + coefficient5, + coefficient6, + coefficient7, + coefficient8, + ); + serialized[11 * i] = coef1; + serialized[11 * i + 1] = coef2; + serialized[11 * i + 2] = coef3; + serialized[11 * i + 3] = coef4; + serialized[11 * i + 4] = coef5; + serialized[11 * i + 5] = coef6; + serialized[11 * i + 6] = coef7; + serialized[11 * i + 7] = coef8; + serialized[11 * i + 8] = coef9; + serialized[11 * i + 9] = coef10; + serialized[11 * i + 10] = coef11; + } + } + + serialized +} + +#[inline(always)] +fn compress_coefficients_11( + coefficient1: i32, + coefficient2: i32, + coefficient3: i32, + coefficient4: i32, + coefficient5: i32, + coefficient6: i32, + coefficient7: i32, + coefficient8: i32, +) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8) { + let coef1 = coefficient1 as u8; + let coef2 = ((coefficient2 & 0x1F) as u8) << 3 | ((coefficient1 >> 8) as u8); + let coef3 = ((coefficient3 & 0x3) as u8) << 6 
| ((coefficient2 >> 5) as u8); + let coef4 = ((coefficient3 >> 2) & 0xFF) as u8; + let coef5 = ((coefficient4 & 0x7F) as u8) << 1 | (coefficient3 >> 10) as u8; + let coef6 = ((coefficient5 & 0xF) as u8) << 4 | (coefficient4 >> 7) as u8; + let coef7 = ((coefficient6 & 0x1) as u8) << 7 | (coefficient5 >> 4) as u8; + let coef8 = ((coefficient6 >> 1) & 0xFF) as u8; + let coef9 = ((coefficient7 & 0x3F) as u8) << 2 | (coefficient6 >> 9) as u8; + let coef10 = ((coefficient8 & 0x7) as u8) << 5 | (coefficient7 >> 6) as u8; + let coef11 = (coefficient8 >> 3) as u8; + ( + coef1, coef2, coef3, coef4, coef5, coef6, coef7, coef8, coef9, coef10, coef11, + ) +} +#[inline(always)] +pub(super) fn compress_then_serialize_ring_element_u< + const COMPRESSION_FACTOR: usize, + const OUT_LEN: usize, +>( + re: PolynomialRingElement, +) -> [u8; OUT_LEN] { + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + + match COMPRESSION_FACTOR as u32 { + 10 => compress_then_serialize_10(re), + 11 => compress_then_serialize_11(re), + _ => unreachable!(), + } +} + +#[inline(always)] +fn compress_then_serialize_4(re: PolynomialRingElement) -> [u8; OUT_LEN] { + let mut serialized = [0u8; OUT_LEN]; + + cloop! { + for (i, coefficients) in re.coefficients.chunks_exact(2).enumerate() { + let coefficient1 = + compress_ciphertext_coefficient(4, to_unsigned_representative(coefficients[0])) as u8; + let coefficient2 = + compress_ciphertext_coefficient(4, to_unsigned_representative(coefficients[1])) as u8; + + serialized[i] = (coefficient2 << 4) | coefficient1; + } + } + + serialized +} + +#[inline(always)] +fn compress_then_serialize_5(re: PolynomialRingElement) -> [u8; OUT_LEN] { + let mut serialized = [0u8; OUT_LEN]; + + cloop! 
{ + for (i, coefficients) in re.coefficients.chunks_exact(8).enumerate() { + let coefficient1 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[0])) as u8; + let coefficient2 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[1])) as u8; + let coefficient3 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[2])) as u8; + let coefficient4 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[3])) as u8; + let coefficient5 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[4])) as u8; + let coefficient6 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[5])) as u8; + let coefficient7 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[6])) as u8; + let coefficient8 = + compress_ciphertext_coefficient(5, to_unsigned_representative(coefficients[7])) as u8; + + let (coef1, coef2, coef3, coef4, coef5) = compress_coefficients_5( + coefficient2, + coefficient1, + coefficient4, + coefficient3, + coefficient5, + coefficient7, + coefficient6, + coefficient8, + ); + serialized[5 * i] = coef1; + serialized[5 * i + 1] = coef2; + serialized[5 * i + 2] = coef3; + serialized[5 * i + 3] = coef4; + serialized[5 * i + 4] = coef5; + } + } + + serialized +} + +#[inline(always)] +fn compress_coefficients_5( + coefficient2: u8, + coefficient1: u8, + coefficient4: u8, + coefficient3: u8, + coefficient5: u8, + coefficient7: u8, + coefficient6: u8, + coefficient8: u8, +) -> (u8, u8, u8, u8, u8) { + let coef1 = (coefficient2 & 0x7) << 5 | coefficient1; + let coef2 = ((coefficient4 & 1) << 7) | (coefficient3 << 2) | (coefficient2 >> 3); + let coef3 = ((coefficient5 & 0xF) << 4) | (coefficient4 >> 1); + let coef4 = ((coefficient7 & 0x3) << 6) | (coefficient6 << 1) | (coefficient5 >> 4); + let coef5 = (coefficient8 << 3) | (coefficient7 >> 2); + (coef1, coef2, coef3, coef4, coef5) +} + +#[inline(always)] 
+pub(super) fn compress_then_serialize_ring_element_v< + const COMPRESSION_FACTOR: usize, + const OUT_LEN: usize, +>( + re: PolynomialRingElement, +) -> [u8; OUT_LEN] { + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + + match COMPRESSION_FACTOR as u32 { + 4 => compress_then_serialize_4(re), + 5 => compress_then_serialize_5(re), + _ => unreachable!(), + } +} + +#[inline(always)] +fn deserialize_then_decompress_10(serialized: &[u8]) -> PolynomialRingElement { + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 10) / 8); + + let mut re = PolynomialRingElement::ZERO; + + cloop! { + for (i, bytes) in serialized.chunks_exact(5).enumerate() { + let byte1 = bytes[0] as FieldElement; + let byte2 = bytes[1] as FieldElement; + let byte3 = bytes[2] as FieldElement; + let byte4 = bytes[3] as FieldElement; + let byte5 = bytes[4] as FieldElement; + + let (coefficient1, coefficient2, coefficient3, coefficient4) = + decompress_coefficients_10(byte2, byte1, byte3, byte4, byte5); + + re.coefficients[4 * i] = decompress_ciphertext_coefficient(10, coefficient1); + re.coefficients[4 * i + 1] = decompress_ciphertext_coefficient(10, coefficient2); + re.coefficients[4 * i + 2] = decompress_ciphertext_coefficient(10, coefficient3); + re.coefficients[4 * i + 3] = decompress_ciphertext_coefficient(10, coefficient4); + } + } + + re +} + +#[inline(always)] +fn decompress_coefficients_10( + byte2: i32, + byte1: i32, + byte3: i32, + byte4: i32, + byte5: i32, +) -> (i32, i32, i32, i32) { + let coefficient1 = (byte2 & 0x03) << 8 | (byte1 & 0xFF); + let coefficient2 = (byte3 & 0x0F) << 6 | (byte2 >> 2); + let coefficient3 = (byte4 & 0x3F) << 4 | (byte3 >> 4); + let coefficient4 = (byte5 << 2) | (byte4 >> 6); + (coefficient1, coefficient2, coefficient3, coefficient4) +} + +#[inline(always)] +fn deserialize_then_decompress_11(serialized: &[u8]) -> PolynomialRingElement { + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT 
* 11) / 8); + + let mut re = PolynomialRingElement::ZERO; + + cloop! { + for (i, bytes) in serialized.chunks_exact(11).enumerate() { + let byte1 = bytes[0] as FieldElement; + let byte2 = bytes[1] as FieldElement; + let byte3 = bytes[2] as FieldElement; + let byte4 = bytes[3] as FieldElement; + let byte5 = bytes[4] as FieldElement; + let byte6 = bytes[5] as FieldElement; + let byte7 = bytes[6] as FieldElement; + let byte8 = bytes[7] as FieldElement; + let byte9 = bytes[8] as FieldElement; + let byte10 = bytes[9] as FieldElement; + let byte11 = bytes[10] as FieldElement; + + let ( + coefficient1, + coefficient2, + coefficient3, + coefficient4, + coefficient5, + coefficient6, + coefficient7, + coefficient8, + ) = decompress_coefficients_11( + byte2, byte1, byte3, byte5, byte4, byte6, byte7, byte9, byte8, byte10, byte11, + ); + + re.coefficients[8 * i] = decompress_ciphertext_coefficient(11, coefficient1); + re.coefficients[8 * i + 1] = decompress_ciphertext_coefficient(11, coefficient2); + re.coefficients[8 * i + 2] = decompress_ciphertext_coefficient(11, coefficient3); + re.coefficients[8 * i + 3] = decompress_ciphertext_coefficient(11, coefficient4); + re.coefficients[8 * i + 4] = decompress_ciphertext_coefficient(11, coefficient5); + re.coefficients[8 * i + 5] = decompress_ciphertext_coefficient(11, coefficient6); + re.coefficients[8 * i + 6] = decompress_ciphertext_coefficient(11, coefficient7); + re.coefficients[8 * i + 7] = decompress_ciphertext_coefficient(11, coefficient8); + } + } + + re +} + +#[inline(always)] +fn decompress_coefficients_11( + byte2: i32, + byte1: i32, + byte3: i32, + byte5: i32, + byte4: i32, + byte6: i32, + byte7: i32, + byte9: i32, + byte8: i32, + byte10: i32, + byte11: i32, +) -> (i32, i32, i32, i32, i32, i32, i32, i32) { + let coefficient1 = (byte2 & 0x7) << 8 | byte1; + let coefficient2 = (byte3 & 0x3F) << 5 | (byte2 >> 3); + let coefficient3 = (byte5 & 0x1) << 10 | (byte4 << 2) | (byte3 >> 6); + let coefficient4 = (byte6 & 0xF) << 7 | 
(byte5 >> 1); + let coefficient5 = (byte7 & 0x7F) << 4 | (byte6 >> 4); + let coefficient6 = (byte9 & 0x3) << 9 | (byte8 << 1) | (byte7 >> 7); + let coefficient7 = (byte10 & 0x1F) << 6 | (byte9 >> 2); + let coefficient8 = (byte11 << 3) | (byte10 >> 5); + ( + coefficient1, + coefficient2, + coefficient3, + coefficient4, + coefficient5, + coefficient6, + coefficient7, + coefficient8, + ) +} + +#[inline(always)] +pub(super) fn deserialize_then_decompress_ring_element_u( + serialized: &[u8], +) -> PolynomialRingElement { + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + + match COMPRESSION_FACTOR as u32 { + 10 => deserialize_then_decompress_10(serialized), + 11 => deserialize_then_decompress_11(serialized), + _ => unreachable!(), + } +} + +#[inline(always)] +fn deserialize_then_decompress_4(serialized: &[u8]) -> PolynomialRingElement { + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 4) / 8); + + let mut re = PolynomialRingElement::ZERO; + + cloop! { + for (i, byte) in serialized.iter().enumerate() { + let (coefficient1, coefficient2) = decompress_coefficients_4(byte); + + re.coefficients[2 * i] = decompress_ciphertext_coefficient(4, coefficient1); + re.coefficients[2 * i + 1] = decompress_ciphertext_coefficient(4, coefficient2); + } + } + + re +} + +#[inline(always)] +fn decompress_coefficients_4(byte: &u8) -> (i32, i32) { + let coefficient1 = (byte & 0x0F) as FieldElement; + let coefficient2 = ((byte >> 4) & 0x0F) as FieldElement; + (coefficient1, coefficient2) +} + +#[inline(always)] +fn deserialize_then_decompress_5(serialized: &[u8]) -> PolynomialRingElement { + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 5) / 8); + + let mut re = PolynomialRingElement::ZERO; + + cloop! 
{ + for (i, bytes) in serialized.chunks_exact(5).enumerate() { + let byte1 = bytes[0] as FieldElement; + let byte2 = bytes[1] as FieldElement; + let byte3 = bytes[2] as FieldElement; + let byte4 = bytes[3] as FieldElement; + let byte5 = bytes[4] as FieldElement; + + let ( + coefficient1, + coefficient2, + coefficient3, + coefficient4, + coefficient5, + coefficient6, + coefficient7, + coefficient8, + ) = decompress_coefficients_5(byte1, byte2, byte3, byte4, byte5); + + re.coefficients[8 * i] = decompress_ciphertext_coefficient(5, coefficient1); + re.coefficients[8 * i + 1] = decompress_ciphertext_coefficient(5, coefficient2); + re.coefficients[8 * i + 2] = decompress_ciphertext_coefficient(5, coefficient3); + re.coefficients[8 * i + 3] = decompress_ciphertext_coefficient(5, coefficient4); + re.coefficients[8 * i + 4] = decompress_ciphertext_coefficient(5, coefficient5); + re.coefficients[8 * i + 5] = decompress_ciphertext_coefficient(5, coefficient6); + re.coefficients[8 * i + 6] = decompress_ciphertext_coefficient(5, coefficient7); + re.coefficients[8 * i + 7] = decompress_ciphertext_coefficient(5, coefficient8); + } + } + + re +} + +#[inline(always)] +fn decompress_coefficients_5( + byte1: i32, + byte2: i32, + byte3: i32, + byte4: i32, + byte5: i32, +) -> (i32, i32, i32, i32, i32, i32, i32, i32) { + let coefficient1 = byte1 & 0x1F; + let coefficient2 = (byte2 & 0x3) << 3 | (byte1 >> 5); + let coefficient3 = (byte2 >> 2) & 0x1F; + let coefficient4 = ((byte3 & 0xF) << 1) | (byte2 >> 7); + let coefficient5 = ((byte4 & 1) << 4) | (byte3 >> 4); + let coefficient6 = (byte4 >> 1) & 0x1F; + let coefficient7 = ((byte5 & 0x7) << 2) | (byte4 >> 6); + let coefficient8 = byte5 >> 3; + ( + coefficient1, + coefficient2, + coefficient3, + coefficient4, + coefficient5, + coefficient6, + coefficient7, + coefficient8, + ) +} + +#[inline(always)] +pub(super) fn deserialize_then_decompress_ring_element_v( + serialized: &[u8], +) -> PolynomialRingElement { + 
hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + + match COMPRESSION_FACTOR as u32 { + 4 => deserialize_then_decompress_4(serialized), + 5 => deserialize_then_decompress_5(serialized), + _ => unreachable!(), + } +} diff --git a/libcrux-ml-kem/src/kem/kyber/types.rs b/libcrux-ml-kem/src/kem/kyber/types.rs new file mode 100644 index 000000000..a3856827d --- /dev/null +++ b/libcrux-ml-kem/src/kem/kyber/types.rs 
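Review bot: The safety comment on `deserialize_to_reduced_ring_element` is ambiguous: "This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`" can be read as saying the caller is a secret input, so I would write `/// Only use with public values; the same restriction applies to the caller deserialize_ring_elements_reduced, because the % reduction below is not constant-time.` In the same hunk, the slice-length preconditions on `deserialize_then_decompress_{4,5,10,11}` and `deserialize_to_uncompressed_ring_element` are enforced only by `hax_debug_assert!`, and since every loop uses `chunks_exact`, an undersized slice in a build where that assert is compiled out would silently leave the trailing coefficients at zero instead of failing; callers appear to pass fixed-size arrays, so documenting the required length on `deserialize_then_decompress_ring_element_u`/`_v` (`serialized.len()` must equal `COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR / 8`) would make the contract visible. The `% 3329` literal is explained by the Charon workaround note, but after importing `FIELD_MODULUS` from `constants` a `const _: () = assert!(FIELD_MODULUS == 3329);` next to it would keep the literal from drifting if the constant is ever changed.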
@@ -0,0 +1,155 @@ +macro_rules! impl_generic_struct { + ($name:ident) => { + pub struct $name { + pub(super) value: [u8; SIZE], + } + + impl AsRef<[u8]> for $name { + fn as_ref(&self) -> &[u8] { + &self.value + } + } + + impl From<[u8; SIZE]> for $name { + fn from(value: [u8; SIZE]) -> Self { + Self { value } + } + } + + impl From<&[u8; SIZE]> for $name { + fn from(value: &[u8; SIZE]) -> Self { + Self { + value: value.clone(), + } + } + } + + impl From<$name> for [u8; SIZE] { + fn from(value: $name) -> Self { + value.value + } + } + + impl TryFrom<&[u8]> for $name { + type Error = core::array::TryFromSliceError; + + fn try_from(value: &[u8]) -> Result { + match value.try_into() { + Ok(value) => Ok(Self { value }), + Err(e) => Err(e), + } + } + } + + impl $name { + pub fn as_slice(&self) -> &[u8; SIZE] { + &self.value + } + + pub fn split_at(&self, mid: usize) -> (&[u8], &[u8]) { + self.value.split_at(mid) + } + + pub const fn len() -> usize { + SIZE + } + } + }; +} +macro_rules! impl_index_impls_for_generic_struct { + ($name:ident) => { + impl core::ops::Index for $name { + type Output = u8; + + fn index(&self, index: usize) -> &Self::Output { + &self.value[index] + } + } + + impl core::ops::Index> for $name { + type Output = [u8]; + + fn index(&self, range: core::ops::Range) -> &Self::Output { + &self.value[range] + } + } + + impl core::ops::Index> for $name { + type Output = [u8]; + + fn index(&self, range: core::ops::RangeTo) -> &Self::Output { + &self.value[range] + } + } + + impl core::ops::Index> for $name { + type Output = [u8]; + + fn index(&self, range: core::ops::RangeFrom) -> &Self::Output { + &self.value[range] + } + } + }; +} + +impl_generic_struct!(MlKemCiphertext); +impl_generic_struct!(MlKemPrivateKey); +impl_generic_struct!(MlKemPublicKey); + +// These traits are used only in `ind_cpa` for kyber cipher text. 
+mod index_impls { + use super::*; + impl_index_impls_for_generic_struct!(MlKemCiphertext); + impl_index_impls_for_generic_struct!(MlKemPrivateKey); + impl_index_impls_for_generic_struct!(MlKemPublicKey); +} + +/// An ML-KEM key pair +pub struct MlKemKeyPair { + pub(crate) sk: MlKemPrivateKey, + pub(crate) pk: MlKemPublicKey, +} + +impl + MlKemKeyPair +{ + /// Creates a new [`MlKemKeyPair`]. + pub fn new(sk: [u8; PRIVATE_KEY_SIZE], pk: [u8; PUBLIC_KEY_SIZE]) -> Self { + Self { + sk: sk.into(), + pk: pk.into(), + } + } + + pub fn from( + sk: MlKemPrivateKey, + pk: MlKemPublicKey, + ) -> Self { + Self { sk, pk } + } + + pub fn public_key(&self) -> &MlKemPublicKey { + &self.pk + } + + pub fn private_key(&self) -> &MlKemPrivateKey { + &self.sk + } + + pub fn pk(&self) -> &[u8; PUBLIC_KEY_SIZE] { + self.pk.as_slice() + } + + pub fn sk(&self) -> &[u8; PRIVATE_KEY_SIZE] { + self.sk.as_slice() + } + + pub fn into_parts( + self, + ) -> ( + MlKemPrivateKey, + MlKemPublicKey, + ) { + (self.sk, self.pk) + } +} diff --git a/libcrux-ml-kem/src/lib.rs b/libcrux-ml-kem/src/lib.rs index eab9061cc..7099d8953 100644 --- a/libcrux-ml-kem/src/lib.rs +++ b/libcrux-ml-kem/src/lib.rs 
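Review bot: `MlKemPrivateKey`, generated by `impl_generic_struct!`, stores the secret key as a plain `[u8; SIZE]` with no `Drop` impl, so the key bytes stay in memory after the value goes out of scope; with the crate being `no_std` and `#![forbid(unsafe_code)]`, zeroization would need an optional dependency such as `zeroize` behind a feature, or at minimum a doc comment on the private key type saying that callers are responsible for wiping copies they take via `sk()`/`into_parts()`. Two smaller points in the same macro: `From<&[u8; SIZE]>` calls `value.clone()` on a `Copy` array (clippy `clone_on_copy`), which is just `Self { value: *value }`, and the `match` in `TryFrom<&[u8]>` is equivalent to `value.try_into().map(|value| Self { value })`. None of the generated types derive `Debug`, which is the right default for key material, but that should be said deliberately in a comment on the macro so a later "add derive(Debug)" does not start printing private keys. If these types are re-exported from the crate root, the `#![deny(missing_docs)]` added in lib.rs will also require `///` docs on them and on the public methods `as_slice`, `split_at` and `len`.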
@@ -1,113 +1,194 @@ //! # ML-KEM //! -//! This crate implements all three ML-KEM variants 512, 768, and 1024. -//! It is formally verified using [hax] and [F*]. +//! This crate implements all three ML-KEM variants 512, 768, and 1024. It is +//! formally verified using [hax](https://cryspen.com/hax) and +//! [F*](https://fstar-lang.org). //! -//! ``` -//! use rand::{rngs::OsRng, RngCore}; -//! -//! // Ensure you use good randomness. -//! // It is not recommended to use OsRng directly! -//! // Instead it is highly encouraged to use RNGs like NISTs DRBG to account for -//! // bad system entropy. -//! fn random_array() -> [u8; L] { -//! let mut rng = OsRng; -//! let mut seed = [0; L]; -//! rng.try_fill_bytes(&mut seed).unwrap(); -//! seed -//! } -//! -//! use libcrux_ml_kem::*; + +#![cfg_attr( + feature = "mlkem768", + doc = r##" +``` + use rand::{rngs::OsRng, RngCore}; + + // Ensure you use good randomness. + // It is not recommended to use OsRng directly! + // Instead it is highly encouraged to use RNGs like NISTs DRBG to account for + // bad system entropy. + fn random_array() -> [u8; L] { + let mut rng = OsRng; + let mut seed = [0; L]; + rng.try_fill_bytes(&mut seed).unwrap(); + seed + } + + use libcrux_ml_kem::*; + + // This example use ML-KEM 768. The other variants can be used the same way. + + // Generate a key pair. + let randomness = random_array(); + let key_pair = mlkem768::generate_key_pair(randomness); + + // Encapsulating a shared secret to a public key. + let randomness = random_array(); + let (ciphertext, shared_secret) = mlkem768::encapsulate(key_pair.public_key(), randomness); + + // Decapsulating a shared secret with a private key. + let shared_secret_decapsulated = mlkem768::decapsulate(key_pair.private_key(), &ciphertext); +```"## +)] //! -//! // This example use ML-KEM 768. The other variants can be used the same way. +//! ## Features //! -//! // Generate a key pair. -//! let randomness = random_array(); -//! 
let key_pair = mlkem768::generate_key_pair(randomness); +//! By default, all ML-KEM parameter sets are enabled. If required, they are +//! available individually under feature flags `mlkem512`, `mlkem768`, +//! `mlkem1024`. //! -//! // Encapsulating a shared secret to a public key. -//! let randomness = random_array(); -//! let (ciphertext, shared_secret) = mlkem768::encapsulate(key_pair.public_key(), randomness); +//! In addition to the verified implementations of the ML-KEM variants, the +//! feature flag `pre-verification` gives access to, as yet, unverified +//! implementations of ML-KEM that are optimized for SIMD instruction sets. //! -//! // Decapsulating a shared secret with a private key. -//! let shared_secret_decapsulated = mlkem768::decapsulate(key_pair.private_key(), &ciphertext); -//! ``` +//! ### Kyber Round 3 +//! The `kyber` flag (in combination with `pre-verification`) also gives access +//! to an, as yet, unverified implementation of Kyber as submitted in Round 3 of +//! the NIST PQ competition. //! -//! [hax]: https://cryspen.com/hax -//! [F*]: https://fstar-lang.org #![no_std] +#![deny(missing_docs)] #![forbid(unsafe_code)] #![warn(rust_2018_idioms, unused_lifetimes, unused_qualifications)] #![allow(clippy::needless_range_loop)] +// Enable doc cfg feature for doc builds. They use nightly. +#![cfg_attr(doc_cfg, feature(doc_cfg))] -#[cfg(feature = "std")] -extern crate std; +/// Feature gating helper macros +#[macro_use] +mod cfg; pub(crate) mod hax_utils; -// This module is declared here since otherwise, hax reports the following error: +// Not-yet verified ML-KEM implementation. +// This implementation has 3 different variant. +// - portable +// - neon +// - avx2 // -// The THIR body of item -// DefId(0:986 ~ libcrux[92b3]::kem::kyber768::parameters::COEFFICIENTS_IN_RING_ELEMENT) -// was stolen. 
-// -// This is being tracked in https://github.com/hacspec/hacspec-v2/issues/27 -pub(crate) mod constants; - -/// Helpers for verification and extraction -mod helper; -mod utils; - -mod constant_time_ops; -mod hash_functions; -mod ind_cca; -mod ind_cpa; -mod invert_ntt; -mod matrix; -mod ntt; -mod polynomial; -mod sampling; -mod serialize; -mod types; -mod vector; - -// Variants -#[cfg(feature = "mlkem1024")] -pub mod mlkem1024; -#[cfg(feature = "mlkem512")] -pub mod mlkem512; -#[cfg(feature = "mlkem768")] -pub mod mlkem768; - -#[cfg(feature = "kyber")] -pub mod kyber512 { - //! Kyber 512 (NIST PQC Round 3) - pub use crate::mlkem512::generate_key_pair; - pub use crate::mlkem512::kyber::decapsulate; - pub use crate::mlkem512::kyber::encapsulate; - pub use crate::mlkem512::validate_public_key; -} +// When #221 is finished, the pre-verification feature will be removed and this +// implementation will be promoted to the default one. +cfg_pre_verification! { + // This module is declared here since otherwise, hax reports the following error: + // + // The THIR body of item + // DefId(0:986 ~ libcrux[92b3]::kem::kyber768::parameters::COEFFICIENTS_IN_RING_ELEMENT) + // was stolen. + // + // This is being tracked in https://github.com/hacspec/hacspec-v2/issues/27 + pub(crate) mod constants; -#[cfg(feature = "kyber")] -pub mod kyber768 { - //! 
Kyber 768 (NIST PQC Round 3) - pub use crate::mlkem768::generate_key_pair; - pub use crate::mlkem768::kyber::decapsulate; - pub use crate::mlkem768::kyber::encapsulate; - pub use crate::mlkem768::validate_public_key; -} + /// Helpers for verification and extraction + mod helper; + + mod utils; + mod constant_time_ops; + mod hash_functions; + mod ind_cca; + mod ind_cpa; + mod invert_ntt; + mod matrix; + mod ntt; + mod polynomial; + mod sampling; + mod serialize; + mod types; + mod vector; + + #[cfg(feature = "mlkem512")] + #[cfg_attr(docsrs, doc(cfg(feature = "mlkem512")))] + pub mod mlkem512; -#[cfg(feature = "kyber")] -pub mod kyber1024 { - //! Kyber 1024 (NIST PQC Round 3) - pub use crate::mlkem1024::generate_key_pair; - pub use crate::mlkem1024::kyber::decapsulate; - pub use crate::mlkem1024::kyber::encapsulate; - pub use crate::mlkem1024::validate_public_key; + #[cfg(feature = "mlkem768")] + #[cfg_attr(docsrs, doc(cfg(feature = "mlkem768")))] + pub mod mlkem768; + + #[cfg(feature = "mlkem1024")] + #[cfg_attr(docsrs, doc(cfg(feature = "mlkem1024")))] + pub mod mlkem1024; + + pub use constants::SHARED_SECRET_SIZE; + + pub use ind_cca::{MlKemSharedSecret, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE}; + + // These types all have type aliases for the different variants. + pub use types::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey}; + + cfg_kyber! { + #[cfg(feature = "mlkem512")] + #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem512"))))] + pub mod kyber512 { + //! Kyber 512 (NIST PQC Round 3) + pub use crate::mlkem512::generate_key_pair; + pub use crate::mlkem512::kyber::decapsulate; + pub use crate::mlkem512::kyber::encapsulate; + pub use crate::mlkem512::validate_public_key; + } + + #[cfg(feature = "mlkem768")] + #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem768"))))] + pub mod kyber768 { + //! 
Kyber 768 (NIST PQC Round 3) + pub use crate::mlkem768::generate_key_pair; + pub use crate::mlkem768::kyber::decapsulate; + pub use crate::mlkem768::kyber::encapsulate; + pub use crate::mlkem768::validate_public_key; + } + + #[cfg(feature = "mlkem1024")] + #[cfg_attr(docsrs, doc(cfg(all(feature = "kyber", feature = "mlkem1024"))))] + pub mod kyber1024 { + //! Kyber 1024 (NIST PQC Round 3) + pub use crate::mlkem1024::generate_key_pair; + pub use crate::mlkem1024::kyber::decapsulate; + pub use crate::mlkem1024::kyber::encapsulate; + pub use crate::mlkem1024::validate_public_key; + } + } } -pub use constants::SHARED_SECRET_SIZE; -pub use ind_cca::{MlKemSharedSecret, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE}; -// These types all have type aliases for the different variants. -pub use types::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey}; +// Verified ML-KEM implementation. +// The proofs are in +// - correctness: ../proofs/fstar/extraction-edited +// - secret independence: ../proofs/fstar/extraction-secret-independent +// +// When #221 is completed, this code will be removed and replaced with the, then +// verified, code above. +cfg_verified! 
{ + mod kem; + + // Variants + #[cfg(feature = "mlkem512")] + #[cfg_attr(docsrs, doc(cfg(feature = "mlkem512")))] + pub mod mlkem512 { + pub use crate::kem::kyber::kyber512::*; + } + + #[cfg(feature = "mlkem768")] + #[cfg_attr(docsrs, doc(cfg(feature = "mlkem768")))] + pub mod mlkem768 { + pub use crate::kem::kyber::kyber768::*; + } + + #[cfg(feature = "mlkem1024")] + #[cfg_attr(docsrs, doc(cfg(feature = "mlkem1024")))] + pub mod mlkem1024 { + pub use crate::kem::kyber::kyber1024::*; + } + + pub const SHARED_SECRET_SIZE: usize = kem::kyber::constants::SHARED_SECRET_SIZE; + pub use kem::kyber::MlKemSharedSecret; + pub const ENCAPS_SEED_SIZE: usize = kem::kyber::constants::SHARED_SECRET_SIZE; + pub const KEY_GENERATION_SEED_SIZE: usize = kem::kyber::KEY_GENERATION_SEED_SIZE; + // These types all have type aliases for the different variants. + pub use kem::kyber::{MlKemCiphertext, MlKemKeyPair, MlKemPrivateKey, MlKemPublicKey}; +} diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs index d1107b025..fc94f7253 100644 --- a/libcrux-ml-kem/src/mlkem1024.rs +++ b/libcrux-ml-kem/src/mlkem1024.rs @@ -42,12 +42,13 @@ pub type MlKem1024Ciphertext = MlKemCiphertext; pub type MlKem1024PrivateKey = MlKemPrivateKey; /// An ML-KEM 1024 Public key pub type MlKem1024PublicKey = MlKemPublicKey; -/// Am ML-KEM 1024 Key pair +/// An ML-KEM 1024 Key pair pub type MlKem1024KeyPair = MlKemKeyPair; // Instantiate the different functions. macro_rules! instantiate { - ($modp:ident, $p:path) => { + ($modp:ident, $p:path, $doc:expr) => { + #[doc = $doc] pub mod $modp { use super::*; use $p as p; 
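Review bot: The crate docs in this hunk say `pre-verification` gives access to SIMD implementations "in addition to the verified implementations", but the `cfg_pre_verification!` and `cfg_verified!` blocks both define `pub mod mlkem512`/`mlkem768`/`mlkem1024`, `SHARED_SECRET_SIZE` and the key types, so the two must be mutually exclusive (the macros live in `mod cfg`, outside the hunk) and the feature replaces the verified code rather than adding to it. Because Cargo unifies features across the dependency graph, any dependent that turns on `pre-verification` silently moves every user of this crate onto the unverified path, which deserves an explicit warning in the Features section, e.g. `//! **Note:** the pre-verification feature *replaces* the verified implementation for the whole build (Cargo unifies features across the dependency graph), so enabling it in any dependent disables the verified code for all users of this crate.`. Separately, `pub const ENCAPS_SEED_SIZE: usize = kem::kyber::constants::SHARED_SECRET_SIZE;` in the verified block derives the encapsulation-seed length from the shared-secret constant; both are 32 bytes in ML-KEM, but the name mismatch invites a wrong edit later, so either point it at a dedicated seed constant if `constants` has one, or add `// Encapsulation seed and shared secret are both 32 bytes in ML-KEM.` next to it.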
@@ -200,11 +201,11 @@ macro_rules! instantiate { // Instantiations -instantiate! {portable, ind_cca::instantiations::portable} +instantiate! {portable, ind_cca::instantiations::portable, "Portable ML-KEM 1024"} #[cfg(feature = "simd256")] -instantiate! {avx2, ind_cca::instantiations::avx2} +instantiate! {avx2, ind_cca::instantiations::avx2, "AVX2 Optimised ML-KEM 1024"} #[cfg(feature = "simd128")] -instantiate! {neon, ind_cca::instantiations::neon} +instantiate! {neon, ind_cca::instantiations::neon, "Neon Optimised ML-KEM 1024"} /// Validate a public key. /// diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs index b2c5e057d..9dadfc704 100644 --- a/libcrux-ml-kem/src/mlkem512.rs +++ b/libcrux-ml-kem/src/mlkem512.rs @@ -40,12 +40,13 @@ pub type MlKem512Ciphertext = MlKemCiphertext; pub type MlKem512PrivateKey = MlKemPrivateKey; /// An ML-KEM 512 Public key pub type MlKem512PublicKey = MlKemPublicKey; -/// Am ML-KEM 512 Key pair +/// An ML-KEM 512 Key pair pub type MlKem512KeyPair = MlKemKeyPair; // Instantiate the different functions. macro_rules! instantiate { - ($modp:ident, $p:path) => { + ($modp:ident, $p:path, $doc:expr) => { + #[doc = $doc] pub mod $modp { use super::*; use $p as p; @@ -196,11 +197,11 @@ macro_rules! instantiate { // Instantiations -instantiate! {portable, ind_cca::instantiations::portable} +instantiate! {portable, ind_cca::instantiations::portable, "Portable ML-KEM 512"} #[cfg(feature = "simd256")] -instantiate! {avx2, ind_cca::instantiations::avx2} +instantiate! {avx2, ind_cca::instantiations::avx2, "AVX2 Optimised ML-KEM 512"} #[cfg(feature = "simd128")] -instantiate! {neon, ind_cca::instantiations::neon} +instantiate! {neon, ind_cca::instantiations::neon, "Neon Optimised ML-KEM 512"} /// Validate a public key. /// diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs index ae076d387..7805ad8d6 100644 --- a/libcrux-ml-kem/src/mlkem768.rs +++ b/libcrux-ml-kem/src/mlkem768.rs 
@@ -41,12 +41,13 @@ pub type MlKem768Ciphertext = MlKemCiphertext; pub type MlKem768PrivateKey = MlKemPrivateKey; /// An ML-KEM 768 Public key pub type MlKem768PublicKey = MlKemPublicKey; -/// Am ML-KEM 768 Key pair +/// An ML-KEM 768 Key pair pub type MlKem768KeyPair = MlKemKeyPair; // Instantiate the different functions. macro_rules! instantiate { - ($modp:ident, $p:path) => { + ($modp:ident, $p:path, $doc:expr) => { + #[doc = $doc] pub mod $modp { use super::*; use $p as p; @@ -196,11 +197,11 @@ macro_rules! instantiate { // Instantiations -instantiate! {portable, ind_cca::instantiations::portable} +instantiate! {portable, ind_cca::instantiations::portable, "Portable ML-KEM 768"} #[cfg(feature = "simd256")] -instantiate! {avx2, ind_cca::instantiations::avx2} +instantiate! {avx2, ind_cca::instantiations::avx2, "AVX2 Optimised ML-KEM 768"} #[cfg(feature = "simd128")] -instantiate! {neon, ind_cca::instantiations::neon} +instantiate! {neon, ind_cca::instantiations::neon, "Neon Optimised ML-KEM 768"} /// Validate a public key. /// @@ -227,9 +228,9 @@ pub fn validate_public_key(public_key: MlKem768PublicKey) -> Option usize { SIZE } diff --git a/libcrux-ml-kem/tests/kyber.rs b/libcrux-ml-kem/tests/kyber.rs index ca5ec4fa4..c2d8ea3db 100644 --- a/libcrux-ml-kem/tests/kyber.rs +++ b/libcrux-ml-kem/tests/kyber.rs @@ -1,7 +1,7 @@ /// This tests a single one of the Kyber 768 KATs that are also tested in BoringSSL. /// The values are taken from https://github.com/google/boringssl/blob/master/crypto/kyber/kyber_tests.txt. #[test] -#[cfg(feature = "kyber")] +#[cfg(all(feature = "kyber", feature = "mlkem768", feature = "pre-verification"))] fn kyber768_single_kat() { use libcrux_ml_kem::kyber768; let key_pair = kyber768::generate_key_pair(hex::decode("7c9935a0b07694aa0c6d10e4db6b1add2fd81a25ccb148032dcd739936737f2d8626ed79d451140800e03b59b956f8210e556067407d13dc90fa9e8b872bfb8f").unwrap().try_into().unwrap()); 
diff --git a/libcrux-ml-kem/tests/ml-kem.rs b/libcrux-ml-kem/tests/ml-kem.rs index 4e5202ae2..56d89c4f5 100644 --- a/libcrux-ml-kem/tests/ml-kem.rs +++ b/libcrux-ml-kem/tests/ml-kem.rs @@ -1,15 +1,12 @@ //! Tests for ML-KEM -use std::{ - fs::File, - io::{BufRead, BufReader}, - path::Path, -}; - -use libcrux_ml_kem::{mlkem1024, mlkem512, mlkem768}; - /// These tests are from https://github.com/C2SP/CCTV/ fn test_invalid_modulus(p: &str) { + use std::{ + fs::File, + io::{BufRead, BufReader}, + }; + let kat_file_path = file_name(p); let kat_file = File::open(kat_file_path).unwrap(); let reader = BufReader::new(kat_file); @@ -18,31 +15,44 @@ fn test_invalid_modulus(p: &str) { let pk = hex::decode(line).unwrap(); let pk = pk.as_slice(); match p { - "512" => assert!(mlkem512::validate_public_key(pk.try_into().unwrap()).is_none()), - "768" => assert!(mlkem768::validate_public_key(pk.try_into().unwrap()).is_none()), - "1024" => assert!(mlkem1024::validate_public_key(pk.try_into().unwrap()).is_none()), + #[cfg(feature = "mlkem512")] + "512" => assert!( + libcrux_ml_kem::mlkem512::validate_public_key(pk.try_into().unwrap()).is_none() + ), + #[cfg(feature = "mlkem768")] + "768" => assert!( + libcrux_ml_kem::mlkem768::validate_public_key(pk.try_into().unwrap()).is_none() + ), + #[cfg(feature = "mlkem1024")] + "1024" => assert!(libcrux_ml_kem::mlkem1024::validate_public_key( + pk.try_into().unwrap() + ) + .is_none()), _ => unreachable!(), }; } } #[test] +#[cfg(feature = "mlkem512")] fn invalid_modulus_512() { test_invalid_modulus("512"); } #[test] +#[cfg(feature = "mlkem768")] fn invalid_modulus_768() { test_invalid_modulus("768"); } #[test] +#[cfg(feature = "mlkem1024")] fn invalid_modulus_1024() { test_invalid_modulus("1024"); } fn file_name(p: &str) -> std::path::PathBuf { - Path::new("tests") + std::path::Path::new("tests") .join("kats") .join("invalid_modulus") .join(format!("ML-KEM-{}.txt", p)) 
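Review bot: `test_invalid_modulus` passes vacuously if the CCTV file yields no lines, because the only assertions sit inside the per-line loop whose header lies between the two hunks; an empty or mis-named KAT file would therefore go unnoticed as long as `File::open` succeeds. Counting the vectors checked and adding `assert!(checked > 0, "no invalid-modulus vectors read for ML-KEM-{p}")` after the loop turns that into a failure. Also, when a parameter set's feature is disabled its arm is compiled out and any stray caller lands on `unreachable!()`; a `panic!("feature mlkem{p} not enabled in this build")` would give a clearer diagnostic than the generic unreachable message.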
diff --git a/libcrux-ml-kem/tests/nistkats.rs b/libcrux-ml-kem/tests/nistkats.rs
index 0c779a3b8..0089fd7f6 100644
--- a/libcrux-ml-kem/tests/nistkats.rs
+++ b/libcrux-ml-kem/tests/nistkats.rs
@@ -1,6 +1,3 @@
-#[cfg(feature = "kyber")]
-use libcrux_ml_kem::{kyber1024, kyber512, kyber768};
-use libcrux_ml_kem::{mlkem1024, mlkem512, mlkem768};
 use serde::Deserialize;
 use serde_json;
 use std::{fs::File, io::BufReader, path::Path};
@@ -64,65 +61,91 @@ macro_rules! impl_nist_known_answer_tests { } }; } - +#[cfg(feature = "mlkem512")] impl_nist_known_answer_tests!( mlkem512_nist_known_answer_tests, "mlkem", 512, - mlkem512::generate_key_pair, - mlkem512::encapsulate, - mlkem512::decapsulate + libcrux_ml_kem::mlkem512::generate_key_pair, + libcrux_ml_kem::mlkem512::encapsulate, + libcrux_ml_kem::mlkem512::decapsulate ); +#[cfg(feature = "mlkem768")] impl_nist_known_answer_tests!( mlkem768_nist_known_answer_tests, "mlkem", 768, - mlkem768::generate_key_pair, - mlkem768::encapsulate, - mlkem768::decapsulate + libcrux_ml_kem::mlkem768::generate_key_pair, + libcrux_ml_kem::mlkem768::encapsulate, + libcrux_ml_kem::mlkem768::decapsulate ); + +#[cfg(feature = "mlkem1024")] impl_nist_known_answer_tests!( mlkem1024_nist_known_answer_tests, "mlkem", 1024, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem1024::generate_key_pair, + libcrux_ml_kem::mlkem1024::encapsulate, + libcrux_ml_kem::mlkem1024::decapsulate +); + +#[cfg(all(feature = "mlkem512", feature = "pre-verification"))] +impl_nist_known_answer_tests!( + mlkem512_nist_kats_portable, + "mlkem", + 512, + libcrux_ml_kem::mlkem512::portable::generate_key_pair, + libcrux_ml_kem::mlkem512::portable::encapsulate, + libcrux_ml_kem::mlkem512::portable::decapsulate ); +#[cfg(all(feature = "mlkem768", feature = "pre-verification"))] impl_nist_known_answer_tests!( mlkem768_nist_kats_portable, "mlkem", 768, - mlkem768::portable::generate_key_pair, - mlkem768::portable::encapsulate, - mlkem768::portable::decapsulate + libcrux_ml_kem::mlkem768::portable::generate_key_pair, + libcrux_ml_kem::mlkem768::portable::encapsulate, + libcrux_ml_kem::mlkem768::portable::decapsulate ); -#[cfg(feature = "kyber")] +#[cfg(all(feature = "mlkem1024", feature = "pre-verification"))] impl_nist_known_answer_tests!( - kyber512_nist_known_answer_tests, + mlkem1024_nist_kats_portable, + "mlkem", + 1024, + 
libcrux_ml_kem::mlkem1024::portable::generate_key_pair, + libcrux_ml_kem::mlkem1024::portable::encapsulate, + libcrux_ml_kem::mlkem1024::portable::decapsulate +); + +#[cfg(all(feature = "mlkem512", feature = "kyber", feature = "pre-verification"))] +impl_nist_known_answer_tests!( + kyber512_nist_kats_portable, "kyber", 512, - kyber512::generate_key_pair, - kyber512::encapsulate, - kyber512::decapsulate + libcrux_ml_kem::kyber512::generate_key_pair, + libcrux_ml_kem::kyber512::encapsulate, + libcrux_ml_kem::kyber512::decapsulate ); -#[cfg(feature = "kyber")] + +#[cfg(all(feature = "mlkem768", feature = "kyber", feature = "pre-verification"))] impl_nist_known_answer_tests!( - kyber768_nist_known_answer_tests, + kyber768_nist_kats_portable, "kyber", 768, - kyber768::generate_key_pair, - kyber768::encapsulate, - kyber768::decapsulate + libcrux_ml_kem::kyber768::generate_key_pair, + libcrux_ml_kem::kyber768::encapsulate, + libcrux_ml_kem::kyber768::decapsulate ); -#[cfg(feature = "kyber")] + +#[cfg(all(feature = "mlkem1024", feature = "kyber", feature = "pre-verification"))] impl_nist_known_answer_tests!( - kyber1024_nist_known_answer_tests, + kyber1024_nist_kats_portable, "kyber", 1024, - kyber1024::generate_key_pair, - kyber1024::encapsulate, - kyber1024::decapsulate + libcrux_ml_kem::kyber1024::generate_key_pair, + libcrux_ml_kem::kyber1024::encapsulate, + libcrux_ml_kem::kyber1024::decapsulate ); diff --git a/libcrux-ml-kem/tests/self.rs b/libcrux-ml-kem/tests/self.rs index ae4aa72e7..052311dcd 100644 --- a/libcrux-ml-kem/tests/self.rs +++ b/libcrux-ml-kem/tests/self.rs @@ -1,4 +1,5 @@ -use libcrux_ml_kem::{mlkem1024, mlkem512, mlkem768, MlKemCiphertext, MlKemPrivateKey}; +use libcrux_ml_kem::{MlKemCiphertext, MlKemPrivateKey}; + use libcrux_sha3::shake256; use rand::{rngs::OsRng, thread_rng, RngCore}; 
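Review bot: The new `*_nist_kats_portable` instantiations pin the KATs to the `portable` backend only, while the `mlkem512.rs`/`mlkem768.rs`/`mlkem1024.rs` hunks in this commit expose `avx2` (feature `simd256`) and `neon` (feature `simd128`) modules through the same `instantiate!` macro; a regression in a SIMD backend would be caught here only if the unqualified `mlkem768::generate_key_pair` and friends happen to dispatch to that backend on the CI host, which this file cannot guarantee. Assuming the `instantiate!` modules expose the same three entry points, consider adding `#[cfg(all(feature = "mlkem768", feature = "pre-verification", feature = "simd256"))] impl_nist_known_answer_tests!(mlkem768_nist_kats_avx2, "mlkem", 768, libcrux_ml_kem::mlkem768::avx2::generate_key_pair, libcrux_ml_kem::mlkem768::avx2::encapsulate, libcrux_ml_kem::mlkem768::avx2::decapsulate);` and the `neon` analogue for each parameter set. Those tests would still need a runtime CPU-feature guard or a target-specific CI job so they do not abort on hosts without the instruction set.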
@@ -33,9 +34,9 @@ macro_rules! impl_consistency { }; } -fn modify_ciphertext( - mut ciphertext: MlKemCiphertext, -) -> MlKemCiphertext { +fn modify_ciphertext(ciphertext: MlKemCiphertext) -> MlKemCiphertext { + let mut raw_ciphertext = [0u8; LEN]; + raw_ciphertext.copy_from_slice(ciphertext.as_ref()); let mut random_u32: usize = thread_rng().next_u32().try_into().unwrap(); let mut random_byte: u8 = (random_u32 & 0xFF) as u8; @@ -45,9 +46,13 @@ fn modify_ciphertext( random_u32 >>= 8; let position = random_u32 % MlKemCiphertext::::len(); - ciphertext[position] ^= random_byte; + raw_ciphertext[position] ^= random_byte; + + let ciphertext: [u8; LEN] = raw_ciphertext[0..MlKemCiphertext::::len()] + .try_into() + .unwrap(); - ciphertext + ciphertext.into() } macro_rules! impl_modified_ciphertext { @@ -76,7 +81,8 @@ fn modify_secret_key( secret_key: &MlKemPrivateKey, modify_implicit_rejection_value: bool, ) -> MlKemPrivateKey { - let mut raw_secret_key: MlKemPrivateKey = secret_key.as_slice().into(); + let mut raw_secret_key = [0u8; LEN]; + raw_secret_key.copy_from_slice(secret_key.as_slice()); let mut random_u32: usize = thread_rng().next_u32().try_into().unwrap(); @@ -94,7 +100,11 @@ fn modify_secret_key( raw_secret_key[position] ^= random_byte; - raw_secret_key + let secret_key: [u8; LEN] = raw_secret_key[0..MlKemPrivateKey::::len()] + .try_into() + .unwrap(); + + secret_key.into() } fn compute_implicit_rejection_shared_secret( 
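Review bot: In `modify_ciphertext`, `raw_ciphertext` is declared as `[u8; LEN]`, so the trailing `raw_ciphertext[0..MlKemCiphertext::<LEN>::len()].try_into().unwrap()` (the generic argument is lost in this rendering) only re-slices and re-converts an array of the very length it already has; `raw_ciphertext.into()` expresses the same conversion without the `unwrap`. The same pattern appears in `modify_secret_key` in the `@@ -94,7 +100,11 @@` hunk. If the slice is meant to double as a check that `MlKemCiphertext::len()` equals `LEN`, an explicit `assert_eq!(MlKemCiphertext::<LEN>::len(), LEN, "ciphertext length mismatch");` before the copy fails the test with a readable message instead of a panic inside `unwrap`.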
@@ -162,78 +172,88 @@ macro_rules! impl_modified_ciphertext_and_implicit_rejection_value { }; } +#[cfg(feature = "mlkem512")] impl_consistency!( consistency_512, - mlkem512::generate_key_pair, - mlkem512::encapsulate, - mlkem512::decapsulate + libcrux_ml_kem::mlkem512::generate_key_pair, + libcrux_ml_kem::mlkem512::encapsulate, + libcrux_ml_kem::mlkem512::decapsulate ); +#[cfg(feature = "mlkem768")] impl_consistency!( consistency_768, - mlkem768::generate_key_pair, - mlkem768::encapsulate, - mlkem768::decapsulate + libcrux_ml_kem::mlkem768::generate_key_pair, + libcrux_ml_kem::mlkem768::encapsulate, + libcrux_ml_kem::mlkem768::decapsulate ); +#[cfg(feature = "mlkem1024")] impl_consistency!( consistency_1024, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem1024::generate_key_pair, + libcrux_ml_kem::mlkem1024::encapsulate, + libcrux_ml_kem::mlkem1024::decapsulate ); - +#[cfg(feature = "mlkem512")] impl_modified_ciphertext!( modified_ciphertext_512, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem512::generate_key_pair, + libcrux_ml_kem::mlkem512::encapsulate, + libcrux_ml_kem::mlkem512::decapsulate ); +#[cfg(feature = "mlkem768")] impl_modified_ciphertext!( modified_ciphertext_768, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem768::generate_key_pair, + libcrux_ml_kem::mlkem768::encapsulate, + libcrux_ml_kem::mlkem768::decapsulate ); +#[cfg(feature = "mlkem1024")] impl_modified_ciphertext!( modified_ciphertext_1024, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem1024::generate_key_pair, + libcrux_ml_kem::mlkem1024::encapsulate, + libcrux_ml_kem::mlkem1024::decapsulate ); - +#[cfg(feature = "mlkem512")] impl_modified_secret_key!( modified_secret_key_512, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + 
libcrux_ml_kem::mlkem512::generate_key_pair, + libcrux_ml_kem::mlkem512::encapsulate, + libcrux_ml_kem::mlkem512::decapsulate ); +#[cfg(feature = "mlkem768")] impl_modified_secret_key!( modified_secret_key_768, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem768::generate_key_pair, + libcrux_ml_kem::mlkem768::encapsulate, + libcrux_ml_kem::mlkem768::decapsulate ); +#[cfg(feature = "mlkem1024")] impl_modified_secret_key!( modified_secret_key_1024, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem1024::generate_key_pair, + libcrux_ml_kem::mlkem1024::encapsulate, + libcrux_ml_kem::mlkem1024::decapsulate ); +#[cfg(feature = "mlkem512")] impl_modified_ciphertext_and_implicit_rejection_value!( modified_ciphertext_and_implicit_rejection_value_512, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem512::generate_key_pair, + libcrux_ml_kem::mlkem512::encapsulate, + libcrux_ml_kem::mlkem512::decapsulate ); +#[cfg(feature = "mlkem768")] impl_modified_ciphertext_and_implicit_rejection_value!( modified_ciphertext_and_implicit_rejection_value_768, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem768::generate_key_pair, + libcrux_ml_kem::mlkem768::encapsulate, + libcrux_ml_kem::mlkem768::decapsulate ); +#[cfg(feature = "mlkem1024")] impl_modified_ciphertext_and_implicit_rejection_value!( modified_ciphertext_and_implicit_rejection_value_1024, - mlkem1024::generate_key_pair, - mlkem1024::encapsulate, - mlkem1024::decapsulate + libcrux_ml_kem::mlkem1024::generate_key_pair, + libcrux_ml_kem::mlkem1024::encapsulate, + libcrux_ml_kem::mlkem1024::decapsulate ); diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml index 2fe5dacc8..5f13d2d92 100644 --- a/libcrux-sha3/Cargo.toml +++ b/libcrux-sha3/Cargo.toml 
@@ -30,3 +30,6 @@ harness = false
 criterion = "0.5.1"
 hex = "0.4.3"
 rand = "0.8.5"
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(hax)', 'cfg(eurydice)'] }
diff --git a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Avx2.X4.Incremental.fsti b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Avx2.X4.Incremental.fsti
index 9fdd87ec7..0fb291ccb 100644
--- a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Avx2.X4.Incremental.fsti
+++ b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Avx2.X4.Incremental.fsti
@@ -3,42 +3,48 @@ module Libcrux_sha3.Avx2.X4.Incremental open Core open FStar.Mul -type t_KeccakState4 = { f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState2 (sz 2) } +/// The Keccak state for the incremental API. +type t_KeccakState = { + f_state:Libcrux_sha3.Generic_keccak.t_KeccakState (sz 4) Core.Core_arch.X86.t____m256i +} /// Initialise the state and perform up to 4 absorbs at the same time, -/// using two [`KeccakState4`]. +/// using two [`KeccakState`]. /// **PANICS** when `N` is not 2, 3, or 4. val v__shake128_absorb_finalxN (v_N: usize) (input: t_Array (t_Array u8 (sz 34)) v_N) - : Prims.Pure t_KeccakState4 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure t_KeccakState Prims.l_True (fun _ -> Prims.l_True) -/// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState4`]. +/// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState`]. /// Each block is of size `LEN`. /// **PANICS** when `N` is not 2, 3, or 4. -val v__shake128_squeeze3xN (v_LEN v_N: usize) (state: t_KeccakState4) - : Prims.Pure (t_KeccakState4 & t_Array (t_Array u8 v_LEN) v_N) +val v__shake128_squeeze3xN (v_LEN v_N: usize) (state: t_KeccakState) + : Prims.Pure (t_KeccakState & t_Array (t_Array u8 v_LEN) v_N) Prims.l_True (fun _ -> Prims.l_True) -/// Squeeze up to 4 (N) blocks in parallel, using two [`KeccakState4`]. +/// Squeeze up to 4 (N) blocks in parallel, using two [`KeccakState`]. /// Each block is of size `LEN`. /// **PANICS** when `N` is not 2, 3, or 4. 
-val v__shake128_squeezexN (v_LEN v_N: usize) (state: t_KeccakState4) - : Prims.Pure (t_KeccakState4 & t_Array (t_Array u8 v_LEN) v_N) +val v__shake128_squeezexN (v_LEN v_N: usize) (state: t_KeccakState) + : Prims.Pure (t_KeccakState & t_Array (t_Array u8 v_LEN) v_N) Prims.l_True (fun _ -> Prims.l_True) -val shake128_absorb_final (s: t_KeccakState4) (data0 data1 data2 data3: t_Slice u8) - : Prims.Pure t_KeccakState4 Prims.l_True (fun _ -> Prims.l_True) +/// Absorb +val shake128_absorb_final (s: t_KeccakState) (data0 data1 data2 data3: t_Slice u8) + : Prims.Pure t_KeccakState Prims.l_True (fun _ -> Prims.l_True) -/// Initialise the [`KeccakState4`]. -val shake128_init: Prims.unit -> Prims.Pure t_KeccakState4 Prims.l_True (fun _ -> Prims.l_True) +/// Initialise the [`KeccakState`]. +val shake128_init: Prims.unit -> Prims.Pure t_KeccakState Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (s: t_KeccakState4) (out0 out1 out2 out3: t_Slice u8) - : Prims.Pure (t_KeccakState4 & t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) +/// Squeeze three blocks +val shake128_squeeze_first_three_blocks (s: t_KeccakState) (out0 out1 out2 out3: t_Slice u8) + : Prims.Pure (t_KeccakState & t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (s: t_KeccakState4) (out0 out1 out2 out3: t_Slice u8) - : Prims.Pure (t_KeccakState4 & t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) +/// Squeeze another block +val shake128_squeeze_next_block (s: t_KeccakState) (out0 out1 out2 out3: t_Slice u8) + : Prims.Pure (t_KeccakState & t_Slice u8 & t_Slice u8 & t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Neon.X2.Incremental.fsti b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Neon.X2.Incremental.fsti index c9ca03f55..7305a3b16 100644 --- a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Neon.X2.Incremental.fsti 
+++ b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Neon.X2.Incremental.fsti 
@@ -3,45 +3,44 @@ module Libcrux_sha3.Neon.X2.Incremental open Core open FStar.Mul -unfold -let t_KeccakState2Internal = - Libcrux_sha3.Generic_keccak.t_KeccakState (sz 2) Core.Core_arch.Arm_shared.Neon.t_uint64x2_t - -type t_KeccakState2 = { - f_state:Libcrux_sha3.Generic_keccak.t_KeccakState (sz 2) - Core.Core_arch.Arm_shared.Neon.t_uint64x2_t -} +/// The Keccak state for the incremental API. +type t_KeccakState = { f_state:t_Array Libcrux_sha3.Portable.t_KeccakState (sz 2) } /// Initialise the state and perform up to 4 absorbs at the same time, /// using two [`KeccakState2`]. /// **PANICS** when `N` is not 2, 3, or 4. val v__shake128_absorb_finalxN (v_N: usize) (input: t_Array (t_Array u8 (sz 34)) v_N) - : Prims.Pure (t_Array t_KeccakState2 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array t_KeccakState (sz 2)) Prims.l_True (fun _ -> Prims.l_True) /// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState2`]. /// Each block is of size `LEN`. /// **PANICS** when `N` is not 2, 3, or 4. -val v__shake128_squeeze3xN (v_LEN v_N: usize) (state: t_Array t_KeccakState2 (sz 2)) - : Prims.Pure (t_Array t_KeccakState2 (sz 2) & t_Array (t_Array u8 v_LEN) v_N) +val v__shake128_squeeze3xN (v_LEN v_N: usize) (state: t_Array t_KeccakState (sz 2)) + : Prims.Pure (t_Array t_KeccakState (sz 2) & t_Array (t_Array u8 v_LEN) v_N) Prims.l_True (fun _ -> Prims.l_True) /// Squeeze up to 4 (N) blocks in parallel, using two [`KeccakState2`]. /// Each block is of size `LEN`. /// **PANICS** when `N` is not 2, 3, or 4. 
-val v__shake128_squeezexN (v_LEN v_N: usize) (state: t_Array t_KeccakState2 (sz 2)) - : Prims.Pure (t_Array t_KeccakState2 (sz 2) & t_Array (t_Array u8 v_LEN) v_N) +val v__shake128_squeezexN (v_LEN v_N: usize) (state: t_Array t_KeccakState (sz 2)) + : Prims.Pure (t_Array t_KeccakState (sz 2) & t_Array (t_Array u8 v_LEN) v_N) Prims.l_True (fun _ -> Prims.l_True) -val shake128_absorb_final (s: t_KeccakState2) (data0 data1: t_Slice u8) - : Prims.Pure t_KeccakState2 Prims.l_True (fun _ -> Prims.l_True) +/// Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. +val shake128_absorb_final (s: t_KeccakState) (data0 data1: t_Slice u8) + : Prims.Pure t_KeccakState Prims.l_True (fun _ -> Prims.l_True) /// Initialise the `KeccakState2`. -val shake128_init: Prims.unit -> Prims.Pure t_KeccakState2 Prims.l_True (fun _ -> Prims.l_True) +val shake128_init: Prims.unit -> Prims.Pure t_KeccakState Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (s: t_KeccakState2) (out0 out1: t_Slice u8) - : Prims.Pure (t_KeccakState2 & t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +/// Squeeze 2 times the first three blocks in parallel in the +/// [`KeccakState`] and return the output in `out0` and `out1`. +val shake128_squeeze_first_three_blocks (s: t_KeccakState) (out0 out1: t_Slice u8) + : Prims.Pure (t_KeccakState & t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (s: t_KeccakState2) (out0 out1: t_Slice u8) - : Prims.Pure (t_KeccakState2 & t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) +/// Squeeze 2 times the next block in parallel in the +/// [`KeccakState`] and return the output in `out0` and `out1`. +val shake128_squeeze_next_block (s: t_KeccakState) (out0 out1: t_Slice u8) + : Prims.Pure (t_KeccakState & t_Slice u8 & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.Incremental.fsti b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.Incremental.fsti index 1bf58e63e..9235132ee 100644 --- a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.Incremental.fsti +++ b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.Incremental.fsti 
@@ -4,27 +4,27 @@ open Core open FStar.Mul /// Absorb -val shake128_absorb_final (s: Libcrux_sha3.Portable.t_KeccakState1) (data0: t_Slice u8) - : Prims.Pure Libcrux_sha3.Portable.t_KeccakState1 Prims.l_True (fun _ -> Prims.l_True) +val shake128_absorb_final (s: Libcrux_sha3.Portable.t_KeccakState) (data0: t_Slice u8) + : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) /// Initialise the SHAKE state. val shake128_init: Prims.unit - -> Prims.Pure Libcrux_sha3.Portable.t_KeccakState1 Prims.l_True (fun _ -> Prims.l_True) + -> Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) /// Squeeze five blocks -val shake128_squeeze_first_five_blocks (s: Libcrux_sha3.Portable.t_KeccakState1) (out0: t_Slice u8) - : Prims.Pure (Libcrux_sha3.Portable.t_KeccakState1 & t_Slice u8) +val shake128_squeeze_first_five_blocks (s: Libcrux_sha3.Portable.t_KeccakState) (out0: t_Slice u8) + : Prims.Pure (Libcrux_sha3.Portable.t_KeccakState & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Squeeze three blocks -val shake128_squeeze_first_three_blocks (s: Libcrux_sha3.Portable.t_KeccakState1) (out0: t_Slice u8) - : Prims.Pure (Libcrux_sha3.Portable.t_KeccakState1 & t_Slice u8) +val shake128_squeeze_first_three_blocks (s: Libcrux_sha3.Portable.t_KeccakState) (out0: t_Slice u8) + : Prims.Pure (Libcrux_sha3.Portable.t_KeccakState & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) /// Squeeze another block -val shake128_squeeze_next_block (s: Libcrux_sha3.Portable.t_KeccakState1) (out0: t_Slice u8) - : Prims.Pure (Libcrux_sha3.Portable.t_KeccakState1 & t_Slice u8) +val shake128_squeeze_next_block (s: Libcrux_sha3.Portable.t_KeccakState) (out0: t_Slice u8) + : Prims.Pure (Libcrux_sha3.Portable.t_KeccakState & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.fsti b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.fsti index 4e914abbc..06ea85887 100644 --- a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.fsti +++ b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Portable.fsti @@ -23,4 +23,5 @@ val shake128 (digest data: t_Slice u8) val shake256 (digest data: t_Slice u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -type t_KeccakState1 = { f_state:Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64 } +/// The Keccak state for the incremental API. +type t_KeccakState = { f_state:Libcrux_sha3.Generic_keccak.t_KeccakState (sz 1) u64 } diff --git a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Traits.fsti b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Traits.fsti index 60af4096d..5ca1bdfc7 100644 --- a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Traits.fsti +++ b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.Traits.fsti @@ -11,8 +11,8 @@ let _ = /// A Keccak Item /// This holds the internal state and depends on the architecture. -class t_KeccakStateItem (v_Self: Type0) (v_N: usize) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_7919791445461910775:Libcrux_sha3.Traits.Internal.t_KeccakItem +class t_KeccakStateItem (#v_Self: Type0) (v_N: usize) = { + [@@@ FStar.Tactics.Typeclasses.no_method]_super_1179490486619621168:Libcrux_sha3.Traits.Internal.t_KeccakItem v_Self v_N } @@ -23,5 +23,4 @@ let impl (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_sha3.Traits.Internal.t_KeccakItem v_T v_N) - : t_KeccakStateItem v_T v_N = - { _super_7919791445461910775 = FStar.Tactics.Typeclasses.solve; __marker_trait = () } + : t_KeccakStateItem #v_T v_N = { _super_1179490486619621168 = FStar.Tactics.Typeclasses.solve } diff --git a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.fsti b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.fsti index 9f4daa21b..4ed67223e 100644 
--- a/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.fsti +++ b/libcrux-sha3/proofs/fstar/extraction/Libcrux_sha3.fsti @@ -17,7 +17,7 @@ type t_Algorithm = | Algorithm_Sha512 : t_Algorithm [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Core.Convert.t_From u32 t_Algorithm = +let impl_1: Core.Convert.t_From #u32 #t_Algorithm = { f_from_pre = (fun (v: t_Algorithm) -> true); f_from_post = (fun (v: t_Algorithm) (out: u32) -> true); @@ -35,21 +35,8 @@ let discriminant_Algorithm_Sha512: u32 = 4ul val t_Algorithm_cast_to_repr (x: t_Algorithm) : Prims.Pure u32 Prims.l_True (fun _ -> Prims.l_True) -/// A SHA3 224 Digest -unfold -let t_Sha3_224Digest = t_Array u8 (sz 28) - -/// A SHA3 256 Digest -unfold -let t_Sha3_256Digest = t_Array u8 (sz 32) - -/// A SHA3 384 Digest -unfold -let t_Sha3_384Digest = t_Array u8 (sz 48) - -/// A SHA3 512 Digest -unfold -let t_Sha3_512Digest = t_Array u8 (sz 64) +val from__panic_cold_explicit: Prims.unit + -> Prims.Pure Rust_primitives.Hax.t_Never Prims.l_True (fun _ -> Prims.l_True) /// Returns the output size of a digest. val digest_size (mode: t_Algorithm) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) @@ -99,7 +86,7 @@ val shake256 (v_BYTES: usize) (data: t_Slice u8) : Prims.Pure (t_Array u8 v_BYTES) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Core.Convert.t_From t_Algorithm u32 = +let impl: Core.Convert.t_From #t_Algorithm #u32 = { f_from_pre = (fun (v: u32) -> true); f_from_post = (fun (v: u32) (out: t_Algorithm) -> true); @@ -112,7 +99,7 @@ let impl: Core.Convert.t_From t_Algorithm u32 = | 3ul -> Algorithm_Sha384 <: t_Algorithm | 4ul -> Algorithm_Sha512 <: t_Algorithm | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "explicit panic" + Rust_primitives.Hax.never_to_any (from__panic_cold_explicit () <: Rust_primitives.Hax.t_Never) } diff --git a/libcrux-sha3/src/generic_keccak.rs b/libcrux-sha3/src/generic_keccak.rs index ef63a654a..ad8f52be6 100644 
--- a/libcrux-sha3/src/generic_keccak.rs +++ b/libcrux-sha3/src/generic_keccak.rs @@ -44,6 +44,7 @@ pub(crate) fn theta_rho>(s: &mut KeccakSta T::xor5(s.st[0][3], s.st[1][3], s.st[2][3], s.st[3][3], s.st[4][3]), T::xor5(s.st[0][4], s.st[1][4], s.st[2][4], s.st[3][4], s.st[4][4]), ]; + #[allow(clippy::identity_op)] let t: [T; 5] = [ T::rotate_left1_and_xor(c[(0 + 4) % 5], c[(0 + 1) % 5]), T::rotate_left1_and_xor(c[(1 + 4) % 5], c[(1 + 1) % 5]), @@ -89,7 +90,7 @@ const _PI: [usize; 24] = [ #[inline(always)] pub(crate) fn pi>(s: &mut KeccakState) { - let old = s.st.clone(); + let old = s.st; s.st[0][1] = old[1][1]; s.st[0][2] = old[2][2]; s.st[0][3] = old[3][3]; @@ -119,6 +120,8 @@ pub(crate) fn pi>(s: &mut KeccakState>(s: &mut KeccakState) { let old = s.st; + + #[allow(clippy::needless_range_loop)] for i in 0..5 { for j in 0..5 { s.st[i][j] = T::and_not_xor(s.st[i][j], old[i][(j + 2) % 5], old[i][(j + 1) % 5]); @@ -191,9 +194,9 @@ pub(crate) fn absorb_final< let last_len = last[0].len(); let mut blocks = [[0u8; 200]; N]; for i in 0..N { - blocks[i][0..last_len].copy_from_slice(&last[i]); + blocks[i][0..last_len].copy_from_slice(last[i]); blocks[i][last_len] = DELIM; - blocks[i][RATE - 1] = blocks[i][RATE - 1] | 128u8; + blocks[i][RATE - 1] |= 0x80; } T::load_block_full::(&mut s.st, blocks); keccakf1600(s) diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index ae6d2aa10..dcc01ba5f 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -4,6 +4,8 @@ #![no_std] #![forbid(unsafe_code)] +#![deny(missing_docs)] + pub mod simd; mod generic_keccak; @@ -26,9 +28,16 @@ pub type Sha3_512Digest = [u8; 64]; #[cfg_attr(not(eurydice), derive(Copy, Clone, Debug, PartialEq))] #[repr(u32)] pub enum Algorithm { + /// SHA3 224 Sha224 = 1, + + /// SHA3 256 Sha256 = 2, + + /// SHA3 384 Sha384 = 3, + + /// SHA3 512 Sha512 = 4, } 
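Review bot: In the `absorb_final` hunk, the padding loop takes `last_len` from `last[0]` but copies `last[i]` for every lane and writes `DELIM` at `blocks[i][last_len]` with no check that `last_len < RATE`: a lane whose length differs panics inside `copy_from_slice`, and a `last_len` of `RATE` or more most likely yields a mispadded block (or an out-of-bounds index once it reaches 200) instead of an error. If the callers do not already guarantee this, one precondition before the loop makes the contract explicit: `debug_assert!(last_len < RATE && last.iter().all(|l| l.len() == last_len));`. The function's signature and the start of its body lie outside the hunk, so such a check may already exist there. The new `|= 0x80` is the pad10*1 terminating bit; a comment such as `// pad10*1: set the final bit of the rate block` would spare the next reader a lookup.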
@@ -176,11 +185,12 @@ mod incremental {} /// A portable SHA3 implementations without platform dependent optimisations. pub mod portable { use super::*; - use generic_keccak::{keccak, KeccakState}; + use generic_keccak::{keccak, KeccakState as GenericState}; + /// The Keccak state for the incremental API. #[derive(Clone, Copy)] - pub struct KeccakState1 { - state: KeccakState<1, u64>, + pub struct KeccakState { + state: GenericState<1, u64>, } #[inline(always)] @@ -234,33 +244,33 @@ pub mod portable { /// Initialise the SHAKE state. #[inline(always)] - pub fn shake128_init() -> KeccakState1 { - KeccakState1 { - state: KeccakState::<1, u64>::new(), + pub fn shake128_init() -> KeccakState { + KeccakState { + state: GenericState::<1, u64>::new(), } } /// Absorb #[inline(always)] - pub fn shake128_absorb_final(s: &mut KeccakState1, data0: &[u8]) { + pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8]) { absorb_final::<1, u64, 168, 0x1fu8>(&mut s.state, [data0]); } /// Squeeze three blocks #[inline(always)] - pub fn shake128_squeeze_first_three_blocks(s: &mut KeccakState1, out0: &mut [u8]) { + pub fn shake128_squeeze_first_three_blocks(s: &mut KeccakState, out0: &mut [u8]) { squeeze_first_three_blocks::<1, u64, 168>(&mut s.state, [out0]) } /// Squeeze five blocks #[inline(always)] - pub fn shake128_squeeze_first_five_blocks(s: &mut KeccakState1, out0: &mut [u8]) { + pub fn shake128_squeeze_first_five_blocks(s: &mut KeccakState, out0: &mut [u8]) { squeeze_first_five_blocks::<1, u64, 168>(&mut s.state, [out0]) } /// Squeeze another block #[inline(always)] - pub fn shake128_squeeze_next_block(s: &mut KeccakState1, out0: &mut [u8]) { + pub fn shake128_squeeze_next_block(s: &mut KeccakState, out0: &mut [u8]) { squeeze_next_block::<1, u64, 168>(&mut s.state, [out0]) } } 
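Review bot: `/// Absorb` on the portable `shake128_absorb_final` does not state what the call commits to: it forwards `data0` to `absorb_final`, which in the generic_keccak hunk above applies the `DELIM`/`0x80` padding and runs `keccakf1600`, so the state is finalised, and this module exposes no other absorb function. With `#![deny(missing_docs)]` now enabled, a one-sentence contract is worth the line, e.g. `/// Absorb `data0` as the final input, apply the SHAKE128 padding and permute. Call once after `shake128_init` and before any `shake128_squeeze_*`.`. The new `/// Absorb` on the avx2 `shake128_absorb_final` later in this diff would benefit from the same wording.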
@@ -416,24 +426,29 @@ pub mod neon { pub mod incremental { #[cfg(feature = "simd128")] use crate::generic_keccak::{ - absorb_final, squeeze_first_three_blocks, squeeze_next_block, KeccakState, + absorb_final, squeeze_first_three_blocks, squeeze_next_block, + KeccakState as GenericState, }; + /// The Keccak state for the incremental API. #[cfg(feature = "simd128")] - pub struct KeccakState2 { - state: KeccakState<2, crate::simd::arm64::uint64x2_t>, + pub struct KeccakState { + state: GenericState<2, crate::simd::arm64::uint64x2_t>, } + #[cfg(feature = "simd128")] - type KeccakState2Internal = KeccakState<2, crate::simd::arm64::uint64x2_t>; + type KeccakState2Internal = GenericState<2, crate::simd::arm64::uint64x2_t>; + + /// The Keccak state for the incremental API. #[allow(dead_code)] #[cfg(not(feature = "simd128"))] - pub struct KeccakState2 { - state: [crate::portable::KeccakState1; 2], + pub struct KeccakState { + state: [crate::portable::KeccakState; 2], } /// Initialise the `KeccakState2`. #[inline(always)] - pub fn shake128_init() -> KeccakState2 { + pub fn shake128_init() -> KeccakState { #[cfg(not(feature = "simd128"))] unimplemented!(); // XXX: These functions could alternatively implement the same with @@ -444,14 +459,15 @@ pub mod neon { // [s0, s1] // } #[cfg(feature = "simd128")] - KeccakState2 { + KeccakState { state: KeccakState2Internal::new(), } } + /// Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. #[inline(always)] #[allow(unused_variables)] - pub fn shake128_absorb_final(s: &mut KeccakState2, data0: &[u8], data1: &[u8]) { + pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); // XXX: These functions could alternatively implement the same with 
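Review bot: The context line `/// Initialise the `KeccakState2`.` above the neon `shake128_init` still names the old type after the rename to `KeccakState` (the F* extraction earlier in this diff carries the stale text too); it should read `/// Initialise the [`KeccakState`].` as the avx2 hunk already does. The same hunks leave undocumented that `shake128_init` and `shake128_absorb_final` take the `#[cfg(not(feature = "simd128"))] unimplemented!();` path when the feature is off, even though `#![deny(missing_docs)]` is now on; a `/// # Panics` section followed by `/// Calls `unimplemented!()` when the `simd128` feature is disabled.` would state the contract. The avx2 `shake128_init` in the `@@ -764` hunk has the same unstated `#[cfg(not(feature = "simd256"))] unimplemented!();` path, and the neon squeeze functions in the following hunks presumably share it (their bodies are outside the hunks).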
@@ -474,7 +490,7 @@ pub mod neon { /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] #[inline(always)] - fn _shake128_absorb_finalxN(input: [[u8; 34]; N]) -> [KeccakState2; 2] { + fn _shake128_absorb_finalxN(input: [[u8; 34]; N]) -> [KeccakState; 2] { debug_assert!(N == 2 || N == 3 || N == 4); let mut state = [shake128_init(), shake128_init()]; @@ -496,10 +512,12 @@ pub mod neon { state } + /// Squeeze 2 times the first three blocks in parallel in the + /// [`KeccakState`] and return the output in `out0` and `out1`. #[allow(unused_variables)] #[inline(always)] pub fn shake128_squeeze_first_three_blocks( - s: &mut KeccakState2, + s: &mut KeccakState, out0: &mut [u8], out1: &mut [u8], ) { @@ -526,7 +544,7 @@ pub mod neon { #[allow(unused_variables, non_snake_case)] #[inline(always)] fn _shake128_squeeze3xN( - state: &mut [KeccakState2; 2], + state: &mut [KeccakState; 2], ) -> [[u8; LEN]; N] { debug_assert!(N == 2 || N == 3 || N == 4); @@ -575,10 +593,12 @@ pub mod neon { out } + /// Squeeze 2 times the next block in parallel in the + /// [`KeccakState`] and return the output in `out0` and `out1`. #[allow(unused_variables)] #[inline(always)] pub fn shake128_squeeze_next_block( - s: &mut KeccakState2, + s: &mut KeccakState, out0: &mut [u8], out1: &mut [u8], ) { @@ -605,7 +625,7 @@ pub mod neon { #[allow(unused_variables, non_snake_case)] #[inline(always)] fn _shake128_squeezexN( - state: &mut [KeccakState2; 2], + state: &mut [KeccakState; 2], ) -> [[u8; LEN]; N] { debug_assert!(N == 2 || N == 3 || N == 4); @@ -666,7 +686,7 @@ pub mod avx2 { use libcrux_intrinsics::avx2::*; /// Perform 4 SHAKE256 operations in parallel - #[allow(unused_variables)] // TODO: decide if we want to fall back here + #[allow(unused_variables, clippy::too_many_arguments)] // TODO: decide if we want to fall back here #[inline(always)] pub fn shake256( input0: &[u8], 
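Review bot: The new doc on `shake128_squeeze_first_three_blocks` and `shake128_squeeze_next_block` (hunks `@@ -496` and `@@ -575`) describes the two-way parallelism but not the contract on `out0`/`out1`: how many bytes each must hold and what happens when they are shorter. The bodies are outside the hunk, but the portable counterpart instantiates rate 168, so presumably three blocks need 504 bytes and one block 168 — confirm against the body and state it, e.g. `/// `out0` and `out1` must each hold at least 3 × 168 bytes.`. Stating the requirement in the doc is what lets a caller size the buffers without reading the generic implementation.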
@@ -764,26 +784,32 @@ pub mod avx2 { pub mod incremental { #[cfg(feature = "simd256")] use crate::generic_keccak::{ - absorb_final, squeeze_first_three_blocks, squeeze_next_block, KeccakState, + absorb_final, squeeze_first_three_blocks, squeeze_next_block, + KeccakState as GenericState, }; #[cfg(feature = "simd256")] use libcrux_intrinsics::avx2::*; + /// The Keccak state for the incremental API. #[cfg(feature = "simd256")] - pub struct KeccakState4 { - state: KeccakState<4, Vec256>, + pub struct KeccakState { + state: GenericState<4, Vec256>, } + + /// The Keccak state for the incremental API. #[allow(dead_code)] #[cfg(all(feature = "simd128", not(feature = "simd256")))] - pub struct KeccakState4 { - state: [crate::neon::x2::incremental::KeccakState2; 2], + pub struct KeccakState { + state: [crate::neon::x2::incremental::KeccakState; 2], } + + /// The Keccak state for the incremental API. #[cfg(not(any(feature = "simd256", feature = "simd128")))] - pub type KeccakState4 = [crate::portable::KeccakState1; 4]; + pub type KeccakState = [crate::portable::KeccakState; 4]; - /// Initialise the [`KeccakState4`]. + /// Initialise the [`KeccakState`]. #[inline(always)] - pub fn shake128_init() -> KeccakState4 { + pub fn shake128_init() -> KeccakState { #[cfg(not(feature = "simd256"))] unimplemented!(); // XXX: These functions could alternatively implement the same with @@ -803,15 +829,16 @@ pub mod avx2 { // [s0, s1, s2, s3] // } #[cfg(feature = "simd256")] - KeccakState4 { - state: KeccakState::new(), + KeccakState { + state: GenericState::new(), } } + /// Absorb #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_absorb_final( - s: &mut KeccakState4, + s: &mut KeccakState, data0: &[u8], data1: &[u8], data2: &[u8], 
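Review bot: Under `#[cfg(not(any(feature = "simd256", feature = "simd128")))]` the renamed `KeccakState` is a public type alias for `[crate::portable::KeccakState; 4]`, while the two other cfg variants are structs with a private `state` field; the public API shape therefore changes with the feature set, and in that build callers can index and rebuild the state directly. If nothing relies on the array form, wrapping it like the others keeps the surface identical: `pub struct KeccakState { state: [crate::portable::KeccakState; 4], }`, with the `#[allow(dead_code)]` the simd128 variant already carries, since `shake128_init` returns through `unimplemented!()` in that configuration. The three identical `/// The Keccak state for the incremental API.` lines could also say which variant is the live implementation and which are placeholders.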
@@ -846,12 +873,12 @@ pub mod avx2 { } /// Initialise the state and perform up to 4 absorbs at the same time, - /// using two [`KeccakState4`]. + /// using two [`KeccakState`]. /// /// **PANICS** when `N` is not 2, 3, or 4. #[inline(always)] #[allow(unused_variables, non_snake_case)] - fn _shake128_absorb_finalxN(input: [[u8; 34]; N]) -> KeccakState4 { + fn _shake128_absorb_finalxN(input: [[u8; 34]; N]) -> KeccakState { debug_assert!(N == 2 || N == 3 || N == 4); let mut state = shake128_init(); @@ -877,10 +904,11 @@ pub mod avx2 { state } + /// Squeeze three blocks #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_first_three_blocks( - s: &mut KeccakState4, + s: &mut KeccakState, out0: &mut [u8], out1: &mut [u8], out2: &mut [u8], @@ -917,14 +945,14 @@ pub mod avx2 { ); } - /// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState4`]. + /// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState`]. /// Each block is of size `LEN`. /// /// **PANICS** when `N` is not 2, 3, or 4. #[inline(always)] #[allow(unused_variables, non_snake_case)] fn _shake128_squeeze3xN( - state: &mut KeccakState4, + state: &mut KeccakState, ) -> [[u8; LEN]; N] { debug_assert!(N == 2 || N == 3 || N == 4); @@ -971,10 +999,11 @@ pub mod avx2 { out } + /// Squeeze another block #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_next_block( - s: &mut KeccakState4, + s: &mut KeccakState, out0: &mut [u8], out1: &mut [u8], out2: &mut [u8], 
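Review bot: The renamed docs `/// using two [`KeccakState`].` (hunk `@@ -846`) and `/// Squeeze up to 3 x 4 (N) blocks in parallel, using two [`KeccakState`].` (hunk `@@ -917`) are inaccurate after the rename: the avx2 helpers take and return a single state (`_shake128_absorb_finalxN(...) -> KeccakState`, `let mut state = shake128_init();`, `state: &mut KeccakState`), so "two" looks inherited from the neon x2 variant. Drop "using two [`KeccakState`]" or write `using one 4-way [`KeccakState`]`; the `@@ -1008` hunk on the next line of this diff has the same wording. Separately, both helpers promise `**PANICS** when `N` is not 2, 3, or 4` but enforce it with `debug_assert!`, which is compiled out in release builds; if the guarantee is meant, `assert!` or a const assertion on `N` is needed.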
@@ -1008,14 +1037,14 @@ pub mod avx2 { squeeze_next_block::<4, Vec256, 168>(&mut s.state, [out0, out1, out2, out3]); } - /// Squeeze up to 4 (N) blocks in parallel, using two [`KeccakState4`]. + /// Squeeze up to 4 (N) blocks in parallel, using two [`KeccakState`]. /// Each block is of size `LEN`. /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] #[inline(always)] fn _shake128_squeezexN( - state: &mut KeccakState4, + state: &mut KeccakState, ) -> [[u8; LEN]; N] { debug_assert!(N == 2 || N == 3 || N == 4); diff --git a/src/digest.rs b/src/digest.rs index c7f4ff742..44313868c 100644 --- a/src/digest.rs +++ b/src/digest.rs @@ -380,7 +380,7 @@ pub fn shake256(data: &[u8]) -> [u8; LEN] { pub mod incremental_x4 { /// Incremental state - #[cfg_attr(hax, hax_lib_macros::opaque_type)] + #[cfg_attr(hax, hax_lib::opaque_type)] pub struct Shake128StateX4 { state: crate::hacl::sha3::incremental_x4::Shake128StateX4, } diff --git a/sys/platform/Cargo.toml b/sys/platform/Cargo.toml index 6766bf9b9..76b6405c3 100644 --- a/sys/platform/Cargo.toml +++ b/sys/platform/Cargo.toml @@ -11,3 +11,6 @@ description = "Platform detection crate for libcrux." [dependencies] libc = "0.2.153" + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(hax)', 'cfg(eurydice)'] } diff --git a/sys/platform/src/macos_arm.rs b/sys/platform/src/macos_arm.rs index 2edafdbdc..01ff07be3 100644 --- a/sys/platform/src/macos_arm.rs +++ b/sys/platform/src/macos_arm.rs @@ -6,7 +6,7 @@ use libc::{c_char, c_void, sysctlbyname, uname, utsname}; fn cstr(src: &[i8]) -> &str { // default to length if no `0` present let end = src.iter().position(|&c| c == 0).unwrap_or(src.len()); - unsafe { core::str::from_utf8_unchecked(core::mem::transmute(&src[0..end])) } + unsafe { core::str::from_utf8_unchecked(core::mem::transmute::<&[i8], &[u8]>(&src[0..end])) } } /// Check that we're actually on an ARM mac.
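Review bot: In the macos_arm.rs hunk, `cstr` still ends in `core::str::from_utf8_unchecked` on bytes that, per the imports in the hunk header, come from `uname`/`sysctlbyname`; the commit only pins the `transmute` types, so a non-UTF-8 byte from the kernel remains undefined behaviour rather than an error, and the `unsafe` block carries no `// SAFETY:` comment. The UTF-8 check is cheap, and the `&[i8]`→`&[u8]` reinterpretation does not need `transmute` — a pointer cast has a soundness argument that fits in one comment. The rewrite below keeps the signature and returns `""` on invalid input, which callers that compare the string would treat as a non-match (confirm against the call sites).
```rust
fn cstr(src: &[i8]) -> &str {
    let end = src.iter().position(|&c| c == 0).unwrap_or(src.len());
    // SAFETY: `i8` and `u8` have identical size and alignment, `src[..end]` is a
    // live, in-bounds slice, and the result borrows `src` for the same lifetime.
    let bytes = unsafe { core::slice::from_raw_parts(src.as_ptr().cast::<u8>(), end) };
    // Validate instead of assuming UTF-8; kernel-provided names are ASCII in practice.
    core::str::from_utf8(bytes).unwrap_or("")
}
```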