diff --git a/.gitignore b/.gitignore index 16802d82b..982c75cf3 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,7 @@ benches/boringssl/build proofs/fstar/extraction/.depend proofs/fstar/extraction/#*# proofs/fstar/extraction/.#* +hax.fst.config.json fuzz/corpus fuzz/artifacts proofs/fstar/extraction/.cache diff --git a/Cargo.lock b/Cargo.lock index 8bbf720f9..1ff148870 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -701,42 +701,19 @@ dependencies = [ [[package]] name = "hax-lib" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#bea90741c55006f2649f2b4119bf7e3ce87a66e9" +source = "git+https://github.com/hacspec/hax?branch=main#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" dependencies = [ - "hax-lib-macros 0.1.0-pre.1 (git+https://github.com/hacspec/hax/?branch=main)", + "hax-lib-macros", "num-bigint", "num-traits", ] -[[package]] -name = "hax-lib" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#bea90741c55006f2649f2b4119bf7e3ce87a66e9" -dependencies = [ - "hax-lib-macros 0.1.0-pre.1 (git+https://github.com/hacspec/hax/)", - "num-bigint", - "num-traits", -] - -[[package]] -name = "hax-lib-macros" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#bea90741c55006f2649f2b4119bf7e3ce87a66e9" -dependencies = [ - "hax-lib-macros-types 0.1.0-pre.1 (git+https://github.com/hacspec/hax/?branch=main)", - "paste", - "proc-macro-error", - "proc-macro2", - "quote", - "syn 2.0.74", -] - [[package]] name = "hax-lib-macros" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#bea90741c55006f2649f2b4119bf7e3ce87a66e9" +source = "git+https://github.com/hacspec/hax?branch=main#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" dependencies = [ - "hax-lib-macros-types 0.1.0-pre.1 (git+https://github.com/hacspec/hax/)", + "hax-lib-macros-types", "paste", "proc-macro-error", "proc-macro2", 
@@ -747,19 +724,7 @@ dependencies = [ [[package]] name = "hax-lib-macros-types" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#bea90741c55006f2649f2b4119bf7e3ce87a66e9" -dependencies = [ - "proc-macro2", - "quote", - "serde", - "serde_json", - "uuid", -] - -[[package]] -name = "hax-lib-macros-types" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#bea90741c55006f2649f2b4119bf7e3ce87a66e9" +source = "git+https://github.com/hacspec/hax?branch=main#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" dependencies = [ "proc-macro2", "quote", @@ -933,8 +898,6 @@ version = "0.0.2-alpha.3" dependencies = [ "clap", "getrandom", - "hax-lib 0.1.0-pre.1 (git+https://github.com/hacspec/hax/?branch=main)", - "hax-lib-macros 0.1.0-pre.1 (git+https://github.com/hacspec/hax/?branch=main)", "hex", "libcrux", "libcrux-ecdh", @@ -1039,7 +1002,7 @@ name = "libcrux-ml-kem" version = "0.0.2-alpha.3" dependencies = [ "criterion", - "hax-lib 0.1.0-pre.1 (git+https://github.com/hacspec/hax/?branch=main)", + "hax-lib", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1086,7 +1049,7 @@ version = "0.0.2-alpha.3" dependencies = [ "cavp", "criterion", - "hax-lib 0.1.0-pre.1 (git+https://github.com/hacspec/hax/)", + "hax-lib", "hex", "libcrux-intrinsics", "libcrux-platform", diff --git a/Cargo.toml b/Cargo.toml index b2e2765e3..5ecbea800 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -75,9 +75,9 @@ wasm-bindgen = { version = "0.2.87", optional = true }
 # When using the hax toolchain, we have more dependencies.
 # This is only required when doing proofs.
-[target.'cfg(hax)'.dependencies]
-hax-lib-macros = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax", branch = "main" }
-hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", branch = "main" }
+# [target.'cfg(hax)'.workspace.dependencies]
+[workspace.dependencies]
+hax-lib = { git = "https://github.com/hacspec/hax", branch = "main" }
 [dev-dependencies]
 libcrux = { path = ".", features = ["rand", "tests"] }
diff --git a/fstar-helpers/Makefile.template b/fstar-helpers/Makefile.template
new file mode 100644
index 000000000..217e6140c
--- /dev/null
+++ b/fstar-helpers/Makefile.template
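Review bot: The new `[workspace.dependencies]` entry tracks a moving branch (`branch = "main"`) instead of a fixed revision, so a plain `cargo update` silently moves the proc-macro crates that every workspace member now compiles, which is an avoidable supply-chain exposure for a cryptographic library. The lockfile in this same commit already resolves it to a commit, so the manifest can pin the same thing: `hax-lib = { git = "https://github.com/hacspec/hax", rev = "096f0eb5c5eeefd65ad48e37b824bf6f4661c843" }`. The commented-out `# [target.'cfg(hax)'.workspace.dependencies]` line above it is dead configuration; if it records an intent to gate the dependency on `cfg(hax)` later, make that a `# TODO:` that says what blocks it, otherwise drop the line.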
@@ -0,0 +1,254 @@
+# This is a generically useful Makefile for F* that is self-contained
+#
+# We expect:
+# 1. `fstar.exe` to be in PATH (alternatively, you can also set
+# $FSTAR_HOME to be set to your F* repo/install directory)
+#
+# 2. `cargo`, `rustup`, `hax` and `jq` to be installed and in PATH.
+#
+# 3. the extracted Cargo crate to have "hax-lib" as a dependency:
+# `hax-lib = { version = "0.1.0-pre.1", git = "https://github.com/hacspec/hax"}`
+#
+# Optionally, you can set `HACL_HOME`.
+#
+# ROOTS contains all the top-level F* files you wish to verify
+# The default target `verify` verified ROOTS and its dependencies
+# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line
+#
+# To make F* emacs mode use the settings in this file, you need to
+# add the following lines to your .emacs
+#
+# (setq-default fstar-executable "/bin/fstar.exe")
+# (setq-default fstar-smt-executable "/bin/z3")
+#
+# (defun my-fstar-compute-prover-args-using-make ()
+# "Construct arguments to pass to F* by calling make."
+# (with-demoted-errors "Error when constructing arg string: %S"
+# (let* ((fname (file-name-nondirectory buffer-file-name))
+# (target (concat fname "-in"))
+# (argstr (car (process-lines "make" "--quiet" target))))
+# (split-string argstr))))
+# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make)
+#
+
+HACL_HOME ?= $(HOME)/.hax/hacl_home
+# Expand variable FSTAR_BIN_DETECT now, so that we don't run this over and over
+
+FSTAR_BIN_DETECT := $(if $(shell command -v fstar.exe), fstar.exe, $(FSTAR_HOME)/bin/fstar.exe)
+FSTAR_BIN ?= $(FSTAR_BIN_DETECT)
+
+GIT_ROOT_DIR := $(shell git rev-parse --show-toplevel)/
+CACHE_DIR ?= ${GIT_ROOT_DIR}.fstar-cache/checked
+HINT_DIR ?= ${GIT_ROOT_DIR}.fstar-cache/hints
+
+# Makes command quiet by default
+Q ?= @
+
+# Verify the required executable are in PATH
+EXECUTABLES = cargo cargo-hax jq
+K := $(foreach exec,$(EXECUTABLES),\
+ $(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH")))
+
+export ANSI_COLOR_BLUE=\033[34m
+export ANSI_COLOR_RED=\033[31m
+export ANSI_COLOR_BBLUE=\033[1;34m
+export ANSI_COLOR_GRAY=\033[90m
+export ANSI_COLOR_TONE=\033[35m
+export ANSI_COLOR_RESET=\033[0m
+
+ifdef NO_COLOR
+export ANSI_COLOR_BLUE=
+export ANSI_COLOR_RED=
+export ANSI_COLOR_BBLUE=
+export ANSI_COLOR_GRAY=
+export ANSI_COLOR_BOLD_BLUE=
+export ANSI_COLOR_TONE=
+export ANSI_COLOR_RESET=
+endif
+
+# The following is a bash script that discovers F* libraries.
+# Due to incompatibilities with make 4.3, I had to make a "oneliner" bash script...
+define FINDLIBS
+ : "Prints a path if and only if it exists. Takes one argument: the path."; \
+ function print_if_exists() { \
+ if [ -d "$$1" ]; then \
+ echo "$$1"; \
+ fi; \
+ } ; \
+ : "Asks Cargo all the dependencies for the current crate or workspace,"; \
+ : "and extract all "root" directories for each. 
Takes zero argument."; \
+ function dependencies() { \
+ cargo metadata --format-version 1 | \
+ jq -r ".packages | .[] | .manifest_path | split(\"/\") | .[:-1] | join(\"/\")"; \
+ } ; \
+ : "Find hax libraries *around* a given path. Takes one argument: the"; \
+ : "path."; \
+ function find_hax_libraries_at_path() { \
+ path="$$1" ; \
+ : "if there is a [proofs/fstar/extraction] subfolder, then that s a F* library" ; \
+ print_if_exists "$$path/proofs/fstar/extraction" ; \
+ : "Maybe the [proof-libs] folder of hax is around?" ; \
+ MAYBE_PROOF_LIBS=$$(realpath -q "$$path/../proof-libs/fstar") ; \
+ if [ $$? -eq 0 ]; then \
+ print_if_exists "$$MAYBE_PROOF_LIBS/core" ; \
+ print_if_exists "$$MAYBE_PROOF_LIBS/rust_primitives" ; \
+ fi ; \
+ } ; \
+ { while IFS= read path; do \
+ find_hax_libraries_at_path "$$path"; \
+ done < <(dependencies) ; } | sort -u
+endef
+export FINDLIBS
+
+FINDLIBS_OUTPUT := $(shell bash -c '${FINDLIBS}')
+FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HACL_HOME)/specs $(FSTAR_INCLUDE_DIRS_EXTRA) $(FINDLIBS_OUTPUT)
+
+# Make sure FSTAR_INCLUDE_DIRS has the `proof-libs`, print hints and
+# an error message otherwise
+ifneq (,$(findstring proof-libs/fstar,$(FSTAR_INCLUDE_DIRS)))
+else
+ K += $(info )
+ ERROR := $(shell printf '${ANSI_COLOR_RED}Error: could not detect `proof-libs`!${ANSI_COLOR_RESET}')
+ K += $(info ${ERROR})
+ ERROR := $(shell printf ' > Do you have `${ANSI_COLOR_BLUE}hax-lib${ANSI_COLOR_RESET}` in your `${ANSI_COLOR_BLUE}Cargo.toml${ANSI_COLOR_RESET}` as a ${ANSI_COLOR_BLUE}git${ANSI_COLOR_RESET} or ${ANSI_COLOR_BLUE}path${ANSI_COLOR_RESET} dependency?')
+ K += $(info ${ERROR})
+ ERROR := $(shell printf ' ${ANSI_COLOR_BLUE}> Tip: you may want to run `cargo add --git https://github.com/hacspec/hax hax-lib`${ANSI_COLOR_RESET}')
+ K += $(info ${ERROR})
+ K += $(info )
+ K += $(error Fatal error: `proof-libs` is required.)
+endif
+
+.PHONY: all verify clean
+
+all:
+ $(Q)rm -f .depend
+ $(Q)$(MAKE) .depend vscode verify
+
+all-keep-going:
+ $(Q)rm -f .depend
+ $(Q)$(MAKE) --keep-going .depend vscode verify
+
+# If $HACL_HOME doesn't exist, clone it
+${HACL_HOME}:
+ $(Q)mkdir -p "${HACL_HOME}"
+ $(info Clonning Hacl* in ${HACL_HOME}...)
+ git clone --depth 1 https://github.com/hacl-star/hacl-star.git "${HACL_HOME}"
+ $(info Clonning Hacl* in ${HACL_HOME}... done!)
+
+# If no any F* file is detected, we run hax
+ifeq "$(wildcard *.fst *fsti)" ""
+$(shell cargo hax into fstar)
+endif
+
+# By default, we process all the files in the current directory
+ROOTS ?= $(wildcard *.fst *fsti)
+ADMIT_MODULES ?=
+
+# Can be useful for debugging purposes
+FINDLIBS.sh:
+ $(Q)echo '${FINDLIBS}' > FINDLIBS.sh
+include-dirs:
+ $(Q)bash -c '${FINDLIBS}'
+
+FSTAR_FLAGS = \
+ --warn_error -321-331-241-274-239-271 \
+ --cache_checked_modules --cache_dir $(CACHE_DIR) \
+ --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \
+ $(addprefix --include ,$(FSTAR_INCLUDE_DIRS))
+
+FSTAR := $(FSTAR_BIN) $(FSTAR_FLAGS)
+
+.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) $(HACL_HOME)
+ @$(FSTAR) --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@
+
+include .depend
+
+$(HINT_DIR) $(CACHE_DIR):
+ $(Q)mkdir -p $@
+
+define HELPMESSAGE
+echo "hax' default Makefile for F*"
+echo ""
+echo "The available targets are:"
+echo ""
+function target() {
+ printf ' ${ANSI_COLOR_BLUE}%-20b${ANSI_COLOR_RESET} %s\n' "$$1" "$$2"
+}
+target "all" "Verify every F* files (stops whenever an F* fails first)"
+target "all-keep-going" "Verify every F* files (tries as many F* module as possible)"
+target "" ""
+target "run:${ANSI_COLOR_TONE} " 'Runs F* on `MyModule.fst` only'
+target "" ""
+target "vscode" 'Generates a `hax.fst.config.json` file'
+target "${ANSI_COLOR_TONE}${ANSI_COLOR_BLUE}-in " 'Useful for Emacs, outputs the F* prefix command to be used'
+target "" ""
+target "clean" 'Cleanup the target'
+target "include-dirs" 
'List the F* include directories'
+target "" ""
+target "roots" 'List the F* root modules.'
+echo ""
+echo "Environment variables:"
+target "NO_COLOR" "Set to anything to disable colors"
+endef
+export HELPMESSAGE
+
+roots:
+ @for root in ${ROOTS}; do \
+ filename=$$(basename -- "$$root") ;\
+ ext="$${filename##*.}" ;\
+ noext="$${filename%.*}" ;\
+ printf "${ANSI_COLOR_GRAY}$$(dirname -- "$$root")/${ANSI_COLOR_RESET}%s${ANSI_COLOR_GRAY}.${ANSI_COLOR_TONE}%s${ANSI_COLOR_RESET}\n" "$$noext" "$$ext"; \
+ done
+
+help: ;@bash -c "$$HELPMESSAGE"
+h: ;@bash -c "$$HELPMESSAGE"
+
+HEADER = $(Q)printf '${ANSI_COLOR_BBLUE}[CHECK] %s ${ANSI_COLOR_RESET}\n' "$(basename $(notdir $@))"
+
+run:%: | .depend $(HINT_DIR) $(CACHE_DIR) $(HACL_HOME)
+ ${HEADER}
+ $(Q)$(FSTAR) $(OTHERFLAGS) $(@:run:%=%)
+
+
+VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(ROOTS)))
+ADMIT_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,${ADMIT_MODULES}))
+
+$(ADMIT_CHECKED):
+ $(Q)printf '${ANSI_COLOR_BBLUE}[${ANSI_COLOR_TONE}ADMIT${ANSI_COLOR_BBLUE}] %s ${ANSI_COLOR_RESET}\n' "$(basename $(notdir $@))"
+ $(Q)$(FSTAR) $(OTHERFLAGS) --admit_smt_queries true $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints || { \
+ echo "" ; \
+ exit 1 ; \
+ }
+ $(Q)printf "\n\n"
+
+$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) $(HACL_HOME)
+ ${HEADER}
+ $(Q)$(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints || { \
+ echo "" ; \
+ exit 1 ; \
+ }
+ touch $@
+ $(Q)printf "\n\n"
+
+verify: $(VERIFIED_CHECKED) $(ADMIT_CHECKED)
+
+# Targets for interactive mode
+
+%.fst-in:
+ $(info $(FSTAR_FLAGS) \
+ $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints)
+%.fsti-in:
+ $(info $(FSTAR_FLAGS) \
+ $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints)
+
+# Targets for VSCode
+hax.fst.config.json:
+ $(Q)echo "$(FSTAR_INCLUDE_DIRS)" | jq --arg fstar "$(FSTAR_BIN)" -R 'split(" ") | {fstar_exe: $$fstar, includes: .}' > $@
+vscode: hax.fst.config.json
+
+SHELL=bash
+
+# Clean target
+clean:
+ rm -rf $(CACHE_DIR)/*
+ rm *.fst
\ No newline at end of file
diff --git a/fstar-helpers/proofs/fstar/extraction/Makefile b/fstar-helpers/proofs/fstar/extraction/Makefile
new file mode 100644
index 000000000..ec420d509
--- /dev/null
+++ b/fstar-helpers/proofs/fstar/extraction/Makefile
@@ -0,0 +1 @@
+include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template
diff --git a/libcrux-ml-kem/Cargo.toml b/libcrux-ml-kem/Cargo.toml
index 99424ea5b..1e5bf3333 100644
--- a/libcrux-ml-kem/Cargo.toml
+++ b/libcrux-ml-kem/Cargo.toml
@@ -25,7 +25,8 @@ libcrux-sha3 = { version = "0.0.2-alpha.3", path = "../libcrux-sha3" }
 libcrux-intrinsics = { version = "0.0.2-alpha.3", path = "../libcrux-intrinsics" }
 # This is only required for verification, but we are setting it as default until some hax attributes are fixed
-hax-lib = { git = "https://github.com/hacspec/hax", branch = "main" }
+# [target.'cfg(hax)'.dependencies]
+hax-lib.workspace = true
 [features]
 # By default all variants and std are enabled.
diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt
index d20926d66..8f2f9d27d 100644
--- a/libcrux-ml-kem/c/code_gen.txt
+++ b/libcrux-ml-kem/c/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
-Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39
-Eurydice: 392674166bac86e60f5fffa861181a398fdc3896
-Karamel: fc56fce6a58754766809845f88fc62063b2c6b92
+Charon: 0576bfc67e99aae86c51930421072688138b672b
+Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
+Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
 F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563
-Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59
+Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a
diff --git a/libcrux-ml-kem/c/eurydice_glue.h b/libcrux-ml-kem/c/eurydice_glue.h
index 7fee796ff..a97683fa6 100644
--- a/libcrux-ml-kem/c/eurydice_glue.h
+++ b/libcrux-ml-kem/c/eurydice_glue.h
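Review bot: The `${HACL_HOME}` rule fetches HACL* unpinned (`git clone --depth 1 https://github.com/hacl-star/hacl-star.git "${HACL_HOME}"`), so the F* libraries the proofs are checked against follow upstream's default branch: a verification run can start failing, or quietly change meaning, with no change in this repository, and a force-pushed or compromised upstream is picked up without notice. The rest of this commit pins its toolchain by commit (`code_gen.txt`, `Cargo.lock`), so HACL* deserves the same treatment via a `HACL_REV` knob fetched as below; note the rule only fires when the directory is absent, so an already-present `~/.hax/hacl_home` would additionally need a check against the pin. Two smaller points in the same hunk: `clean` runs `rm *.fst` without `-f`, which fails when nothing has been extracted yet and also deletes any hand-written `.fst` sitting next to the generated ones, and `.PHONY: all verify clean` omits `all-keep-going`, `vscode`, `help`, `h`, `roots` and `include-dirs`.
```make
# HACL* revision the proofs are checked against (full commit hash).
# Override with `make HACL_REV=<sha>` to try a different one.
HACL_REV ?=

# If $HACL_HOME doesn't exist, fetch exactly $(HACL_REV) into it
${HACL_HOME}:
	$(if $(strip $(HACL_REV)),,$(error HACL_REV is empty: pin a hacl-star commit hash))
	$(Q)mkdir -p "${HACL_HOME}"
	git -C "${HACL_HOME}" init -q
	git -C "${HACL_HOME}" fetch -q --depth 1 https://github.com/hacl-star/hacl-star.git "$(HACL_REV)"
	git -C "${HACL_HOME}" checkout -q FETCH_HEAD
```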
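Review bot: `hax-lib.workspace = true` keeps `hax-lib` (and, per the lockfile in this commit, its `hax-lib-macros` proc-macro crates) as an unconditional dependency of the published ML-KEM crate, so every downstream build compiles git-sourced proc macros even though the comment directly above says the crate is only required for verification; the commented-out `# [target.'cfg(hax)'.dependencies]` line records the intended gating without saying what blocks it. Make it actionable so the widened dependency surface does not outlive its reason: `# TODO: move back under [target.'cfg(hax)'.dependencies] once the hax attributes mentioned above no longer need the crate in normal builds.`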
@@ -54,33 +54,33 @@ typedef struct {
 // which is NOT correct C syntax, so we add a dedicated phase in Eurydice that
 // adds an extra argument to this macro at the last minute so that we have the
 // correct type of *pointers* to elements.
-#define Eurydice_slice_index(s, i, t, t_ptr_t, _ret_t) (((t_ptr_t)s.ptr)[i])
-#define Eurydice_slice_subslice(s, r, t, _, _ret_t) \
+#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
+#define Eurydice_slice_subslice(s, r, t, _) \
 EURYDICE_SLICE((t *)s.ptr, r.start, r.end)
 // Variant for when the start and end indices are statically known (i.e., the
 // range argument `r` is a literal).
-#define Eurydice_slice_subslice2(s, start, end, t, _) \
+#define Eurydice_slice_subslice2(s, start, end, t) \
 EURYDICE_SLICE((t *)s.ptr, start, end)
-#define Eurydice_slice_subslice_to(s, subslice_end_pos, t, _, _ret_t) \
+#define Eurydice_slice_subslice_to(s, subslice_end_pos, t, _) \
 EURYDICE_SLICE((t *)s.ptr, 0, subslice_end_pos)
-#define Eurydice_slice_subslice_from(s, subslice_start_pos, t, _, _ret_t) \
+#define Eurydice_slice_subslice_from(s, subslice_start_pos, t, _) \
 EURYDICE_SLICE((t *)s.ptr, subslice_start_pos, s.len)
-#define Eurydice_array_to_slice(end, x, t, _ret_t) \
- EURYDICE_SLICE(x, 0, \
+#define Eurydice_array_to_slice(end, x, t) \
+ EURYDICE_SLICE(x, 0, \
 end) /* x is already at an array type, no need for cast */
-#define Eurydice_array_to_subslice(_arraylen, x, r, t, _, _ret_t) \
+#define Eurydice_array_to_subslice(_arraylen, x, r, t, _) \
 EURYDICE_SLICE((t *)x, r.start, r.end)
 // Same as above, variant for when start and end are statically known
-#define Eurydice_array_to_subslice2(x, start, end, t, _ret_t) \
+#define Eurydice_array_to_subslice2(x, start, end, t) \
 EURYDICE_SLICE((t *)x, start, end)
-#define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t, _ret_t) \
+#define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t) \
 EURYDICE_SLICE((t *)x, 0, r)
-#define 
Eurydice_array_to_subslice_from(size, x, r, t, _range_t, _ret_t) \
+#define Eurydice_array_to_subslice_from(size, x, r, t, _range_t) \
 EURYDICE_SLICE((t *)x, r, size)
-#define Eurydice_array_repeat(dst, len, init, t, _ret_t) \
+#define Eurydice_array_repeat(dst, len, init, t) \
 ERROR "should've been desugared"
-#define core_slice___Slice_T___len(s, t, _ret_t) EURYDICE_SLICE_LEN(s, t)
-#define core_slice___Slice_T___copy_from_slice(dst, src, t, _ret_t) \
+#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
+#define Eurydice_slice_copy(dst, src, t) \
 memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
 #define core_array___Array_T__N__23__as_slice(len_, ptr_, t, _ret_t) \
 ((Eurydice_slice){.ptr = ptr_, .len = len_})
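Review bot: `Eurydice_slice_copy(dst, src, t)` copies `dst.len * sizeof(t)` bytes out of `src` with no reference to `src.len`, so a shorter `src` is an out-of-bounds read; the Rust `copy_from_slice` it replaces panics on a length mismatch, and the rename is the moment to record that this check no longer exists at runtime. The same unchecked preconditions apply to the renamed range macros (`Eurydice_slice_subslice_from` assumes `subslice_start_pos <= s.len`, `Eurydice_slice_subslice_to` assumes `subslice_end_pos <= s.len`). Whether the generator guarantees these is not visible from this header, so a comment above the slice macros should state it as a precondition rather than a fact: `// Precondition (not checked here): dst.len == src.len for Eurydice_slice_copy, and every index/range lies within the slice. Bounds safety is the code generator's responsibility.`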
@@ -90,25 +90,26 @@ typedef struct {
 (memcpy(dst, src, len * sizeof(elem_type)))
 #define core_array_TryFromSliceError uint8_t
-#define Eurydice_array_eq(sz, a1, a2, t, _, _ret_t) \
+#define Eurydice_array_eq(sz, a1, a2, t, _) \
 (memcmp(a1, a2, sz * sizeof(t)) == 0)
-#define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq \
- Eurydice_array_eq
+#define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( \
+ sz, a1, a2, t, _, _ret_t) \
+ Eurydice_array_eq(sz, a1, a2, t, _)
-#define core_slice___Slice_T___split_at(slice, mid, element_type, ret_t) \
- (CLITERAL(ret_t){ \
- .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid), \
+#define Eurydice_slice_split_at(slice, mid, element_type, ret_t) \
+ (CLITERAL(ret_t){ \
+ .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid), \
 .snd = EURYDICE_SLICE((element_type *)slice.ptr, mid, slice.len)})
-#define core_slice___Slice_T___split_at_mut(slice, mid, element_type, ret_t) \
- (CLITERAL(ret_t){ \
- .fst = {.ptr = slice.ptr, .len = mid}, \
- .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \
+#define Eurydice_slice_split_at_mut(slice, mid, element_type, ret_t) \
+ (CLITERAL(ret_t){ \
+ .fst = {.ptr = slice.ptr, .len = mid}, \
+ .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \
 .len = slice.len - mid}})
 // Conversion of slice to an array, rewritten (by Eurydice) to name the
 // destination array, since arrays are not values in C.
 // N.B.: see note in karamel/lib/Inlining.ml if you change this.
-#define Eurydice_slice_to_array2(dst, src, _, t_arr, _ret_t) \
+#define Eurydice_slice_to_array2(dst, src, _, t_arr) \
 Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
 sizeof(t_arr))
diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h
index fac5a90e9..95fb8cd69 100644
--- a/libcrux-ml-kem/c/internal/libcrux_core.h
+++ b/libcrux-ml-kem/c/internal/libcrux_core.h
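Review bot: `Eurydice_array_eq`, and the `core_array_equality...__eq` wrapper that now forwards to it, is implemented with `memcmp`, which returns at the first differing byte, so it is not a constant-time comparison. Nothing in this hunk shows whether generated ML-KEM code routes any secret-dependent comparison through this macro — the Rust side may well use a dedicated constant-time compare — but a glue header in a cryptographic library should say so explicitly so that nobody later relies on array `==` for secrets: `// NOT constant time: memcmp exits early. Never use for secret data (e.g. implicit-rejection checks); use a dedicated constant-time compare.` Separately, `Eurydice_slice_split_at_mut` computes `slice.len - mid` with no `mid <= slice.len` precondition stated, which wraps in `size_t` if violated; a one-line precondition comment above the two `split_at` macros would make that contract visible.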
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __internal_libcrux_core_H @@ -136,9 +136,12 @@ A monomorphic instance of libcrux_ml_kem.types.as_ref_ba with const generics - SIZE= 1568 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_ba_ed1( +Eurydice_slice libcrux_ml_kem_types_as_ref_ba_711( libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *self); +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics @@ -217,9 +220,12 @@ A monomorphic instance of libcrux_ml_kem.types.as_ref_ba with const generics - SIZE= 1088 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_ba_ed0( +Eurydice_slice libcrux_ml_kem_types_as_ref_ba_710( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self); +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics @@ -289,6 +295,9 @@ with const generics uint8_t *libcrux_ml_kem_types_as_slice_f6_f2( libcrux_ml_kem_types_MlKemPublicKey_be *self); +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics 
@@ -320,6 +329,9 @@ with types uint8_t[32size_t], core_array_TryFromSliceError */ void core_result_unwrap_41_83(core_result_Result_00 self, uint8_t ret[32U]); +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics @@ -337,9 +349,12 @@ A monomorphic instance of libcrux_ml_kem.types.as_ref_ba with const generics - SIZE= 768 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_ba_ed( +Eurydice_slice libcrux_ml_kem_types_as_ref_ba_71( libcrux_ml_kem_types_MlKemCiphertext_e8 *self); +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics @@ -348,6 +363,9 @@ with const generics void libcrux_ml_kem_utils_into_padded_array_2d0(Eurydice_slice slice, uint8_t ret[800U]); +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index e44ef6e5a..92f3e8455 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __internal_libcrux_mlkem_avx2_H 
@@ -48,7 +48,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f1( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b1( uint8_t randomness[64U]); /** @@ -84,7 +84,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c1( +tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b1( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]); @@ -132,7 +132,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_231( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b1( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); @@ -158,7 +158,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_c41( +void libcrux_ml_kem_ind_cca_decapsulate_201( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); @@ -186,7 +186,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f0( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b0( uint8_t randomness[64U]); /** 
@@ -222,7 +222,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c0( +tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b0( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_01 *public_key, uint8_t randomness[32U]); @@ -270,7 +270,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_230( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b0( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); @@ -296,7 +296,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_c40( +void libcrux_ml_kem_ind_cca_decapsulate_200( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); @@ -324,7 +324,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 192 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b( uint8_t randomness[64U]); /** @@ -360,7 +360,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c( +tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_d6 *public_key, uint8_t randomness[32U]); 
@@ -408,7 +408,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_23( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); @@ -434,7 +434,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_decapsulate_c4( +void libcrux_ml_kem_ind_cca_decapsulate_20( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h index 3d5888d57..8aaaa97ef 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h @@ -7,8 +7,8 @@ * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 - * Libcrux: 23480eeb26f8e66cfa9bd0eb76c65d87fbb91806 + * F*: c3d49544236797e54bfa10f65e4c2b17b543fd30 + * Libcrux: 60b28afb7bf09eeff64f7bd63b12a821496645f2 */ #ifndef __internal_libcrux_mlkem_neon_H @@ -34,8 +34,9 @@ with const generics bool libcrux_ml_kem_ind_cca_validate_public_key_7e1(uint8_t *public_key); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair_unpacked -with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.generate_keypair_unpacked with types +libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 2 - CPA_PRIVATE_KEY_SIZE= 768 
@@ -46,7 +47,8 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA1_RANDOMNESS_SIZE= 192 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 -libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b41(uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_201( + uint8_t randomness[64U]); /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair @@ -56,7 +58,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- BYTES_PER_RING_ELEMENT= 768 +- RANKED_BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ @@ -64,7 +66,7 @@ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_ind_cca_generate_keypair_721(uint8_t randomness[64U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 2 @@ -81,7 +83,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_ec libcrux_ml_kem_ind_cca_encapsulate_unpacked_471( +tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_ad1( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *public_key, uint8_t randomness[32U]); @@ -98,7 +100,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 
@@ -109,7 +111,7 @@ tuple_ec libcrux_ml_kem_ind_cca_encapsulate_281( uint8_t randomness[32U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 2 @@ -129,7 +131,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec1( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_a31( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); @@ -155,7 +157,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_decapsulate_821( +void libcrux_ml_kem_ind_cca_decapsulate_5b1( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); @@ -170,8 +172,9 @@ with const generics bool libcrux_ml_kem_ind_cca_validate_public_key_7e0(uint8_t *public_key); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair_unpacked -with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.generate_keypair_unpacked with types +libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 3 - CPA_PRIVATE_KEY_SIZE= 1152 
@@ -182,7 +185,8 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd -libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b40(uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_200( + uint8_t randomness[64U]); /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair @@ -192,7 +196,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -200,7 +204,7 @@ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_ind_cca_generate_keypair_720(uint8_t randomness[64U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 3 @@ -217,7 +221,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_3c libcrux_ml_kem_ind_cca_encapsulate_unpacked_470( +tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_ad0( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *public_key, uint8_t randomness[32U]); @@ -234,7 +238,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 
@@ -245,7 +249,7 @@ tuple_3c libcrux_ml_kem_ind_cca_encapsulate_280( uint8_t randomness[32U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 3 @@ -265,7 +269,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec0( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_a30( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); @@ -291,7 +295,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_820( +void libcrux_ml_kem_ind_cca_decapsulate_5b0( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); @@ -306,8 +310,9 @@ with const generics bool libcrux_ml_kem_ind_cca_validate_public_key_7e(uint8_t *public_key); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair_unpacked -with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, +A monomorphic instance of +libcrux_ml_kem.ind_cca.unpacked.generate_keypair_unpacked with types +libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 4 - CPA_PRIVATE_KEY_SIZE= 1536 
@@ -318,7 +323,8 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c -libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b4(uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_20( + uint8_t randomness[64U]); /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair @@ -328,7 +334,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- BYTES_PER_RING_ELEMENT= 1536 +- RANKED_BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -336,7 +342,7 @@ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_ind_cca_generate_keypair_72(uint8_t randomness[64U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 4 @@ -353,7 +359,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_21 libcrux_ml_kem_ind_cca_encapsulate_unpacked_47( +tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_ad( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *public_key, uint8_t randomness[32U]); @@ -370,7 +376,7 @@ with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- VECTOR_U_BLOCK_LEN= 352 +- C1_BLOCK_SIZE= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 
@@ -381,7 +387,7 @@ tuple_21 libcrux_ml_kem_ind_cca_encapsulate_28( uint8_t randomness[32U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 4 @@ -401,7 +407,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_a3( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); @@ -427,7 +433,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_82( +void libcrux_ml_kem_ind_cca_decapsulate_5b( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index 9f54b0800..def1624ad 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __internal_libcrux_mlkem_portable_H @@ -54,7 +54,7 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_251( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_481( uint8_t randomness[64U]); /** @@ -92,7 +92,7 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d81( +tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_841( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_42 *public_key, uint8_t randomness[32U]); @@ -141,7 +141,7 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d1( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e1( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); @@ -167,7 +167,7 @@ libcrux_ml_kem_ind_cca_MlKem with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_4f1( +void libcrux_ml_kem_ind_cca_decapsulate_e31( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); 
@@ -196,7 +196,7 @@ generics - ETA1_RANDOMNESS_SIZE= 192 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_250( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_480( uint8_t randomness[64U]); /** @@ -234,7 +234,7 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d80( +tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_840( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_ae *public_key, uint8_t randomness[32U]); @@ -283,7 +283,7 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d0( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e0( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); @@ -309,7 +309,7 @@ libcrux_ml_kem_ind_cca_MlKem with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_decapsulate_4f0( +void libcrux_ml_kem_ind_cca_decapsulate_e30( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); @@ -338,7 +338,7 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_25( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_48( uint8_t randomness[64U]); /** @@ -376,7 +376,7 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d8( +tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_84( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]); 
@@ -425,7 +425,7 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); @@ -451,7 +451,7 @@ libcrux_ml_kem_ind_cca_MlKem with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_4f( +void libcrux_ml_kem_ind_cca_decapsulate_e3( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 6f37ca94f..d603711fc 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index 16040085f..03ca80d96 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __internal_libcrux_sha3_internal_H @@ -24,11 +24,17 @@ extern "C" { typedef libcrux_sha3_generic_keccak_KeccakState_48 libcrux_sha3_portable_KeccakState; +/** + Create a new SHAKE-128 state object. +*/ static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_48 libcrux_sha3_portable_incremental_shake128_init(void) { return libcrux_sha3_generic_keccak_new_1e_f2(); } +/** + Absorb +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice data0) { @@ -63,6 +69,9 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_7d( libcrux_sha3_generic_keccak_squeeze_next_block_1f(s, o2); } +/** + Squeeze three blocks +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) { @@ -70,6 +79,9 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_squeeze_first_three_blocks_7d(s, buf); } +/** + Squeeze another block +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) { 
@@ -84,6 +96,9 @@ libcrux_sha3_portable_incremental_shake128_squeeze_next_block( typedef uint8_t libcrux_sha3_Algorithm; +/** + Returns the output size of a digest. +*/ static inline size_t libcrux_sha3_digest_size(libcrux_sha3_Algorithm mode) { size_t uu____0; switch (mode) { @@ -167,6 +182,9 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_92( libcrux_sha3_generic_keccak_squeeze_next_block_1f(s, o4); } +/** + Squeeze five blocks +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) { @@ -174,6 +192,9 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_squeeze_first_five_blocks_92(s, buf); } +/** + Absorb some data for SHAKE-256 for the last time +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice data) { @@ -181,11 +202,17 @@ libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_absorb_final_720(s, buf); } +/** + Create a new SHAKE-256 state object. +*/ static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_48 libcrux_sha3_portable_incremental_shake256_init(void) { return libcrux_sha3_generic_keccak_new_1e_f2(); } +/** + Squeeze the first SHAKE-256 block +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out) { @@ -193,6 +220,9 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_squeeze_first_block_090(s, buf); } +/** + Squeeze the next SHAKE-256 block +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out) { 
diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 2528afe9b..a5f2f39b1 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -4,15 +4,18 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "internal/libcrux_core.h" +/** + Return 1 if `value` is not zero and 0 otherwise. +*/ static uint8_t inz(uint8_t value) { uint16_t value0 = (uint16_t)value; uint16_t result = (((uint32_t)value0 | @@ -25,14 +28,17 @@ static uint8_t inz(uint8_t value) { static KRML_NOINLINE uint8_t is_non_zero(uint8_t value) { return inz(value); } +/** + Return 1 if the bytes of `lhs` and `rhs` do not exactly + match and 0 otherwise. +*/ static uint8_t compare(Eurydice_slice lhs, Eurydice_slice rhs) { uint8_t r = 0U; - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(lhs, uint8_t, size_t); i++) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) { size_t i0 = i; r = (uint32_t)r | - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t) ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); + ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^ + (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *)); } return is_non_zero(r); } 
@@ -43,6 +49,10 @@ libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( return compare(lhs, rhs); } +/** + If `selector` is not zero, return the bytes in `rhs`; return the bytes in + `lhs` otherwise. +*/ static void select_ct(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, uint8_t ret[32U]) { uint8_t mask = core_num__u8_6__wrapping_sub(is_non_zero(selector), 1U); @@ -50,11 +60,10 @@ static void select_ct(Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; i++) { size_t i0 = i; - out[i0] = - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t) & - (uint32_t)mask) | - ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t) & - (uint32_t)~mask); + out[i0] = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & + (uint32_t)mask) | + ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & + (uint32_t)~mask); } memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } @@ -89,10 +98,11 @@ with const generics */ libcrux_ml_kem_types_MlKemPublicKey_1f libcrux_ml_kem_types_from_07_4c1( uint8_t value[1568U]) { - uint8_t uu____0[1568U]; - memcpy(uu____0, value, (size_t)1568U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1568U]; + memcpy(copy_of_value, value, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPublicKey_1f lit; - memcpy(lit.value, uu____0, (size_t)1568U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)1568U * sizeof(uint8_t)); return lit; } 
@@ -124,10 +134,11 @@ with const generics */ libcrux_ml_kem_types_MlKemPrivateKey_95 libcrux_ml_kem_types_from_e7_a71( uint8_t value[3168U]) { - uint8_t uu____0[3168U]; - memcpy(uu____0, value, (size_t)3168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[3168U]; + memcpy(copy_of_value, value, (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_95 lit; - memcpy(lit.value, uu____0, (size_t)3168U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)3168U * sizeof(uint8_t)); return lit; } @@ -142,10 +153,11 @@ with const generics */ libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext libcrux_ml_kem_types_from_15_f51( uint8_t value[1568U]) { - uint8_t uu____0[1568U]; - memcpy(uu____0, value, (size_t)1568U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1568U]; + memcpy(copy_of_value, value, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext lit; - memcpy(lit.value, uu____0, (size_t)1568U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)1568U * sizeof(uint8_t)); return lit; } @@ -171,12 +183,14 @@ A monomorphic instance of libcrux_ml_kem.types.as_ref_ba with const generics - SIZE= 1568 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_ba_ed1( +Eurydice_slice libcrux_ml_kem_types_as_ref_ba_711( libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *self) { - return Eurydice_array_to_slice((size_t)1568U, self->value, uint8_t, - Eurydice_slice); + return Eurydice_array_to_slice((size_t)1568U, self->value, uint8_t); } +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics 
@@ -186,12 +200,10 @@ void libcrux_ml_kem_utils_into_padded_array_2d4(Eurydice_slice slice, uint8_t ret[1600U]) { uint8_t out[1600U] = {0U}; uint8_t *uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice2( - uu____0, (size_t)0U, - core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t, - Eurydice_slice), - slice, uint8_t, void *); + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); memcpy(ret, out, (size_t)1600U * sizeof(uint8_t)); } @@ -206,10 +218,11 @@ with const generics */ libcrux_ml_kem_types_MlKemPublicKey_15 libcrux_ml_kem_types_from_07_4c0( uint8_t value[1184U]) { - uint8_t uu____0[1184U]; - memcpy(uu____0, value, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1184U]; + memcpy(copy_of_value, value, (size_t)1184U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPublicKey_15 lit; - memcpy(lit.value, uu____0, (size_t)1184U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)1184U * sizeof(uint8_t)); return lit; } @@ -241,10 +254,11 @@ with const generics */ libcrux_ml_kem_types_MlKemPrivateKey_55 libcrux_ml_kem_types_from_e7_a70( uint8_t value[2400U]) { - uint8_t uu____0[2400U]; - memcpy(uu____0, value, (size_t)2400U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[2400U]; + memcpy(copy_of_value, value, (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_55 lit; - memcpy(lit.value, uu____0, (size_t)2400U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)2400U * sizeof(uint8_t)); return lit; } 
@@ -259,10 +273,11 @@ with const generics */ libcrux_ml_kem_mlkem768_MlKem768Ciphertext libcrux_ml_kem_types_from_15_f50( uint8_t value[1088U]) { - uint8_t uu____0[1088U]; - memcpy(uu____0, value, (size_t)1088U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1088U]; + memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit; - memcpy(lit.value, uu____0, (size_t)1088U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t)); return lit; } @@ -288,12 +303,14 @@ A monomorphic instance of libcrux_ml_kem.types.as_ref_ba with const generics - SIZE= 1088 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_ba_ed0( +Eurydice_slice libcrux_ml_kem_types_as_ref_ba_710( libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) { - return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t, - Eurydice_slice); + return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t); } +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics @@ -303,12 +320,10 @@ void libcrux_ml_kem_utils_into_padded_array_2d3(Eurydice_slice slice, uint8_t ret[1120U]) { uint8_t out[1120U] = {0U}; uint8_t *uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice2( - uu____0, (size_t)0U, - core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t, - Eurydice_slice), - slice, uint8_t, void *); + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); memcpy(ret, out, (size_t)1120U * sizeof(uint8_t)); } 
@@ -323,10 +338,11 @@ with const generics */ libcrux_ml_kem_types_MlKemPublicKey_be libcrux_ml_kem_types_from_07_4c( uint8_t value[800U]) { - uint8_t uu____0[800U]; - memcpy(uu____0, value, (size_t)800U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[800U]; + memcpy(copy_of_value, value, (size_t)800U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPublicKey_be lit; - memcpy(lit.value, uu____0, (size_t)800U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)800U * sizeof(uint8_t)); return lit; } @@ -357,10 +373,11 @@ with const generics */ libcrux_ml_kem_types_MlKemPrivateKey_5e libcrux_ml_kem_types_from_e7_a7( uint8_t value[1632U]) { - uint8_t uu____0[1632U]; - memcpy(uu____0, value, (size_t)1632U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[1632U]; + memcpy(copy_of_value, value, (size_t)1632U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_5e lit; - memcpy(lit.value, uu____0, (size_t)1632U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)1632U * sizeof(uint8_t)); return lit; } @@ -375,10 +392,11 @@ with const generics */ libcrux_ml_kem_types_MlKemCiphertext_e8 libcrux_ml_kem_types_from_15_f5( uint8_t value[768U]) { - uint8_t uu____0[768U]; - memcpy(uu____0, value, (size_t)768U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_value[768U]; + memcpy(copy_of_value, value, (size_t)768U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_e8 lit; - memcpy(lit.value, uu____0, (size_t)768U * sizeof(uint8_t)); + memcpy(lit.value, copy_of_value, (size_t)768U * sizeof(uint8_t)); return lit; } @@ -395,6 +413,9 @@ uint8_t *libcrux_ml_kem_types_as_slice_f6_f2( return self->value; } +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics 
@@ -404,12 +425,10 @@ void libcrux_ml_kem_utils_into_padded_array_2d2(Eurydice_slice slice, uint8_t ret[33U]) { uint8_t out[33U] = {0U}; uint8_t *uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice2( - uu____0, (size_t)0U, - core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t, - Eurydice_slice), - slice, uint8_t, void *); + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); memcpy(ret, out, (size_t)33U * sizeof(uint8_t)); } @@ -433,6 +452,9 @@ void core_result_unwrap_41_83(core_result_Result_00 self, uint8_t ret[32U]) { } } +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics @@ -442,12 +464,10 @@ void libcrux_ml_kem_utils_into_padded_array_2d1(Eurydice_slice slice, uint8_t ret[34U]) { uint8_t out[34U] = {0U}; uint8_t *uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice2( - uu____0, (size_t)0U, - core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t, - Eurydice_slice), - slice, uint8_t, void *); + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); memcpy(ret, out, (size_t)34U * sizeof(uint8_t)); } @@ -460,12 +480,14 @@ A monomorphic instance of libcrux_ml_kem.types.as_ref_ba with const generics - SIZE= 768 */ -Eurydice_slice libcrux_ml_kem_types_as_ref_ba_ed( +Eurydice_slice libcrux_ml_kem_types_as_ref_ba_71( libcrux_ml_kem_types_MlKemCiphertext_e8 *self) { - return Eurydice_array_to_slice((size_t)768U, self->value, uint8_t, - Eurydice_slice); + return Eurydice_array_to_slice((size_t)768U, self->value, uint8_t); } +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics 
@@ -475,15 +497,16 @@ void libcrux_ml_kem_utils_into_padded_array_2d0(Eurydice_slice slice, uint8_t ret[800U]) { uint8_t out[800U] = {0U}; uint8_t *uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice2( - uu____0, (size_t)0U, - core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t, - Eurydice_slice), - slice, uint8_t, void *); + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); memcpy(ret, out, (size_t)800U * sizeof(uint8_t)); } +/** + Pad the `slice` with `0`s at the end. +*/ /** A monomorphic instance of libcrux_ml_kem.utils.into_padded_array with const generics @@ -493,12 +516,10 @@ void libcrux_ml_kem_utils_into_padded_array_2d(Eurydice_slice slice, uint8_t ret[64U]) { uint8_t out[64U] = {0U}; uint8_t *uu____0 = out; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_subslice2( - uu____0, (size_t)0U, - core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t, - Eurydice_slice), - slice, uint8_t, void *); + Eurydice_slice_copy( + Eurydice_array_to_subslice2(uu____0, (size_t)0U, + Eurydice_slice_len(slice, uint8_t), uint8_t), + slice, uint8_t); memcpy(ret, out, (size_t)64U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index ea2178ff4..943b4e083 100644 --- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h 
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39
- * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896
- * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92
+ * Charon: 0576bfc67e99aae86c51930421072688138b672b
+ * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
+ * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
  * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563
- * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59
+ * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h
index 8693d2383..b5cf3724c 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39
- * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896
- * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92
+ * Charon: 0576bfc67e99aae86c51930421072688138b672b
+ * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
+ * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
  * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563
- * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59
+ * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a
  */
 
 #ifndef __libcrux_mlkem1024_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
index a230fa8ed..05d316a3a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "libcrux_mlkem1024_avx2.h" @@ -35,20 +35,30 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_69( +static void decapsulate_96( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_c40(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_200(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 1024 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem1024PrivateKey`] and an + [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_69(private_key, ciphertext, ret); + decapsulate_96(private_key, ciphertext, ret); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_unpacked with const 
@@ -70,19 +80,26 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_unpacked_18( +static void decapsulate_unpacked_72( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_230(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b0(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 1024 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem1024KeyPairUnpacked`] and an [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_avx2_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_18(private_key, ciphertext, ret); + decapsulate_unpacked_72(private_key, ciphertext, ret); } /** 
@@ -102,24 +119,36 @@ with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_21 encapsulate_c4( +static tuple_21 encapsulate_70( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_820(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_820(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 1024 + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem1024PublicKey`] and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_21 libcrux_ml_kem_mlkem1024_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_c4(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_70(uu____0, copy_of_randomness); } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_unpacked with const 
@@ -138,25 +167,37 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_21 encapsulate_unpacked_f1( +static tuple_21 encapsulate_unpacked_27( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_01 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_01 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c0(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b0( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 1024 (unpacked) + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem1024PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. + TODO: The F* prefix opens required modules, it should go away when the + following issue is resolved: https://github.com/hacspec/hax/issues/770 +*/ tuple_21 libcrux_ml_kem_mlkem1024_avx2_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_01 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_01 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_f1(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_unpacked_27(uu____0, copy_of_randomness); } /** 
@@ -170,20 +211,28 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_b7( +static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_ff( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c22(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c22(copy_of_randomness); } +/** + Generate ML-KEM 1024 Key Pair +*/ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_mlkem1024_avx2_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_b7(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_ff(copy_of_randomness); } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair_unpacked with const 
@@ -197,18 +246,24 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 -generate_keypair_unpacked_24(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f0(uu____0); +generate_keypair_unpacked_d2(uint8_t randomness[64U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b0( + copy_of_randomness); } +/** + Generate ML-KEM 1024 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 libcrux_ml_kem_mlkem1024_avx2_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_24(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_unpacked_d2(copy_of_randomness); } /** @@ -219,14 +274,19 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1536 - PUBLIC_KEY_SIZE= 1568 */ -static bool validate_public_key_e00(uint8_t *public_key) { +static bool validate_public_key_a30(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_cf0(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_99 libcrux_ml_kem_mlkem1024_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_1f public_key) { core_option_Option_99 uu____0; - if (validate_public_key_e00(public_key.value)) { + if (validate_public_key_a30(public_key.value)) { uu____0 = (CLITERAL(core_option_Option_99){.tag = core_option_Some, .f0 = public_key}); } else { 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h index 46115ce9d..26425cbb7 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem1024_avx2_H 
@@ -22,29 +22,71 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_mlkem_avx2.h" +/** + Decapsulate ML-KEM 1024 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem1024PrivateKey`] and an + [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Decapsulate ML-KEM 1024 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem1024KeyPairUnpacked`] and an [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_avx2_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Encapsulate ML-KEM 1024 + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem1024PublicKey`] and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_21 libcrux_ml_kem_mlkem1024_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]); +/** + Encapsulate ML-KEM 1024 (unpacked) + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem1024PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
+ TODO: The F* prefix opens required modules, it should go away when the + following issue is resolved: https://github.com/hacspec/hax/issues/770 +*/ tuple_21 libcrux_ml_kem_mlkem1024_avx2_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_01 *public_key, uint8_t randomness[32U]); +/** + Generate ML-KEM 1024 Key Pair +*/ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_mlkem1024_avx2_generate_key_pair(uint8_t randomness[64U]); +/** + Generate ML-KEM 1024 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 libcrux_ml_kem_mlkem1024_avx2_generate_key_pair_unpacked( uint8_t randomness[64U]); +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_99 libcrux_ml_kem_mlkem1024_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_1f public_key); diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c index 178092bfb..f6efd0915 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.c @@ -7,8 +7,8 @@ * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 - * Libcrux: 23480eeb26f8e66cfa9bd0eb76c65d87fbb91806 + * F*: c3d49544236797e54bfa10f65e4c2b17b543fd30 + * Libcrux: 60b28afb7bf09eeff64f7bd63b12a821496645f2 */ #include "libcrux_mlkem1024_neon.h" 
@@ -35,18 +35,18 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_f8( +static void decapsulate_b0( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_82(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_5b(private_key, ciphertext, ret); } void libcrux_ml_kem_mlkem1024_neon_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_f8(private_key, ciphertext, ret); + decapsulate_b0(private_key, ciphertext, ret); } /** @@ -70,18 +70,19 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_unpacked_c2( +static void decapsulate_unpacked_54( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec(key_pair, ciphertext, ret); + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_a3(key_pair, ciphertext, + ret); } void libcrux_ml_kem_mlkem1024_neon_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_c2(private_key, ciphertext, ret); + decapsulate_unpacked_54(private_key, ciphertext, ret); } /** 
@@ -95,13 +96,13 @@ with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- VECTOR_U_BLOCK_LEN= 352 +- C1_BLOCK_SIZE= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_21 encapsulate_6b( +static tuple_21 encapsulate_24( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key; @@ -116,7 +117,7 @@ tuple_21 libcrux_ml_kem_mlkem1024_neon_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_6b(uu____0, uu____1); + return encapsulate_24(uu____0, uu____1); } /** @@ -137,14 +138,15 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_21 encapsulate_unpacked_1c( +static tuple_21 encapsulate_unpacked_ed( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_unpacked_47(uu____0, uu____1); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_ad(uu____0, + uu____1); } tuple_21 libcrux_ml_kem_mlkem1024_neon_encapsulate_unpacked( @@ -154,7 +156,7 @@ tuple_21 libcrux_ml_kem_mlkem1024_neon_encapsulate_unpacked( public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_1c(uu____0, uu____1); + return encapsulate_unpacked_ed(uu____0, uu____1); } /** 
@@ -164,11 +166,11 @@ libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair with const generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- BYTES_PER_RING_ELEMENT= 1536 +- RANKED_BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_91( +static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_62( uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); @@ -179,7 +181,7 @@ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_mlkem1024_neon_generate_key_pair(uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_91(uu____0); + return generate_keypair_62(uu____0); } /** @@ -195,10 +197,10 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c -generate_keypair_unpacked_87(uint8_t randomness[64U]) { +generate_keypair_unpacked_bc(uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b4(uu____0); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_20(uu____0); } libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c @@ -206,7 +208,7 @@ libcrux_ml_kem_mlkem1024_neon_generate_key_pair_unpacked( uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_87(uu____0); + return generate_keypair_unpacked_bc(uu____0); } /** 
@@ -217,14 +219,14 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1536 - PUBLIC_KEY_SIZE= 1568 */ -static bool validate_public_key_a3(uint8_t *public_key) { +static bool validate_public_key_ef(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_7e(public_key); } core_option_Option_99 libcrux_ml_kem_mlkem1024_neon_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_1f public_key) { core_option_Option_99 uu____0; - if (validate_public_key_a3(public_key.value)) { + if (validate_public_key_ef(public_key.value)) { uu____0 = (CLITERAL(core_option_Option_99){.tag = core_option_Some, .f0 = public_key}); } else { diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h index 7e0bbc8a3..038fa0d89 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_neon.h @@ -7,8 +7,8 @@ * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 - * Libcrux: 23480eeb26f8e66cfa9bd0eb76c65d87fbb91806 + * F*: c3d49544236797e54bfa10f65e4c2b17b543fd30 + * Libcrux: 60b28afb7bf09eeff64f7bd63b12a821496645f2 */ #ifndef __libcrux_mlkem1024_neon_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c index 7f94659d5..0032daf9a 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "libcrux_mlkem1024_portable.h" @@ -35,20 +35,30 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_0b( +static void decapsulate_e5( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_4f1(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_e31(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 1024 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem1024PrivateKey`] and an + [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_0b(private_key, ciphertext, ret); + decapsulate_e5(private_key, ciphertext, ret); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate_unpacked with const 
@@ -70,19 +80,26 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -static void decapsulate_unpacked_ef( +static void decapsulate_unpacked_6e( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d1(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e1(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 1024 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem1024KeyPairUnpacked`] and an [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_portable_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_ef(private_key, ciphertext, ret); + decapsulate_unpacked_6e(private_key, ciphertext, ret); } /** 
@@ -102,24 +119,36 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_21 encapsulate_ec( +static tuple_21 encapsulate_da( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_441(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_441(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 1024 + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem1024PublicKey`] and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_21 libcrux_ml_kem_mlkem1024_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_1f *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_ec(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_da(uu____0, copy_of_randomness); } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate_unpacked with const 
@@ -138,25 +167,37 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_21 encapsulate_unpacked_9d( +static tuple_21 encapsulate_unpacked_c8( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_42 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_42 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d81(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_841( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 1024 (unpacked) + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem1024PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. + TODO: The F* prefix opens required modules, it should go away when the + following issue is resolved: https://github.com/hacspec/hax/issues/770 +*/ tuple_21 libcrux_ml_kem_mlkem1024_portable_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_42 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_42 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_9d(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_unpacked_c8(uu____0, copy_of_randomness); } /** 
@@ -173,18 +214,26 @@ generics */ static libcrux_ml_kem_mlkem1024_MlKem1024KeyPair generate_keypair_0e( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c24(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c24(copy_of_randomness); } +/** + Generate ML-KEM 1024 Key Pair +*/ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_mlkem1024_portable_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_0e(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_0e(copy_of_randomness); } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair_unpacked with 
@@ -198,18 +247,24 @@ const generics - ETA1_RANDOMNESS_SIZE= 128 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 -generate_keypair_unpacked_b3(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_251(uu____0); +generate_keypair_unpacked_5a(uint8_t randomness[64U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_481( + copy_of_randomness); } +/** + Generate ML-KEM 1024 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 libcrux_ml_kem_mlkem1024_portable_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_b3(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_unpacked_5a(copy_of_randomness); } /** @@ -224,6 +279,11 @@ static bool validate_public_key_e11(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_351(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_99 libcrux_ml_kem_mlkem1024_portable_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_1f public_key) { core_option_Option_99 uu____0; diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h index 96c3b9743..624ef0798 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem1024_portable_H 
@@ -22,29 +22,71 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_mlkem_portable.h" +/** + Decapsulate ML-KEM 1024 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem1024PrivateKey`] and an + [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Decapsulate ML-KEM 1024 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem1024KeyPairUnpacked`] and an [`MlKem1024Ciphertext`]. +*/ void libcrux_ml_kem_mlkem1024_portable_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Encapsulate ML-KEM 1024 + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem1024PublicKey`] and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_21 libcrux_ml_kem_mlkem1024_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]); +/** + Encapsulate ML-KEM 1024 (unpacked) + + Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem1024PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
+ TODO: The F* prefix opens required modules, it should go away when the + following issue is resolved: https://github.com/hacspec/hax/issues/770 +*/ tuple_21 libcrux_ml_kem_mlkem1024_portable_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_42 *public_key, uint8_t randomness[32U]); +/** + Generate ML-KEM 1024 Key Pair +*/ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_mlkem1024_portable_generate_key_pair(uint8_t randomness[64U]); +/** + Generate ML-KEM 1024 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 libcrux_ml_kem_mlkem1024_portable_generate_key_pair_unpacked( uint8_t randomness[64U]); +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_99 libcrux_ml_kem_mlkem1024_portable_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_1f public_key); diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h index 16abd9845..df871eb6d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem512_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c index c9b430e4e..364933d64 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "libcrux_mlkem512_avx2.h" @@ -35,18 +35,28 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -static void decapsulate_42(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, +static void decapsulate_9f(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_c4(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_20(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 512 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem512PrivateKey`] and an + [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - decapsulate_42(private_key, ciphertext, ret); + decapsulate_9f(private_key, ciphertext, ret); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_unpacked with const 
@@ -68,17 +78,24 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -static void decapsulate_unpacked_4b( +static void decapsulate_unpacked_a6( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_23(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 512 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem512KeyPairUnpacked`] and an [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_avx2_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_4b(private_key, ciphertext, ret); + decapsulate_unpacked_a6(private_key, ciphertext, ret); } /** 
@@ -98,24 +115,36 @@ with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_ec encapsulate_00( +static tuple_ec encapsulate_8e( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_82(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_82(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 512 + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_ec libcrux_ml_kem_mlkem512_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_00(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_8e(uu____0, copy_of_randomness); } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_unpacked with const 
@@ -134,25 +163,35 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_ec encapsulate_unpacked_62( +static tuple_ec encapsulate_unpacked_ae( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_d6 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_d6 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 512 (unpacked) + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem512PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_ec libcrux_ml_kem_mlkem512_avx2_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_d6 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_d6 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_62(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_unpacked_ae(uu____0, copy_of_randomness); } /** 
@@ -166,20 +205,28 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ -static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_9a( +static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_b1( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c2(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c2(copy_of_randomness); } +/** + Generate ML-KEM 512 Key Pair +*/ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_mlkem512_avx2_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_9a(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_b1(copy_of_randomness); } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair_unpacked with const 
@@ -193,18 +240,24 @@ generics - ETA1_RANDOMNESS_SIZE= 192 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 -generate_keypair_unpacked_df(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f(uu____0); +generate_keypair_unpacked_ad(uint8_t randomness[64U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b( + copy_of_randomness); } +/** + Generate ML-KEM 512 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 libcrux_ml_kem_mlkem512_avx2_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_df(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_unpacked_ad(copy_of_randomness); } /** @@ -215,14 +268,19 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 768 - PUBLIC_KEY_SIZE= 800 */ -static bool validate_public_key_e0(uint8_t *public_key) { +static bool validate_public_key_a3(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_cf(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_04 libcrux_ml_kem_mlkem512_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_be public_key) { core_option_Option_04 uu____0; - if (validate_public_key_e0(public_key.value)) { + if (validate_public_key_a3(public_key.value)) { uu____0 = (CLITERAL(core_option_Option_04){.tag = core_option_Some, .f0 = public_key}); } else { 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h index 9623db789..893c5c37d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem512_avx2_H 
@@ -22,29 +22,69 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_mlkem_avx2.h" +/** + Decapsulate ML-KEM 512 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem512PrivateKey`] and an + [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); +/** + Decapsulate ML-KEM 512 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem512KeyPairUnpacked`] and an [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_avx2_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); +/** + Encapsulate ML-KEM 512 + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_ec libcrux_ml_kem_mlkem512_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]); +/** + Encapsulate ML-KEM 512 (unpacked) + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem512PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
+*/ tuple_ec libcrux_ml_kem_mlkem512_avx2_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_d6 *public_key, uint8_t randomness[32U]); +/** + Generate ML-KEM 512 Key Pair +*/ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_mlkem512_avx2_generate_key_pair(uint8_t randomness[64U]); +/** + Generate ML-KEM 512 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 libcrux_ml_kem_mlkem512_avx2_generate_key_pair_unpacked( uint8_t randomness[64U]); +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_04 libcrux_ml_kem_mlkem512_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_be public_key); diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_neon.c b/libcrux-ml-kem/c/libcrux_mlkem512_neon.c index 83108e30f..d55b146b4 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_neon.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_neon.c @@ -7,8 +7,8 @@ * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 - * Libcrux: 23480eeb26f8e66cfa9bd0eb76c65d87fbb91806 + * F*: c3d49544236797e54bfa10f65e4c2b17b543fd30 + * Libcrux: 60b28afb7bf09eeff64f7bd63b12a821496645f2 */ #include "libcrux_mlkem512_neon.h" 
@@ -35,16 +35,16 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -static void decapsulate_55(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, +static void decapsulate_29(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_821(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_5b1(private_key, ciphertext, ret); } void libcrux_ml_kem_mlkem512_neon_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - decapsulate_55(private_key, ciphertext, ret); + decapsulate_29(private_key, ciphertext, ret); } /** @@ -68,16 +68,17 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -static void decapsulate_unpacked_53( +static void decapsulate_unpacked_50( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec1(key_pair, ciphertext, ret); + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_a31(key_pair, ciphertext, + ret); } void libcrux_ml_kem_mlkem512_neon_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_53(private_key, ciphertext, ret); + decapsulate_unpacked_50(private_key, ciphertext, ret); } /** 
@@ -91,13 +92,13 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_ec encapsulate_f8( +static tuple_ec encapsulate_7d( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key; @@ -112,7 +113,7 @@ tuple_ec libcrux_ml_kem_mlkem512_neon_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_f8(uu____0, uu____1); + return encapsulate_7d(uu____0, uu____1); } /** @@ -133,14 +134,15 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_ec encapsulate_unpacked_ce( +static tuple_ec encapsulate_unpacked_f2( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_unpacked_471(uu____0, uu____1); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_ad1(uu____0, + uu____1); } tuple_ec libcrux_ml_kem_mlkem512_neon_encapsulate_unpacked( @@ -150,7 +152,7 @@ tuple_ec libcrux_ml_kem_mlkem512_neon_encapsulate_unpacked( public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_ce(uu____0, uu____1); + return encapsulate_unpacked_f2(uu____0, uu____1); } /** 
@@ -160,11 +162,11 @@ libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair with const generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- BYTES_PER_RING_ELEMENT= 768 +- RANKED_BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ -static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_1a( +static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_da( uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); @@ -175,7 +177,7 @@ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_mlkem512_neon_generate_key_pair(uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_1a(uu____0); + return generate_keypair_da(uu____0); } /** @@ -191,10 +193,10 @@ generics - ETA1_RANDOMNESS_SIZE= 192 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 -generate_keypair_unpacked_38(uint8_t randomness[64U]) { +generate_keypair_unpacked_c3(uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b41(uu____0); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_201(uu____0); } libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 @@ -202,7 +204,7 @@ libcrux_ml_kem_mlkem512_neon_generate_key_pair_unpacked( uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_38(uu____0); + return generate_keypair_unpacked_c3(uu____0); } /** 
@@ -213,14 +215,14 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 768 - PUBLIC_KEY_SIZE= 800 */ -static bool validate_public_key_a31(uint8_t *public_key) { +static bool validate_public_key_ef1(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_7e1(public_key); } core_option_Option_04 libcrux_ml_kem_mlkem512_neon_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_be public_key) { core_option_Option_04 uu____0; - if (validate_public_key_a31(public_key.value)) { + if (validate_public_key_ef1(public_key.value)) { uu____0 = (CLITERAL(core_option_Option_04){.tag = core_option_Some, .f0 = public_key}); } else { diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_neon.h b/libcrux-ml-kem/c/libcrux_mlkem512_neon.h index cd6856831..2aaedd672 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_neon.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_neon.h @@ -7,8 +7,8 @@ * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 - * Libcrux: 23480eeb26f8e66cfa9bd0eb76c65d87fbb91806 + * F*: c3d49544236797e54bfa10f65e4c2b17b543fd30 + * Libcrux: 60b28afb7bf09eeff64f7bd63b12a821496645f2 */ #ifndef __libcrux_mlkem512_neon_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c index 87719217f..8a3ec38f0 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "libcrux_mlkem512_portable.h" @@ -35,18 +35,28 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -static void decapsulate_64(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, +static void decapsulate_4a(libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_4f0(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_e30(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 512 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem512PrivateKey`] and an + [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - decapsulate_64(private_key, ciphertext, ret); + decapsulate_4a(private_key, ciphertext, ret); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate_unpacked with const 
@@ -68,17 +78,24 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -static void decapsulate_unpacked_40( +static void decapsulate_unpacked_d4( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d0(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e0(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 512 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem512KeyPairUnpacked`] and an [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_portable_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_40(private_key, ciphertext, ret); + decapsulate_unpacked_d4(private_key, ciphertext, ret); } /** 
@@ -98,24 +115,36 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_ec encapsulate_f3( +static tuple_ec encapsulate_7d( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_440(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_440(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 512 + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_ec libcrux_ml_kem_mlkem512_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_be *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_f3(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_7d(uu____0, copy_of_randomness); } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate_unpacked with const 
@@ -134,25 +163,35 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_ec encapsulate_unpacked_da( +static tuple_ec encapsulate_unpacked_84( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_ae *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_ae *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d80(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_840( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 512 (unpacked) + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem512PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_ec libcrux_ml_kem_mlkem512_portable_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_ae *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_ae *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_da(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_unpacked_84(uu____0, copy_of_randomness); } /** 
@@ -169,18 +208,26 @@ generics */ static libcrux_ml_kem_types_MlKemKeyPair_cb generate_keypair_df( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c21(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c21(copy_of_randomness); } +/** + Generate ML-KEM 512 Key Pair +*/ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_mlkem512_portable_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_df(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_df(copy_of_randomness); } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair_unpacked with 
@@ -194,18 +241,24 @@ const generics - ETA1_RANDOMNESS_SIZE= 192 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae -generate_keypair_unpacked_a8(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_250(uu____0); +generate_keypair_unpacked_bc(uint8_t randomness[64U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_480( + copy_of_randomness); } +/** + Generate ML-KEM 512 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae libcrux_ml_kem_mlkem512_portable_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_a8(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_unpacked_bc(copy_of_randomness); } /** @@ -220,6 +273,11 @@ static bool validate_public_key_e10(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_350(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_04 libcrux_ml_kem_mlkem512_portable_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_be public_key) { core_option_Option_04 uu____0; diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h index 507bc843c..5626a47b6 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem512_portable_H 
@@ -22,29 +22,69 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_mlkem_portable.h" +/** + Decapsulate ML-KEM 512 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem512PrivateKey`] and an + [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); +/** + Decapsulate ML-KEM 512 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem512KeyPairUnpacked`] and an [`MlKem512Ciphertext`]. +*/ void libcrux_ml_kem_mlkem512_portable_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); +/** + Encapsulate ML-KEM 512 + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_ec libcrux_ml_kem_mlkem512_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]); +/** + Encapsulate ML-KEM 512 (unpacked) + + Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem512PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
+*/ tuple_ec libcrux_ml_kem_mlkem512_portable_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_ae *public_key, uint8_t randomness[32U]); +/** + Generate ML-KEM 512 Key Pair +*/ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_mlkem512_portable_generate_key_pair(uint8_t randomness[64U]); +/** + Generate ML-KEM 512 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae libcrux_ml_kem_mlkem512_portable_generate_key_pair_unpacked( uint8_t randomness[64U]); +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_04 libcrux_ml_kem_mlkem512_portable_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_be public_key); diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h index e84654b77..62edf65bc 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem768_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c index 659c863ae..7abc80c7d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "libcrux_mlkem768_avx2.h" @@ -35,18 +35,28 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_1e( +static void decapsulate_3f( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_c41(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_201(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_1e(private_key, ciphertext, ret); + decapsulate_3f(private_key, ciphertext, ret); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_unpacked with const 
@@ -68,17 +78,24 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_unpacked_d5( +static void decapsulate_unpacked_e5( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_231(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b1(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_avx2_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_d5(private_key, ciphertext, ret); + decapsulate_unpacked_e5(private_key, ciphertext, ret); } /** 
@@ -98,24 +115,36 @@ with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_3c encapsulate_d0( +static tuple_3c encapsulate_ec( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_821(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_821(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_d0(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_ec(uu____0, copy_of_randomness); } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_unpacked with const 
@@ -134,25 +163,35 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_3c encapsulate_unpacked_1f( +static tuple_3c encapsulate_unpacked_2b( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c1(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b1( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 (unpacked) + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_1f(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_unpacked_2b(uu____0, copy_of_randomness); } /** 
@@ -166,20 +205,28 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_4e( +static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_c2( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c23(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c23(copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair +*/ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_avx2_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_4e(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_c2(copy_of_randomness); } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair_unpacked with const 
@@ -193,18 +240,24 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 -generate_keypair_unpacked_94(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f1(uu____0); +generate_keypair_unpacked_51(uint8_t randomness[64U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b1( + copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 libcrux_ml_kem_mlkem768_avx2_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_94(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_unpacked_51(copy_of_randomness); } /** @@ -215,14 +268,19 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static bool validate_public_key_e01(uint8_t *public_key) { +static bool validate_public_key_a31(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_cf1(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_92 libcrux_ml_kem_mlkem768_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 public_key) { core_option_Option_92 uu____0; - if (validate_public_key_e01(public_key.value)) { + if (validate_public_key_a31(public_key.value)) { uu____0 = (CLITERAL(core_option_Option_92){.tag = core_option_Some, .f0 = public_key}); } else { 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h index 3feac85db..46c8025c0 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem768_avx2_H 
@@ -22,29 +22,69 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_mlkem_avx2.h" +/** + Decapsulate ML-KEM 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Decapsulate ML-KEM 768 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_avx2_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Encapsulate ML-KEM 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]); +/** + Encapsulate ML-KEM 768 (unpacked) + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
+*/ tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]); +/** + Generate ML-KEM 768 Key Pair +*/ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_avx2_generate_key_pair(uint8_t randomness[64U]); +/** + Generate ML-KEM 768 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 libcrux_ml_kem_mlkem768_avx2_generate_key_pair_unpacked( uint8_t randomness[64U]); +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_92 libcrux_ml_kem_mlkem768_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 public_key); diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_neon.c b/libcrux-ml-kem/c/libcrux_mlkem768_neon.c index 6d20b2d78..1881c272a 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_neon.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_neon.c @@ -7,8 +7,8 @@ * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 - * Libcrux: 23480eeb26f8e66cfa9bd0eb76c65d87fbb91806 + * F*: c3d49544236797e54bfa10f65e4c2b17b543fd30 + * Libcrux: 60b28afb7bf09eeff64f7bd63b12a821496645f2 */ #include "libcrux_mlkem768_neon.h" 
@@ -35,16 +35,16 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_67( +static void decapsulate_e4( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_820(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_5b0(private_key, ciphertext, ret); } void libcrux_ml_kem_mlkem768_neon_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_67(private_key, ciphertext, ret); + decapsulate_e4(private_key, ciphertext, ret); } /** @@ -68,16 +68,17 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_unpacked_70( +static void decapsulate_unpacked_27( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec0(key_pair, ciphertext, ret); + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_a30(key_pair, ciphertext, + ret); } void libcrux_ml_kem_mlkem768_neon_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_70(private_key, ciphertext, ret); + decapsulate_unpacked_27(private_key, ciphertext, ret); } /** @@ -91,13 +92,13 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_3c encapsulate_ea( +static tuple_3c encapsulate_f5( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; 
@@ -112,7 +113,7 @@ tuple_3c libcrux_ml_kem_mlkem768_neon_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_ea(uu____0, uu____1); + return encapsulate_f5(uu____0, uu____1); } /** @@ -133,14 +134,15 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_3c encapsulate_unpacked_29( +static tuple_3c encapsulate_unpacked_1b( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *uu____0 = public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_unpacked_470(uu____0, uu____1); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_ad0(uu____0, + uu____1); } tuple_3c libcrux_ml_kem_mlkem768_neon_encapsulate_unpacked( @@ -150,7 +152,7 @@ tuple_3c libcrux_ml_kem_mlkem768_neon_encapsulate_unpacked( public_key; uint8_t uu____1[32U]; memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_29(uu____0, uu____1); + return encapsulate_unpacked_1b(uu____0, uu____1); } /** @@ -160,11 +162,11 @@ libcrux_ml_kem.ind_cca.instantiations.neon.generate_keypair with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_1b( +static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_c4( uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); 
@@ -175,7 +177,7 @@ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_neon_generate_key_pair(uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_1b(uu____0); + return generate_keypair_c4(uu____0); } /** @@ -191,10 +193,10 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd -generate_keypair_unpacked_42(uint8_t randomness[64U]) { +generate_keypair_unpacked_1e(uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b40(uu____0); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_200(uu____0); } libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd @@ -202,7 +204,7 @@ libcrux_ml_kem_mlkem768_neon_generate_key_pair_unpacked( uint8_t randomness[64U]) { uint8_t uu____0[64U]; memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_42(uu____0); + return generate_keypair_unpacked_1e(uu____0); } /** @@ -213,14 +215,14 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static bool validate_public_key_a30(uint8_t *public_key) { +static bool validate_public_key_ef0(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_7e0(public_key); } core_option_Option_92 libcrux_ml_kem_mlkem768_neon_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 public_key) { core_option_Option_92 uu____0; - if (validate_public_key_a30(public_key.value)) { + if (validate_public_key_ef0(public_key.value)) { uu____0 = (CLITERAL(core_option_Option_92){.tag = core_option_Some, .f0 = public_key}); } else { diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_neon.h b/libcrux-ml-kem/c/libcrux_mlkem768_neon.h index 8182ff91a..1eb060b82 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_neon.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_neon.h 
@@ -7,8 +7,8 @@ * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 - * Libcrux: 23480eeb26f8e66cfa9bd0eb76c65d87fbb91806 + * F*: c3d49544236797e54bfa10f65e4c2b17b543fd30 + * Libcrux: 60b28afb7bf09eeff64f7bd63b12a821496645f2 */ #ifndef __libcrux_mlkem768_neon_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c index 9396f2fb5..bd8699614 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "libcrux_mlkem768_portable.h" 
@@ -35,18 +35,28 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_78( +static void decapsulate_39( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_4f(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_e3(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_78(private_key, ciphertext, ret); + decapsulate_39(private_key, ciphertext, ret); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate_unpacked with const 
@@ -68,17 +78,24 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static void decapsulate_unpacked_bc( +static void decapsulate_unpacked_6b( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_portable_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - decapsulate_unpacked_bc(private_key, ciphertext, ret); + decapsulate_unpacked_6b(private_key, ciphertext, ret); } /** 
@@ -98,24 +115,36 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_3c encapsulate_13( +static tuple_3c encapsulate_4f( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_44(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_44(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_3c libcrux_ml_kem_mlkem768_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_13(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_4f(uu____0, copy_of_randomness); } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate_unpacked with const 
@@ -134,25 +163,35 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static tuple_3c encapsulate_unpacked_c5( +static tuple_3c encapsulate_unpacked_08( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d8(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_84( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 (unpacked) + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ tuple_3c libcrux_ml_kem_mlkem768_portable_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return encapsulate_unpacked_c5(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return encapsulate_unpacked_08(uu____0, copy_of_randomness); } /** 
@@ -169,18 +208,26 @@ generics */ static libcrux_ml_kem_mlkem768_MlKem768KeyPair generate_keypair_ff( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c20(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c20(copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair +*/ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_ff(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_ff(copy_of_randomness); } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair_unpacked with 
@@ -194,18 +241,24 @@ const generics - ETA1_RANDOMNESS_SIZE= 128 */ static libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 -generate_keypair_unpacked_d3(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_25(uu____0); +generate_keypair_unpacked_8b(uint8_t randomness[64U]) { + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_48( + copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 libcrux_ml_kem_mlkem768_portable_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return generate_keypair_unpacked_d3(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return generate_keypair_unpacked_8b(copy_of_randomness); } /** @@ -220,6 +273,11 @@ static bool validate_public_key_e1(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_35(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_92 libcrux_ml_kem_mlkem768_portable_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 public_key) { core_option_Option_92 uu____0; diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h index 717f49e01..1efa41d23 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem768_portable_H 
@@ -22,29 +22,69 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_mlkem_portable.h" +/** + Decapsulate ML-KEM 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Decapsulate ML-KEM 768 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`]. +*/ void libcrux_ml_kem_mlkem768_portable_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); +/** + Encapsulate ML-KEM 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ tuple_3c libcrux_ml_kem_mlkem768_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]); +/** + Encapsulate ML-KEM 768 (unpacked) + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. 
+*/ tuple_3c libcrux_ml_kem_mlkem768_portable_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]); +/** + Generate ML-KEM 768 Key Pair +*/ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]); +/** + Generate ML-KEM 768 Key Pair in "unpacked" form +*/ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 libcrux_ml_kem_mlkem768_portable_generate_key_pair_unpacked( uint8_t randomness[64U]); +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ core_option_Option_92 libcrux_ml_kem_mlkem768_portable_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 public_key); diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c index d6ac877ef..e6f3a05e8 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "internal/libcrux_mlkem_avx2.h" @@ -21,8 +21,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G(Eurydice_slice input, uint8_t ret[64U]) { uint8_t digest[64U] = {0U}; libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); } 
@@ -30,8 +29,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H(Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } @@ -66,7 +64,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array( core_core_arch_x86___m256i v, int16_t ret[16U]) { int16_t output[16U] = {0U}; libcrux_intrinsics_avx2_mm256_storeu_si256_i16( - Eurydice_array_to_slice((size_t)16U, output, int16_t, Eurydice_slice), v); + Eurydice_array_to_slice((size_t)16U, output, int16_t), v); memcpy(ret, output, (size_t)16U * sizeof(int16_t)); } @@ -169,6 +167,10 @@ core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea( return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector); } +/** + See Section 3.2 of the implementation notes document for an explanation + of this code. +*/ KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce( core_core_arch_x86___m256i vector) { 
@@ -651,38 +653,22 @@ KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { core_core_arch_x86___m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t)); + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + 
(int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); core_core_arch_x86___m256i shift_lsb_to_msb = libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, @@ -737,15 +723,13 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( core_core_arch_x86___m128i combined0 = libcrux_intrinsics_avx2_mm256_castsi256_si128(combined); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_slice((size_t)16U, serialized, uint8_t, Eurydice_slice), - combined0); + Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), combined0); uint8_t ret0[8U]; core_result_Result_56 dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, ret0); memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t)); } 
@@ -763,38 +747,22 @@ KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { core_core_arch_x86___m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t)); + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + 
(int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); core_core_arch_x86___m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, 
@@ -858,23 +826,20 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5( core_core_arch_x86___m128i lower_8 = libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined1); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); core_core_arch_x86___m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined1, core_core_arch_x86___m128i); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t), upper_8); uint8_t ret0[10U]; core_result_Result_cd dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[10U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t), + Eurydice_slice, uint8_t[10U]); core_result_unwrap_41_e8(dst, ret0); memcpy(ret, ret0, (size_t)10U * sizeof(uint8_t)); } 
@@ -891,22 +856,22 @@ void libcrux_ml_kem_vector_avx2_serialize_5_ea( KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { core_core_arch_x86___m128i coefficients = libcrux_intrinsics_avx2_mm_set_epi8( - Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t)); + Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + 
Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); core_core_arch_x86___m256i coefficients_loaded = libcrux_intrinsics_avx2_mm256_castsi128_si256(coefficients); core_core_arch_x86___m256i coefficients_loaded0 = @@ -980,23 +945,21 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( core_core_arch_x86___m128i lower_8 = libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); core_core_arch_x86___m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined, core_core_arch_x86___m128i); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, + uint8_t), upper_8); uint8_t ret0[20U]; core_result_Result_7a dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[20U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t), + Eurydice_slice, uint8_t[20U]); core_result_unwrap_41_34(dst, ret0); memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t)); } 
@@ -1021,16 +984,16 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U); core_core_arch_x86___m128i lower_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)0U, (size_t)16U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); core_core_arch_x86___m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( lower_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, 3U, 2U, 2U, 1U, 1U, 0U)); core_core_arch_x86___m128i upper_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)4U, (size_t)20U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t)); core_core_arch_x86___m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8( @@ -1066,11 +1029,10 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11( core_core_arch_x86___m256i vector, uint8_t ret[22U]) { int16_t array[16U] = {0U}; libcrux_intrinsics_avx2_mm256_storeu_si256_i16( - Eurydice_array_to_slice((size_t)16U, array, int16_t, Eurydice_slice), - vector); + Eurydice_array_to_slice((size_t)16U, array, int16_t), vector); libcrux_ml_kem_vector_portable_vector_type_PortableVector input = libcrux_ml_kem_vector_portable_from_i16_array_0d( - Eurydice_array_to_slice((size_t)16U, array, int16_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)16U, array, int16_t)); uint8_t ret0[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(input, ret0); memcpy(ret, ret0, (size_t)22U * sizeof(uint8_t)); 
@@ -1092,7 +1054,7 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_11(Eurydice_slice bytes) { int16_t array[16U]; libcrux_ml_kem_vector_portable_to_i16_array_0d(output, array); return libcrux_intrinsics_avx2_mm256_loadu_si256_i16( - Eurydice_array_to_slice((size_t)16U, array, int16_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)16U, array, int16_t)); } /** @@ -1141,20 +1103,18 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined, core_core_arch_x86___m128i); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)12U, (size_t)28U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)12U, (size_t)28U, + uint8_t), upper_8); uint8_t ret0[24U]; core_result_Result_6f dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)24U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[24U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)24U, uint8_t), + Eurydice_slice, uint8_t[24U]); core_result_unwrap_41_1c(dst, ret0); memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t)); } 
@@ -1179,16 +1139,16 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); core_core_arch_x86___m128i lower_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)0U, (size_t)16U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); core_core_arch_x86___m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( lower_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, 4U, 4U, 3U, 2U, 1U, 1U, 0U)); core_core_arch_x86___m128i upper_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)8U, (size_t)24U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); core_core_arch_x86___m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8( @@ -1239,8 +1199,8 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample( size_t)good[0U]], (size_t)16U * sizeof(uint8_t)); core_core_arch_x86___m128i lower_shuffles0 = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_array_to_slice( - (size_t)16U, lower_shuffles, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); core_core_arch_x86___m128i lower_coefficients = libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients); core_core_arch_x86___m128i lower_coefficients0 = 
@@ -1254,8 +1214,8 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample( size_t)good[1U]], (size_t)16U * sizeof(uint8_t)); core_core_arch_x86___m128i upper_shuffles0 = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_array_to_slice( - (size_t)16U, upper_shuffles, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); core_core_arch_x86___m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, potential_coefficients, core_core_arch_x86___m128i); @@ -1264,8 +1224,7 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample( upper_shuffles0); libcrux_intrinsics_avx2_mm_storeu_si128( Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)8U, int16_t, - Eurydice_slice), + sampled_count + (size_t)8U, int16_t), upper_coefficients0); size_t uu____0 = sampled_count; return uu____0 + (size_t)core_num__u8_6__count_ones(good[1U]); @@ -1320,6 +1279,12 @@ static libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ZERO_89_d5(void) { return lit; } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types 
@@ -1330,13 +1295,10 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 deserialize_to_reduced_ring_element_dd(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); re.coefficients[i0] = @@ -1345,6 +1307,12 @@ deserialize_to_reduced_ring_element_dd(Eurydice_slice serialized) { return re; } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -1359,7 +1327,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d4( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, deserialized_pk[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -1367,7 +1335,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d4( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = deserialize_to_reduced_ring_element_dd(ring_element); deserialized_pk[i0] = uu____0; 
@@ -1383,7 +1351,7 @@ with const generics - SHIFT_BY= 15 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -shift_right_aa(core_core_arch_x86___m256i vector) { +shift_right_a8(core_core_arch_x86___m256i vector) { return libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)15, vector, core_core_arch_x86___m256i); } @@ -1397,9 +1365,9 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_ea with const generics - SHIFT_BY= 15 */ -static core_core_arch_x86___m256i shift_right_ea_e8( +static core_core_arch_x86___m256i shift_right_ea_aa( core_core_arch_x86___m256i vector) { - return shift_right_aa(vector); + return shift_right_a8(vector); } /** @@ -1410,7 +1378,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static core_core_arch_x86___m256i to_unsigned_representative_a4( core_core_arch_x86___m256i a) { - core_core_arch_x86___m256i t = shift_right_ea_e8(a); + core_core_arch_x86___m256i t = shift_right_ea_aa(a); core_core_arch_x86___m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -1434,16 +1402,16 @@ static KRML_MUSTINLINE void serialize_uncompressed_ring_element_92( uint8_t bytes[24U]; libcrux_ml_kem_vector_avx2_serialize_12_ea(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -1456,29 +1424,29 @@ static KRML_MUSTINLINE void serialize_secret_key_ae1( uint8_t ret[1152U]) { uint8_t out[1152U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; serialize_uncompressed_ring_element_92(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -1491,20 +1459,16 @@ static KRML_MUSTINLINE void serialize_public_key_d01( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *t_as_ntt, Eurydice_slice seed_for_a, uint8_t ret[1184U]) { uint8_t public_key_serialized[1184U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_subslice2(public_key_serialized, (size_t)0U, - (size_t)1152U, uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + public_key_serialized, (size_t)0U, (size_t)1152U, uint8_t); uint8_t ret0[1152U]; serialize_secret_key_ae1(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)1184U, public_key_serialized, - (size_t)1152U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)1152U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); } @@ -1520,14 +1484,14 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_cf1(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 deserialized_pk[3U]; deserialize_ring_elements_reduced_5d4( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *uu____0 = deserialized_pk; uint8_t public_key_serialized[1184U]; serialize_public_key_d01( uu____0, Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); 
@@ -1582,11 +1546,10 @@ shake128_init_absorb_final_4d1(uint8_t input[3U][34U]) { libcrux_sha3_generic_keccak_KeccakState_29 state = libcrux_sha3_avx2_x4_incremental_init(); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - &state, - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice)); + &state, Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t)); return state; } @@ -1602,9 +1565,10 @@ generics */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState shake128_init_absorb_final_a9_ca1(uint8_t input[3U][34U]) { - uint8_t uu____0[3U][34U]; - memcpy(uu____0, input, (size_t)3U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_4d1(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[3U][34U]; + memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); + return shake128_init_absorb_final_4d1(copy_of_input); } /** 
@@ -1621,10 +1585,10 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_6b1( uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t), + Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); uint8_t uu____0[504U]; memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); 
@@ -1652,6 +1616,47 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_4d1( shake128_squeeze_first_three_blocks_6b1(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -1670,12 +1675,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_bb3( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -1706,10 +1710,10 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_1b1( uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t), + Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); uint8_t uu____0[168U]; memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); 
@@ -1737,6 +1741,47 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_5a1( shake128_squeeze_next_block_1b1(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -1755,12 +1800,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_bb4( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -1795,8 +1839,7 @@ from_i16_array_89_10(Eurydice_slice a) { size_t i0 = i; result.coefficients[i0] = libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice_subslice2( - a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t, - Eurydice_slice)); + a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t)); } return result; } @@ -1809,8 +1852,8 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_d2 closure_791( int16_t s[272U]) { - return from_i16_array_89_10(Eurydice_array_to_subslice2( - s, (size_t)0U, (size_t)256U, int16_t, Eurydice_slice)); + return from_i16_array_89_10( + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -1824,33 +1867,38 @@ static KRML_MUSTINLINE void sample_from_xof_b01( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { size_t sampled_coefficients[3U] = {0U}; int16_t out[3U][272U] = {{0U}}; - uint8_t uu____0[3U][34U]; - memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = - shake128_init_absorb_final_a9_ca1(uu____0); + shake128_init_absorb_final_a9_ca1(copy_of_seeds); uint8_t randomness0[3U][504U]; shake128_squeeze_first_three_blocks_a9_4d1(&xof_state, randomness0); - uint8_t uu____1[3U][504U]; - memcpy(uu____1, randomness0, (size_t)3U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[3U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U])); bool done = sample_from_uniform_distribution_next_bb3( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; } else { uint8_t randomness[3U][168U]; shake128_squeeze_next_block_a9_5a1(&xof_state, randomness); - uint8_t uu____2[3U][168U]; - memcpy(uu____2, randomness, (size_t)3U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[3U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)3U * sizeof(uint8_t[168U])); done = sample_from_uniform_distribution_next_bb4( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[3U][272U]; - memcpy(uu____3, out, (size_t)3U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[3U][272U]; + memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 
ret0[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = closure_791(uu____3[i]);); + ret0[i] = closure_791(copy_of_out[i]);); memcpy( ret, ret0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); @@ -1870,24 +1918,25 @@ static KRML_MUSTINLINE void sample_matrix_A_a21( closure_b81(A_transpose[i]);); KRML_MAYBE_FOR3( i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[3U][34U]; - memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sampled[3U]; - sample_from_xof_b01(uu____1, sampled); + sample_from_xof_b01(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sample = sampled[j]; 
@@ -1896,7 +1945,9 @@ static KRML_MUSTINLINE void sample_matrix_A_a21( } else { A_transpose[i1][j] = sample; } - }); + } + + ); memcpy(ret, A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); @@ -1927,14 +1978,14 @@ static KRML_MUSTINLINE void PRFxN_1c2(uint8_t (*input)[33U], uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; libcrux_sha3_avx2_x4_shake256( - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t), + Eurydice_array_to_slice((size_t)128U, out3, uint8_t)); uint8_t uu____0[128U]; memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); 
@@ -1962,6 +2013,55 @@ static KRML_MUSTINLINE void PRFxN_a9_512(uint8_t (*input)[33U], PRFxN_1c2(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types 
@@ -1972,24 +2072,22 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sample_from_binomial_distribution_2_c1(Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)4U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)4U, - chunk_number * (size_t)4U + (size_t)4U, uint8_t, Eurydice_slice); + chunk_number * (size_t)4U + (size_t)4U, uint8_t); uint32_t random_bits_as_u32 = (((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 24U; uint32_t even_bits = random_bits_as_u32 & 1431655765U; uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U; @@ -2005,8 +2103,8 @@ sample_from_binomial_distribution_2_c1(Eurydice_slice randomness) { sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_89_10(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return from_i16_array_89_10( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
@@ -2019,21 +2117,19 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sample_from_binomial_distribution_3_43(Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)3U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)3U, - chunk_number * (size_t)3U + (size_t)3U, uint8_t, Eurydice_slice); + chunk_number * (size_t)3U + (size_t)3U, uint8_t); uint32_t random_bits_as_u24 = ((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U; uint32_t first_bits = random_bits_as_u24 & 2396745U; uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U; @@ -2051,8 +2147,8 @@ sample_from_binomial_distribution_3_43(Eurydice_slice randomness) { sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_89_10(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return from_i16_array_89_10( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** @@ -2246,6 +2342,10 @@ static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_b5( poly_barrett_reduce_89_99(re); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -2259,12 +2359,13 @@ static KRML_MUSTINLINE tuple_b00 sample_vector_cbd_then_ntt_151( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, re_as_ntt[i] = ZERO_89_d5();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -2272,23 +2373,49 @@ static KRML_MUSTINLINE tuple_b00 sample_vector_cbd_then_ntt_151( PRFxN_a9_512(prf_inputs, prf_outputs); KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; + re_as_ntt[i0] = sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); ntt_binomially_sampled_ring_element_b5(&re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_re_as_ntt[3U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_b00 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. 
+ + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -2323,6 +2450,10 @@ ntt_multiply_89_48(libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -2337,11 +2468,10 @@ static KRML_MUSTINLINE void add_to_ring_element_89_971( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *rhs) { for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)16U, self->coefficients, - core_core_arch_x86___m256i, Eurydice_slice), - core_core_arch_x86___m256i, size_t); + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)16U, self->coefficients, + core_core_arch_x86___m256i), + core_core_arch_x86___m256i); i++) { size_t i0 = i; self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( @@ -2385,6 +2515,9 @@ static KRML_MUSTINLINE void add_standard_error_reduce_89_ac( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -2400,22 +2533,20 @@ static KRML_MUSTINLINE void compute_As_plus_e_f01( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, result[i] = ZERO_89_d5();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *matrix_element = 
@@ -2431,6 +2562,47 @@ static KRML_MUSTINLINE void compute_As_plus_e_f01( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -2443,9 +2615,9 @@ static tuple_9b0 generate_keypair_unpacked_6c1( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; G_a9_681(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A_transpose[3U][3U]; 
@@ -2455,53 +2627,59 @@ static tuple_9b0 generate_keypair_unpacked_6c1( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b00 uu____2 = sample_vector_cbd_then_ntt_151(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b00 uu____2 = sample_vector_cbd_then_ntt_151(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[3U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_as_ntt[3U]; memcpy( error_as_ntt, - sample_vector_cbd_then_ntt_151(uu____3, domain_separator).fst, + sample_vector_cbd_then_ntt_151(copy_of_prf_input, domain_separator).fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 t_as_ntt[3U]; compute_As_plus_e_f01(A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____4[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[3U]; memcpy( - uu____4, t_as_ntt, + 
copy_of_t_as_ntt, t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____5[3U][3U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A_transpose[3U] + [3U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____7[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[3U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); return (CLITERAL(tuple_9b0){.fst = sk, .snd = pk}); } 
@@ -2519,7 +2697,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static void closure_ee1( +static void closure_451( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, ret[i] = ZERO_89_d5();); @@ -2535,7 +2713,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_d2 clone_d5_6a( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_d2 clone_d5_75( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 lit; core_core_arch_x86___m256i ret[16U]; 
@@ -2573,28 +2751,27 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f1( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b1( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_9b0 uu____0 = generate_keypair_unpacked_6c1(ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 ind_cpa_private_key = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[3U][3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, closure_ee1(A[i]);); + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, closure_451(A[i]);); KRML_MAYBE_FOR3( i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - clone_d5_6a(&ind_cpa_public_key.A[j][i1]); + clone_d5_75(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1;);); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[3U][3U]; memcpy(uu____2, A, 
@@ -2607,33 +2784,36 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f1( serialize_public_key_d01( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; - H_a9_651(Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t, - Eurydice_slice), + H_a9_651(Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + memcpy(lit.public_key.public_key_hash, 
copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -2655,19 +2835,24 @@ static libcrux_ml_kem_utils_extraction_helper_Keypair768 generate_keypair_e11( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 sk = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 pk = uu____0.snd; uint8_t public_key_serialized[1184U]; - serialize_public_key_d01(pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, - uint8_t, Eurydice_slice), - public_key_serialized); + serialize_public_key_d01( + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), + public_key_serialized); uint8_t secret_key_serialized[1152U]; serialize_secret_key_ae1(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[1152U]; - memcpy(uu____1, secret_key_serialized, (size_t)1152U * sizeof(uint8_t)); - uint8_t uu____2[1184U]; - memcpy(uu____2, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1152U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[1184U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, uu____1, (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)1184U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); return lit; } 
@@ -2686,43 +2871,37 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_751( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; H_a9_651(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + 
core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } @@ -2742,12 +2921,11 @@ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_ind_cca_generate_keypair_c23(uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = generate_keypair_e11(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[1152U]; 
@@ -2756,22 +2934,26 @@ libcrux_ml_kem_ind_cca_generate_keypair_c23(uint8_t randomness[64U]) { memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); uint8_t secret_key_serialized[2400U]; serialize_kem_secret_key_751( - Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[2400U]; - memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[2400U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_55 private_key = - libcrux_ml_kem_types_from_e7_a70(uu____1); + libcrux_ml_kem_types_from_e7_a70(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_55 uu____2 = private_key; - uint8_t uu____3[1184U]; - memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c90( - uu____2, libcrux_ml_kem_types_from_07_4c0(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c0(copy_of_public_key)); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -2785,12 +2967,13 @@ sample_ring_element_cbd_471(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_1[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, error_1[i] = ZERO_89_d5();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -2799,16 +2982,17 @@ sample_ring_element_cbd_471(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_error_1[3U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_b00 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; 
@@ -2822,8 +3006,7 @@ with const generics static KRML_MUSTINLINE void PRF_420(Eurydice_slice input, uint8_t ret[128U]) { uint8_t digest[128U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); } @@ -2999,6 +3182,9 @@ static KRML_MUSTINLINE void add_error_reduce_89_91( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -3014,22 +3200,20 @@ static KRML_MUSTINLINE void compute_vector_u_001( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, result[i] = ZERO_89_d5();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *a_element = &row[j]; 
@@ -3073,8 +3257,8 @@ deserialize_then_decompress_message_b9(uint8_t serialized[32U]) { core_core_arch_x86___m256i coefficient_compressed = libcrux_ml_kem_vector_avx2_deserialize_1_ea( Eurydice_array_to_subslice2(serialized, (size_t)2U * i0, - (size_t)2U * i0 + (size_t)2U, uint8_t, - Eurydice_slice)); + (size_t)2U * i0 + (size_t)2U, + uint8_t)); re.coefficients[i0] = decompress_1_91(coefficient_compressed);); return re; } @@ -3110,6 +3294,9 @@ add_message_error_reduce_89_67( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -3139,7 +3326,7 @@ generics - COEFFICIENT_BITS= 10 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -compress_ciphertext_coefficient_e7(core_core_arch_x86___m256i vector) { +compress_ciphertext_coefficient_00(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / @@ -3204,9 +3391,9 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea with const generics - COEFFICIENT_BITS= 10 */ -static core_core_arch_x86___m256i compress_ea_a1( +static core_core_arch_x86___m256i compress_ea_d4( core_core_arch_x86___m256i vector) { - return compress_ciphertext_coefficient_e7(vector); + return compress_ciphertext_coefficient_00(vector); } /** 
@@ -3222,16 +3409,13 @@ static KRML_MUSTINLINE void compress_then_serialize_10_2f( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficient = - compress_ea_a1(to_unsigned_representative_a4(re->coefficients[i0])); + compress_ea_d4(to_unsigned_representative_a4(re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_avx2_serialize_10_ea(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } @@ -3243,7 +3427,7 @@ generics - COEFFICIENT_BITS= 11 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -compress_ciphertext_coefficient_e70(core_core_arch_x86___m256i vector) { +compress_ciphertext_coefficient_000(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / @@ -3308,9 +3492,9 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea with const generics - COEFFICIENT_BITS= 11 */ -static core_core_arch_x86___m256i compress_ea_a10( +static core_core_arch_x86___m256i compress_ea_d40( core_core_arch_x86___m256i vector) { - return compress_ciphertext_coefficient_e70(vector); + return compress_ciphertext_coefficient_000(vector); } /** 
@@ -3327,6 +3511,9 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_b2( memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -3340,25 +3527,21 @@ static void compress_then_serialize_u_841( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 input[3U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t); uint8_t ret[320U]; compress_then_serialize_ring_element_u_b2(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); } } @@ -3369,7 +3552,7 @@ generics - COEFFICIENT_BITS= 4 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -compress_ciphertext_coefficient_e71(core_core_arch_x86___m256i vector) { +compress_ciphertext_coefficient_001(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / 
@@ -3434,9 +3617,9 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea with const generics - COEFFICIENT_BITS= 4 */ -static core_core_arch_x86___m256i compress_ea_a11( +static core_core_arch_x86___m256i compress_ea_d41( core_core_arch_x86___m256i vector) { - return compress_ciphertext_coefficient_e71(vector); + return compress_ciphertext_coefficient_001(vector); } /** @@ -3452,15 +3635,13 @@ static KRML_MUSTINLINE void compress_then_serialize_4_b7( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficient = - compress_ea_a11(to_unsigned_representative_a4(re.coefficients[i0])); + compress_ea_d41(to_unsigned_representative_a4(re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_avx2_serialize_4_ea(coefficient, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); } } @@ -3471,7 +3652,7 @@ generics - COEFFICIENT_BITS= 5 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -compress_ciphertext_coefficient_e72(core_core_arch_x86___m256i vector) { +compress_ciphertext_coefficient_002(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( ((int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS - (int32_t)1) / @@ -3536,9 +3717,9 @@ A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea with const generics - COEFFICIENT_BITS= 5 */ -static core_core_arch_x86___m256i compress_ea_a12( +static core_core_arch_x86___m256i compress_ea_d42( core_core_arch_x86___m256i vector) { - return compress_ciphertext_coefficient_e72(vector); + return compress_ciphertext_coefficient_002(vector); } /** 
@@ -3554,15 +3735,13 @@ static KRML_MUSTINLINE void compress_then_serialize_5_35( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficients = - compress_ea_a12(to_unsigned_representative_a4(re.coefficients[i0])); + compress_ea_d42(to_unsigned_representative_a4(re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_avx2_serialize_5_ea(coefficients, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)10U * i0, - (size_t)10U * i0 + (size_t)10U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)10U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)10U * i0 + (size_t)10U, uint8_t), + Eurydice_array_to_slice((size_t)10U, bytes, uint8_t), uint8_t); } } 
@@ -3578,6 +3757,47 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_39( compress_then_serialize_4_b7(re, out); } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -3600,17 +3820,20 @@ static void encrypt_unpacked_881( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1088U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b00 uu____1 = sample_vector_cbd_then_ntt_151(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b00 uu____1 = sample_vector_cbd_then_ntt_151(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 r_as_ntt[3U]; memcpy( r_as_ntt, uu____1.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b00 uu____3 = sample_ring_element_cbd_471(uu____2, domain_separator0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b00 uu____3 = + sample_ring_element_cbd_471(copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_1[3U]; memcpy( error_1, uu____3.fst, 
@@ -3618,18 +3841,18 @@ static void encrypt_unpacked_881( uint8_t domain_separator = uu____3.snd; prf_input[32U] = domain_separator; uint8_t prf_output[128U]; - PRF_a9_934( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + PRF_a9_934(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_2 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u[3U]; compute_vector_u_001(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message_as_ring_element = - deserialize_then_decompress_message_b9(uu____4); + deserialize_then_decompress_message_b9(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = compute_ring_element_v_711(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -3640,12 +3863,11 @@ static void encrypt_unpacked_881( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); compress_then_serialize_u_841( uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____6 = v; compress_then_serialize_ring_element_v_39( - uu____6, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, + (size_t)960U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); } 
@@ -3667,51 +3889,51 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c1( +tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b1( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; - G_a9_681( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_681(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, 
randomness, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - encrypt_unpacked_881(uu____2, uu____3, pseudorandomness, ciphertext); + encrypt_unpacked_881(uu____2, copy_of_randomness, pseudorandomness, + ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = - libcrux_ml_kem_types_from_15_f50(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f50(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_3c lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } 
@@ -3725,15 +3947,19 @@ with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 3 */ -static KRML_MUSTINLINE void entropy_preprocess_af_e21(Eurydice_slice randomness, +static KRML_MUSTINLINE void entropy_preprocess_af_121(Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -3748,7 +3974,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d3( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, deserialized_pk[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -3756,7 +3982,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d3( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = deserialize_to_reduced_ring_element_dd(ring_element); deserialized_pk[i0] = uu____0; 
@@ -3787,45 +4013,48 @@ static void encrypt_fb1(Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1088U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 t_as_ntt[3U]; deserialize_ring_elements_reduced_5d3( - Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[3U][3U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); sample_matrix_A_a21(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[3U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1[3U][3U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A[3U][3U]; + memcpy(copy_of_A, A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); 
libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[1088U]; - encrypt_unpacked_881(uu____3, uu____4, randomness, ret1); + encrypt_unpacked_881(uu____3, copy_of_message, randomness, ret1); memcpy(ret, ret1, (size_t)1088U * sizeof(uint8_t)); } @@ -3840,13 +4069,11 @@ with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE void kdf_af_501(Eurydice_slice shared_secret, +static KRML_MUSTINLINE void kdf_af_e51(Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -3872,56 +4099,53 @@ tuple_3c libcrux_ml_kem_ind_cca_encapsulate_821( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - entropy_preprocess_af_e21( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + entropy_preprocess_af_121( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; H_a9_651(Eurydice_array_to_slice( (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f20(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; - G_a9_681( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_681(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f20(public_key), uint8_t, - Eurydice_slice); - uint8_t 
uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f20(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - encrypt_fb1(uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + encrypt_fb1(uu____2, copy_of_randomness, pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f50(uu____4); + libcrux_ml_kem_types_from_15_f50(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - kdf_af_501(shared_secret, shared_secret_array); + kdf_af_e51(shared_secret, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_3c lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_3c result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } /** 
@@ -3931,7 +4155,7 @@ generics - COEFFICIENT_BITS= 10 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -decompress_ciphertext_coefficient_e4(core_core_arch_x86___m256i vector) { +decompress_ciphertext_coefficient_e9(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -3994,9 +4218,9 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const generics - COEFFICIENT_BITS= 10 */ -static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_d6( +static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_5d( core_core_arch_x86___m256i vector) { - return decompress_ciphertext_coefficient_e4(vector); + return decompress_ciphertext_coefficient_e9(vector); } /** @@ -4006,19 +4230,16 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_10_a7(Eurydice_slice serialized) { +deserialize_then_decompress_10_f2(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)20U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_ea(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_ea_d6(coefficient); + re.coefficients[i0] = decompress_ciphertext_coefficient_ea_5d(coefficient); } return re; } 
@@ -4030,7 +4251,7 @@ generics - COEFFICIENT_BITS= 11 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -decompress_ciphertext_coefficient_e40(core_core_arch_x86___m256i vector) { +decompress_ciphertext_coefficient_e90(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -4093,9 +4314,9 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const generics - COEFFICIENT_BITS= 11 */ -static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_d60( +static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_5d0( core_core_arch_x86___m256i vector) { - return decompress_ciphertext_coefficient_e40(vector); + return decompress_ciphertext_coefficient_e90(vector); } /** @@ -4105,19 +4326,16 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_11_8d(Eurydice_slice serialized) { +deserialize_then_decompress_11_cb(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)22U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_ea(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_ea_d60(coefficient); + re.coefficients[i0] = decompress_ciphertext_coefficient_ea_5d0(coefficient); } return re; } 
@@ -4129,8 +4347,8 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_ring_element_u_10(Eurydice_slice serialized) { - return deserialize_then_decompress_10_a7(serialized); +deserialize_then_decompress_ring_element_u_52(Eurydice_slice serialized) { + return deserialize_then_decompress_10_f2(serialized); } /** @@ -4139,7 +4357,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - VECTOR_U_COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE void ntt_vector_u_fe( +static KRML_MUSTINLINE void ntt_vector_u_4b( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *re) { size_t zeta_i = (size_t)0U; ntt_at_layer_4_plus_65(&zeta_i, re, (size_t)7U); @@ -4152,6 +4370,10 @@ static KRML_MUSTINLINE void ntt_vector_u_fe( poly_barrett_reduce_89_99(re); } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4160,17 +4382,16 @@ with const generics - CIPHERTEXT_SIZE= 1088 - U_COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE void deserialize_then_decompress_u_b51( +static KRML_MUSTINLINE void deserialize_then_decompress_u_7f1( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, u_as_ntt[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); i++) { 
@@ -4183,11 +4404,9 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_b51( (size_t)10U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - deserialize_then_decompress_ring_element_u_10(u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u_fe(&u_as_ntt[i0]); + uint8_t); + u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_52(u_bytes); + ntt_vector_u_4b(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, @@ -4201,7 +4420,7 @@ generics - COEFFICIENT_BITS= 4 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -decompress_ciphertext_coefficient_e41(core_core_arch_x86___m256i vector) { +decompress_ciphertext_coefficient_e91(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -4264,9 +4483,9 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const generics - COEFFICIENT_BITS= 4 */ -static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_d61( +static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_5d1( core_core_arch_x86___m256i vector) { - return decompress_ciphertext_coefficient_e41(vector); + return decompress_ciphertext_coefficient_e91(vector); } /** 
@@ -4276,18 +4495,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_4_9a(Eurydice_slice serialized) { +deserialize_then_decompress_4_5e(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = ZERO_89_d5(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)8U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_ea(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_ea_d61(coefficient); + re.coefficients[i0] = decompress_ciphertext_coefficient_ea_5d1(coefficient); } return re; } @@ -4299,7 +4516,7 @@ generics - COEFFICIENT_BITS= 5 */ static KRML_MUSTINLINE core_core_arch_x86___m256i -decompress_ciphertext_coefficient_e42(core_core_arch_x86___m256i vector) { +decompress_ciphertext_coefficient_e92(core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -4362,9 +4579,9 @@ libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const generics - COEFFICIENT_BITS= 5 */ -static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_d62( +static core_core_arch_x86___m256i decompress_ciphertext_coefficient_ea_5d2( core_core_arch_x86___m256i vector) { - return decompress_ciphertext_coefficient_e42(vector); + return decompress_ciphertext_coefficient_e92(vector); } /** 
@@ -4374,19 +4591,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_5_75(Eurydice_slice serialized) { +deserialize_then_decompress_5_43(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)10U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_ea(bytes); re.coefficients[i0] = - decompress_ciphertext_coefficient_ea_d62(re.coefficients[i0]); + decompress_ciphertext_coefficient_ea_5d2(re.coefficients[i0]); } return re; } @@ -4398,8 +4612,8 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 4 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_ring_element_v_5b(Eurydice_slice serialized) { - return deserialize_then_decompress_4_9a(serialized); +deserialize_then_decompress_ring_element_v_29(Eurydice_slice serialized) { + return deserialize_then_decompress_4_5e(serialized); } /** @@ -4413,7 +4627,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -subtract_reduce_89_63(libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, +subtract_reduce_89_fe(libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { 
@@ -4428,6 +4642,12 @@ subtract_reduce_89_63(libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4435,7 +4655,7 @@ with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -compute_message_221( +compute_message_751( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *u_as_ntt) { @@ -4445,7 +4665,7 @@ compute_message_221( ntt_multiply_89_48(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_89_971(&result, &product);); invert_ntt_montgomery_571(&result); - result = subtract_reduce_89_63(v, result); + result = subtract_reduce_89_fe(v, result); return result; } @@ -4455,7 +4675,7 @@ libcrux_ml_kem.serialize.compress_then_serialize_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_message_ec( +static KRML_MUSTINLINE void compress_then_serialize_message_07( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; KRML_MAYBE_FOR16( 
@@ -4467,15 +4687,37 @@ static KRML_MUSTINLINE void compress_then_serialize_message_ec( uint8_t bytes[2U]; libcrux_ml_kem_vector_avx2_serialize_1_ea(coefficient_compressed, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *);); + serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), + uint8_t);); memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -4486,20 +4728,19 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_unpacked_8c1( +static void decrypt_unpacked_251( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[3U]; - deserialize_then_decompress_u_b51(ciphertext, u_as_ntt); + deserialize_then_decompress_u_7f1(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = - deserialize_then_decompress_ring_element_v_5b( + deserialize_then_decompress_ring_element_v_29( Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - Eurydice_slice)); + (size_t)960U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message = - compute_message_221(&v, secret_key->secret_as_ntt, u_as_ntt); + compute_message_751(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_ec(message, ret0); + compress_then_serialize_message_07(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -4511,8 +4752,7 @@ with const generics static KRML_MUSTINLINE void PRF_42(Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } 
@@ -4551,65 +4791,61 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_231( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b1( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - decrypt_unpacked_8c1(&key_pair->private_key.ind_cpa_private_key, + decrypt_unpacked_251(&key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; - G_a9_681( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_681(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[1120U]; libcrux_ml_kem_utils_into_padded_array_2d3( - Eurydice_array_to_slice((size_t)32U, - 
key_pair->private_key.implicit_rejection_value, - uint8_t, Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; - PRF_a9_933( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + PRF_a9_933(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), + implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - encrypt_unpacked_881(uu____3, uu____4, pseudorandomness, expected_ciphertext); + encrypt_unpacked_881(uu____3, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), - Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + 
uint8_t), selector, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -4621,35 +4857,35 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_to_uncompressed_ring_element_63(Eurydice_slice serialized) { +deserialize_to_uncompressed_ring_element_c7(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); } return re; } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ -static KRML_MUSTINLINE void deserialize_secret_key_201( +static KRML_MUSTINLINE void deserialize_secret_key_051( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, secret_as_ntt[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; 
@@ -4657,9 +4893,9 @@ static KRML_MUSTINLINE void deserialize_secret_key_201( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - deserialize_to_uncompressed_ring_element_63(secret_bytes); + deserialize_to_uncompressed_ring_element_c7(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( @@ -4677,21 +4913,22 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_391(Eurydice_slice secret_key, uint8_t *ciphertext, +static void decrypt_841(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[3U]; - deserialize_secret_key_201(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[3U]; + deserialize_secret_key_051(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[3U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t ret0[32U]; - decrypt_unpacked_8c1(&secret_key_unpacked, ciphertext, ret0); + decrypt_unpacked_251(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -4717,41 +4954,37 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_c41( +void libcrux_ml_kem_ind_cca_decapsulate_201( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t), (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - decrypt_391(ind_cpa_secret_key, ciphertext->value, decrypted); + decrypt_841(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - 
ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; - G_a9_681( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_681(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -4760,38 +4993,44 @@ void libcrux_ml_kem_ind_cca_decapsulate_c41( libcrux_ml_kem_utils_into_padded_array_2d3(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; - PRF_a9_933( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); + PRF_a9_933(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - encrypt_fb1(uu____5, uu____6, pseudorandomness, expected_ciphertext); + encrypt_fb1(uu____5, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - kdf_af_501( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + kdf_af_e51(Eurydice_array_to_slice( + (size_t)32U, implicit_rejection_shared_secret0, uint8_t), + implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - kdf_af_501(shared_secret0, shared_secret1); + kdf_af_e51(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), - Eurydice_array_to_slice((size_t)1088U, 
expected_ciphertext, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -4806,7 +5045,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d2( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, deserialized_pk[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -4814,7 +5053,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d2( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = deserialize_to_reduced_ring_element_dd(ring_element); deserialized_pk[i0] = uu____0; 
@@ -4824,6 +5063,9 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d2( (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4836,29 +5078,29 @@ static KRML_MUSTINLINE void serialize_secret_key_ae0( uint8_t ret[1536U]) { uint8_t out[1536U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; serialize_uncompressed_ring_element_92(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1536U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -4871,20 +5113,16 @@ static KRML_MUSTINLINE void serialize_public_key_d00( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *t_as_ntt, Eurydice_slice seed_for_a, uint8_t ret[1568U]) { uint8_t public_key_serialized[1568U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_subslice2(public_key_serialized, (size_t)0U, - (size_t)1536U, uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + public_key_serialized, (size_t)0U, (size_t)1536U, uint8_t); uint8_t ret0[1536U]; serialize_secret_key_ae0(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1536U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)1536U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)1568U, public_key_serialized, - (size_t)1536U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)1536U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); } @@ -4900,14 +5138,14 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_cf0(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 deserialized_pk[4U]; deserialize_ring_elements_reduced_5d2( Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *uu____0 = deserialized_pk; uint8_t public_key_serialized[1568U]; serialize_public_key_d00( uu____0, Eurydice_array_to_subslice_from((size_t)1568U, public_key, (size_t)1536U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1568U, public_key, public_key_serialized, uint8_t, uint8_t, bool); 
@@ -4962,11 +5200,10 @@ shake128_init_absorb_final_4d0(uint8_t input[4U][34U]) { libcrux_sha3_generic_keccak_KeccakState_29 state = libcrux_sha3_avx2_x4_incremental_init(); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - &state, - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[3U], uint8_t, Eurydice_slice)); + &state, Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[3U], uint8_t)); return state; } @@ -4982,9 +5219,10 @@ generics */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState shake128_init_absorb_final_a9_ca0(uint8_t input[4U][34U]) { - uint8_t uu____0[4U][34U]; - memcpy(uu____0, input, (size_t)4U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_4d0(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[4U][34U]; + memcpy(copy_of_input, input, (size_t)4U * sizeof(uint8_t[34U])); + return shake128_init_absorb_final_4d0(copy_of_input); } /** 
@@ -5001,10 +5239,10 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_6b0( uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t), + Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); uint8_t uu____0[504U]; memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); 
@@ -5035,6 +5273,47 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_4d0( shake128_squeeze_first_three_blocks_6b0(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -5053,12 +5332,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_bb1( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -5089,10 +5367,10 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_1b0( uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t), + Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); uint8_t uu____0[168U]; memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); 
@@ -5123,6 +5401,47 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_5a0( shake128_squeeze_next_block_1b0(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -5141,12 +5460,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_bb2( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -5171,8 +5489,8 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_d2 closure_790( int16_t s[272U]) { - return from_i16_array_89_10(Eurydice_array_to_subslice2( - s, (size_t)0U, (size_t)256U, int16_t, Eurydice_slice)); + return from_i16_array_89_10( + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -5186,33 +5504,38 @@ static KRML_MUSTINLINE void sample_from_xof_b00( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[4U]) { size_t sampled_coefficients[4U] = {0U}; int16_t out[4U][272U] = {{0U}}; - uint8_t uu____0[4U][34U]; - memcpy(uu____0, seeds, (size_t)4U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[4U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = - shake128_init_absorb_final_a9_ca0(uu____0); + shake128_init_absorb_final_a9_ca0(copy_of_seeds); uint8_t randomness0[4U][504U]; shake128_squeeze_first_three_blocks_a9_4d0(&xof_state, randomness0); - uint8_t uu____1[4U][504U]; - memcpy(uu____1, randomness0, (size_t)4U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[4U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)4U * sizeof(uint8_t[504U])); bool done = sample_from_uniform_distribution_next_bb1( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; } else { uint8_t randomness[4U][168U]; shake128_squeeze_next_block_a9_5a0(&xof_state, randomness); - uint8_t uu____2[4U][168U]; - memcpy(uu____2, randomness, (size_t)4U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[4U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)4U * sizeof(uint8_t[168U])); done = sample_from_uniform_distribution_next_bb2( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[4U][272U]; - memcpy(uu____3, out, (size_t)4U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[4U][272U]; + memcpy(copy_of_out, out, (size_t)4U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 
ret0[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - ret0[i] = closure_790(uu____3[i]);); + ret0[i] = closure_790(copy_of_out[i]);); memcpy( ret, ret0, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); @@ -5232,24 +5555,25 @@ static KRML_MUSTINLINE void sample_matrix_A_a20( closure_b80(A_transpose[i]);); KRML_MAYBE_FOR4( i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[4U][34U]; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[4U][34U]; - memcpy(uu____1, seeds, (size_t)4U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[4U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sampled[4U]; - sample_from_xof_b00(uu____1, sampled); + sample_from_xof_b00(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sample = sampled[j]; 
@@ -5258,7 +5582,9 @@ static KRML_MUSTINLINE void sample_matrix_A_a20( } else { A_transpose[i1][j] = sample; } - }); + } + + ); memcpy(ret, A_transpose, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U])); @@ -5289,14 +5615,14 @@ static KRML_MUSTINLINE void PRFxN_1c1(uint8_t (*input)[33U], uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; libcrux_sha3_avx2_x4_shake256( - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[3U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[3U], uint8_t), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t), + Eurydice_array_to_slice((size_t)128U, out3, uint8_t)); uint8_t uu____0[128U]; memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); @@ -5327,6 +5653,10 @@ static KRML_MUSTINLINE void PRFxN_a9_511(uint8_t (*input)[33U], PRFxN_1c1(input, ret); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -5340,12 +5670,13 @@ static KRML_MUSTINLINE tuple_71 sample_vector_cbd_then_ntt_150( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, re_as_ntt[i] = ZERO_89_d5();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[4U][33U]; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -5353,23 +5684,26 @@ static KRML_MUSTINLINE tuple_71 sample_vector_cbd_then_ntt_150( PRFxN_a9_511(prf_inputs, prf_outputs); KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; + re_as_ntt[i0] = sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); ntt_binomially_sampled_ring_element_b5(&re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_re_as_ntt[4U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_71 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -5384,11 +5718,10 @@ static KRML_MUSTINLINE void add_to_ring_element_89_970( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *rhs) { for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)16U, self->coefficients, - core_core_arch_x86___m256i, Eurydice_slice), - core_core_arch_x86___m256i, size_t); + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)16U, self->coefficients, + core_core_arch_x86___m256i), + core_core_arch_x86___m256i); i++) { size_t i0 = i; self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( 
@@ -5396,6 +5729,9 @@ static KRML_MUSTINLINE void add_to_ring_element_89_970( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5411,22 +5747,20 @@ static KRML_MUSTINLINE void compute_As_plus_e_f00( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, result[i] = ZERO_89_d5();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *matrix_element = 
@@ -5442,6 +5776,47 @@ static KRML_MUSTINLINE void compute_As_plus_e_f00( (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -5454,9 +5829,9 @@ static tuple_54 generate_keypair_unpacked_6c0( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; G_a9_680(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A_transpose[4U][4U]; 
@@ -5466,53 +5841,59 @@ static tuple_54 generate_keypair_unpacked_6c0( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_71 uu____2 = sample_vector_cbd_then_ntt_150(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_71 uu____2 = sample_vector_cbd_then_ntt_150(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[4U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_as_ntt[4U]; memcpy( error_as_ntt, - sample_vector_cbd_then_ntt_150(uu____3, domain_separator).fst, + sample_vector_cbd_then_ntt_150(copy_of_prf_input, domain_separator).fst, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 t_as_ntt[4U]; compute_As_plus_e_f00(A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____4[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[4U]; memcpy( - uu____4, t_as_ntt, + 
copy_of_t_as_ntt, t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____5[4U][4U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A_transpose[4U] + [4U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____7[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[4U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_01 sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); return (CLITERAL(tuple_54){.fst = sk, .snd = pk}); } 
@@ -5530,7 +5911,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static void closure_ee0( +static void closure_450( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[4U]) { KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, ret[i] = ZERO_89_d5();); 
@@ -5563,28 +5944,27 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f0( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b0( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_54 uu____0 = generate_keypair_unpacked_6c0(ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_01 ind_cpa_private_key = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[4U][4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, closure_ee0(A[i]);); + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, closure_450(A[i]);); KRML_MAYBE_FOR4( i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - clone_d5_6a(&ind_cpa_public_key.A[j][i1]); + clone_d5_75(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1;);); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[4U][4U]; memcpy(uu____2, A, 
@@ -5597,33 +5977,36 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f0( serialize_public_key_d00( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; - H_a9_650(Eurydice_array_to_slice((size_t)1568U, pk_serialized, uint8_t, - Eurydice_slice), + H_a9_650(Eurydice_array_to_slice((size_t)1568U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_01 uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_01 uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + memcpy(lit.public_key.public_key_hash, 
copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -5645,19 +6028,24 @@ static libcrux_ml_kem_utils_extraction_helper_Keypair1024 generate_keypair_e10( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_01 sk = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 pk = uu____0.snd; uint8_t public_key_serialized[1568U]; - serialize_public_key_d00(pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, - uint8_t, Eurydice_slice), - public_key_serialized); + serialize_public_key_d00( + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), + public_key_serialized); uint8_t secret_key_serialized[1536U]; serialize_secret_key_ae0(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[1536U]; - memcpy(uu____1, secret_key_serialized, (size_t)1536U * sizeof(uint8_t)); - uint8_t uu____2[1568U]; - memcpy(uu____2, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1536U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1536U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[1568U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair1024 lit; - memcpy(lit.fst, uu____1, (size_t)1536U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)1568U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)1536U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)1568U * sizeof(uint8_t)); return lit; } 
@@ -5676,43 +6064,37 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_750( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; H_a9_650(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + 
core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)3168U * sizeof(uint8_t)); } @@ -5732,12 +6114,11 @@ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_ind_cca_generate_keypair_c22(uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair1024 uu____0 = generate_keypair_e10(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[1536U]; 
@@ -5746,22 +6127,26 @@ libcrux_ml_kem_ind_cca_generate_keypair_c22(uint8_t randomness[64U]) { memcpy(public_key, uu____0.snd, (size_t)1568U * sizeof(uint8_t)); uint8_t secret_key_serialized[3168U]; serialize_kem_secret_key_750( - Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[3168U]; - memcpy(uu____1, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[3168U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_95 private_key = - libcrux_ml_kem_types_from_e7_a71(uu____1); + libcrux_ml_kem_types_from_e7_a71(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_95 uu____2 = private_key; - uint8_t uu____3[1568U]; - memcpy(uu____3, public_key, (size_t)1568U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1568U]; + memcpy(copy_of_public_key, public_key, (size_t)1568U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c91( - uu____2, libcrux_ml_kem_types_from_07_4c1(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c1(copy_of_public_key)); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -5775,12 +6160,13 @@ sample_ring_element_cbd_470(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_1[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, error_1[i] = ZERO_89_d5();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[4U][33U]; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -5789,16 +6175,17 @@ sample_ring_element_cbd_470(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_error_1[4U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_71 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; 
@@ -5839,6 +6226,9 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_570( poly_barrett_reduce_89_99(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5854,22 +6244,20 @@ static KRML_MUSTINLINE void compute_vector_u_000( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, result[i] = ZERO_89_d5();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *a_element = &row[j]; @@ -5885,6 +6273,9 @@ static KRML_MUSTINLINE void compute_vector_u_000( (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -5920,16 +6311,13 @@ static KRML_MUSTINLINE void compress_then_serialize_11_d10( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficient = - compress_ea_a10(to_unsigned_representative_a4(re->coefficients[i0])); + compress_ea_d40(to_unsigned_representative_a4(re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_avx2_serialize_11_ea(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)22U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)22U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)352U * sizeof(uint8_t)); } @@ -5948,6 +6336,9 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_b20( memcpy(ret, uu____0, (size_t)352U * sizeof(uint8_t)); } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -5961,25 +6352,21 @@ static void compress_then_serialize_u_840( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 input[4U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)1408U / (size_t)4U), - (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U), uint8_t); uint8_t ret[352U]; compress_then_serialize_ring_element_u_b20(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)352U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)352U, ret, uint8_t), uint8_t); } } 
@@ -5995,6 +6382,47 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_390( compress_then_serialize_5_35(re, out); } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -6017,17 +6445,20 @@ static void encrypt_unpacked_880( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1568U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_71 uu____1 = sample_vector_cbd_then_ntt_150(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_71 uu____1 = sample_vector_cbd_then_ntt_150(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 r_as_ntt[4U]; memcpy( r_as_ntt, uu____1.fst, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_71 uu____3 = sample_ring_element_cbd_470(uu____2, domain_separator0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_71 uu____3 = + sample_ring_element_cbd_470(copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_1[4U]; memcpy( error_1, uu____3.fst, 
@@ -6035,18 +6466,18 @@ static void encrypt_unpacked_880( uint8_t domain_separator = uu____3.snd; prf_input[32U] = domain_separator; uint8_t prf_output[128U]; - PRF_a9_932( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + PRF_a9_932(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_2 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u[4U]; compute_vector_u_000(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message_as_ring_element = - deserialize_then_decompress_message_b9(uu____4); + deserialize_then_decompress_message_b9(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = compute_ring_element_v_710(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -6056,14 +6487,12 @@ static void encrypt_unpacked_880( uu____5, u, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); compress_then_serialize_u_840( - uu____5, - Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)1408U, - uint8_t, Eurydice_slice)); + uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, + (size_t)1408U, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____6 = v; compress_then_serialize_ring_element_v_390( - uu____6, - Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, (size_t)1408U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, + (size_t)1408U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)1568U * sizeof(uint8_t)); } 
@@ -6085,51 +6514,51 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c0( +tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b0( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_01 *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; - G_a9_680( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_680(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, 
randomness, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1568U]; - encrypt_unpacked_880(uu____2, uu____3, pseudorandomness, ciphertext); + encrypt_unpacked_880(uu____2, copy_of_randomness, pseudorandomness, + ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[1568U]; - memcpy(uu____4, ciphertext, (size_t)1568U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1568U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext uu____5 = - libcrux_ml_kem_types_from_15_f51(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f51(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_21 lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } 
@@ -6143,15 +6572,19 @@ with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 4 */ -static KRML_MUSTINLINE void entropy_preprocess_af_e20(Eurydice_slice randomness, +static KRML_MUSTINLINE void entropy_preprocess_af_120(Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6166,7 +6599,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d1( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, deserialized_pk[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -6174,7 +6607,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d1( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = deserialize_to_reduced_ring_element_dd(ring_element); deserialized_pk[i0] = uu____0; 
@@ -6205,45 +6638,48 @@ static void encrypt_fb0(Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1568U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 t_as_ntt[4U]; deserialize_ring_elements_reduced_5d1( - Eurydice_slice_subslice_to(public_key, (size_t)1536U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)1536U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1536U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)1536U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[4U][4U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); sample_matrix_A_a20(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[4U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1[4U][4U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A[4U][4U]; + memcpy(copy_of_A, A, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); 
libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[4U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[1568U]; - encrypt_unpacked_880(uu____3, uu____4, randomness, ret1); + encrypt_unpacked_880(uu____3, copy_of_message, randomness, ret1); memcpy(ret, ret1, (size_t)1568U * sizeof(uint8_t)); } @@ -6258,13 +6694,11 @@ with const generics - K= 4 - CIPHERTEXT_SIZE= 1568 */ -static KRML_MUSTINLINE void kdf_af_500(Eurydice_slice shared_secret, +static KRML_MUSTINLINE void kdf_af_e50(Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -6290,56 +6724,53 @@ tuple_21 libcrux_ml_kem_ind_cca_encapsulate_820( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - entropy_preprocess_af_e20( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + entropy_preprocess_af_120( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; H_a9_650(Eurydice_array_to_slice( (size_t)1568U, libcrux_ml_kem_types_as_slice_f6_f21(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; - G_a9_680( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_680(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1568U, libcrux_ml_kem_types_as_slice_f6_f21(public_key), uint8_t, - Eurydice_slice); - uint8_t 
uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1568U, libcrux_ml_kem_types_as_slice_f6_f21(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1568U]; - encrypt_fb0(uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t uu____4[1568U]; - memcpy(uu____4, ciphertext, (size_t)1568U * sizeof(uint8_t)); + encrypt_fb0(uu____2, copy_of_randomness, pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1568U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f51(uu____4); + libcrux_ml_kem_types_from_15_f51(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - kdf_af_500(shared_secret, shared_secret_array); + kdf_af_e50(shared_secret, shared_secret_array); libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_21 lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_21 result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } /** 
@@ -6349,8 +6780,8 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 11 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_ring_element_u_100(Eurydice_slice serialized) { - return deserialize_then_decompress_11_8d(serialized); +deserialize_then_decompress_ring_element_u_520(Eurydice_slice serialized) { + return deserialize_then_decompress_11_cb(serialized); } /** @@ -6359,7 +6790,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - VECTOR_U_COMPRESSION_FACTOR= 11 */ -static KRML_MUSTINLINE void ntt_vector_u_fe0( +static KRML_MUSTINLINE void ntt_vector_u_4b0( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *re) { size_t zeta_i = (size_t)0U; ntt_at_layer_4_plus_65(&zeta_i, re, (size_t)7U); @@ -6372,6 +6803,10 @@ static KRML_MUSTINLINE void ntt_vector_u_fe0( poly_barrett_reduce_89_99(re); } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6380,17 +6815,16 @@ with const generics - CIPHERTEXT_SIZE= 1568 - U_COMPRESSION_FACTOR= 11 */ -static KRML_MUSTINLINE void deserialize_then_decompress_u_b50( +static KRML_MUSTINLINE void deserialize_then_decompress_u_7f0( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, u_as_ntt[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U); i++) { 
@@ -6403,11 +6837,9 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_b50( (size_t)11U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - deserialize_then_decompress_ring_element_u_100(u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u_fe0(&u_as_ntt[i0]); + uint8_t); + u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_520(u_bytes); + ntt_vector_u_4b0(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, @@ -6421,10 +6853,16 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - COMPRESSION_FACTOR= 5 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -deserialize_then_decompress_ring_element_v_5b0(Eurydice_slice serialized) { - return deserialize_then_decompress_5_75(serialized); +deserialize_then_decompress_ring_element_v_290(Eurydice_slice serialized) { + return deserialize_then_decompress_5_43(serialized); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6432,7 +6870,7 @@ with const generics - K= 4 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -compute_message_220( +compute_message_750( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *u_as_ntt) { 
@@ -6442,10 +6880,34 @@ compute_message_220( ntt_multiply_89_48(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_89_970(&result, &product);); invert_ntt_montgomery_570(&result); - result = subtract_reduce_89_63(v, result); + result = subtract_reduce_89_fe(v, result); return result; } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -6456,20 +6918,19 @@ with const generics - U_COMPRESSION_FACTOR= 11 - V_COMPRESSION_FACTOR= 5 */ -static void decrypt_unpacked_8c0( +static void decrypt_unpacked_250( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_01 *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[4U]; - deserialize_then_decompress_u_b50(ciphertext, u_as_ntt); + deserialize_then_decompress_u_7f0(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = - deserialize_then_decompress_ring_element_v_5b0( + deserialize_then_decompress_ring_element_v_290( Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, - (size_t)1408U, uint8_t, size_t, - Eurydice_slice)); + (size_t)1408U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message = - compute_message_220(&v, secret_key->secret_as_ntt, u_as_ntt); + compute_message_750(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_ec(message, ret0); + compress_then_serialize_message_07(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -6508,84 +6969,83 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_230( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b0( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_01 *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - decrypt_unpacked_8c0(&key_pair->private_key.ind_cpa_private_key, + decrypt_unpacked_250(&key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; - G_a9_680( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_680(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[1600U]; libcrux_ml_kem_utils_into_padded_array_2d4( - Eurydice_array_to_slice((size_t)32U, - 
key_pair->private_key.implicit_rejection_value, - uint8_t, Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; - PRF_a9_931( - Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + PRF_a9_931(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), + implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_01 *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1568U]; - encrypt_unpacked_880(uu____3, uu____4, pseudorandomness, expected_ciphertext); + encrypt_unpacked_880(uu____3, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), - Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + 
uint8_t), selector, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 4 */ -static KRML_MUSTINLINE void deserialize_secret_key_200( +static KRML_MUSTINLINE void deserialize_secret_key_050( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, secret_as_ntt[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -6593,9 +7053,9 @@ static KRML_MUSTINLINE void deserialize_secret_key_200( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - deserialize_to_uncompressed_ring_element_63(secret_bytes); + deserialize_to_uncompressed_ring_element_c7(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( 
@@ -6613,21 +7073,22 @@ with const generics - U_COMPRESSION_FACTOR= 11 - V_COMPRESSION_FACTOR= 5 */ -static void decrypt_390(Eurydice_slice secret_key, uint8_t *ciphertext, +static void decrypt_840(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[4U]; - deserialize_secret_key_200(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[4U]; + deserialize_secret_key_050(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[4U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_01 secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t ret0[32U]; - decrypt_unpacked_8c0(&secret_key_unpacked, ciphertext, ret0); + decrypt_unpacked_250(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -6653,42 +7114,38 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_c40( +void libcrux_ml_kem_ind_cca_decapsulate_200( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)3168U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)3168U, private_key->value, uint8_t), (size_t)1536U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1568U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - decrypt_390(ind_cpa_secret_key, ciphertext->value, decrypted); + decrypt_840(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - 
ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; - G_a9_680( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_680(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -6697,38 +7154,44 @@ void libcrux_ml_kem_ind_cca_decapsulate_c40( libcrux_ml_kem_utils_into_padded_array_2d4(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; - PRF_a9_931( - Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); + PRF_a9_931(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1568U]; - encrypt_fb0(uu____5, uu____6, pseudorandomness, expected_ciphertext); + encrypt_fb0(uu____5, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - kdf_af_500( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + kdf_af_e50(Eurydice_array_to_slice( + (size_t)32U, implicit_rejection_shared_secret0, uint8_t), + implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - kdf_af_500(shared_secret0, shared_secret1); + kdf_af_e50(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), - Eurydice_array_to_slice((size_t)1568U, 
expected_ciphertext, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6743,7 +7206,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d0( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, deserialized_pk[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -6751,7 +7214,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d0( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = deserialize_to_reduced_ring_element_dd(ring_element); deserialized_pk[i0] = uu____0; 
@@ -6761,6 +7224,9 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d0( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6773,29 +7239,29 @@ static KRML_MUSTINLINE void serialize_secret_key_ae( uint8_t ret[768U]) { uint8_t out[768U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; serialize_uncompressed_ring_element_92(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)768U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -6809,18 +7275,15 @@ static KRML_MUSTINLINE void serialize_public_key_d0( Eurydice_slice seed_for_a, uint8_t ret[800U]) { uint8_t public_key_serialized[800U] = {0U}; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - public_key_serialized, (size_t)0U, (size_t)768U, uint8_t, Eurydice_slice); + public_key_serialized, (size_t)0U, (size_t)768U, uint8_t); uint8_t ret0[768U]; serialize_secret_key_ae(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)768U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)768U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)800U, public_key_serialized, - (size_t)768U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)768U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)800U * sizeof(uint8_t)); } @@ -6836,14 +7299,14 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_cf(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 deserialized_pk[2U]; deserialize_ring_elements_reduced_5d0( Eurydice_array_to_subslice_to((size_t)800U, public_key, (size_t)768U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *uu____0 = deserialized_pk; uint8_t public_key_serialized[800U]; serialize_public_key_d0( uu____0, Eurydice_array_to_subslice_from((size_t)800U, public_key, (size_t)768U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)800U, public_key, public_key_serialized, uint8_t, uint8_t, bool); 
@@ -6898,11 +7361,10 @@ shake128_init_absorb_final_4d(uint8_t input[2U][34U]) { libcrux_sha3_generic_keccak_KeccakState_29 state = libcrux_sha3_avx2_x4_incremental_init(); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - &state, - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice)); + &state, Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t)); return state; } @@ -6918,9 +7380,10 @@ generics */ static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState shake128_init_absorb_final_a9_ca(uint8_t input[2U][34U]) { - uint8_t uu____0[2U][34U]; - memcpy(uu____0, input, (size_t)2U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_4d(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[2U][34U]; + memcpy(copy_of_input, input, (size_t)2U * sizeof(uint8_t[34U])); + return shake128_init_absorb_final_4d(copy_of_input); } /** 
@@ -6937,10 +7400,10 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_6b( uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t), + Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); uint8_t uu____0[504U]; memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); 
@@ -6965,6 +7428,47 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_a9_4d( shake128_squeeze_first_three_blocks_6b(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -6983,12 +7487,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_bb( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -7019,10 +7522,10 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_1b( uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t), + Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); uint8_t uu____0[168U]; memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); 
@@ -7047,6 +7550,47 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_a9_5a( shake128_squeeze_next_block_1b(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -7065,12 +7609,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_bb0( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -7095,8 +7638,8 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_d2 closure_79( int16_t s[272U]) { - return from_i16_array_89_10(Eurydice_array_to_subslice2( - s, (size_t)0U, (size_t)256U, int16_t, Eurydice_slice)); + return from_i16_array_89_10( + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -7110,33 +7653,38 @@ static KRML_MUSTINLINE void sample_from_xof_b0( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[2U]) { size_t sampled_coefficients[2U] = {0U}; int16_t out[2U][272U] = {{0U}}; - uint8_t uu____0[2U][34U]; - memcpy(uu____0, seeds, (size_t)2U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[2U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = - shake128_init_absorb_final_a9_ca(uu____0); + shake128_init_absorb_final_a9_ca(copy_of_seeds); uint8_t randomness0[2U][504U]; shake128_squeeze_first_three_blocks_a9_4d(&xof_state, randomness0); - uint8_t uu____1[2U][504U]; - memcpy(uu____1, randomness0, (size_t)2U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[2U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)2U * sizeof(uint8_t[504U])); bool done = sample_from_uniform_distribution_next_bb( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; } else { uint8_t randomness[2U][168U]; shake128_squeeze_next_block_a9_5a(&xof_state, randomness); - uint8_t uu____2[2U][168U]; - memcpy(uu____2, randomness, (size_t)2U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[2U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)2U * sizeof(uint8_t[168U])); done = sample_from_uniform_distribution_next_bb0( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[2U][272U]; - memcpy(uu____3, out, (size_t)2U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[2U][272U]; + memcpy(copy_of_out, out, (size_t)2U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret0[2U]; 
KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - ret0[i] = closure_79(uu____3[i]);); + ret0[i] = closure_79(copy_of_out[i]);); memcpy( ret, ret0, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); @@ -7156,24 +7704,25 @@ static KRML_MUSTINLINE void sample_matrix_A_a2( closure_b8(A_transpose[i]);); KRML_MAYBE_FOR2( i0, (size_t)0U, (size_t)2U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[2U][34U]; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[2U][34U]; - memcpy(uu____1, seeds, (size_t)2U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[2U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sampled[2U]; - sample_from_xof_b0(uu____1, sampled); + sample_from_xof_b0(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sample = sampled[j]; 
@@ -7182,7 +7731,9 @@ static KRML_MUSTINLINE void sample_matrix_A_a2( } else { A_transpose[i1][j] = sample; } - }); + } + + ); memcpy(ret, A_transpose, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U])); @@ -7213,14 +7764,14 @@ static KRML_MUSTINLINE void PRFxN_1c(uint8_t (*input)[33U], uint8_t out2[192U] = {0U}; uint8_t out3[192U] = {0U}; libcrux_sha3_avx2_x4_shake256( - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)192U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)192U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)192U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)192U, out3, uint8_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)192U, out0, uint8_t), + Eurydice_array_to_slice((size_t)192U, out1, uint8_t), + Eurydice_array_to_slice((size_t)192U, out2, uint8_t), + Eurydice_array_to_slice((size_t)192U, out3, uint8_t)); uint8_t uu____0[192U]; memcpy(uu____0, out0, (size_t)192U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)192U * sizeof(uint8_t)); 
@@ -7256,6 +7807,10 @@ sample_from_binomial_distribution_47(Eurydice_slice randomness) { return sample_from_binomial_distribution_3_43(randomness); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -7269,12 +7824,13 @@ static KRML_MUSTINLINE tuple_74 sample_vector_cbd_then_ntt_15( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, re_as_ntt[i] = ZERO_89_d5();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[2U][33U]; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -7282,23 +7838,26 @@ static KRML_MUSTINLINE tuple_74 sample_vector_cbd_then_ntt_15( PRFxN_a9_51(prf_inputs, prf_outputs); KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - sample_from_binomial_distribution_47(Eurydice_array_to_slice( - (size_t)192U, prf_outputs[i0], uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; + re_as_ntt[i0] = sample_from_binomial_distribution_47( + Eurydice_array_to_slice((size_t)192U, prf_outputs[i0], uint8_t)); ntt_binomially_sampled_ring_element_b5(&re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_re_as_ntt[2U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_74 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -7313,11 +7872,10 @@ static KRML_MUSTINLINE void add_to_ring_element_89_97( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *rhs) { for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)16U, self->coefficients, - core_core_arch_x86___m256i, Eurydice_slice), - core_core_arch_x86___m256i, size_t); + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)16U, self->coefficients, + core_core_arch_x86___m256i), + core_core_arch_x86___m256i); i++) { size_t i0 = i; self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( 
@@ -7325,6 +7883,9 @@ static KRML_MUSTINLINE void add_to_ring_element_89_97( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -7340,22 +7901,20 @@ static KRML_MUSTINLINE void compute_As_plus_e_f0( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, result[i] = ZERO_89_d5();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *matrix_element = 
@@ -7371,6 +7930,47 @@ static KRML_MUSTINLINE void compute_As_plus_e_f0( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -7383,9 +7983,9 @@ static tuple_4c generate_keypair_unpacked_6c( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; G_a9_68(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A_transpose[2U][2U]; 
@@ -7395,53 +7995,59 @@ static tuple_4c generate_keypair_unpacked_6c( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_74 uu____2 = sample_vector_cbd_then_ntt_15(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_74 uu____2 = sample_vector_cbd_then_ntt_15(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[2U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_as_ntt[2U]; memcpy( error_as_ntt, - sample_vector_cbd_then_ntt_15(uu____3, domain_separator).fst, + sample_vector_cbd_then_ntt_15(copy_of_prf_input, domain_separator).fst, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 t_as_ntt[2U]; compute_As_plus_e_f0(A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____4[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[2U]; memcpy( - uu____4, t_as_ntt, + copy_of_t_as_ntt, 
t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____5[2U][2U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A_transpose[2U] + [2U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____7[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[2U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_d6 sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); return (CLITERAL(tuple_4c){.fst = sk, .snd = pk}); } 
@@ -7459,7 +8065,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ -static void closure_ee( +static void closure_45( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[2U]) { KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, ret[i] = ZERO_89_d5();); 
@@ -7492,28 +8098,27 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA1_RANDOMNESS_SIZE= 192 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7b( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_4c uu____0 = generate_keypair_unpacked_6c(ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_d6 ind_cpa_private_key = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[2U][2U]; - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, closure_ee(A[i]);); + KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, closure_45(A[i]);); KRML_MAYBE_FOR2( i0, (size_t)0U, (size_t)2U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - clone_d5_6a(&ind_cpa_public_key.A[j][i1]); + clone_d5_75(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1;);); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[2U][2U]; memcpy(uu____2, A, 
@@ -7526,33 +8131,36 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_7f( serialize_public_key_d0( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; - H_a9_65(Eurydice_array_to_slice((size_t)800U, pk_serialized, uint8_t, - Eurydice_slice), + H_a9_65(Eurydice_array_to_slice((size_t)800U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_d6 uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_d6 uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + memcpy(lit.public_key.public_key_hash, 
copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -7574,19 +8182,24 @@ static libcrux_ml_kem_utils_extraction_helper_Keypair512 generate_keypair_e1( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_d6 sk = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 pk = uu____0.snd; uint8_t public_key_serialized[800U]; - serialize_public_key_d0(pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, - uint8_t, Eurydice_slice), - public_key_serialized); + serialize_public_key_d0( + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), + public_key_serialized); uint8_t secret_key_serialized[768U]; serialize_secret_key_ae(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[768U]; - memcpy(uu____1, secret_key_serialized, (size_t)768U * sizeof(uint8_t)); - uint8_t uu____2[800U]; - memcpy(uu____2, public_key_serialized, (size_t)800U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[768U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)768U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[800U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)800U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair512 lit; - memcpy(lit.fst, uu____1, (size_t)768U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)800U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)768U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)800U * sizeof(uint8_t)); return lit; } 
@@ -7605,43 +8218,37 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_75( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; H_a9_65(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + 
core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)1632U * sizeof(uint8_t)); } @@ -7661,12 +8268,11 @@ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_ind_cca_generate_keypair_c2( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair512 uu____0 = generate_keypair_e1(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[768U]; 
@@ -7675,20 +8281,21 @@ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_ind_cca_generate_keypair_c2( memcpy(public_key, uu____0.snd, (size_t)800U * sizeof(uint8_t)); uint8_t secret_key_serialized[1632U]; serialize_kem_secret_key_75( - Eurydice_array_to_slice((size_t)768U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)800U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)768U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)800U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[1632U]; - memcpy(uu____1, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1632U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1632U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_5e private_key = - libcrux_ml_kem_types_from_e7_a7(uu____1); + libcrux_ml_kem_types_from_e7_a7(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_5e uu____2 = private_key; - uint8_t uu____3[800U]; - memcpy(uu____3, public_key, (size_t)800U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[800U]; + memcpy(copy_of_public_key, public_key, (size_t)800U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c9( - uu____2, libcrux_ml_kem_types_from_07_4c(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c(copy_of_public_key)); } /** 
@@ -7705,14 +8312,14 @@ static KRML_MUSTINLINE void PRFxN_1c0(uint8_t (*input)[33U], uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; libcrux_sha3_avx2_x4_shake256( - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t), + Eurydice_array_to_slice((size_t)128U, out3, uint8_t)); uint8_t uu____0[128U]; memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); @@ -7737,6 +8344,9 @@ static KRML_MUSTINLINE void PRFxN_a9_510(uint8_t (*input)[33U], PRFxN_1c0(input, ret); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -7750,12 +8360,13 @@ sample_ring_element_cbd_47(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_1[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, error_1[i] = ZERO_89_d5();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[2U][33U]; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -7764,16 +8375,17 @@ sample_ring_element_cbd_47(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_error_1[2U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_74 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; 
@@ -7814,6 +8426,9 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_57( poly_barrett_reduce_89_99(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -7829,22 +8444,20 @@ static KRML_MUSTINLINE void compute_vector_u_00( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, result[i] = ZERO_89_d5();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *a_element = &row[j]; @@ -7860,6 +8473,9 @@ static KRML_MUSTINLINE void compute_vector_u_00( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -7882,6 +8498,9 @@ compute_ring_element_v_71( return result; } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -7895,28 +8514,65 @@ static void compress_then_serialize_u_84( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 input[2U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)640U / (size_t)2U), - (i0 + (size_t)1U) * ((size_t)640U / (size_t)2U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)640U / (size_t)2U), uint8_t); uint8_t ret[320U]; compress_then_serialize_ring_element_u_b2(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); } } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. 
+ + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -7939,17 +8595,20 @@ static void encrypt_unpacked_88( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[768U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_74 uu____1 = sample_vector_cbd_then_ntt_15(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_74 uu____1 = sample_vector_cbd_then_ntt_15(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 r_as_ntt[2U]; memcpy( r_as_ntt, uu____1.fst, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_74 uu____3 = sample_ring_element_cbd_47(uu____2, domain_separator0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_74 uu____3 = + sample_ring_element_cbd_47(copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_1[2U]; memcpy( error_1, uu____3.fst, 
@@ -7957,18 +8616,18 @@ static void encrypt_unpacked_88( uint8_t domain_separator = uu____3.snd; prf_input[32U] = domain_separator; uint8_t prf_output[128U]; - PRF_a9_930( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + PRF_a9_930(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_2 = - sample_from_binomial_distribution_470(Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_470( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u[2U]; compute_vector_u_00(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message_as_ring_element = - deserialize_then_decompress_message_b9(uu____4); + deserialize_then_decompress_message_b9(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = compute_ring_element_v_71(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -7979,12 +8638,11 @@ static void encrypt_unpacked_88( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); compress_then_serialize_u_84( uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)640U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____6 = v; compress_then_serialize_ring_element_v_39( - uu____6, - Eurydice_array_to_subslice_from((size_t)768U, ciphertext, (size_t)640U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)768U, ciphertext, + (size_t)640U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)768U * sizeof(uint8_t)); } 
@@ -8006,51 +8664,51 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_6c( +tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_7b( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_d6 *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; - G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_68(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, 
randomness, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[768U]; - encrypt_unpacked_88(uu____2, uu____3, pseudorandomness, ciphertext); + encrypt_unpacked_88(uu____2, copy_of_randomness, pseudorandomness, + ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[768U]; - memcpy(uu____4, ciphertext, (size_t)768U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[768U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_e8 uu____5 = - libcrux_ml_kem_types_from_15_f5(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_ec lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } 
@@ -8064,15 +8722,19 @@ with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - K= 2 */ -static KRML_MUSTINLINE void entropy_preprocess_af_e2(Eurydice_slice randomness, +static KRML_MUSTINLINE void entropy_preprocess_af_12(Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -8087,7 +8749,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, deserialized_pk[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -8095,7 +8757,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_5d( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = deserialize_to_reduced_ring_element_dd(ring_element); deserialized_pk[i0] = uu____0; 
@@ -8126,45 +8788,48 @@ static void encrypt_fb(Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[768U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 t_as_ntt[2U]; deserialize_ring_elements_reduced_5d( - Eurydice_slice_subslice_to(public_key, (size_t)768U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)768U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)768U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)768U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[2U][2U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); sample_matrix_A_a2(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[2U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1[2U][2U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A[2U][2U]; + memcpy(copy_of_A, A, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); 
libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[2U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[768U]; - encrypt_unpacked_88(uu____3, uu____4, randomness, ret1); + encrypt_unpacked_88(uu____3, copy_of_message, randomness, ret1); memcpy(ret, ret1, (size_t)768U * sizeof(uint8_t)); } @@ -8179,13 +8844,11 @@ with const generics - K= 2 - CIPHERTEXT_SIZE= 768 */ -static KRML_MUSTINLINE void kdf_af_50(Eurydice_slice shared_secret, +static KRML_MUSTINLINE void kdf_af_e5(Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -8211,58 +8874,59 @@ tuple_ec libcrux_ml_kem_ind_cca_encapsulate_82( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - entropy_preprocess_af_e2( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + entropy_preprocess_af_12( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; H_a9_65(Eurydice_array_to_slice( (size_t)800U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; - G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_68(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)800U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; - 
memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)800U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[768U]; - encrypt_fb(uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t uu____4[768U]; - memcpy(uu____4, ciphertext, (size_t)768U * sizeof(uint8_t)); + encrypt_fb(uu____2, copy_of_randomness, pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[768U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_e8 ciphertext0 = - libcrux_ml_kem_types_from_15_f5(uu____4); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - kdf_af_50(shared_secret, shared_secret_array); + kdf_af_e5(shared_secret, shared_secret_array); libcrux_ml_kem_types_MlKemCiphertext_e8 uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_ec lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_ec result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -8271,17 +8935,16 @@ with const generics - CIPHERTEXT_SIZE= 768 - U_COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE void deserialize_then_decompress_u_b5( +static KRML_MUSTINLINE void deserialize_then_decompress_u_7f( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, u_as_ntt[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); i++) { @@ -8294,17 +8957,21 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_b5( (size_t)10U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - deserialize_then_decompress_ring_element_u_10(u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u_fe(&u_as_ntt[i0]); + uint8_t); + u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_52(u_bytes); + ntt_vector_u_4b(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -8312,7 +8979,7 @@ with const generics - K= 2 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -compute_message_22( +compute_message_75( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *u_as_ntt) { @@ -8322,10 +8989,34 @@ compute_message_22( ntt_multiply_89_48(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_89_97(&result, &product);); invert_ntt_montgomery_57(&result); - result = subtract_reduce_89_63(v, result); + result = subtract_reduce_89_fe(v, result); return result; } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -8336,20 +9027,19 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_unpacked_8c( +static void decrypt_unpacked_25( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_d6 *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[2U]; - deserialize_then_decompress_u_b5(ciphertext, u_as_ntt); + deserialize_then_decompress_u_7f(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = - deserialize_then_decompress_ring_element_v_5b( + deserialize_then_decompress_ring_element_v_29( Eurydice_array_to_subslice_from((size_t)768U, ciphertext, - (size_t)640U, uint8_t, size_t, - Eurydice_slice)); + (size_t)640U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message = - compute_message_22(&v, secret_key->secret_as_ntt, u_as_ntt); + compute_message_75(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_ec(message, ret0); + compress_then_serialize_message_07(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -8388,83 +9078,82 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_23( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4b( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_d6 *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - decrypt_unpacked_8c(&key_pair->private_key.ind_cpa_private_key, + decrypt_unpacked_25(&key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; - G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_68(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[800U]; libcrux_ml_kem_utils_into_padded_array_2d0( - Eurydice_array_to_slice((size_t)32U, - 
key_pair->private_key.implicit_rejection_value, - uint8_t, Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; - PRF_a9_93( - Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + PRF_a9_93(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t), + implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_d6 *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[768U]; - encrypt_unpacked_88(uu____3, uu____4, pseudorandomness, expected_ciphertext); + encrypt_unpacked_88(uu____3, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), - Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), 
selector, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 2 */ -static KRML_MUSTINLINE void deserialize_secret_key_20( +static KRML_MUSTINLINE void deserialize_secret_key_05( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, secret_as_ntt[i] = ZERO_89_d5();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -8472,9 +9161,9 @@ static KRML_MUSTINLINE void deserialize_secret_key_20( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - deserialize_to_uncompressed_ring_element_63(secret_bytes); + deserialize_to_uncompressed_ring_element_c7(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( 
@@ -8492,21 +9181,22 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_39(Eurydice_slice secret_key, uint8_t *ciphertext, +static void decrypt_84(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[2U]; - deserialize_secret_key_20(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[2U]; + deserialize_secret_key_05(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[2U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_d6 secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t ret0[32U]; - decrypt_unpacked_8c(&secret_key_unpacked, ciphertext, ret0); + decrypt_unpacked_25(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -8532,41 +9222,37 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_decapsulate_c4( +void libcrux_ml_kem_ind_cca_decapsulate_20( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)1632U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)1632U, private_key->value, uint8_t), (size_t)768U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)800U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - decrypt_39(ind_cpa_secret_key, ciphertext->value, decrypted); + decrypt_84(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, 
uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; - G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_a9_68(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -8575,34 +9261,33 @@ void libcrux_ml_kem_ind_cca_decapsulate_c4( libcrux_ml_kem_utils_into_padded_array_2d0(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; - PRF_a9_93( - Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); + PRF_a9_93(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t), + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[768U]; - encrypt_fb(uu____5, uu____6, pseudorandomness, expected_ciphertext); + encrypt_fb(uu____5, copy_of_decrypted, pseudorandomness, expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - kdf_af_50( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + kdf_af_e5(Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret0, uint8_t), + implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - kdf_af_50(shared_secret0, shared_secret1); + kdf_af_e5(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), - Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, - 
Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h index c28196f56..9d7aa0ed7 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem_avx2_H @@ -115,6 +115,10 @@ core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea( #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \ ((int16_t)20159) +/** + See Section 3.2 of the implementation notes document for an explanation + of this code. +*/ core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce( core_core_arch_x86___m256i vector); diff --git a/libcrux-ml-kem/c/libcrux_mlkem_neon.c b/libcrux-ml-kem/c/libcrux_mlkem_neon.c index 9f33e8f2f..019effe21 100644 
--- a/libcrux-ml-kem/c/libcrux_mlkem_neon.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_neon.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "libcrux_mlkem_neon.h" @@ -17,8 +17,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_neon_G(Eurydice_slice input, uint8_t ret[64U]) { uint8_t digest[64U] = {0U}; libcrux_sha3_neon_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); } @@ -26,7 +25,6 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_neon_H(Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_neon_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem_neon.h b/libcrux-ml-kem/c/libcrux_mlkem_neon.h index dbe30739d..e2979d8d5 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_neon.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_neon.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem_neon_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index d251d45b0..f2edc753e 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "internal/libcrux_mlkem_portable.h" @@ -20,8 +20,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_G( Eurydice_slice input, uint8_t ret[64U]) { uint8_t digest[64U] = {0U}; libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); } 
@@ -29,8 +28,7 @@ KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_H( Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } @@ -75,10 +73,8 @@ libcrux_ml_kem_vector_portable_vector_type_from_i16_array( int16_t ret[16U]; core_result_Result_c0 dst; Eurydice_slice_to_array2( - &dst, - Eurydice_slice_subslice2(array, (size_t)0U, (size_t)16U, int16_t, - Eurydice_slice), - Eurydice_slice, int16_t[16U], void *); + &dst, Eurydice_slice_subslice2(array, (size_t)0U, (size_t)16U, int16_t), + Eurydice_slice, int16_t[16U]); core_result_unwrap_41_f9(dst, ret); memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t)); return lit; 
@@ -95,68 +91,64 @@ libcrux_ml_kem_vector_portable_from_i16_array_0d(Eurydice_slice array) { KRML_MUSTINLINE uint8_t_x11 libcrux_ml_kem_vector_portable_serialize_serialize_11_int(Eurydice_slice v) { - uint8_t r0 = - (uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, int16_t); + uint8_t r0 = (uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *); uint8_t r1 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)31) << 3U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 8U); uint8_t r2 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)3) << 6U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 5U); - uint8_t r3 = (uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *, - int16_t) >> - 2U & - (int16_t)255); + uint8_t r3 = + (uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *) >> 2U & + (int16_t)255); uint8_t r4 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)127) << 1U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 10U); uint8_t r5 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)4U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)15) << 4U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 7U); uint8_t r6 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)1) << 7U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)4U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 4U); - uint8_t r7 = (uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *, - int16_t) >> - 1U & - (int16_t)255); + uint8_t r7 = + 
(uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *) >> 1U & + (int16_t)255); uint8_t r8 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)63) << 2U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 9U); uint8_t r9 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)7) << 5U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 6U); - uint8_t r10 = (uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t, - int16_t *, int16_t) >> - 3U); + uint8_t r10 = + (uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) >> 3U); return (CLITERAL(uint8_t_x11){.fst = r0, .snd = r1, .thd = r2, @@ -174,12 +166,11 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_11( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[22U]) { uint8_t_x11 r0_10 = libcrux_ml_kem_vector_portable_serialize_serialize_11_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t)); uint8_t_x11 r11_21 = libcrux_ml_kem_vector_portable_serialize_serialize_11_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, - int16_t, Eurydice_slice)); + int16_t)); uint8_t result[22U] = {0U}; result[0U] = r0_10.fst; result[1U] = r0_10.snd; 
@@ -219,66 +210,56 @@ void libcrux_ml_kem_vector_portable_serialize_11_0d( KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( Eurydice_slice bytes) { - int16_t r0 = ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)7) - << 8U | - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, - uint8_t *, uint8_t); - int16_t r1 = ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)63) - << 5U | - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) >> - 3U; - int16_t r2 = (((int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)1) - << 10U | - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, - uint8_t *, uint8_t) - << 2U) | - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) >> - 6U; - int16_t r3 = ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)15) - << 7U | - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, - uint8_t *, uint8_t) >> - 1U; - int16_t r4 = ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)127) - << 4U | - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, - uint8_t *, uint8_t) >> - 4U; - int16_t r5 = (((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)3) - << 9U | - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, - uint8_t *, uint8_t) - << 1U) | - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) >> - 7U; - int16_t r6 = ((int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)31) - << 6U | - (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) >> - 2U; - int16_t r7 = (int16_t)Eurydice_slice_index(bytes, (size_t)10U, uint8_t, - uint8_t *, uint8_t) - << 3U | - 
(int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, - uint8_t *, uint8_t) >> - 5U; + int16_t r0 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) & + (int16_t)7) + << 8U | + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int16_t r1 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) & + (int16_t)63) + << 5U | + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) >> + 3U; + int16_t r2 = + (((int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) & + (int16_t)1) + << 10U | + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) + << 2U) | + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 6U; + int16_t r3 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) & + (int16_t)15) + << 7U | + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) >> + 1U; + int16_t r4 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) & + (int16_t)127) + << 4U | + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) >> + 4U; + int16_t r5 = + (((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) & + (int16_t)3) + << 9U | + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) + << 1U) | + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >> + 7U; + int16_t r6 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) & + (int16_t)31) + << 6U | + (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) >> + 2U; + int16_t r7 = + (int16_t)Eurydice_slice_index(bytes, (size_t)10U, uint8_t, uint8_t *) + << 3U | + (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) >> + 5U; return (CLITERAL(int16_t_x8){.fst = r0, .snd = r1, .thd = r2, 
@@ -314,12 +295,10 @@ libcrux_ml_kem_vector_portable_vector_type_zero(void) { KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)11U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)11U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( - Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; @@ -1018,6 +997,19 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( return libcrux_ml_kem_vector_portable_arithmetic_cond_subtract_3329(v); } +/** + Signed Barrett Reduction + + Given an input `value`, `barrett_reduce` outputs a representative `result` + such that: + + - result ≡ value (mod FIELD_MODULUS) + - the absolute value of `result` is bound as follows: + + `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) + + In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. +*/ int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value) { int32_t t = (int32_t)value * 
@@ -1053,6 +1045,20 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d( return libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce(v); } +/** + Signed Montgomery Reduction + + Given an input `value`, `montgomery_reduce` outputs a representative `o` + such that: + + - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) + - the absolute value of `o` is bound as follows: + + `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) + + In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · + FIELD_MODULUS) / 2`. +*/ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int32_t value) { int32_t k = @@ -1071,6 +1077,17 @@ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( return value_high - c; } +/** + If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to + `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to + `x · y`, as follows: + + `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` + + `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a + representative `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod + FIELD_MODULUS)`. +*/ KRML_MUSTINLINE int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( int16_t fe, int16_t fer) { 
@@ -1102,6 +1119,28 @@ libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d( v, r); } +/** + The `compress_*` functions implement the `Compress` function specified in the + NIST FIPS 203 standard (Page 18, Expression 4.5), which is defined as: + + ```plaintext + Compress_d: ℤq -> ℤ_{2ᵈ} + Compress_d(x) = ⌈(2ᵈ/q)·x⌋ + ``` + + Since `⌈x⌋ = ⌊x + 1/2⌋` we have: + + ```plaintext + Compress_d(x) = ⌊(2ᵈ/q)·x + 1/2⌋ + = ⌊(2^{d+1}·x + q) / 2q⌋ + ``` + + For further information about the function implementations, consult the + `implementation_notes.pdf` document in this directory. + + The NIST FIPS 203 standard can be found at + . +*/ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( uint16_t fe) { int16_t shifted = (int16_t)1664 - (int16_t)fe; @@ -1374,6 +1413,28 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } +/** + Compute the product of two Kyber binomials with respect to the + modulus `X² - zeta`. + + This function almost implements Algorithm 11 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: a₀, a₁, b₀, b₁ ∈ ℤq. + Input: γ ∈ ℤq. + Output: c₀, c₁ ∈ ℤq. + + c₀ ← a₀·b₀ + a₁·b₁·γ + c₁ ← a₀·b₁ + a₁·b₀ + return c₀, c₁ + ``` + We say "almost" because the coefficients output by this function are in + the Montgomery domain (unlike in the specification). + + The NIST FIPS 203 standard can be found at + . +*/ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta, 
@@ -1465,19 +1526,17 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { libcrux_ml_kem_vector_portable_vector_type_zero(); KRML_MAYBE_FOR8( i, (size_t)0U, (size_t)8U, (size_t)1U, size_t i0 = i; - result.elements[i0] = - (int16_t)((uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, - uint8_t *, uint8_t) >> - (uint32_t)i0 & - 1U);); + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)0U, uint8_t, uint8_t *) >> + (uint32_t)i0 & + 1U);); for (size_t i = (size_t)8U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - result.elements[i0] = - (int16_t)((uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, - uint8_t *, uint8_t) >> - (uint32_t)(i0 - (size_t)8U) & - 1U); + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)1U, uint8_t, uint8_t *) >> + (uint32_t)(i0 - (size_t)8U) & + 1U); } return result; } 
@@ -1493,26 +1552,26 @@ libcrux_ml_kem_vector_portable_deserialize_1_0d(Eurydice_slice a) { KRML_MUSTINLINE uint8_t_x4 libcrux_ml_kem_vector_portable_serialize_serialize_4_int(Eurydice_slice v) { - uint8_t result0 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)1U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)0U, int16_t, int16_t *, int16_t); - uint8_t result1 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)3U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)2U, int16_t, int16_t *, int16_t); - uint8_t result2 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)5U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)4U, int16_t, int16_t *, int16_t); - uint8_t result3 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)7U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)6U, int16_t, int16_t *, int16_t); + uint8_t result0 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t, + int16_t *); + uint8_t result1 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)2U, int16_t, + int16_t *); + uint8_t result2 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)4U, int16_t, + int16_t *); + uint8_t result3 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)6U, int16_t, + int16_t *); return (CLITERAL(uint8_t_x4){ .fst = result0, .snd = result1, .thd = result2, .f3 = result3}); } 
@@ -1523,11 +1582,11 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_4( uint8_t_x4 result0_3 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, - int16_t, Eurydice_slice)); + int16_t)); uint8_t_x4 result4_7 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, - int16_t, Eurydice_slice)); + int16_t)); uint8_t result[8U] = {0U}; result[0U] = result0_3.fst; result[1U] = result0_3.snd; 
@@ -1553,32 +1612,32 @@ void libcrux_ml_kem_vector_portable_serialize_4_0d( KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( Eurydice_slice bytes) { - int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) & + int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) & 15U); - int16_t v1 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) >> + int16_t v1 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) >> 4U & 15U); - int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) & + int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) & 15U); - int16_t v3 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) >> + int16_t v3 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) >> 4U & 15U); - int16_t v4 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) & + int16_t v4 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) & 15U); - int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) >> + int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) >> 4U & 15U); - int16_t v6 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) & + int16_t v6 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) & 15U); - int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) >> + int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) >> 4U & 15U); return (CLITERAL(int16_t_x8){.fst = v0, 
@@ -1594,11 +1653,9 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; 
@@ -1632,40 +1689,24 @@ libcrux_ml_kem_vector_portable_deserialize_4_0d(Eurydice_slice a) { KRML_MUSTINLINE uint8_t_x5 libcrux_ml_kem_vector_portable_serialize_serialize_5_int(Eurydice_slice v) { uint8_t r0 = - (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) | - Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *, int16_t) - << 5U); + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) | + Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) << 5U); uint8_t r1 = - (uint8_t)((Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *, - int16_t) >> - 3U | - Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *, - int16_t) + (uint8_t)((Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 3U | + Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *) << 2U) | - Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *, int16_t) - << 7U); + Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) << 7U); uint8_t r2 = - (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *, - int16_t) >> - 1U | - Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *, int16_t) - << 4U); + (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 1U | + Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *) << 4U); uint8_t r3 = - (uint8_t)((Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *, - int16_t) >> - 4U | - Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *, - int16_t) + (uint8_t)((Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *) >> 4U | + Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *) << 1U) | - Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *, int16_t) - << 6U); + Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) << 6U); uint8_t r4 = - (uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *, - int16_t) >> - 2U | - Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *, int16_t) - << 3U); + (uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) >> 2U | + 
Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) << 3U); return (CLITERAL(uint8_t_x5){ .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4}); } @@ -1674,11 +1715,10 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_5( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[10U]) { uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t)); uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( - Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, + int16_t)); uint8_t result[10U] = {0U}; result[0U] = r0_4.fst; result[1U] = r0_4.snd; 
@@ -1706,44 +1746,44 @@ void libcrux_ml_kem_vector_portable_serialize_5_0d( KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( Eurydice_slice bytes) { - int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) & + int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) & 31U); - int16_t v1 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) & + int16_t v1 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) & 3U) << 3U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) >> 5U); - int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) >> + int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) >> 2U & 31U); - int16_t v3 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) & + int16_t v3 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) & 15U) << 1U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) >> 7U); - int16_t v4 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) & + int16_t v4 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) & 1U) << 4U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) >> 4U); - int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) >> + int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t 
*) >> 1U & 31U); - int16_t v6 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)4U, uint8_t, uint8_t *, uint8_t) & + int16_t v6 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)4U, + uint8_t, uint8_t *) & 7U) << 2U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) >> 6U); - int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)4U, uint8_t, uint8_t *, uint8_t) >> + int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)4U, + uint8_t, uint8_t *) >> 3U); return (CLITERAL(int16_t_x8){.fst = v0, .snd = v1, @@ -1758,11 +1798,9 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( - Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; 
@@ -1795,37 +1833,36 @@ libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a) { KRML_MUSTINLINE uint8_t_x5 libcrux_ml_kem_vector_portable_serialize_serialize_10_int(Eurydice_slice v) { - uint8_t r0 = (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) & - (int16_t)255); + uint8_t r0 = + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) & + (int16_t)255); uint8_t r1 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)63) << 2U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 8U & (int16_t)3); uint8_t r2 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)15) << 4U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 6U & (int16_t)15); uint8_t r3 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)3) << 6U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 4U & (int16_t)63); - uint8_t r4 = (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *, - int16_t) >> - 2U & - (int16_t)255); + uint8_t r4 = + (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 2U & + (int16_t)255); return (CLITERAL(uint8_t_x5){ .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4}); } 
@@ -1834,17 +1871,15 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_10( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[20U]) { uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)4U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)4U, int16_t)); uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)8U, int16_t)); uint8_t_x5 r10_14 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)12U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)12U, + int16_t)); uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U, + int16_t)); uint8_t result[20U] = {0U}; result[0U] = r0_4.fst; result[1U] = r0_4.snd; 
@@ -1882,60 +1917,52 @@ void libcrux_ml_kem_vector_portable_serialize_10_0d( KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice bytes) { - int16_t r0 = ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)3) - << 8U | - ((int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)255); - int16_t r1 = ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)15) - << 6U | - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) >> - 2U; - int16_t r2 = ((int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)63) - << 4U | - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) >> - 4U; - int16_t r3 = (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, - uint8_t *, uint8_t) - << 2U | - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, - uint8_t *, uint8_t) >> - 6U; - int16_t r4 = ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)3) - << 8U | - ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)255); - int16_t r5 = ((int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)15) - << 6U | - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) >> - 2U; - int16_t r6 = ((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)63) - << 4U | - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, - uint8_t *, uint8_t) >> - 4U; - int16_t r7 = (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, - uint8_t *, uint8_t) - << 2U | - (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) >> - 6U; + int16_t r0 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) & + (int16_t)3) + << 8U | + 
((int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *) & + (int16_t)255); + int16_t r1 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) & + (int16_t)15) + << 6U | + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) >> + 2U; + int16_t r2 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) & + (int16_t)63) + << 4U | + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 4U; + int16_t r3 = + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) + << 2U | + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) >> + 6U; + int16_t r4 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) & + (int16_t)3) + << 8U | + ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) & + (int16_t)255); + int16_t r5 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) & + (int16_t)15) + << 6U | + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >> + 2U; + int16_t r6 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) & + (int16_t)63) + << 4U | + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) >> + 4U; + int16_t r7 = + (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) + << 2U | + (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) >> + 6U; return (CLITERAL(int16_t_x8){.fst = r0, .snd = r1, .thd = r2, 
@@ -1949,12 +1976,10 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)10U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)10U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( - Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; @@ -1987,20 +2012,17 @@ libcrux_ml_kem_vector_portable_deserialize_10_0d(Eurydice_slice a) { KRML_MUSTINLINE uint8_t_x3 libcrux_ml_kem_vector_portable_serialize_serialize_12_int(Eurydice_slice v) { - uint8_t r0 = (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) & - (int16_t)255); - uint8_t r1 = (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) >> - 8U | - (Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) & - (int16_t)15) - << 4U); - uint8_t r2 = (uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *, - int16_t) >> - 4U & - (int16_t)255); + uint8_t r0 = + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) & + (int16_t)255); + uint8_t r1 = + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) >> 8U | + (Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) & + (int16_t)15) + << 4U); + uint8_t r2 = + (uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 4U & + (int16_t)255); return (CLITERAL(uint8_t_x3){.fst = r0, .snd = r1, .thd = r2}); } 
@@ -2008,29 +2030,25 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_serialize_serialize_12( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[24U]) { uint8_t_x3 r0_2 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)2U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)2U, int16_t)); uint8_t_x3 r3_5 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)2U, (size_t)4U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)2U, (size_t)4U, int16_t)); uint8_t_x3 r6_8 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)6U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)6U, int16_t)); uint8_t_x3 r9_11 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)6U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)6U, (size_t)8U, int16_t)); uint8_t_x3 r12_14 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)10U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)10U, + int16_t)); uint8_t_x3 r15_17 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)10U, (size_t)12U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)10U, (size_t)12U, + int16_t)); uint8_t_x3 r18_20 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)14U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)14U, + int16_t)); uint8_t_x3 r21_23 = 
libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U, + int16_t)); uint8_t result[24U] = {0U}; result[0U] = r0_2.fst; result[1U] = r0_2.snd; @@ -2072,12 +2090,12 @@ void libcrux_ml_kem_vector_portable_serialize_12_0d( KRML_MUSTINLINE int16_t_x2 libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice bytes) { - int16_t byte0 = (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, - uint8_t *, uint8_t); - int16_t byte1 = (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t); - int16_t byte2 = (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t); + int16_t byte0 = + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int16_t byte1 = + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int16_t byte2 = + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); int16_t r0 = (byte1 & (int16_t)15) << 8U | (byte0 & (int16_t)255); int16_t r1 = byte2 << 4U | (byte1 >> 4U & (int16_t)15); return (CLITERAL(int16_t_x2){.fst = r0, .snd = r1}); 
@@ -2086,32 +2104,24 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { int16_t_x2 v0_1 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)3U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)3U, uint8_t)); int16_t_x2 v2_3 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)3U, (size_t)6U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)3U, (size_t)6U, uint8_t)); int16_t_x2 v4_5 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)6U, (size_t)9U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)6U, (size_t)9U, uint8_t)); int16_t_x2 v6_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)9U, (size_t)12U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)9U, (size_t)12U, uint8_t)); int16_t_x2 v8_9 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)12U, (size_t)15U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)12U, (size_t)15U, uint8_t)); int16_t_x2 v10_11 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)15U, (size_t)18U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)15U, (size_t)18U, uint8_t)); int16_t_x2 v12_13 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)18U, (size_t)21U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)18U, (size_t)21U, uint8_t)); int16_t_x2 v14_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - 
Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector re = libcrux_ml_kem_vector_portable_vector_type_zero(); re.elements[0U] = v0_1.fst; @@ -2145,15 +2155,15 @@ libcrux_ml_kem_vector_portable_deserialize_12_0d(Eurydice_slice a) { KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( Eurydice_slice a, Eurydice_slice result) { size_t sampled = (size_t)0U; - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(a, uint8_t, size_t) / (size_t)3U; i++) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(a, uint8_t) / (size_t)3U; + i++) { size_t i0 = i; int16_t b1 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)0U, - uint8_t, uint8_t *, uint8_t); + uint8_t, uint8_t *); int16_t b2 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)1U, - uint8_t, uint8_t *, uint8_t); + uint8_t, uint8_t *); int16_t b3 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)2U, - uint8_t, uint8_t *, uint8_t); + uint8_t, uint8_t *); int16_t d1 = (b2 & (int16_t)15) << 8U | b1; int16_t d2 = b3 << 4U | b2 >> 4U; bool uu____0; @@ -2165,7 +2175,7 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( int16_t uu____6; if (d1 < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS) { if (sampled < (size_t)16U) { - Eurydice_slice_index(result, sampled, int16_t, int16_t *, int16_t) = d1; + Eurydice_slice_index(result, sampled, int16_t, int16_t *) = d1; sampled++; uu____1 = d2; uu____6 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; @@ -2176,8 +2186,7 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( if (uu____2) { uu____4 = d2; uu____5 = sampled; - Eurydice_slice_index(result, uu____5, int16_t, int16_t *, int16_t) = - uu____4; + Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4; sampled++; continue; } 
@@ -2194,8 +2203,7 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample( if (uu____2) { uu____4 = d2; uu____5 = sampled; - Eurydice_slice_index(result, uu____5, int16_t, int16_t *, int16_t) = - uu____4; + Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4; sampled++; continue; } @@ -2254,6 +2262,12 @@ static libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ZERO_89_39(void) { return lit; } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types @@ -2264,13 +2278,10 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialize_to_reduced_ring_element_ad(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -2280,6 +2291,12 @@ deserialize_to_reduced_ring_element_ad(Eurydice_slice serialized) { return re; } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types 
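Review bot: The comment added above `deserialize_to_reduced_ring_element_ad` is ambiguous: "This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`" reads as if the caller were an example of a secret input, when the intent is presumably that the caller carries the same restriction. I would word it `This MUST NOT be used with secret inputs; the same restriction applies to its caller deserialize_ring_elements_reduced.`, which also matches the "MUST NOT be used on secret inputs" sentence the later hunk adds to that caller. Since this file looks Eurydice-extracted, the fix belongs in the Rust doc comment the text is copied from rather than in this C.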
@@ -2294,7 +2311,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_724( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, deserialized_pk[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -2302,7 +2319,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_724( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = deserialize_to_reduced_ring_element_ad(ring_element); deserialized_pk[i0] = uu____0; @@ -2375,16 +2392,16 @@ static KRML_MUSTINLINE void serialize_uncompressed_ring_element_f6( uint8_t bytes[24U]; libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
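Review bot: `deserialize_ring_elements_reduced_724` sizes its loop by `Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT` but writes `deserialized_pk[i0]` into an array its caller declares as four elements, and nothing in the function ties the two together; the index is unchecked C, so a `public_key` slice longer than 1536 bytes would write past the array. It is safe today only because `libcrux_ml_kem_ind_cca_validate_public_key_351` passes exactly `Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U, ...)`, which is outside this hunk. A stated precondition would keep the next caller honest: `/* Precondition: public_key.len == 4 * BYTES_PER_RING_ELEMENT (1536 bytes); the loop bound comes from the slice, the output array is fixed at K = 4. */`. As the C is generated, the right place is the Rust source of `deserialize_ring_elements_reduced` (a doc comment or debug assertion on the slice length).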
@@ -2397,29 +2414,29 @@ static KRML_MUSTINLINE void serialize_secret_key_f81( uint8_t ret[1536U]) { uint8_t out[1536U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; serialize_uncompressed_ring_element_f6(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1536U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -2432,20 +2449,16 @@ static KRML_MUSTINLINE void serialize_public_key_801( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *t_as_ntt, Eurydice_slice seed_for_a, uint8_t ret[1568U]) { uint8_t public_key_serialized[1568U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_subslice2(public_key_serialized, (size_t)0U, - (size_t)1536U, uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + public_key_serialized, (size_t)0U, (size_t)1536U, uint8_t); uint8_t ret0[1536U]; serialize_secret_key_f81(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1536U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)1536U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)1568U, public_key_serialized, - (size_t)1536U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)1536U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); } @@ -2461,14 +2474,14 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_351(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialized_pk[4U]; deserialize_ring_elements_reduced_724( Eurydice_array_to_subslice_to((size_t)1568U, public_key, (size_t)1536U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *uu____0 = deserialized_pk; uint8_t public_key_serialized[1568U]; serialize_public_key_801( uu____0, Eurydice_array_to_subslice_from((size_t)1568U, public_key, (size_t)1536U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1568U, public_key, public_key_serialized, uint8_t, uint8_t, bool); 
@@ -2534,16 +2547,17 @@ shake128_init_absorb_final_751(uint8_t input[4U][34U]) { KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init();); - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state[i0], - Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, - Eurydice_slice));); - libcrux_sha3_generic_keccak_KeccakState_48 uu____0[4U]; - memcpy(uu____0, shake128_state, + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_absorb_final( + &shake128_state[i0], + Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t));); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_sha3_generic_keccak_KeccakState_48 copy_of_shake128_state[4U]; + memcpy(copy_of_shake128_state, shake128_state, (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); PortableHash_d1 lit; - memcpy(lit.shake128_state, uu____0, + memcpy(lit.shake128_state, copy_of_shake128_state, (size_t)4U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); return lit; } @@ -2560,9 +2574,10 @@ generics */ static KRML_MUSTINLINE PortableHash_d1 shake128_init_absorb_final_f1_111(uint8_t input[4U][34U]) { - uint8_t uu____0[4U][34U]; - memcpy(uu____0, input, (size_t)4U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_751(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[4U][34U]; + memcpy(copy_of_input, input, (size_t)4U * sizeof(uint8_t[34U])); + return shake128_init_absorb_final_751(copy_of_input); } /** 
@@ -2578,8 +2593,7 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_101( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice));); + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t));); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[504U])); } @@ -2598,6 +2612,47 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_4e1( shake128_squeeze_first_three_blocks_101(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
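Review bot: The comment block added above `sample_from_uniform_distribution_next_053` does not describe the C function it now documents: it says "an `Err` is returned and the caller must try again with a fresh set of bytes", while the function (next hunk) is declared `static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_053(` and returns a done flag that `sample_from_xof_2b1` loops on. The citation at the end is also truncated, `The NIST FIPS 203 standard can be found at .`, presumably an angle-bracket URL lost on the way from the Rust doc comment. I would change the sentence to `...in which case the function returns false and the caller must squeeze more bytes and call it again.` and restore the link as plain text; the identical block above the `_054` instance needs the same two fixes. Since the C is extracted, the edit belongs in the Rust source.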
@@ -2616,12 +2671,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_053( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -2647,11 +2701,11 @@ generics static KRML_MUSTINLINE void shake128_squeeze_next_block_ed1( PortableHash_d1 *st, uint8_t ret[4U][168U]) { uint8_t out[4U][168U] = {{0U}}; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &st->shake128_state[i0], + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t));); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[168U])); } 
@@ -2670,6 +2724,47 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_c11( shake128_squeeze_next_block_ed1(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -2688,12 +2783,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_054( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -2729,8 +2823,7 @@ from_i16_array_89_6b(Eurydice_slice a) { libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_from_i16_array_0d( Eurydice_slice_subslice2(a, i0 * (size_t)16U, - (i0 + (size_t)1U) * (size_t)16U, int16_t, - Eurydice_slice)); + (i0 + (size_t)1U) * (size_t)16U, int16_t)); result.coefficients[i0] = uu____0; } return result; @@ -2745,8 +2838,8 @@ generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f0 closure_991( int16_t s[272U]) { - return from_i16_array_89_6b(Eurydice_array_to_subslice2( - s, (size_t)0U, (size_t)256U, int16_t, Eurydice_slice)); + return from_i16_array_89_6b( + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -2761,32 +2854,37 @@ static KRML_MUSTINLINE void sample_from_xof_2b1( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[4U]) { size_t sampled_coefficients[4U] = {0U}; int16_t out[4U][272U] = {{0U}}; - uint8_t uu____0[4U][34U]; - memcpy(uu____0, seeds, (size_t)4U * sizeof(uint8_t[34U])); - PortableHash_d1 xof_state = shake128_init_absorb_final_f1_111(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[4U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U])); + PortableHash_d1 xof_state = shake128_init_absorb_final_f1_111(copy_of_seeds); uint8_t randomness0[4U][504U]; shake128_squeeze_first_three_blocks_f1_4e1(&xof_state, randomness0); - uint8_t uu____1[4U][504U]; - memcpy(uu____1, randomness0, (size_t)4U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[4U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)4U * sizeof(uint8_t[504U])); bool done = sample_from_uniform_distribution_next_053( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; } else { uint8_t randomness[4U][168U]; shake128_squeeze_next_block_f1_c11(&xof_state, randomness); - uint8_t uu____2[4U][168U]; - memcpy(uu____2, randomness, (size_t)4U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[4U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)4U * sizeof(uint8_t[168U])); done = sample_from_uniform_distribution_next_054( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[4U][272U]; - memcpy(uu____3, out, (size_t)4U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[4U][272U]; + memcpy(copy_of_out, out, (size_t)4U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 
ret0[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - ret0[i] = closure_991(uu____3[i]);); + ret0[i] = closure_991(copy_of_out[i]);); memcpy( ret, ret0, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); @@ -2807,24 +2905,25 @@ static KRML_MUSTINLINE void sample_matrix_A_231( closure_e81(A_transpose[i]);); KRML_MAYBE_FOR4( i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[4U][34U]; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[4U][34U]; - memcpy(uu____1, seeds, (size_t)4U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[4U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)4U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sampled[4U]; - sample_from_xof_2b1(uu____1, sampled); + sample_from_xof_2b1(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample = sampled[j]; 
@@ -2833,7 +2932,9 @@ static KRML_MUSTINLINE void sample_matrix_A_231( } else { A_transpose[i1][j] = sample; } - }); + } + + ); memcpy(ret, A_transpose, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U])); @@ -2859,12 +2960,11 @@ with const generics static KRML_MUSTINLINE void PRFxN_1d2(uint8_t (*input)[33U], uint8_t ret[4U][128U]) { uint8_t out[4U][128U] = {{0U}}; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR4( + i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));); memcpy(ret, out, (size_t)4U * sizeof(uint8_t[128U])); } 
@@ -2883,6 +2983,55 @@ static KRML_MUSTINLINE void PRFxN_f1_892(uint8_t (*input)[33U], PRFxN_1d2(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types 
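Review bot: The CBD comment added above `sample_from_binomial_distribution_2_20` misstates the coefficient range: `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` should read `..., ETA - 1, ETA}`, since a difference of two sums of ETA bits never exceeds ETA in magnitude. Smaller issues in the same block are the doubled "such such that", the stale type name `KyberFieldElement` (no such identifier is in view in this ML-KEM file), and the truncated citation `can be found at .`. These are copied from the Rust doc comment, so that is where to fix them.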
@@ -2893,24 +3042,22 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample_from_binomial_distribution_2_20(Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)4U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)4U, - chunk_number * (size_t)4U + (size_t)4U, uint8_t, Eurydice_slice); + chunk_number * (size_t)4U + (size_t)4U, uint8_t); uint32_t random_bits_as_u32 = (((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 24U; uint32_t even_bits = random_bits_as_u32 & 1431655765U; uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U; @@ -2926,8 +3073,8 @@ sample_from_binomial_distribution_2_20(Eurydice_slice randomness) { sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_89_6b(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return from_i16_array_89_6b( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
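Review bot: `sample_from_binomial_distribution_2_20` takes its loop bound from `Eurydice_slice_len(randomness, uint8_t) / (size_t)4U` but writes `sampled_i16s[(size_t)8U * chunk_number + offset]` into the fixed `int16_t sampled_i16s[256U]` with no check that the two agree; the index is unchecked C, so a caller passing more than 128 bytes would write past the array (the Rust original presumably panics there). The visible caller passes `Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)`, which is exactly the limit, and `_3_85` has the same shape with a 192-byte limit. I would state the precondition where the next reader will look: `/* Precondition: randomness.len <= 128 bytes (64 * ETA); each 4-byte chunk yields 8 of the 256 coefficients. */`, ideally in the Rust source this C is extracted from.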
@@ -2940,21 +3087,19 @@ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample_from_binomial_distribution_3_85(Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)3U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)3U, - chunk_number * (size_t)3U + (size_t)3U, uint8_t, Eurydice_slice); + chunk_number * (size_t)3U + (size_t)3U, uint8_t); uint32_t random_bits_as_u24 = ((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U; uint32_t first_bits = random_bits_as_u24 & 2396745U; uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U; @@ -2972,8 +3117,8 @@ sample_from_binomial_distribution_3_85(Eurydice_slice randomness) { sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_89_6b(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return from_i16_array_89_6b( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
@@ -3001,9 +3146,8 @@ static KRML_MUSTINLINE void ntt_at_layer_7_13( libcrux_ml_kem_vector_portable_vector_type_PortableVector t = libcrux_ml_kem_vector_portable_multiply_by_constant_0d( re->coefficients[j + step], (int16_t)-1600); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[j + step] = libcrux_ml_kem_vector_portable_sub_0d(re->coefficients[j], &t); - re->coefficients[j + step] = uu____0; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = libcrux_ml_kem_vector_portable_add_0d(re->coefficients[j], &t); re->coefficients[j] = uu____1; @@ -3108,13 +3252,13 @@ static KRML_MUSTINLINE void ntt_at_layer_2_7b( KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)1U;); + zeta_i[0U] = zeta_i[0U] + (size_t)1U;); } /** @@ -3128,7 +3272,7 @@ static KRML_MUSTINLINE void ntt_at_layer_1_4f( KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], @@ -3138,7 +3282,7 @@ static KRML_MUSTINLINE void ntt_at_layer_1_4f( (size_t)2U], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)3U;); + zeta_i[0U] = zeta_i[0U] + (size_t)3U;); } /** 
@@ -3182,6 +3326,10 @@ static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_88( poly_barrett_reduce_89_2c(re); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -3196,12 +3344,13 @@ static KRML_MUSTINLINE tuple_710 sample_vector_cbd_then_ntt_d71( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, re_as_ntt[i] = ZERO_89_39();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[4U][33U]; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
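Review bot: The `copy_of_prf_input` introduced in `sample_vector_cbd_then_ntt_d71`, and the four `prf_inputs` rows filled from it, are the per-polynomial PRF seeds (if this follows FIPS 203 K-PKE.KeyGen, `prf_input` is the secret seed with a domain-separator byte appended at index 32); they are plain stack arrays and nothing in the function clears them before it returns. That is the same lifetime the Rust by-value copy already had, so it is not a regression of this commit, but a C consumer should at least see it stated: `/* NOTE: copy_of_prf_input and prf_inputs hold CBD PRF seed material; these stack copies are not zeroized. */`. The function's tail, including `prf_outputs`, continues in the next hunk.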
@@ -3209,23 +3358,49 @@ static KRML_MUSTINLINE tuple_710 sample_vector_cbd_then_ntt_d71( PRFxN_f1_892(prf_inputs, prf_outputs); KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; + re_as_ntt[i0] = sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); ntt_binomially_sampled_ring_element_88(&re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_re_as_ntt[4U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_710 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. 
+ + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -3262,6 +3437,10 @@ ntt_multiply_89_d5(libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -3276,13 +3455,11 @@ static KRML_MUSTINLINE void add_to_ring_element_89_931( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - Eurydice_slice), - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - size_t); + libcrux_ml_kem_vector_portable_vector_type_PortableVector), + libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -3331,6 +3508,9 @@ static KRML_MUSTINLINE void add_standard_error_reduce_89_99( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -3346,22 +3526,20 @@ static KRML_MUSTINLINE void compute_As_plus_e_da1( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, result[i] = ZERO_89_39();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *matrix_element = 
@@ -3377,6 +3555,47 @@ static KRML_MUSTINLINE void compute_As_plus_e_da1( (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -3390,9 +3609,9 @@ static tuple_540 generate_keypair_unpacked_f41( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; G_f1_b61(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[4U][4U]; 
@@ -3402,53 +3621,59 @@ static tuple_540 generate_keypair_unpacked_f41( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_710 uu____2 = sample_vector_cbd_then_ntt_d71(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_710 uu____2 = sample_vector_cbd_then_ntt_d71(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[4U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_as_ntt[4U]; memcpy( error_as_ntt, - sample_vector_cbd_then_ntt_d71(uu____3, domain_separator).fst, + sample_vector_cbd_then_ntt_d71(copy_of_prf_input, domain_separator).fst, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[4U]; compute_As_plus_e_da1(A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____4[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[4U]; memcpy( - uu____4, t_as_ntt, + 
copy_of_t_as_ntt, t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____5[4U][4U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A_transpose[4U] + [4U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____7[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[4U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_42 sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); return (CLITERAL(tuple_540){.fst = sk, .snd = pk}); } 
@@ -3467,7 +3692,7 @@ generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static void closure_931( +static void closure_9d1( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[4U]) { KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, ret[i] = ZERO_89_39();); @@ -3483,7 +3708,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0 clone_d5_97( +static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0 clone_d5_1e( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[16U]; 
@@ -3524,28 +3749,27 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_251( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_481( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_540 uu____0 = generate_keypair_unpacked_f41(ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_42 ind_cpa_private_key = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[4U][4U]; - KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, closure_931(A[i]);); + KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, closure_9d1(A[i]);); KRML_MAYBE_FOR4( i0, (size_t)0U, (size_t)4U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - clone_d5_97(&ind_cpa_public_key.A[j][i1]); + clone_d5_1e(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1;);); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[4U][4U]; memcpy(uu____2, A, 
@@ -3558,33 +3782,36 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_251( serialize_public_key_801( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; - H_f1_2e1(Eurydice_array_to_slice((size_t)1568U, pk_serialized, uint8_t, - Eurydice_slice), + H_f1_2e1(Eurydice_array_to_slice((size_t)1568U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_42 uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_42 uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + memcpy(lit.public_key.public_key_hash, 
copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -3607,19 +3834,24 @@ static libcrux_ml_kem_utils_extraction_helper_Keypair1024 generate_keypair_ec1( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_42 sk = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 pk = uu____0.snd; uint8_t public_key_serialized[1568U]; - serialize_public_key_801(pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, - uint8_t, Eurydice_slice), - public_key_serialized); + serialize_public_key_801( + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), + public_key_serialized); uint8_t secret_key_serialized[1536U]; serialize_secret_key_f81(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[1536U]; - memcpy(uu____1, secret_key_serialized, (size_t)1536U * sizeof(uint8_t)); - uint8_t uu____2[1568U]; - memcpy(uu____2, public_key_serialized, (size_t)1568U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1536U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1536U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[1568U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair1024 lit; - memcpy(lit.fst, uu____1, (size_t)1536U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)1568U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)1536U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)1568U * sizeof(uint8_t)); return lit; } 
@@ -3638,43 +3870,37 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_f2( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; H_f1_2e1(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + 
core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)3168U * sizeof(uint8_t)); } @@ -3695,12 +3921,11 @@ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair libcrux_ml_kem_ind_cca_generate_keypair_c24(uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair1024 uu____0 = generate_keypair_ec1(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[1536U]; 
@@ -3709,22 +3934,26 @@ libcrux_ml_kem_ind_cca_generate_keypair_c24(uint8_t randomness[64U]) { memcpy(public_key, uu____0.snd, (size_t)1568U * sizeof(uint8_t)); uint8_t secret_key_serialized[3168U]; serialize_kem_secret_key_f2( - Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1536U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1568U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[3168U]; - memcpy(uu____1, secret_key_serialized, (size_t)3168U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[3168U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)3168U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_95 private_key = - libcrux_ml_kem_types_from_e7_a71(uu____1); + libcrux_ml_kem_types_from_e7_a71(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_95 uu____2 = private_key; - uint8_t uu____3[1568U]; - memcpy(uu____3, public_key, (size_t)1568U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1568U]; + memcpy(copy_of_public_key, public_key, (size_t)1568U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c91( - uu____2, libcrux_ml_kem_types_from_07_4c1(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c1(copy_of_public_key)); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -3739,12 +3968,13 @@ sample_ring_element_cbd_2c1(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, error_1[i] = ZERO_89_39();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[4U][33U]; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -3753,16 +3983,17 @@ sample_ring_element_cbd_2c1(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_error_1[4U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_710 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; 
@@ -3776,8 +4007,7 @@ with const generics static KRML_MUSTINLINE void PRF_3a0(Eurydice_slice input, uint8_t ret[128U]) { uint8_t digest[128U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); } @@ -3807,7 +4037,7 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_1_9f( KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], @@ -3817,7 +4047,7 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_1_9f( (size_t)2U], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)3U;); + zeta_i[0U] = zeta_i[0U] - (size_t)3U;); } /** @@ -3831,13 +4061,13 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_2_a6( KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)1U;); + zeta_i[0U] = zeta_i[0U] - (size_t)1U;); } /** 
@@ -3960,6 +4190,9 @@ static KRML_MUSTINLINE void add_error_reduce_89_08( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -3975,22 +4208,20 @@ static KRML_MUSTINLINE void compute_vector_u_a11( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, result[i] = ZERO_89_39();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *a_element = &row[j]; @@ -4036,7 +4267,7 @@ deserialize_then_decompress_message_f6(uint8_t serialized[32U]) { libcrux_ml_kem_vector_portable_deserialize_1_0d( Eurydice_array_to_subslice2(serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = decompress_1_89(coefficient_compressed); re.coefficients[i0] = uu____0;); 
@@ -4077,6 +4308,9 @@ add_message_error_reduce_89_8b( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4180,12 +4414,9 @@ static KRML_MUSTINLINE void compress_then_serialize_11_e10( uint8_t bytes[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)22U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)22U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)352U * sizeof(uint8_t)); } @@ -4204,6 +4435,9 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_2f0( memcpy(ret, uu____0, (size_t)352U * sizeof(uint8_t)); } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -4217,25 +4451,21 @@ static void compress_then_serialize_u_241( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 input[4U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)4U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)1408U / (size_t)4U), - (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)1408U / (size_t)4U), uint8_t); uint8_t ret[352U]; compress_then_serialize_ring_element_u_2f0(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)352U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)352U, ret, uint8_t), uint8_t); } } @@ -4287,12 +4517,10 @@ static KRML_MUSTINLINE void compress_then_serialize_4_e5( compress_0d_311(to_unsigned_representative_78(re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); } } 
@@ -4344,12 +4572,10 @@ static KRML_MUSTINLINE void compress_then_serialize_5_a3( compress_0d_312(to_unsigned_representative_78(re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)10U * i0, - (size_t)10U * i0 + (size_t)10U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)10U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)10U * i0 + (size_t)10U, uint8_t), + Eurydice_array_to_slice((size_t)10U, bytes, uint8_t), uint8_t); } } @@ -4365,6 +4591,47 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_310( compress_then_serialize_5_a3(re, out); } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -4388,17 +4655,20 @@ static void encrypt_unpacked_6c1( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1568U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_710 uu____1 = sample_vector_cbd_then_ntt_d71(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_710 uu____1 = sample_vector_cbd_then_ntt_d71(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 r_as_ntt[4U]; memcpy( r_as_ntt, uu____1.fst, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_710 uu____3 = sample_ring_element_cbd_2c1(uu____2, domain_separator0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_710 uu____3 = + sample_ring_element_cbd_2c1(copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[4U]; memcpy( error_1, uu____3.fst, 
@@ -4406,18 +4676,18 @@ static void encrypt_unpacked_6c1( uint8_t domain_separator = uu____3.snd; prf_input[32U] = domain_separator; uint8_t prf_output[128U]; - PRF_f1_044( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + PRF_f1_044(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_2 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u[4U]; compute_vector_u_a11(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message_as_ring_element = - deserialize_then_decompress_message_f6(uu____4); + deserialize_then_decompress_message_f6(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = compute_ring_element_v_1f1(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -4427,14 +4697,12 @@ static void encrypt_unpacked_6c1( uu____5, u, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); compress_then_serialize_u_241( - uu____5, - Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)1408U, - uint8_t, Eurydice_slice)); + uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, + (size_t)1408U, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____6 = v; compress_then_serialize_ring_element_v_310( - uu____6, - Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, (size_t)1408U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, + (size_t)1408U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)1568U * sizeof(uint8_t)); } 
@@ -4457,51 +4725,51 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d81( +tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_841( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_42 *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; - G_f1_b61( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b61(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); uint8_t 
ciphertext[1568U]; - encrypt_unpacked_6c1(uu____2, uu____3, pseudorandomness, ciphertext); + encrypt_unpacked_6c1(uu____2, copy_of_randomness, pseudorandomness, + ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[1568U]; - memcpy(uu____4, ciphertext, (size_t)1568U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1568U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext uu____5 = - libcrux_ml_kem_types_from_15_f51(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f51(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_21 lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } 
@@ -4515,15 +4783,19 @@ with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$4size_t]] with const generics - K= 4 */ -static KRML_MUSTINLINE void entropy_preprocess_af_44(Eurydice_slice randomness, +static KRML_MUSTINLINE void entropy_preprocess_af_3d(Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -4538,7 +4810,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_723( KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, deserialized_pk[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -4546,7 +4818,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_723( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = deserialize_to_reduced_ring_element_ad(ring_element); deserialized_pk[i0] = uu____0; 
@@ -4578,45 +4850,48 @@ static void encrypt_0d1(Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1568U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[4U]; deserialize_ring_elements_reduced_723( - Eurydice_slice_subslice_to(public_key, (size_t)1536U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)1536U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1536U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)1536U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[4U][4U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); sample_matrix_A_231(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[4U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[4U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1[4U][4U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A[4U][4U]; + memcpy(copy_of_A, A, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); 
libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[4U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[1568U]; - encrypt_unpacked_6c1(uu____3, uu____4, randomness, ret1); + encrypt_unpacked_6c1(uu____3, copy_of_message, randomness, ret1); memcpy(ret, ret1, (size_t)1568U * sizeof(uint8_t)); } @@ -4631,13 +4906,11 @@ with const generics - K= 4 - CIPHERTEXT_SIZE= 1568 */ -static KRML_MUSTINLINE void kdf_af_c2(Eurydice_slice shared_secret, +static KRML_MUSTINLINE void kdf_af_ef(Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -4663,56 +4936,53 @@ tuple_21 libcrux_ml_kem_ind_cca_encapsulate_441( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - entropy_preprocess_af_44( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + entropy_preprocess_af_3d( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; H_f1_2e1(Eurydice_array_to_slice( (size_t)1568U, libcrux_ml_kem_types_as_slice_f6_f21(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; - G_f1_b61( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b61(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1568U, libcrux_ml_kem_types_as_slice_f6_f21(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; 
- memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1568U, libcrux_ml_kem_types_as_slice_f6_f21(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1568U]; - encrypt_0d1(uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t uu____4[1568U]; - memcpy(uu____4, ciphertext, (size_t)1568U * sizeof(uint8_t)); + encrypt_0d1(uu____2, copy_of_randomness, pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1568U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1568U * sizeof(uint8_t)); libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f51(uu____4); + libcrux_ml_kem_types_from_15_f51(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - kdf_af_c2(shared_secret, shared_secret_array); + kdf_af_ef(shared_secret, shared_secret_array); libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_21 lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_21 result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } /** 
@@ -4759,16 +5029,13 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_10_e9(Eurydice_slice serialized) { +deserialize_then_decompress_10_fc(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)20U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_10_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -4822,16 +5089,13 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_11_f5(Eurydice_slice serialized) { +deserialize_then_decompress_11_ba(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)22U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_11_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = 
@@ -4848,8 +5112,8 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 11 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_ring_element_u_890(Eurydice_slice serialized) { - return deserialize_then_decompress_11_f5(serialized); +deserialize_then_decompress_ring_element_u_980(Eurydice_slice serialized) { + return deserialize_then_decompress_11_ba(serialized); } /** @@ -4858,7 +5122,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - VECTOR_U_COMPRESSION_FACTOR= 11 */ -static KRML_MUSTINLINE void ntt_vector_u_ed0( +static KRML_MUSTINLINE void ntt_vector_u_7a0( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) { size_t zeta_i = (size_t)0U; ntt_at_layer_4_plus_cc(&zeta_i, re, (size_t)7U); @@ -4871,6 +5135,10 @@ static KRML_MUSTINLINE void ntt_vector_u_ed0( poly_barrett_reduce_89_2c(re); } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -4879,17 +5147,16 @@ with const generics - CIPHERTEXT_SIZE= 1568 - U_COMPRESSION_FACTOR= 11 */ -static KRML_MUSTINLINE void deserialize_then_decompress_u_b11( +static KRML_MUSTINLINE void deserialize_then_decompress_u_af1( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, u_as_ntt[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U); i++) { @@ -4902,11 +5169,9 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_b11( (size_t)11U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)11U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - deserialize_then_decompress_ring_element_u_890(u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u_ed0(&u_as_ntt[i0]); + uint8_t); + u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_980(u_bytes); + ntt_vector_u_7a0(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, 
@@ -4957,15 +5222,13 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_4_34(Eurydice_slice serialized) { +deserialize_then_decompress_4_8f(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = ZERO_89_39(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)8U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_4_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -5019,19 +5282,15 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_5_53(Eurydice_slice serialized) { +deserialize_then_decompress_5_04(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)10U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t, - Eurydice_slice); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); + re.coefficients[i0] = libcrux_ml_kem_vector_portable_deserialize_5_0d(bytes); - re.coefficients[i0] = uu____0; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = decompress_ciphertext_coefficient_0d_f42(re.coefficients[i0]); re.coefficients[i0] = uu____1; 
@@ -5046,8 +5305,8 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 5 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_ring_element_v_300(Eurydice_slice serialized) { - return deserialize_then_decompress_5_53(serialized); +deserialize_then_decompress_ring_element_v_df0(Eurydice_slice serialized) { + return deserialize_then_decompress_5_04(serialized); } /** @@ -5061,7 +5320,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -subtract_reduce_89_7d(libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, +subtract_reduce_89_70(libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { @@ -5079,6 +5338,12 @@ subtract_reduce_89_7d(libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5086,7 +5351,7 @@ with const generics - K= 4 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -compute_message_cb1( +compute_message_ff1( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *u_as_ntt) { 
@@ -5096,7 +5361,7 @@ compute_message_cb1( ntt_multiply_89_d5(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_89_931(&result, &product);); invert_ntt_montgomery_861(&result); - result = subtract_reduce_89_7d(v, result); + result = subtract_reduce_89_70(v, result); return result; } @@ -5106,7 +5371,7 @@ libcrux_ml_kem.serialize.compress_then_serialize_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_message_3a( +static KRML_MUSTINLINE void compress_then_serialize_message_c1( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; KRML_MAYBE_FOR16( 
@@ -5119,15 +5384,37 @@ static KRML_MUSTINLINE void compress_then_serialize_message_3a( uint8_t bytes[2U]; libcrux_ml_kem_vector_portable_serialize_1_0d( coefficient_compressed, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *);); + serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), + uint8_t);); memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -5138,20 +5425,19 @@ with const generics - U_COMPRESSION_FACTOR= 11 - V_COMPRESSION_FACTOR= 5 */ -static void decrypt_unpacked_e71( +static void decrypt_unpacked_5d1( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_42 *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[4U]; - deserialize_then_decompress_u_b11(ciphertext, u_as_ntt); + deserialize_then_decompress_u_af1(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = - deserialize_then_decompress_ring_element_v_300( + deserialize_then_decompress_ring_element_v_df0( Eurydice_array_to_subslice_from((size_t)1568U, ciphertext, - (size_t)1408U, uint8_t, size_t, - Eurydice_slice)); + (size_t)1408U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message = - compute_message_cb1(&v, secret_key->secret_as_ntt, u_as_ntt); + compute_message_ff1(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_3a(message, ret0); + compress_then_serialize_message_c1(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -5163,8 +5449,7 @@ with const generics static KRML_MUSTINLINE void PRF_3a(Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } 
@@ -5204,66 +5489,62 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d1( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e1( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_42 *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - decrypt_unpacked_e71(&key_pair->private_key.ind_cpa_private_key, + decrypt_unpacked_5d1(&key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; - G_f1_b61( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b61(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[1600U]; libcrux_ml_kem_utils_into_padded_array_2d4( - Eurydice_array_to_slice((size_t)32U, - key_pair->private_key.implicit_rejection_value, - uint8_t, 
Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; - PRF_f1_043( - Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + PRF_f1_043(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), + implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_42 *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1568U]; - encrypt_unpacked_6c1(uu____3, uu____4, pseudorandomness, expected_ciphertext); + encrypt_unpacked_6c1(uu____3, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), - Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), selector, ret0); memcpy(ret, ret0, (size_t)32U * 
sizeof(uint8_t)); } @@ -5275,16 +5556,13 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_to_uncompressed_ring_element_05(Eurydice_slice serialized) { +deserialize_to_uncompressed_ring_element_53(Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes); re.coefficients[i0] = uu____0; @@ -5292,20 +5570,23 @@ deserialize_to_uncompressed_ring_element_05(Eurydice_slice serialized) { return re; } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 4 */ -static KRML_MUSTINLINE void deserialize_secret_key_011( +static KRML_MUSTINLINE void deserialize_secret_key_591( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, secret_as_ntt[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; 
@@ -5313,9 +5594,9 @@ static KRML_MUSTINLINE void deserialize_secret_key_011( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - deserialize_to_uncompressed_ring_element_05(secret_bytes); + deserialize_to_uncompressed_ring_element_53(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( @@ -5333,21 +5614,22 @@ with const generics - U_COMPRESSION_FACTOR= 11 - V_COMPRESSION_FACTOR= 5 */ -static void decrypt_c21(Eurydice_slice secret_key, uint8_t *ciphertext, +static void decrypt_671(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[4U]; - deserialize_secret_key_011(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[4U]; + deserialize_secret_key_591(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[4U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_42 secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t ret0[32U]; - decrypt_unpacked_e71(&secret_key_unpacked, ciphertext, ret0); + decrypt_unpacked_5d1(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -5373,42 +5655,38 @@ libcrux_ml_kem_ind_cca_MlKem with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_4f1( +void libcrux_ml_kem_ind_cca_decapsulate_e31( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)3168U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)3168U, private_key->value, uint8_t), (size_t)1536U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1568U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - decrypt_c21(ind_cpa_secret_key, ciphertext->value, decrypted); + decrypt_671(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, 
Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; - G_f1_b61( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b61(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -5417,38 +5695,44 @@ void libcrux_ml_kem_ind_cca_decapsulate_4f1( libcrux_ml_kem_utils_into_padded_array_2d4(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1600U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; - PRF_f1_043( - Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); + PRF_f1_043(Eurydice_array_to_slice((size_t)1600U, to_hash, uint8_t), + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1568U]; - encrypt_0d1(uu____5, uu____6, pseudorandomness, expected_ciphertext); + encrypt_0d1(uu____5, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - kdf_af_c2( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + kdf_af_ef(Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret0, uint8_t), + implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - kdf_af_c2(shared_secret0, shared_secret1); + kdf_af_ef(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed1(ciphertext), - Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, 
uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_711(ciphertext), + Eurydice_array_to_slice((size_t)1568U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -5463,7 +5747,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_722( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, deserialized_pk[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -5471,7 +5755,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_722( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = deserialize_to_reduced_ring_element_ad(ring_element); deserialized_pk[i0] = uu____0; 
@@ -5481,6 +5765,9 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_722( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5493,29 +5780,29 @@ static KRML_MUSTINLINE void serialize_secret_key_f80( uint8_t ret[768U]) { uint8_t out[768U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; serialize_uncompressed_ring_element_f6(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)768U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -5529,18 +5816,15 @@ static KRML_MUSTINLINE void serialize_public_key_800( Eurydice_slice seed_for_a, uint8_t ret[800U]) { uint8_t public_key_serialized[800U] = {0U}; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - public_key_serialized, (size_t)0U, (size_t)768U, uint8_t, Eurydice_slice); + public_key_serialized, (size_t)0U, (size_t)768U, uint8_t); uint8_t ret0[768U]; serialize_secret_key_f80(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)768U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)768U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)800U, public_key_serialized, - (size_t)768U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)768U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)800U * sizeof(uint8_t)); } @@ -5556,14 +5840,14 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_350(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialized_pk[2U]; deserialize_ring_elements_reduced_722( Eurydice_array_to_subslice_to((size_t)800U, public_key, (size_t)768U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *uu____0 = deserialized_pk; uint8_t public_key_serialized[800U]; serialize_public_key_800( uu____0, Eurydice_array_to_subslice_from((size_t)800U, public_key, (size_t)768U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)800U, public_key, public_key_serialized, uint8_t, uint8_t, bool); 
@@ -5629,16 +5913,17 @@ shake128_init_absorb_final_750(uint8_t input[2U][34U]) { KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init();); - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state[i0], - Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, - Eurydice_slice));); - libcrux_sha3_generic_keccak_KeccakState_48 uu____0[2U]; - memcpy(uu____0, shake128_state, + KRML_MAYBE_FOR2( + i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_absorb_final( + &shake128_state[i0], + Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t));); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_sha3_generic_keccak_KeccakState_48 copy_of_shake128_state[2U]; + memcpy(copy_of_shake128_state, shake128_state, (size_t)2U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); PortableHash_8b lit; - memcpy(lit.shake128_state, uu____0, + memcpy(lit.shake128_state, copy_of_shake128_state, (size_t)2U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); return lit; } @@ -5655,9 +5940,10 @@ generics */ static KRML_MUSTINLINE PortableHash_8b shake128_init_absorb_final_f1_110(uint8_t input[2U][34U]) { - uint8_t uu____0[2U][34U]; - memcpy(uu____0, input, (size_t)2U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_750(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[2U][34U]; + memcpy(copy_of_input, input, (size_t)2U * sizeof(uint8_t[34U])); + return shake128_init_absorb_final_750(copy_of_input); } /** 
@@ -5673,8 +5959,7 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_100( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice));); + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[504U])); } @@ -5693,6 +5978,47 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_4e0( shake128_squeeze_first_three_blocks_100(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -5711,12 +6037,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_051( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -5742,11 +6067,11 @@ generics static KRML_MUSTINLINE void shake128_squeeze_next_block_ed0( PortableHash_8b *st, uint8_t ret[2U][168U]) { uint8_t out[2U][168U] = {{0U}}; - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR2( + i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &st->shake128_state[i0], + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[168U])); } 
@@ -5765,6 +6090,47 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_c10( shake128_squeeze_next_block_ed0(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -5783,12 +6149,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_052( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -5814,8 +6179,8 @@ generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f0 closure_990( int16_t s[272U]) { - return from_i16_array_89_6b(Eurydice_array_to_subslice2( - s, (size_t)0U, (size_t)256U, int16_t, Eurydice_slice)); + return from_i16_array_89_6b( + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -5830,32 +6195,37 @@ static KRML_MUSTINLINE void sample_from_xof_2b0( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[2U]) { size_t sampled_coefficients[2U] = {0U}; int16_t out[2U][272U] = {{0U}}; - uint8_t uu____0[2U][34U]; - memcpy(uu____0, seeds, (size_t)2U * sizeof(uint8_t[34U])); - PortableHash_8b xof_state = shake128_init_absorb_final_f1_110(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[2U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U])); + PortableHash_8b xof_state = shake128_init_absorb_final_f1_110(copy_of_seeds); uint8_t randomness0[2U][504U]; shake128_squeeze_first_three_blocks_f1_4e0(&xof_state, randomness0); - uint8_t uu____1[2U][504U]; - memcpy(uu____1, randomness0, (size_t)2U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[2U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)2U * sizeof(uint8_t[504U])); bool done = sample_from_uniform_distribution_next_051( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; } else { uint8_t randomness[2U][168U]; shake128_squeeze_next_block_f1_c10(&xof_state, randomness); - uint8_t uu____2[2U][168U]; - memcpy(uu____2, randomness, (size_t)2U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[2U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)2U * sizeof(uint8_t[168U])); done = sample_from_uniform_distribution_next_052( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[2U][272U]; - memcpy(uu____3, out, (size_t)2U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[2U][272U]; + memcpy(copy_of_out, out, (size_t)2U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 
ret0[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - ret0[i] = closure_990(uu____3[i]);); + ret0[i] = closure_990(copy_of_out[i]);); memcpy( ret, ret0, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); @@ -5876,24 +6246,25 @@ static KRML_MUSTINLINE void sample_matrix_A_230( closure_e80(A_transpose[i]);); KRML_MAYBE_FOR2( i0, (size_t)0U, (size_t)2U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[2U][34U]; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[2U][34U]; - memcpy(uu____1, seeds, (size_t)2U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[2U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)2U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sampled[2U]; - sample_from_xof_2b0(uu____1, sampled); + sample_from_xof_2b0(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample = sampled[j]; 
@@ -5902,7 +6273,9 @@ static KRML_MUSTINLINE void sample_matrix_A_230( } else { A_transpose[i1][j] = sample; } - }); + } + + ); memcpy(ret, A_transpose, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U])); @@ -5928,12 +6301,11 @@ with const generics static KRML_MUSTINLINE void PRFxN_1d0(uint8_t (*input)[33U], uint8_t ret[2U][192U]) { uint8_t out[2U][192U] = {{0U}}; - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)192U, out[i0], uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR2( + i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)192U, out[i0], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[192U])); } @@ -5963,6 +6335,10 @@ sample_from_binomial_distribution_660(Eurydice_slice randomness) { return sample_from_binomial_distribution_3_85(randomness); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -5977,12 +6353,13 @@ static KRML_MUSTINLINE tuple_740 sample_vector_cbd_then_ntt_d70( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, re_as_ntt[i] = ZERO_89_39();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[2U][33U]; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -5990,23 +6367,26 @@ static KRML_MUSTINLINE tuple_740 sample_vector_cbd_then_ntt_d70( PRFxN_f1_890(prf_inputs, prf_outputs); KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - sample_from_binomial_distribution_660(Eurydice_array_to_slice( - (size_t)192U, prf_outputs[i0], uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; + re_as_ntt[i0] = sample_from_binomial_distribution_660( + Eurydice_array_to_slice((size_t)192U, prf_outputs[i0], uint8_t)); ntt_binomially_sampled_ring_element_88(&re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_re_as_ntt[2U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_740 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} 
@@ -6021,13 +6401,11 @@ static KRML_MUSTINLINE void add_to_ring_element_89_930( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - Eurydice_slice), - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - size_t); + libcrux_ml_kem_vector_portable_vector_type_PortableVector), + libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -6037,6 +6415,9 @@ static KRML_MUSTINLINE void add_to_ring_element_89_930( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -6052,22 +6433,20 @@ static KRML_MUSTINLINE void compute_As_plus_e_da0( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, result[i] = ZERO_89_39();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *matrix_element = 
@@ -6083,6 +6462,47 @@ static KRML_MUSTINLINE void compute_As_plus_e_da0( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6096,9 +6516,9 @@ static tuple_4c0 generate_keypair_unpacked_f40( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; G_f1_b60(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[2U][2U]; 
@@ -6108,53 +6528,59 @@ static tuple_4c0 generate_keypair_unpacked_f40( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_740 uu____2 = sample_vector_cbd_then_ntt_d70(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_740 uu____2 = sample_vector_cbd_then_ntt_d70(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[2U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_as_ntt[2U]; memcpy( error_as_ntt, - sample_vector_cbd_then_ntt_d70(uu____3, domain_separator).fst, + sample_vector_cbd_then_ntt_d70(copy_of_prf_input, domain_separator).fst, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[2U]; compute_As_plus_e_da0(A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____4[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[2U]; memcpy( - uu____4, t_as_ntt, + 
copy_of_t_as_ntt, t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____5[2U][2U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A_transpose[2U] + [2U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____7[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[2U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_ae sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); return (CLITERAL(tuple_4c0){.fst = sk, .snd = pk}); } 
@@ -6173,7 +6599,7 @@ generics - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ -static void closure_930( +static void closure_9d0( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[2U]) { KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, ret[i] = ZERO_89_39();); @@ -6207,28 +6633,27 @@ generics - ETA1_RANDOMNESS_SIZE= 192 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_250( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_480( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_4c0 uu____0 = generate_keypair_unpacked_f40(ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_ae ind_cpa_private_key = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[2U][2U]; - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, closure_930(A[i]);); + KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, closure_9d0(A[i]);); KRML_MAYBE_FOR2( i0, (size_t)0U, (size_t)2U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - clone_d5_97(&ind_cpa_public_key.A[j][i1]); + clone_d5_1e(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1;);); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[2U][2U]; memcpy(uu____2, A, 
@@ -6241,33 +6666,36 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_250( serialize_public_key_800( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; - H_f1_2e0(Eurydice_array_to_slice((size_t)800U, pk_serialized, uint8_t, - Eurydice_slice), + H_f1_2e0(Eurydice_array_to_slice((size_t)800U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_ae uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_ae uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + memcpy(lit.public_key.public_key_hash, 
copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -6290,19 +6718,24 @@ static libcrux_ml_kem_utils_extraction_helper_Keypair512 generate_keypair_ec0( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_ae sk = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae pk = uu____0.snd; uint8_t public_key_serialized[800U]; - serialize_public_key_800(pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, - uint8_t, Eurydice_slice), - public_key_serialized); + serialize_public_key_800( + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), + public_key_serialized); uint8_t secret_key_serialized[768U]; serialize_secret_key_f80(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[768U]; - memcpy(uu____1, secret_key_serialized, (size_t)768U * sizeof(uint8_t)); - uint8_t uu____2[800U]; - memcpy(uu____2, public_key_serialized, (size_t)800U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[768U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)768U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[800U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)800U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair512 lit; - memcpy(lit.fst, uu____1, (size_t)768U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)800U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)768U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)800U * sizeof(uint8_t)); return lit; } 
@@ -6321,43 +6754,37 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_41( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; H_f1_2e0(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + 
core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)1632U * sizeof(uint8_t)); } @@ -6378,12 +6805,11 @@ libcrux_ml_kem_types_MlKemKeyPair_cb libcrux_ml_kem_ind_cca_generate_keypair_c21(uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair512 uu____0 = generate_keypair_ec0(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[768U]; 
@@ -6392,20 +6818,21 @@ libcrux_ml_kem_ind_cca_generate_keypair_c21(uint8_t randomness[64U]) { memcpy(public_key, uu____0.snd, (size_t)800U * sizeof(uint8_t)); uint8_t secret_key_serialized[1632U]; serialize_kem_secret_key_41( - Eurydice_array_to_slice((size_t)768U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)800U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)768U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)800U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[1632U]; - memcpy(uu____1, secret_key_serialized, (size_t)1632U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1632U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1632U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_5e private_key = - libcrux_ml_kem_types_from_e7_a7(uu____1); + libcrux_ml_kem_types_from_e7_a7(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_5e uu____2 = private_key; - uint8_t uu____3[800U]; - memcpy(uu____3, public_key, (size_t)800U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[800U]; + memcpy(copy_of_public_key, public_key, (size_t)800U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c9( - uu____2, libcrux_ml_kem_types_from_07_4c(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c(copy_of_public_key)); } /** 
@@ -6417,12 +6844,11 @@ with const generics static KRML_MUSTINLINE void PRFxN_1d1(uint8_t (*input)[33U], uint8_t ret[2U][128U]) { uint8_t out[2U][128U] = {{0U}}; - KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR2( + i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));); memcpy(ret, out, (size_t)2U * sizeof(uint8_t[128U])); } @@ -6441,6 +6867,9 @@ static KRML_MUSTINLINE void PRFxN_f1_891(uint8_t (*input)[33U], PRFxN_1d1(input, ret); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6455,12 +6884,13 @@ sample_ring_element_cbd_2c0(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, error_1[i] = ZERO_89_39();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[2U][33U]; KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -6469,16 +6899,17 @@ sample_ring_element_cbd_2c0(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_error_1[2U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_740 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; @@ -6519,6 +6950,9 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_860( poly_barrett_reduce_89_2c(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -6534,22 +6968,20 @@ static KRML_MUSTINLINE void compute_vector_u_a10( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, result[i] = ZERO_89_39();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *a_element = &row[j]; @@ -6565,6 +6997,9 @@ static KRML_MUSTINLINE void compute_vector_u_a10( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -6604,12 +7039,9 @@ static KRML_MUSTINLINE void compress_then_serialize_10_3b( uint8_t bytes[20U]; libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } @@ -6628,6 +7060,9 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_2f( memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -6641,25 +7076,21 @@ static void compress_then_serialize_u_240( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 input[2U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)2U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)640U / (size_t)2U), - (i0 + (size_t)1U) * ((size_t)640U / (size_t)2U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)640U / (size_t)2U), uint8_t); uint8_t ret[320U]; compress_then_serialize_ring_element_u_2f(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); } } 
@@ -6675,6 +7106,47 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_31( compress_then_serialize_4_e5(re, out); } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -6698,17 +7170,20 @@ static void encrypt_unpacked_6c0( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[768U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_740 uu____1 = sample_vector_cbd_then_ntt_d70(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_740 uu____1 = sample_vector_cbd_then_ntt_d70(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 r_as_ntt[2U]; memcpy( r_as_ntt, uu____1.fst, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_740 uu____3 = sample_ring_element_cbd_2c0(uu____2, domain_separator0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_740 uu____3 = + sample_ring_element_cbd_2c0(copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[2U]; memcpy( error_1, uu____3.fst, 
@@ -6716,18 +7191,18 @@ static void encrypt_unpacked_6c0( uint8_t domain_separator = uu____3.snd; prf_input[32U] = domain_separator; uint8_t prf_output[128U]; - PRF_f1_042( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + PRF_f1_042(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_2 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u[2U]; compute_vector_u_a10(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message_as_ring_element = - deserialize_then_decompress_message_f6(uu____4); + deserialize_then_decompress_message_f6(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = compute_ring_element_v_1f0(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -6738,12 +7213,11 @@ static void encrypt_unpacked_6c0( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); compress_then_serialize_u_240( uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)640U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____6 = v; compress_then_serialize_ring_element_v_31( - uu____6, - Eurydice_array_to_subslice_from((size_t)768U, ciphertext, (size_t)640U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)768U, ciphertext, + (size_t)640U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)768U * sizeof(uint8_t)); } 
@@ -6766,51 +7240,51 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d80( +tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_840( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_ae *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; - G_f1_b60( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b60(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); uint8_t 
ciphertext[768U]; - encrypt_unpacked_6c0(uu____2, uu____3, pseudorandomness, ciphertext); + encrypt_unpacked_6c0(uu____2, copy_of_randomness, pseudorandomness, + ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[768U]; - memcpy(uu____4, ciphertext, (size_t)768U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[768U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_e8 uu____5 = - libcrux_ml_kem_types_from_15_f5(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_ec lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } 
@@ -6824,15 +7298,19 @@ with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$2size_t]] with const generics - K= 2 */ -static KRML_MUSTINLINE void entropy_preprocess_af_5d(Eurydice_slice randomness, +static KRML_MUSTINLINE void entropy_preprocess_af_f4(Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6847,7 +7325,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_721( KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, deserialized_pk[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -6855,7 +7333,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_721( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = deserialize_to_reduced_ring_element_ad(ring_element); deserialized_pk[i0] = uu____0; 
@@ -6887,45 +7365,48 @@ static void encrypt_0d0(Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[768U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[2U]; deserialize_ring_elements_reduced_721( - Eurydice_slice_subslice_to(public_key, (size_t)768U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)768U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)768U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)768U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[2U][2U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); sample_matrix_A_230(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[2U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[2U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1[2U][2U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A[2U][2U]; + memcpy(copy_of_A, A, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); 
libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[2U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[768U]; - encrypt_unpacked_6c0(uu____3, uu____4, randomness, ret1); + encrypt_unpacked_6c0(uu____3, copy_of_message, randomness, ret1); memcpy(ret, ret1, (size_t)768U * sizeof(uint8_t)); } @@ -6940,13 +7421,11 @@ with const generics - K= 2 - CIPHERTEXT_SIZE= 768 */ -static KRML_MUSTINLINE void kdf_af_e8(Eurydice_slice shared_secret, +static KRML_MUSTINLINE void kdf_af_f5(Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -6972,56 +7451,53 @@ tuple_ec libcrux_ml_kem_ind_cca_encapsulate_440( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - entropy_preprocess_af_5d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + entropy_preprocess_af_f4( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; H_f1_2e0(Eurydice_array_to_slice( (size_t)800U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; - G_f1_b60( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b60(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)800U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; - 
memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)800U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[768U]; - encrypt_0d0(uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t uu____4[768U]; - memcpy(uu____4, ciphertext, (size_t)768U * sizeof(uint8_t)); + encrypt_0d0(uu____2, copy_of_randomness, pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[768U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)768U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemCiphertext_e8 ciphertext0 = - libcrux_ml_kem_types_from_15_f5(uu____4); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - kdf_af_e8(shared_secret, shared_secret_array); + kdf_af_f5(shared_secret, shared_secret_array); libcrux_ml_kem_types_MlKemCiphertext_e8 uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_ec lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_ec result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } /** 
@@ -7031,8 +7507,8 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_ring_element_u_89(Eurydice_slice serialized) { - return deserialize_then_decompress_10_e9(serialized); +deserialize_then_decompress_ring_element_u_98(Eurydice_slice serialized) { + return deserialize_then_decompress_10_fc(serialized); } /** @@ -7041,7 +7517,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - VECTOR_U_COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE void ntt_vector_u_ed( +static KRML_MUSTINLINE void ntt_vector_u_7a( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) { size_t zeta_i = (size_t)0U; ntt_at_layer_4_plus_cc(&zeta_i, re, (size_t)7U); @@ -7054,6 +7530,10 @@ static KRML_MUSTINLINE void ntt_vector_u_ed( poly_barrett_reduce_89_2c(re); } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -7062,17 +7542,16 @@ with const generics - CIPHERTEXT_SIZE= 768 - U_COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE void deserialize_then_decompress_u_b10( +static KRML_MUSTINLINE void deserialize_then_decompress_u_af0( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, u_as_ntt[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); i++) { @@ -7085,11 +7564,9 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_b10( (size_t)10U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - deserialize_then_decompress_ring_element_u_89(u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u_ed(&u_as_ntt[i0]); + uint8_t); + u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_98(u_bytes); + ntt_vector_u_7a(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, 
@@ -7103,10 +7580,16 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 4 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -deserialize_then_decompress_ring_element_v_30(Eurydice_slice serialized) { - return deserialize_then_decompress_4_34(serialized); +deserialize_then_decompress_ring_element_v_df(Eurydice_slice serialized) { + return deserialize_then_decompress_4_8f(serialized); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -7114,7 +7597,7 @@ with const generics - K= 2 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -compute_message_cb0( +compute_message_ff0( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *u_as_ntt) { 
@@ -7124,10 +7607,34 @@ compute_message_cb0( ntt_multiply_89_d5(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_89_930(&result, &product);); invert_ntt_montgomery_860(&result); - result = subtract_reduce_89_7d(v, result); + result = subtract_reduce_89_70(v, result); return result; } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -7138,20 +7645,19 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_unpacked_e70( +static void decrypt_unpacked_5d0( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_ae *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[2U]; - deserialize_then_decompress_u_b10(ciphertext, u_as_ntt); + deserialize_then_decompress_u_af0(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = - deserialize_then_decompress_ring_element_v_30( + deserialize_then_decompress_ring_element_v_df( Eurydice_array_to_subslice_from((size_t)768U, ciphertext, - (size_t)640U, uint8_t, size_t, - Eurydice_slice)); + (size_t)640U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message = - compute_message_cb0(&v, secret_key->secret_as_ntt, u_as_ntt); + compute_message_ff0(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_3a(message, ret0); + compress_then_serialize_message_c1(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -7191,83 +7697,82 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d0( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e0( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_ae *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - decrypt_unpacked_e70(&key_pair->private_key.ind_cpa_private_key, + decrypt_unpacked_5d0(&key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; - G_f1_b60( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b60(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[800U]; libcrux_ml_kem_utils_into_padded_array_2d0( - Eurydice_array_to_slice((size_t)32U, - key_pair->private_key.implicit_rejection_value, - uint8_t, 
Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; - PRF_f1_041( - Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + PRF_f1_041(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t), + implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_ae *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[768U]; - encrypt_unpacked_6c0(uu____3, uu____4, pseudorandomness, expected_ciphertext); + encrypt_unpacked_6c0(uu____3, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), - Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), selector, ret0); memcpy(ret, ret0, (size_t)32U * 
sizeof(uint8_t)); } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 2 */ -static KRML_MUSTINLINE void deserialize_secret_key_010( +static KRML_MUSTINLINE void deserialize_secret_key_590( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, secret_as_ntt[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -7275,9 +7780,9 @@ static KRML_MUSTINLINE void deserialize_secret_key_010( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - deserialize_to_uncompressed_ring_element_05(secret_bytes); + deserialize_to_uncompressed_ring_element_53(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( 
@@ -7295,21 +7800,22 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_c20(Eurydice_slice secret_key, uint8_t *ciphertext, +static void decrypt_670(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[2U]; - deserialize_secret_key_010(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[2U]; + deserialize_secret_key_590(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[2U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_ae secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t ret0[32U]; - decrypt_unpacked_e70(&secret_key_unpacked, ciphertext, ret0); + decrypt_unpacked_5d0(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -7335,41 +7841,37 @@ libcrux_ml_kem_ind_cca_MlKem with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_decapsulate_4f0( +void libcrux_ml_kem_ind_cca_decapsulate_e30( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)1632U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)1632U, private_key->value, uint8_t), (size_t)768U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)800U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - decrypt_c20(ind_cpa_secret_key, ciphertext->value, decrypted); + decrypt_670(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, 
Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; - G_f1_b60( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b60(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -7378,38 +7880,44 @@ void libcrux_ml_kem_ind_cca_decapsulate_4f0( libcrux_ml_kem_utils_into_padded_array_2d0(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)800U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; - PRF_f1_041( - Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); + PRF_f1_041(Eurydice_array_to_slice((size_t)800U, to_hash, uint8_t), + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[768U]; - encrypt_0d0(uu____5, uu____6, pseudorandomness, expected_ciphertext); + encrypt_0d0(uu____5, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - kdf_af_e8( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + kdf_af_f5(Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret0, uint8_t), + implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - kdf_af_e8(shared_secret0, shared_secret1); + kdf_af_f5(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed(ciphertext), - Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t, 
- Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_71(ciphertext), + Eurydice_array_to_slice((size_t)768U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -7424,7 +7932,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_720( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, deserialized_pk[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -7432,7 +7940,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_720( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = deserialize_to_reduced_ring_element_ad(ring_element); deserialized_pk[i0] = uu____0; 
@@ -7442,6 +7950,9 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_720( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -7454,29 +7965,29 @@ static KRML_MUSTINLINE void serialize_secret_key_f8( uint8_t ret[1152U]) { uint8_t out[1152U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; serialize_uncompressed_ring_element_f6(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -7489,20 +8000,16 @@ static KRML_MUSTINLINE void serialize_public_key_80( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *t_as_ntt, Eurydice_slice seed_for_a, uint8_t ret[1184U]) { uint8_t public_key_serialized[1184U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_subslice2(public_key_serialized, (size_t)0U, - (size_t)1152U, uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + public_key_serialized, (size_t)0U, (size_t)1152U, uint8_t); uint8_t ret0[1152U]; serialize_secret_key_f8(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)1184U, public_key_serialized, - (size_t)1152U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)1152U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); } @@ -7518,14 +8025,14 @@ bool libcrux_ml_kem_ind_cca_validate_public_key_35(uint8_t *public_key) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialized_pk[3U]; deserialize_ring_elements_reduced_720( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *uu____0 = deserialized_pk; uint8_t public_key_serialized[1184U]; serialize_public_key_80( uu____0, Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); 
@@ -7591,16 +8098,17 @@ shake128_init_absorb_final_75(uint8_t input[3U][34U]) { KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, shake128_state[i] = libcrux_sha3_portable_incremental_shake128_init();); - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state[i0], - Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t, - Eurydice_slice));); - libcrux_sha3_generic_keccak_KeccakState_48 uu____0[3U]; - memcpy(uu____0, shake128_state, + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_absorb_final( + &shake128_state[i0], + Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t));); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_sha3_generic_keccak_KeccakState_48 copy_of_shake128_state[3U]; + memcpy(copy_of_shake128_state, shake128_state, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); PortableHash_58 lit; - memcpy(lit.shake128_state, uu____0, + memcpy(lit.shake128_state, copy_of_shake128_state, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); return lit; } @@ -7617,9 +8125,10 @@ generics */ static KRML_MUSTINLINE PortableHash_58 shake128_init_absorb_final_f1_11(uint8_t input[3U][34U]) { - uint8_t uu____0[3U][34U]; - memcpy(uu____0, input, (size_t)3U * sizeof(uint8_t[34U])); - return shake128_init_absorb_final_75(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[3U][34U]; + memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); + return shake128_init_absorb_final_75(copy_of_input); } /** 
@@ -7635,8 +8144,7 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_10( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice));); + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t));); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); } @@ -7655,6 +8163,47 @@ static KRML_MUSTINLINE void shake128_squeeze_first_three_blocks_f1_4e( shake128_squeeze_first_three_blocks_10(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -7673,12 +8222,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_05( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -7704,11 +8252,11 @@ generics static KRML_MUSTINLINE void shake128_squeeze_next_block_ed( PortableHash_58 *st, uint8_t ret[3U][168U]) { uint8_t out[3U][168U] = {{0U}}; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_incremental_shake128_squeeze_next_block( - &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_incremental_shake128_squeeze_next_block( + &st->shake128_state[i0], + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t));); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); } 
@@ -7727,6 +8275,47 @@ static KRML_MUSTINLINE void shake128_squeeze_next_block_f1_c1( shake128_squeeze_next_block_ed(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -7745,12 +8334,11 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_050( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, int16_t, - Eurydice_slice)); + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; @@ -7776,8 +8364,8 @@ generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f0 closure_99( int16_t s[272U]) { - return from_i16_array_89_6b(Eurydice_array_to_subslice2( - s, (size_t)0U, (size_t)256U, int16_t, Eurydice_slice)); + return from_i16_array_89_6b( + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -7792,32 +8380,37 @@ static KRML_MUSTINLINE void sample_from_xof_2b( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { size_t sampled_coefficients[3U] = {0U}; int16_t out[3U][272U] = {{0U}}; - uint8_t uu____0[3U][34U]; - memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); - PortableHash_58 xof_state = shake128_init_absorb_final_f1_11(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); + PortableHash_58 xof_state = shake128_init_absorb_final_f1_11(copy_of_seeds); uint8_t randomness0[3U][504U]; shake128_squeeze_first_three_blocks_f1_4e(&xof_state, randomness0); - uint8_t uu____1[3U][504U]; - memcpy(uu____1, randomness0, (size_t)3U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[3U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U])); bool done = sample_from_uniform_distribution_next_05( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; } else { uint8_t randomness[3U][168U]; shake128_squeeze_next_block_f1_c1(&xof_state, randomness); - uint8_t uu____2[3U][168U]; - memcpy(uu____2, randomness, (size_t)3U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[3U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)3U * sizeof(uint8_t[168U])); done = sample_from_uniform_distribution_next_050( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[3U][272U]; - memcpy(uu____3, out, (size_t)3U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[3U][272U]; + memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret0[3U]; 
KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - ret0[i] = closure_99(uu____3[i]);); + ret0[i] = closure_99(copy_of_out[i]);); memcpy( ret, ret0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); @@ -7838,24 +8431,25 @@ static KRML_MUSTINLINE void sample_matrix_A_23( closure_e8(A_transpose[i]);); KRML_MAYBE_FOR3( i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t));); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t));); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j;); - uint8_t uu____1[3U][34U]; - memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sampled[3U]; - sample_from_xof_2b(uu____1, sampled); + sample_from_xof_2b(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample = sampled[j]; 
@@ -7864,7 +8458,9 @@ static KRML_MUSTINLINE void sample_matrix_A_23( } else { A_transpose[i1][j] = sample; } - }); + } + + ); memcpy(ret, A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); @@ -7890,12 +8486,11 @@ with const generics static KRML_MUSTINLINE void PRFxN_1d(uint8_t (*input)[33U], uint8_t ret[3U][128U]) { uint8_t out[3U][128U] = {{0U}}; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice));); + KRML_MAYBE_FOR3( + i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; + libcrux_sha3_portable_shake256( + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t));); memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); } @@ -7914,6 +8509,10 @@ static KRML_MUSTINLINE void PRFxN_f1_89(uint8_t (*input)[33U], PRFxN_1d(input, ret); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -7928,12 +8527,13 @@ static KRML_MUSTINLINE tuple_b0 sample_vector_cbd_then_ntt_d7( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, re_as_ntt[i] = ZERO_89_39();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -7941,23 +8541,26 @@ static KRML_MUSTINLINE tuple_b0 sample_vector_cbd_then_ntt_d7( PRFxN_f1_89(prf_inputs, prf_outputs); KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); - re_as_ntt[i0] = uu____1; + re_as_ntt[i0] = sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); ntt_binomially_sampled_ring_element_88(&re_as_ntt[i0]);); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_re_as_ntt[3U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_b0 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} 
@@ -7972,13 +8575,11 @@ static KRML_MUSTINLINE void add_to_ring_element_89_93( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - Eurydice_slice), - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - size_t); + libcrux_ml_kem_vector_portable_vector_type_PortableVector), + libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -7988,6 +8589,9 @@ static KRML_MUSTINLINE void add_to_ring_element_89_93( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -8003,22 +8607,20 @@ static KRML_MUSTINLINE void compute_As_plus_e_da( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, result[i] = ZERO_89_39();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *matrix_element = 
@@ -8034,6 +8636,47 @@ static KRML_MUSTINLINE void compute_As_plus_e_da( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -8047,9 +8690,9 @@ static tuple_9b generate_keypair_unpacked_f4( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; G_f1_b6(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[3U][3U]; 
@@ -8059,53 +8702,59 @@ static tuple_9b generate_keypair_unpacked_f4( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b0 uu____2 = sample_vector_cbd_then_ntt_d7(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b0 uu____2 = sample_vector_cbd_then_ntt_d7(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_as_ntt[3U]; memcpy( error_as_ntt, - sample_vector_cbd_then_ntt_d7(uu____3, domain_separator).fst, + sample_vector_cbd_then_ntt_d7(copy_of_prf_input, domain_separator).fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[3U]; compute_As_plus_e_da(A_transpose, secret_as_ntt, error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____4[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[3U]; memcpy( - uu____4, t_as_ntt, + copy_of_t_as_ntt, 
t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____5[3U][3U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A_transpose[3U] + [3U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____7[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[3U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); return (CLITERAL(tuple_9b){.fst = sk, .snd = pk}); } 
@@ -8124,7 +8773,7 @@ generics - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ -static void closure_93( +static void closure_9d( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, ret[i] = ZERO_89_39();); @@ -8158,28 +8807,27 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_25( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_48( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_9b uu____0 = generate_keypair_unpacked_f4(ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 ind_cpa_private_key = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[3U][3U]; - KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, closure_93(A[i]);); + KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, closure_9d(A[i]);); KRML_MAYBE_FOR3( i0, (size_t)0U, (size_t)3U, (size_t)1U, size_t i1 = i0; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - clone_d5_97(&ind_cpa_public_key.A[j][i1]); + clone_d5_1e(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1;);); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[3U][3U]; memcpy(uu____2, A, 
@@ -8192,33 +8840,36 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_25( serialize_public_key_80( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; - H_f1_2e(Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t, - Eurydice_slice), + H_f1_2e(Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_f8 uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + memcpy(lit.public_key.public_key_hash, 
copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } @@ -8241,19 +8892,24 @@ static libcrux_ml_kem_utils_extraction_helper_Keypair768 generate_keypair_ec( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 sk = uu____0.fst; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 pk = uu____0.snd; uint8_t public_key_serialized[1184U]; - serialize_public_key_80(pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, - uint8_t, Eurydice_slice), - public_key_serialized); + serialize_public_key_80( + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), + public_key_serialized); uint8_t secret_key_serialized[1152U]; serialize_secret_key_f8(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[1152U]; - memcpy(uu____1, secret_key_serialized, (size_t)1152U * sizeof(uint8_t)); - uint8_t uu____2[1184U]; - memcpy(uu____2, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1152U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[1184U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, uu____1, (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)1184U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); return lit; } 
@@ -8272,43 +8928,37 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_a8( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; H_f1_2e(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + 
core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } @@ -8329,12 +8979,11 @@ libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_ind_cca_generate_keypair_c20(uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = generate_keypair_ec(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[1152U]; 
@@ -8343,22 +8992,26 @@ libcrux_ml_kem_ind_cca_generate_keypair_c20(uint8_t randomness[64U]) { memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); uint8_t secret_key_serialized[2400U]; serialize_kem_secret_key_a8( - Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[2400U]; - memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[2400U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_55 private_key = - libcrux_ml_kem_types_from_e7_a70(uu____1); + libcrux_ml_kem_types_from_e7_a70(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_55 uu____2 = private_key; - uint8_t uu____3[1184U]; - memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c90( - uu____2, libcrux_ml_kem_types_from_07_4c0(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c0(copy_of_public_key)); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -8373,12 +9026,13 @@ sample_ring_element_cbd_2c(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, error_1[i] = ZERO_89_39();); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t));); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -8387,16 +9041,17 @@ sample_ring_element_cbd_2c(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_outputs[i0], uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1;); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_error_1[3U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_b0 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; 
@@ -8437,6 +9092,9 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_86( poly_barrett_reduce_89_2c(re); } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -8452,22 +9110,20 @@ static KRML_MUSTINLINE void compute_vector_u_a1( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, result[i] = ZERO_89_39();); for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *a_element = &row[j]; @@ -8483,6 +9139,9 @@ static KRML_MUSTINLINE void compute_vector_u_a1( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -8505,6 +9164,9 @@ compute_ring_element_v_1f( return result; } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -8518,28 +9180,65 @@ static void compress_then_serialize_u_24( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 input[3U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t); uint8_t ret[320U]; compress_then_serialize_ring_element_u_2f(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); } } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. 
+ + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -8563,17 +9262,20 @@ static void encrypt_unpacked_6c( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1088U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b0 uu____1 = sample_vector_cbd_then_ntt_d7(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b0 uu____1 = sample_vector_cbd_then_ntt_d7(copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 r_as_ntt[3U]; memcpy( r_as_ntt, uu____1.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b0 uu____3 = sample_ring_element_cbd_2c(uu____2, domain_separator0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b0 uu____3 = + sample_ring_element_cbd_2c(copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[3U]; memcpy( error_1, uu____3.fst, 
@@ -8581,18 +9283,18 @@ static void encrypt_unpacked_6c( uint8_t domain_separator = uu____3.snd; prf_input[32U] = domain_separator; uint8_t prf_output[128U]; - PRF_f1_040( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + PRF_f1_040(Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), + prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_2 = - sample_from_binomial_distribution_66(Eurydice_array_to_slice( - (size_t)128U, prf_output, uint8_t, Eurydice_slice)); + sample_from_binomial_distribution_66( + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u[3U]; compute_vector_u_a1(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message_as_ring_element = - deserialize_then_decompress_message_f6(uu____4); + deserialize_then_decompress_message_f6(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = compute_ring_element_v_1f(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -8603,12 +9305,11 @@ static void encrypt_unpacked_6c( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); compress_then_serialize_u_24( uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____6 = v; compress_then_serialize_ring_element_v_31( - uu____6, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, + (size_t)960U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); } 
@@ -8631,51 +9332,51 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_d8( +tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_84( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; - G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b6(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); uint8_t 
ciphertext[1088U]; - encrypt_unpacked_6c(uu____2, uu____3, pseudorandomness, ciphertext); + encrypt_unpacked_6c(uu____2, copy_of_randomness, pseudorandomness, + ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = - libcrux_ml_kem_types_from_15_f50(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f50(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_3c lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } 
@@ -8689,15 +9390,19 @@ with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const generics - K= 3 */ -static KRML_MUSTINLINE void entropy_preprocess_af_6c(Eurydice_slice randomness, +static KRML_MUSTINLINE void entropy_preprocess_af_56(Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -8712,7 +9417,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_72( KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, deserialized_pk[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -8720,7 +9425,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_72( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = deserialize_to_reduced_ring_element_ad(ring_element); deserialized_pk[i0] = uu____0; 
@@ -8752,45 +9457,48 @@ static void encrypt_0d(Eurydice_slice public_key, uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1088U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[3U]; deserialize_ring_elements_reduced_72( - Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[3U][3U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); sample_matrix_A_23(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[3U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1[3U][3U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A[3U][3U]; + memcpy(copy_of_A, A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); 
libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[1088U]; - encrypt_unpacked_6c(uu____3, uu____4, randomness, ret1); + encrypt_unpacked_6c(uu____3, copy_of_message, randomness, ret1); memcpy(ret, ret1, (size_t)1088U * sizeof(uint8_t)); } @@ -8805,13 +9513,11 @@ with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE void kdf_af_b6(Eurydice_slice shared_secret, +static KRML_MUSTINLINE void kdf_af_27(Eurydice_slice shared_secret, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -8837,58 +9543,59 @@ tuple_3c libcrux_ml_kem_ind_cca_encapsulate_44( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - entropy_preprocess_af_6c( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + entropy_preprocess_af_56( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; H_f1_2e(Eurydice_array_to_slice( (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f20(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; - G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b6(Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f20(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; - 
memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f20(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - encrypt_0d(uu____2, uu____3, pseudorandomness, ciphertext); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + encrypt_0d(uu____2, copy_of_randomness, pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f50(uu____4); + libcrux_ml_kem_types_from_15_f50(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - kdf_af_b6(shared_secret, shared_secret_array); + kdf_af_27(shared_secret, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_3c lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_3c result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -8897,17 +9604,16 @@ with const generics - CIPHERTEXT_SIZE= 1088 - U_COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE void deserialize_then_decompress_u_b1( +static KRML_MUSTINLINE void deserialize_then_decompress_u_af( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, u_as_ntt[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); i++) { @@ -8920,17 +9626,21 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_b1( (size_t)10U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - deserialize_then_decompress_ring_element_u_89(u_bytes); - u_as_ntt[i0] = uu____0; - ntt_vector_u_ed(&u_as_ntt[i0]); + uint8_t); + u_as_ntt[i0] = deserialize_then_decompress_ring_element_u_98(u_bytes); + ntt_vector_u_7a(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -8938,7 +9648,7 @@ with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -compute_message_cb( +compute_message_ff( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *u_as_ntt) { @@ -8948,10 +9658,34 @@ compute_message_cb( ntt_multiply_89_d5(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_89_93(&result, &product);); invert_ntt_montgomery_86(&result); - result = subtract_reduce_89_7d(v, result); + result = subtract_reduce_89_70(v, result); return result; } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -8962,20 +9696,19 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_unpacked_e7( +static void decrypt_unpacked_5d( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[3U]; - deserialize_then_decompress_u_b1(ciphertext, u_as_ntt); + deserialize_then_decompress_u_af(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = - deserialize_then_decompress_ring_element_v_30( + deserialize_then_decompress_ring_element_v_df( Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - Eurydice_slice)); + (size_t)960U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message = - compute_message_cb(&v, secret_key->secret_as_ntt, u_as_ntt); + compute_message_ff(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_3a(message, ret0); + compress_then_serialize_message_c1(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -9015,83 +9748,82 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_9d( +void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_5e( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - decrypt_unpacked_e7(&key_pair->private_key.ind_cpa_private_key, + decrypt_unpacked_5d(&key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; - G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b6(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[1120U]; libcrux_ml_kem_utils_into_padded_array_2d3( - Eurydice_array_to_slice((size_t)32U, - key_pair->private_key.implicit_rejection_value, - uint8_t, 
Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; - PRF_f1_04( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + PRF_f1_04(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), + implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - encrypt_unpacked_6c(uu____3, uu____4, pseudorandomness, expected_ciphertext); + encrypt_unpacked_6c(uu____3, copy_of_decrypted, pseudorandomness, + expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), - Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), selector, ret0); memcpy(ret, ret0, (size_t)32U * 
sizeof(uint8_t)); } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE void deserialize_secret_key_01( +static KRML_MUSTINLINE void deserialize_secret_key_59( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, secret_as_ntt[i] = ZERO_89_39();); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -9099,9 +9831,9 @@ static KRML_MUSTINLINE void deserialize_secret_key_01( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - deserialize_to_uncompressed_ring_element_05(secret_bytes); + deserialize_to_uncompressed_ring_element_53(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( 
@@ -9119,21 +9851,22 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static void decrypt_c2(Eurydice_slice secret_key, uint8_t *ciphertext, +static void decrypt_67(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U]; - deserialize_secret_key_01(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[3U]; + deserialize_secret_key_59(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[3U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t ret0[32U]; - decrypt_unpacked_e7(&secret_key_unpacked, ciphertext, ret0); + decrypt_unpacked_5d(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -9159,41 +9892,37 @@ libcrux_ml_kem_ind_cca_MlKem with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_4f( +void libcrux_ml_kem_ind_cca_decapsulate_e3( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t), (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - decrypt_c2(ind_cpa_secret_key, ciphertext->value, decrypted); + decrypt_67(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, 
Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; - G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + G_f1_b6(Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -9202,34 +9931,33 @@ void libcrux_ml_kem_ind_cca_decapsulate_4f( libcrux_ml_kem_utils_into_padded_array_2d3(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; - PRF_f1_04( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), - implicit_rejection_shared_secret0); + PRF_f1_04(Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), + implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - encrypt_0d(uu____5, uu____6, pseudorandomness, expected_ciphertext); + encrypt_0d(uu____5, copy_of_decrypted, pseudorandomness, expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - kdf_af_b6( - Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), - implicit_rejection_shared_secret); + kdf_af_27(Eurydice_array_to_slice((size_t)32U, + implicit_rejection_shared_secret0, uint8_t), + implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - kdf_af_b6(shared_secret0, shared_secret1); + kdf_af_27(shared_secret0, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_ed0(ciphertext), - Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, 
- Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_710(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index 6d716c024..6cd386f96 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem_portable_H 
@@ -205,6 +205,19 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( ((int32_t)1 << (uint32_t) \ LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT) +/** + Signed Barrett Reduction + + Given an input `value`, `barrett_reduce` outputs a representative `result` + such that: + + - result ≡ value (mod FIELD_MODULUS) + - the absolute value of `result` is bound as follows: + + `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) + + In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. +*/ int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value); @@ -226,9 +239,34 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d( ((int32_t)1 << (uint32_t) \ LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT) +/** + Signed Montgomery Reduction + + Given an input `value`, `montgomery_reduce` outputs a representative `o` + such that: + + - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) + - the absolute value of `o` is bound as follows: + + `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) + + In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · + FIELD_MODULUS) / 2`. +*/ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int32_t value); +/** + If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to + `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to + `x · y`, as follows: + + `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` + + `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a + representative `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod + FIELD_MODULUS)`. +*/ int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( int16_t fe, int16_t fer); 
@@ -244,6 +282,28 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, int16_t r); +/** + The `compress_*` functions implement the `Compress` function specified in the + NIST FIPS 203 standard (Page 18, Expression 4.5), which is defined as: + + ```plaintext + Compress_d: ℤq -> ℤ_{2ᵈ} + Compress_d(x) = ⌈(2ᵈ/q)·x⌋ + ``` + + Since `⌈x⌋ = ⌊x + 1/2⌋` we have: + + ```plaintext + Compress_d(x) = ⌊(2ᵈ/q)·x + 1/2⌋ + = ⌊(2^{d+1}·x + q) / 2q⌋ + ``` + + For further information about the function implementations, consult the + `implementation_notes.pdf` document in this directory. + + The NIST FIPS 203 standard can be found at + . +*/ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( uint16_t fe); @@ -353,6 +413,28 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( libcrux_ml_kem_vector_portable_vector_type_PortableVector a, int16_t zeta); +/** + Compute the product of two Kyber binomials with respect to the + modulus `X² - zeta`. + + This function almost implements Algorithm 11 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: a₀, a₁, b₀, b₁ ∈ ℤq. + Input: γ ∈ ℤq. + Output: c₀, c₁ ∈ ℤq. + + c₀ ← a₀·b₀ + a₁·b₁·γ + c₁ ← a₀·b₁ + a₁·b₀ + return c₀, c₁ + ``` + We say "almost" because the coefficients output by this function are in + the Montgomery domain (unlike in the specification). + + The NIST FIPS 203 standard can be found at + . +*/ void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, libcrux_ml_kem_vector_portable_vector_type_PortableVector *b, int16_t zeta, diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index 55c1eb7c3..0fe581b92 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h 
+++ b/libcrux-ml-kem/c/libcrux_sha3.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_sha3_H @@ -22,6 +22,9 @@ extern "C" { #include "libcrux_core.h" #include "libcrux_sha3_internal.h" +/** + A portable SHA3 512 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -29,6 +32,9 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, libcrux_sha3_portable_keccakx1_2a(buf0, buf); } +/** + A portable SHA3 256 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -36,6 +42,9 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, libcrux_sha3_portable_keccakx1_2a0(buf0, buf); } +/** + A portable SHAKE256 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -43,6 +52,9 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( libcrux_sha3_portable_keccakx1_2a1(buf0, buf); } +/** + A portable SHA3 224 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; 
@@ -50,6 +62,9 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, libcrux_sha3_portable_keccakx1_2a2(buf0, buf); } +/** + A portable SHA3 384 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; 
@@ -57,58 +72,88 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, libcrux_sha3_portable_keccakx1_2a3(buf0, buf); } +/** + SHA3 224 + + Preconditions: + - `digest.len() == 28` +*/ static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha224(digest, payload); } +/** + SHA3 224 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) { uint8_t out[28U] = {0U}; - libcrux_sha3_sha224_ema( - Eurydice_array_to_slice((size_t)28U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t), + data); memcpy(ret, out, (size_t)28U * sizeof(uint8_t)); } +/** + SHA3 256 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha256(digest, payload); } +/** + SHA3 256 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) { uint8_t out[32U] = {0U}; - libcrux_sha3_sha256_ema( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t), + data); memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** + SHA3 384 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha384(digest, payload); } +/** + SHA3 384 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) { uint8_t out[48U] = {0U}; - libcrux_sha3_sha384_ema( - Eurydice_array_to_slice((size_t)48U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t), + data); memcpy(ret, out, (size_t)48U * sizeof(uint8_t)); } +/** + SHA3 512 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha512(digest, payload); 
} +/** + SHA3 512 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) { uint8_t out[64U] = {0U}; - libcrux_sha3_sha512_ema( - Eurydice_array_to_slice((size_t)64U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t), + data); memcpy(ret, out, (size_t)64U * sizeof(uint8_t)); } +/** + A portable SHAKE128 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -116,11 +161,21 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( libcrux_sha3_portable_keccakx1_2a4(buf0, buf); } +/** + SHAKE 128 + + Writes `out.len()` bytes. +*/ static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, Eurydice_slice data) { libcrux_sha3_portable_shake128(out, data); } +/** + SHAKE 256 + + Writes `out.len()` bytes. +*/ static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out, Eurydice_slice data) { libcrux_sha3_portable_shake256(out, data); diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c index 03bc68b29..fb35528f9 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #include "internal/libcrux_sha3_avx2.h" 
@@ -119,14 +119,10 @@ xor_ef(core_core_arch_x86___m256i a, core_core_arch_x86___m256i b) { static KRML_MUSTINLINE void slice_4(Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) { - ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t, - Eurydice_slice); - ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t, - Eurydice_slice); - ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t, - Eurydice_slice); - ret[3U] = Eurydice_slice_subslice2(a[3U], start, start + len, uint8_t, - Eurydice_slice); + ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); + ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t); + ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t); + ret[3U] = Eurydice_slice_subslice2(a[3U], start, start + len, uint8_t); } /** @@ -135,10 +131,11 @@ usize> for core::core_arch::x86::__m256i)} */ static KRML_MUSTINLINE void slice_n_ef(Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) { - Eurydice_slice uu____0[4U]; - memcpy(uu____0, a, (size_t)4U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_a[4U]; + memcpy(copy_of_a, a, (size_t)4U * sizeof(Eurydice_slice)); Eurydice_slice ret0[4U]; - slice_4(uu____0, start, len, ret0); + slice_4(copy_of_a, start, len, ret0); memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice)); } 
@@ -148,19 +145,19 @@ split_at_mut_4(Eurydice_slice out[4U], size_t mid) { Eurydice_slice out1 = out[1U]; Eurydice_slice out2 = out[2U]; Eurydice_slice out3 = out[3U]; - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( out0, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out00 = uu____0.fst; Eurydice_slice out01 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at_mut( out1, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out10 = uu____1.fst; Eurydice_slice out11 = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at_mut( out2, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out20 = uu____2.fst; Eurydice_slice out21 = uu____2.snd; - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at_mut( out3, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out30 = uu____3.fst; Eurydice_slice out31 = uu____3.snd; @@ -185,6 +182,9 @@ split_at_mut_n_ef(Eurydice_slice a[4U], size_t mid) { return split_at_mut_4(a, mid); } +/** + Create a new Shake128 x4 state. +*/ /** This function found in impl {libcrux_sha3::generic_keccak::KeccakState[TraitClause@0]#1} 
@@ -236,21 +236,21 @@ static KRML_MUSTINLINE void load_block_c7(core_core_arch_x86___m256i (*s)[5U], for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { size_t i0 = i; core_core_arch_x86___m256i v00 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[0U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v10 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[1U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v20 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[2U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v30 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[3U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10); core_core_arch_x86___m256i v1h = 
@@ -296,34 +296,30 @@ static KRML_MUSTINLINE void load_block_c7(core_core_arch_x86___m256i (*s)[5U], size_t rem = (size_t)136U % (size_t)32U; size_t start = (size_t)32U * ((size_t)136U / (size_t)32U); uint8_t u8s[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - u8s, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_array_to_subslice2( - u8s, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_array_to_subslice2( - u8s, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_array_to_subslice2( - u8s, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy( uu____3, - 
Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t), + uint8_t); core_core_arch_x86___m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t, Eurydice_slice)); 
@@ -332,34 +328,30 @@ static KRML_MUSTINLINE void load_block_c7(core_core_arch_x86___m256i (*s)[5U], s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; - Eurydice_slice uu____4 = Eurydice_array_to_subslice2( - u8s0, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = Eurydice_array_to_subslice2( - u8s0, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____5, - Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - u8s0, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_array_to_subslice2( - u8s0, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____7, - Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice uu____4 = + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy(uu____4, + Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy(uu____5, + Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy(uu____6, 
+ Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy(uu____7, + Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); core_core_arch_x86___m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t, @@ -384,9 +376,10 @@ with const generics static KRML_MUSTINLINE void load_block_ef_6a( core_core_arch_x86___m256i (*a)[5U], Eurydice_slice b[4U]) { core_core_arch_x86___m256i(*uu____0)[5U] = a; - Eurydice_slice uu____1[4U]; - memcpy(uu____1, b, (size_t)4U * sizeof(Eurydice_slice)); - load_block_c7(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[4U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(Eurydice_slice)); + load_block_c7(uu____0, copy_of_b); } /** 
@@ -1418,75 +1411,29 @@ static KRML_MUSTINLINE void theta_rho_71( rotate_left1_and_xor_ef(c[((size_t)4U + (size_t)4U) % (size_t)5U], c[((size_t)4U + (size_t)1U) % (size_t)5U])}; s->st[0U][0U] = xor_ef(s->st[0U][0U], t[0U]); - core_core_arch_x86___m256i uu____4 = - xor_and_rotate_ef_17(s->st[1U][0U], t[0U]); - s->st[1U][0U] = uu____4; - core_core_arch_x86___m256i uu____5 = - xor_and_rotate_ef_170(s->st[2U][0U], t[0U]); - s->st[2U][0U] = uu____5; - core_core_arch_x86___m256i uu____6 = - xor_and_rotate_ef_171(s->st[3U][0U], t[0U]); - s->st[3U][0U] = uu____6; - core_core_arch_x86___m256i uu____7 = - xor_and_rotate_ef_172(s->st[4U][0U], t[0U]); - s->st[4U][0U] = uu____7; - core_core_arch_x86___m256i uu____8 = - xor_and_rotate_ef_173(s->st[0U][1U], t[1U]); - s->st[0U][1U] = uu____8; - core_core_arch_x86___m256i uu____9 = - xor_and_rotate_ef_174(s->st[1U][1U], t[1U]); - s->st[1U][1U] = uu____9; - core_core_arch_x86___m256i uu____10 = - xor_and_rotate_ef_175(s->st[2U][1U], t[1U]); - s->st[2U][1U] = uu____10; - core_core_arch_x86___m256i uu____11 = - xor_and_rotate_ef_176(s->st[3U][1U], t[1U]); - s->st[3U][1U] = uu____11; - core_core_arch_x86___m256i uu____12 = - xor_and_rotate_ef_177(s->st[4U][1U], t[1U]); - s->st[4U][1U] = uu____12; - core_core_arch_x86___m256i uu____13 = - xor_and_rotate_ef_178(s->st[0U][2U], t[2U]); - s->st[0U][2U] = uu____13; - core_core_arch_x86___m256i uu____14 = - xor_and_rotate_ef_179(s->st[1U][2U], t[2U]); - s->st[1U][2U] = uu____14; - core_core_arch_x86___m256i uu____15 = - xor_and_rotate_ef_1710(s->st[2U][2U], t[2U]); - s->st[2U][2U] = uu____15; - core_core_arch_x86___m256i uu____16 = - xor_and_rotate_ef_1711(s->st[3U][2U], t[2U]); - s->st[3U][2U] = uu____16; - core_core_arch_x86___m256i uu____17 = - xor_and_rotate_ef_1712(s->st[4U][2U], t[2U]); - s->st[4U][2U] = uu____17; - core_core_arch_x86___m256i uu____18 = - xor_and_rotate_ef_1713(s->st[0U][3U], t[3U]); - s->st[0U][3U] = uu____18; - core_core_arch_x86___m256i uu____19 = - 
xor_and_rotate_ef_1714(s->st[1U][3U], t[3U]); - s->st[1U][3U] = uu____19; - core_core_arch_x86___m256i uu____20 = - xor_and_rotate_ef_1715(s->st[2U][3U], t[3U]); - s->st[2U][3U] = uu____20; - core_core_arch_x86___m256i uu____21 = - xor_and_rotate_ef_1716(s->st[3U][3U], t[3U]); - s->st[3U][3U] = uu____21; - core_core_arch_x86___m256i uu____22 = - xor_and_rotate_ef_1717(s->st[4U][3U], t[3U]); - s->st[4U][3U] = uu____22; - core_core_arch_x86___m256i uu____23 = - xor_and_rotate_ef_1718(s->st[0U][4U], t[4U]); - s->st[0U][4U] = uu____23; - core_core_arch_x86___m256i uu____24 = - xor_and_rotate_ef_1719(s->st[1U][4U], t[4U]); - s->st[1U][4U] = uu____24; - core_core_arch_x86___m256i uu____25 = - xor_and_rotate_ef_1720(s->st[2U][4U], t[4U]); - s->st[2U][4U] = uu____25; - core_core_arch_x86___m256i uu____26 = - xor_and_rotate_ef_1721(s->st[3U][4U], t[4U]); - s->st[3U][4U] = uu____26; + s->st[1U][0U] = xor_and_rotate_ef_17(s->st[1U][0U], t[0U]); + s->st[2U][0U] = xor_and_rotate_ef_170(s->st[2U][0U], t[0U]); + s->st[3U][0U] = xor_and_rotate_ef_171(s->st[3U][0U], t[0U]); + s->st[4U][0U] = xor_and_rotate_ef_172(s->st[4U][0U], t[0U]); + s->st[0U][1U] = xor_and_rotate_ef_173(s->st[0U][1U], t[1U]); + s->st[1U][1U] = xor_and_rotate_ef_174(s->st[1U][1U], t[1U]); + s->st[2U][1U] = xor_and_rotate_ef_175(s->st[2U][1U], t[1U]); + s->st[3U][1U] = xor_and_rotate_ef_176(s->st[3U][1U], t[1U]); + s->st[4U][1U] = xor_and_rotate_ef_177(s->st[4U][1U], t[1U]); + s->st[0U][2U] = xor_and_rotate_ef_178(s->st[0U][2U], t[2U]); + s->st[1U][2U] = xor_and_rotate_ef_179(s->st[1U][2U], t[2U]); + s->st[2U][2U] = xor_and_rotate_ef_1710(s->st[2U][2U], t[2U]); + s->st[3U][2U] = xor_and_rotate_ef_1711(s->st[3U][2U], t[2U]); + s->st[4U][2U] = xor_and_rotate_ef_1712(s->st[4U][2U], t[2U]); + s->st[0U][3U] = xor_and_rotate_ef_1713(s->st[0U][3U], t[3U]); + s->st[1U][3U] = xor_and_rotate_ef_1714(s->st[1U][3U], t[3U]); + s->st[2U][3U] = xor_and_rotate_ef_1715(s->st[2U][3U], t[3U]); + s->st[3U][3U] = 
xor_and_rotate_ef_1716(s->st[3U][3U], t[3U]); + s->st[4U][3U] = xor_and_rotate_ef_1717(s->st[4U][3U], t[3U]); + s->st[0U][4U] = xor_and_rotate_ef_1718(s->st[0U][4U], t[4U]); + s->st[1U][4U] = xor_and_rotate_ef_1719(s->st[1U][4U], t[4U]); + s->st[2U][4U] = xor_and_rotate_ef_1720(s->st[2U][4U], t[4U]); + s->st[3U][4U] = xor_and_rotate_ef_1721(s->st[3U][4U], t[4U]); core_core_arch_x86___m256i uu____27 = xor_and_rotate_ef_1722(s->st[4U][4U], t[4U]); s->st[4U][4U] = uu____27; @@ -1598,14 +1545,11 @@ with const generics */ static KRML_MUSTINLINE void load_block_full_91( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[3U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[4U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)}; load_block_c7(s, buf); } @@ -1621,9 +1565,10 @@ with const generics static KRML_MUSTINLINE void load_block_full_ef_05( core_core_arch_x86___m256i (*a)[5U], uint8_t b[4U][200U]) { core_core_arch_x86___m256i(*uu____0)[5U] = a; - uint8_t uu____1[4U][200U]; - memcpy(uu____1, b, (size_t)4U * sizeof(uint8_t[200U])); - load_block_full_91(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[4U][200U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U])); + load_block_full_91(uu____0, copy_of_b); } /** 
@@ -1636,15 +1581,14 @@ with const generics */ KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_5e( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice last[4U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[4U][200U] = {{0U}}; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 31U; size_t uu____1 = i0; size_t uu____2 = (size_t)136U - (size_t)1U; blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;); @@ -1704,23 +1648,19 @@ static KRML_MUSTINLINE void store_block_e9(core_core_arch_x86___m256i (*s)[5U], libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[0U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v0); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[1U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v1); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[2U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v2); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[3U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v3); } size_t rem = (size_t)136U % (size_t)32U; 
@@ -1729,36 +1669,31 @@ static KRML_MUSTINLINE void store_block_e9(core_core_arch_x86___m256i (*s)[5U], size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), - s[i0][j0]); - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]); + Eurydice_slice uu____0 = + Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_slice_subslice2( - out[1U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice2( - out[2U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice2( - out[3U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, 
(size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____3, - Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; size_t i = 
@@ -1766,40 +1701,31 @@ static KRML_MUSTINLINE void store_block_e9(core_core_arch_x86___m256i (*s)[5U], size_t j = ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), - s[i][j]); - Eurydice_slice uu____4 = - Eurydice_slice_subslice2(out[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice2( + out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____4, - Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = - Eurydice_slice_subslice2(out[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = Eurydice_slice_subslice2( + out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____5, - Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = - Eurydice_slice_subslice2(out[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = Eurydice_slice_subslice2( + out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____6, - Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = - Eurydice_slice_subslice2(out[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - 
core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = Eurydice_slice_subslice2( + out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____7, - Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); } } 
@@ -1815,22 +1741,25 @@ static KRML_MUSTINLINE void store_block_full_0b( uint8_t out2[200U] = {0U}; uint8_t out3[200U] = {0U}; Eurydice_slice buf[4U] = { - Eurydice_array_to_slice((size_t)200U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, out3, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out0, uint8_t), + Eurydice_array_to_slice((size_t)200U, out1, uint8_t), + Eurydice_array_to_slice((size_t)200U, out2, uint8_t), + Eurydice_array_to_slice((size_t)200U, out3, uint8_t)}; store_block_e9(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out0, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____1[200U]; - memcpy(uu____1, out1, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____2[200U]; - memcpy(uu____2, out2, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[200U]; + memcpy(copy_of_out0, out0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[200U]; + memcpy(copy_of_out1, out1, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[200U]; + memcpy(copy_of_out2, out2, (size_t)200U * sizeof(uint8_t)); uint8_t uu____3[200U]; memcpy(uu____3, out3, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[1U], uu____1, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[2U], uu____2, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out0, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[1U], copy_of_out1, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[2U], copy_of_out2, (size_t)200U * sizeof(uint8_t)); memcpy(ret[3U], uu____3, (size_t)200U * sizeof(uint8_t)); } 
@@ -1863,12 +1792,11 @@ static KRML_MUSTINLINE void squeeze_first_and_last_a4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; Eurydice_slice uu____0 = out[i0]; uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *);); + core_ops_range_Range_b3), + uint8_t);); } /** @@ -1926,12 +1854,11 @@ static KRML_MUSTINLINE void squeeze_last_77( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; Eurydice_slice uu____0 = out[i0]; uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *);); + core_ops_range_Range_b3), + uint8_t);); } /** 
@@ -1946,27 +1873,26 @@ static KRML_MUSTINLINE void keccak_14(Eurydice_slice data[4U], Eurydice_slice out[4U]) { libcrux_sha3_generic_keccak_KeccakState_29 s = new_1e_16(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)136U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_29 *uu____0 = &s; - Eurydice_slice uu____1[4U]; - memcpy(uu____1, data, (size_t)4U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[4U]; + memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice)); Eurydice_slice ret[4U]; - slice_n_ef(uu____1, i0 * (size_t)136U, (size_t)136U, ret); + slice_n_ef(copy_of_data, i0 * (size_t)136U, (size_t)136U, ret); absorb_block_37(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)136U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U; libcrux_sha3_generic_keccak_KeccakState_29 *uu____2 = &s; - Eurydice_slice uu____3[4U]; - memcpy(uu____3, data, (size_t)4U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[4U]; + memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice)); Eurydice_slice ret[4U]; - slice_n_ef(uu____3, - core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, + slice_n_ef(copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_5e(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)136U; size_t last = outlen - outlen % (size_t)136U; if (blocks == (size_t)0U) { 
@@ -2006,6 +1932,9 @@ static KRML_MUSTINLINE void keccak_14(Eurydice_slice data[4U], } } +/** + Perform 4 SHAKE256 operations in parallel +*/ void libcrux_sha3_avx2_x4_shake256(Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1, @@ -2015,6 +1944,9 @@ void libcrux_sha3_avx2_x4_shake256(Eurydice_slice input0, Eurydice_slice input1, keccak_14(buf0, buf); } +/** + Initialise the [`KeccakState`]. +*/ libcrux_sha3_generic_keccak_KeccakState_29 libcrux_sha3_avx2_x4_incremental_init(void) { return new_1e_16(); 
@@ -2030,21 +1962,21 @@ static KRML_MUSTINLINE void load_block_c70(core_core_arch_x86___m256i (*s)[5U], for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; core_core_arch_x86___m256i v00 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[0U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v10 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[1U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v20 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[2U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v30 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[3U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10); core_core_arch_x86___m256i v1h = 
@@ -2090,34 +2022,30 @@ static KRML_MUSTINLINE void load_block_c70(core_core_arch_x86___m256i (*s)[5U], size_t rem = (size_t)168U % (size_t)32U; size_t start = (size_t)32U * ((size_t)168U / (size_t)32U); uint8_t u8s[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - u8s, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_array_to_subslice2( - u8s, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_array_to_subslice2( - u8s, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_array_to_subslice2( - u8s, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy( uu____3, - 
Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t), + uint8_t); core_core_arch_x86___m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t, Eurydice_slice)); 
@@ -2126,34 +2054,30 @@ static KRML_MUSTINLINE void load_block_c70(core_core_arch_x86___m256i (*s)[5U], s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; - Eurydice_slice uu____4 = Eurydice_array_to_subslice2( - u8s0, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = Eurydice_array_to_subslice2( - u8s0, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____5, - Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - u8s0, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_array_to_subslice2( - u8s0, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____7, - Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice uu____4 = + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy(uu____4, + Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy(uu____5, + Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t); + 
Eurydice_slice_copy(uu____6, + Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy(uu____7, + Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); core_core_arch_x86___m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t, @@ -2173,14 +2097,11 @@ with const generics */ static KRML_MUSTINLINE void load_block_full_910( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[3U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[4U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)}; load_block_c70(s, buf); } @@ -2196,9 +2117,10 @@ with const generics static KRML_MUSTINLINE void load_block_full_ef_050( core_core_arch_x86___m256i (*a)[5U], uint8_t b[4U][200U]) { core_core_arch_x86___m256i(*uu____0)[5U] = a; - uint8_t uu____1[4U][200U]; - memcpy(uu____1, b, (size_t)4U * sizeof(uint8_t[200U])); - load_block_full_910(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[4U][200U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U])); + load_block_full_910(uu____0, copy_of_b); } /** 
@@ -2211,15 +2133,14 @@ with const generics */ static KRML_MUSTINLINE void absorb_final_5e0( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice last[4U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[4U][200U] = {{0U}}; KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 31U; size_t uu____1 = i0; size_t uu____2 = (size_t)168U - (size_t)1U; blocks[uu____1][uu____2] = (uint32_t)blocks[uu____1][uu____2] | 128U;); @@ -2230,6 +2151,9 @@ static KRML_MUSTINLINE void absorb_final_5e0( keccakf1600_07(s); } +/** + Absorb +*/ void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { 
@@ -2286,23 +2210,19 @@ static KRML_MUSTINLINE void store_block_e90(core_core_arch_x86___m256i (*s)[5U], libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[0U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v0); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[1U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v1); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[2U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v2); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[3U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v3); } size_t rem = (size_t)168U % (size_t)32U; 
@@ -2311,36 +2231,31 @@ static KRML_MUSTINLINE void store_block_e90(core_core_arch_x86___m256i (*s)[5U], size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), - s[i0][j0]); - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]); + Eurydice_slice uu____0 = + Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_slice_subslice2( - out[1U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice2( - out[2U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice2( - out[3U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, 
(size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____3, - Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; size_t i = 
@@ -2348,40 +2263,31 @@ static KRML_MUSTINLINE void store_block_e90(core_core_arch_x86___m256i (*s)[5U], size_t j = ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), - s[i][j]); - Eurydice_slice uu____4 = - Eurydice_slice_subslice2(out[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice2( + out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____4, - Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = - Eurydice_slice_subslice2(out[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = Eurydice_slice_subslice2( + out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____5, - Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = - Eurydice_slice_subslice2(out[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = Eurydice_slice_subslice2( + out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____6, - Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = - Eurydice_slice_subslice2(out[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - 
core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = Eurydice_slice_subslice2( + out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____7, - Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); } } @@ -2450,6 +2356,9 @@ KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_first_three_blocks_27( squeeze_next_block_1c0(s, o2); } +/** + Squeeze three blocks +*/ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2457,6 +2366,9 @@ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_squeeze_first_three_blocks_27(s, buf); } +/** + Squeeze another block +*/ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2504,6 +2416,9 @@ static KRML_MUSTINLINE void squeeze_first_five_blocks_e4( squeeze_next_block_1c0(s, o4); } +/** + Squeeze five blocks +*/ KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, @@ -2512,6 +2427,9 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( squeeze_first_five_blocks_e4(s, buf); } +/** + Absorb +*/ KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { 
@@ -2519,6 +2437,9 @@ KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_absorb_final_5e(s, buf); } +/** + Squeeze block +*/ KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, @@ -2527,6 +2448,9 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( squeeze_first_block_e9(s, buf); } +/** + Squeeze next block +*/ KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h index 4c7cd868d..2f398d999 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_sha3_avx2_H 
@@ -33,38 +33,65 @@ typedef struct libcrux_sha3_generic_keccak_KeccakState_29_s { core_core_arch_x86___m256i st[5U][5U]; } libcrux_sha3_generic_keccak_KeccakState_29; +/** + Perform 4 SHAKE256 operations in parallel +*/ void libcrux_sha3_avx2_x4_shake256(Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); +/** + Initialise the [`KeccakState`]. +*/ libcrux_sha3_generic_keccak_KeccakState_29 libcrux_sha3_avx2_x4_incremental_init(void); +/** + Absorb +*/ void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3); +/** + Squeeze three blocks +*/ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); +/** + Squeeze another block +*/ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); +/** + Squeeze five blocks +*/ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); +/** + Absorb +*/ void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3); +/** + Squeeze block +*/ void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); +/** + Squeeze next block +*/ void 
libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3); diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h index 3158b0431..6a597aa5c 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_sha3_internal_H @@ -137,8 +137,7 @@ libcrux_sha3_portable_keccak_xor_5a(uint64_t a, uint64_t b) { static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_1( Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) { - ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t, - Eurydice_slice); + ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); } /** 
@@ -147,17 +146,18 @@ usize> for u64)} */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_n_5a( Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, a, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_a[1U]; + memcpy(copy_of_a, a, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret0[1U]; - libcrux_sha3_portable_keccak_slice_1(uu____0, start, len, ret0); + libcrux_sha3_portable_keccak_slice_1(copy_of_a, start, len, ret0); memcpy(ret, ret0, (size_t)1U * sizeof(Eurydice_slice)); } static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2 libcrux_sha3_portable_keccak_split_at_mut_1(Eurydice_slice out[1U], size_t mid) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( out[0U], mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out00 = uu____0.fst; Eurydice_slice out01 = uu____0.snd; @@ -187,6 +187,9 @@ typedef struct libcrux_sha3_generic_keccak_KeccakState_48_s { uint64_t st[5U][5U]; } libcrux_sha3_generic_keccak_KeccakState_48; +/** + Create a new Shake128 x4 state. +*/ /** This function found in impl {libcrux_sha3::generic_keccak::KeccakState[TraitClause@0]#1} @@ -242,9 +245,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b3( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; 
@@ -260,8 +262,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b3(s, buf); } @@ -277,9 +279,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_71( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a(uu____0, copy_of_b); } /** 
@@ -1224,75 +1227,52 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_eb( c[((size_t)4U + (size_t)4U) % (size_t)5U], c[((size_t)4U + (size_t)1U) % (size_t)5U])}; s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_5a(s->st[0U][0U], t[0U]); - uint64_t uu____4 = + s->st[1U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da(s->st[1U][0U], t[0U]); - s->st[1U][0U] = uu____4; - uint64_t uu____5 = + s->st[2U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da0(s->st[2U][0U], t[0U]); - s->st[2U][0U] = uu____5; - uint64_t uu____6 = + s->st[3U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da1(s->st[3U][0U], t[0U]); - s->st[3U][0U] = uu____6; - uint64_t uu____7 = + s->st[4U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da2(s->st[4U][0U], t[0U]); - s->st[4U][0U] = uu____7; - uint64_t uu____8 = + s->st[0U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da3(s->st[0U][1U], t[1U]); - s->st[0U][1U] = uu____8; - uint64_t uu____9 = + s->st[1U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da4(s->st[1U][1U], t[1U]); - s->st[1U][1U] = uu____9; - uint64_t uu____10 = + s->st[2U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da5(s->st[2U][1U], t[1U]); - s->st[2U][1U] = uu____10; - uint64_t uu____11 = + s->st[3U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da6(s->st[3U][1U], t[1U]); - s->st[3U][1U] = uu____11; - uint64_t uu____12 = + s->st[4U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da7(s->st[4U][1U], t[1U]); - s->st[4U][1U] = uu____12; - uint64_t uu____13 = + s->st[0U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da8(s->st[0U][2U], t[2U]); - s->st[0U][2U] = uu____13; - uint64_t uu____14 = + s->st[1U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da9(s->st[1U][2U], t[2U]); - s->st[1U][2U] = uu____14; - uint64_t uu____15 = + s->st[2U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da10(s->st[2U][2U], t[2U]); - s->st[2U][2U] = uu____15; - uint64_t uu____16 = + s->st[3U][2U] = 
libcrux_sha3_portable_keccak_xor_and_rotate_5a_da11(s->st[3U][2U], t[2U]); - s->st[3U][2U] = uu____16; - uint64_t uu____17 = + s->st[4U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da12(s->st[4U][2U], t[2U]); - s->st[4U][2U] = uu____17; - uint64_t uu____18 = + s->st[0U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da13(s->st[0U][3U], t[3U]); - s->st[0U][3U] = uu____18; - uint64_t uu____19 = + s->st[1U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da14(s->st[1U][3U], t[3U]); - s->st[1U][3U] = uu____19; - uint64_t uu____20 = + s->st[2U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da15(s->st[2U][3U], t[3U]); - s->st[2U][3U] = uu____20; - uint64_t uu____21 = + s->st[3U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da16(s->st[3U][3U], t[3U]); - s->st[3U][3U] = uu____21; - uint64_t uu____22 = + s->st[4U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da17(s->st[4U][3U], t[3U]); - s->st[4U][3U] = uu____22; - uint64_t uu____23 = + s->st[0U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da18(s->st[0U][4U], t[4U]); - s->st[0U][4U] = uu____23; - uint64_t uu____24 = + s->st[1U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da19(s->st[1U][4U], t[4U]); - s->st[1U][4U] = uu____24; - uint64_t uu____25 = + s->st[2U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da20(s->st[2U][4U], t[4U]); - s->st[2U][4U] = uu____25; - uint64_t uu____26 = + s->st[3U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da21(s->st[3U][4U], t[4U]); - s->st[3U][4U] = uu____26; uint64_t uu____27 = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da22(s->st[4U][4U], t[4U]); s->st[4U][4U] = uu____27; 
@@ -1391,14 +1371,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_72( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; { size_t i = (size_t)0U; if (last_len > (size_t)0U) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(blocks[i], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i], uint8_t); } blocks[i][last_len] = 31U; size_t uu____1 = i; @@ -1422,14 +1402,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_58( for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } @@ -1486,9 +1463,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b30( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; 
@@ -1504,8 +1480,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a0( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b30(s, buf); } @@ -1521,9 +1497,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_710( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a0(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a0(uu____0, copy_of_b); } /** @@ -1536,14 +1513,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_720( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; { size_t i = (size_t)0U; if (last_len > (size_t)0U) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(blocks[i], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i], uint8_t); } blocks[i][last_len] = 31U; size_t uu____1 = i; 
@@ -1567,14 +1544,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_580( for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } @@ -1629,9 +1603,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd3( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b3(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b3(uu____0, copy_of_b); } /** 
@@ -1659,11 +1634,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa3( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_58(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** @@ -1699,12 +1675,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d3( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } @@ -1726,12 +1702,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_833( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -1748,28 +1724,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_754( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)168U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)168U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)168U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)168U, (size_t)168U, ret); libcrux_sha3_generic_keccak_absorb_block_753(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)168U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)168U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_72(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)168U; size_t last = outlen - outlen % (size_t)168U; if (blocks == (size_t)0U) { 
@@ -1817,9 +1792,10 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a4( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_754(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_754(copy_of_data, out); } /** @@ -1836,9 +1812,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b33( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; @@ -1859,9 +1834,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd2( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b33(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b33(uu____0, copy_of_b); } /** @@ -1887,8 +1863,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a3( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b33(s, buf); } 
@@ -1904,9 +1880,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_713( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a3(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a3(uu____0, copy_of_b); } /** @@ -1919,14 +1896,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_724( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; { size_t i = (size_t)0U; if (last_len > (size_t)0U) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(blocks[i], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i], uint8_t); } blocks[i][last_len] = 6U; size_t uu____1 = i; 
@@ -1950,14 +1927,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_583( for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } @@ -1970,11 +1944,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa2( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_583(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** @@ -2010,12 +1985,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d2( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -2076,12 +2051,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_832( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -2098,28 +2073,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_753( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)104U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)104U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)104U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)104U, (size_t)104U, ret); libcrux_sha3_generic_keccak_absorb_block_752(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)104U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)104U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_724(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)104U; size_t last = outlen - outlen % (size_t)104U; if (blocks == (size_t)0U) { 
@@ -2167,9 +2141,10 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a3( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_753(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_753(copy_of_data, out); } /** @@ -2186,9 +2161,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b32( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; @@ -2209,9 +2183,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd1( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b32(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b32(uu____0, copy_of_b); } /** @@ -2237,8 +2212,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a2( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b32(s, buf); } 
@@ -2254,9 +2229,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_712( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a2(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a2(uu____0, copy_of_b); } /** @@ -2269,14 +2245,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_723( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; { size_t i = (size_t)0U; if (last_len > (size_t)0U) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(blocks[i], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i], uint8_t); } blocks[i][last_len] = 6U; size_t uu____1 = i; 
@@ -2300,14 +2276,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_582( for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } @@ -2320,11 +2293,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa1( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_582(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** @@ -2360,12 +2334,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d1( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -2426,12 +2400,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_831( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -2448,28 +2422,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_752( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)144U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)144U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)144U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)144U, (size_t)144U, ret); libcrux_sha3_generic_keccak_absorb_block_751(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)144U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)144U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_723(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)144U; size_t last = outlen - outlen % (size_t)144U; if (blocks == (size_t)0U) { 
@@ -2517,9 +2490,10 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a2( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_752(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_752(copy_of_data, out); } /** @@ -2534,9 +2508,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd0( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b30(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b30(uu____0, copy_of_b); } /** @@ -2564,11 +2539,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa0( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_580(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** 
@@ -2604,12 +2580,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d0( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } @@ -2631,12 +2607,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_830( uint8_t *uu____1 = b[i]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -2653,28 +2629,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_751(
   libcrux_sha3_generic_keccak_KeccakState_48 s =
       libcrux_sha3_generic_keccak_new_1e_f2();
   for (size_t i = (size_t)0U;
-       i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)136U;
-       i++) {
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
     size_t i0 = i;
     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
-    Eurydice_slice uu____1[1U];
-    memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice));
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
     Eurydice_slice ret[1U];
-    libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)136U,
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
                                             (size_t)136U, ret);
     libcrux_sha3_generic_keccak_absorb_block_750(uu____0, ret);
   }
-  size_t rem =
-      core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)136U;
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
-  Eurydice_slice uu____3[1U];
-  memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice));
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
   Eurydice_slice ret[1U];
   libcrux_sha3_portable_keccak_slice_n_5a(
-      uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem,
-      ret);
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
   libcrux_sha3_generic_keccak_absorb_final_720(uu____2, ret);
-  size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
   size_t blocks = outlen / (size_t)136U;
   size_t last = outlen - outlen % (size_t)136U;
   if (blocks == (size_t)0U) {
@@ -2722,9 +2697,10 @@ with const generics
 */
 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a1(
     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
-  Eurydice_slice uu____0[1U];
-  memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice));
-  libcrux_sha3_generic_keccak_keccak_751(uu____0, out);
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_751(copy_of_data, out);
 }
 
 /**
@@ -2737,14 +2713,14 @@ with const generics
 */
 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_722(
     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
-  size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t);
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
   uint8_t blocks[1U][200U] = {{0U}};
   {
     size_t i = (size_t)0U;
     if (last_len > (size_t)0U) {
-      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
-          blocks[i], (size_t)0U, last_len, uint8_t, Eurydice_slice);
-      core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *);
+      Eurydice_slice uu____0 =
+          Eurydice_array_to_subslice2(blocks[i], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i], uint8_t);
     }
     blocks[i][last_len] = 6U;
     size_t uu____1 = i;
@@ -2771,28 +2747,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_750(
   libcrux_sha3_generic_keccak_KeccakState_48 s =
       libcrux_sha3_generic_keccak_new_1e_f2();
   for (size_t i = (size_t)0U;
-       i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)136U;
-       i++) {
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) {
     size_t i0 = i;
     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
-    Eurydice_slice uu____1[1U];
-    memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice));
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
     Eurydice_slice ret[1U];
-    libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)136U,
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U,
                                             (size_t)136U, ret);
     libcrux_sha3_generic_keccak_absorb_block_750(uu____0, ret);
   }
-  size_t rem =
-      core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)136U;
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U;
   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
-  Eurydice_slice uu____3[1U];
-  memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice));
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
   Eurydice_slice ret[1U];
   libcrux_sha3_portable_keccak_slice_n_5a(
-      uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem,
-      ret);
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
   libcrux_sha3_generic_keccak_absorb_final_722(uu____2, ret);
-  size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
   size_t blocks = outlen / (size_t)136U;
   size_t last = outlen - outlen % (size_t)136U;
   if (blocks == (size_t)0U) {
@@ -2840,9 +2815,10 @@ with const generics
 */
 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a0(
     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
-  Eurydice_slice uu____0[1U];
-  memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice));
-  libcrux_sha3_generic_keccak_keccak_750(uu____0, out);
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_750(copy_of_data, out);
 }
 
 /**
@@ -2859,9 +2835,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b31(
     Eurydice_slice_to_array2(
         &dst,
         Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0,
-                                 (size_t)8U * i0 + (size_t)8U, uint8_t,
-                                 Eurydice_slice),
-        Eurydice_slice, uint8_t[8U], void *);
+                                 (size_t)8U * i0 + (size_t)8U, uint8_t),
+        Eurydice_slice, uint8_t[8U]);
     core_result_unwrap_41_ac(dst, uu____0);
     size_t uu____1 = i0 / (size_t)5U;
     size_t uu____2 = i0 % (size_t)5U;
@@ -2882,9 +2857,10 @@ with const generics
 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd(
     uint64_t (*a)[5U], Eurydice_slice b[1U]) {
   uint64_t(*uu____0)[5U] = a;
-  Eurydice_slice uu____1[1U];
-  memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice));
-  libcrux_sha3_portable_keccak_load_block_b31(uu____0, uu____1);
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_b[1U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_portable_keccak_load_block_b31(uu____0, copy_of_b);
 }
 
 /**
@@ -2910,8 +2886,8 @@ with const generics
 */
 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a1(
     uint64_t (*s)[5U], uint8_t blocks[1U][200U]) {
-  Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U],
-                                                    uint8_t, Eurydice_slice)};
+  Eurydice_slice buf[1U] = {
+      Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)};
   libcrux_sha3_portable_keccak_load_block_b31(s, buf);
 }
 
@@ -2927,9 +2903,10 @@ with const generics
 static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_711(
     uint64_t (*a)[5U], uint8_t b[1U][200U]) {
   uint64_t(*uu____0)[5U] = a;
-  uint8_t uu____1[1U][200U];
-  memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U]));
-  libcrux_sha3_portable_keccak_load_block_full_7a1(uu____0, uu____1);
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_b[1U][200U];
+  memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U]));
+  libcrux_sha3_portable_keccak_load_block_full_7a1(uu____0, copy_of_b);
 }
 
 /**
@@ -2942,14 +2919,14 @@ with const generics
 */
 static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_721(
     libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) {
-  size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t);
+  size_t last_len = Eurydice_slice_len(last[0U], uint8_t);
   uint8_t blocks[1U][200U] = {{0U}};
   {
     size_t i = (size_t)0U;
     if (last_len > (size_t)0U) {
-      Eurydice_slice uu____0 = Eurydice_array_to_subslice2(
-          blocks[i], (size_t)0U, last_len, uint8_t, Eurydice_slice);
-      core_slice___Slice_T___copy_from_slice(uu____0, last[i], uint8_t, void *);
+      Eurydice_slice uu____0 =
+          Eurydice_array_to_subslice2(blocks[i], (size_t)0U, last_len, uint8_t);
+      Eurydice_slice_copy(uu____0, last[i], uint8_t);
     }
     blocks[i][last_len] = 6U;
     size_t uu____1 = i;
@@ -2973,14 +2950,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_581(
   for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) {
     size_t i0 = i;
     Eurydice_slice uu____0 = Eurydice_slice_subslice2(
-        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t,
-        Eurydice_slice);
+        out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t);
     uint8_t ret[8U];
     core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret);
-    core_slice___Slice_T___copy_from_slice(
-        uu____0,
-        Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice),
-        uint8_t, void *);
+    Eurydice_slice_copy(
+        uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t);
   }
 }
 
@@ -2993,11 +2967,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa(
     uint64_t (*s)[5U], uint8_t ret[1U][200U]) {
   uint8_t out[200U] = {0U};
   Eurydice_slice buf[1U] = {
-      Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)};
+      Eurydice_array_to_slice((size_t)200U, out, uint8_t)};
   libcrux_sha3_portable_keccak_store_block_581(s, buf);
-  uint8_t uu____0[200U];
-  memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t));
-  memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_out[200U];
+  memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t));
+  memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t));
 }
 
 /**
@@ -3032,12 +3007,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d(
     uint8_t *uu____1 = b[i];
     core_ops_range_Range_b3 lit;
     lit.start = (size_t)0U;
-    lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t);
-    core_slice___Slice_T___copy_from_slice(
+    lit.end = Eurydice_slice_len(out[i], uint8_t);
+    Eurydice_slice_copy(
         uu____0,
         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
-                                   core_ops_range_Range_b3, Eurydice_slice),
-        uint8_t, void *);
+                                   core_ops_range_Range_b3),
+        uint8_t);
   }
 }
 
@@ -3098,12 +3073,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_83(
     uint8_t *uu____1 = b[i];
     core_ops_range_Range_b3 lit;
     lit.start = (size_t)0U;
-    lit.end = core_slice___Slice_T___len(out[i], uint8_t, size_t);
-    core_slice___Slice_T___copy_from_slice(
+    lit.end = Eurydice_slice_len(out[i], uint8_t);
+    Eurydice_slice_copy(
         uu____0,
         Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t,
-                                   core_ops_range_Range_b3, Eurydice_slice),
-        uint8_t, void *);
+                                   core_ops_range_Range_b3),
+        uint8_t);
   }
 }
 
@@ -3120,28 +3095,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_75(
   libcrux_sha3_generic_keccak_KeccakState_48 s =
       libcrux_sha3_generic_keccak_new_1e_f2();
   for (size_t i = (size_t)0U;
-       i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)72U;
-       i++) {
+       i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)72U; i++) {
     size_t i0 = i;
     libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s;
-    Eurydice_slice uu____1[1U];
-    memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice));
+    /* Passing arrays by value in Rust generates a copy in C */
+    Eurydice_slice copy_of_data[1U];
+    memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
     Eurydice_slice ret[1U];
-    libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)72U,
+    libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)72U,
                                             (size_t)72U, ret);
     libcrux_sha3_generic_keccak_absorb_block_75(uu____0, ret);
   }
-  size_t rem =
-      core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)72U;
+  size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)72U;
   libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s;
-  Eurydice_slice uu____3[1U];
-  memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice));
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
   Eurydice_slice ret[1U];
   libcrux_sha3_portable_keccak_slice_n_5a(
-      uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem,
-      ret);
+      copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret);
   libcrux_sha3_generic_keccak_absorb_final_721(uu____2, ret);
-  size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t);
+  size_t outlen = Eurydice_slice_len(out[0U], uint8_t);
   size_t blocks = outlen / (size_t)72U;
   size_t last = outlen - outlen % (size_t)72U;
   if (blocks == (size_t)0U) {
@@ -3189,9 +3163,10 @@ with const generics
 */
 static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a(
     Eurydice_slice data[1U], Eurydice_slice out[1U]) {
-  Eurydice_slice uu____0[1U];
-  memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice));
-  libcrux_sha3_generic_keccak_keccak_75(uu____0, out);
+  /* Passing arrays by value in Rust generates a copy in C */
+  Eurydice_slice copy_of_data[1U];
+  memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice));
+  libcrux_sha3_generic_keccak_keccak_75(copy_of_data, out);
 }
 
 #if defined(__cplusplus)
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c
index e7228e4e2..c40d397e5 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c
@@ -4,27 +4,38 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39
- * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896
- * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92
+ * Charon: 0576bfc67e99aae86c51930421072688138b672b
+ * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
+ * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
  * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563
- * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59
+ * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a
  */
 
 #include "libcrux_sha3_neon.h"
 
+/**
+ A portable SHA3 512 implementation.
+*/
 void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ A portable SHA3 256 implementation.
+*/
 void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
                     "panic!");
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ Run SHAKE256 on both inputs in parallel.
+
+ Writes the two results into `out0` and `out1`
+*/
 KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
                                                    Eurydice_slice input1,
                                                    Eurydice_slice out0,
@@ -34,6 +45,9 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ Initialise the `KeccakState2`.
+*/
 KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
 libcrux_sha3_neon_x2_incremental_shake128_init(void) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -41,6 +55,9 @@ libcrux_sha3_neon_x2_incremental_shake128_init(void) {
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
+*/
 KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1) {
@@ -49,6 +66,10 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ Squeeze 2 times the first three blocks in parallel in the
+ [`KeccakState`] and return the output in `out0` and `out1`.
+*/
 KRML_MUSTINLINE void
 libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
@@ -58,6 +79,10 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ Squeeze 2 times the next block in parallel in the
+ [`KeccakState`] and return the output in `out0` and `out1`.
+*/
 KRML_MUSTINLINE void
 libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
@@ -67,6 +92,9 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ A portable SHA3 224 implementation.
+*/
 KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
                                               Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -74,6 +102,9 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
   KRML_HOST_EXIT(255U);
 }
 
+/**
+ A portable SHA3 384 implementation.
+*/
 KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
                                               Eurydice_slice data) {
   KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h
index 161fce491..f399cf819 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39
- * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896
- * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92
+ * Charon: 0576bfc67e99aae86c51930421072688138b672b
+ * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
+ * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
  * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563
- * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59
+ * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a
  */
 
 #ifndef __libcrux_sha3_neon_H
@@ -22,10 +22,21 @@ extern "C" {
 #include "intrinsics/libcrux_intrinsics_arm64.h"
 #include "libcrux_sha3_internal.h"
 
+/**
+ A portable SHA3 512 implementation.
+*/
 void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data);
 
+/**
+ A portable SHA3 256 implementation.
+*/
 void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data);
 
+/**
+ Run SHAKE256 on both inputs in parallel.
+
+ Writes the two results into `out0` and `out1`
+*/
 void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1,
                                    Eurydice_slice out0, Eurydice_slice out1);
@@ -33,23 +44,43 @@ typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s {
   libcrux_sha3_generic_keccak_KeccakState_48 state[2U];
 } libcrux_sha3_neon_x2_incremental_KeccakState;
 
+/**
+ Initialise the `KeccakState2`.
+*/
 libcrux_sha3_neon_x2_incremental_KeccakState
 libcrux_sha3_neon_x2_incremental_shake128_init(void);
 
+/**
+ Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
+*/
 void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
     Eurydice_slice data1);
 
+/**
+ Squeeze 2 times the first three blocks in parallel in the
+ [`KeccakState`] and return the output in `out0` and `out1`.
+*/
 void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1);
 
+/**
+ Squeeze 2 times the next block in parallel in the
+ [`KeccakState`] and return the output in `out0` and `out1`.
+*/
 void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
     libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
     Eurydice_slice out1);
 
+/**
+ A portable SHA3 224 implementation.
+*/
 void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data);
 
+/**
+ A portable SHA3 384 implementation.
+*/
 void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data);
 
 #if defined(__cplusplus)
diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt
index d20926d66..8f2f9d27d 100644
--- a/libcrux-ml-kem/cg/code_gen.txt
+++ b/libcrux-ml-kem/cg/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
-Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39
-Eurydice: 392674166bac86e60f5fffa861181a398fdc3896
-Karamel: fc56fce6a58754766809845f88fc62063b2c6b92
+Charon: 0576bfc67e99aae86c51930421072688138b672b
+Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
+Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
 F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563
-Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59
+Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a
diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h
index 2d6575328..b9566a023 100644
--- a/libcrux-ml-kem/cg/eurydice_glue.h
+++ b/libcrux-ml-kem/cg/eurydice_glue.h
@@ -1,3 +1,10 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Eurydice Contributors
+ * SPDX-FileCopyrightText: 2024 Cryspen Sarl
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
 #pragma once
 
 #if defined(__cplusplus)
@@ -54,31 +61,31 @@ typedef struct {
 // which is NOT correct C syntax, so we add a dedicated phase in Eurydice that
 // adds an extra argument to this macro at the last minute so that we have the
 // correct type of *pointers* to elements.
-#define Eurydice_slice_index(s, i, t, t_ptr_t, _ret_t) (((t_ptr_t)s.ptr)[i])
-#define Eurydice_slice_subslice(s, r, t, _, _ret_t) \
+#define Eurydice_slice_index(s, i, t, t_ptr_t) (((t_ptr_t)s.ptr)[i])
+#define Eurydice_slice_subslice(s, r, t, _) \
   EURYDICE_SLICE((t *)s.ptr, r.start, r.end)
 // Variant for when the start and end indices are statically known (i.e., the
 // range argument `r` is a literal).
-#define Eurydice_slice_subslice2(s, start, end, t, _) \
+#define Eurydice_slice_subslice2(s, start, end, t) \
   EURYDICE_SLICE((t *)s.ptr, start, end)
-#define Eurydice_slice_subslice_to(s, subslice_end_pos, t, _, _ret_t) \
+#define Eurydice_slice_subslice_to(s, subslice_end_pos, t, _) \
   EURYDICE_SLICE((t *)s.ptr, 0, subslice_end_pos)
-#define Eurydice_slice_subslice_from(s, subslice_start_pos, t, _, _ret_t) \
+#define Eurydice_slice_subslice_from(s, subslice_start_pos, t, _) \
   EURYDICE_SLICE((t *)s.ptr, subslice_start_pos, s.len)
-#define Eurydice_array_to_slice(end, x, t, _ret_t) \
-  EURYDICE_SLICE(x, 0, \
+#define Eurydice_array_to_slice(end, x, t) \
+  EURYDICE_SLICE(x, 0, \
                  end) /* x is already at an array type, no need for cast */
-#define Eurydice_array_to_subslice(_arraylen, x, r, t, _, _ret_t) \
+#define Eurydice_array_to_subslice(_arraylen, x, r, t, _) \
   EURYDICE_SLICE((t *)x, r.start, r.end)
 // Same as above, variant for when start and end are statically known
-#define Eurydice_array_to_subslice2(x, start, end, t, _ret_t) \
+#define Eurydice_array_to_subslice2(x, start, end, t) \
   EURYDICE_SLICE((t *)x, start, end)
-#define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t, _ret_t) \
+#define Eurydice_array_to_subslice_to(_size, x, r, t, _range_t) \
   EURYDICE_SLICE((t *)x, 0, r)
-#define Eurydice_array_to_subslice_from(size, x, r, t, _range_t, _ret_t) \
+#define Eurydice_array_to_subslice_from(size, x, r, t, _range_t) \
   EURYDICE_SLICE((t *)x, r, size)
-#define core_slice___Slice_T___len(s, t, _ret_t) EURYDICE_SLICE_LEN(s, t)
-#define core_slice___Slice_T___copy_from_slice(dst, src, t, _ret_t) \
+#define Eurydice_slice_len(s, t) EURYDICE_SLICE_LEN(s, t)
+#define Eurydice_slice_copy(dst, src, t) \
   memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))
 #define core_array___Array_T__N__23__as_slice(len_, ptr_, t, _ret_t) \
   ((Eurydice_slice){.ptr = ptr_, .len = len_})
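Review bot: `Eurydice_slice_copy(dst, src, t)` expands to `memcpy(dst.ptr, src.ptr, dst.len * sizeof(t))`, so the byte count is taken from the destination alone and `src.len` is never consulted, whereas the Rust `copy_from_slice` it replaces panics when the two lengths differ; that check does not survive into the C side. The generated callers in this commit do pass matching lengths (the padded-array helpers size the destination subslice from `Eurydice_slice_len(slice, uint8_t)`), so memory safety here rests on the extraction preserving that invariant rather than on anything the macro enforces, and a shorter `src` would be an over-read. Since every call site is already being renamed in this hunk, this is a good moment to document the precondition on the macro, e.g. `/* Precondition: dst.len == src.len (Rust copy_from_slice panics otherwise); not checked at runtime. */`. If the glue header is ever built with assertions, a debug-only `assert(dst.len == src.len)` variant would turn the silent over-read into a crash at the point of the mismatch.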
@@ -88,25 +95,25 @@ typedef struct {
   (memcpy(dst, src, len * sizeof(elem_type)))
 
 #define core_array_TryFromSliceError uint8_t
-#define Eurydice_array_eq(sz, a1, a2, t, _, _ret_t) \
+#define Eurydice_array_eq(sz, a1, a2, t, _a, _b) \
   (memcmp(a1, a2, sz * sizeof(t)) == 0)
 #define core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq \
   Eurydice_array_eq
 
-#define core_slice___Slice_T___split_at(slice, mid, element_type, ret_t) \
-  (CLITERAL(ret_t){ \
-      .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid), \
+#define Eurydice_slice_split_at(slice, mid, element_type, ret_t) \
+  (CLITERAL(ret_t){ \
+      .fst = EURYDICE_SLICE((element_type *)slice.ptr, 0, mid), \
       .snd = EURYDICE_SLICE((element_type *)slice.ptr, mid, slice.len)})
-#define core_slice___Slice_T___split_at_mut(slice, mid, element_type, ret_t) \
-  (CLITERAL(ret_t){ \
-      .fst = {.ptr = slice.ptr, .len = mid}, \
-      .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \
+#define Eurydice_slice_split_at_mut(slice, mid, element_type, ret_t) \
+  (CLITERAL(ret_t){ \
+      .fst = {.ptr = slice.ptr, .len = mid}, \
+      .snd = {.ptr = (char *)slice.ptr + mid * sizeof(element_type), \
              .len = slice.len - mid}})
 
 // Conversion of slice to an array, rewritten (by Eurydice) to name the
 // destination array, since arrays are not values in C.
 // N.B.: see note in karamel/lib/Inlining.ml if you change this.
-#define Eurydice_slice_to_array2(dst, src, _, t_arr, _ret_t) \
+#define Eurydice_slice_to_array2(dst, src, _, t_arr) \
   Eurydice_slice_to_array3(&(dst)->tag, (char *)&(dst)->val.case_Ok, src, \
                            sizeof(t_arr))
 
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h
index 61930afda..9b9fa652e 100644
--- a/libcrux-ml-kem/cg/libcrux_core.h
+++ b/libcrux-ml-kem/cg/libcrux_core.h
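Review bot: `Eurydice_array_eq` keeps its `memcmp`-based body while gaining the new `_a, _b` arity, and `memcmp` exits on the first differing byte, so any translated `==` on arrays that lands on this macro is not constant-time. That is fine for public data, and the generated `libcrux_ct_ops.h` in this same diff routes ciphertext comparison through its own `libcrux_ml_kem_constant_time_ops_compare` rather than this macro, but the header itself gives no hint of that boundary. A short comment on the macro, e.g. `// Not constant-time (memcmp short-circuits); secret-dependent comparisons must not be lowered to this macro.`, would record the intended split for anyone adding new Rust-side comparisons. Which call sites reach this macro is not visible in the diff, so this is a documentation request rather than a reported leak.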
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39
- * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896
- * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92
+ * Charon: 0576bfc67e99aae86c51930421072688138b672b
+ * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3
+ * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a
  * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563
- * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59
+ * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a
  */
 
 #ifndef __libcrux_core_H
@@ -221,7 +221,7 @@ A monomorphic instance of libcrux_ml_kem.types.as_slice_a8
 with const generics
 - SIZE= 1088
 */
-static inline uint8_t *libcrux_ml_kem_types_as_slice_a8_8a(
+static inline uint8_t *libcrux_ml_kem_types_as_slice_a8_63(
     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) {
   return self->value;
 }
@@ -237,10 +237,11 @@ with const generics
 */
 static inline libcrux_ml_kem_types_MlKemPublicKey_15
 libcrux_ml_kem_types_from_07_4c(uint8_t value[1184U]) {
-  uint8_t uu____0[1184U];
-  memcpy(uu____0, value, (size_t)1184U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_value[1184U];
+  memcpy(copy_of_value, value, (size_t)1184U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPublicKey_15 lit;
-  memcpy(lit.value, uu____0, (size_t)1184U * sizeof(uint8_t));
+  memcpy(lit.value, copy_of_value, (size_t)1184U * sizeof(uint8_t));
   return lit;
 }
 
@@ -286,10 +287,11 @@ with const generics
 */
 static inline libcrux_ml_kem_types_MlKemPrivateKey_55
 libcrux_ml_kem_types_from_e7_a7(uint8_t value[2400U]) {
-  uint8_t uu____0[2400U];
-  memcpy(uu____0, value, (size_t)2400U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_value[2400U];
+  memcpy(copy_of_value, value, (size_t)2400U * sizeof(uint8_t));
   libcrux_ml_kem_types_MlKemPrivateKey_55 lit;
-  memcpy(lit.value, uu____0, (size_t)2400U * sizeof(uint8_t));
+  memcpy(lit.value, copy_of_value, (size_t)2400U * sizeof(uint8_t));
   return lit;
 }
 
@@ -315,10 +317,11 @@ with const generics
 */
 static inline libcrux_ml_kem_mlkem768_MlKem768Ciphertext
 libcrux_ml_kem_types_from_15_f5(uint8_t value[1088U]) {
-  uint8_t uu____0[1088U];
-  memcpy(uu____0, value, (size_t)1088U * sizeof(uint8_t));
+  /* Passing arrays by value in Rust generates a copy in C */
+  uint8_t copy_of_value[1088U];
+  memcpy(copy_of_value, value, (size_t)1088U * sizeof(uint8_t));
   libcrux_ml_kem_mlkem768_MlKem768Ciphertext lit;
-  memcpy(lit.value, uu____0, (size_t)1088U * sizeof(uint8_t));
+  memcpy(lit.value, copy_of_value, (size_t)1088U * sizeof(uint8_t));
   return lit;
 }
 
@@ -335,6 +338,9 @@ static inline uint8_t *libcrux_ml_kem_types_as_slice_f6_f2(
   return self->value;
 }
 
+/**
+ Pad the `slice` with `0`s at the end.
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
 with const generics
@@ -344,12 +350,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_2d2(
     Eurydice_slice slice, uint8_t ret[33U]) {
   uint8_t out[33U] = {0U};
   uint8_t *uu____0 = out;
-  core_slice___Slice_T___copy_from_slice(
-      Eurydice_array_to_subslice2(
-          uu____0, (size_t)0U,
-          core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t,
-          Eurydice_slice),
-      slice, uint8_t, void *);
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
+                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
+      slice, uint8_t);
   memcpy(ret, out, (size_t)33U * sizeof(uint8_t));
 }
 
@@ -387,6 +391,9 @@ static inline void core_result_unwrap_41_83(core_result_Result_00 self,
   }
 }
 
+/**
+ Pad the `slice` with `0`s at the end.
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
 with const generics
@@ -396,12 +403,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_2d1(
     Eurydice_slice slice, uint8_t ret[34U]) {
   uint8_t out[34U] = {0U};
   uint8_t *uu____0 = out;
-  core_slice___Slice_T___copy_from_slice(
-      Eurydice_array_to_subslice2(
-          uu____0, (size_t)0U,
-          core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t,
-          Eurydice_slice),
-      slice, uint8_t, void *);
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
+                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
+      slice, uint8_t);
   memcpy(ret, out, (size_t)34U * sizeof(uint8_t));
 }
 
@@ -414,12 +419,14 @@ A monomorphic instance of libcrux_ml_kem.types.as_ref_ba
 with const generics
 - SIZE= 1088
 */
-static inline Eurydice_slice libcrux_ml_kem_types_as_ref_ba_47(
+static inline Eurydice_slice libcrux_ml_kem_types_as_ref_ba_9f(
     libcrux_ml_kem_mlkem768_MlKem768Ciphertext *self) {
-  return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t,
-                                 Eurydice_slice);
+  return Eurydice_array_to_slice((size_t)1088U, self->value, uint8_t);
 }
 
+/**
+ Pad the `slice` with `0`s at the end.
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
 with const generics
@@ -429,15 +436,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_2d0(
     Eurydice_slice slice, uint8_t ret[1120U]) {
   uint8_t out[1120U] = {0U};
   uint8_t *uu____0 = out;
-  core_slice___Slice_T___copy_from_slice(
-      Eurydice_array_to_subslice2(
-          uu____0, (size_t)0U,
-          core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t,
-          Eurydice_slice),
-      slice, uint8_t, void *);
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
+                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
+      slice, uint8_t);
   memcpy(ret, out, (size_t)1120U * sizeof(uint8_t));
 }
 
+/**
+ Pad the `slice` with `0`s at the end.
+*/
 /**
 A monomorphic instance of libcrux_ml_kem.utils.into_padded_array
 with const generics
@@ -447,12 +455,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_utils_into_padded_array_2d(
     Eurydice_slice slice, uint8_t ret[64U]) {
   uint8_t out[64U] = {0U};
   uint8_t *uu____0 = out;
-  core_slice___Slice_T___copy_from_slice(
-      Eurydice_array_to_subslice2(
-          uu____0, (size_t)0U,
-          core_slice___Slice_T___len(slice, uint8_t, size_t), uint8_t,
-          Eurydice_slice),
-      slice, uint8_t, void *);
+  Eurydice_slice_copy(
+      Eurydice_array_to_subslice2(uu____0, (size_t)0U,
+                                  Eurydice_slice_len(slice, uint8_t), uint8_t),
+      slice, uint8_t);
   memcpy(ret, out, (size_t)64U * sizeof(uint8_t));
 }
 
diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h
index 8d20f24d7..f9f0d6642 100644
--- a/libcrux-ml-kem/cg/libcrux_ct_ops.h
+++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_ct_ops_H @@ -21,6 +21,9 @@ extern "C" { #include "eurydice_glue.h" #include "libcrux_core.h" +/** + Return 1 if `value` is not zero and 0 otherwise. +*/ static inline uint8_t libcrux_ml_kem_constant_time_ops_inz(uint8_t value) { uint16_t value0 = (uint16_t)value; uint16_t result = (((uint32_t)value0 | @@ -36,15 +39,18 @@ libcrux_ml_kem_constant_time_ops_is_non_zero(uint8_t value) { return libcrux_ml_kem_constant_time_ops_inz(value); } +/** + Return 1 if the bytes of `lhs` and `rhs` do not exactly + match and 0 otherwise. +*/ static inline uint8_t libcrux_ml_kem_constant_time_ops_compare( Eurydice_slice lhs, Eurydice_slice rhs) { uint8_t r = 0U; - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(lhs, uint8_t, size_t); i++) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(lhs, uint8_t); i++) { size_t i0 = i; r = (uint32_t)r | - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t) ^ - (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t)); + ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) ^ + (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *)); } return libcrux_ml_kem_constant_time_ops_is_non_zero(r); } 
@@ -55,6 +61,10 @@ libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( return libcrux_ml_kem_constant_time_ops_compare(lhs, rhs); } +/** + If `selector` is not zero, return the bytes in `rhs`; return the bytes in + `lhs` otherwise. +*/ static inline void libcrux_ml_kem_constant_time_ops_select_ct( Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector, uint8_t ret[32U]) { @@ -64,11 +74,10 @@ static inline void libcrux_ml_kem_constant_time_ops_select_ct( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE; i++) { size_t i0 = i; - out[i0] = - ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t) & - (uint32_t)mask) | - ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t) & - (uint32_t)~mask); + out[i0] = ((uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *) & + (uint32_t)mask) | + ((uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *) & + (uint32_t)~mask); } memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index 720830b0b..787bb8e41 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem768_avx2_H 
@@ -30,8 +30,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_G( Eurydice_slice input, uint8_t ret[64U]) { uint8_t digest[64U] = {0U}; libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); } @@ -40,8 +39,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_H( Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } @@ -84,7 +82,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array( core_core_arch_x86___m256i v, int16_t ret[16U]) { int16_t output[16U] = {0U}; libcrux_intrinsics_avx2_mm256_storeu_si256_i16( - Eurydice_array_to_slice((size_t)16U, output, int16_t, Eurydice_slice), v); + Eurydice_array_to_slice((size_t)16U, output, int16_t), v); memcpy(ret, output, (size_t)16U * sizeof(int16_t)); } @@ -203,6 +201,10 @@ libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea( #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \ ((int16_t)20159) +/** + See Section 3.2 of the implementation notes document for an explanation + of this code. +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce( 
@@ -721,38 +723,22 @@ static KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { core_core_arch_x86___m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t)); + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + 
(int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); core_core_arch_x86___m256i shift_lsb_to_msb = libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)1 << 8U, (int16_t)1 << 9U, (int16_t)1 << 10U, @@ -809,15 +795,13 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( core_core_arch_x86___m128i combined0 = libcrux_intrinsics_avx2_mm256_castsi256_si128(combined); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_slice((size_t)16U, serialized, uint8_t, Eurydice_slice), - combined0); + Eurydice_array_to_slice((size_t)16U, serialized, uint8_t), combined0); uint8_t ret0[8U]; core_result_Result_56 dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, ret0); memcpy(ret, ret0, (size_t)8U * sizeof(uint8_t)); } 
@@ -837,38 +821,22 @@ static KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { core_core_arch_x86___m256i coefficients = libcrux_intrinsics_avx2_mm256_set_epi16( - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t), - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, - uint8_t)); + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + 
(int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *), + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); core_core_arch_x86___m256i shift_lsbs_to_msbs = libcrux_intrinsics_avx2_mm256_set_epi16( (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, 
@@ -934,23 +902,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5( core_core_arch_x86___m128i lower_8 = libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined1); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); core_core_arch_x86___m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined1, core_core_arch_x86___m128i); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)5U, (size_t)21U, uint8_t), upper_8); uint8_t ret0[10U]; core_result_Result_cd dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[10U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)10U, uint8_t), + Eurydice_slice, uint8_t[10U]); core_result_unwrap_41_e8(dst, ret0); memcpy(ret, ret0, (size_t)10U * sizeof(uint8_t)); } 
@@ -969,22 +934,22 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { core_core_arch_x86___m128i coefficients = libcrux_intrinsics_avx2_mm_set_epi8( - Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t), - Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t)); + Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *), + 
Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *), + Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *)); core_core_arch_x86___m256i coefficients_loaded = libcrux_intrinsics_avx2_mm256_castsi128_si256(coefficients); core_core_arch_x86___m256i coefficients_loaded0 = @@ -1060,23 +1025,21 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( core_core_arch_x86___m128i lower_8 = libcrux_intrinsics_avx2_mm256_castsi256_si128(adjacent_8_combined); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); core_core_arch_x86___m128i upper_8 = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined, core_core_arch_x86___m128i); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)10U, (size_t)26U, + uint8_t), upper_8); uint8_t ret0[20U]; core_result_Result_7a dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[20U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)20U, uint8_t), + Eurydice_slice, uint8_t[20U]); core_result_unwrap_41_34(dst, ret0); memcpy(ret, ret0, (size_t)20U * sizeof(uint8_t)); } 
@@ -1103,16 +1066,16 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { (int16_t)1 << 0U, (int16_t)1 << 2U, (int16_t)1 << 4U, (int16_t)1 << 6U); core_core_arch_x86___m128i lower_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)0U, (size_t)16U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); core_core_arch_x86___m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( lower_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(9U, 8U, 8U, 7U, 7U, 6U, 6U, 5U, 4U, 3U, 3U, 2U, 2U, 1U, 1U, 0U)); core_core_arch_x86___m128i upper_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)4U, (size_t)20U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)20U, uint8_t)); core_core_arch_x86___m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8( @@ -1150,11 +1113,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11( core_core_arch_x86___m256i vector, uint8_t ret[22U]) { int16_t array[16U] = {0U}; libcrux_intrinsics_avx2_mm256_storeu_si256_i16( - Eurydice_array_to_slice((size_t)16U, array, int16_t, Eurydice_slice), - vector); + Eurydice_array_to_slice((size_t)16U, array, int16_t), vector); libcrux_ml_kem_vector_portable_vector_type_PortableVector input = libcrux_ml_kem_vector_portable_from_i16_array_0d( - Eurydice_array_to_slice((size_t)16U, array, int16_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)16U, array, int16_t)); uint8_t ret0[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(input, ret0); memcpy(ret, ret0, (size_t)22U * sizeof(uint8_t)); 
@@ -1178,7 +1140,7 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_11(Eurydice_slice bytes) { int16_t array[16U]; libcrux_ml_kem_vector_portable_to_i16_array_0d(output, array); return libcrux_intrinsics_avx2_mm256_loadu_si256_i16( - Eurydice_array_to_slice((size_t)16U, array, int16_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)16U, array, int16_t)); } /** @@ -1229,20 +1191,18 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, adjacent_8_combined, core_core_arch_x86___m128i); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)16U, uint8_t), lower_8); libcrux_intrinsics_avx2_mm_storeu_bytes_si128( - Eurydice_array_to_subslice2(serialized, (size_t)12U, (size_t)28U, uint8_t, - Eurydice_slice), + Eurydice_array_to_subslice2(serialized, (size_t)12U, (size_t)28U, + uint8_t), upper_8); uint8_t ret0[24U]; core_result_Result_6f dst; Eurydice_slice_to_array2( &dst, - Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)24U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[24U], void *); + Eurydice_array_to_subslice2(serialized, (size_t)0U, (size_t)24U, uint8_t), + Eurydice_slice, uint8_t[24U]); core_result_unwrap_41_1c(dst, ret0); memcpy(ret, ret0, (size_t)24U * sizeof(uint8_t)); } 
@@ -1269,16 +1229,16 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { (int16_t)1 << 0U, (int16_t)1 << 4U, (int16_t)1 << 0U, (int16_t)1 << 4U); core_core_arch_x86___m128i lower_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)0U, (size_t)16U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)16U, uint8_t)); core_core_arch_x86___m128i lower_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( lower_coefficients, libcrux_intrinsics_avx2_mm_set_epi8(11U, 10U, 10U, 9U, 8U, 7U, 7U, 6U, 5U, 4U, 4U, 3U, 2U, 1U, 1U, 0U)); core_core_arch_x86___m128i upper_coefficients = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_slice_subslice2( - bytes, (size_t)8U, (size_t)24U, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_slice_subslice2(bytes, (size_t)8U, (size_t)24U, uint8_t)); core_core_arch_x86___m128i upper_coefficients0 = libcrux_intrinsics_avx2_mm_shuffle_epi8( upper_coefficients, libcrux_intrinsics_avx2_mm_set_epi8( @@ -1332,8 +1292,8 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input, size_t)good[0U]], (size_t)16U * sizeof(uint8_t)); core_core_arch_x86___m128i lower_shuffles0 = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_array_to_slice( - (size_t)16U, lower_shuffles, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, lower_shuffles, uint8_t)); core_core_arch_x86___m128i lower_coefficients = libcrux_intrinsics_avx2_mm256_castsi256_si128(potential_coefficients); core_core_arch_x86___m128i lower_coefficients0 = 
@@ -1347,8 +1307,8 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input, size_t)good[1U]], (size_t)16U * sizeof(uint8_t)); core_core_arch_x86___m128i upper_shuffles0 = - libcrux_intrinsics_avx2_mm_loadu_si128(Eurydice_array_to_slice( - (size_t)16U, upper_shuffles, uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm_loadu_si128( + Eurydice_array_to_slice((size_t)16U, upper_shuffles, uint8_t)); core_core_arch_x86___m128i upper_coefficients = libcrux_intrinsics_avx2_mm256_extracti128_si256( (int32_t)1, potential_coefficients, core_core_arch_x86___m128i); @@ -1357,8 +1317,7 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input, upper_shuffles0); libcrux_intrinsics_avx2_mm_storeu_si128( Eurydice_slice_subslice2(output, sampled_count, - sampled_count + (size_t)8U, int16_t, - Eurydice_slice), + sampled_count + (size_t)8U, int16_t), upper_coefficients0); size_t uu____0 = sampled_count; return uu____0 + (size_t)core_num__u8_6__count_ones(good[1U]); @@ -1424,7 +1383,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_70(size_t _) { +libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_e1(size_t _) { return libcrux_ml_kem_polynomial_ZERO_89_d5(); } 
@@ -1436,23 +1395,23 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_3e( +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_2d( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = libcrux_ml_kem_polynomial_ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); } return re; } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -1460,7 +1419,7 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_40( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_67( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[3U]; @@ -1468,7 +1427,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_40( secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; 
@@ -1476,9 +1435,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_40( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_3e( + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_2d( secret_bytes); secret_as_ntt[i0] = uu____0; } @@ -1507,7 +1466,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_11(size_t _) { +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_8d(size_t _) { return libcrux_ml_kem_polynomial_ZERO_89_d5(); } @@ -1519,7 +1478,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f4( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( @@ -1585,9 +1544,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b7( core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f4( vector); } 
@@ -1599,22 +1558,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_serialize_deserialize_then_decompress_10_d7( +libcrux_ml_kem_serialize_deserialize_then_decompress_10_3f( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = libcrux_ml_kem_polynomial_ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)20U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_ea(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b7( coefficient); } return re; @@ -1628,7 +1584,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e0( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f40( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( @@ -1694,9 +1650,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db0( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b70( core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e0( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f40( vector); } 
@@ -1708,22 +1664,19 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_serialize_deserialize_then_decompress_11_ae( +libcrux_ml_kem_serialize_deserialize_then_decompress_11_07( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = libcrux_ml_kem_polynomial_ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)22U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_ea(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db0( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b70( coefficient); } return re; @@ -1737,9 +1690,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_f9( +libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ba( Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_10_d7(serialized); + return libcrux_ml_kem_serialize_deserialize_then_decompress_10_3f(serialized); } typedef struct libcrux_ml_kem_vector_avx2_SIMD256Vector_x2_s { 
@@ -1905,7 +1858,7 @@ with const generics - VECTOR_U_COMPRESSION_FACTOR= 10 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_09( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_98( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *re) { size_t zeta_i = (size_t)0U; libcrux_ml_kem_ntt_ntt_at_layer_4_plus_65(&zeta_i, re, (size_t)7U, @@ -1922,6 +1875,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_09( libcrux_ml_kem_polynomial_poly_barrett_reduce_89_99(re); } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -1932,7 +1889,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_35( +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ac( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[3U]; @@ -1940,10 +1897,9 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_35( u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); i++) { 
@@ -1956,12 +1912,11 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_35( (size_t)10U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_f9( + uint8_t); + u_as_ntt[i0] = + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ba( u_bytes); - u_as_ntt[i0] = uu____0; - libcrux_ml_kem_ntt_ntt_vector_u_09(&u_as_ntt[i0]); + libcrux_ml_kem_ntt_ntt_vector_u_98(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, @@ -1976,7 +1931,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e1( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f41( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( @@ -2042,9 +1997,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db1( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b71( core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e1( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f41( vector); } 
@@ -2056,21 +2011,19 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_serialize_deserialize_then_decompress_4_00( +libcrux_ml_kem_serialize_deserialize_then_decompress_4_ba( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = libcrux_ml_kem_polynomial_ZERO_89_d5(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)8U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_ea(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db1( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b71( coefficient); } return re; @@ -2084,7 +2037,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e2( +libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f42( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus = libcrux_intrinsics_avx2_mm256_set1_epi32( @@ -2150,9 +2103,9 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db2( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b72( core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_2e2( + return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f42( vector); } 
@@ -2164,21 +2117,18 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_serialize_deserialize_then_decompress_5_aa( +libcrux_ml_kem_serialize_deserialize_then_decompress_5_62( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = libcrux_ml_kem_polynomial_ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)10U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_ea(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_db2( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_b72( re.coefficients[i0]); } return re; 
@@ -2194,9 +2144,36 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_8f( Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_4_00(serialized); + return libcrux_ml_kem_serialize_deserialize_then_decompress_4_ba(serialized); } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. + + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -2234,6 +2211,10 @@ libcrux_ml_kem_polynomial_ntt_multiply_89_48( return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} 
@@ -2249,11 +2230,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_89_97( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *rhs) { for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)16U, self->coefficients, - core_core_arch_x86___m256i, Eurydice_slice), - core_core_arch_x86___m256i, size_t); + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)16U, self->coefficients, + core_core_arch_x86___m256i), + core_core_arch_x86___m256i); i++) { size_t i0 = i; self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( @@ -2422,7 +2402,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_polynomial_subtract_reduce_89_56( +libcrux_ml_kem_polynomial_subtract_reduce_89_8d( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 b) { for (size_t i = (size_t)0U; @@ -2438,6 +2418,12 @@ libcrux_ml_kem_polynomial_subtract_reduce_89_56( return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -2446,7 +2432,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_matrix_compute_message_d0( +libcrux_ml_kem_matrix_compute_message_72( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *u_as_ntt) { 
@@ -2460,7 +2446,7 @@ libcrux_ml_kem_matrix_compute_message_d0( libcrux_ml_kem_polynomial_add_to_ring_element_89_97(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_57(&result); - result = libcrux_ml_kem_polynomial_subtract_reduce_89_56(v, result); + result = libcrux_ml_kem_polynomial_subtract_reduce_89_8d(v, result); return result; } @@ -2471,7 +2457,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_arithmetic_shift_right_eb( +libcrux_ml_kem_vector_avx2_arithmetic_shift_right_1a( core_core_arch_x86___m256i vector) { return libcrux_intrinsics_avx2_mm256_srai_epi16((int32_t)15, vector, core_core_arch_x86___m256i); @@ -2488,9 +2474,9 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_shift_right_ea_f9( +libcrux_ml_kem_vector_avx2_shift_right_ea_eb( core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_arithmetic_shift_right_eb(vector); + return libcrux_ml_kem_vector_avx2_arithmetic_shift_right_1a(vector); } /** @@ -2504,7 +2490,7 @@ static inline core_core_arch_x86___m256i libcrux_ml_kem_vector_traits_to_unsigned_representative_a4( core_core_arch_x86___m256i a) { core_core_arch_x86___m256i t = - libcrux_ml_kem_vector_avx2_shift_right_ea_f9(a); + libcrux_ml_kem_vector_avx2_shift_right_ea_eb(a); core_core_arch_x86___m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); @@ -2519,7 +2505,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_message_4a( +libcrux_ml_kem_serialize_compress_then_serialize_message_77( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; for (size_t i = (size_t)0U; i < (size_t)16U; i++) { 
@@ -2532,16 +2518,37 @@ libcrux_ml_kem_serialize_compress_then_serialize_message_4a( uint8_t bytes[2U]; libcrux_ml_kem_vector_avx2_serialize_1_ea(coefficient_compressed, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -2553,21 +2560,20 @@ with const generics - V_COMPRESSION_FACTOR= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cpa_decrypt_unpacked_ff( +static inline void libcrux_ml_kem_ind_cpa_decrypt_unpacked_b8( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_35(ciphertext, u_as_ntt); + libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ac(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_8f( Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - Eurydice_slice)); + (size_t)960U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message = - libcrux_ml_kem_matrix_compute_message_d0(&v, secret_key->secret_as_ntt, + libcrux_ml_kem_matrix_compute_message_72(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message_4a(message, ret0); + libcrux_ml_kem_serialize_compress_then_serialize_message_77(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -2582,22 +2588,23 @@ with const generics - V_COMPRESSION_FACTOR= 4 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cpa_decrypt_b1(Eurydice_slice secret_key, +static inline void libcrux_ml_kem_ind_cpa_decrypt_1d(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_secret_key_40(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[3U]; + libcrux_ml_kem_ind_cpa_deserialize_secret_key_67(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[3U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t ret0[32U]; - libcrux_ml_kem_ind_cpa_decrypt_unpacked_ff(&secret_key_unpacked, ciphertext, + libcrux_ml_kem_ind_cpa_decrypt_unpacked_b8(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -2627,8 +2634,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_42( Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } 
@@ -2662,6 +2668,12 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure_c0( return libcrux_ml_kem_polynomial_ZERO_89_d5(); } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types @@ -2675,13 +2687,10 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_dd( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = libcrux_ml_kem_polynomial_ZERO_89_d5(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); core_core_arch_x86___m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); re.coefficients[i0] = @@ -2690,6 +2699,12 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_dd( return re; } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -2707,7 +2722,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_5d( deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; 
@@ -2715,7 +2730,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_5d( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_dd( ring_element); @@ -2768,11 +2783,10 @@ libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_4d( libcrux_sha3_generic_keccak_KeccakState_29 state = libcrux_sha3_avx2_x4_incremental_init(); libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( - &state, - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t, Eurydice_slice)); + &state, Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[2U], uint8_t), + Eurydice_array_to_slice((size_t)34U, input[0U], uint8_t)); return state; } @@ -2790,10 +2804,11 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_sha3_avx2_x4_incremental_KeccakState libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_a9_ca( uint8_t input[3U][34U]) { - uint8_t uu____0[3U][34U]; - memcpy(uu____0, input, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[3U][34U]; + memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); return libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_4d( - uu____0); + copy_of_input); } /** 
@@ -2812,10 +2827,10 @@ libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_6b( uint8_t out2[504U] = {0U}; uint8_t out3[504U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( - st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)504U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)504U, out0, uint8_t), + Eurydice_array_to_slice((size_t)504U, out1, uint8_t), + Eurydice_array_to_slice((size_t)504U, out2, uint8_t), + Eurydice_array_to_slice((size_t)504U, out3, uint8_t)); uint8_t uu____0[504U]; memcpy(uu____0, out0, (size_t)504U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)504U * sizeof(uint8_t)); 
@@ -2846,6 +2861,47 @@ libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_a9_4d( self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -2864,14 +2920,13 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_bb( size_t r = i; if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U, + r * (size_t)24U + (size_t)24U, uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( - uu____0, - Eurydice_array_to_subslice2(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, - int16_t, Eurydice_slice)); + uu____0, Eurydice_array_to_subslice2( + out[i1], sampled_coefficients[i1], + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; } @@ -2907,10 +2962,10 @@ libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_1b( uint8_t out2[168U] = {0U}; uint8_t out3[168U] = {0U}; libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( - st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)168U, out3, uint8_t, Eurydice_slice)); + st, Eurydice_array_to_slice((size_t)168U, out0, uint8_t), + Eurydice_array_to_slice((size_t)168U, out1, uint8_t), + Eurydice_array_to_slice((size_t)168U, out2, uint8_t), + Eurydice_array_to_slice((size_t)168U, out3, uint8_t)); uint8_t uu____0[168U]; memcpy(uu____0, out0, (size_t)168U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)168U * sizeof(uint8_t)); 
@@ -2940,6 +2995,47 @@ libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_a9_5a( libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_1b(self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -2958,14 +3054,13 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_bb0( size_t r = i; if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U, + r * (size_t)24U + (size_t)24U, uint8_t); size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( - uu____0, - Eurydice_array_to_subslice2(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, - int16_t, Eurydice_slice)); + uu____0, Eurydice_array_to_subslice2( + out[i1], sampled_coefficients[i1], + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; } @@ -3005,8 +3100,7 @@ libcrux_ml_kem_polynomial_from_i16_array_89_10(Eurydice_slice a) { size_t i0 = i; result.coefficients[i0] = libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice_subslice2( - a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t, - Eurydice_slice)); + a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t)); } return result; } @@ -3021,8 +3115,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_d2 libcrux_ml_kem_sampling_sample_from_xof_closure_79(int16_t s[272U]) { return libcrux_ml_kem_polynomial_from_i16_array_89_10( - Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -3037,18 +3130,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_b0( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { size_t sampled_coefficients[3U] = {0U}; int16_t out[3U][272U] = {{0U}}; - uint8_t uu____0[3U][34U]; - memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_sha3_avx2_x4_incremental_KeccakState xof_state = libcrux_ml_kem_hash_functions_avx2_shake128_init_absorb_final_a9_ca( - uu____0); + copy_of_seeds); uint8_t randomness0[3U][504U]; libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_first_three_blocks_a9_4d( &xof_state, randomness0); - uint8_t uu____1[3U][504U]; - memcpy(uu____1, randomness0, (size_t)3U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[3U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U])); bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_bb( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; 
@@ -3056,17 +3151,21 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_b0( uint8_t randomness[3U][168U]; libcrux_ml_kem_hash_functions_avx2_shake128_squeeze_next_block_a9_5a( &xof_state, randomness); - uint8_t uu____2[3U][168U]; - memcpy(uu____2, randomness, (size_t)3U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[3U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)3U * sizeof(uint8_t[168U])); done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_bb0( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[3U][272U]; - memcpy(uu____3, out, (size_t)3U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[3U][272U]; + memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_closure_79(uu____3[i]); + ret0[i] = + libcrux_ml_kem_sampling_sample_from_xof_closure_79(copy_of_out[i]); } memcpy( ret, ret0, 
@@ -3089,28 +3188,29 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_a2( } for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t)); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - uint8_t uu____1[3U][34U]; - memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_b0(uu____1, sampled); + libcrux_ml_kem_sampling_sample_from_xof_b0(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 sample = sampled[j]; 
@@ -3179,14 +3279,14 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_1c( uint8_t out2[128U] = {0U}; uint8_t out3[128U] = {0U}; libcrux_sha3_avx2_x4_shake256( - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)128U, out3, uint8_t, Eurydice_slice)); + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[1U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[2U], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[0U], uint8_t), + Eurydice_array_to_slice((size_t)128U, out0, uint8_t), + Eurydice_array_to_slice((size_t)128U, out1, uint8_t), + Eurydice_array_to_slice((size_t)128U, out2, uint8_t), + Eurydice_array_to_slice((size_t)128U, out3, uint8_t)); uint8_t uu____0[128U]; memcpy(uu____0, out0, (size_t)128U * sizeof(uint8_t)); memcpy(out[0U], uu____0, (size_t)128U * sizeof(uint8_t)); 
@@ -3215,6 +3315,55 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRFxN_a9_51( libcrux_ml_kem_hash_functions_avx2_PRFxN_1c(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types 
@@ -3227,24 +3376,22 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_c1( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)4U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)4U, - chunk_number * (size_t)4U + (size_t)4U, uint8_t, Eurydice_slice); + chunk_number * (size_t)4U + (size_t)4U, uint8_t); uint32_t random_bits_as_u32 = (((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 24U; uint32_t even_bits = random_bits_as_u32 & 1431655765U; uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U; @@ -3260,8 +3407,8 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_c1( sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_89_10(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return libcrux_ml_kem_polynomial_from_i16_array_89_10( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
@@ -3276,21 +3423,19 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_43( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)3U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)3U, - chunk_number * (size_t)3U + (size_t)3U, uint8_t, Eurydice_slice); + chunk_number * (size_t)3U + (size_t)3U, uint8_t); uint32_t random_bits_as_u24 = ((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U; uint32_t first_bits = random_bits_as_u24 & 2396745U; uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U; @@ -3308,8 +3453,8 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_43( sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_89_10(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return libcrux_ml_kem_polynomial_from_i16_array_89_10( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** @@ -3372,6 +3517,10 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_b5( libcrux_ml_kem_polynomial_poly_barrett_reduce_89_99(re); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -3388,11 +3537,12 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15(uint8_t prf_input[33U], for (size_t i = (size_t)0U; i < (size_t)3U; i++) { re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; @@ -3403,20 +3553,19 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15(uint8_t prf_input[33U], libcrux_ml_kem_hash_functions_avx2_PRFxN_a9_51(prf_inputs, prf_outputs); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = + re_as_ntt[i0] = libcrux_ml_kem_sampling_sample_from_binomial_distribution_47( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, - Eurydice_slice)); - re_as_ntt[i0] = uu____1; + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_b5(&re_as_ntt[i0]); } - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_re_as_ntt[3U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_b00 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; 
@@ -3436,6 +3585,9 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_8f(size_t _i) { return libcrux_ml_kem_polynomial_ZERO_89_d5(); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -3452,11 +3604,12 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_47(uint8_t prf_input[33U], for (size_t i = (size_t)0U; i < (size_t)3U; i++) { error_1[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; 
@@ -3469,17 +3622,17 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_47(uint8_t prf_input[33U], size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = libcrux_ml_kem_sampling_sample_from_binomial_distribution_47( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, - Eurydice_slice)); + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1; } - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_error_1[3U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); tuple_b00 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); lit.snd = domain_separator; return lit; @@ -3495,8 +3648,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_avx2_PRF_420( Eurydice_slice input, uint8_t ret[128U]) { uint8_t digest[128U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); } @@ -3554,6 +3706,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_89_91( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -3571,22 +3726,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_00( result[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *a_element = &row[j]; @@ -3633,9 +3786,9 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message_b9( for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_deserialize_1_ea(Eurydice_array_to_subslice2( - serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_vector_avx2_deserialize_1_ea( + Eurydice_array_to_subslice2(serialized, (size_t)2U * i0, + (size_t)2U * i0 + (size_t)2U, uint8_t)); re.coefficients[i0] = libcrux_ml_kem_vector_traits_decompress_1_91(coefficient_compressed); } 
@@ -3674,6 +3827,9 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_89_67( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -3710,7 +3866,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e7( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( @@ -3778,8 +3934,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_ea_07(core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e7( +libcrux_ml_kem_vector_avx2_compress_ea_1d(core_core_arch_x86___m256i vector) { + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b( vector); } 
@@ -3798,18 +3954,15 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_2f( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficient = - libcrux_ml_kem_vector_avx2_compress_ea_07( + libcrux_ml_kem_vector_avx2_compress_ea_1d( libcrux_ml_kem_vector_traits_to_unsigned_representative_a4( re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_avx2_serialize_10_ea(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } @@ -3822,7 +3975,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e70( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b0( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( @@ -3890,8 +4043,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_ea_070(core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e70( +libcrux_ml_kem_vector_avx2_compress_ea_1d0(core_core_arch_x86___m256i vector) { + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b0( vector); } 
@@ -3910,18 +4063,15 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_d1( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficient = - libcrux_ml_kem_vector_avx2_compress_ea_070( + libcrux_ml_kem_vector_avx2_compress_ea_1d0( libcrux_ml_kem_vector_traits_to_unsigned_representative_a4( re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_avx2_serialize_11_ea(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)22U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)22U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } @@ -3942,6 +4092,9 @@ libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_b2( memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -3956,26 +4109,22 @@ static inline void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_84( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 input[3U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t); uint8_t ret[320U]; libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_b2(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); } } @@ -3987,7 +4136,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e71( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b1( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( 
@@ -4055,8 +4204,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_ea_071(core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e71( +libcrux_ml_kem_vector_avx2_compress_ea_1d1(core_core_arch_x86___m256i vector) { + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b1( vector); } @@ -4075,17 +4224,15 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_b7( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficient = - libcrux_ml_kem_vector_avx2_compress_ea_071( + libcrux_ml_kem_vector_avx2_compress_ea_1d1( libcrux_ml_kem_vector_traits_to_unsigned_representative_a4( re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_avx2_serialize_4_ea(coefficient, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); } } @@ -4097,7 +4244,7 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e72( +libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b2( core_core_arch_x86___m256i vector) { core_core_arch_x86___m256i field_modulus_halved = libcrux_intrinsics_avx2_mm256_set1_epi32( 
@@ -4165,8 +4312,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline core_core_arch_x86___m256i -libcrux_ml_kem_vector_avx2_compress_ea_072(core_core_arch_x86___m256i vector) { - return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_e72( +libcrux_ml_kem_vector_avx2_compress_ea_1d2(core_core_arch_x86___m256i vector) { + return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_7b2( vector); } @@ -4185,17 +4332,15 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_35( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; core_core_arch_x86___m256i coefficients = - libcrux_ml_kem_vector_avx2_compress_ea_072( + libcrux_ml_kem_vector_avx2_compress_ea_1d2( libcrux_ml_kem_vector_traits_to_unsigned_representative_a4( re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_avx2_serialize_5_ea(coefficients, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)10U * i0, - (size_t)10U * i0 + (size_t)10U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)10U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)10U * i0 + (size_t)10U, uint8_t), + Eurydice_array_to_slice((size_t)10U, bytes, uint8_t), uint8_t); } } 
@@ -4213,6 +4358,47 @@ libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_39( libcrux_ml_kem_serialize_compress_then_serialize_4_b7(re, out); } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
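Review bot: The docstring pins K-PKE.Encrypt to "Algorithm 13" without saying which edition of FIPS 203 it follows; that numbering is the August 2023 draft's, and the final standard renumbered the algorithms (K-PKE.Encrypt is Algorithm 14 there, if I recall correctly), so the comment should name the draft or be updated. The lead sentence also calls this "the Kyber CPA-PKE encryption algorithm", the pre-standard name for K-PKE.Encrypt, and the closing "can be found at ." has lost its URL, presumably an angle-bracketed link dropped on extraction. As this header is generated from the Rust source, the wording fix belongs in the Rust doc comment: `This function implements Algorithm 13 (K-PKE.Encrypt) of the FIPS 203 initial public draft (August 2023).`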
@@ -4236,19 +4422,21 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_unpacked_88( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1088U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b00 uu____1 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b00 uu____1 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15( + copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 r_as_ntt[3U]; memcpy( r_as_ntt, uu____1.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); tuple_b00 uu____3 = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_47( - uu____2, domain_separator0); + copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_1[3U]; memcpy( error_1, uu____3.fst, 
@@ -4257,19 +4445,19 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_unpacked_88( prf_input[32U] = domain_separator; uint8_t prf_output[128U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_930( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_2 = libcrux_ml_kem_sampling_sample_from_binomial_distribution_47( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t, - Eurydice_slice)); + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 u[3U]; libcrux_ml_kem_matrix_compute_vector_u_00(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message_b9(uu____4); + libcrux_ml_kem_serialize_deserialize_then_decompress_message_b9( + copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 v = libcrux_ml_kem_matrix_compute_ring_element_v_71( public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -4280,12 +4468,11 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_unpacked_88( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_compress_then_serialize_u_84( uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____6 = v; libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_39( - uu____6, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, + (size_t)960U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); } 
@@ -4313,46 +4500,49 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_fb(Eurydice_slice public_key, uint8_t ret[1088U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 t_as_ntt[3U]; libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_5d( - Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[3U][3U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); libcrux_ml_kem_matrix_sample_matrix_A_a2(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[3U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1[3U][3U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A[3U][3U]; + memcpy(copy_of_A, A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * 
sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_88(uu____3, uu____4, randomness, - ret1); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_88(uu____3, copy_of_message, + randomness, ret1); memcpy(ret, ret1, (size_t)1088U * sizeof(uint8_t)); } @@ -4368,14 +4558,12 @@ with const generics - CIPHERTEXT_SIZE= 1088 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_43_da( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_43_ca( Eurydice_slice shared_secret, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -4401,42 +4589,39 @@ with const generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_decapsulate_be( +static inline void libcrux_ml_kem_ind_cca_decapsulate_01( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t), (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_b1(ind_cpa_secret_key, ciphertext->value, + libcrux_ml_kem_ind_cpa_decrypt_1d(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, 
LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_avx2_G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -4445,37 +4630,38 @@ static inline void libcrux_ml_kem_ind_cca_decapsulate_be( libcrux_ml_kem_utils_into_padded_array_2d0(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_47(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_93( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_fb(uu____5, uu____6, pseudorandomness, - expected_ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_fb(uu____5, copy_of_decrypted, + pseudorandomness, expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_ind_cca_kdf_43_da( + libcrux_ml_kem_ind_cca_kdf_43_ca( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), + uint8_t), ciphertext, implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - libcrux_ml_kem_ind_cca_kdf_43_da(shared_secret0, ciphertext, shared_secret1); + libcrux_ml_kem_ind_cca_kdf_43_ca(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_47(ciphertext), - 
Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } /** @@ -4499,17 +4685,24 @@ with const generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_58( +static inline void libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_d8( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_be(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_01(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_58(private_key, + libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_d8(private_key, ciphertext, ret); } 
@@ -4569,70 +4762,70 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4d( +static inline void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_b6( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_unpacked_ff( + libcrux_ml_kem_ind_cpa_decrypt_unpacked_b8( &key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_avx2_G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[1120U]; 
libcrux_ml_kem_utils_into_padded_array_2d0( - Eurydice_array_to_slice((size_t)32U, - key_pair->private_key.implicit_rejection_value, - uint8_t, Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_47(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_93( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_88(uu____3, uu____4, pseudorandomness, - expected_ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_88( + uu____3, copy_of_decrypted, pseudorandomness, expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_47(ciphertext), - Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( 
shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), selector, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.decapsulate_unpacked with const @@ -4656,18 +4849,25 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_unpacked_75( +libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_unpacked_67( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_4d(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_b6(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`]. +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_unpacked_75( + libcrux_ml_kem_ind_cca_instantiations_avx2_decapsulate_unpacked_67( private_key, ciphertext, ret); } 
@@ -4682,13 +4882,11 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_43_d2( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_43_a6( Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -4730,59 +4928,57 @@ static inline tuple_3c libcrux_ml_kem_ind_cca_encapsulate_82( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - libcrux_ml_kem_ind_cca_entropy_preprocess_43_d2( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + libcrux_ml_kem_ind_cca_entropy_preprocess_43_a6( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_65( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_avx2_G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - 
(size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_fb(uu____2, uu____3, pseudorandomness, - ciphertext); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + libcrux_ml_kem_ind_cpa_encrypt_fb(uu____2, copy_of_randomness, + pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f5(uu____4); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - libcrux_ml_kem_ind_cca_kdf_43_da(shared_secret, &ciphertext0, + libcrux_ml_kem_ind_cca_kdf_43_ca(shared_secret, &ciphertext0, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_3c lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_3c result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } /** 
@@ -4804,24 +5000,33 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_7c( +libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_fa( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_82(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_82(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_7c(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_fa( + uu____0, copy_of_randomness); } /** 
@@ -4843,55 +5048,58 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_5a( +static inline tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_a9( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_avx2_G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C 
*/ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_88(uu____2, uu____3, pseudorandomness, - ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_88(uu____2, copy_of_randomness, + pseudorandomness, ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = - libcrux_ml_kem_types_from_15_f5(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_3c lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.encapsulate_unpacked with const 
@@ -4912,27 +5120,37 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_unpacked_51( +libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_unpacked_50( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_5a(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_a9( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 (unpacked) + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c libcrux_ml_kem_mlkem768_avx2_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_unpacked_51( - uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_avx2_encapsulate_unpacked_50( + uu____0, copy_of_randomness); } /** 
@@ -5001,6 +5219,9 @@ libcrux_ml_kem_polynomial_add_standard_error_reduce_89_ac( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5018,22 +5239,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_f0( result[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *matrix_element = 
@@ -5052,6 +5271,47 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_f0( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -5065,9 +5325,9 @@ static inline tuple_9b0 libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_6c( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_avx2_G_a9_68(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A_transpose[3U][3U]; 
@@ -5077,21 +5337,23 @@ static inline tuple_9b0 libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_6c( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b00 uu____2 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b00 uu____2 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15( + copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 secret_as_ntt[3U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 error_as_ntt[3U]; memcpy( error_as_ntt, - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15(uu____3, + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_15(copy_of_prf_input, domain_separator) .fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); 
@@ -5100,34 +5362,38 @@ static inline tuple_9b0 libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_6c( error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____4[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_t_as_ntt[3U]; memcpy( - uu____4, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____5[3U][3U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_A_transpose[3U] + [3U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____7[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + 
libcrux_ml_kem_polynomial_PolynomialRingElement_d2 copy_of_secret_as_ntt[3U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_d2)); return (CLITERAL(tuple_9b0){.fst = sk, .snd = pk}); } @@ -5152,16 +5418,16 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_92( uint8_t bytes[24U]; libcrux_ml_kem_vector_avx2_serialize_12_ea(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -5175,29 +5441,29 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_secret_key_ae( uint8_t ret[1152U]) { uint8_t out[1152U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_d2, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_d2), + libcrux_ml_kem_polynomial_PolynomialRingElement_d2); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_92(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -5211,20 +5477,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_d0( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *t_as_ntt, Eurydice_slice seed_for_a, uint8_t ret[1184U]) { uint8_t public_key_serialized[1184U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_subslice2(public_key_serialized, (size_t)0U, - (size_t)1152U, uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + public_key_serialized, (size_t)0U, (size_t)1152U, uint8_t); uint8_t ret0[1152U]; libcrux_ml_kem_ind_cpa_serialize_secret_key_ae(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)1184U, public_key_serialized, - (size_t)1152U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)1152U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); } 
@@ -5248,20 +5510,24 @@ libcrux_ml_kem_ind_cpa_generate_keypair_e1(Eurydice_slice key_generation_seed) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 pk = uu____0.snd; uint8_t public_key_serialized[1184U]; libcrux_ml_kem_ind_cpa_serialize_public_key_d0( - pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t, - Eurydice_slice), + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), public_key_serialized); uint8_t secret_key_serialized[1152U]; libcrux_ml_kem_ind_cpa_serialize_secret_key_ae(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[1152U]; - memcpy(uu____1, secret_key_serialized, (size_t)1152U * sizeof(uint8_t)); - uint8_t uu____2[1184U]; - memcpy(uu____2, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1152U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[1184U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, uu____1, (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)1184U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); return lit; } 
@@ -5281,43 +5547,37 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_75( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_65(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( 
Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } @@ -5338,12 +5598,11 @@ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_ind_cca_generate_keypair_c20(uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = libcrux_ml_kem_ind_cpa_generate_keypair_e1(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[1152U]; 
@@ -5352,20 +5611,21 @@ libcrux_ml_kem_ind_cca_generate_keypair_c20(uint8_t randomness[64U]) { memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); uint8_t secret_key_serialized[2400U]; libcrux_ml_kem_ind_cca_serialize_kem_secret_key_75( - Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[2400U]; - memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[2400U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_55 private_key = - libcrux_ml_kem_types_from_e7_a7(uu____1); + libcrux_ml_kem_types_from_e7_a7(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_55 uu____2 = private_key; - uint8_t uu____3[1184U]; - memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c9( - uu____2, libcrux_ml_kem_types_from_07_4c(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c(copy_of_public_key)); } /** 
@@ -5381,20 +5641,25 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_2e( +libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_cb( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c20(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c20(copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_avx2_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_2e( - uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_cb( + copy_of_randomness); } /** @@ -5412,7 +5677,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_closure_f7( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_closure_c6( size_t _j) { return libcrux_ml_kem_polynomial_ZERO_89_d5(); } 
@@ -5432,7 +5697,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_ac( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_b5( size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_d2 ret[3U]) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { ret[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); @@ -5451,7 +5716,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_d2 -libcrux_ml_kem_polynomial_clone_d5_b8( +libcrux_ml_kem_polynomial_clone_d5_60( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_d2 lit; core_core_arch_x86___m256i ret[16U]; @@ -5477,16 +5742,15 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_13( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_6e( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_9b0 uu____0 = libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_6c( ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 
@@ -5495,7 +5759,7 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_13( ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 A[3U][3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_ac(i, + libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_b5(i, A[i]); } for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { @@ -5503,7 +5767,7 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_13( for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____1 = - libcrux_ml_kem_polynomial_clone_d5_b8(&ind_cpa_public_key.A[j][i1]); + libcrux_ml_kem_polynomial_clone_d5_60(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1; } } 
@@ -5518,38 +5782,44 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_13( libcrux_ml_kem_ind_cpa_serialize_public_key_d0( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_65( - Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_a0 uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_a0 uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + 
memcpy(lit.public_key.public_key_hash, copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.generate_keypair_unpacked with const @@ -5564,21 +5834,27 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 -libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_unpacked_2a( +libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_unpacked_0b( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_13(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_6e( + copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair in "unpacked" form +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_a0 libcrux_ml_kem_mlkem768_avx2_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_unpacked_2a( - uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_avx2_generate_keypair_unpacked_0b( + copy_of_randomness); } /** 
@@ -5593,28 +5869,25 @@ with const generics - CIPHERTEXT_SIZE= 1088 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_6c_3e( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_6c_14( Eurydice_slice shared_secret, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t kdf_input[64U]; libcrux_ml_kem_utils_into_padded_array_2d(shared_secret, kdf_input); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, kdf_input, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret0[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_65( Eurydice_array_to_slice((size_t)1088U, - libcrux_ml_kem_types_as_slice_a8_8a(ciphertext), - uint8_t, Eurydice_slice), + libcrux_ml_kem_types_as_slice_a8_63(ciphertext), + uint8_t), ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); uint8_t ret1[32U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_93( - Eurydice_array_to_slice((size_t)64U, kdf_input, uint8_t, Eurydice_slice), - ret1); + Eurydice_array_to_slice((size_t)64U, kdf_input, uint8_t), ret1); memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); } 
@@ -5641,42 +5914,39 @@ with const generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_decapsulate_be0( +static inline void libcrux_ml_kem_ind_cca_decapsulate_010( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t), (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_b1(ind_cpa_secret_key, ciphertext->value, + libcrux_ml_kem_ind_cpa_decrypt_1d(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, 
LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_avx2_G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -5685,39 +5955,43 @@ static inline void libcrux_ml_kem_ind_cca_decapsulate_be0( libcrux_ml_kem_utils_into_padded_array_2d0(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_47(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_avx2_PRF_a9_93( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_fb(uu____5, uu____6, pseudorandomness, - expected_ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_fb(uu____5, copy_of_decrypted, + pseudorandomness, expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_ind_cca_kdf_6c_3e( + libcrux_ml_kem_ind_cca_kdf_6c_14( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), + uint8_t), ciphertext, implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - libcrux_ml_kem_ind_cca_kdf_6c_3e(shared_secret0, ciphertext, shared_secret1); + libcrux_ml_kem_ind_cca_kdf_6c_14(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_47(ciphertext), - 
Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.kyber_decapsulate with const generics @@ -5740,17 +6014,24 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.kyber_decapsulate with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline void -libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_18( +libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_80( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_be0(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_010(private_key, ciphertext, ret); } +/** + Decapsulate Kyber 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_kyber_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_18( + libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_decapsulate_80( private_key, ciphertext, ret); } 
@@ -5765,7 +6046,7 @@ with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_6c_de( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_6c_b6( Eurydice_slice randomness, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_avx2_H_a9_65(randomness, ret); } 
@@ -5794,61 +6075,62 @@ static inline tuple_3c libcrux_ml_kem_ind_cca_encapsulate_820( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - libcrux_ml_kem_ind_cca_entropy_preprocess_6c_de( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + libcrux_ml_kem_ind_cca_entropy_preprocess_6c_b6( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; libcrux_ml_kem_hash_functions_avx2_H_a9_65( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_avx2_G_a9_68( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = Eurydice_array_to_slice( - 
(size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_fb(uu____2, uu____3, pseudorandomness, - ciphertext); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + libcrux_ml_kem_ind_cpa_encrypt_fb(uu____2, copy_of_randomness, + pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f5(uu____4); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - libcrux_ml_kem_ind_cca_kdf_6c_3e(shared_secret, &ciphertext0, + libcrux_ml_kem_ind_cca_kdf_6c_14(shared_secret, &ciphertext0, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_3c lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_3c result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } +/** + Portable encapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.avx2.kyber_encapsulate with const 
generics @@ -5868,24 +6150,33 @@ libcrux_ml_kem.ind_cca.instantiations.avx2.kyber_encapsulate with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_1f( +libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_e6( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_820(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_820(uu____0, copy_of_randomness); } +/** + Encapsulate Kyber 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline tuple_3c libcrux_ml_kem_mlkem768_avx2_kyber_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_1f( - uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_avx2_kyber_encapsulate_e6( + uu____0, copy_of_randomness); } /** 
@@ -5902,6 +6193,12 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure_c00( return libcrux_ml_kem_polynomial_ZERO_89_d5(); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -5919,7 +6216,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_5d0( deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_89_d5(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -5927,7 +6224,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_5d0( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 uu____0 = libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_dd( ring_element); 
@@ -5952,14 +6249,14 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_cf( libcrux_ml_kem_polynomial_PolynomialRingElement_d2 deserialized_pk[3U]; libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_5d0( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_d2 *uu____0 = deserialized_pk; uint8_t public_key_serialized[1184U]; libcrux_ml_kem_ind_cpa_serialize_public_key_d0( uu____0, Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); @@ -5975,17 +6272,22 @@ generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline bool -libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_ad( +libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_fe( uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_cf(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ KRML_ATTRIBUTE_TARGET("avx2") static inline core_option_Option_92 libcrux_ml_kem_mlkem768_avx2_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 public_key) { core_option_Option_92 uu____0; - if (libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_ad( + if (libcrux_ml_kem_ind_cca_instantiations_avx2_validate_public_key_fe( public_key.value)) { uu____0 = (CLITERAL(core_option_Option_92){.tag = core_option_Some, .f0 = public_key}); diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index c805c83b2..3a4cb9119 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_mlkem768_portable_H @@ -32,8 +32,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_neon_G( Eurydice_slice input, uint8_t ret[64U]) { uint8_t digest[64U] = {0U}; libcrux_sha3_neon_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); } @@ -41,8 +40,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_neon_H( Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_neon_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } @@ -54,8 +52,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_G( Eurydice_slice input, uint8_t ret[64U]) { uint8_t digest[64U] = {0U}; libcrux_sha3_portable_sha512( - Eurydice_array_to_slice((size_t)64U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)64U, digest, uint8_t), input); memcpy(ret, digest, (size_t)64U * sizeof(uint8_t)); } 
@@ -63,8 +60,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_H( Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_sha256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } @@ -136,10 +132,8 @@ libcrux_ml_kem_vector_portable_vector_type_from_i16_array( int16_t ret[16U]; core_result_Result_c0 dst; Eurydice_slice_to_array2( - &dst, - Eurydice_slice_subslice2(array, (size_t)0U, (size_t)16U, int16_t, - Eurydice_slice), - Eurydice_slice, int16_t[16U], void *); + &dst, Eurydice_slice_subslice2(array, (size_t)0U, (size_t)16U, int16_t), + Eurydice_slice, int16_t[16U]); core_result_unwrap_41_f9(dst, ret); memcpy(lit.elements, ret, (size_t)16U * sizeof(int16_t)); return lit; 
@@ -170,68 +164,64 @@ typedef struct uint8_t_x11_s { static KRML_MUSTINLINE uint8_t_x11 libcrux_ml_kem_vector_portable_serialize_serialize_11_int(Eurydice_slice v) { - uint8_t r0 = - (uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, int16_t); + uint8_t r0 = (uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *); uint8_t r1 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)31) << 3U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 8U); uint8_t r2 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)3) << 6U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 5U); - uint8_t r3 = (uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *, - int16_t) >> - 2U & - (int16_t)255); + uint8_t r3 = + (uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *) >> 2U & + (int16_t)255); uint8_t r4 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)127) << 1U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 10U); uint8_t r5 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)4U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)15) << 4U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 7U); uint8_t r6 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)1) << 7U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)4U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 4U); - uint8_t r7 = (uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *, - int16_t) >> - 1U & - (int16_t)255); + uint8_t r7 = + (uint8_t)(Eurydice_slice_index(v, (size_t)5U, 
int16_t, int16_t *) >> 1U & + (int16_t)255); uint8_t r8 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)63) << 2U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)5U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 9U); uint8_t r9 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)7) << 5U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 6U); - uint8_t r10 = (uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t, - int16_t *, int16_t) >> - 3U); + uint8_t r10 = + (uint8_t)(Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) >> 3U); return (CLITERAL(uint8_t_x11){.fst = r0, .snd = r1, .thd = r2, @@ -250,12 +240,11 @@ libcrux_ml_kem_vector_portable_serialize_serialize_11( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[22U]) { uint8_t_x11 r0_10 = libcrux_ml_kem_vector_portable_serialize_serialize_11_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t)); uint8_t_x11 r11_21 = libcrux_ml_kem_vector_portable_serialize_serialize_11_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, - int16_t, Eurydice_slice)); + int16_t)); uint8_t result[22U] = {0U}; result[0U] = r0_10.fst; result[1U] = r0_10.snd; 
@@ -306,66 +295,56 @@ typedef struct int16_t_x8_s { static KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( Eurydice_slice bytes) { - int16_t r0 = ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)7) - << 8U | - (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, - uint8_t *, uint8_t); - int16_t r1 = ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)63) - << 5U | - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) >> - 3U; - int16_t r2 = (((int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)1) - << 10U | - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, - uint8_t *, uint8_t) - << 2U) | - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) >> - 6U; - int16_t r3 = ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)15) - << 7U | - (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, - uint8_t *, uint8_t) >> - 1U; - int16_t r4 = ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)127) - << 4U | - (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, - uint8_t *, uint8_t) >> - 4U; - int16_t r5 = (((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)3) - << 9U | - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, - uint8_t *, uint8_t) - << 1U) | - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) >> - 7U; - int16_t r6 = ((int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)31) - << 6U | - (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) >> - 2U; - int16_t r7 = (int16_t)Eurydice_slice_index(bytes, (size_t)10U, uint8_t, - uint8_t *, uint8_t) - << 3U | - (int16_t)Eurydice_slice_index(bytes, 
(size_t)9U, uint8_t, - uint8_t *, uint8_t) >> - 5U; + int16_t r0 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) & + (int16_t)7) + << 8U | + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int16_t r1 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) & + (int16_t)63) + << 5U | + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) >> + 3U; + int16_t r2 = + (((int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) & + (int16_t)1) + << 10U | + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) + << 2U) | + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 6U; + int16_t r3 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) & + (int16_t)15) + << 7U | + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) >> + 1U; + int16_t r4 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) & + (int16_t)127) + << 4U | + (int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) >> + 4U; + int16_t r5 = + (((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) & + (int16_t)3) + << 9U | + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) + << 1U) | + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >> + 7U; + int16_t r6 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) & + (int16_t)31) + << 6U | + (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) >> + 2U; + int16_t r7 = + (int16_t)Eurydice_slice_index(bytes, (size_t)10U, uint8_t, uint8_t *) + << 3U | + (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) >> + 5U; return (CLITERAL(int16_t_x8){.fst = r0, .snd = r1, .thd = r2, 
@@ -401,12 +380,10 @@ libcrux_ml_kem_vector_portable_vector_type_zero(void) { static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_11(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)11U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)11U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_11_int( - Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)11U, (size_t)22U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; @@ -1115,6 +1092,19 @@ libcrux_ml_kem_vector_portable_cond_subtract_3329_0d( ((int32_t)1 << (uint32_t) \ LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_BARRETT_SHIFT) +/** + Signed Barrett Reduction + + Given an input `value`, `barrett_reduce` outputs a representative `result` + such that: + + - result ≡ value (mod FIELD_MODULUS) + - the absolute value of `result` is bound as follows: + + `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) + + In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. +*/ static inline int16_t libcrux_ml_kem_vector_portable_arithmetic_barrett_reduce_element( int16_t value) { 
@@ -1157,6 +1147,20 @@ libcrux_ml_kem_vector_portable_barrett_reduce_0d( ((int32_t)1 << (uint32_t) \ LIBCRUX_ML_KEM_VECTOR_PORTABLE_ARITHMETIC_MONTGOMERY_SHIFT) +/** + Signed Montgomery Reduction + + Given an input `value`, `montgomery_reduce` outputs a representative `o` + such that: + + - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) + - the absolute value of `o` is bound as follows: + + `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) + + In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · + FIELD_MODULUS) / 2`. +*/ static inline int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( int32_t value) { @@ -1176,6 +1180,17 @@ libcrux_ml_kem_vector_portable_arithmetic_montgomery_reduce_element( return value_high - c; } +/** + If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to + `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to + `x · y`, as follows: + + `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` + + `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a + representative `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod + FIELD_MODULUS)`. +*/ static KRML_MUSTINLINE int16_t libcrux_ml_kem_vector_portable_arithmetic_montgomery_multiply_fe_by_fer( int16_t fe, int16_t fer) { 
@@ -1207,6 +1222,28 @@ libcrux_ml_kem_vector_portable_montgomery_multiply_by_constant_0d( v, r); } +/** + The `compress_*` functions implement the `Compress` function specified in the + NIST FIPS 203 standard (Page 18, Expression 4.5), which is defined as: + + ```plaintext + Compress_d: ℤq -> ℤ_{2ᵈ} + Compress_d(x) = ⌈(2ᵈ/q)·x⌋ + ``` + + Since `⌈x⌋ = ⌊x + 1/2⌋` we have: + + ```plaintext + Compress_d(x) = ⌊(2ᵈ/q)·x + 1/2⌋ + = ⌊(2^{d+1}·x + q) / 2q⌋ + ``` + + For further information about the function implementations, consult the + `implementation_notes.pdf` document in this directory. + + The NIST FIPS 203 standard can be found at + . +*/ static inline uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( uint16_t fe) { @@ -1481,6 +1518,28 @@ libcrux_ml_kem_vector_portable_inv_ntt_layer_3_step_0d( return libcrux_ml_kem_vector_portable_ntt_inv_ntt_layer_3_step(a, zeta); } +/** + Compute the product of two Kyber binomials with respect to the + modulus `X² - zeta`. + + This function almost implements Algorithm 11 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: a₀, a₁, b₀, b₁ ∈ ℤq. + Input: γ ∈ ℤq. + Output: c₀, c₁ ∈ ℤq. + + c₀ ← a₀·b₀ + a₁·b₁·γ + c₁ ← a₀·b₁ + a₁·b₀ + return c₀, c₁ + ``` + We say "almost" because the coefficients output by this function are in + the Montgomery domain (unlike in the specification). + + The NIST FIPS 203 standard can be found at + . +*/ static KRML_MUSTINLINE void libcrux_ml_kem_vector_portable_ntt_ntt_multiply_binomials( libcrux_ml_kem_vector_portable_vector_type_PortableVector *a, 
@@ -1577,20 +1636,18 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_1(Eurydice_slice v) { libcrux_ml_kem_vector_portable_vector_type_zero(); for (size_t i = (size_t)0U; i < (size_t)8U; i++) { size_t i0 = i; - result.elements[i0] = - (int16_t)((uint32_t)Eurydice_slice_index(v, (size_t)0U, uint8_t, - uint8_t *, uint8_t) >> - (uint32_t)i0 & - 1U); + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)0U, uint8_t, uint8_t *) >> + (uint32_t)i0 & + 1U); } for (size_t i = (size_t)8U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - result.elements[i0] = - (int16_t)((uint32_t)Eurydice_slice_index(v, (size_t)1U, uint8_t, - uint8_t *, uint8_t) >> - (uint32_t)(i0 - (size_t)8U) & - 1U); + result.elements[i0] = (int16_t)((uint32_t)Eurydice_slice_index( + v, (size_t)1U, uint8_t, uint8_t *) >> + (uint32_t)(i0 - (size_t)8U) & + 1U); } return result; } 
@@ -1613,26 +1670,26 @@ typedef struct uint8_t_x4_s { static KRML_MUSTINLINE uint8_t_x4 libcrux_ml_kem_vector_portable_serialize_serialize_4_int(Eurydice_slice v) { - uint8_t result0 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)1U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)0U, int16_t, int16_t *, int16_t); - uint8_t result1 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)3U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)2U, int16_t, int16_t *, int16_t); - uint8_t result2 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)5U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)4U, int16_t, int16_t *, int16_t); - uint8_t result3 = (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)7U, int16_t, int16_t *, int16_t) - << 4U | - (uint32_t)(uint8_t)Eurydice_slice_index( - v, (size_t)6U, int16_t, int16_t *, int16_t); + uint8_t result0 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)0U, int16_t, + int16_t *); + uint8_t result1 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)2U, int16_t, + int16_t *); + uint8_t result2 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)4U, int16_t, + int16_t *); + uint8_t result3 = + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *) + << 4U | + (uint32_t)(uint8_t)Eurydice_slice_index(v, (size_t)6U, int16_t, + int16_t *); return (CLITERAL(uint8_t_x4){ .fst = result0, .snd = result1, .thd = result2, .f3 = result3}); } 
@@ -1644,11 +1701,11 @@ libcrux_ml_kem_vector_portable_serialize_serialize_4( uint8_t_x4 result0_3 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, - int16_t, Eurydice_slice)); + int16_t)); uint8_t_x4 result4_7 = libcrux_ml_kem_vector_portable_serialize_serialize_4_int( Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, - int16_t, Eurydice_slice)); + int16_t)); uint8_t result[8U] = {0U}; result[0U] = result0_3.fst; result[1U] = result0_3.snd; 
@@ -1674,32 +1731,32 @@ static inline void libcrux_ml_kem_vector_portable_serialize_4_0d( static KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( Eurydice_slice bytes) { - int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) & + int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) & 15U); - int16_t v1 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) >> + int16_t v1 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) >> 4U & 15U); - int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) & + int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) & 15U); - int16_t v3 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) >> + int16_t v3 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) >> 4U & 15U); - int16_t v4 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) & + int16_t v4 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) & 15U); - int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) >> + int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) >> 4U & 15U); - int16_t v6 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) & + int16_t v6 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) & 15U); - int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) >> + int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) >> 4U & 15U); return (CLITERAL(int16_t_x8){.fst = v0, 
@@ -1715,11 +1772,9 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_4(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)4U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_4_int( - Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)4U, (size_t)8U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; 
@@ -1761,40 +1816,24 @@ typedef struct uint8_t_x5_s { static KRML_MUSTINLINE uint8_t_x5 libcrux_ml_kem_vector_portable_serialize_serialize_5_int(Eurydice_slice v) { uint8_t r0 = - (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) | - Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *, int16_t) - << 5U); + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) | + Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) << 5U); uint8_t r1 = - (uint8_t)((Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *, - int16_t) >> - 3U | - Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *, - int16_t) + (uint8_t)((Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 3U | + Eurydice_slice_index(v, (size_t)2U, int16_t, int16_t *) << 2U) | - Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *, int16_t) - << 7U); + Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) << 7U); uint8_t r2 = - (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *, - int16_t) >> - 1U | - Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *, int16_t) - << 4U); + (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 1U | + Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *) << 4U); uint8_t r3 = - (uint8_t)((Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *, - int16_t) >> - 4U | - Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *, - int16_t) + (uint8_t)((Eurydice_slice_index(v, (size_t)4U, int16_t, int16_t *) >> 4U | + Eurydice_slice_index(v, (size_t)5U, int16_t, int16_t *) << 1U) | - Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *, int16_t) - << 6U); + Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) << 6U); uint8_t r4 = - (uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *, - int16_t) >> - 2U | - Eurydice_slice_index(v, (size_t)7U, int16_t, int16_t *, int16_t) - << 3U); + (uint8_t)(Eurydice_slice_index(v, (size_t)6U, int16_t, int16_t *) >> 2U | + Eurydice_slice_index(v, 
(size_t)7U, int16_t, int16_t *) << 3U); return (CLITERAL(uint8_t_x5){ .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4}); } @@ -1804,11 +1843,10 @@ libcrux_ml_kem_vector_portable_serialize_serialize_5( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[10U]) { uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)8U, int16_t)); uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_5_int( - Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)16U, + int16_t)); uint8_t result[10U] = {0U}; result[0U] = r0_4.fst; result[1U] = r0_4.snd; 
@@ -1836,44 +1874,44 @@ static inline void libcrux_ml_kem_vector_portable_serialize_5_0d( static KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( Eurydice_slice bytes) { - int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) & + int16_t v0 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) & 31U); - int16_t v1 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) & + int16_t v1 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) & 3U) << 3U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)0U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)0U, + uint8_t, uint8_t *) >> 5U); - int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) >> + int16_t v2 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) >> 2U & 31U); - int16_t v3 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) & + int16_t v3 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) & 15U) << 1U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)1U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)1U, + uint8_t, uint8_t *) >> 7U); - int16_t v4 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) & + int16_t v4 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) & 1U) << 4U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)2U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)2U, + uint8_t, uint8_t *) >> 4U); - int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) >> + int16_t v5 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, 
(size_t)3U, + uint8_t, uint8_t *) >> 1U & 31U); - int16_t v6 = (int16_t)(((uint32_t)Eurydice_slice_index( - bytes, (size_t)4U, uint8_t, uint8_t *, uint8_t) & + int16_t v6 = (int16_t)(((uint32_t)Eurydice_slice_index(bytes, (size_t)4U, + uint8_t, uint8_t *) & 7U) << 2U | - (uint32_t)Eurydice_slice_index( - bytes, (size_t)3U, uint8_t, uint8_t *, uint8_t) >> + (uint32_t)Eurydice_slice_index(bytes, (size_t)3U, + uint8_t, uint8_t *) >> 6U); - int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index( - bytes, (size_t)4U, uint8_t, uint8_t *, uint8_t) >> + int16_t v7 = (int16_t)((uint32_t)Eurydice_slice_index(bytes, (size_t)4U, + uint8_t, uint8_t *) >> 3U); return (CLITERAL(int16_t_x8){.fst = v0, .snd = v1, @@ -1888,11 +1926,9 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_5(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)5U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_5_int( - Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)5U, (size_t)10U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; 
@@ -1925,37 +1961,36 @@ libcrux_ml_kem_vector_portable_deserialize_5_0d(Eurydice_slice a) { static KRML_MUSTINLINE uint8_t_x5 libcrux_ml_kem_vector_portable_serialize_serialize_10_int(Eurydice_slice v) { - uint8_t r0 = (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) & - (int16_t)255); + uint8_t r0 = + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) & + (int16_t)255); uint8_t r1 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)63) << 2U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 8U & (int16_t)3); uint8_t r2 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)15) << 4U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 6U & (int16_t)15); uint8_t r3 = (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, - int16_t *, int16_t) & + int16_t *) & (int16_t)3) << 6U | (uint32_t)(uint8_t)(Eurydice_slice_index(v, (size_t)2U, int16_t, - int16_t *, int16_t) >> + int16_t *) >> 4U & (int16_t)63); - uint8_t r4 = (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *, - int16_t) >> - 2U & - (int16_t)255); + uint8_t r4 = + (uint8_t)(Eurydice_slice_index(v, (size_t)3U, int16_t, int16_t *) >> 2U & + (int16_t)255); return (CLITERAL(uint8_t_x5){ .fst = r0, .snd = r1, .thd = r2, .f3 = r3, .f4 = r4}); } 
@@ -1965,17 +2000,15 @@ libcrux_ml_kem_vector_portable_serialize_serialize_10( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[20U]) { uint8_t_x5 r0_4 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)4U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)4U, int16_t)); uint8_t_x5 r5_9 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)8U, int16_t)); uint8_t_x5 r10_14 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)12U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)12U, + int16_t)); uint8_t_x5 r15_19 = libcrux_ml_kem_vector_portable_serialize_serialize_10_int( - Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)16U, + int16_t)); uint8_t result[20U] = {0U}; result[0U] = r0_4.fst; result[1U] = r0_4.snd; 
@@ -2013,60 +2046,52 @@ static inline void libcrux_ml_kem_vector_portable_serialize_10_0d( static KRML_MUSTINLINE int16_t_x8 libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( Eurydice_slice bytes) { - int16_t r0 = ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)3) - << 8U | - ((int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)255); - int16_t r1 = ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)15) - << 6U | - (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t) >> - 2U; - int16_t r2 = ((int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)63) - << 4U | - (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t) >> - 4U; - int16_t r3 = (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, - uint8_t *, uint8_t) - << 2U | - (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, - uint8_t *, uint8_t) >> - 6U; - int16_t r4 = ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)3) - << 8U | - ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)255); - int16_t r5 = ((int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)15) - << 6U | - (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, - uint8_t *, uint8_t) >> - 2U; - int16_t r6 = ((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) & - (int16_t)63) - << 4U | - (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, - uint8_t *, uint8_t) >> - 4U; - int16_t r7 = (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, - uint8_t *, uint8_t) - << 2U | - (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, - uint8_t *, uint8_t) >> - 6U; + int16_t r0 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) & + 
(int16_t)3) + << 8U | + ((int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *) & + (int16_t)255); + int16_t r1 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) & + (int16_t)15) + << 6U | + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *) >> + 2U; + int16_t r2 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) & + (int16_t)63) + << 4U | + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *) >> + 4U; + int16_t r3 = + (int16_t)Eurydice_slice_index(bytes, (size_t)4U, uint8_t, uint8_t *) + << 2U | + (int16_t)Eurydice_slice_index(bytes, (size_t)3U, uint8_t, uint8_t *) >> + 6U; + int16_t r4 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) & + (int16_t)3) + << 8U | + ((int16_t)Eurydice_slice_index(bytes, (size_t)5U, uint8_t, uint8_t *) & + (int16_t)255); + int16_t r5 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) & + (int16_t)15) + << 6U | + (int16_t)Eurydice_slice_index(bytes, (size_t)6U, uint8_t, uint8_t *) >> + 2U; + int16_t r6 = + ((int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) & + (int16_t)63) + << 4U | + (int16_t)Eurydice_slice_index(bytes, (size_t)7U, uint8_t, uint8_t *) >> + 4U; + int16_t r7 = + (int16_t)Eurydice_slice_index(bytes, (size_t)9U, uint8_t, uint8_t *) + << 2U | + (int16_t)Eurydice_slice_index(bytes, (size_t)8U, uint8_t, uint8_t *) >> + 6U; return (CLITERAL(int16_t_x8){.fst = r0, .snd = r1, .thd = r2, 
@@ -2080,12 +2105,10 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_10(Eurydice_slice bytes) { int16_t_x8 v0_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)10U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)10U, uint8_t)); int16_t_x8 v8_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_10_int( - Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)10U, (size_t)20U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector v = libcrux_ml_kem_vector_portable_vector_type_zero(); v.elements[0U] = v0_7.fst; @@ -2124,20 +2147,17 @@ typedef struct uint8_t_x3_s { static KRML_MUSTINLINE uint8_t_x3 libcrux_ml_kem_vector_portable_serialize_serialize_12_int(Eurydice_slice v) { - uint8_t r0 = (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) & - (int16_t)255); - uint8_t r1 = (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *, - int16_t) >> - 8U | - (Eurydice_slice_index(v, (size_t)1U, int16_t, - int16_t *, int16_t) & - (int16_t)15) - << 4U); - uint8_t r2 = (uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *, - int16_t) >> - 4U & - (int16_t)255); + uint8_t r0 = + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) & + (int16_t)255); + uint8_t r1 = + (uint8_t)(Eurydice_slice_index(v, (size_t)0U, int16_t, int16_t *) >> 8U | + (Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) & + (int16_t)15) + << 4U); + uint8_t r2 = + (uint8_t)(Eurydice_slice_index(v, (size_t)1U, int16_t, int16_t *) >> 4U & + (int16_t)255); return (CLITERAL(uint8_t_x3){.fst = r0, .snd = r1, .thd = r2}); } 
@@ -2146,29 +2166,25 @@ libcrux_ml_kem_vector_portable_serialize_serialize_12( libcrux_ml_kem_vector_portable_vector_type_PortableVector v, uint8_t ret[24U]) { uint8_t_x3 r0_2 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)2U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)0U, (size_t)2U, int16_t)); uint8_t_x3 r3_5 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)2U, (size_t)4U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)2U, (size_t)4U, int16_t)); uint8_t_x3 r6_8 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)6U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)4U, (size_t)6U, int16_t)); uint8_t_x3 r9_11 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)6U, (size_t)8U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)6U, (size_t)8U, int16_t)); uint8_t_x3 r12_14 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)10U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)8U, (size_t)10U, + int16_t)); uint8_t_x3 r15_17 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)10U, (size_t)12U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)10U, (size_t)12U, + int16_t)); uint8_t_x3 r18_20 = libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)14U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)12U, (size_t)14U, + int16_t)); uint8_t_x3 r21_23 = 
libcrux_ml_kem_vector_portable_serialize_serialize_12_int( - Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(v.elements, (size_t)14U, (size_t)16U, + int16_t)); uint8_t result[24U] = {0U}; result[0U] = r0_2.fst; result[1U] = r0_2.snd; @@ -2215,12 +2231,12 @@ typedef struct int16_t_x2_s { static KRML_MUSTINLINE int16_t_x2 libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( Eurydice_slice bytes) { - int16_t byte0 = (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, - uint8_t *, uint8_t); - int16_t byte1 = (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, - uint8_t *, uint8_t); - int16_t byte2 = (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, - uint8_t *, uint8_t); + int16_t byte0 = + (int16_t)Eurydice_slice_index(bytes, (size_t)0U, uint8_t, uint8_t *); + int16_t byte1 = + (int16_t)Eurydice_slice_index(bytes, (size_t)1U, uint8_t, uint8_t *); + int16_t byte2 = + (int16_t)Eurydice_slice_index(bytes, (size_t)2U, uint8_t, uint8_t *); int16_t r0 = (byte1 & (int16_t)15) << 8U | (byte0 & (int16_t)255); int16_t r1 = byte2 << 4U | (byte1 >> 4U & (int16_t)15); return (CLITERAL(int16_t_x2){.fst = r0, .snd = r1}); 
@@ -2229,32 +2245,24 @@ libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_serialize_deserialize_12(Eurydice_slice bytes) { int16_t_x2 v0_1 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)3U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)0U, (size_t)3U, uint8_t)); int16_t_x2 v2_3 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)3U, (size_t)6U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)3U, (size_t)6U, uint8_t)); int16_t_x2 v4_5 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)6U, (size_t)9U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)6U, (size_t)9U, uint8_t)); int16_t_x2 v6_7 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)9U, (size_t)12U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)9U, (size_t)12U, uint8_t)); int16_t_x2 v8_9 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)12U, (size_t)15U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)12U, (size_t)15U, uint8_t)); int16_t_x2 v10_11 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)15U, (size_t)18U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)15U, (size_t)18U, uint8_t)); int16_t_x2 v12_13 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - Eurydice_slice_subslice2(bytes, (size_t)18U, (size_t)21U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)18U, (size_t)21U, uint8_t)); int16_t_x2 v14_15 = libcrux_ml_kem_vector_portable_serialize_deserialize_12_int( - 
Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t, - Eurydice_slice)); + Eurydice_slice_subslice2(bytes, (size_t)21U, (size_t)24U, uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector re = libcrux_ml_kem_vector_portable_vector_type_zero(); re.elements[0U] = v0_1.fst; @@ -2289,15 +2297,15 @@ static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a, Eurydice_slice result) { size_t sampled = (size_t)0U; - for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(a, uint8_t, size_t) / (size_t)3U; i++) { + for (size_t i = (size_t)0U; i < Eurydice_slice_len(a, uint8_t) / (size_t)3U; + i++) { size_t i0 = i; int16_t b1 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)0U, - uint8_t, uint8_t *, uint8_t); + uint8_t, uint8_t *); int16_t b2 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)1U, - uint8_t, uint8_t *, uint8_t); + uint8_t, uint8_t *); int16_t b3 = (int16_t)Eurydice_slice_index(a, i0 * (size_t)3U + (size_t)2U, - uint8_t, uint8_t *, uint8_t); + uint8_t, uint8_t *); int16_t d1 = (b2 & (int16_t)15) << 8U | b1; int16_t d2 = b3 << 4U | b2 >> 4U; bool uu____0; @@ -2309,7 +2317,7 @@ libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a, int16_t uu____6; if (d1 < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS) { if (sampled < (size_t)16U) { - Eurydice_slice_index(result, sampled, int16_t, int16_t *, int16_t) = d1; + Eurydice_slice_index(result, sampled, int16_t, int16_t *) = d1; sampled++; uu____1 = d2; uu____6 = LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; @@ -2320,8 +2328,7 @@ libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a, if (uu____2) { uu____4 = d2; uu____5 = sampled; - Eurydice_slice_index(result, uu____5, int16_t, int16_t *, int16_t) = - uu____4; + Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4; sampled++; continue; } 
@@ -2338,8 +2345,7 @@ libcrux_ml_kem_vector_portable_sampling_rej_sample(Eurydice_slice a, if (uu____2) { uu____4 = d2; uu____5 = sampled; - Eurydice_slice_index(result, uu____5, int16_t, int16_t *, int16_t) = - uu____4; + Eurydice_slice_index(result, uu____5, int16_t, int16_t *) = uu____4; sampled++; continue; } @@ -2468,7 +2474,7 @@ with const generics - K= 3 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_17(size_t _) { +libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_fc(size_t _) { return libcrux_ml_kem_polynomial_ZERO_89_39(); } @@ -2479,18 +2485,15 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_59( +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_9c( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = libcrux_ml_kem_polynomial_ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes); re.coefficients[i0] = uu____0; 
@@ -2498,13 +2501,16 @@ libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_59( return re; } +/** + Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_29( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_7e( Eurydice_slice secret_key, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U]; @@ -2512,7 +2518,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_29( secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(secret_key, uint8_t, size_t) / + i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -2520,9 +2526,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_29( secret_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_59( + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_9c( secret_bytes); secret_as_ntt[i0] = uu____0; } 
@@ -2550,7 +2556,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - U_COMPRESSION_FACTOR= 10 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_34(size_t _) { +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_ef(size_t _) { return libcrux_ml_kem_polynomial_ZERO_89_39(); } @@ -2599,18 +2605,15 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_serialize_deserialize_then_decompress_10_f5( +libcrux_ml_kem_serialize_deserialize_then_decompress_10_ff( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = libcrux_ml_kem_polynomial_ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)20U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_10_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = 
@@ -2666,18 +2669,15 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_serialize_deserialize_then_decompress_11_64( +libcrux_ml_kem_serialize_deserialize_then_decompress_11_98( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = libcrux_ml_kem_polynomial_ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)22U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_11_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -2695,9 +2695,9 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_f4( +libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_d2( Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_10_f5(serialized); + return libcrux_ml_kem_serialize_deserialize_then_decompress_10_ff(serialized); } typedef struct libcrux_ml_kem_vector_portable_vector_type_PortableVector_x2_s { 
@@ -2801,13 +2801,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_7b( for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_2_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)1U; } } @@ -2824,7 +2823,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_4f( for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_ntt_layer_1_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], @@ -2834,7 +2833,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_4f( (size_t)2U], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] + (size_t)3U; } } @@ -2867,7 +2865,7 @@ with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - VECTOR_U_COMPRESSION_FACTOR= 10 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_65( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_de( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *re) { size_t zeta_i = (size_t)0U; libcrux_ml_kem_ntt_ntt_at_layer_4_plus_cc(&zeta_i, re, (size_t)7U, 
@@ -2884,6 +2882,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_65( libcrux_ml_kem_polynomial_poly_barrett_reduce_89_2c(re); } +/** + Call [`deserialize_then_decompress_ring_element_u`] on each ring element + in the `ciphertext`. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -2893,7 +2895,7 @@ with const generics - U_COMPRESSION_FACTOR= 10 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_38( +libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_72( uint8_t *ciphertext, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[3U]; @@ -2901,10 +2903,9 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_38( u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( - Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t, - Eurydice_slice), - uint8_t, size_t) / + i < Eurydice_slice_len( + Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), + uint8_t) / (LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U); i++) { @@ -2917,12 +2918,11 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_38( (size_t)10U / (size_t)8U) + LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT * (size_t)10U / (size_t)8U, - uint8_t, Eurydice_slice); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_f4( + uint8_t); + u_as_ntt[i0] = + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_d2( u_bytes); - u_as_ntt[i0] = uu____0; - libcrux_ml_kem_ntt_ntt_vector_u_65(&u_as_ntt[i0]); + libcrux_ml_kem_ntt_ntt_vector_u_de(&u_as_ntt[i0]); } memcpy( ret, u_as_ntt, 
@@ -2974,17 +2974,15 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_serialize_deserialize_then_decompress_4_9b( +libcrux_ml_kem_serialize_deserialize_then_decompress_4_47( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = libcrux_ml_kem_polynomial_ZERO_89_39(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)8U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_4_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = 
@@ -3040,21 +3038,17 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_serialize_deserialize_then_decompress_5_93( +libcrux_ml_kem_serialize_deserialize_then_decompress_5_c0( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = libcrux_ml_kem_polynomial_ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)10U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t, - Eurydice_slice); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); + re.coefficients[i0] = libcrux_ml_kem_vector_portable_deserialize_5_0d(bytes); - re.coefficients[i0] = uu____0; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = libcrux_ml_kem_vector_portable_decompress_ciphertext_coefficient_0d_f42( re.coefficients[i0]); 
@@ -3070,11 +3064,38 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - COMPRESSION_FACTOR= 4 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_f7( +libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_97( Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_4_9b(serialized); + return libcrux_ml_kem_serialize_deserialize_then_decompress_4_47(serialized); } +/** + Given two `KyberPolynomialRingElement`s in their NTT representations, + compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, + the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: + + ```plaintext + ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² + - ζ^(2·BitRev₇(i) + 1)) + ``` + + This function almost implements Algorithm 10 of the + NIST FIPS 203 standard, which is reproduced below: + + ```plaintext + Input: Two arrays fˆ ∈ ℤ₂₅₆ and ĝ ∈ ℤ₂₅₆. + Output: An array ĥ ∈ ℤq. + + for(i ← 0; i < 128; i++) + (ĥ[2i], ĥ[2i+1]) ← BaseCaseMultiply(fˆ[2i], fˆ[2i+1], ĝ[2i], ĝ[2i+1], + ζ^(2·BitRev₇(i) + 1)) end for return ĥ + ``` + We say "almost" because the coefficients of the ring element output by + this function are in the Montgomery domain. + + The NIST FIPS 203 standard can be found at + . +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} @@ -3113,6 +3134,10 @@ libcrux_ml_kem_polynomial_ntt_multiply_89_d5( return out; } +/** + Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise + sum of their constituent coefficients. +*/ /** This function found in impl {libcrux_ml_kem::polynomial::PolynomialRingElement[TraitClause@0]} 
@@ -3127,13 +3152,11 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_89_93( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *rhs) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)16U, self->coefficients, - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - Eurydice_slice), - libcrux_ml_kem_vector_portable_vector_type_PortableVector, - size_t); + libcrux_ml_kem_vector_portable_vector_type_PortableVector), + libcrux_ml_kem_vector_portable_vector_type_PortableVector); i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -3155,7 +3178,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_9f( for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_1_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], @@ -3165,7 +3188,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_9f( (size_t)2U], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - (size_t)3U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)3U; } } 
@@ -3182,13 +3204,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_a6( for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[round] = libcrux_ml_kem_vector_portable_inv_ntt_layer_2_step_0d( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - (size_t)1U]); - re->coefficients[round] = uu____0; zeta_i[0U] = zeta_i[0U] - (size_t)1U; } } @@ -3303,7 +3324,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_polynomial_subtract_reduce_89_79( +libcrux_ml_kem_polynomial_subtract_reduce_89_78( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 b) { for (size_t i = (size_t)0U; @@ -3322,6 +3343,12 @@ libcrux_ml_kem_polynomial_subtract_reduce_89_79( return b; } +/** + The following functions compute various expressions involving + vectors and matrices. The computation of these expressions has been + abstracted away into these functions in order to save on loop iterations. + Compute v − InverseNTT(sᵀ ◦ NTT(u)) +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_message with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -3329,7 +3356,7 @@ with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_matrix_compute_message_b8( +libcrux_ml_kem_matrix_compute_message_15( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *u_as_ntt) { 
@@ -3343,7 +3370,7 @@ libcrux_ml_kem_matrix_compute_message_b8( libcrux_ml_kem_polynomial_add_to_ring_element_89_93(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_86(&result); - result = libcrux_ml_kem_polynomial_subtract_reduce_89_79(v, result); + result = libcrux_ml_kem_polynomial_subtract_reduce_89_78(v, result); return result; } @@ -3402,7 +3429,7 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_message_fb( +libcrux_ml_kem_serialize_compress_then_serialize_message_66( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; for (size_t i = (size_t)0U; i < (size_t)16U; i++) { 
@@ -3417,16 +3444,37 @@ libcrux_ml_kem_serialize_compress_then_serialize_message_fb( libcrux_ml_kem_vector_portable_serialize_1_0d(coefficient_compressed, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)2U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); } +/** + This function implements Algorithm 14 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. + + Algorithm 14 is reproduced below: + + ```plaintext + Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + Output: message m ∈ 𝔹^{32}. + + c₁ ← c[0 : 32dᵤk] + c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] + u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) + v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) + ŝ ← ByteDecode₁₂(dkₚₖₑ) + w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) + m ← ByteEncode₁(Compress₁(w)) + return m + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -3437,21 +3485,20 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static inline void libcrux_ml_kem_ind_cpa_decrypt_unpacked_41( +static inline void libcrux_ml_kem_ind_cpa_decrypt_unpacked_34( libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 *secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_38(ciphertext, u_as_ntt); + libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_72(ciphertext, u_as_ntt); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = - libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_f7( + libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_97( Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, - (size_t)960U, uint8_t, size_t, - Eurydice_slice)); + (size_t)960U, uint8_t, size_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message = - libcrux_ml_kem_matrix_compute_message_b8(&v, secret_key->secret_as_ntt, + libcrux_ml_kem_matrix_compute_message_15(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message_fb(message, ret0); + libcrux_ml_kem_serialize_compress_then_serialize_message_66(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
@@ -3465,22 +3512,23 @@ with const generics - U_COMPRESSION_FACTOR= 10 - V_COMPRESSION_FACTOR= 4 */ -static inline void libcrux_ml_kem_ind_cpa_decrypt_39(Eurydice_slice secret_key, +static inline void libcrux_ml_kem_ind_cpa_decrypt_06(Eurydice_slice secret_key, uint8_t *ciphertext, uint8_t ret[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U]; - libcrux_ml_kem_ind_cpa_deserialize_secret_key_29(secret_key, secret_as_ntt); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[3U]; + libcrux_ml_kem_ind_cpa_deserialize_secret_key_7e(secret_key, secret_as_ntt); + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[3U]; memcpy( - uu____0, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 secret_key_unpacked; memcpy( - secret_key_unpacked.secret_as_ntt, uu____0, + secret_key_unpacked.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t ret0[32U]; - libcrux_ml_kem_ind_cpa_decrypt_unpacked_41(&secret_key_unpacked, ciphertext, + libcrux_ml_kem_ind_cpa_decrypt_unpacked_34(&secret_key_unpacked, ciphertext, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -3508,8 +3556,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRF_3a( Eurydice_slice input, uint8_t ret[32U]) { uint8_t digest[32U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)32U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)32U, digest, uint8_t), input); memcpy(ret, digest, (size_t)32U * sizeof(uint8_t)); } 
@@ -3541,6 +3588,12 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure_06( return libcrux_ml_kem_polynomial_ZERO_89_39(); } +/** + Only use with public values. + + This MUST NOT be used with secret inputs, like its caller + `deserialize_ring_elements_reduced`. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_to_reduced_ring_element with types @@ -3553,13 +3606,10 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ad( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = libcrux_ml_kem_polynomial_ZERO_89_39(); for (size_t i = (size_t)0U; - i < - core_slice___Slice_T___len(serialized, uint8_t, size_t) / (size_t)24U; - i++) { + i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( - serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t, - Eurydice_slice); + serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_deserialize_12_0d(bytes); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = @@ -3569,6 +3619,12 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ad( return re; } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -3585,7 +3641,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_72( deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; 
@@ -3593,7 +3649,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_72( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ad( ring_element); @@ -3655,14 +3711,15 @@ libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_75( for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_sha3_portable_incremental_shake128_absorb_final( - &shake128_state[i0], Eurydice_array_to_slice((size_t)34U, input[i0], - uint8_t, Eurydice_slice)); + &shake128_state[i0], + Eurydice_array_to_slice((size_t)34U, input[i0], uint8_t)); } - libcrux_sha3_generic_keccak_KeccakState_48 uu____0[3U]; - memcpy(uu____0, shake128_state, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_sha3_generic_keccak_KeccakState_48 copy_of_shake128_state[3U]; + memcpy(copy_of_shake128_state, shake128_state, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); libcrux_ml_kem_hash_functions_portable_PortableHash_58 lit; - memcpy(lit.shake128_state, uu____0, + memcpy(lit.shake128_state, copy_of_shake128_state, (size_t)3U * sizeof(libcrux_sha3_generic_keccak_KeccakState_48)); return lit; } @@ -3680,10 +3737,11 @@ generics static KRML_MUSTINLINE libcrux_ml_kem_hash_functions_portable_PortableHash_58 libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_f1_11( uint8_t input[3U][34U]) { - uint8_t uu____0[3U][34U]; - memcpy(uu____0, input, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_input[3U][34U]; + memcpy(copy_of_input, input, (size_t)3U * sizeof(uint8_t[34U])); return libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_75( - uu____0); + copy_of_input); } /** 
@@ -3701,8 +3759,7 @@ libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_10( size_t i0 = i; libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t, - Eurydice_slice)); + Eurydice_array_to_slice((size_t)504U, out[i0], uint8_t)); } memcpy(ret, out, (size_t)3U * sizeof(uint8_t[504U])); } @@ -3725,6 +3782,47 @@ libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_f1_4e self, ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -3742,14 +3840,13 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_05( size_t r = i; if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U, + r * (size_t)24U + (size_t)24U, uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( - uu____0, - Eurydice_array_to_subslice2(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, - int16_t, Eurydice_slice)); + uu____0, Eurydice_array_to_subslice2( + out[i1], sampled_coefficients[i1], + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; } @@ -3784,8 +3881,7 @@ libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_ed( size_t i0 = i; libcrux_sha3_portable_incremental_shake128_squeeze_next_block( &st->shake128_state[i0], - Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t, - Eurydice_slice)); + Eurydice_array_to_slice((size_t)168U, out[i0], uint8_t)); } memcpy(ret, out, (size_t)3U * sizeof(uint8_t[168U])); } 
@@ -3808,6 +3904,47 @@ libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_f1_c1( ret); } +/** + If `bytes` contains a set of uniformly random bytes, this function + uniformly samples a ring element `â` that is treated as being the NTT + representation of the corresponding polynomial `a`. + + Since rejection sampling is used, it is possible the supplied bytes are + not enough to sample the element, in which case an `Err` is returned and the + caller must try again with a fresh set of bytes. + + This function partially implements Algorithm + 6 of the NIST FIPS 203 standard, We say "partially" because this + implementation only accepts a finite set of bytes as input and returns an error + if the set is not enough; Algorithm 6 of the FIPS 203 standard on the other + hand samples from an infinite stream of bytes until the ring element is filled. + Algorithm 6 is reproduced below: + + ```plaintext + Input: byte stream B ∈ 𝔹*. + Output: array â ∈ ℤ₂₅₆. + + i ← 0 + j ← 0 + while j < 256 do + d₁ ← B[i] + 256·(B[i+1] mod 16) + d₂ ← ⌊B[i+1]/16⌋ + 16·B[i+2] + if d₁ < q then + â[j] ← d₁ + j ← j + 1 + end if + if d₂ < q and j < 256 then + â[j] ← d₂ + j ← j + 1 + end if + i ← i + 3 + end while + return â + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_uniform_distribution_next with types 
@@ -3825,14 +3962,13 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_050( size_t r = i; if (sampled_coefficients[i1] < LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT) { - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, - uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U, + r * (size_t)24U + (size_t)24U, uint8_t); size_t sampled = libcrux_ml_kem_vector_portable_rej_sample_0d( - uu____0, - Eurydice_array_to_subslice2(out[i1], sampled_coefficients[i1], - sampled_coefficients[i1] + (size_t)16U, - int16_t, Eurydice_slice)); + uu____0, Eurydice_array_to_subslice2( + out[i1], sampled_coefficients[i1], + sampled_coefficients[i1] + (size_t)16U, int16_t)); size_t uu____1 = i1; sampled_coefficients[uu____1] = sampled_coefficients[uu____1] + sampled; } @@ -3872,8 +4008,7 @@ libcrux_ml_kem_polynomial_from_i16_array_89_6b(Eurydice_slice a) { libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_portable_from_i16_array_0d( Eurydice_slice_subslice2(a, i0 * (size_t)16U, - (i0 + (size_t)1U) * (size_t)16U, int16_t, - Eurydice_slice)); + (i0 + (size_t)1U) * (size_t)16U, int16_t)); result.coefficients[i0] = uu____0; } return result; @@ -3889,8 +4024,7 @@ generics static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0 libcrux_ml_kem_sampling_sample_from_xof_closure_99(int16_t s[272U]) { return libcrux_ml_kem_polynomial_from_i16_array_89_6b( - Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t, - Eurydice_slice)); + Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } /** 
@@ -3905,18 +4039,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { size_t sampled_coefficients[3U] = {0U}; int16_t out[3U][272U] = {{0U}}; - uint8_t uu____0[3U][34U]; - memcpy(uu____0, seeds, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_ml_kem_hash_functions_portable_PortableHash_58 xof_state = libcrux_ml_kem_hash_functions_portable_shake128_init_absorb_final_f1_11( - uu____0); + copy_of_seeds); uint8_t randomness0[3U][504U]; libcrux_ml_kem_hash_functions_portable_shake128_squeeze_first_three_blocks_f1_4e( &xof_state, randomness0); - uint8_t uu____1[3U][504U]; - memcpy(uu____1, randomness0, (size_t)3U * sizeof(uint8_t[504U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness0[3U][504U]; + memcpy(copy_of_randomness0, randomness0, (size_t)3U * sizeof(uint8_t[504U])); bool done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_05( - uu____1, sampled_coefficients, out); + copy_of_randomness0, sampled_coefficients, out); while (true) { if (done) { break; 
@@ -3924,17 +4060,21 @@ static KRML_MUSTINLINE void libcrux_ml_kem_sampling_sample_from_xof_2b( uint8_t randomness[3U][168U]; libcrux_ml_kem_hash_functions_portable_shake128_squeeze_next_block_f1_c1( &xof_state, randomness); - uint8_t uu____2[3U][168U]; - memcpy(uu____2, randomness, (size_t)3U * sizeof(uint8_t[168U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[3U][168U]; + memcpy(copy_of_randomness, randomness, + (size_t)3U * sizeof(uint8_t[168U])); done = libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_050( - uu____2, sampled_coefficients, out); + copy_of_randomness, sampled_coefficients, out); } } - int16_t uu____3[3U][272U]; - memcpy(uu____3, out, (size_t)3U * sizeof(int16_t[272U])); + /* Passing arrays by value in Rust generates a copy in C */ + int16_t copy_of_out[3U][272U]; + memcpy(copy_of_out, out, (size_t)3U * sizeof(int16_t[272U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - ret0[i] = libcrux_ml_kem_sampling_sample_from_xof_closure_99(uu____3[i]); + ret0[i] = + libcrux_ml_kem_sampling_sample_from_xof_closure_99(copy_of_out[i]); } memcpy( ret, ret0, 
@@ -3957,28 +4097,29 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_sample_matrix_A_23( } for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { size_t i1 = i0; - uint8_t uu____0[34U]; - memcpy(uu____0, seed, (size_t)34U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed[34U]; + memcpy(copy_of_seed, seed, (size_t)34U * sizeof(uint8_t)); uint8_t seeds[3U][34U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(seeds[i], uu____0, (size_t)34U * sizeof(uint8_t)); + memcpy(seeds[i], copy_of_seed, (size_t)34U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; seeds[j][32U] = (uint8_t)i1; seeds[j][33U] = (uint8_t)j; } - uint8_t uu____1[3U][34U]; - memcpy(uu____1, seeds, (size_t)3U * sizeof(uint8_t[34U])); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seeds[3U][34U]; + memcpy(copy_of_seeds, seeds, (size_t)3U * sizeof(uint8_t[34U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sampled[3U]; - libcrux_ml_kem_sampling_sample_from_xof_2b(uu____1, sampled); + libcrux_ml_kem_sampling_sample_from_xof_2b(copy_of_seeds, sampled); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, sampled, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 sample = sampled[j]; 
@@ -4044,9 +4185,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRFxN_1d( for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t, - Eurydice_slice)); + Eurydice_array_to_slice((size_t)128U, out[i0], uint8_t), + Eurydice_array_to_slice((size_t)33U, input[i0], uint8_t)); } memcpy(ret, out, (size_t)3U * sizeof(uint8_t[128U])); } 
@@ -4066,6 +4206,55 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRFxN_f1_89( libcrux_ml_kem_hash_functions_portable_PRFxN_1d(input, ret); } +/** + Given a series of uniformly random bytes in `randomness`, for some number + `eta`, the `sample_from_binomial_distribution_{eta}` functions sample a ring + element from a binomial distribution centered at 0 that uses two sets of `eta` + coin flips. If, for example, `eta = ETA`, each ring coefficient is a value `v` + such such that `v ∈ {-ETA, -ETA + 1, ..., 0, ..., ETA + 1, ETA}` and: + + ```plaintext + - If v < 0, Pr[v] = Pr[-v] + - If v >= 0, Pr[v] = BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / 2 ^ (2 * ETA) + ``` + + The values `v < 0` are mapped to the appropriate `KyberFieldElement`. + + The expected value is: + + ```plaintext + E[X] = (-ETA)Pr[-ETA] + (-(ETA - 1))Pr[-(ETA - 1)] + ... + (ETA - 1)Pr[ETA - 1] + + (ETA)Pr[ETA] = 0 since Pr[-v] = Pr[v] when v < 0. + ``` + + And the variance is: + + ```plaintext + Var(X) = E[(X - E[X])^2] + = E[X^2] + = sum_(v=-ETA to ETA)v^2 * (BINOMIAL_COEFFICIENT(2 * ETA; ETA - v) / + 2^(2 * ETA)) = ETA / 2 + ``` + + This function implements Algorithm 7 of the NIST FIPS 203 + standard, which is reproduced below: + + ```plaintext + Input: byte array B ∈ 𝔹^{64η}. + Output: array f ∈ ℤ₂₅₆. + + b ← BytesToBits(B) + for (i ← 0; i < 256; i++) + x ← ∑(j=0 to η - 1) b[2iη + j] + y ← ∑(j=0 to η - 1) b[2iη + η + j] + f[i] ← x−y mod q + end for + return f + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.sampling.sample_from_binomial_distribution_2 with types 
@@ -4077,24 +4266,22 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_20( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)4U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)4U, - chunk_number * (size_t)4U + (size_t)4U, uint8_t, Eurydice_slice); + chunk_number * (size_t)4U + (size_t)4U, uint8_t); uint32_t random_bits_as_u32 = (((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)3U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 24U; uint32_t even_bits = random_bits_as_u32 & 1431655765U; uint32_t odd_bits = random_bits_as_u32 >> 1U & 1431655765U; @@ -4110,8 +4297,8 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_20( sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_89_6b(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return libcrux_ml_kem_polynomial_from_i16_array_89_6b( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
@@ -4125,21 +4312,19 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_85( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; - i0 < - core_slice___Slice_T___len(randomness, uint8_t, size_t) / (size_t)3U; - i0++) { + i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i0++) { size_t chunk_number = i0; Eurydice_slice byte_chunk = Eurydice_slice_subslice2( randomness, chunk_number * (size_t)3U, - chunk_number * (size_t)3U + (size_t)3U, uint8_t, Eurydice_slice); + chunk_number * (size_t)3U + (size_t)3U, uint8_t); uint32_t random_bits_as_u24 = ((uint32_t)Eurydice_slice_index(byte_chunk, (size_t)0U, uint8_t, - uint8_t *, uint8_t) | + uint8_t *) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)1U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 8U) | (uint32_t)Eurydice_slice_index(byte_chunk, (size_t)2U, uint8_t, - uint8_t *, uint8_t) + uint8_t *) << 16U; uint32_t first_bits = random_bits_as_u24 & 2396745U; uint32_t second_bits = random_bits_as_u24 >> 1U & 2396745U; @@ -4157,8 +4342,8 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_85( sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_89_6b(Eurydice_array_to_slice( - (size_t)256U, sampled_i16s, int16_t, Eurydice_slice)); + return libcrux_ml_kem_polynomial_from_i16_array_89_6b( + Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } /** 
@@ -4188,9 +4373,8 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_13( libcrux_ml_kem_vector_portable_vector_type_PortableVector t = libcrux_ml_kem_vector_portable_multiply_by_constant_0d( re->coefficients[j + step], (int16_t)-1600); - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + re->coefficients[j + step] = libcrux_ml_kem_vector_portable_sub_0d(re->coefficients[j], &t); - re->coefficients[j + step] = uu____0; libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____1 = libcrux_ml_kem_vector_portable_add_0d(re->coefficients[j], &t); re->coefficients[j] = uu____1; @@ -4220,6 +4404,10 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_88( libcrux_ml_kem_polynomial_poly_barrett_reduce_89_2c(re); } +/** + Sample a vector of ring elements from a centered binomial distribution and + convert them into their NTT representations. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4236,11 +4424,12 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7(uint8_t prf_input[33U], for (size_t i = (size_t)0U; i < (size_t)3U; i++) { re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; 
@@ -4251,20 +4440,19 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7(uint8_t prf_input[33U], libcrux_ml_kem_hash_functions_portable_PRFxN_f1_89(prf_inputs, prf_outputs); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = + re_as_ntt[i0] = libcrux_ml_kem_sampling_sample_from_binomial_distribution_66( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, - Eurydice_slice)); - re_as_ntt[i0] = uu____1; + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_88(&re_as_ntt[i0]); } - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_re_as_ntt[3U]; memcpy( - uu____2, re_as_ntt, + copy_of_re_as_ntt, re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_b0 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_re_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; @@ -4284,6 +4472,9 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_da(size_t _i) { return libcrux_ml_kem_polynomial_ZERO_89_39(); } +/** + Sample a vector of ring elements from a centered binomial distribution. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -4300,11 +4491,12 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_2c(uint8_t prf_input[33U], for (size_t i = (size_t)0U; i < (size_t)3U; i++) { error_1[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); uint8_t prf_inputs[3U][33U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - memcpy(prf_inputs[i], uu____0, (size_t)33U * sizeof(uint8_t)); + memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; @@ -4317,17 +4509,17 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_2c(uint8_t prf_input[33U], size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = libcrux_ml_kem_sampling_sample_from_binomial_distribution_66( - Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t, - Eurydice_slice)); + Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); error_1[i0] = uu____1; } - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____2[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_error_1[3U]; memcpy( - uu____2, error_1, + copy_of_error_1, error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); tuple_b0 lit; memcpy( - lit.fst, uu____2, + lit.fst, copy_of_error_1, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); lit.snd = domain_separator; return lit; 
@@ -4342,8 +4534,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_hash_functions_portable_PRF_3a0( Eurydice_slice input, uint8_t ret[128U]) { uint8_t digest[128U] = {0U}; libcrux_sha3_portable_shake256( - Eurydice_array_to_slice((size_t)128U, digest, uint8_t, Eurydice_slice), - input); + Eurydice_array_to_slice((size_t)128U, digest, uint8_t), input); memcpy(ret, digest, (size_t)128U * sizeof(uint8_t)); } @@ -4401,6 +4592,9 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_89_08( } } +/** + Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_vector_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4417,22 +4611,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_a1( result[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, a_as_ntt, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = a_as_ntt[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *a_element = &row[j]; 
@@ -4482,7 +4674,7 @@ libcrux_ml_kem_serialize_deserialize_then_decompress_message_f6( libcrux_ml_kem_vector_portable_deserialize_1_0d( Eurydice_array_to_subslice2(serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = libcrux_ml_kem_vector_traits_decompress_1_89(coefficient_compressed); re.coefficients[i0] = uu____0; @@ -4524,6 +4716,9 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_89_8b( return result; } +/** + Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_ring_element_v with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -4605,12 +4800,9 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_3b( uint8_t bytes[20U]; libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)20U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)20U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } 
@@ -4669,12 +4861,9 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_e1( uint8_t bytes[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)22U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)22U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)320U * sizeof(uint8_t)); } @@ -4694,6 +4883,9 @@ libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_2f( memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); } +/** + Call [`compress_then_serialize_ring_element_u`] on each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -4707,26 +4899,22 @@ static inline void libcrux_ml_kem_ind_cpa_compress_then_serialize_u_24( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 input[3U], Eurydice_slice out) { for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, input, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = input[i0]; Eurydice_slice uu____0 = Eurydice_slice_subslice2( out, i0 * ((size_t)960U / (size_t)3U), - (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t, - Eurydice_slice); + (i0 + (size_t)1U) * ((size_t)960U / (size_t)3U), uint8_t); uint8_t ret[320U]; libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_2f(&re, ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)320U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)320U, ret, uint8_t), uint8_t); } } @@ -4783,12 +4971,10 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_e5( re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)8U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_array_to_slice((size_t)8U, bytes, uint8_t), uint8_t); } } 
@@ -4845,12 +5031,10 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_a3( re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)10U * i0, - (size_t)10U * i0 + (size_t)10U, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)10U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + (size_t)10U * i0 + (size_t)10U, uint8_t), + Eurydice_array_to_slice((size_t)10U, bytes, uint8_t), uint8_t); } } @@ -4867,6 +5051,47 @@ libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_31( libcrux_ml_kem_serialize_compress_then_serialize_4_e5(re, out); } +/** + This function implements Algorithm 13 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. + + Algorithm 13 is reproduced below: + + ```plaintext + Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Input: message m ∈ 𝔹^{32}. + Input: encryption randomness r ∈ 𝔹^{32}. + Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. + + N ← 0 + t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) + ρ ← ekₚₖₑ[384k: 384k + 32] + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + N ← N + 1 + end for + e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) + r̂ ← NTT(r) + u ← NTT-¹(Âᵀ ◦ r̂) + e₁ + μ ← Decompress₁(ByteDecode₁(m))) + v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ + c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) + c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) + return c ← (c₁ ‖ c₂) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -4890,19 +5115,21 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c( uint8_t message[32U], Eurydice_slice randomness, uint8_t ret[1088U]) { uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(randomness, prf_input); - uint8_t uu____0[33U]; - memcpy(uu____0, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b0 uu____1 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7(uu____0, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b0 uu____1 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7( + copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 r_as_ntt[3U]; memcpy( r_as_ntt, uu____1.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator0 = uu____1.snd; - uint8_t uu____2[33U]; - memcpy(uu____2, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); tuple_b0 uu____3 = libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_2c( - uu____2, domain_separator0); + copy_of_prf_input, domain_separator0); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_1[3U]; memcpy( error_1, uu____3.fst, 
@@ -4911,19 +5138,19 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c( prf_input[32U] = domain_separator; uint8_t prf_output[128U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_040( - Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t, Eurydice_slice), - prf_output); + Eurydice_array_to_slice((size_t)33U, prf_input, uint8_t), prf_output); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_2 = libcrux_ml_kem_sampling_sample_from_binomial_distribution_66( - Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t, - Eurydice_slice)); + Eurydice_array_to_slice((size_t)128U, prf_output, uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 u[3U]; libcrux_ml_kem_matrix_compute_vector_u_a1(public_key->A, r_as_ntt, error_1, u); - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message_f6(uu____4); + libcrux_ml_kem_serialize_deserialize_then_decompress_message_f6( + copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 v = libcrux_ml_kem_matrix_compute_ring_element_v_1f( public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); 
@@ -4934,12 +5161,11 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_compress_then_serialize_u_24( uu____5, Eurydice_array_to_subslice2(ciphertext, (size_t)0U, (size_t)960U, - uint8_t, Eurydice_slice)); + uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____6 = v; libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_31( - uu____6, - Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, (size_t)960U, - uint8_t, size_t, Eurydice_slice)); + uu____6, Eurydice_array_to_subslice_from((size_t)1088U, ciphertext, + (size_t)960U, uint8_t, size_t)); memcpy(ret, ciphertext, (size_t)1088U * sizeof(uint8_t)); } 
@@ -4967,46 +5193,49 @@ static inline void libcrux_ml_kem_ind_cpa_encrypt_0d(Eurydice_slice public_key, uint8_t ret[1088U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 t_as_ntt[3U]; libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_72( - Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t, - Eurydice_slice), + Eurydice_slice_subslice_to(public_key, (size_t)1152U, uint8_t, size_t), t_as_ntt); - Eurydice_slice seed = Eurydice_slice_subslice_from( - public_key, (size_t)1152U, uint8_t, size_t, Eurydice_slice); + Eurydice_slice seed = + Eurydice_slice_subslice_from(public_key, (size_t)1152U, uint8_t, size_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[3U][3U]; uint8_t ret0[34U]; libcrux_ml_kem_utils_into_padded_array_2d1(seed, ret0); libcrux_ml_kem_matrix_sample_matrix_A_23(ret0, false, A); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U], void *); + Eurydice_slice_to_array2(&dst, seed, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[3U]; memcpy( - uu____0, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1[3U][3U]; - memcpy(uu____1, A, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A[3U][3U]; + memcpy(copy_of_A, A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); - uint8_t uu____2[32U]; - memcpy(uu____2, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * 
sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 public_key_unpacked; memcpy( - public_key_unpacked.t_as_ntt, uu____0, + public_key_unpacked.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(public_key_unpacked.seed_for_A, uu____2, + memcpy(public_key_unpacked.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); - memcpy(public_key_unpacked.A, uu____1, + memcpy(public_key_unpacked.A, copy_of_A, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 *uu____3 = &public_key_unpacked; - uint8_t uu____4[32U]; - memcpy(uu____4, message, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_message[32U]; + memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); uint8_t ret1[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c(uu____3, uu____4, randomness, - ret1); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c(uu____3, copy_of_message, + randomness, ret1); memcpy(ret, ret1, (size_t)1088U * sizeof(uint8_t)); } @@ -5021,14 +5250,12 @@ with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_43_cc( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_43_02( Eurydice_slice shared_secret, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - shared_secret, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, shared_secret, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -5053,42 +5280,39 @@ libcrux_ml_kem_ind_cca_MlKem with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static inline void libcrux_ml_kem_ind_cca_decapsulate_88( +static inline void libcrux_ml_kem_ind_cca_decapsulate_c4( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t), (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_39(ind_cpa_secret_key, ciphertext->value, + libcrux_ml_kem_ind_cpa_decrypt_06(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, 
LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable_G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -5097,37 +5321,38 @@ static inline void libcrux_ml_kem_ind_cca_decapsulate_88( libcrux_ml_kem_utils_into_padded_array_2d0(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_47(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_04( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_0d(uu____5, uu____6, pseudorandomness, - expected_ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_0d(uu____5, copy_of_decrypted, + pseudorandomness, expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_ind_cca_kdf_43_cc( + libcrux_ml_kem_ind_cca_kdf_43_02( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), + uint8_t), ciphertext, implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - libcrux_ml_kem_ind_cca_kdf_43_cc(shared_secret0, ciphertext, shared_secret1); + libcrux_ml_kem_ind_cca_kdf_43_02(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_47(ciphertext), - 
Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } /** @@ -5151,16 +5376,23 @@ libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate with const generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ static inline void -libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_3e( +libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_5b( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_88(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_c4(private_key, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ static inline void libcrux_ml_kem_mlkem768_portable_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_3e( + libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_5b( private_key, ciphertext, ret); } 
@@ -5220,70 +5452,70 @@ generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static inline void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_92( +static inline void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_ab( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_unpacked_41( + libcrux_ml_kem_ind_cpa_decrypt_unpacked_34( &key_pair->private_key.ind_cpa_private_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + uint8_t, size_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)32U, key_pair->public_key.public_key_hash, - uint8_t, Eurydice_slice), - uint8_t, void *); + uint8_t), + uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable_G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; uint8_t to_hash[1120U]; libcrux_ml_kem_utils_into_padded_array_2d0( - Eurydice_array_to_slice((size_t)32U, - 
key_pair->private_key.implicit_rejection_value, - uint8_t, Eurydice_slice), + Eurydice_array_to_slice( + (size_t)32U, key_pair->private_key.implicit_rejection_value, uint8_t), to_hash); Eurydice_slice uu____2 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____2, libcrux_ml_kem_types_as_ref_ba_47(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____2, libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret[32U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_04( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), implicit_rejection_shared_secret); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 *uu____3 = &key_pair->public_key.ind_cpa_public_key; - uint8_t uu____4[32U]; - memcpy(uu____4, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c(uu____3, uu____4, pseudorandomness, - expected_ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c( + uu____3, copy_of_decrypted, pseudorandomness, expected_ciphertext); uint8_t selector = libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_47(ciphertext), - Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice)); + libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t)); uint8_t ret0[32U]; libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time( shared_secret, Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - 
uint8_t, Eurydice_slice), + uint8_t), selector, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.decapsulate_unpacked with const @@ -5306,17 +5538,24 @@ generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ static inline void -libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_unpacked_63( +libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_unpacked_9d( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_92(key_pair, ciphertext, + libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_ab(key_pair, ciphertext, ret); } +/** + Decapsulate ML-KEM 768 (unpacked) + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an unpacked key pair of type + [`MlKem768KeyPairUnpacked`] and an [`MlKem768Ciphertext`]. +*/ static inline void libcrux_ml_kem_mlkem768_portable_decapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_unpacked_63( + libcrux_ml_kem_ind_cca_instantiations_portable_decapsulate_unpacked_9d( private_key, ciphertext, ret); } 
@@ -5330,13 +5569,11 @@ with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_43_ad( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_43_ac( Eurydice_slice randomness, uint8_t ret[32U]) { - uint8_t out[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), - randomness, uint8_t, void *); - memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); + core_result_Result_00 dst; + Eurydice_slice_to_array2(&dst, randomness, Eurydice_slice, uint8_t[32U]); + core_result_unwrap_41_83(dst, ret); } /** 
@@ -5376,59 +5613,57 @@ static inline tuple_3c libcrux_ml_kem_ind_cca_encapsulate_44( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - libcrux_ml_kem_ind_cca_entropy_preprocess_43_ad( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + libcrux_ml_kem_ind_cca_entropy_preprocess_43_ac( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_2e( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable_G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = 
Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_0d(uu____2, uu____3, pseudorandomness, - ciphertext); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + libcrux_ml_kem_ind_cpa_encrypt_0d(uu____2, copy_of_randomness, + pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f5(uu____4); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - libcrux_ml_kem_ind_cca_kdf_43_cc(shared_secret, &ciphertext0, + libcrux_ml_kem_ind_cca_kdf_43_02(shared_secret, &ciphertext0, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_3c lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_3c result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } /** 
@@ -5449,23 +5684,32 @@ libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate with const generics - ETA2_RANDOMNESS_SIZE= 128 */ static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_67( +libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_4d( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_44(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_44(uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ static inline tuple_3c libcrux_ml_kem_mlkem768_portable_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_67(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_4d( + uu____0, copy_of_randomness); } /** 
@@ -5487,55 +5731,58 @@ generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -static inline tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_54( +static inline tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_15( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]) { uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, public_key->public_key_hash, uint8_t, - Eurydice_slice), - uint8_t, void *); + size_t); + Eurydice_slice_copy(uu____0, + Eurydice_array_to_slice( + (size_t)32U, public_key->public_key_hash, uint8_t), + uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable_G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 *uu____2 = &public_key->ind_cpa_public_key; - uint8_t uu____3[32U]; - memcpy(uu____3, randomness, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, 
randomness, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c(uu____2, uu____3, pseudorandomness, - ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_unpacked_6c(uu____2, copy_of_randomness, + pseudorandomness, ciphertext); uint8_t shared_secret_array[32U] = {0U}; - core_slice___Slice_T___copy_from_slice( - Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t, - Eurydice_slice), - shared_secret, uint8_t, void *); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + Eurydice_slice_copy( + Eurydice_array_to_slice((size_t)32U, shared_secret_array, uint8_t), + shared_secret, uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = - libcrux_ml_kem_types_from_15_f5(uu____4); - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); tuple_3c lit; lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_shared_secret_array, (size_t)32U * sizeof(uint8_t)); return lit; } +/** + Portable encapsualte +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.encapsulate_unpacked with const 
@@ -5555,26 +5802,36 @@ generics - ETA2_RANDOMNESS_SIZE= 128 */ static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_unpacked_ff( +libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_unpacked_84( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_54(uu____0, - uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_15( + uu____0, copy_of_randomness); } +/** + Encapsulate ML-KEM 768 (unpacked) + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an unpacked public key of type + [`MlKem768PublicKeyUnpacked`], the SHA3-256 hash of this public key, and + [`SHARED_SECRET_SIZE`] bytes of `randomness`. +*/ static inline tuple_3c libcrux_ml_kem_mlkem768_portable_encapsulate_unpacked( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_f8 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_unpacked_ff( - uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_portable_encapsulate_unpacked_84( + uu____0, copy_of_randomness); } /** 
@@ -5643,6 +5900,9 @@ libcrux_ml_kem_polynomial_add_standard_error_reduce_89_99( } } +/** + Compute  ◦ ŝ + ê +*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5659,22 +5919,20 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_da( result[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } for (size_t i0 = (size_t)0U; - i0 < core_slice___Slice_T___len( + i0 < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, matrix_A, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U], size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U]); i0++) { size_t i1 = i0; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *row = matrix_A[i1]; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, row, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *matrix_element = 
@@ -5693,6 +5951,47 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_da( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); } +/** + This function implements most of Algorithm 12 of the + NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation + algorithm. + + We say "most of" since Algorithm 12 samples the required randomness within + the function itself, whereas this implementation expects it to be provided + through the `key_generation_seed` parameter. + + Algorithm 12 is reproduced below: + + ```plaintext + Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. + Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. + + d ←$ B + (ρ,σ) ← G(d) + N ← 0 + for (i ← 0; i < k; i++) + for(j ← 0; j < k; j++) + Â[i,j] ← SampleNTT(XOF(ρ, i, j)) + end for + end for + for(i ← 0; i < k; i++) + s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) + N ← N + 1 + end for + for(i ← 0; i < k; i++) + e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) + N ← N + 1 + end for + ŝ ← NTT(s) + ê ← NTT(e) + t̂ ← Â◦ŝ + ê + ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ + dkₚₖₑ ← ByteEncode₁₂(ŝ) + ``` + + The NIST FIPS 203 standard can be found at + . +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -5706,9 +6005,9 @@ static inline tuple_9b libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_f4( Eurydice_slice key_generation_seed) { uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable_G_f1_b6(key_generation_seed, hashed); - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), - (size_t)32U, uint8_t, Eurydice_slice_uint8_t_x2); + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), (size_t)32U, + uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice seed_for_A0 = uu____0.fst; Eurydice_slice seed_for_secret_and_error = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A_transpose[3U][3U]; 
@@ -5718,21 +6017,23 @@ static inline tuple_9b libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_f4( uint8_t prf_input[33U]; libcrux_ml_kem_utils_into_padded_array_2d2(seed_for_secret_and_error, prf_input); - uint8_t uu____1[33U]; - memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); - tuple_b0 uu____2 = - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7(uu____1, 0U); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input0[33U]; + memcpy(copy_of_prf_input0, prf_input, (size_t)33U * sizeof(uint8_t)); + tuple_b0 uu____2 = libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7( + copy_of_prf_input0, 0U); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 secret_as_ntt[3U]; memcpy( secret_as_ntt, uu____2.fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); uint8_t domain_separator = uu____2.snd; - uint8_t uu____3[33U]; - memcpy(uu____3, prf_input, (size_t)33U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_prf_input[33U]; + memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 error_as_ntt[3U]; memcpy( error_as_ntt, - libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7(uu____3, + libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_d7(copy_of_prf_input, domain_separator) .fst, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); 
@@ -5741,34 +6042,38 @@ static inline tuple_9b libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_f4( error_as_ntt, t_as_ntt); uint8_t seed_for_A[32U]; core_result_Result_00 dst; - Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U], - void *); + Eurydice_slice_to_array2(&dst, seed_for_A0, Eurydice_slice, uint8_t[32U]); core_result_unwrap_41_83(dst, seed_for_A); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____4[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_t_as_ntt[3U]; memcpy( - uu____4, t_as_ntt, + copy_of_t_as_ntt, t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____5[3U][3U]; - memcpy(uu____5, A_transpose, + /* Passing arrays by value in Rust generates a copy in C */ + libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_A_transpose[3U] + [3U]; + memcpy(copy_of_A_transpose, A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); - uint8_t uu____6[32U]; - memcpy(uu____6, seed_for_A, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_seed_for_A[32U]; + memcpy(copy_of_seed_for_A, seed_for_A, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 pk; memcpy( - pk.t_as_ntt, uu____4, + pk.t_as_ntt, copy_of_t_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); - memcpy(pk.seed_for_A, uu____6, (size_t)32U * sizeof(uint8_t)); - memcpy(pk.A, uu____5, + memcpy(pk.seed_for_A, copy_of_seed_for_A, (size_t)32U * sizeof(uint8_t)); + memcpy(pk.A, copy_of_A_transpose, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0[3U])); - libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____7[3U]; + /* Passing arrays by value in Rust generates a copy in C */ + 
libcrux_ml_kem_polynomial_PolynomialRingElement_f0 copy_of_secret_as_ntt[3U]; memcpy( - uu____7, secret_as_ntt, + copy_of_secret_as_ntt, secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 sk; memcpy( - sk.secret_as_ntt, uu____7, + sk.secret_as_ntt, copy_of_secret_as_ntt, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f0)); return (CLITERAL(tuple_9b){.fst = sk, .snd = pk}); } @@ -5792,16 +6097,16 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_f6( uint8_t bytes[24U]; libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t, - Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)24U, bytes, uint8_t, Eurydice_slice), - uint8_t, void *); + serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); } +/** + Call [`serialize_uncompressed_ring_element`] for each ring element. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -5814,29 +6119,29 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_secret_key_f8( uint8_t ret[1152U]) { uint8_t out[1152U] = {0U}; for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len( + i < Eurydice_slice_len( Eurydice_array_to_slice( (size_t)3U, key, - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, - Eurydice_slice), - libcrux_ml_kem_polynomial_PolynomialRingElement_f0, size_t); + libcrux_ml_kem_polynomial_PolynomialRingElement_f0), + libcrux_ml_kem_polynomial_PolynomialRingElement_f0); i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 re = key[i0]; Eurydice_slice uu____0 = Eurydice_array_to_subslice2( out, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); uint8_t ret0[384U]; libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_f6(&re, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)384U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } +/** + Concatenate `t` and `ρ` into the public key. +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -5849,20 +6154,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_80( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *t_as_ntt, Eurydice_slice seed_for_a, uint8_t ret[1184U]) { uint8_t public_key_serialized[1184U] = {0U}; - Eurydice_slice uu____0 = - Eurydice_array_to_subslice2(public_key_serialized, (size_t)0U, - (size_t)1152U, uint8_t, Eurydice_slice); + Eurydice_slice uu____0 = Eurydice_array_to_subslice2( + public_key_serialized, (size_t)0U, (size_t)1152U, uint8_t); uint8_t ret0[1152U]; libcrux_ml_kem_ind_cpa_serialize_secret_key_f8(t_as_ntt, ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)1152U, ret0, uint8_t), uint8_t); + Eurydice_slice_copy( Eurydice_array_to_subslice_from((size_t)1184U, public_key_serialized, - (size_t)1152U, uint8_t, size_t, - Eurydice_slice), - seed_for_a, uint8_t, void *); + (size_t)1152U, uint8_t, size_t), + seed_for_a, uint8_t); memcpy(ret, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); } 
@@ -5886,20 +6187,24 @@ libcrux_ml_kem_ind_cpa_generate_keypair_ec(Eurydice_slice key_generation_seed) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 pk = uu____0.snd; uint8_t public_key_serialized[1184U]; libcrux_ml_kem_ind_cpa_serialize_public_key_80( - pk.t_as_ntt, - Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t, - Eurydice_slice), + pk.t_as_ntt, Eurydice_array_to_slice((size_t)32U, pk.seed_for_A, uint8_t), public_key_serialized); uint8_t secret_key_serialized[1152U]; libcrux_ml_kem_ind_cpa_serialize_secret_key_f8(sk.secret_as_ntt, secret_key_serialized); - uint8_t uu____1[1152U]; - memcpy(uu____1, secret_key_serialized, (size_t)1152U * sizeof(uint8_t)); - uint8_t uu____2[1184U]; - memcpy(uu____2, public_key_serialized, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[1152U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_serialized[1184U]; + memcpy(copy_of_public_key_serialized, public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); libcrux_ml_kem_utils_extraction_helper_Keypair768 lit; - memcpy(lit.fst, uu____1, (size_t)1152U * sizeof(uint8_t)); - memcpy(lit.snd, uu____2, (size_t)1184U * sizeof(uint8_t)); + memcpy(lit.fst, copy_of_secret_key_serialized, + (size_t)1152U * sizeof(uint8_t)); + memcpy(lit.snd, copy_of_public_key_serialized, + (size_t)1184U * sizeof(uint8_t)); return lit; } 
@@ -5918,43 +6223,37 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_a8( uint8_t *uu____0 = out; size_t uu____1 = pointer; size_t uu____2 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____0, uu____1, - uu____2 + core_slice___Slice_T___len(private_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - private_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(private_key, uint8_t, size_t); + uu____0, uu____1, uu____2 + Eurydice_slice_len(private_key, uint8_t), + uint8_t), + private_key, uint8_t); + pointer = pointer + Eurydice_slice_len(private_key, uint8_t); uint8_t *uu____3 = out; size_t uu____4 = pointer; size_t uu____5 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( Eurydice_array_to_subslice2( - uu____3, uu____4, - uu____5 + core_slice___Slice_T___len(public_key, uint8_t, size_t), - uint8_t, Eurydice_slice), - public_key, uint8_t, void *); - pointer = pointer + core_slice___Slice_T___len(public_key, uint8_t, size_t); + uu____3, uu____4, uu____5 + Eurydice_slice_len(public_key, uint8_t), + uint8_t), + public_key, uint8_t); + pointer = pointer + Eurydice_slice_len(public_key, uint8_t); Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - Eurydice_slice); + out, pointer, pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t); uint8_t ret0[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_2e(public_key, ret0); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____6, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); pointer = pointer + LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE; uint8_t *uu____7 = out; size_t uu____8 = pointer; size_t uu____9 = pointer; - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_copy( 
Eurydice_array_to_subslice2( uu____7, uu____8, - uu____9 + core_slice___Slice_T___len(implicit_rejection_value, - uint8_t, size_t), - uint8_t, Eurydice_slice), - implicit_rejection_value, uint8_t, void *); + uu____9 + Eurydice_slice_len(implicit_rejection_value, uint8_t), + uint8_t), + implicit_rejection_value, uint8_t); memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } @@ -5975,12 +6274,11 @@ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_ind_cca_generate_keypair_c2(uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); libcrux_ml_kem_utils_extraction_helper_Keypair768 uu____0 = libcrux_ml_kem_ind_cpa_generate_keypair_ec(ind_cpa_keypair_randomness); uint8_t ind_cpa_private_key[1152U]; 
@@ -5989,20 +6287,21 @@ libcrux_ml_kem_ind_cca_generate_keypair_c2(uint8_t randomness[64U]) { memcpy(public_key, uu____0.snd, (size_t)1184U * sizeof(uint8_t)); uint8_t secret_key_serialized[2400U]; libcrux_ml_kem_ind_cca_serialize_kem_secret_key_a8( - Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1152U, ind_cpa_private_key, uint8_t), + Eurydice_array_to_slice((size_t)1184U, public_key, uint8_t), implicit_rejection_value, secret_key_serialized); - uint8_t uu____1[2400U]; - memcpy(uu____1, secret_key_serialized, (size_t)2400U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_secret_key_serialized[2400U]; + memcpy(copy_of_secret_key_serialized, secret_key_serialized, + (size_t)2400U * sizeof(uint8_t)); libcrux_ml_kem_types_MlKemPrivateKey_55 private_key = - libcrux_ml_kem_types_from_e7_a7(uu____1); + libcrux_ml_kem_types_from_e7_a7(copy_of_secret_key_serialized); libcrux_ml_kem_types_MlKemPrivateKey_55 uu____2 = private_key; - uint8_t uu____3[1184U]; - memcpy(uu____3, public_key, (size_t)1184U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key[1184U]; + memcpy(copy_of_public_key, public_key, (size_t)1184U * sizeof(uint8_t)); return libcrux_ml_kem_types_from_64_c9( - uu____2, libcrux_ml_kem_types_from_07_4c(uu____3)); + uu____2, libcrux_ml_kem_types_from_07_4c(copy_of_public_key)); } /** 
@@ -6020,17 +6319,22 @@ generics static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ff( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_generate_keypair_c2(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_generate_keypair_c2(copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair +*/ static inline libcrux_ml_kem_mlkem768_MlKem768KeyPair libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_ff( - uu____0); + copy_of_randomness); } /** @@ -6048,7 +6352,7 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_closure_e0( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_closure_ac( size_t _j) { return libcrux_ml_kem_polynomial_ZERO_89_39(); } @@ -6068,7 +6372,7 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ static inline void -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_b0( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_52( size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_f0 ret[3U]) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { ret[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); 
@@ -6086,7 +6390,7 @@ with const generics */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f0 -libcrux_ml_kem_polynomial_clone_d5_75( +libcrux_ml_kem_polynomial_clone_d5_f7( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f0 lit; libcrux_ml_kem_vector_portable_vector_type_PortableVector ret[16U]; @@ -6114,16 +6418,15 @@ generics - ETA1_RANDOMNESS_SIZE= 128 */ static inline libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_d4( +libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_e6( uint8_t randomness[64U]) { Eurydice_slice ind_cpa_keypair_randomness = Eurydice_array_to_subslice2( randomness, (size_t)0U, - LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - Eurydice_slice); + LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t); Eurydice_slice implicit_rejection_value0 = Eurydice_array_to_subslice_from( (size_t)64U, randomness, LIBCRUX_ML_KEM_CONSTANTS_CPA_PKE_KEY_GENERATION_SEED_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); tuple_9b uu____0 = libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_f4( ind_cpa_keypair_randomness); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 @@ -6132,7 +6435,7 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_d4( ind_cpa_public_key = uu____0.snd; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 A[3U][3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_b0(i, + libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_closure_52(i, A[i]); } for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { 
@@ -6140,7 +6443,7 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_d4( for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____1 = - libcrux_ml_kem_polynomial_clone_d5_75(&ind_cpa_public_key.A[j][i1]); + libcrux_ml_kem_polynomial_clone_d5_f7(&ind_cpa_public_key.A[j][i1]); A[i1][j] = uu____1; } } 
@@ -6155,38 +6458,44 @@ libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_d4( libcrux_ml_kem_ind_cpa_serialize_public_key_80( ind_cpa_public_key.t_as_ntt, Eurydice_array_to_slice((size_t)32U, ind_cpa_public_key.seed_for_A, - uint8_t, Eurydice_slice), + uint8_t), pk_serialized); uint8_t public_key_hash[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_2e( - Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t, - Eurydice_slice), + Eurydice_array_to_slice((size_t)1184U, pk_serialized, uint8_t), public_key_hash); uint8_t implicit_rejection_value[32U]; core_result_Result_00 dst; Eurydice_slice_to_array2(&dst, implicit_rejection_value0, Eurydice_slice, - uint8_t[32U], void *); + uint8_t[32U]); core_result_unwrap_41_83(dst, implicit_rejection_value); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_f8 uu____3 = ind_cpa_private_key; - uint8_t uu____4[32U]; - memcpy(uu____4, implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_implicit_rejection_value[32U]; + memcpy(copy_of_implicit_rejection_value, implicit_rejection_value, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_f8 uu____5; uu____5.ind_cpa_private_key = uu____3; - memcpy(uu____5.implicit_rejection_value, uu____4, + memcpy(uu____5.implicit_rejection_value, copy_of_implicit_rejection_value, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_f8 uu____6 = ind_cpa_public_key; - uint8_t uu____7[32U]; - memcpy(uu____7, public_key_hash, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_public_key_hash[32U]; + memcpy(copy_of_public_key_hash, public_key_hash, + (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 lit; lit.private_key = uu____5; lit.public_key.ind_cpa_public_key = uu____6; - memcpy(lit.public_key.public_key_hash, uu____7, + 
memcpy(lit.public_key.public_key_hash, copy_of_public_key_hash, (size_t)32U * sizeof(uint8_t)); return lit; } +/** + Unpacked API +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.generate_keypair_unpacked with @@ -6200,20 +6509,26 @@ const generics - ETA1_RANDOMNESS_SIZE= 128 */ static inline libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 -libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_unpacked_b4( +libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_unpacked_6a( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_d4(uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_e6( + copy_of_randomness); } +/** + Generate ML-KEM 768 Key Pair in "unpacked" form +*/ static inline libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_f8 libcrux_ml_kem_mlkem768_portable_generate_key_pair_unpacked( uint8_t randomness[64U]) { - uint8_t uu____0[64U]; - memcpy(uu____0, randomness, (size_t)64U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_unpacked_b4( - uu____0); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[64U]; + memcpy(copy_of_randomness, randomness, (size_t)64U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_portable_generate_keypair_unpacked_6a( + copy_of_randomness); } /** 
@@ -6227,28 +6542,25 @@ with const generics - K= 3 - CIPHERTEXT_SIZE= 1088 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_6c_72( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_kdf_6c_d2( Eurydice_slice shared_secret, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { uint8_t kdf_input[64U]; libcrux_ml_kem_utils_into_padded_array_2d(shared_secret, kdf_input); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, kdf_input, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret0[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_2e( Eurydice_array_to_slice((size_t)1088U, - libcrux_ml_kem_types_as_slice_a8_8a(ciphertext), - uint8_t, Eurydice_slice), + libcrux_ml_kem_types_as_slice_a8_63(ciphertext), + uint8_t), ret0); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret0, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret0, uint8_t), uint8_t); uint8_t ret1[32U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_04( - Eurydice_array_to_slice((size_t)64U, kdf_input, uint8_t, Eurydice_slice), - ret1); + Eurydice_array_to_slice((size_t)64U, kdf_input, uint8_t), ret1); memcpy(ret, ret1, (size_t)32U * sizeof(uint8_t)); } 
@@ -6274,42 +6586,39 @@ libcrux_ml_kem_ind_cca_Kyber with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -static inline void libcrux_ml_kem_ind_cca_decapsulate_880( +static inline void libcrux_ml_kem_ind_cca_decapsulate_c40( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t, - Eurydice_slice), + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)2400U, private_key->value, uint8_t), (size_t)1152U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_secret_key = uu____0.fst; Eurydice_slice secret_key0 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( secret_key0, (size_t)1184U, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key = uu____1.fst; Eurydice_slice secret_key = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at( secret_key, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice ind_cpa_public_key_hash = uu____2.fst; Eurydice_slice implicit_rejection_value = uu____2.snd; uint8_t decrypted[32U]; - libcrux_ml_kem_ind_cpa_decrypt_39(ind_cpa_secret_key, ciphertext->value, + libcrux_ml_kem_ind_cpa_decrypt_06(ind_cpa_secret_key, ciphertext->value, decrypted); uint8_t to_hash0[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t, Eurydice_slice), - to_hash0); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, decrypted, uint8_t), to_hash0); + Eurydice_slice_copy( Eurydice_array_to_subslice_from( (size_t)64U, to_hash0, 
LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice), - ind_cpa_public_key_hash, uint8_t, void *); + uint8_t, size_t), + ind_cpa_public_key_hash, uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable_G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash0, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret0 = uu____3.fst; 
@@ -6318,39 +6627,43 @@ static inline void libcrux_ml_kem_ind_cca_decapsulate_880( libcrux_ml_kem_utils_into_padded_array_2d0(implicit_rejection_value, to_hash); Eurydice_slice uu____4 = Eurydice_array_to_subslice_from( (size_t)1120U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, - uint8_t, size_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, libcrux_ml_kem_types_as_ref_ba_47(ciphertext), uint8_t, void *); + uint8_t, size_t); + Eurydice_slice_copy(uu____4, libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + uint8_t); uint8_t implicit_rejection_shared_secret0[32U]; libcrux_ml_kem_hash_functions_portable_PRF_f1_04( - Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)1120U, to_hash, uint8_t), implicit_rejection_shared_secret0); Eurydice_slice uu____5 = ind_cpa_public_key; - uint8_t uu____6[32U]; - memcpy(uu____6, decrypted, (size_t)32U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_decrypted[32U]; + memcpy(copy_of_decrypted, decrypted, (size_t)32U * sizeof(uint8_t)); uint8_t expected_ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_0d(uu____5, uu____6, pseudorandomness, - expected_ciphertext); + libcrux_ml_kem_ind_cpa_encrypt_0d(uu____5, copy_of_decrypted, + pseudorandomness, expected_ciphertext); uint8_t implicit_rejection_shared_secret[32U]; - libcrux_ml_kem_ind_cca_kdf_6c_72( + libcrux_ml_kem_ind_cca_kdf_6c_d2( Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret0, - uint8_t, Eurydice_slice), + uint8_t), ciphertext, implicit_rejection_shared_secret); uint8_t shared_secret1[32U]; - libcrux_ml_kem_ind_cca_kdf_6c_72(shared_secret0, ciphertext, shared_secret1); + libcrux_ml_kem_ind_cca_kdf_6c_d2(shared_secret0, ciphertext, shared_secret1); uint8_t shared_secret[32U]; libcrux_ml_kem_constant_time_ops_compare_ciphertexts_select_shared_secret_in_constant_time( - libcrux_ml_kem_types_as_ref_ba_47(ciphertext), - 
Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t, - Eurydice_slice), - Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t, - Eurydice_slice), + libcrux_ml_kem_types_as_ref_ba_9f(ciphertext), + Eurydice_array_to_slice((size_t)1088U, expected_ciphertext, uint8_t), + Eurydice_array_to_slice((size_t)32U, shared_secret1, uint8_t), Eurydice_array_to_slice((size_t)32U, implicit_rejection_shared_secret, - uint8_t, Eurydice_slice), + uint8_t), shared_secret); - memcpy(ret, shared_secret, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, shared_secret, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } +/** + Portable decapsulate +*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.kyber_decapsulate with const @@ -6373,16 +6686,23 @@ generics - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ static inline void -libcrux_ml_kem_ind_cca_instantiations_portable_kyber_decapsulate_9f( +libcrux_ml_kem_ind_cca_instantiations_portable_kyber_decapsulate_7f( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_decapsulate_880(private_key, ciphertext, ret); + libcrux_ml_kem_ind_cca_decapsulate_c40(private_key, ciphertext, ret); } +/** + Decapsulate Kyber 768 + + Generates an [`MlKemSharedSecret`]. + The input is a reference to an [`MlKem768PrivateKey`] and an + [`MlKem768Ciphertext`]. +*/ static inline void libcrux_ml_kem_mlkem768_portable_kyber_decapsulate( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]) { - libcrux_ml_kem_ind_cca_instantiations_portable_kyber_decapsulate_9f( + libcrux_ml_kem_ind_cca_instantiations_portable_kyber_decapsulate_7f( private_key, ciphertext, ret); } 
@@ -6396,7 +6716,7 @@ with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]] with const generics - K= 3 */ -static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_6c_f0( +static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_entropy_preprocess_6c_c1( Eurydice_slice randomness, uint8_t ret[32U]) { libcrux_ml_kem_hash_functions_portable_H_f1_2e(randomness, ret); } 
@@ -6424,61 +6744,62 @@ static inline tuple_3c libcrux_ml_kem_ind_cca_encapsulate_440( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { uint8_t randomness0[32U]; - libcrux_ml_kem_ind_cca_entropy_preprocess_6c_f0( - Eurydice_array_to_slice((size_t)32U, randomness, uint8_t, Eurydice_slice), - randomness0); + libcrux_ml_kem_ind_cca_entropy_preprocess_6c_c1( + Eurydice_array_to_slice((size_t)32U, randomness, uint8_t), randomness0); uint8_t to_hash[64U]; libcrux_ml_kem_utils_into_padded_array_2d( - Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t, - Eurydice_slice), - to_hash); + Eurydice_array_to_slice((size_t)32U, randomness0, uint8_t), to_hash); Eurydice_slice uu____0 = Eurydice_array_to_subslice_from( (size_t)64U, to_hash, LIBCRUX_ML_KEM_CONSTANTS_H_DIGEST_SIZE, uint8_t, - size_t, Eurydice_slice); + size_t); uint8_t ret[32U]; libcrux_ml_kem_hash_functions_portable_H_f1_2e( Eurydice_array_to_slice((size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), - uint8_t, Eurydice_slice), + uint8_t), ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)32U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)32U, ret, uint8_t), uint8_t); uint8_t hashed[64U]; libcrux_ml_kem_hash_functions_portable_G_f1_b6( - Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t, Eurydice_slice), - hashed); - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at( - Eurydice_array_to_slice((size_t)64U, hashed, uint8_t, Eurydice_slice), + Eurydice_array_to_slice((size_t)64U, to_hash, uint8_t), hashed); + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at( + Eurydice_array_to_slice((size_t)64U, hashed, uint8_t), LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice shared_secret = uu____1.fst; Eurydice_slice pseudorandomness = uu____1.snd; Eurydice_slice uu____2 = 
Eurydice_array_to_slice( - (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t, - Eurydice_slice); - uint8_t uu____3[32U]; - memcpy(uu____3, randomness0, (size_t)32U * sizeof(uint8_t)); + (size_t)1184U, libcrux_ml_kem_types_as_slice_f6_f2(public_key), uint8_t); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness0, (size_t)32U * sizeof(uint8_t)); uint8_t ciphertext[1088U]; - libcrux_ml_kem_ind_cpa_encrypt_0d(uu____2, uu____3, pseudorandomness, - ciphertext); - uint8_t uu____4[1088U]; - memcpy(uu____4, ciphertext, (size_t)1088U * sizeof(uint8_t)); + libcrux_ml_kem_ind_cpa_encrypt_0d(uu____2, copy_of_randomness, + pseudorandomness, ciphertext); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_ciphertext[1088U]; + memcpy(copy_of_ciphertext, ciphertext, (size_t)1088U * sizeof(uint8_t)); libcrux_ml_kem_mlkem768_MlKem768Ciphertext ciphertext0 = - libcrux_ml_kem_types_from_15_f5(uu____4); + libcrux_ml_kem_types_from_15_f5(copy_of_ciphertext); uint8_t shared_secret_array[32U]; - libcrux_ml_kem_ind_cca_kdf_6c_72(shared_secret, &ciphertext0, + libcrux_ml_kem_ind_cca_kdf_6c_d2(shared_secret, &ciphertext0, shared_secret_array); libcrux_ml_kem_mlkem768_MlKem768Ciphertext uu____5 = ciphertext0; - uint8_t uu____6[32U]; - memcpy(uu____6, shared_secret_array, (size_t)32U * sizeof(uint8_t)); - tuple_3c lit; - lit.fst = uu____5; - memcpy(lit.snd, uu____6, (size_t)32U * sizeof(uint8_t)); - return lit; + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_shared_secret_array[32U]; + memcpy(copy_of_shared_secret_array, shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + tuple_3c result; + result.fst = uu____5; + memcpy(result.snd, copy_of_shared_secret_array, + (size_t)32U * sizeof(uint8_t)); + return result; } +/** + Portable encapsulate +*/ /** A monomorphic instance of 
libcrux_ml_kem.ind_cca.instantiations.portable.kyber_encapsulate with const @@ -6498,23 +6819,32 @@ generics - ETA2_RANDOMNESS_SIZE= 128 */ static inline tuple_3c -libcrux_ml_kem_ind_cca_instantiations_portable_kyber_encapsulate_a7( +libcrux_ml_kem_ind_cca_instantiations_portable_kyber_encapsulate_9f( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_encapsulate_440(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_encapsulate_440(uu____0, copy_of_randomness); } +/** + Encapsulate Kyber 768 + + Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. + The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] + bytes of `randomness`. +*/ static inline tuple_3c libcrux_ml_kem_mlkem768_portable_kyber_encapsulate( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]) { libcrux_ml_kem_types_MlKemPublicKey_15 *uu____0 = public_key; - uint8_t uu____1[32U]; - memcpy(uu____1, randomness, (size_t)32U * sizeof(uint8_t)); - return libcrux_ml_kem_ind_cca_instantiations_portable_kyber_encapsulate_a7( - uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_randomness[32U]; + memcpy(copy_of_randomness, randomness, (size_t)32U * sizeof(uint8_t)); + return libcrux_ml_kem_ind_cca_instantiations_portable_kyber_encapsulate_9f( + uu____0, copy_of_randomness); } /** 
@@ -6530,6 +6860,12 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_closure_060( return libcrux_ml_kem_polynomial_ZERO_89_39(); } +/** + This function deserializes ring elements and reduces the result by the field + modulus. + + This function MUST NOT be used on secret inputs. +*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6546,7 +6882,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_720( deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_89_39(); } for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(public_key, uint8_t, size_t) / + i < Eurydice_slice_len(public_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; i++) { size_t i0 = i; @@ -6554,7 +6890,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_720( public_key, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, i0 * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT + LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, - uint8_t, Eurydice_slice); + uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 uu____0 = libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_ad( ring_element); 
@@ -6578,14 +6914,14 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_35( libcrux_ml_kem_polynomial_PolynomialRingElement_f0 deserialized_pk[3U]; libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_720( Eurydice_array_to_subslice_to((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), deserialized_pk); libcrux_ml_kem_polynomial_PolynomialRingElement_f0 *uu____0 = deserialized_pk; uint8_t public_key_serialized[1184U]; libcrux_ml_kem_ind_cpa_serialize_public_key_80( uu____0, Eurydice_array_to_subslice_from((size_t)1184U, public_key, (size_t)1152U, - uint8_t, size_t, Eurydice_slice), + uint8_t, size_t), public_key_serialized); return core_array_equality___core__cmp__PartialEq__Array_U__N___for__Array_T__N____eq( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); @@ -6605,6 +6941,11 @@ libcrux_ml_kem_ind_cca_instantiations_portable_validate_public_key_e1( return libcrux_ml_kem_ind_cca_validate_public_key_35(public_key); } +/** + Validate a public key. + + Returns `Some(public_key)` if valid, and `None` otherwise. +*/ static inline core_option_Option_92 libcrux_ml_kem_mlkem768_portable_validate_public_key( libcrux_ml_kem_types_MlKemPublicKey_15 public_key) { diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h index 92b3e6d06..426dd490c 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_sha3_avx2_H @@ -150,14 +150,10 @@ static KRML_MUSTINLINE core_core_arch_x86___m256i libcrux_sha3_simd_avx2_xor_ef( KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_4( Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) { - ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t, - Eurydice_slice); - ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t, - Eurydice_slice); - ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t, - Eurydice_slice); - ret[3U] = Eurydice_slice_subslice2(a[3U], start, start + len, uint8_t, - Eurydice_slice); + ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); + ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t); + ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t); + ret[3U] = Eurydice_slice_subslice2(a[3U], start, start + len, uint8_t); } /** 
@@ -167,10 +163,11 @@ usize> for core::core_arch::x86::__m256i)} KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_n_ef( Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) { - Eurydice_slice uu____0[4U]; - memcpy(uu____0, a, (size_t)4U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_a[4U]; + memcpy(copy_of_a, a, (size_t)4U * sizeof(Eurydice_slice)); Eurydice_slice ret0[4U]; - libcrux_sha3_simd_avx2_slice_4(uu____0, start, len, ret0); + libcrux_sha3_simd_avx2_slice_4(copy_of_a, start, len, ret0); memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice)); } @@ -181,19 +178,19 @@ libcrux_sha3_simd_avx2_split_at_mut_4(Eurydice_slice out[4U], size_t mid) { Eurydice_slice out1 = out[1U]; Eurydice_slice out2 = out[2U]; Eurydice_slice out3 = out[3U]; - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( out0, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out00 = uu____0.fst; Eurydice_slice out01 = uu____0.snd; - Eurydice_slice_uint8_t_x2 uu____1 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____1 = Eurydice_slice_split_at_mut( out1, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out10 = uu____1.fst; Eurydice_slice out11 = uu____1.snd; - Eurydice_slice_uint8_t_x2 uu____2 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____2 = Eurydice_slice_split_at_mut( out2, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out20 = uu____2.fst; Eurydice_slice out21 = uu____2.snd; - Eurydice_slice_uint8_t_x2 uu____3 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____3 = Eurydice_slice_split_at_mut( out3, mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out30 = uu____3.fst; Eurydice_slice out31 = uu____3.snd; 
@@ -229,6 +226,9 @@ typedef struct libcrux_sha3_generic_keccak_KeccakState_29_s { core_core_arch_x86___m256i st[5U][5U]; } libcrux_sha3_generic_keccak_KeccakState_29; +/** + Create a new Shake128 x4 state. +*/ /** This function found in impl {libcrux_sha3::generic_keccak::KeccakState[TraitClause@0]#1} @@ -282,21 +282,21 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_c7( for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { size_t i0 = i; core_core_arch_x86___m256i v00 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[0U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v10 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[1U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v20 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[2U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v30 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[3U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10); core_core_arch_x86___m256i v1h = 
@@ -342,34 +342,30 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_c7( size_t rem = (size_t)136U % (size_t)32U; size_t start = (size_t)32U * ((size_t)136U / (size_t)32U); uint8_t u8s[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - u8s, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_array_to_subslice2( - u8s, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_array_to_subslice2( - u8s, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_array_to_subslice2( - u8s, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy( uu____3, - Eurydice_slice_subslice2(blocks[3U], 
start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t), + uint8_t); core_core_arch_x86___m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t, Eurydice_slice)); 
@@ -378,34 +374,30 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_c7( s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; - Eurydice_slice uu____4 = Eurydice_array_to_subslice2( - u8s0, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = Eurydice_array_to_subslice2( - u8s0, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____5, - Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - u8s0, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_array_to_subslice2( - u8s0, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____7, - Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice uu____4 = + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy(uu____4, + Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy(uu____5, + Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy(uu____6, + 
Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy(uu____7, + Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); core_core_arch_x86___m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t, @@ -431,9 +423,10 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_ef_6a( core_core_arch_x86___m256i (*a)[5U], Eurydice_slice b[4U]) { core_core_arch_x86___m256i(*uu____0)[5U] = a; - Eurydice_slice uu____1[4U]; - memcpy(uu____1, b, (size_t)4U * sizeof(Eurydice_slice)); - libcrux_sha3_simd_avx2_load_block_c7(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[4U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(Eurydice_slice)); + libcrux_sha3_simd_avx2_load_block_c7(uu____0, copy_of_b); } /** 
@@ -1595,75 +1588,52 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_71( c[((size_t)4U + (size_t)4U) % (size_t)5U], c[((size_t)4U + (size_t)1U) % (size_t)5U])}; s->st[0U][0U] = libcrux_sha3_simd_avx2_xor_ef(s->st[0U][0U], t[0U]); - core_core_arch_x86___m256i uu____4 = + s->st[1U][0U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_17(s->st[1U][0U], t[0U]); - s->st[1U][0U] = uu____4; - core_core_arch_x86___m256i uu____5 = + s->st[2U][0U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_170(s->st[2U][0U], t[0U]); - s->st[2U][0U] = uu____5; - core_core_arch_x86___m256i uu____6 = + s->st[3U][0U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_171(s->st[3U][0U], t[0U]); - s->st[3U][0U] = uu____6; - core_core_arch_x86___m256i uu____7 = + s->st[4U][0U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_172(s->st[4U][0U], t[0U]); - s->st[4U][0U] = uu____7; - core_core_arch_x86___m256i uu____8 = + s->st[0U][1U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_173(s->st[0U][1U], t[1U]); - s->st[0U][1U] = uu____8; - core_core_arch_x86___m256i uu____9 = + s->st[1U][1U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_174(s->st[1U][1U], t[1U]); - s->st[1U][1U] = uu____9; - core_core_arch_x86___m256i uu____10 = + s->st[2U][1U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_175(s->st[2U][1U], t[1U]); - s->st[2U][1U] = uu____10; - core_core_arch_x86___m256i uu____11 = + s->st[3U][1U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_176(s->st[3U][1U], t[1U]); - s->st[3U][1U] = uu____11; - core_core_arch_x86___m256i uu____12 = + s->st[4U][1U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_177(s->st[4U][1U], t[1U]); - s->st[4U][1U] = uu____12; - core_core_arch_x86___m256i uu____13 = + s->st[0U][2U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_178(s->st[0U][2U], t[2U]); - s->st[0U][2U] = uu____13; - core_core_arch_x86___m256i uu____14 = + s->st[1U][2U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_179(s->st[1U][2U], t[2U]); - s->st[1U][2U] = uu____14; - core_core_arch_x86___m256i uu____15 = + s->st[2U][2U] = 
libcrux_sha3_simd_avx2_xor_and_rotate_ef_1710(s->st[2U][2U], t[2U]); - s->st[2U][2U] = uu____15; - core_core_arch_x86___m256i uu____16 = + s->st[3U][2U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1711(s->st[3U][2U], t[2U]); - s->st[3U][2U] = uu____16; - core_core_arch_x86___m256i uu____17 = + s->st[4U][2U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1712(s->st[4U][2U], t[2U]); - s->st[4U][2U] = uu____17; - core_core_arch_x86___m256i uu____18 = + s->st[0U][3U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1713(s->st[0U][3U], t[3U]); - s->st[0U][3U] = uu____18; - core_core_arch_x86___m256i uu____19 = + s->st[1U][3U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1714(s->st[1U][3U], t[3U]); - s->st[1U][3U] = uu____19; - core_core_arch_x86___m256i uu____20 = + s->st[2U][3U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1715(s->st[2U][3U], t[3U]); - s->st[2U][3U] = uu____20; - core_core_arch_x86___m256i uu____21 = + s->st[3U][3U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1716(s->st[3U][3U], t[3U]); - s->st[3U][3U] = uu____21; - core_core_arch_x86___m256i uu____22 = + s->st[4U][3U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1717(s->st[4U][3U], t[3U]); - s->st[4U][3U] = uu____22; - core_core_arch_x86___m256i uu____23 = + s->st[0U][4U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1718(s->st[0U][4U], t[4U]); - s->st[0U][4U] = uu____23; - core_core_arch_x86___m256i uu____24 = + s->st[1U][4U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1719(s->st[1U][4U], t[4U]); - s->st[1U][4U] = uu____24; - core_core_arch_x86___m256i uu____25 = + s->st[2U][4U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1720(s->st[2U][4U], t[4U]); - s->st[2U][4U] = uu____25; - core_core_arch_x86___m256i uu____26 = + s->st[3U][4U] = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1721(s->st[3U][4U], t[4U]); - s->st[3U][4U] = uu____26; core_core_arch_x86___m256i uu____27 = libcrux_sha3_simd_avx2_xor_and_rotate_ef_1722(s->st[4U][4U], t[4U]); s->st[4U][4U] = uu____27; 
@@ -1784,14 +1754,11 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_91( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[3U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[4U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)}; libcrux_sha3_simd_avx2_load_block_c7(s, buf); } @@ -1808,9 +1775,10 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_ef_05( core_core_arch_x86___m256i (*a)[5U], uint8_t b[4U][200U]) { core_core_arch_x86___m256i(*uu____0)[5U] = a; - uint8_t uu____1[4U][200U]; - memcpy(uu____1, b, (size_t)4U * sizeof(uint8_t[200U])); - libcrux_sha3_simd_avx2_load_block_full_91(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[4U][200U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U])); + libcrux_sha3_simd_avx2_load_block_full_91(uu____0, copy_of_b); } /** 
@@ -1824,15 +1792,14 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_5e( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice last[4U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[4U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)4U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 31U; size_t uu____1 = i0; @@ -1896,23 +1863,19 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_e9( libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[0U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v0); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[1U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v1); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[2U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v2); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[3U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v3); } size_t rem = (size_t)136U % (size_t)32U; 
@@ -1921,36 +1884,31 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_e9( size_t i0 = (size_t)4U * ((size_t)136U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)136U / (size_t)32U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), - s[i0][j0]); - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]); + Eurydice_slice uu____0 = + Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_slice_subslice2( - out[1U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice2( - out[2U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice2( - out[3U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)16U, 
(size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____3, - Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; size_t i = 
@@ -1958,40 +1916,31 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_e9( size_t j = ((size_t)4U * ((size_t)136U / (size_t)32U) + (size_t)1U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), - s[i][j]); - Eurydice_slice uu____4 = - Eurydice_slice_subslice2(out[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice2( + out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____4, - Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = - Eurydice_slice_subslice2(out[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = Eurydice_slice_subslice2( + out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____5, - Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = - Eurydice_slice_subslice2(out[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = Eurydice_slice_subslice2( + out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____6, - Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = - Eurydice_slice_subslice2(out[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + 
Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = Eurydice_slice_subslice2( + out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____7, - Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); } } 
@@ -2008,22 +1957,25 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_full_0b( uint8_t out2[200U] = {0U}; uint8_t out3[200U] = {0U}; Eurydice_slice buf[4U] = { - Eurydice_array_to_slice((size_t)200U, out0, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, out1, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, out2, uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, out3, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out0, uint8_t), + Eurydice_array_to_slice((size_t)200U, out1, uint8_t), + Eurydice_array_to_slice((size_t)200U, out2, uint8_t), + Eurydice_array_to_slice((size_t)200U, out3, uint8_t)}; libcrux_sha3_simd_avx2_store_block_e9(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out0, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____1[200U]; - memcpy(uu____1, out1, (size_t)200U * sizeof(uint8_t)); - uint8_t uu____2[200U]; - memcpy(uu____2, out2, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out0[200U]; + memcpy(copy_of_out0, out0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out1[200U]; + memcpy(copy_of_out1, out1, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out2[200U]; + memcpy(copy_of_out2, out2, (size_t)200U * sizeof(uint8_t)); uint8_t uu____3[200U]; memcpy(uu____3, out3, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[1U], uu____1, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[2U], uu____2, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out0, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[1U], copy_of_out1, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[2U], copy_of_out2, (size_t)200U * sizeof(uint8_t)); memcpy(ret[3U], uu____3, (size_t)200U * sizeof(uint8_t)); } 
@@ -2061,12 +2013,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_a4( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } @@ -2131,12 +2083,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_77( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -2154,28 +2106,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_14( libcrux_sha3_generic_keccak_KeccakState_29 s = libcrux_sha3_generic_keccak_new_1e_16(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)136U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_29 *uu____0 = &s; - Eurydice_slice uu____1[4U]; - memcpy(uu____1, data, (size_t)4U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[4U]; + memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice)); Eurydice_slice ret[4U]; - libcrux_sha3_simd_avx2_slice_n_ef(uu____1, i0 * (size_t)136U, (size_t)136U, - ret); + libcrux_sha3_simd_avx2_slice_n_ef(copy_of_data, i0 * (size_t)136U, + (size_t)136U, ret); libcrux_sha3_generic_keccak_absorb_block_37(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)136U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U; libcrux_sha3_generic_keccak_KeccakState_29 *uu____2 = &s; - Eurydice_slice uu____3[4U]; - memcpy(uu____3, data, (size_t)4U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[4U]; + memcpy(copy_of_data, data, (size_t)4U * sizeof(Eurydice_slice)); Eurydice_slice ret[4U]; libcrux_sha3_simd_avx2_slice_n_ef( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_5e(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)136U; size_t last = outlen - outlen % (size_t)136U; if (blocks == (size_t)0U) { 
@@ -2215,6 +2166,9 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_14( } } +/** + Perform 4 SHAKE256 operations in parallel +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256( Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, @@ -2228,6 +2182,9 @@ static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256( typedef libcrux_sha3_generic_keccak_KeccakState_29 libcrux_sha3_avx2_x4_incremental_KeccakState; +/** + Initialise the [`KeccakState`]. +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_29 libcrux_sha3_avx2_x4_incremental_init(void) { 
@@ -2245,21 +2202,21 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_c70( for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; core_core_arch_x86___m256i v00 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[0U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[0U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v10 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[1U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[1U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v20 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[2U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[2U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v30 = - libcrux_intrinsics_avx2_mm256_loadu_si256_u8(Eurydice_slice_subslice2( - blocks[3U], (size_t)32U * i0, (size_t)32U * (i0 + (size_t)1U), - uint8_t, Eurydice_slice)); + libcrux_intrinsics_avx2_mm256_loadu_si256_u8( + Eurydice_slice_subslice2(blocks[3U], (size_t)32U * i0, + (size_t)32U * (i0 + (size_t)1U), uint8_t)); core_core_arch_x86___m256i v0l = libcrux_intrinsics_avx2_mm256_unpacklo_epi64(v00, v10); core_core_arch_x86___m256i v1h = 
@@ -2305,34 +2262,30 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_c70( size_t rem = (size_t)168U % (size_t)32U; size_t start = (size_t)32U * ((size_t)168U / (size_t)32U); uint8_t u8s[32U] = {0U}; - Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - u8s, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice uu____0 = + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_array_to_subslice2( - u8s, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[0U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_array_to_subslice2( - u8s, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[1U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_array_to_subslice2( - u8s, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_slice_subslice2(blocks[2U], start, start + (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy( uu____3, - 
Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_slice_subslice2(blocks[3U], start, start + (size_t)8U, uint8_t), + uint8_t); core_core_arch_x86___m256i u = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s, uint8_t, Eurydice_slice)); 
@@ -2341,34 +2294,30 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_c70( s[i0][j0] = libcrux_intrinsics_avx2_mm256_xor_si256(s[i0][j0], u); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; - Eurydice_slice uu____4 = Eurydice_array_to_subslice2( - u8s0, (size_t)0U, (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____4, - Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = Eurydice_array_to_subslice2( - u8s0, (size_t)8U, (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____5, - Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = Eurydice_array_to_subslice2( - u8s0, (size_t)16U, (size_t)24U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____6, - Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = Eurydice_array_to_subslice2( - u8s0, (size_t)24U, (size_t)32U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( - uu____7, - Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice uu____4 = + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t); + Eurydice_slice_copy(uu____4, + Eurydice_slice_subslice2(blocks[0U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t); + Eurydice_slice_copy(uu____5, + Eurydice_slice_subslice2(blocks[1U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = + Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t); + Eurydice_slice_copy(uu____6, + 
Eurydice_slice_subslice2(blocks[2U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t); + Eurydice_slice_copy(uu____7, + Eurydice_slice_subslice2(blocks[3U], start + (size_t)8U, + start + (size_t)16U, uint8_t), + uint8_t); core_core_arch_x86___m256i u0 = libcrux_intrinsics_avx2_mm256_loadu_si256_u8( core_array___Array_T__N__23__as_slice((size_t)32U, u8s0, uint8_t, @@ -2389,14 +2338,11 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_910( core_core_arch_x86___m256i (*s)[5U], uint8_t blocks[4U][200U]) { - Eurydice_slice buf[4U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[1U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[2U], - uint8_t, Eurydice_slice), - Eurydice_array_to_slice((size_t)200U, blocks[3U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[4U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[1U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[2U], uint8_t), + Eurydice_array_to_slice((size_t)200U, blocks[3U], uint8_t)}; libcrux_sha3_simd_avx2_load_block_c70(s, buf); } @@ -2413,9 +2359,10 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_full_ef_050( core_core_arch_x86___m256i (*a)[5U], uint8_t b[4U][200U]) { core_core_arch_x86___m256i(*uu____0)[5U] = a; - uint8_t uu____1[4U][200U]; - memcpy(uu____1, b, (size_t)4U * sizeof(uint8_t[200U])); - libcrux_sha3_simd_avx2_load_block_full_910(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[4U][200U]; + memcpy(copy_of_b, b, (size_t)4U * sizeof(uint8_t[200U])); + libcrux_sha3_simd_avx2_load_block_full_910(uu____0, copy_of_b); } /** 
@@ -2429,15 +2376,14 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_5e0( libcrux_sha3_generic_keccak_KeccakState_29 *s, Eurydice_slice last[4U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[4U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)4U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 31U; size_t uu____1 = i0; @@ -2451,6 +2397,9 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_5e0( libcrux_sha3_generic_keccak_keccakf1600_07(s); } +/** + Absorb +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( 
@@ -2510,23 +2459,19 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_e90( libcrux_intrinsics_avx2_mm256_unpackhi_epi64(v2l, v3h); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[0U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v0); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[1U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v1); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[2U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v2); libcrux_intrinsics_avx2_mm256_storeu_si256_u8( Eurydice_slice_subslice2(out[3U], (size_t)32U * i0, - (size_t)32U * (i0 + (size_t)1U), uint8_t, - Eurydice_slice), + (size_t)32U * (i0 + (size_t)1U), uint8_t), v3); } size_t rem = (size_t)168U % (size_t)32U; 
@@ -2535,36 +2480,31 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_e90( size_t i0 = (size_t)4U * ((size_t)168U / (size_t)32U) / (size_t)5U; size_t j0 = (size_t)4U * ((size_t)168U / (size_t)32U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s, uint8_t, Eurydice_slice), - s[i0][j0]); - Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s, uint8_t), s[i0][j0]); + Eurydice_slice uu____0 = + Eurydice_slice_subslice2(out[0U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____0, - Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____1 = Eurydice_slice_subslice2( - out[1U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____1 = + Eurydice_slice_subslice2(out[1U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____1, - Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____2 = Eurydice_slice_subslice2( - out[2U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____2 = + Eurydice_slice_subslice2(out[2U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____2, - Eurydice_array_to_subslice2(u8s, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____3 = Eurydice_slice_subslice2( - out[3U], start, start + (size_t)8U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s, (size_t)16U, 
(size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____3 = + Eurydice_slice_subslice2(out[3U], start, start + (size_t)8U, uint8_t); + Eurydice_slice_copy( uu____3, - Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); if (rem == (size_t)16U) { uint8_t u8s0[32U] = {0U}; size_t i = 
@@ -2572,40 +2512,31 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_e90( size_t j = ((size_t)4U * ((size_t)168U / (size_t)32U) + (size_t)1U) % (size_t)5U; libcrux_intrinsics_avx2_mm256_storeu_si256_u8( - Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t, Eurydice_slice), - s[i][j]); - Eurydice_slice uu____4 = - Eurydice_slice_subslice2(out[0U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_slice((size_t)32U, u8s0, uint8_t), s[i][j]); + Eurydice_slice uu____4 = Eurydice_slice_subslice2( + out[0U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____4, - Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____5 = - Eurydice_slice_subslice2(out[1U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)0U, (size_t)8U, uint8_t), + uint8_t); + Eurydice_slice uu____5 = Eurydice_slice_subslice2( + out[1U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____5, - Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____6 = - Eurydice_slice_subslice2(out[2U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + Eurydice_array_to_subslice2(u8s0, (size_t)8U, (size_t)16U, uint8_t), + uint8_t); + Eurydice_slice uu____6 = Eurydice_slice_subslice2( + out[2U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____6, - Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t, - Eurydice_slice), - uint8_t, void *); - Eurydice_slice uu____7 = - Eurydice_slice_subslice2(out[3U], start + (size_t)8U, - start + (size_t)16U, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice( + 
Eurydice_array_to_subslice2(u8s0, (size_t)16U, (size_t)24U, uint8_t), + uint8_t); + Eurydice_slice uu____7 = Eurydice_slice_subslice2( + out[3U], start + (size_t)8U, start + (size_t)16U, uint8_t); + Eurydice_slice_copy( uu____7, - Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t, - Eurydice_slice), - uint8_t, void *); + Eurydice_array_to_subslice2(u8s0, (size_t)24U, (size_t)32U, uint8_t), + uint8_t); } } @@ -2679,6 +2610,9 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_27( libcrux_sha3_generic_keccak_squeeze_next_block_1c0(s, o2); } +/** + Squeeze three blocks +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( @@ -2688,6 +2622,9 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_squeeze_first_three_blocks_27(s, buf); } +/** + Squeeze another block +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( @@ -2739,6 +2676,9 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_e4( libcrux_sha3_generic_keccak_squeeze_next_block_1c0(s, o4); } +/** + Squeeze five blocks +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( @@ -2748,6 +2688,9 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_squeeze_first_five_blocks_e4(s, buf); } +/** + Absorb +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( @@ -2757,6 +2700,9 @@ libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_absorb_final_5e(s, buf); } +/** + Squeeze block +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( 
@@ -2766,6 +2712,9 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_squeeze_first_block_e9(s, buf); } +/** + Squeeze next block +*/ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index 108f13034..01a592f8b 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 + * Charon: 0576bfc67e99aae86c51930421072688138b672b + * Eurydice: e66abbc2119485abfafa17c1911bdbdada5b04f3 + * Karamel: 7862fdc3899b718d39ec98568f78ec40592a622a * F*: 3ed3c98d39ce028c31c5908a38bc68ad5098f563 - * Libcrux: 532179755ebf8a52897604eaa5ce673b354c2c59 + * Libcrux: ffaeafbdbb5598f4060b0f4e1cc8ad937feac00a */ #ifndef __libcrux_sha3_portable_H @@ -137,8 +137,7 @@ libcrux_sha3_portable_keccak_xor_5a(uint64_t a, uint64_t b) { static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_1( Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) { - ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t, - Eurydice_slice); + ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); } /** 
@@ -147,17 +146,18 @@ usize> for u64)} */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_slice_n_5a( Eurydice_slice a[1U], size_t start, size_t len, Eurydice_slice ret[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, a, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_a[1U]; + memcpy(copy_of_a, a, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret0[1U]; - libcrux_sha3_portable_keccak_slice_1(uu____0, start, len, ret0); + libcrux_sha3_portable_keccak_slice_1(copy_of_a, start, len, ret0); memcpy(ret, ret0, (size_t)1U * sizeof(Eurydice_slice)); } static KRML_MUSTINLINE Eurydice_slice_uint8_t_1size_t__x2 libcrux_sha3_portable_keccak_split_at_mut_1(Eurydice_slice out[1U], size_t mid) { - Eurydice_slice_uint8_t_x2 uu____0 = core_slice___Slice_T___split_at_mut( + Eurydice_slice_uint8_t_x2 uu____0 = Eurydice_slice_split_at_mut( out[0U], mid, uint8_t, Eurydice_slice_uint8_t_x2); Eurydice_slice out00 = uu____0.fst; Eurydice_slice out01 = uu____0.snd; @@ -187,6 +187,9 @@ typedef struct libcrux_sha3_generic_keccak_KeccakState_48_s { uint64_t st[5U][5U]; } libcrux_sha3_generic_keccak_KeccakState_48; +/** + Create a new Shake128 x4 state. +*/ /** This function found in impl {libcrux_sha3::generic_keccak::KeccakState[TraitClause@0]#1} @@ -242,9 +245,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b3( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; 
@@ -265,9 +267,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b3(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b3(uu____0, copy_of_b); } /** 
@@ -1212,75 +1215,52 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_theta_rho_eb( c[((size_t)4U + (size_t)4U) % (size_t)5U], c[((size_t)4U + (size_t)1U) % (size_t)5U])}; s->st[0U][0U] = libcrux_sha3_portable_keccak_xor_5a(s->st[0U][0U], t[0U]); - uint64_t uu____4 = + s->st[1U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da(s->st[1U][0U], t[0U]); - s->st[1U][0U] = uu____4; - uint64_t uu____5 = + s->st[2U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da0(s->st[2U][0U], t[0U]); - s->st[2U][0U] = uu____5; - uint64_t uu____6 = + s->st[3U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da1(s->st[3U][0U], t[0U]); - s->st[3U][0U] = uu____6; - uint64_t uu____7 = + s->st[4U][0U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da2(s->st[4U][0U], t[0U]); - s->st[4U][0U] = uu____7; - uint64_t uu____8 = + s->st[0U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da3(s->st[0U][1U], t[1U]); - s->st[0U][1U] = uu____8; - uint64_t uu____9 = + s->st[1U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da4(s->st[1U][1U], t[1U]); - s->st[1U][1U] = uu____9; - uint64_t uu____10 = + s->st[2U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da5(s->st[2U][1U], t[1U]); - s->st[2U][1U] = uu____10; - uint64_t uu____11 = + s->st[3U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da6(s->st[3U][1U], t[1U]); - s->st[3U][1U] = uu____11; - uint64_t uu____12 = + s->st[4U][1U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da7(s->st[4U][1U], t[1U]); - s->st[4U][1U] = uu____12; - uint64_t uu____13 = + s->st[0U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da8(s->st[0U][2U], t[2U]); - s->st[0U][2U] = uu____13; - uint64_t uu____14 = + s->st[1U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da9(s->st[1U][2U], t[2U]); - s->st[1U][2U] = uu____14; - uint64_t uu____15 = + s->st[2U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da10(s->st[2U][2U], t[2U]); - s->st[2U][2U] = uu____15; - uint64_t uu____16 = + s->st[3U][2U] = 
libcrux_sha3_portable_keccak_xor_and_rotate_5a_da11(s->st[3U][2U], t[2U]); - s->st[3U][2U] = uu____16; - uint64_t uu____17 = + s->st[4U][2U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da12(s->st[4U][2U], t[2U]); - s->st[4U][2U] = uu____17; - uint64_t uu____18 = + s->st[0U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da13(s->st[0U][3U], t[3U]); - s->st[0U][3U] = uu____18; - uint64_t uu____19 = + s->st[1U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da14(s->st[1U][3U], t[3U]); - s->st[1U][3U] = uu____19; - uint64_t uu____20 = + s->st[2U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da15(s->st[2U][3U], t[3U]); - s->st[2U][3U] = uu____20; - uint64_t uu____21 = + s->st[3U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da16(s->st[3U][3U], t[3U]); - s->st[3U][3U] = uu____21; - uint64_t uu____22 = + s->st[4U][3U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da17(s->st[4U][3U], t[3U]); - s->st[4U][3U] = uu____22; - uint64_t uu____23 = + s->st[0U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da18(s->st[0U][4U], t[4U]); - s->st[0U][4U] = uu____23; - uint64_t uu____24 = + s->st[1U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da19(s->st[1U][4U], t[4U]); - s->st[1U][4U] = uu____24; - uint64_t uu____25 = + s->st[2U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da20(s->st[2U][4U], t[4U]); - s->st[2U][4U] = uu____25; - uint64_t uu____26 = + s->st[3U][4U] = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da21(s->st[3U][4U], t[4U]); - s->st[3U][4U] = uu____26; uint64_t uu____27 = libcrux_sha3_portable_keccak_xor_and_rotate_5a_da22(s->st[4U][4U], t[4U]); s->st[4U][4U] = uu____27; 
@@ -1395,8 +1375,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b3(s, buf); } @@ -1412,9 +1392,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_71( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a(uu____0, copy_of_b); } /** @@ -1427,15 +1408,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_72( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)1U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 6U; size_t uu____1 = i0; 
@@ -1459,14 +1439,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_58( for (size_t i = (size_t)0U; i < (size_t)72U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } @@ -1479,11 +1456,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_58(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** @@ -1518,12 +1496,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -1584,12 +1562,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_83( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -1606,28 +1584,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_75( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)72U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)72U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)72U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)72U, (size_t)72U, ret); libcrux_sha3_generic_keccak_absorb_block_75(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)72U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)72U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_72(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)72U; size_t last = outlen - outlen % (size_t)72U; if (blocks == (size_t)0U) { 
@@ -1675,11 +1652,15 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_75(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_75(copy_of_data, out); } +/** + A portable SHA3 512 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -1701,9 +1682,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b30( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; @@ -1724,9 +1704,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd0( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b30(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b30(uu____0, copy_of_b); } /** 
@@ -1752,8 +1733,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a0( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b30(s, buf); } @@ -1769,9 +1750,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_710( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a0(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a0(uu____0, copy_of_b); } /** @@ -1784,15 +1766,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_720( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)1U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 6U; size_t uu____1 = i0; 
@@ -1816,14 +1797,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_580( for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } @@ -1836,11 +1814,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa0( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_580(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** @@ -1876,12 +1855,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d0( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -1942,12 +1921,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_830( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -1964,28 +1943,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_750( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)136U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)136U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U, (size_t)136U, ret); libcrux_sha3_generic_keccak_absorb_block_750(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)136U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_720(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)136U; size_t last = outlen - outlen % (size_t)136U; if (blocks == (size_t)0U) { 
@@ -2033,11 +2011,15 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a0( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_750(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_750(copy_of_data, out); } +/** + A portable SHA3 256 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -2055,15 +2037,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_721( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)1U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 31U; size_t uu____1 = i0; 
@@ -2090,28 +2071,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_751( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)136U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)136U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)136U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)136U, (size_t)136U, ret); libcrux_sha3_generic_keccak_absorb_block_750(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)136U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)136U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_721(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)136U; size_t last = outlen - outlen % (size_t)136U; if (blocks == (size_t)0U) { 
@@ -2159,11 +2139,15 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a1( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_751(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_751(copy_of_data, out); } +/** + A portable SHAKE256 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -2171,6 +2155,9 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( libcrux_sha3_portable_keccakx1_2a1(buf0, buf); } +/** + A portable SHA3 512 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -2178,6 +2165,9 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, KRML_HOST_EXIT(255U); } +/** + A portable SHA3 256 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -2185,6 +2175,11 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, KRML_HOST_EXIT(255U); } +/** + Run SHAKE256 on both inputs in parallel. + + Writes the two results into `out0` and `out1` +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice out0, 
@@ -2201,6 +2196,9 @@ typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s { libcrux_sha3_generic_keccak_KeccakState_48 state[2U]; } libcrux_sha3_neon_x2_incremental_KeccakState; +/** + Initialise the `KeccakState2`. +*/ static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState libcrux_sha3_neon_x2_incremental_shake128_init(void) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -2208,6 +2206,9 @@ libcrux_sha3_neon_x2_incremental_shake128_init(void) { KRML_HOST_EXIT(255U); } +/** + Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, @@ -2217,6 +2218,10 @@ libcrux_sha3_neon_x2_incremental_shake128_absorb_final( KRML_HOST_EXIT(255U); } +/** + Squeeze 2 times the first three blocks in parallel in the + [`KeccakState`] and return the output in `out0` and `out1`. +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, @@ -2226,6 +2231,10 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( KRML_HOST_EXIT(255U); } +/** + Squeeze 2 times the next block in parallel in the + [`KeccakState`] and return the output in `out0` and `out1`. +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, @@ -2235,6 +2244,9 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( KRML_HOST_EXIT(255U); } +/** + Create a new SHAKE-128 state object. +*/ static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_48 libcrux_sha3_portable_incremental_shake128_init(void) { return libcrux_sha3_generic_keccak_new_1e_f2(); 
@@ -2254,9 +2266,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b31( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; @@ -2272,8 +2283,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a1( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b31(s, buf); } @@ -2289,9 +2300,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_711( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a1(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a1(uu____0, copy_of_b); } /** 
@@ -2304,15 +2316,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_722( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)1U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 31U; size_t uu____1 = i0; @@ -2326,6 +2337,9 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_722( libcrux_sha3_generic_keccak_keccakf1600_85(s); } +/** + Absorb +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice data0) { @@ -2343,14 +2357,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_581( for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } 
@@ -2420,6 +2431,9 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_7d( libcrux_sha3_generic_keccak_squeeze_next_block_1f1(s, o2); } +/** + Squeeze three blocks +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) { @@ -2427,6 +2441,9 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_squeeze_first_three_blocks_7d(s, buf); } +/** + Squeeze another block +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) { @@ -2441,6 +2458,9 @@ libcrux_sha3_portable_incremental_shake128_squeeze_next_block( typedef uint8_t libcrux_sha3_Algorithm; +/** + Returns the output size of a digest. +*/ static inline size_t libcrux_sha3_digest_size(libcrux_sha3_Algorithm mode) { size_t uu____0; switch (mode) { @@ -2483,9 +2503,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b32( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; 
@@ -2506,9 +2525,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd1( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b32(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b32(uu____0, copy_of_b); } /** @@ -2534,8 +2554,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a2( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b32(s, buf); } @@ -2551,9 +2571,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_712( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a2(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a2(uu____0, copy_of_b); } /** 
@@ -2566,15 +2587,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_723( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)1U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 6U; size_t uu____1 = i0; @@ -2598,14 +2618,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_582( for (size_t i = (size_t)0U; i < (size_t)144U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } 
@@ -2618,11 +2635,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa1( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_582(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** @@ -2658,12 +2676,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d1( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } @@ -2724,12 +2742,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_831( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -2746,28 +2764,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_752( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)144U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)144U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)144U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)144U, (size_t)144U, ret); libcrux_sha3_generic_keccak_absorb_block_751(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)144U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)144U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_723(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)144U; size_t last = outlen - outlen % (size_t)144U; if (blocks == (size_t)0U) { 
@@ -2815,11 +2832,15 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a2( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_752(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_752(copy_of_data, out); } +/** + A portable SHA3 224 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -2841,9 +2862,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_b33( Eurydice_slice_to_array2( &dst, Eurydice_slice_subslice2(blocks[0U], (size_t)8U * i0, - (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice), - Eurydice_slice, uint8_t[8U], void *); + (size_t)8U * i0 + (size_t)8U, uint8_t), + Eurydice_slice, uint8_t[8U]); core_result_unwrap_41_ac(dst, uu____0); size_t uu____1 = i0 / (size_t)5U; size_t uu____2 = i0 % (size_t)5U; @@ -2864,9 +2884,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd2( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b33(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b33(uu____0, copy_of_b); } /** 
@@ -2892,8 +2913,8 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_7a3( uint64_t (*s)[5U], uint8_t blocks[1U][200U]) { - Eurydice_slice buf[1U] = {Eurydice_array_to_slice((size_t)200U, blocks[0U], - uint8_t, Eurydice_slice)}; + Eurydice_slice buf[1U] = { + Eurydice_array_to_slice((size_t)200U, blocks[0U], uint8_t)}; libcrux_sha3_portable_keccak_load_block_b33(s, buf); } @@ -2909,9 +2930,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_full_5a_713( uint64_t (*a)[5U], uint8_t b[1U][200U]) { uint64_t(*uu____0)[5U] = a; - uint8_t uu____1[1U][200U]; - memcpy(uu____1, b, (size_t)1U * sizeof(uint8_t[200U])); - libcrux_sha3_portable_keccak_load_block_full_7a3(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_b[1U][200U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(uint8_t[200U])); + libcrux_sha3_portable_keccak_load_block_full_7a3(uu____0, copy_of_b); } /** @@ -2924,15 +2946,14 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_724( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice last[1U]) { - size_t last_len = core_slice___Slice_T___len(last[0U], uint8_t, size_t); + size_t last_len = Eurydice_slice_len(last[0U], uint8_t); uint8_t blocks[1U][200U] = {{0U}}; for (size_t i = (size_t)0U; i < (size_t)1U; i++) { size_t i0 = i; if (last_len > (size_t)0U) { Eurydice_slice uu____0 = Eurydice_array_to_subslice2( - blocks[i0], (size_t)0U, last_len, uint8_t, Eurydice_slice); - core_slice___Slice_T___copy_from_slice(uu____0, last[i0], uint8_t, - void *); + blocks[i0], (size_t)0U, last_len, uint8_t); + Eurydice_slice_copy(uu____0, last[i0], uint8_t); } blocks[i0][last_len] = 6U; size_t uu____1 = i0; 
@@ -2956,14 +2977,11 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_583( for (size_t i = (size_t)0U; i < (size_t)104U / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice uu____0 = Eurydice_slice_subslice2( - out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t, - Eurydice_slice); + out[0U], (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t); uint8_t ret[8U]; core_num__u64_9__to_le_bytes(s[i0 / (size_t)5U][i0 % (size_t)5U], ret); - core_slice___Slice_T___copy_from_slice( - uu____0, - Eurydice_array_to_slice((size_t)8U, ret, uint8_t, Eurydice_slice), - uint8_t, void *); + Eurydice_slice_copy( + uu____0, Eurydice_array_to_slice((size_t)8U, ret, uint8_t), uint8_t); } } @@ -2976,11 +2994,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa2( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_583(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** @@ -3016,12 +3035,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d2( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -3082,12 +3101,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_832( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -3104,28 +3123,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_753( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)104U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)104U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)104U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)104U, (size_t)104U, ret); libcrux_sha3_generic_keccak_absorb_block_752(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)104U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)104U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_724(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)104U; size_t last = outlen - outlen % (size_t)104U; if (blocks == (size_t)0U) { 
@@ -3173,11 +3191,15 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a3( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_753(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_753(copy_of_data, out); } +/** + A portable SHA3 384 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; 
@@ -3185,55 +3207,82 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, libcrux_sha3_portable_keccakx1_2a3(buf0, buf); } +/** + SHA3 224 + + Preconditions: + - `digest.len() == 28` +*/ static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha224(digest, payload); } +/** + SHA3 224 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) { uint8_t out[28U] = {0U}; - libcrux_sha3_sha224_ema( - Eurydice_array_to_slice((size_t)28U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t), + data); memcpy(ret, out, (size_t)28U * sizeof(uint8_t)); } +/** + SHA3 256 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha256(digest, payload); } +/** + SHA3 256 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) { uint8_t out[32U] = {0U}; - libcrux_sha3_sha256_ema( - Eurydice_array_to_slice((size_t)32U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t), + data); memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } +/** + SHA3 384 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha384(digest, payload); } +/** + SHA3 384 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) { uint8_t out[48U] = {0U}; - libcrux_sha3_sha384_ema( - Eurydice_array_to_slice((size_t)48U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t), + data); memcpy(ret, out, (size_t)48U * sizeof(uint8_t)); } +/** + SHA3 512 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest, Eurydice_slice payload) { libcrux_sha3_portable_sha512(digest, 
payload); } +/** + SHA3 512 +*/ static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) { uint8_t out[64U] = {0U}; - libcrux_sha3_sha512_ema( - Eurydice_array_to_slice((size_t)64U, out, uint8_t, Eurydice_slice), data); + libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t), + data); memcpy(ret, out, (size_t)64U * sizeof(uint8_t)); } @@ -3249,9 +3298,10 @@ with const generics static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_load_block_5a_fd3( uint64_t (*a)[5U], Eurydice_slice b[1U]) { uint64_t(*uu____0)[5U] = a; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, b, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_portable_keccak_load_block_b31(uu____0, uu____1); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_b[1U]; + memcpy(copy_of_b, b, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_portable_keccak_load_block_b31(uu____0, copy_of_b); } /** @@ -3279,11 +3329,12 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccak_store_block_full_fa3( uint64_t (*s)[5U], uint8_t ret[1U][200U]) { uint8_t out[200U] = {0U}; Eurydice_slice buf[1U] = { - Eurydice_array_to_slice((size_t)200U, out, uint8_t, Eurydice_slice)}; + Eurydice_array_to_slice((size_t)200U, out, uint8_t)}; libcrux_sha3_portable_keccak_store_block_581(s, buf); - uint8_t uu____0[200U]; - memcpy(uu____0, out, (size_t)200U * sizeof(uint8_t)); - memcpy(ret[0U], uu____0, (size_t)200U * sizeof(uint8_t)); + /* Passing arrays by value in Rust generates a copy in C */ + uint8_t copy_of_out[200U]; + memcpy(copy_of_out, out, (size_t)200U * sizeof(uint8_t)); + memcpy(ret[0U], copy_of_out, (size_t)200U * sizeof(uint8_t)); } /** 
@@ -3319,12 +3370,12 @@ libcrux_sha3_generic_keccak_squeeze_first_and_last_5d3( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } @@ -3346,12 +3397,12 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_last_833( uint8_t *uu____1 = b[i0]; core_ops_range_Range_b3 lit; lit.start = (size_t)0U; - lit.end = core_slice___Slice_T___len(out[i0], uint8_t, size_t); - core_slice___Slice_T___copy_from_slice( + lit.end = Eurydice_slice_len(out[i0], uint8_t); + Eurydice_slice_copy( uu____0, Eurydice_array_to_subslice((size_t)200U, uu____1, lit, uint8_t, - core_ops_range_Range_b3, Eurydice_slice), - uint8_t, void *); + core_ops_range_Range_b3), + uint8_t); } } 
@@ -3368,28 +3419,27 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_754( libcrux_sha3_generic_keccak_KeccakState_48 s = libcrux_sha3_generic_keccak_new_1e_f2(); for (size_t i = (size_t)0U; - i < core_slice___Slice_T___len(data[0U], uint8_t, size_t) / (size_t)168U; - i++) { + i < Eurydice_slice_len(data[0U], uint8_t) / (size_t)168U; i++) { size_t i0 = i; libcrux_sha3_generic_keccak_KeccakState_48 *uu____0 = &s; - Eurydice_slice uu____1[1U]; - memcpy(uu____1, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; - libcrux_sha3_portable_keccak_slice_n_5a(uu____1, i0 * (size_t)168U, + libcrux_sha3_portable_keccak_slice_n_5a(copy_of_data, i0 * (size_t)168U, (size_t)168U, ret); libcrux_sha3_generic_keccak_absorb_block_753(uu____0, ret); } - size_t rem = - core_slice___Slice_T___len(data[0U], uint8_t, size_t) % (size_t)168U; + size_t rem = Eurydice_slice_len(data[0U], uint8_t) % (size_t)168U; libcrux_sha3_generic_keccak_KeccakState_48 *uu____2 = &s; - Eurydice_slice uu____3[1U]; - memcpy(uu____3, data, (size_t)1U * sizeof(Eurydice_slice)); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); Eurydice_slice ret[1U]; libcrux_sha3_portable_keccak_slice_n_5a( - uu____3, core_slice___Slice_T___len(data[0U], uint8_t, size_t) - rem, rem, - ret); + copy_of_data, Eurydice_slice_len(data[0U], uint8_t) - rem, rem, ret); libcrux_sha3_generic_keccak_absorb_final_722(uu____2, ret); - size_t outlen = core_slice___Slice_T___len(out[0U], uint8_t, size_t); + size_t outlen = Eurydice_slice_len(out[0U], uint8_t); size_t blocks = outlen / (size_t)168U; size_t last = outlen - outlen % (size_t)168U; if (blocks == (size_t)0U) { 
@@ -3437,11 +3487,15 @@ with const generics */ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_2a4( Eurydice_slice data[1U], Eurydice_slice out[1U]) { - Eurydice_slice uu____0[1U]; - memcpy(uu____0, data, (size_t)1U * sizeof(Eurydice_slice)); - libcrux_sha3_generic_keccak_keccak_754(uu____0, out); + /* Passing arrays by value in Rust generates a copy in C */ + Eurydice_slice copy_of_data[1U]; + memcpy(copy_of_data, data, (size_t)1U * sizeof(Eurydice_slice)); + libcrux_sha3_generic_keccak_keccak_754(copy_of_data, out); } +/** + A portable SHAKE128 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; @@ -3449,11 +3503,21 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( libcrux_sha3_portable_keccakx1_2a4(buf0, buf); } +/** + SHAKE 128 + + Writes `out.len()` bytes. +*/ static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, Eurydice_slice data) { libcrux_sha3_portable_shake128(out, data); } +/** + SHAKE 256 + + Writes `out.len()` bytes. +*/ static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out, Eurydice_slice data) { libcrux_sha3_portable_shake256(out, data); @@ -3473,6 +3537,9 @@ static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = { (size_t)45U, (size_t)15U, (size_t)21U, (size_t)8U, (size_t)18U, (size_t)2U, (size_t)61U, (size_t)56U, (size_t)14U}; +/** + A portable SHA3 224 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -3480,6 +3547,9 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, KRML_HOST_EXIT(255U); } +/** + A portable SHA3 384 implementation. +*/ static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, 
@@ -3528,6 +3598,9 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_92( libcrux_sha3_generic_keccak_squeeze_next_block_1f1(s, o4); } +/** + Squeeze five blocks +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out0) { @@ -3535,6 +3608,9 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_squeeze_first_five_blocks_92(s, buf); } +/** + Absorb some data for SHAKE-256 for the last time +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice data) { @@ -3542,11 +3618,17 @@ libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_absorb_final_721(s, buf); } +/** + Create a new SHAKE-256 state object. +*/ static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_48 libcrux_sha3_portable_incremental_shake256_init(void) { return libcrux_sha3_generic_keccak_new_1e_f2(); } +/** + Squeeze the first SHAKE-256 block +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out) { @@ -3554,6 +3636,9 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_squeeze_first_block_090(s, buf); } +/** + Squeeze the next SHAKE-256 block +*/ static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_48 *s, Eurydice_slice out) { diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 380854419..a86c331ae 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst 
@@ -191,7 +191,7 @@ let validate_public_key in public_key =. public_key_serialized -#push-options "--z3rlimit 150" +#push-options "--z3rlimit 500" let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: @@ -325,8 +325,9 @@ let decapsulate (Rust_primitives.unsize shared_secret <: t_Slice u8) (Rust_primitives.unsize implicit_rejection_shared_secret <: t_Slice u8) in - let _:Prims.unit = admit () in - shared_secret + let result:t_Array u8 (sz 32) = shared_secret in + let _:Prims.unit = admit () (* Panic freedom *) in + result #pop-options @@ -419,10 +420,13 @@ let encapsulate shared_secret ciphertext in - let _:Prims.unit = admit () in - ciphertext, shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) = + ciphertext, shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + in + let _:Prims.unit = admit () (* Panic freedom *) in + result #pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 76092b776..1ff7c7914 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -140,9 +140,9 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - (out1: t_Array u8 (sz 32)) + (out: t_Array u8 (sz 32)) -> - out1 == shared_secret); + out == shared_secret); f_kdf = (fun 
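Review bot: The `(* Panic freedom *)` label on the `admit ()` added to `decapsulate` understates what is admitted: placed before the final `result`, `admit ()` discharges the entire remaining verification condition, which includes the `valid ==> result == expected` postcondition this same commit declares for `decapsulate` in the `.fsti`, not merely the absence of panics. The `encapsulate` hunk that follows has the identical shape. If this text is emitted by hax (the file lives under `extraction/`), the wording should be fixed upstream; otherwise I would write `let _:Prims.unit = admit () (* admits panic freedom AND the functional postcondition; remove once the body is proven *) in`. Raising `--z3rlimit` from 150 to 500 on a body that still ends in `admit ()` is harmless but worth a note saying which obligations the higher budget is meant for.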
@@ -155,9 +155,14 @@ let impl: t_Variant t_MlKem = (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) -> - let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out shared_secret in - out); + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + shared_secret + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError)); f_entropy_preprocess_pre = (fun @@ -178,7 +183,7 @@ let impl: t_Variant t_MlKem = i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) - (out1: t_Array u8 (sz 32)) + (out: t_Array u8 (sz 32)) -> true); f_entropy_preprocess @@ -191,9 +196,14 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) -> - let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let out:t_Array u8 (sz 32) = Core.Slice.impl__copy_from_slice #u8 out randomness in - out + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) } val decapsulate @@ -223,7 +233,10 @@ val decapsulate (ensures fun result -> let result:t_Array u8 (sz 32) = result in - result == Spec.MLKEM.ind_cca_decapsulate v_K private_key.f_value ciphertext.f_value) + let expected, valid = + Spec.MLKEM.ind_cca_decapsulate v_K private_key.f_value ciphertext.f_value + in + valid ==> result == expected) val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
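Review bot: The new `f_kdf` body reaches `Core.Result.impl__unwrap` whenever `shared_secret` is not exactly 32 bytes, so it is panic-free only if `f_kdf_pre` (outside this hunk) requires `Seq.length shared_secret == 32`; the visible `f_kdf_post` asserts `out == shared_secret`, which presupposes that length but does not enforce it at entry. The previous `copy_from_slice` form failed the same way on a length mismatch, so this is not a regression, but since this commit labels the remaining admits as panic-freedom obligations the precondition should be confirmed to be stated. The `f_entropy_preprocess` hunk below has the same shape for `randomness`. If this file is hax-extracted, the precondition belongs in the Rust-side `requires` attribute rather than in this file.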
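Review bot: The `ensures` of `decapsulate` is now vacuous whenever the spec reports `valid = false`: `valid ==> result == expected` leaves the returned shared secret entirely unconstrained in that case, and nothing in the hunk says when `valid` can be false or whether the implementation detects that situation at all. Presumably it flags exhaustion of a bounded sampling loop in `Spec.MLKEM` (not visible here — confirm), which is exactly what a reader of this contract needs to know; a doc comment on `val decapsulate` such as `/// The spec's `valid` flag is false only when <condition>; the implementation's output is unconstrained in that case` should state it. The same weakening is applied to `encapsulate`, `generate_keypair` and `Ind_cpa.encrypt`/`generate_keypair` in the hunks that follow. Since `Libcrux_ml_kem.Ind_cca.fst` still ends `decapsulate` with `admit ()`, even this weaker postcondition is asserted rather than proven by this commit.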
@@ -252,8 +265,8 @@ val encapsulate = result in - (result._1.f_value, result._2) == - Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness) + let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in + valid ==> (result._1.f_value, result._2) == expected) /// Packed API /// Generate a key pair. @@ -279,5 +292,5 @@ val generate_keypair let result:Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in - (result.f_sk.f_value, result.f_pk.f_value) == - Spec.MLKEM.ind_cca_generate_keypair v_K randomness) + let expected, valid = Spec.MLKEM.ind_cca_generate_keypair v_K randomness in + valid ==> (result.f_sk.f_value, result.f_pk.f_value) == expected) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index cb4e44a7c..7d65134d1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -199,7 +199,8 @@ val encrypt (ensures fun result -> let result:t_Array u8 v_CIPHERTEXT_SIZE = result in - result == Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness) + let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in + valid ==> result == expected) /// This function implements most of Algorithm 12 of the /// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. @@ -263,4 +264,5 @@ val generate_keypair (ensures fun result -> let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = result in - result == Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed) + let expected, valid = Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed in + valid ==> result == expected) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile index edc784083..adcc6529f 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
@@ -1,192 +1,34 @@ -# This is a generically useful Makefile for F* that is self-contained -# -# It is tempting to factor this out into multiple Makefiles but that -# makes it less portable, so resist temptation, or move to a more -# sophisticated build system. -# -# We expect FSTAR_HOME to be set to your FSTAR repo/install directory -# We expect HACL_HOME to be set to your HACL* repo location -# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. -# -# ROOTS contains all the top-level F* files you wish to verify -# The default target `verify` verified ROOTS and its dependencies -# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line -# -# -# To make F* emacs mode use the settings in this file, you need to -# add the following lines to your .emacs -# -# (setq-default fstar-executable "/bin/fstar.exe") -# (setq-default fstar-smt-executable "/bin/z3") -# -# (defun my-fstar-compute-prover-args-using-make () -# "Construct arguments to pass to F* by calling make." -# (with-demoted-errors "Error when constructing arg string: %S" -# (let* ((fname (file-name-nondirectory buffer-file-name)) -# (target (concat fname "-in")) -# (argstr (car (process-lines "make" "--quiet" target)))) -# (split-string argstr)))) -# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) -# - -WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
- -HAX_HOME ?= $(WORKSPACE_ROOT)/hax -HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar -HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction -FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar -HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star -FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") - -CACHE_DIR ?= .cache -HINT_DIR ?= .hints - -.PHONY: all verify verify-lax clean - -all: - rm -f .depend && $(MAKE) .depend - $(MAKE) verify - -VERIFIED = Libcrux_ml_kem.Types.fst \ - Libcrux_ml_kem.Types.fsti \ - Libcrux_ml_kem.Types.Unpacked.fsti \ - Libcrux_ml_kem.Constants.fsti \ - Libcrux_ml_kem.Hash_functions.Avx2.fsti \ - Libcrux_ml_kem.Hash_functions.fsti \ - Libcrux_ml_kem.Hash_functions.Neon.fsti \ - Libcrux_ml_kem.Hash_functions.Portable.fsti \ - Libcrux_ml_kem.Utils.fst \ - Libcrux_ml_kem.Utils.fsti - -PANIC_FREE = Libcrux_ml_kem.Constant_time_ops.fst \ - Libcrux_ml_kem.Constant_time_ops.fsti \ - Libcrux_ml_kem.Utils.fst \ - Libcrux_ml_kem.Utils.fsti \ - Libcrux_ml_kem.Ind_cca.fst \ - Libcrux_ml_kem.Ind_cca.fsti \ - Libcrux_ml_kem.Ind_cca.Unpacked.fsti \ - Libcrux_ml_kem.Ind_cpa.fsti \ - Libcrux_ml_kem.Ind_cpa.Unpacked.fsti \ - Libcrux_ml_kem.Sampling.fsti \ - Libcrux_ml_kem.Serialize.fsti \ - Libcrux_ml_kem.Matrix.fsti \ - Libcrux_ml_kem.Polynomial.fsti \ - Libcrux_ml_kem.Ntt.fsti \ - Libcrux_ml_kem.Invert_ntt.fsti \ - Libcrux_ml_kem.Vector.Traits.fsti \ - Libcrux_ml_kem.Vector.Portable.fsti \ - Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti \ - Libcrux_ml_kem.Vector.Portable.Compress.fsti \ - Libcrux_ml_kem.Vector.Portable.Ntt.fsti \ - Libcrux_ml_kem.Vector.Portable.Sampling.fsti \ - Libcrux_ml_kem.Vector.Portable.Serialize.fsti \ - Libcrux_ml_kem.Vector.Portable.Vector_type.fsti \ - Libcrux_ml_kem.Vector.Avx2.fsti \ - Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti \ - Libcrux_ml_kem.Vector.Avx2.Compress.fsti \ - Libcrux_ml_kem.Vector.Avx2.Ntt.fsti \ - Libcrux_ml_kem.Vector.Avx2.Portable.fsti \ - 
Libcrux_ml_kem.Vector.Avx2.Sampling.fsti \ - Libcrux_ml_kem.Vector.Avx2.Serialize.fsti \ - Libcrux_ml_kem.Vector.Rej_sample_table.fsti \ - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst \ - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti \ - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst \ - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti \ - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst \ - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti \ - Libcrux_ml_kem.Ind_cca.Multiplexing.fst \ - Libcrux_ml_kem.Ind_cca.Multiplexing.fsti \ - Libcrux_ml_kem.Mlkem512.Avx2.fst \ - Libcrux_ml_kem.Mlkem512.Avx2.fsti \ - Libcrux_ml_kem.Mlkem512.fst \ - Libcrux_ml_kem.Mlkem512.fsti \ - Libcrux_ml_kem.Mlkem512.Neon.fst \ - Libcrux_ml_kem.Mlkem512.Neon.fsti \ - Libcrux_ml_kem.Mlkem512.Portable.fst \ - Libcrux_ml_kem.Mlkem512.Portable.fsti \ - Libcrux_ml_kem.Mlkem768.Avx2.fst \ - Libcrux_ml_kem.Mlkem768.Avx2.fsti \ - Libcrux_ml_kem.Mlkem768.fst \ - Libcrux_ml_kem.Mlkem768.fsti \ - Libcrux_ml_kem.Mlkem768.Neon.fst \ - Libcrux_ml_kem.Mlkem768.Neon.fsti \ - Libcrux_ml_kem.Mlkem768.Portable.fst \ - Libcrux_ml_kem.Mlkem768.Portable.fsti \ - Libcrux_ml_kem.Mlkem1024.Avx2.fst \ - Libcrux_ml_kem.Mlkem1024.Avx2.fsti \ - Libcrux_ml_kem.Mlkem1024.fst \ - Libcrux_ml_kem.Mlkem1024.fsti \ - Libcrux_ml_kem.Mlkem1024.Neon.fst \ - Libcrux_ml_kem.Mlkem1024.Neon.fsti \ - Libcrux_ml_kem.Mlkem1024.Portable.fst \ - Libcrux_ml_kem.Mlkem1024.Portable.fsti \ - Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti \ - Libcrux_ml_kem.Vector.Neon.Compress.fsti \ - Libcrux_ml_kem.Vector.Neon.fsti \ - Libcrux_ml_kem.Vector.Neon.Ntt.fsti \ - Libcrux_ml_kem.Vector.Neon.Serialize.fsti \ - Libcrux_ml_kem.Vector.Neon.Vector_type.fsti - -UNVERIFIED = $(filter-out $(PANIC_FREE),$(wildcard *.fst)) - -VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) -PANIC_FREE_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(PANIC_FREE))) -UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix 
$(CACHE_DIR)/,$(UNVERIFIED))) - -# By default, we process all the files in the current directory. Here, we -# *extend* the set of relevant files with the tests. -ROOTS = $(UNVERIFIED) $(PANIC_FREE) $(VERIFIED) - -FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HACL_HOME)/specs $(HAX_PROOF_LIBS_HOME)/rust_primitives \ - $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) \ - ../spec/ \ - ../../../../sys/platform/proofs/fstar/extraction/ \ - ../../../../libcrux-intrinsics/proofs/fstar/extraction/ \ - ../../../../libcrux-sha3/proofs/fstar/extraction/ - -FSTAR_FLAGS = --cmi --query_stats \ - --warn_error -331-321-274 \ - --cache_checked_modules --cache_dir $(CACHE_DIR) \ - --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ - $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) - -FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) - - -.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) - $(info $(ROOTS)) - $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ - -include .depend - -$(HINT_DIR): - mkdir -p $@ - -$(CACHE_DIR): - mkdir -p $@ - -$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true -$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) - $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints - -verify: $(UNVERIFIED_CHECKED) $(PANIC_FREE_CHECKED) $(VERIFIED_CHECKED) - -# Targets for interactive mode - -%.fst-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) - -%.fsti-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) - - -# Clean targets - -SHELL=/usr/bin/env bash - -clean: - rm -rf $(CACHE_DIR)/* - rm *.fst +ADMIT_MODULES = Libcrux_ml_kem.Ind_cca.Unpacked.fst \ + Libcrux_ml_kem.Ind_cca.fst \ + Libcrux_ml_kem.Ind_cpa.fst \ + Libcrux_ml_kem.Ind_cpa.fsti \ + Libcrux_ml_kem.Invert_ntt.fst \ + Libcrux_ml_kem.Matrix.fst \ + Libcrux_ml_kem.Ntt.fst \ + Libcrux_ml_kem.Polynomial.fst \ + Libcrux_ml_kem.Sampling.fst \ + 
Libcrux_ml_kem.Serialize.fst \
+ Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
+ Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst \
+ Libcrux_ml_kem.Vector.Avx2.Compress.fst \
+ Libcrux_ml_kem.Vector.Avx2.fst \
+ Libcrux_ml_kem.Vector.Avx2.Ntt.fst \
+ Libcrux_ml_kem.Vector.Avx2.Portable.fst \
+ Libcrux_ml_kem.Vector.Avx2.Sampling.fst \
+ Libcrux_ml_kem.Vector.Avx2.Serialize.fst \
+ Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
+ Libcrux_ml_kem.Vector.Neon.Compress.fst \
+ Libcrux_ml_kem.Vector.Neon.fst \
+ Libcrux_ml_kem.Vector.Neon.Ntt.fst \
+ Libcrux_ml_kem.Vector.Neon.Serialize.fst \
+ Libcrux_ml_kem.Vector.Neon.Vector_type.fst \
+ Libcrux_ml_kem.Vector.Portable.Arithmetic.fst \
+ Libcrux_ml_kem.Vector.Portable.Compress.fst \
+ Libcrux_ml_kem.Vector.Portable.Ntt.fst \
+ Libcrux_ml_kem.Vector.Portable.Sampling.fst \
+ Libcrux_ml_kem.Vector.Portable.Serialize.fst \
+ Libcrux_ml_kem.Vector.Portable.Vector_type.fst \
+ Libcrux_ml_kem.Vector.Traits.fst
+
+FSTAR_INCLUDE_DIRS_EXTRA = $(shell git rev-parse --show-toplevel)/libcrux-ml-kem/proofs/fstar/spec
+include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Makefile b/libcrux-ml-kem/proofs/fstar/spec/Makefile
index 6eda7cef5..ec420d509 100644
--- a/libcrux-ml-kem/proofs/fstar/spec/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/spec/Makefile
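Review bot: `ADMIT_MODULES` is undocumented, yet it names the modules that actually implement the KEM (`Ind_cca.fst`, `Ind_cpa.fst`/`.fsti`, `Sampling.fst`, every `Vector.*` backend), so a reader of this Makefile cannot tell that the `valid ==> ...` postconditions introduced in this same commit are admitted rather than machine-checked; I would prefix the list with `# Modules checked with their SMT queries admitted (see fstar-helpers/Makefile.template): their lemmas and postconditions are NOT verified yet.` (wording to match what the template actually does — its flags are not visible in this diff). Separately, `$(shell git rev-parse --show-toplevel)` is run twice, the recursively-expanded `FSTAR_INCLUDE_DIRS_EXTRA` re-runs it on every expansion, and outside a git checkout (source tarball, exported tree) it expands to empty so the `include` silently becomes `/fstar-helpers/Makefile.template` with an unrelated "No such file" error. Hoisting the root into a simply-expanded variable with a guard fixes both, assuming the template only reads `FSTAR_INCLUDE_DIRS_EXTRA`:
```make
REPO_ROOT := $(shell git rev-parse --show-toplevel)
$(if $(REPO_ROOT),,$(error not inside a git checkout: cannot locate fstar-helpers/Makefile.template))
FSTAR_INCLUDE_DIRS_EXTRA := $(REPO_ROOT)/libcrux-ml-kem/proofs/fstar/spec
include $(REPO_ROOT)/fstar-helpers/Makefile.template
```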
@@ -1,122 +1 @@ -# This is a generically useful Makefile for F* that is self-contained -# -# It is tempting to factor this out into multiple Makefiles but that -# makes it less portable, so resist temptation, or move to a more -# sophisticated build system. -# -# We expect FSTAR_HOME to be set to your FSTAR repo/install directory -# We expect HACL_HOME to be set to your HACL* repo location -# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. -# -# ROOTS contains all the top-level F* files you wish to verify -# The default target `verify` verified ROOTS and its dependencies -# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line -# -# -# To make F* emacs mode use the settings in this file, you need to -# add the following lines to your .emacs -# -# (setq-default fstar-executable "/bin/fstar.exe") -# (setq-default fstar-smt-executable "/bin/z3") -# -# (defun my-fstar-compute-prover-args-using-make () -# "Construct arguments to pass to F* by calling make." 
-# (with-demoted-errors "Error when constructing arg string: %S" -# (let* ((fname (file-name-nondirectory buffer-file-name)) -# (target (concat fname "-in")) -# (argstr (car (process-lines "make" "--quiet" target)))) -# (split-string argstr)))) -# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) -# - -WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel) - -HAX_HOME ?= $(WORKSPACE_ROOT)/hax -HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar -HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction -FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar -HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star -FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") - -CACHE_DIR ?= .cache -HINT_DIR ?= .hints - -.PHONY: all verify verify-lax clean - -all: - rm -f .depend && $(MAKE) .depend - $(MAKE) verify - -ifeq ($(OTHERFLAGS),$(subst --admit_smt_queries true,,$(OTHERFLAGS))) -FSTAR_HINTS ?= --use_hints --use_hint_hashes --record_hints -else -FSTAR_HINTS ?= --use_hints --use_hint_hashes -endif - -VERIFIED = Spec.Utils.fst Spec.MLKEM.fst - -UNVERIFIED = - - -VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) -UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) - -# By default, we process all the files in the current directory. Here, we -# *extend* the set of relevant files with the tests. 
-ROOTS = $(UNVERIFIED) $(VERIFIED) - -FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HACL_HOME)/specs $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) - -FSTAR_FLAGS = $(FSTAR_HINTS) \ - --cmi \ - --warn_error -331 \ - --warn_error -321 \ - --warn_error -274 \ - --query_stats \ - --cache_checked_modules --cache_dir $(CACHE_DIR) \ - --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ - $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) - -# --log_queries \ -# --z3version 4.12.3 \ -# --smtencoding.l_arith_repr native \ -# --smtencoding.nl_arith_repr native \ - -FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) - - -.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) - $(info $(ROOTS)) - $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ - -include .depend - -$(HINT_DIR): - mkdir -p $@ - -$(CACHE_DIR): - mkdir -p $@ - -$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true -$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) - $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints - -verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) - -# Targets for interactive mode - -%.fst-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) - -%.fsti-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) - - -# Clean targets - -SHELL=/usr/bin/env bash - -clean: - rm -rf $(CACHE_DIR)/* +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst new file mode 100644 index 000000000..f598ee0ff --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst 
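Review bot: The spec Makefile now consists solely of `include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template`, which expands to `include /fstar-helpers/Makefile.template` and fails with an unrelated "No such file" error when `git` is absent or the tree is not a checkout (source tarballs, exported archives). Because this file's position relative to the repository root is fixed, `include $(dir $(lastword $(MAKEFILE_LIST)))../../../../fstar-helpers/Makefile.template` removes the dependency on git entirely, provided the template does not itself rely on it (not visible here). The removed file pinned `VERIFIED = Spec.Utils.fst Spec.MLKEM.fst` with `UNVERIFIED` empty; whether the two new modules `Spec.MLKEM.Instances.fst` and `Spec.MLKEM.Math.fst` are discovered and fully verified now depends on the template's file globbing, which this diff does not show, so a one-line comment stating the intent (`# every module in this directory is fully verified; nothing is admitted`) would let a reviewer check it against the template.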
@@ -0,0 +1,64 @@
+module Spec.MLKEM.Instances
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 30"
+open FStar.Mul
+open Core
+open Spec.Utils
+open Spec.MLKEM.Math
+open Spec.MLKEM
+
+
+(** MLKEM-768 Instantiation *)
+
+let mlkem768_rank : rank = sz 3
+
+#push-options "--z3rlimit 300"
+let mlkem768_generate_keypair (randomness:t_Array u8 (sz 64)):
+ (t_Array u8 (sz 2400) & t_Array u8 (sz 1184)) & bool =
+ ind_cca_generate_keypair mlkem768_rank randomness
+
+let mlkem768_encapsulate (public_key: t_Array u8 (sz 1184)) (randomness: t_Array u8 (sz 32)):
+ (t_Array u8 (sz 1088) & t_Array u8 (sz 32)) & bool =
+ ind_cca_encapsulate mlkem768_rank public_key randomness
+
+let mlkem768_decapsulate (secret_key: t_Array u8 (sz 2400)) (ciphertext: t_Array u8 (sz 1088)):
+ t_Array u8 (sz 32) & bool =
+ ind_cca_decapsulate mlkem768_rank secret_key ciphertext
+
+(** MLKEM-1024 Instantiation *)
+
+let mlkem1024_rank = sz 4
+
+let mlkem1024_generate_keypair (randomness:t_Array u8 (sz 64)):
+ (t_Array u8 (sz 3168) & t_Array u8 (sz 1568)) & bool =
+ ind_cca_generate_keypair mlkem1024_rank randomness
+
+#set-options "--z3rlimit 100"
+let mlkem1024_encapsulate (public_key: t_Array u8 (sz 1568)) (randomness: t_Array u8 (sz 32)):
+ (t_Array u8 (sz 1568) & t_Array u8 (sz 32)) & bool =
+ assert (v_CPA_CIPHERTEXT_SIZE mlkem1024_rank == sz 1568);
+ ind_cca_encapsulate mlkem1024_rank public_key randomness
+
+let mlkem1024_decapsulate (secret_key: t_Array u8 (sz 3168)) (ciphertext: t_Array u8 (sz 1568)):
+ t_Array u8 (sz 32) & bool =
+ ind_cca_decapsulate mlkem1024_rank secret_key ciphertext
+
+(** MLKEM-512 Instantiation *)
+
+let mlkem512_rank : rank = sz 2
+
+let mlkem512_generate_keypair (randomness:t_Array u8 (sz 64)):
+ (t_Array u8 (sz 1632) & t_Array u8 (sz 800)) & bool =
+ ind_cca_generate_keypair mlkem512_rank randomness
+
+let mlkem512_encapsulate (public_key: t_Array u8 (sz 800)) (randomness: t_Array u8 (sz 32)):
+ (t_Array u8 (sz 768) & t_Array u8 (sz 32)) & bool =
+ assert 
(v_CPA_CIPHERTEXT_SIZE mlkem512_rank == sz 768);
+ ind_cca_encapsulate mlkem512_rank public_key randomness
+
+
+let mlkem512_decapsulate (secret_key: t_Array u8 (sz 1632)) (ciphertext: t_Array u8 (sz 768)):
+ t_Array u8 (sz 32) & bool =
+ ind_cca_decapsulate mlkem512_rank secret_key ciphertext
+
+
+
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
new file mode 100644
index 000000000..31fb4837b
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
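Review bot: Every instantiation returns a trailing `& bool` that is never explained in this file, although the top-level API postconditions are conditioned on it; a module-level comment is needed, e.g. `(** Each function returns (result, valid); valid = false means the spec's bounded sampling did not succeed and result carries no guarantee — confirm against Spec.MLKEM *)` (hedged because the spec itself is not in this diff). Two smaller points: `let mlkem1024_rank = sz 4` lacks the `: rank` annotation that `mlkem768_rank` and `mlkem512_rank` carry and should read `let mlkem1024_rank : rank = sz 4`. The `#push-options "--z3rlimit 300"` before `mlkem768_generate_keypair` is never popped anywhere in the 64 new lines, so it silently governs the rest of the module until the mid-file `#set-options "--z3rlimit 100"` overrides it; add `#pop-options` after the definition that needs the budget and turn the later `#set-options` into a push/pop pair so each definition's limit is explicit.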
@@ -0,0 +1,237 @@
+module Spec.MLKEM.Math
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 30"
+
+open FStar.Mul
+open Core
+open Spec.Utils
+
+let v_FIELD_MODULUS: i32 = 3329l
+let is_rank (r:usize) = v r == 2 \/ v r == 3 \/ v r == 4
+
+type rank = r:usize{is_rank r}
+
+
+(** MLKEM Math and Sampling *)
+
+type field_element = n:nat{n < v v_FIELD_MODULUS}
+type polynomial = t_Array field_element (sz 256)
+type vector (r:rank) = t_Array polynomial r
+type matrix (r:rank) = t_Array (vector r) r
+
+val field_add: field_element -> field_element -> field_element
+let field_add a b = (a + b) % v v_FIELD_MODULUS
+
+val field_sub: field_element -> field_element -> field_element
+let field_sub a b = (a - b) % v v_FIELD_MODULUS
+
+val field_neg: field_element -> field_element
+let field_neg a = (0 - a) % v v_FIELD_MODULUS
+
+val field_mul: field_element -> field_element -> field_element
+let field_mul a b = (a * b) % v v_FIELD_MODULUS
+
+val poly_add: polynomial -> polynomial -> polynomial
+let poly_add a b = map2 field_add a b
+
+val poly_sub: polynomial -> polynomial -> polynomial
+let poly_sub a b = map2 field_sub a b
+
+
+(*
+bitrev7 = [int('{:07b}'.format(x)[::-1], 2) for x in range(0,128)]
+zetas = [pow(17,x) % 3329 for x in bitrev7]
+zetas_mont = [pow(2,16) * x % 3329 for x in zetas]
+zetas_mont_r = [(x - 3329 if x > 1664 else x) for x in zetas_mont]
+
+bitrev7 is
+[0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127]
+
+zetas = 17^bitrev7 is
+[1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797, 2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333, 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756, 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915, 2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648, 2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100, 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789, 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641, 1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757, 2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886, 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154]
+
+zetas_mont = zetas * 2^16 is
+[2285, 2571, 2970, 1812, 1493, 1422, 287, 202, 3158, 622, 1577, 182, 962, 2127, 1855, 1468, 573, 2004, 264, 383, 2500, 1458, 1727, 3199, 2648, 1017, 732, 608, 1787, 411, 3124, 1758, 1223, 652, 2777, 1015, 2036, 1491, 3047, 1785, 516, 3321, 3009, 2663, 1711, 2167, 126, 1469, 2476, 3239, 3058, 830, 107, 1908, 3082, 2378, 2931, 961, 1821, 2604, 448, 2264, 677, 2054, 2226, 430, 555, 843, 2078, 871, 1550, 105, 422, 587, 177, 3094, 3038, 2869, 1574, 1653, 3083, 778, 1159, 3182, 2552, 1483, 2727, 1119, 1739, 644, 2457, 349, 418, 329, 3173, 3254, 817, 1097, 603, 610, 1322, 2044, 1864, 384, 2114, 3193, 1218, 1994, 2455, 220, 2142, 1670, 2144, 1799, 2051, 794, 1819, 2475, 2459, 478, 3221, 3021, 996, 991, 958, 1869, 1522, 1628]
+
+zetas_mont_r = zetas_mont - 3329 if zetas_mont > 1664 else zetas_mont is
+[-1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468, 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, 1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469, -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725, 448, -1065, 677, -1275, -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, -460, 1574, 1653, -246, 778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097, 603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, -1187, -1659, -1185, -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628]
+*)
+
+let zetas_list : list field_element = [1; 1729; 2580; 3289; 2642; 630; 1897; 848; 1062; 1919; 193; 797; 2786; 3260; 569; 1746; 296; 2447; 1339; 1476; 3046; 56; 2240; 1333; 1426; 2094; 535; 2882; 2393; 2879; 1974; 821; 289; 331; 3253; 1756; 1197; 2304; 2277; 2055; 650; 1977; 2513; 632; 2865; 33; 1320; 1915; 2319; 1435; 807; 452; 1438; 2868; 1534; 2402; 2647; 2617; 1481; 648; 2474; 3110; 1227; 910; 17; 2761; 583; 2649; 1637; 723; 2288; 1100; 1409; 2662; 3281; 233; 756; 2156; 3015; 3050; 1703; 1651; 2789; 1789; 1847; 952; 1461; 2687; 939; 2308; 2437; 2388; 733; 2337; 268; 641; 1584; 2298; 2037; 3220; 375; 2549; 2090; 1645; 1063; 319; 2773; 757; 2099; 561; 2466; 2594; 2804; 1092; 403; 1026; 1143; 2150; 2775; 886; 1722; 1212; 1874; 1029; 2110; 2935; 885; 2154]
+
+let zetas : t_Array field_element (sz 128) =
+ assert_norm(List.Tot.length zetas_list == 128);
+ Rust_primitives.Arrays.of_list zetas_list
+
+let poly_ntt_step (a:field_element) (b:field_element) (i:nat{i < 128}) =
+ let t = field_mul b zetas.[sz i] in
+ let b = field_sub a t in
+ let a = field_add a t in
+ (a,b)
+
+let poly_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial =
+ let len = pow2 l in
+ let k = (128 / len) - 1 in
+ Rust_primitives.Arrays.createi (sz 256) (fun i ->
+ let round = v i / (2 * len) in
+ let idx = v i % (2 * len) in
+ let (idx0, idx1) = if idx < len then (idx, idx+len) else (idx-len,idx) in
+ let (a_ntt, b_ntt) = poly_ntt_step p.[sz idx0] p.[sz idx1] (round + k) in
+ if idx < len then a_ntt else b_ntt)
+
+val poly_ntt: polynomial -> polynomial
+let poly_ntt p =
+ let p = poly_ntt_layer p 7 in
+ let p = poly_ntt_layer p 6 in
+ let p = poly_ntt_layer p 5 in
+ let p = poly_ntt_layer p 4 in
+ let p = poly_ntt_layer p 3 in
+ let p = poly_ntt_layer p 2 in
+ let p = poly_ntt_layer p 1 in
+ p
+
+let poly_inv_ntt_step (a:field_element) (b:field_element) (i:nat{i < 128}) =
+ let b_minus_a = field_sub b a in
+ let a = field_add a b in
+ let b = field_mul b_minus_a zetas.[sz i] in
+ (a,b)
+
+let poly_inv_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial =
+ let len = pow2 l in
+ let k = (256 / len) - 1 in
+ Rust_primitives.Arrays.createi (sz 256) (fun i ->
+ let round = v i / (2 * len) in
+ let idx = v i % (2 * len) in
+ let (idx0, idx1) = if idx < len then (idx, idx+len) else (idx-len,idx) in
+ let (a_ntt, b_ntt) = poly_inv_ntt_step p.[sz idx0] p.[sz idx1] (k - round) in
+ if idx < len then a_ntt else b_ntt)
+
+val poly_inv_ntt: polynomial -> polynomial
+let poly_inv_ntt p =
+ let p = poly_inv_ntt_layer p 1 in
+ let p = poly_inv_ntt_layer p 2 in
+ let p = poly_inv_ntt_layer p 3 in
+ let p = poly_inv_ntt_layer p 4 in
+ let p = poly_inv_ntt_layer p 5 in
+ let p = poly_inv_ntt_layer p 6 in
+ let p = poly_inv_ntt_layer p 7 in
+ p
+
+let poly_base_case_multiply (a0 a1 b0 b1 zeta:field_element) =
+ let c0 = field_add (field_mul a0 b0) (field_mul (field_mul a1 b1) zeta) in
+ let c1 = field_add (field_mul a0 b1) (field_mul a1 b0) in
+ (c0,c1)
+
+val poly_mul_ntt: polynomial -> polynomial -> polynomial
+let poly_mul_ntt a b =
+ Rust_primitives.Arrays.createi (sz 256) (fun i ->
+ let a0 = a.[sz (2 * (v i / 2))] in
+ let a1 = a.[sz (2 * (v i / 2) + 1)] in
+ let b0 = b.[sz (2 * (v i / 2))] in
+ let b1 = b.[sz (2 * (v i / 2) + 1)] in
+ let zeta_4 = zetas.[sz (64 + (v i/4))] in
+ let zeta = if v i % 4 < 2 then zeta_4 else field_neg zeta_4 in
+ let (c0,c1) = poly_base_case_multiply a0 a1 b0 b1 zeta in
+ if v i % 2 = 0 then c0 else c1)
+
+
+val vector_add: #r:rank -> vector r -> vector r -> vector r
+let vector_add #p a b = map2 poly_add a b
+
+val vector_ntt: #r:rank -> vector r -> vector r
+let vector_ntt #p v = map_array poly_ntt v
+
+val vector_inv_ntt: #r:rank -> vector r -> vector r
+let vector_inv_ntt #p v = map_array poly_inv_ntt v
+
+val vector_mul_ntt: #r:rank -> vector r -> vector r -> vector r
+let vector_mul_ntt #p a b = map2 poly_mul_ntt a b
+
+val vector_sum: #r:rank -> vector r -> polynomial
+let vector_sum #r a = repeati (r -! sz 1)
+ (fun i x -> assert (v i < v r - 1); poly_add x (a.[i +! sz 1])) a.[sz 0]
+
+val vector_dot_product_ntt: #r:rank -> vector r -> vector r -> polynomial
+let vector_dot_product_ntt a b = vector_sum (vector_mul_ntt a b)
+
+val matrix_transpose: #r:rank -> matrix r -> matrix r
+let matrix_transpose #r m =
+ createi r (fun i ->
+ createi r (fun j ->
+ m.[j].[i]))
+
+val matrix_vector_mul_ntt: #r:rank -> matrix r -> vector r -> vector r
+let matrix_vector_mul_ntt #r m v =
+ createi r (fun i -> vector_dot_product_ntt m.[i] v)
+
+val compute_As_plus_e_ntt: #r:rank -> a:matrix r -> s:vector r -> e:vector r -> vector r
+let compute_As_plus_e_ntt #p a s e = vector_add (matrix_vector_mul_ntt a s) e
+
+
+
+type dT = d: nat {d = 1 \/ d = 4 \/ d = 5 \/ d = 10 \/ d = 11 \/ d = 12}
+let max_d (d:dT) = if d < 12 then pow2 d else v v_FIELD_MODULUS
+type field_element_d (d:dT) = n:nat{n < max_d d}
+type polynomial_d (d:dT) = t_Array (field_element_d d) (sz 256)
+type vector_d (r:rank) (d:dT) = t_Array (polynomial_d d) r
+
+let bits_to_bytes (#bytes: usize) (bv: bit_vec (v bytes * 8))
+ : Pure (t_Array u8 bytes)
+ (requires True)
+ (ensures fun r -> (forall i. bit_vec_of_int_t_array r 8 i == bv i))
+ = bit_vec_to_int_t_array 8 bv
+
+let bytes_to_bits (#bytes: usize) (r: t_Array u8 bytes)
+ : Pure (i: bit_vec (v bytes * 8))
+ (requires True)
+ (ensures fun f -> (forall i. bit_vec_of_int_t_array r 8 i == f i))
+ = bit_vec_of_int_t_array r 8
+
+unfold let retype_bit_vector #a #b (#_:unit{a == b}) (x: a): b = x
+
+
+let compress_d (d: dT {d <> 12}) (x: field_element): field_element_d d
+ = let r = (pow2 d * x + 1664) / v v_FIELD_MODULUS in
+ assert (r * v v_FIELD_MODULUS <= pow2 d * x + 1664);
+ assert (r * v v_FIELD_MODULUS <= pow2 d * (v v_FIELD_MODULUS - 1) + 1664);
+ Math.Lemmas.lemma_div_le (r * v v_FIELD_MODULUS) (pow2 d * (v v_FIELD_MODULUS - 1) + 1664) (v v_FIELD_MODULUS);
+ Math.Lemmas.cancel_mul_div r (v v_FIELD_MODULUS);
+ assert (r <= (pow2 d * (v v_FIELD_MODULUS - 1) + 1664) / v v_FIELD_MODULUS);
+ Math.Lemmas.lemma_div_mod_plus (1664 - pow2 d) (pow2 d) (v v_FIELD_MODULUS);
+ assert (r <= pow2 d + (1664 - pow2 d) / v v_FIELD_MODULUS);
+ assert (r <= pow2 d);
+ if r = pow2 d then 0 else r
+
+let decompress_d (d: dT {d <> 12}) (x: field_element_d d): field_element
+ = let r = (x * v v_FIELD_MODULUS + 1664) / pow2 d in
+ r
+
+
+let byte_encode (d: dT) (coefficients: polynomial_d d): t_Array u8 (sz (32 * d))
+ = let coefficients' : t_Array nat (sz 256) = map_array #(field_element_d d) (fun x -> x <: nat) coefficients in
+ bits_to_bytes #(sz (32 * d))
+ (retype_bit_vector (bit_vec_of_nat_array coefficients' d))
+
+let byte_decode (d: dT) (coefficients: t_Array u8 (sz (32 * d))): polynomial_d d
+ = let bv = bytes_to_bits coefficients in
+ let arr: t_Array nat (sz 256) = bit_vec_to_nat_array d (retype_bit_vector bv) in
+ let p: polynomial_d d =
+ createi (sz 256) (fun i ->
+ let x_f : field_element = arr.[i] % v v_FIELD_MODULUS in
+ assert (d < 12 ==> arr.[i] < pow2 d);
+ let x_m : field_element_d d = x_f in
+ x_m)
+ in
+ p
+
+let coerce_polynomial_12 (p:polynomial): polynomial_d 12 = p
+let coerce_vector_12 (#r:rank) (v:vector r): vector_d r 12 = v
+
+let compress_then_byte_encode (d: dT {d <> 12}) (coefficients: polynomial): t_Array u8 (sz (32 * d))
+ = let coefs: t_Array (field_element_d d) (sz 256) = map_array (compress_d d) coefficients
+ in
+ byte_encode d coefs
+
+let byte_decode_then_decompress (d: dT {d <> 12}) (b:t_Array u8 (sz (32 * d))): polynomial
+ = map_array (decompress_d d) (byte_decode d b)
+
+
diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
index 021ea0b4b..44ae4d7af 100644
--- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
+++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
@@ -1,8 +1,10 @@ module Spec.MLKEM -#set-options "--fuel 0 --ifuel 1 --z3rlimit 200" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open FStar.Mul open Core -open Spec.Utils + +include Spec.Utils +include Spec.MLKEM.Math (** ML-KEM Constants *) let v_BITS_PER_COEFFICIENT: usize = sz 12
@@ -15,8 +17,6 @@ let v_BYTES_PER_RING_ELEMENT: usize = sz 384 // v_BITS_PER_RING_ELEMENT /! sz 8 let v_CPA_KEY_GENERATION_SEED_SIZE: usize = sz 32 -let v_FIELD_MODULUS: i32 = 3329l - let v_H_DIGEST_SIZE: usize = sz 32 // same as Libcrux.Digest.digest_size (Libcrux.Digest.Algorithm_Sha3_256_ <: Libcrux.Digest.t_Algorithm)
@@ -24,11 +24,7 @@ let v_REJECTION_SAMPLING_SEED_SIZE: usize = sz 840 // sz 168 *! sz 5 let v_SHARED_SECRET_SIZE: usize = v_H_DIGEST_SIZE -let is_rank (r:usize) = - r == sz 2 \/ r == sz 3 \/ r == sz 4 - -type rank = r:usize{is_rank r} - +val v_ETA1 (r:rank) : u:usize{u == sz 3 \/ u == sz 2} let v_ETA1 (r:rank) : usize = if r = sz 2 then sz 3 else if r = sz 3 then sz 2 else
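Review bot: `decompress_d` rounds with the constant 1664 (half of q) instead of half of the divisor: `let r = (x * v v_FIELD_MODULUS + 1664) / pow2 d in` gives `decompress_d d 0 = 1664 / pow2 d`, which is 1 for every d up to 10 rather than 0, and `decompress_d 1 1 = 2496` where FIPS 203's Decompress_1(1) = ⌈q/2⌋ = 1665. The round-half-up form of ⌈(q/2^d)·y⌋ is `let r = (x * v v_FIELD_MODULUS + pow2 (d - 1)) / pow2 d in`; the `field_element` return type does not catch the mistake because `r < q` holds for both variants. The definition was moved here unchanged from Spec.MLKEM.fst (minus the old `assume`s), so this predates the commit, but it matters now that this module is the reference the Rust `ensures` clauses are proved against. `compress_d` is fine: floor((2^d·x + 1664)/q) equals round(2^d·x/q) for integer numerators, and the `if r = pow2 d then 0` handles the `mod 2^d`.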
@@ -36,17 +32,18 @@ let v_ETA1 (r:rank) : usize = let v_ETA2 (r:rank) : usize = sz 2 +val v_VECTOR_U_COMPRESSION_FACTOR (r:rank) : u:usize{u == sz 10 \/ u == sz 11} let v_VECTOR_U_COMPRESSION_FACTOR (r:rank) : usize = if r = sz 2 then sz 10 else if r = sz 3 then sz 10 else if r = sz 4 then sz 11 +val v_VECTOR_V_COMPRESSION_FACTOR (r:rank) : u:usize{u == sz 4 \/ u == sz 5} let v_VECTOR_V_COMPRESSION_FACTOR (r:rank) : usize = if r = sz 2 then sz 4 else if r = sz 3 then sz 4 else if r = sz 4 then sz 5 - val v_ETA1_RANDOMNESS_SIZE (r:rank) : u:usize{u == sz 128 \/ u == sz 192} let v_ETA1_RANDOMNESS_SIZE (r:rank) = v_ETA1 r *! sz 64 @@ -93,6 +90,7 @@ let v_KEY_GENERATION_SEED_SIZE: usize = v_CPA_KEY_GENERATION_SEED_SIZE +! v_SHARED_SECRET_SIZE + (** ML-KEM Types *) type t_MLKEMPublicKey (r:rank) = t_Array u8 (v_CPA_PUBLIC_KEY_SIZE r) 
@@ -105,143 +103,82 @@ type t_MLKEMCPAKeyPair (r:rank) = t_MLKEMCPAPrivateKey r & t_MLKEMPublicKey r type t_MLKEMCiphertext (r:rank) = t_Array u8 (v_CPA_CIPHERTEXT_SIZE r) type t_MLKEMSharedSecret = t_Array u8 (v_SHARED_SECRET_SIZE) -(** MLKEM Math and Sampling *) - -type field_element = n:nat{n < v v_FIELD_MODULUS} -type polynomial (ntt:bool) = t_Array field_element (sz 256) -type vector (r:rank) (ntt:bool) = t_Array (polynomial ntt) r -type matrix (r:rank) (ntt:bool) = t_Array (vector r ntt) r - -val field_add: field_element -> field_element -> field_element -let field_add a b = (a + b) % v v_FIELD_MODULUS - -val field_sub: field_element -> field_element -> field_element -let field_sub a b = (a - b) % v v_FIELD_MODULUS - -val field_mul: field_element -> field_element -> field_element -let field_mul a b = (a * b) % v v_FIELD_MODULUS - -val poly_add: #ntt:bool -> polynomial ntt -> polynomial ntt -> polynomial ntt -let poly_add a b = map2 field_add a b - -val poly_sub: #ntt:bool -> polynomial ntt -> polynomial ntt -> polynomial ntt -let poly_sub a b = map2 field_sub a b - -assume val poly_ntt: #r:rank -> polynomial false -> polynomial true -assume val poly_inv_ntt: #r:rank -> polynomial true -> polynomial false -assume val poly_mul_ntt: polynomial true -> polynomial true -> polynomial true - -val vector_add: #r:rank -> #ntt:bool -> vector r ntt -> vector r ntt -> vector r ntt -let vector_add #p a b = map2 poly_add a b - -val vector_ntt: #r:rank -> vector r false -> vector r true -let vector_ntt #p v = map_array (poly_ntt #p) v - -val vector_inv_ntt: #r:rank -> vector r true -> vector r false -let vector_inv_ntt #p v = map_array (poly_inv_ntt #p) v - -val vector_mul_ntt: #r:rank -> vector r true -> vector r true -> vector r true -let vector_mul_ntt #p a b = map2 poly_mul_ntt a b - -val vector_sum: #r:rank -> #ntt:bool -> vector r ntt -> polynomial ntt -let vector_sum #r a = repeati (v r - 1) - (fun i x -> poly_add x (Lib.Sequence.index #_ #(v r) a (i+1))) 
(Lib.Sequence.index #_ #(v r) a 0) - -val vector_dot_product_ntt: #r:rank -> vector r true -> vector r true -> polynomial true -let vector_dot_product_ntt a b = vector_sum (vector_mul_ntt a b) - -val matrix_transpose: #r:rank -> #ntt:bool -> matrix r ntt -> matrix r ntt -let matrix_transpose #r m = - createi r (fun i -> - createi r (fun j -> - m.[j].[i])) - -val matrix_vector_mul_ntt: #r:rank -> matrix r true -> vector r true -> vector r true -let matrix_vector_mul_ntt #r m v = - createi r (fun i -> vector_dot_product_ntt m.[i] v) - -val compute_As_plus_e_ntt: #r:rank -> a:matrix r true -> s:vector r true -> e:vector r true -> vector r true -let compute_As_plus_e_ntt #p a s e = vector_add (matrix_vector_mul_ntt a s) e - -let bits_to_bytes (#bytes: usize) (bv: bit_vec (v bytes * 8)) - : Pure (t_Array u8 bytes) - (requires True) - (ensures fun r -> (forall i. bit_vec_of_int_t_array r 8 i == bv i)) - = bit_vec_to_int_t_array 8 bv - -let bytes_to_bits (#bytes: usize) (r: t_Array u8 bytes) - : Pure (i: bit_vec (v bytes * 8)) - (requires True) - (ensures fun f -> (forall i. bit_vec_of_int_t_array r 8 i == f i)) - = bit_vec_of_int_t_array r 8 - -unfold let retype_bit_vector #a #b (#_:unit{a == b}) (x: a): b = x - -// note we take seed of size 32 not 34 as in hacspec -assume val sample_matrix_A_ntt: #r:rank -> seed:t_Array u8 (sz 32) -> matrix r true -// note we take seed of size 32 not 33 as in hacspec -assume val sample_vector_cbd: #r:rank -> seed:t_Array u8 (sz 32) -> domain_sep:usize -> vector r false -// note we take seed of size 32 not 33 as in hacspec - -assume val sample_poly_binomial: v_ETA:usize{v v_ETA <= 3} -> t_Array u8 (v_ETA *! 
sz 64) -> polynomial false +assume val sample_max: n:usize{v n < pow2 32 /\ v n >= 128 * 3 /\ v n % 3 = 0} + +val sample_polynomial_ntt: seed:t_Array u8 (sz 34) -> (polynomial & bool) +let sample_polynomial_ntt seed = + let randomness = v_XOF sample_max seed in + let bv = bytes_to_bits randomness in + assert (v sample_max * 8 == (((v sample_max / 3) * 2) * 12)); + let bv: bit_vec ((v (sz ((v sample_max / 3) * 2))) * 12) = retype_bit_vector bv in + let i16s = bit_vec_to_nat_array #(sz ((v sample_max / 3) * 2)) 12 bv in + assert ((v sample_max / 3) * 2 >= 256); + let poly0: polynomial = Seq.create 256 0 in + let index_t = n:nat{n <= 256} in + let (sampled, poly1) = + repeati #(index_t & polynomial) (sz ((v sample_max / 3) * 2)) + (fun i (sampled,acc) -> + if sampled < 256 then + let sample = Seq.index i16s (v i) in + if sample < 3329 then + (sampled+1, Rust_primitives.Hax.update_at acc (sz sampled) sample) + else (sampled, acc) + else (sampled, acc)) + (0,poly0) in + if sampled < 256 then poly0, false else poly1, true + +let sample_polynomial_ntt_at_index (seed:t_Array u8 (sz 32)) (i j: (x:usize{v x <= 4})) : polynomial & bool = + let seed34 = Seq.append seed (Seq.create 2 0uy) in + let seed34 = Rust_primitives.Hax.update_at seed34 (sz 32) (mk_int #u8_inttype (v i)) in + let seed34 = Rust_primitives.Hax.update_at seed34 (sz 33) (mk_int #u8_inttype (v j)) in + sample_polynomial_ntt seed34 + +val sample_matrix_A_ntt: #r:rank -> seed:t_Array u8 (sz 32) -> (matrix r & bool) +let sample_matrix_A_ntt #r seed = + let m = + createi r (fun i -> + createi r (fun j -> + let (p,b) = sample_polynomial_ntt_at_index seed i j in + p)) + in + let sufficient_randomness = + repeati r (fun i b -> + repeati r (fun j b -> + let (p,v) = sample_polynomial_ntt_at_index seed i j in + b && v) b) true in + (m, sufficient_randomness) + +assume val sample_poly_cbd: v_ETA:usize{v v_ETA == 2 \/ v v_ETA == 3} -> t_Array u8 (v_ETA *! 
sz 64) -> polynomial open Rust_primitives.Integers -val sample_poly_cbd: #r:rank -> seed:t_Array u8 (sz 32) -> domain_sep:usize{v domain_sep < 256} -> polynomial false -let sample_poly_cbd #r seed domain_sep = +val sample_poly_cbd2: #r:rank -> seed:t_Array u8 (sz 32) -> domain_sep:usize{v domain_sep < 256} -> polynomial +let sample_poly_cbd2 #r seed domain_sep = let prf_input = Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep))) in let prf_output = v_PRF (v_ETA2_RANDOMNESS_SIZE r) prf_input in - sample_poly_binomial (v_ETA2 r) prf_output - -let sample_vector_cbd_then_ntt (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize) : vector r true = - vector_ntt (sample_vector_cbd #r seed domain_sep) + sample_poly_cbd (v_ETA2 r) prf_output -type dT = d: nat {d = 1 \/ d = 4 \/ d = 5 \/ d = 10 \/ d = 11 \/ d = 12} -let max_d (d:dT) = if d < 12 then pow2 d else v v_FIELD_MODULUS -type field_element_d (d:dT) = n:nat{n < max_d d} -type polynomial_d (d:dT) = t_Array (field_element_d d) (sz 256) -type vector_d (r:rank) (d:dT) = t_Array (polynomial_d d) r +val sample_poly_cbd1: #r:rank -> seed:t_Array u8 (sz 32) -> domain_sep:usize{v domain_sep < 256} -> polynomial +let sample_poly_cbd1 #r seed domain_sep = + let prf_input = Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep))) in + let prf_output = v_PRF (v_ETA1_RANDOMNESS_SIZE r) prf_input in + sample_poly_cbd (v_ETA1 r) prf_output +let sample_vector_cbd1 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r = + createi r (fun i -> sample_poly_cbd1 #r seed (domain_sep +! 
i)) -let compress_d (d: dT {d <> 12}) (x: field_element): field_element_d d - = let r = (pow2 d * x + 1664) / v v_FIELD_MODULUS in - assume (r * v v_FIELD_MODULUS < pow2 d * x + 1664); - assume (pow2 d * x + 1664 < pow2 d * v v_FIELD_MODULUS + 1664); - assume (r < pow2 d); - r +let sample_vector_cbd2 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r = + createi r (fun i -> sample_poly_cbd2 #r seed (domain_sep +! i)) -let decompress_d (d: dT {d <> 12}) (x: field_element_d d): field_element - = let r = (x * v v_FIELD_MODULUS + 1664) / pow2 d in - assume (r < v v_FIELD_MODULUS); - r - +let sample_vector_cbd_then_ntt (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r = + vector_ntt (sample_vector_cbd1 #r seed domain_sep) -let byte_encode (d: dT) (coefficients: polynomial_d d): t_Array u8 (sz (32 * d)) - = let coefficients' : t_Array nat (sz 256) = map_array #(field_element_d d) (fun x -> x <: nat) coefficients in - bits_to_bytes #(sz (32 * d)) - (retype_bit_vector (bit_vec_of_nat_array coefficients' d)) - -let byte_decode (d: dT) (coefficients: t_Array u8 (sz (32 * d))): polynomial_d d - = let bv = bytes_to_bits coefficients in - let arr: t_Array nat (sz 256) = bit_vec_to_nat_array d (retype_bit_vector bv) in - let p = map_array (fun (x: nat) -> x % v v_FIELD_MODULUS) arr in - introduce forall i. (d < 12 ==> Seq.index p i < pow2 d) - with assert (Seq.index p i == Seq.index p (v (sz i))); - introduce forall i. (d == 12 ==> Seq.index p i < v v_FIELD_MODULUS) - with assert (Seq.index p i == Seq.index p (v (sz i))); - assert (forall i. 
(d < 12 ==> Seq.index p i < pow2 d) /\ (d == 12 ==> Seq.index p i < v v_FIELD_MODULUS)); - admit(); - p - -let coerce_polynomial_12 #ntt (p:polynomial ntt): polynomial_d 12 = p -let coerce_vector_12 #ntt (#r:rank) (v:vector r ntt): vector_d r 12 = v - -let vector_encode_12 (#r:rank) (#ntt:bool) (v: vector r ntt): t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r) +let vector_encode_12 (#r:rank) (v: vector r) : t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r) = let s: t_Array (t_Array _ (sz 384)) r = map_array (byte_encode 12) (coerce_vector_12 v) in flatten s -let vector_decode_12 (#r:rank) (#ntt:bool) (arr: t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r)): vector r ntt +let vector_decode_12 (#r:rank) (arr: t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r)): vector r = createi r (fun block -> let block_size = (sz (32 * 12)) in let slice = Seq.slice arr (v block * v block_size) 
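Review bot: `sample_polynomial_ntt_at_index seed i j` writes `i` at byte 32 and `j` at byte 33, and `sample_matrix_A_ntt` uses it for `m.[i].[j]`, so row i, column j is SampleNTT(ρ‖i‖j); if I read FIPS 203 Algorithm 13 correctly it samples Â[i,j] from ρ‖j‖i, which is the transpose of this matrix. The KEM stays internally consistent either way because `ind_cpa_encrypt` applies `matrix_transpose`, but since this module is the reference for the Rust `ensures` clauses the orientation should be checked against the Rust `sample_matrix_A` and, if ρ‖j‖i is intended, the two `Rust_primitives.Hax.update_at` calls swapped — or a comment added stating which convention is followed. Separately, `sample_max` is an `assume val` with no comment; a line like `(* Number of XOF bytes SampleNTT may consume; left abstract so the spec covers any amount the implementation squeezes. *)` would explain why it is not fixed, and the double call of `sample_polynomial_ntt_at_index` per entry in `sample_matrix_A_ntt` (once for `m`, once for the flag) deserves a one-line note that it is pure and only for readability.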
@@ -249,25 +186,17 @@ let vector_decode_12 (#r:rank) (#ntt:bool) (arr: t_Array u8 (v_T_AS_NTT_ENCODED_ byte_decode 12 slice ) -let compress_then_byte_encode #ntt (d: dT {d <> 12}) (coefficients: polynomial ntt): t_Array u8 (sz (32 * d)) - = let coefs: t_Array (field_element_d d) (sz 256) = map_array (compress_d d) coefficients - in - byte_encode d coefs - -let byte_decode_then_decompress #ntt (d: dT {d <> 12}) (b:t_Array u8 (sz (32 * d))): polynomial ntt - = map_array (decompress_d d) (byte_decode d b) - -let compress_then_encode_message #ntt (p:polynomial ntt) : t_Array u8 v_SHARED_SECRET_SIZE +let compress_then_encode_message (p:polynomial) : t_Array u8 v_SHARED_SECRET_SIZE = compress_then_byte_encode 1 p -let decode_then_decompress_message #ntt (b:t_Array u8 v_SHARED_SECRET_SIZE): polynomial ntt +let decode_then_decompress_message (b:t_Array u8 v_SHARED_SECRET_SIZE): polynomial = byte_decode_then_decompress 1 b -let compress_then_encode_u (#r:rank) (#ntt:bool) (vec: vector r ntt): t_Array u8 (v_C1_SIZE r) +let compress_then_encode_u (#r:rank) (vec: vector r): t_Array u8 (v_C1_SIZE r) = let d = v (v_VECTOR_U_COMPRESSION_FACTOR r) in flatten (map_array (compress_then_byte_encode d) vec) -let decode_then_decompress_u (#r:rank) (#ntt:bool) (arr: t_Array u8 (v_C1_SIZE r)): vector r ntt +let decode_then_decompress_u (#r:rank) (arr: t_Array u8 (v_C1_SIZE r)): vector r = let d = v_VECTOR_U_COMPRESSION_FACTOR r in createi r (fun block -> let block_size = v_C1_BLOCK_SIZE r in 
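Review bot: Dropping the `#ntt:bool` index from `polynomial`/`vector` (here on `compress_then_encode_message` through `decode_then_decompress_u`, and throughout the larger hunk above) removes the only type-level distinction between coefficient-domain and NTT-domain values, so a `poly_add` of an NTT polynomial with a plain one, or a `compress_then_encode_u` applied to a vector that was never passed through `vector_inv_ntt`, now typechecks silently. Presumably this was done because `poly_ntt`/`poly_inv_ntt` are now concrete definitions and the phantom index got in the way of the proofs; if so, a comment on the `polynomial` type in Spec.MLKEM.Math saying that the domain is tracked by the `*_as_ntt` naming convention rather than by type would stop the next reader from reintroducing the index or misreading the names.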
@@ -276,10 +205,10 @@ let decode_then_decompress_u (#r:rank) (#ntt:bool) (arr: t_Array u8 (v_C1_SIZE r byte_decode_then_decompress (v d) slice ) -let compress_then_encode_v (#r:rank) (#ntt:bool): polynomial ntt -> t_Array u8 (v_C2_SIZE r) +let compress_then_encode_v (#r:rank): polynomial -> t_Array u8 (v_C2_SIZE r) = compress_then_byte_encode (v (v_VECTOR_V_COMPRESSION_FACTOR r)) -let decode_then_decompress_v (#r:rank) (#ntt:bool): t_Array u8 (v_C2_SIZE r) -> polynomial ntt +let decode_then_decompress_v (#r:rank): t_Array u8 (v_C2_SIZE r) -> polynomial = byte_decode_then_decompress (v (v_VECTOR_V_COMPRESSION_FACTOR r)) (** IND-CPA Functions *) @@ -292,17 +221,17 @@ let decode_then_decompress_v (#r:rank) (#ntt:bool): t_Array u8 (v_C2_SIZE r) -> /// through the `key_generation_seed` parameter. val ind_cpa_generate_keypair (r:rank) (randomness:t_Array u8 v_CPA_KEY_GENERATION_SEED_SIZE) : - t_MLKEMCPAKeyPair r + (t_MLKEMCPAKeyPair r & bool) let ind_cpa_generate_keypair r randomness = let hashed = v_G randomness in let (seed_for_A, seed_for_secret_and_error) = split hashed (sz 32) in - let matrix_A_as_ntt = sample_matrix_A_ntt #r seed_for_A in + let (matrix_A_as_ntt, sufficient_randomness) = sample_matrix_A_ntt #r seed_for_A in let secret_as_ntt = sample_vector_cbd_then_ntt #r seed_for_secret_and_error (sz 0) in let error_as_ntt = sample_vector_cbd_then_ntt #r seed_for_secret_and_error r in let t_as_ntt = compute_As_plus_e_ntt #r matrix_A_as_ntt secret_as_ntt error_as_ntt in let public_key_serialized = Seq.append (vector_encode_12 #r t_as_ntt) seed_for_A in let secret_key_serialized = vector_encode_12 #r secret_as_ntt in - (secret_key_serialized,public_key_serialized) + ((secret_key_serialized,public_key_serialized), sufficient_randomness) /// This function implements Algorithm 13 of the /// NIST FIPS 203 specification; this is the MLKEM CPA-PKE encryption algorithm. 
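Review bot: The new `bool` in the return type of `ind_cpa_generate_keypair` (and likewise `ind_cpa_encrypt`, `ind_cca_generate_keypair`, `ind_cca_encapsulate` and `ind_cca_decapsulate` in the following hunks) is not mentioned in the `///` comments above the `val`s, and when it is false the accompanying key pair was computed from the zero polynomial that `sample_polynomial_ntt` returns on failure, so it is not a valid ML-KEM key. The doc comment should state the contract, e.g. `/// Returns (keypair, ok); ok is false if rejection sampling of A exhausted the XOF output, in which case keypair must not be used.`; the Rust `ensures` at the end of this diff already guards with `valid ==>`, so the spec side should say the same thing in words.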
@@ -310,21 +239,21 @@ let ind_cpa_generate_keypair r randomness = val ind_cpa_encrypt (r:rank) (public_key: t_MLKEMPublicKey r) (message: t_Array u8 v_SHARED_SECRET_SIZE) (randomness:t_Array u8 v_SHARED_SECRET_SIZE) : - t_MLKEMCiphertext r - + (t_MLKEMCiphertext r & bool) + let ind_cpa_encrypt r public_key message randomness = let (t_as_ntt_bytes, seed_for_A) = split public_key (v_T_AS_NTT_ENCODED_SIZE r) in let t_as_ntt = vector_decode_12 #r t_as_ntt_bytes in - let matrix_A_as_ntt = sample_matrix_A_ntt #r seed_for_A in + let matrix_A_as_ntt, sufficient_randomness = sample_matrix_A_ntt #r seed_for_A in let r_as_ntt = sample_vector_cbd_then_ntt #r randomness (sz 0) in - let error_1 = sample_vector_cbd #r randomness r in - let error_2 = sample_poly_cbd #r randomness (r +! r) in + let error_1 = sample_vector_cbd2 #r randomness r in + let error_2 = sample_poly_cbd2 #r randomness (r +! r) in let u = vector_add (vector_inv_ntt (matrix_vector_mul_ntt (matrix_transpose matrix_A_as_ntt) r_as_ntt)) error_1 in let mu = decode_then_decompress_message message in let v = poly_add (poly_add (vector_dot_product_ntt t_as_ntt r_as_ntt) error_2) mu in let c1 = compress_then_encode_u #r u in let c2 = compress_then_encode_v #r v in - concat c1 c2 + (concat c1 c2, sufficient_randomness) /// This function implements Algorithm 14 of the /// NIST FIPS 203 specification; this is the MLKEM CPA-PKE decryption algorithm. @@ -338,7 +267,7 @@ let ind_cpa_decrypt r secret_key ciphertext = let u = decode_then_decompress_u #r c1 in let v = decode_then_decompress_v #r c2 in let secret_as_ntt = vector_decode_12 #r secret_key in - let w = poly_sub v (poly_inv_ntt #r (vector_dot_product_ntt secret_as_ntt (vector_ntt u))) in + let w = poly_sub v (poly_inv_ntt (vector_dot_product_ntt secret_as_ntt (vector_ntt u))) in compress_then_encode_message w (** IND-CCA Functions *) 
@@ -354,16 +283,16 @@ let ind_cpa_decrypt r secret_key ciphertext = /// TODO: input validation val ind_cca_generate_keypair (r:rank) (randomness:t_Array u8 v_KEY_GENERATION_SEED_SIZE) : - t_MLKEMKeyPair r + t_MLKEMKeyPair r & bool let ind_cca_generate_keypair p randomness = let (ind_cpa_keypair_randomness, implicit_rejection_value) = split randomness v_CPA_KEY_GENERATION_SEED_SIZE in - let (ind_cpa_secret_key,ind_cpa_public_key) = ind_cpa_generate_keypair p ind_cpa_keypair_randomness in + let (ind_cpa_secret_key,ind_cpa_public_key), sufficient_randomness = ind_cpa_generate_keypair p ind_cpa_keypair_randomness in let ind_cca_secret_key = Seq.append ind_cpa_secret_key ( Seq.append ind_cpa_public_key ( Seq.append (v_H ind_cpa_public_key) implicit_rejection_value)) in - (ind_cca_secret_key, ind_cpa_public_key) + (ind_cca_secret_key, ind_cpa_public_key), sufficient_randomness /// This function implements most of Algorithm 16 of the /// NIST FIPS 203 specification; this is the MLKEM CCA-KEM encapsulation algorithm. @@ -376,13 +305,13 @@ let ind_cca_generate_keypair p randomness = val ind_cca_encapsulate (r:rank) (public_key: t_MLKEMPublicKey r) (randomness:t_Array u8 v_SHARED_SECRET_SIZE) : - (t_MLKEMCiphertext r & t_MLKEMSharedSecret) + (t_MLKEMCiphertext r & t_MLKEMSharedSecret) & bool let ind_cca_encapsulate p public_key randomness = let to_hash = concat randomness (v_H public_key) in let hashed = v_G to_hash in let (shared_secret, pseudorandomness) = split hashed v_SHARED_SECRET_SIZE in - let ciphertext = ind_cpa_encrypt p public_key randomness pseudorandomness in - (ciphertext,shared_secret) + let ciphertext, sufficient_randomness = ind_cpa_encrypt p public_key randomness pseudorandomness in + (ciphertext,shared_secret), sufficient_randomness /// This function implements Algorithm 17 of the 
@@ -390,7 +319,7 @@ let ind_cca_encapsulate p public_key randomness = val ind_cca_decapsulate (r:rank) (secret_key: t_MLKEMPrivateKey r) (ciphertext: t_MLKEMCiphertext r): - t_MLKEMSharedSecret + t_MLKEMSharedSecret & bool let ind_cca_decapsulate p secret_key ciphertext = let (ind_cpa_secret_key,rest) = split secret_key (v_CPA_PRIVATE_KEY_SIZE p) in let (ind_cpa_public_key,rest) = split rest (v_CPA_PUBLIC_KEY_SIZE p) in 
@@ -405,59 +334,8 @@ let ind_cca_decapsulate p secret_key ciphertext = let to_hash = concat implicit_rejection_value ciphertext in let rejection_shared_secret = v_J to_hash in - let reencrypted = ind_cpa_encrypt p ind_cpa_public_key decrypted pseudorandomness in + let reencrypted, sufficient_randomness = ind_cpa_encrypt p ind_cpa_public_key decrypted pseudorandomness in if reencrypted = ciphertext - then success_shared_secret - else rejection_shared_secret + then success_shared_secret, sufficient_randomness + else rejection_shared_secret, sufficient_randomness - -(** MLKEM-768 Instantiation *) - -let mlkem768_rank = sz 3 - -let mlkem768_generate_keypair (randomness:t_Array u8 (sz 64)): - (t_Array u8 (sz 2400) & t_Array u8 (sz 1184)) = - ind_cca_generate_keypair mlkem768_rank randomness - -let mlkem768_encapsulate (public_key: t_Array u8 (sz 1184)) (randomness: t_Array u8 (sz 32)): - (t_Array u8 (sz 1088) & t_Array u8 (sz 32)) = - ind_cca_encapsulate mlkem768_rank public_key randomness - - -let mlkem768_decapsulate (secret_key: t_Array u8 (sz 2400)) (ciphertext: t_Array u8 (sz 1088)): - t_Array u8 (sz 32) = - ind_cca_decapsulate mlkem768_rank secret_key ciphertext - -(** MLKEM-1024 Instantiation *) - -let mlkem1024_rank = sz 4 - -let mlkem1024_generate_keypair (randomness:t_Array u8 (sz 64)): - (t_Array u8 (sz 3168) & t_Array u8 (sz 1568)) = - ind_cca_generate_keypair mlkem1024_rank randomness - -let mlkem1024_encapsulate (public_key: t_Array u8 (sz 1568)) (randomness: t_Array u8 (sz 32)): - (t_Array u8 (sz 1568) & t_Array u8 (sz 32)) = - ind_cca_encapsulate mlkem1024_rank public_key randomness - - -let mlkem1024_decapsulate (secret_key: t_Array u8 (sz 3168)) (ciphertext: t_Array u8 (sz 1568)): - t_Array u8 (sz 32) = - ind_cca_decapsulate mlkem1024_rank secret_key ciphertext - -(** MLKEM-512 Instantiation *) - -let mlkem512_rank : rank = sz 2 - -let mlkem512_generate_keypair (randomness:t_Array u8 (sz 64)): - (t_Array u8 (sz 1632) & t_Array u8 (sz 800)) = - 
ind_cca_generate_keypair mlkem512_rank randomness - -let mlkem512_encapsulate (public_key: t_Array u8 (sz 800)) (randomness: t_Array u8 (sz 32)): - (t_Array u8 (sz 768) & t_Array u8 (sz 32)) = - ind_cca_encapsulate mlkem512_rank public_key randomness - - -let mlkem512_decapsulate (secret_key: t_Array u8 (sz 1632)) (ciphertext: t_Array u8 (sz 768)): - t_Array u8 (sz 32) = - ind_cca_decapsulate mlkem512_rank secret_key ciphertext diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst index b9af3a9bc..671f5d46e 100644 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst +++ b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst @@ -20,7 +20,7 @@ let map2 #a #b #c (#len:usize{v len < pow2 32}) (x: t_Array a len) (y: t_Array b len): t_Array c len = Lib.Sequence.map2 #a #b #c #(v len) f x y -let repeati = Lib.LoopCombinators.repeati +let repeati #acc (l:usize) (f:(i:usize{v i < v l}) -> acc -> acc) acc0 : acc = Lib.LoopCombinators.repeati (v l) (fun i acc -> f (sz i) acc) acc0 #push-options "--fuel 0 --ifuel 0 --z3rlimit 500" let flatten #t #n diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs index 24ad1d419..e617ee712 100644 --- a/libcrux-ml-kem/src/ind_cca.rs +++ b/libcrux-ml-kem/src/ind_cca.rs @@ -122,8 +122,8 @@ fn validate_public_key< $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] -#[hax_lib::ensures(|result| fstar!("(${result}.f_sk.f_value, ${result}.f_pk.f_value) == - Spec.MLKEM.ind_cca_generate_keypair $K $randomness"))] +#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_generate_keypair $K $randomness in + valid ==> (${result}.f_sk.f_value, ${result}.f_pk.f_value) == expected"))] fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, 
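Review bot: `sufficient_randomness` is returned unchanged in both the `then` and the `else` branch of `ind_cca_decapsulate`, which is the right shape for implicit rejection (the flag must not reveal whether re-encryption matched), but nothing says so, and a later edit that only reports the flag on the success path would silently turn it into a decryption-failure oracle. I would add before `if reencrypted = ciphertext`: `(* Returned identically in both branches: the flag is a modelling artefact of ind_cpa_encrypt and must carry no information about whether implicit rejection occurred. *)`. Note also that `ind_cpa_encrypt` is applied here to `decrypted`, which derives from the attacker-supplied ciphertext; I cannot tell from this hunk whether the flag can depend on that input or only on the public-key seed, and any implementation postcondition guarded by this flag is unconstrained for exactly the ciphertexts where it is false. The removed per-parameter-set instantiations are a pure deletion and not reviewed here.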
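Review bot: The new `repeati` wrapper changes the shape of the combinator (a `usize` bound and a `usize`-indexed body instead of `Lib.LoopCombinators.repeati`'s plain index) but carries no comment, so the `sz i` conversion reads like an accident rather than the point. I would add above it: `/// repeati l f acc0 folds f over the indices 0 .. l-1, presenting each index as a usize (matching the extracted Rust code) while delegating to Lib.LoopCombinators.repeati on the underlying natural number.` The refinement `i:usize{v i < v l}` on the body's index is presumably what lets callers index arrays of length `l` without a separate bounds proof, which is worth one more sentence in that comment.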
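Review bot: The new `ensures` is an implication, `valid ==> (...) == expected`, so for every `randomness` on which the spec's flag is false the postcondition says nothing about what `generate_keypair` returns; this is a genuine narrowing of the verified claim compared with the old unconditional equality, and it is only discoverable by reading `Spec.MLKEM.ind_cca_generate_keypair`. I would add directly above the `#[hax_lib::ensures(...)]`: `// The spec returns (keypair, sufficient_randomness). Equality with the spec is claimed only when that flag holds; what this implementation returns on the remaining inputs is not covered by this postcondition.` If the flag models bounded XOF sampling, as its name suggests, say so and note how those inputs are handled at runtime; the flag's definition is not in this hunk. `generate_keypair`'s body continues outside the hunk.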
@@ -162,8 +162,10 @@ fn generate_keypair< MlKemKeyPair::from(private_key, MlKemPublicKey::from(public_key)) } - +// For some reason F* manages to assert the post-condition but fails to verify it +// as a part of function signature #[hax_lib::fstar::options("--z3rlimit 150")] +#[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ @@ -177,8 +179,8 @@ fn generate_keypair< $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] -#[hax_lib::ensures(|result| fstar!("(${result}._1.f_value, ${result}._2) == - Spec.MLKEM.ind_cca_encapsulate $K ${public_key}.f_value $randomness"))] +#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_encapsulate $K ${public_key}.f_value $randomness in + valid ==> (${result}._1.f_value, ${result}._2) == expected"))] fn encapsulate< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -225,13 +227,11 @@ fn encapsulate< let ciphertext = MlKemCiphertext::from(ciphertext); let shared_secret_array = Scheme::kdf::(shared_secret, &ciphertext); - // For some reason F* manages to assert the post-condition but fails to verify it - // as a part of function signature - hax_lib::fstar!("admit() (* Panic Free *)"); (ciphertext, shared_secret_array) } -#[hax_lib::fstar::options("--z3rlimit 150")] +#[hax_lib::fstar::options("--z3rlimit 500")] +#[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ 
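Review bot: The comment `For some reason F* manages to assert the post-condition but fails to verify it as a part of function signature` now sits above `#[hax_lib::fstar::verification_status(panic_free)]` on `encapsulate`, but it does not say what that status does; if, as its replacing the old `admit() (* Panic Free *)` suggests, it admits the `ensures` clause and checks only panic freedom, then `encapsulate`'s equivalence with `Spec.MLKEM.ind_cca_encapsulate` is not established by this contract and the comment should say so plainly. I would replace it with: `// Only panic freedom is verified for this function: the ensures clause below is admitted, because F* proves the post-condition as an in-body assertion but not as part of the signature, so spec equivalence for encapsulate does not follow from this contract.` The `fn encapsulate<` definition continues past the end of this hunk.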
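Review bot: `decapsulate` receives the same `#[hax_lib::fstar::verification_status(panic_free)]` (and a z3rlimit raised from 150 to 500) but, unlike `encapsulate`, no comment explains that this admits its `ensures` in favour of a panic-freedom check, so a reader of this attribute block will assume the spec-equivalence postcondition that follows is fully verified. I would add directly above the attribute: `// Only panic freedom is verified here; the ensures clause against Spec.MLKEM.ind_cca_decapsulate is admitted (same limitation as encapsulate).` The higher rlimit also deserves a word on what now needs it, since it is the only hint that the obligation grew with the `valid ==>` form. `fn decapsulate<`'s remaining attributes and body are outside this hunk.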
@@ -248,8 +248,8 @@ fn encapsulate< $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] -#[hax_lib::ensures(|result| fstar!("$result == - Spec.MLKEM.ind_cca_decapsulate $K ${private_key}.f_value ${ciphertext}.f_value"))] +#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_decapsulate $K ${private_key}.f_value ${ciphertext}.f_value in + valid ==> $result == expected"))] pub(crate) fn decapsulate< const K: usize, const SECRET_KEY_SIZE: usize, @@ -325,7 +325,6 @@ pub(crate) fn decapsulate< &shared_secret, &implicit_rejection_shared_secret, ); - hax_lib::fstar!("admit() (* Panic Free *)"); shared_secret } @@ -591,22 +590,18 @@ pub(crate) struct MlKem {} impl Variant for MlKem { #[inline(always)] #[requires(shared_secret.len() == 32)] - // Output name has be `out1` https://github.com/hacspec/hax/issues/832 - #[ensures(|out1| fstar!("$out1 == $shared_secret"))] + // Output name has be `out` https://github.com/hacspec/hax/issues/832 + #[ensures(|out| fstar!("$out == $shared_secret"))] fn kdf>( shared_secret: &[u8], _: &MlKemCiphertext, ) -> [u8; 32] { - let mut out = [0u8; 32]; - out.copy_from_slice(shared_secret); - out + shared_secret.try_into().unwrap() } #[inline(always)] #[requires(randomness.len() == 32)] fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32] { - let mut out = [0u8; 32]; - out.copy_from_slice(randomness); - out + randomness.try_into().unwrap() } } diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs index 555d323fc..663da1dfb 100644 --- a/libcrux-ml-kem/src/ind_cpa.rs +++ b/libcrux-ml-kem/src/ind_cpa.rs 
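Review bot: `kdf` carries `#[ensures(|out| fstar!("$out == $shared_secret"))]`, but the sibling `entropy_preprocess`, which is now the identical `randomness.try_into().unwrap()`, has only a `requires` and no `ensures`, so any proof that needs the preprocessed randomness to equal its input has nothing to use (unless the `Variant` trait declaration, outside this hunk, already states it). For symmetry I would add `#[ensures(|out| fstar!("$out == $randomness"))]` to `entropy_preprocess`. The `unwrap()` itself is fine: under the `len() == 32` precondition the conversion cannot fail, and it panics in the same situation the old `copy_from_slice` would have.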
@@ -215,7 +215,8 @@ pub(crate) fn generate_keypair_unpacked< $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] -#[hax_lib::ensures(|result| fstar!("$result == Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed"))] +#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed in + valid ==> $result == expected"))] pub(crate) fn generate_keypair< const K: usize, const PRIVATE_KEY_SIZE: usize, @@ -397,7 +398,8 @@ pub(crate) fn encrypt_unpacked< $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\\ $C2_LEN == Spec.MLKEM.v_C2_SIZE $K"))] #[hax_lib::ensures(|result| - fstar!("$result == Spec.MLKEM.ind_cpa_encrypt $K $public_key $message $randomness") + fstar!("let (expected, valid) = Spec.MLKEM.ind_cpa_encrypt $K $public_key $message $randomness in + valid ==> $result == expected") )] pub(crate) fn encrypt< const K: usize, diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml index c93712c4b..dfed28011 100644 --- a/libcrux-sha3/Cargo.toml +++ b/libcrux-sha3/Cargo.toml @@ -17,7 +17,7 @@ libcrux-intrinsics = { version = "0.0.2-alpha.3", path = "../libcrux-intrinsics" # This is only required for verification. # The hax config is set by the hax toolchain. [target.'cfg(hax)'.dependencies] -hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } +hax-lib.workspace = true [features] simd128 = [] diff --git a/proofs/fstar/extraction-edited/Makefile b/proofs/fstar/extraction-edited/Makefile index 6b294a42d..ec420d509 100644 --- a/proofs/fstar/extraction-edited/Makefile +++ b/proofs/fstar/extraction-edited/Makefile 
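Review bot: `hax-lib.workspace = true` moves the pin for a crate that supplies the proof-annotation macros to the workspace table, which is outside this hunk; the line it replaces tracked a git source with only a pre-release version, so make sure the workspace entry pins an exact `rev` rather than a moving branch, otherwise the meaning of `#[hax_lib::ensures]` and `verification_status` annotations across the repository can change on a plain `cargo update`. A one-line comment here, e.g. `# pinned (git rev) in the root Cargo.toml [workspace.dependencies]`, would save the next reader the lookup.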
@@ -1,150 +1 @@ -# This is a generically useful Makefile for F* that is self-contained -# -# It is tempting to factor this out into multiple Makefiles but that -# makes it less portable, so resist temptation, or move to a more -# sophisticated build system. -# -# We expect FSTAR_HOME to be set to your FSTAR repo/install directory -# We expect HACL_HOME to be set to your HACL* repo location -# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. -# -# ROOTS contains all the top-level F* files you wish to verify -# The default target `verify` verified ROOTS and its dependencies -# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line -# -# -# To make F* emacs mode use the settings in this file, you need to -# add the following lines to your .emacs -# -# (setq-default fstar-executable "/bin/fstar.exe") -# (setq-default fstar-smt-executable "/bin/z3") -# -# (defun my-fstar-compute-prover-args-using-make () -# "Construct arguments to pass to F* by calling make." -# (with-demoted-errors "Error when constructing arg string: %S" -# (let* ((fname (file-name-nondirectory buffer-file-name)) -# (target (concat fname "-in")) -# (argstr (car (process-lines "make" "--quiet" target)))) -# (split-string argstr)))) -# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) -# - -WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
- -HAX_HOME ?= $(WORKSPACE_ROOT)/hax -HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar -HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction -FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar -HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star -FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") - -CACHE_DIR ?= .cache -HINT_DIR ?= .hints - -.PHONY: all verify verify-lax clean - -all: - rm -f .depend && $(MAKE) .depend - $(MAKE) verify - -ifeq ($(OTHERFLAGS),$(subst --admit_smt_queries true,,$(OTHERFLAGS))) -FSTAR_HINTS ?= --use_hints --use_hint_hashes --record_hints -else -FSTAR_HINTS ?= --use_hints --use_hint_hashes -endif - -VERIFIED = \ - Libcrux.Digest.fsti \ - Libcrux.Kem.Kyber.Constants.fsti \ - Libcrux.Kem.Kyber.Hash_functions.fsti \ - Libcrux.Kem.Kyber.Hash_functions.fst \ - Libcrux.Kem.Kyber.Types.fst \ - Libcrux.Kem.Kyber.Kyber768.fsti \ - Libcrux.Kem.Kyber.Kyber768.fst \ - Libcrux.Kem.Kyber.Kyber1024.fsti \ - Libcrux.Kem.Kyber.Kyber1024.fst \ - Libcrux.Kem.Kyber.Kyber512.fsti \ - Libcrux.Kem.Kyber.Kyber512.fst \ - Libcrux.Kem.Kyber.Ind_cpa.fsti \ - Libcrux.Kem.Kyber.Ind_cpa.fst \ - Libcrux.Kem.Kyber.fsti \ - Libcrux.Kem.Kyber.fst \ - Libcrux.Kem.Kyber.Arithmetic.fsti \ - Libcrux.Kem.Kyber.Arithmetic.fst \ - Libcrux.Kem.Kyber.Compress.fsti \ - Libcrux.Kem.Kyber.Compress.fst \ - Libcrux.Kem.Kyber.Constant_time_ops.fsti \ - Libcrux.Kem.Kyber.Constant_time_ops.fst \ - Libcrux.Kem.Kyber.Matrix.fsti \ - Libcrux.Kem.Kyber.Matrix.fst \ - Libcrux.Kem.Kyber.Ntt.fsti \ - Libcrux.Kem.Kyber.Ntt.fst \ - Libcrux.Kem.Kyber.Sampling.fst \ - Libcrux.Kem.Kyber.Serialize.fsti \ - Libcrux.Kem.Kyber.Serialize.fst - -UNVERIFIED = - - -VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) -UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) - -# By default, we process all the files in the current directory. 
Here, we -# *extend* the set of relevant files with the tests. -ROOTS = $(UNVERIFIED) $(VERIFIED) - -FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) - -FSTAR_FLAGS = $(FSTAR_HINTS) \ - --cmi \ - --warn_error -331 \ - --warn_error -321 \ - --warn_error -274 \ - --query_stats \ - --cache_checked_modules --cache_dir $(CACHE_DIR) \ - --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ - $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) - -# --log_queries \ -# --z3version 4.12.3 \ -# --smtencoding.l_arith_repr native \ -# --smtencoding.nl_arith_repr native \ - -FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) - - -.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) - $(info $(ROOTS)) - $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ - -include .depend - -$(HINT_DIR): - mkdir -p $@ - -$(CACHE_DIR): - mkdir -p $@ - -$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true -$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) - $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints - -verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) - -# Targets for interactive mode - -%.fst-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) - -%.fsti-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) - - -# Clean targets - -SHELL=/usr/bin/env bash - -clean: - rm -rf $(CACHE_DIR)/* +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template diff --git a/proofs/fstar/extraction-secret-independent/Makefile b/proofs/fstar/extraction-secret-independent/Makefile index 3c4a3f008..ec420d509 100644 --- a/proofs/fstar/extraction-secret-independent/Makefile +++ b/proofs/fstar/extraction-secret-independent/Makefile 
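Review bot: `include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template` degrades badly when this directory is not inside a git checkout (a source tarball, an exported tree, a container without `git`): the `$(shell)` yields an empty string and make tries to include `/fstar-helpers/Makefile.template`, failing with a message that does not name the real cause. I would resolve the root once, fail with a clear message, and keep it overridable, as below. Everything the old file recorded for this directory — the `VERIFIED` list, the hint flags, the `--admit_smt_queries true` applied to `UNVERIFIED` — is now implicit in the template, so which modules remain admitted is no longer visible here; a comment pointing at where the template takes that list from (presumably a directory listing or a per-directory variable) would help.
```make
# Resolve the repository root once; fail loudly outside a git checkout.
ifndef REPO_ROOT
REPO_ROOT := $(shell git rev-parse --show-toplevel 2>/dev/null)
endif
ifeq ($(strip $(REPO_ROOT)),)
$(error cannot locate the repository root: run inside the git checkout or pass REPO_ROOT=/path/to/repo)
endif
include $(REPO_ROOT)/fstar-helpers/Makefile.template
```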
@@ -1,134 +1 @@ -# This is a generically useful Makefile for F* that is self-contained -# -# It is tempting to factor this out into multiple Makefiles but that -# makes it less portable, so resist temptation, or move to a more -# sophisticated build system. -# -# We expect FSTAR_HOME to be set to your FSTAR repo/install directory -# We expect HACL_HOME to be set to your HACL* repo location -# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. -# -# ROOTS contains all the top-level F* files you wish to verify -# The default target `verify` verified ROOTS and its dependencies -# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line -# -# -# To make F* emacs mode use the settings in this file, you need to -# add the following lines to your .emacs -# -# (setq-default fstar-executable "/bin/fstar.exe") -# (setq-default fstar-smt-executable "/bin/z3") -# -# (defun my-fstar-compute-prover-args-using-make () -# "Construct arguments to pass to F* by calling make." -# (with-demoted-errors "Error when constructing arg string: %S" -# (let* ((fname (file-name-nondirectory buffer-file-name)) -# (target (concat fname "-in")) -# (argstr (car (process-lines "make" "--quiet" target)))) -# (split-string argstr)))) -# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) -# - -WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
- -HAX_HOME ?= $(WORKSPACE_ROOT)/hax -HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar-secret-integers -HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction -FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar -HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star -FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") - -CACHE_DIR ?= .cache -HINT_DIR ?= .hints - -.PHONY: all verify verify-lax clean - -all: - rm -f .depend && $(MAKE) .depend - $(MAKE) verify - - -SECRET_INDEPENDENT = \ - Libcrux.Kem.Kyber.Constants.fsti \ - Libcrux.Digest.fsti \ - Libcrux.Kem.Kyber.Hash_functions.fsti \ - Libcrux.Kem.Kyber.Hash_functions.fst \ - Libcrux.Kem.Kyber.Kyber768.fsti \ - Libcrux.Kem.Kyber.Kyber768.fst \ - Libcrux.Kem.Kyber.Kyber1024.fsti \ - Libcrux.Kem.Kyber.Kyber1024.fst \ - Libcrux.Kem.Kyber.Kyber512.fsti \ - Libcrux.Kem.Kyber.Kyber512.fst \ - Libcrux.Kem.Kyber.Types.fst \ - Libcrux.Kem.Kyber.fsti \ - Libcrux.Kem.Kyber.fst \ - Libcrux.Kem.Kyber.Ind_cpa.fsti \ - Libcrux.Kem.Kyber.Ind_cpa.fst \ - Libcrux.Kem.Kyber.Arithmetic.fsti \ - Libcrux.Kem.Kyber.Arithmetic.fst \ - Libcrux.Kem.Kyber.Compress.fsti \ - Libcrux.Kem.Kyber.Compress.fst \ - Libcrux.Kem.Kyber.Constant_time_ops.fsti \ - Libcrux.Kem.Kyber.Constant_time_ops.fst \ - Libcrux.Kem.Kyber.Matrix.fsti \ - Libcrux.Kem.Kyber.Matrix.fst \ - Libcrux.Kem.Kyber.Ntt.fsti \ - Libcrux.Kem.Kyber.Ntt.fst \ - Libcrux.Kem.Kyber.Sampling.fst \ - Libcrux.Kem.Kyber.Serialize.fsti \ - Libcrux.Kem.Kyber.Serialize.fst - -SECRET_INDEPENDENT_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(SECRET_INDEPENDENT))) - -# By default, we process all the files in the current directory. Here, we -# *extend* the set of relevant files with the tests. 
-ROOTS = $(SECRET_INDEPENDENT) - -FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) - -FSTAR_FLAGS = --cmi \ - --warn_error -331-321-274 \ - --admit_smt_queries true \ - --cache_checked_modules --cache_dir $(CACHE_DIR) \ - --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ - $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) - -FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) - - -.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) - $(info $(ROOTS)) - $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ - -include .depend - -$(HINT_DIR): - mkdir -p $@ - -$(CACHE_DIR): - mkdir -p $@ - -$(SECRET_INDEPENDENT_CHECKED): OTHERFLAGS=--admit_smt_queries true -$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) - $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints - -verify: $(SECRET_INDEPENDENT_CHECKED) - -# Targets for interactive mode - -%.fst-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) - -%.fsti-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) - - -# Clean targets - -SHELL=/usr/bin/env bash - -clean: - rm -rf $(CACHE_DIR)/* - rm *.fst +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template diff --git a/proofs/fstar/extraction/Makefile b/proofs/fstar/extraction/Makefile index 763274af1..ec420d509 100644 --- a/proofs/fstar/extraction/Makefile +++ b/proofs/fstar/extraction/Makefile 
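Review bot: The Makefile this hunk deletes differed from the other two in two ways a shared template cannot know by itself: it pointed `HAX_PROOF_LIBS_HOME` at `$(HAX_HOME)/proof-libs/fstar-secret-integers` (the secret-integer typing that gives the secret-independence check its meaning) and it ran every module with `--admit_smt_queries true`, i.e. this directory was a typing check, never an SMT proof. With the one-line include neither fact survives here, so if the template defaults to `proof-libs/fstar`, `make verify` in this directory quietly checks the wrong thing or stops checking secret independence at all. Unless the template keys on `$(CURDIR)`, set the override before the include, `HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar-secret-integers` followed by the `include` line, and add a comment stating that this directory is a secret-independence typing check with SMT queries admitted, not a functional-correctness proof. Whether the template defines `HAX_HOME` with `?=` (which that lazy reference relies on) is not visible here.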
@@ -1,127 +1 @@ -# This is a generically useful Makefile for F* that is self-contained -# -# It is tempting to factor this out into multiple Makefiles but that -# makes it less portable, so resist temptation, or move to a more -# sophisticated build system. -# -# We expect FSTAR_HOME to be set to your FSTAR repo/install directory -# We expect HACL_HOME to be set to your HACL* repo location -# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. -# -# ROOTS contains all the top-level F* files you wish to verify -# The default target `verify` verified ROOTS and its dependencies -# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line -# -# -# To make F* emacs mode use the settings in this file, you need to -# add the following lines to your .emacs -# -# (setq-default fstar-executable "/bin/fstar.exe") -# (setq-default fstar-smt-executable "/bin/z3") -# -# (defun my-fstar-compute-prover-args-using-make () -# "Construct arguments to pass to F* by calling make." -# (with-demoted-errors "Error when constructing arg string: %S" -# (let* ((fname (file-name-nondirectory buffer-file-name)) -# (target (concat fname "-in")) -# (argstr (car (process-lines "make" "--quiet" target)))) -# (split-string argstr)))) -# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) -# - -WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
- -HAX_HOME ?= $(WORKSPACE_ROOT)/hax -HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar -HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction -FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar -HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star -FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") - -CACHE_DIR ?= .cache -HINT_DIR ?= .hints - -.PHONY: all verify verify-lax clean - -all: - rm -f .depend && $(MAKE) .depend - $(MAKE) verify - - -VERIFIED = \ - Libcrux.Kem.Kyber.Constants.fsti \ - Libcrux.Kem.Kyber.Kyber768.fst \ - Libcrux.Kem.Kyber.Kyber1024.fst \ - Libcrux.Kem.Kyber.Kyber512.fst - - -UNVERIFIED = \ - Libcrux.Kem.Kyber.Types.fst \ - Libcrux.Kem.Kyber.fst \ - Libcrux.Kem.Kyber.Ind_cpa.fst \ - Libcrux.Kem.Kyber.Arithmetic.fst \ - Libcrux.Kem.Kyber.Arithmetic.fsti \ - Libcrux.Kem.Kyber.Compress.fst \ - Libcrux.Kem.Kyber.Constant_time_ops.fst \ - Libcrux.Digest.fsti \ - Libcrux.Digest.Incremental_x4.fsti \ - Libcrux.Kem.Kyber.Hash_functions.fst \ - Libcrux.Kem.Kyber.Matrix.fst \ - Libcrux.Kem.Kyber.Ntt.fst \ - Libcrux.Kem.Kyber.Sampling.fst \ - Libcrux.Kem.Kyber.Serialize.fst - -VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) -UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) - -# By default, we process all the files in the current directory. Here, we -# *extend* the set of relevant files with the tests. 
-ROOTS = $(UNVERIFIED) $(VERIFIED) - -FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) ../../../sys/platform/proofs/fstar/extraction/ - -FSTAR_FLAGS = --cmi \ - --warn_error -331-321-274 \ - --cache_checked_modules --cache_dir $(CACHE_DIR) \ - --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ - $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) - -FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) - - -.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) - $(info $(ROOTS)) - $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ - -include .depend - -$(HINT_DIR): - mkdir -p $@ - -$(CACHE_DIR): - mkdir -p $@ - -$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true -$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) - $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints - -verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) - -# Targets for interactive mode - -%.fst-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) - -%.fsti-in: - $(info $(FSTAR_FLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) - - -# Clean targets - -SHELL=/usr/bin/env bash - -clean: - rm -rf $(CACHE_DIR)/* - rm *.fst +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template
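Review bot: The removed `FSTAR_INCLUDE_DIRS` for this directory ended with `../../../sys/platform/proofs/fstar/extraction/`, an include path the other two directories did not have, and the one-line include drops it; unless the template adds it for every directory, modules here that reference the platform crate's extraction will no longer resolve. Because a plain `=` assignment inside the template would overwrite anything set before the include, append it afterwards: the `include ...` line, then `FSTAR_INCLUDE_DIRS += ../../../sys/platform/proofs/fstar/extraction/`; this only takes effect if the template's `FSTAR_FLAGS` is recursively defined (as the removed one was), otherwise the template needs a hook variable. The removed `clean` target also ran `rm *.fst` on this directory's extracted sources, so confirm the template's `clean` does not delete files that are checked in.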